Post-Rotation TODOs

Pre-Rotation (domus-infra-ops runbook updates)

  • Replace all 10.50.1.1 references with VyOS VRRP VIP

  • Consolidate gopass paths to v3 only — remove v2 references

  • Update CPU pinning map: pfSense → VyOS

  • Update NAD section: remove pfSense, verify WLC and switch entries

  • Verify NTP server configuration (pool.ntp.org upstream was added to vyos-01 during rotation; confirm vyos-01 is actually synced before pointing ISE back at it)

  • Add NTP upstream to vyos-02

  • Verify DNS update process still uses PowerShell on home-dc01

  • Add NFS mounts to kvm-01 /etc/fstab

  • Fix kvm-01 bridge name in runbook: virbr0 → br-mgmt

  • Add post-install ISO eject + boot order step to runbook

  • Document kvm-01 root filesystem too small for ISO (use onboard SSD)

During Rotation

  • Backup ise-02 via CLI (backup command — admin UI locked)

  • Verify ISO exists on NAS

  • Mount NAS on kvm-01: sudo mount -t nfs4 10.50.1.70:/volume1/isos /mnt/nas/isos

  • Copy ISO to onboard SSD (root too small): /mnt/onboard-ssd/vms/

  • Deploy ise-01 on kvm-01 with CPU pinning (br-mgmt, CPUs 6-9)

  • Fix boot loop: eject ISO, set boot order hd,cdrom

  • Fix VyOS NTP: add pool.ntp.org upstream to vyos-01

  • Wait for ISE services to come up

  • Change ISE NTP from pool.ntp.org back to 10.50.1.1

  • Stage Patch 3 on NAS: rsync -avP ~/Downloads/ise-patchbundle-3.5.0.527-Patch3-26040703.SPA.x86_64.tar.gz kvm-02:/mnt/nas/isos/

  • Restore from backup

  • Apply Patch 3

  • Issue certificates from Vault

  • Reconfigure Keycloak SAML

  • Test auth with one client before full cutover

  • Validate all 5 API surfaces
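
The kvm-01 steps in the list above (mount the NAS, stage the ISO on the onboard SSD, deploy ise-01 pinned to CPUs 6-9 on br-mgmt, then break the boot loop), as an added shell script that is not part of this runbook. The ISO file name, VM memory and disk size, the os-variant value, and the DRY_RUN/DEPLOY_NOW switches are assumptions not stated on the page; every external command is echoed unless DRY_RUN=0, so the plan can be reviewed before it touches the host.

```shell
#!/bin/sh
# Added example, not the runbook's own code: kvm-01 deployment steps for ise-01.
# Every external command goes through run(), which only echoes unless DRY_RUN=0.
# Assumptions (not on the page): ISO file name, memory, disk size, os-variant.
set -eu

NAS_EXPORT="10.50.1.70:/volume1/isos"
NAS_MNT="/mnt/nas/isos"
SSD_VMS="/mnt/onboard-ssd/vms"           # root fs too small for the ISO
ISO_NAME="${ISE_ISO:-ise-3.5.0.527.iso}" # assumption: real file name not given
VM="ise-01"
BRIDGE="br-mgmt"                         # not virbr0 (runbook fix)
PIN_CPUS="6 7 8 9"                       # host cores reserved for ise-01
VCPUS=4
CPUSET="6-9"

# Echo the command in dry-run mode, otherwise execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Mount the ISO share read-only; nothing here needs to write to the NAS.
mount_nas() {
  run sudo mount -t nfs4 -o ro "$NAS_EXPORT" "$NAS_MNT"
}

# Stage the ISO on the onboard SSD instead of the (too small) root filesystem.
stage_iso() {
  run cp "$NAS_MNT/$ISO_NAME" "$SSD_VMS/$ISO_NAME"
}

# Build a 1:1 vCPU -> host core pin list for virt-install's --cputune:
# vcpu0 -> 6, vcpu1 -> 7, ... so the guest's placement matches the pinning map.
pin_args() {
  i=0
  pins=""
  for c in $PIN_CPUS; do
    pins="${pins:+$pins,}vcpupin$i.vcpu=$i,vcpupin$i.cpuset=$c"
    i=$((i + 1))
  done
  printf '%s' "$pins"
}

# Create the VM: cpuset= confines it to the reserved cores, --cputune pins 1:1,
# the disk lives on the SSD, NIC on br-mgmt, installer booted from the ISO.
deploy_vm() {
  run virt-install \
    --name "$VM" \
    --memory 16384 \
    --vcpus "$VCPUS,cpuset=$CPUSET" \
    --cputune "$(pin_args)" \
    --cpu host-passthrough \
    --disk "path=$SSD_VMS/$VM.qcow2,size=300,format=qcow2,bus=virtio" \
    --cdrom "$SSD_VMS/$ISO_NAME" \
    --network "bridge=$BRIDGE,model=virtio" \
    --os-variant generic \
    --graphics vnc,listen=127.0.0.1 \
    --noautoconsole
}

# After the installer's first reboot the guest boots the ISO again:
# eject the media and make the disk the first boot device (persistent config).
fix_boot_loop() {
  run virsh change-media "$VM" "$SSD_VMS/$ISO_NAME" --eject
  run virt-xml "$VM" --edit --boot hd,cdrom
}

deploy_all() {
  mount_nas
  stage_iso
  deploy_vm
}

# DEPLOY_NOW=1 DRY_RUN=0 sh deploy-ise-01.sh   (fix_boot_loop is a separate step)
if [ "${DEPLOY_NOW:-0}" = "1" ]; then deploy_all; fi
```

Run fix_boot_loop only once the installer has finished and the guest has come back up for its first reboot; ejecting the media earlier aborts the install. The cpuset= on --vcpus keeps the guest off the cores used by the VyOS VMs, and the --cputune pins give the 1:1 placement the runbook's pinning map records.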

Post-Rotation

  • Verify printer authenticates to WiFi via ISE (iPSK)

  • Configure CUPS with printer IP once discovered

  • Print Quijote caps 37-39 annotated PDFs

  • Update dsec environment to point to ise-01

  • Keep ise-02 available for 1-2 weeks as rollback

  • Decommission ise-02 VM after verification period

  • Reboot workstation to kernel 7.0.11 (usb_storage module)

  • Add NTP upstream to vyos-02: set service ntp server pool.ntp.org

  • Document any deviations in this project’s issues appendix

  • Identify device 9C:83:06:CE:89:46 (Samsung OUI) — Remarkable? ZFold?

  • Reissue expired EAP-TLS client cert from Vault for 9C:83:06:CE:89:46

  • Install cert on device and verify dot1x/EAP-TLS pass in DataConnect

  • Investigate Boox2/Remarkable not appearing in WLC or ISE — different network path?

  • Create Vault role domus-pxgrid with OU="pxGrid Services", server+client flags

  • Create Vault role domus-eap with OU="EAP Authentication" for admin/EAP certs

  • Migrate cert issuance from generic domus-server to purpose-specific roles
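
The Vault PKI role work in the last three items, together with the EAP-TLS client-cert reissue for 9C:83:06:CE:89:46 further up, as an added shell script that is not the project's own tooling. The PKI mount path pki, the domain domus.internal, the organization value, key sizes, TTLs and the device CN scheme are assumptions. The reason purpose-specific roles are needed at all is that Vault takes OU and extended key usage from the role, not from the issue request, so a single domus-server role cannot give pxGrid certs "pxGrid Services" and both EKUs while giving EAP certs "EAP Authentication".

```shell
#!/bin/sh
# Added example, not the project's own tooling: Vault PKI roles domus-pxgrid and
# domus-eap, and the issue calls that replace the generic domus-server role.
# vault runs through run(), which only echoes unless DRY_RUN=0.
# Assumptions (not on the page): mount path, domain, org, key size, TTLs, CNs.
set -eu

PKI="pki"                  # assumption: PKI secrets engine mount path
DOMAIN="domus.internal"    # assumption: allowed domain for issued CNs
ORG="domus"                # assumption

# Echo the command in dry-run mode, otherwise execute it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# pxGrid: ISE requires BOTH serverAuth and clientAuth EKUs on the pxGrid cert,
# so the role sets server_flag and client_flag and pins ext_key_usage to exactly
# those two. OU is fixed by the role; a requester cannot choose or widen it.
create_pxgrid_role() {
  run vault write "$PKI/roles/domus-pxgrid" \
    allowed_domains="$DOMAIN" allow_subdomains=true allow_bare_domains=false \
    enforce_hostnames=true allow_ip_sans=false \
    server_flag=true client_flag=true \
    ext_key_usage=ServerAuth,ClientAuth \
    ou="pxGrid Services" organization="$ORG" \
    key_type=rsa key_bits=2048 ttl=8760h max_ttl=8760h
}

# EAP: the ISE admin and "EAP Authentication" system certs are TLS server certs,
# the supplicant EAP-TLS certs are client certs, so this role keeps both flags
# (reading of the list item: one OU covers admin/EAP). Device CNs are issued as
# <label>.$DOMAIN so hostname enforcement can stay on.
create_eap_role() {
  run vault write "$PKI/roles/domus-eap" \
    allowed_domains="$DOMAIN" allow_subdomains=true allow_bare_domains=false \
    enforce_hostnames=true allow_ip_sans=false \
    server_flag=true client_flag=true \
    ext_key_usage=ServerAuth,ClientAuth \
    ou="EAP Authentication" organization="$ORG" \
    key_type=rsa key_bits=2048 ttl=8760h max_ttl=8760h
}

# Migration step: the issue path changes from domus-server to the new roles.
# $1 = ISE node FQDN, e.g. ise-01.domus.internal
issue_pxgrid_cert() {
  run vault write -format=json "$PKI/issue/domus-pxgrid" common_name="$1" ttl=8760h
}

# $1 = device label (assumption: the MAC without colons), CN becomes <label>.$DOMAIN
issue_eap_client_cert() {
  run vault write -format=json "$PKI/issue/domus-eap" common_name="$1.$DOMAIN" ttl=8760h
}

# Post-issue check: confirm the EKU set on a saved PEM ($1) before installing it.
verify_eku() {
  run openssl x509 -in "$1" -noout -subject -ext extendedKeyUsage
}

setup_roles() {
  create_pxgrid_role
  create_eap_role
}

# DRY_RUN=0 sh vault-roles.sh  to apply; default prints the plan.
if [ "${APPLY_NOW:-0}" = "1" ]; then setup_roles; fi
```

The Vault policy attached to the ISE integration should grant only pki/issue/domus-pxgrid (and the device enrolment flow only pki/issue/domus-eap); with ou and ext_key_usage fixed on the role, a compromised requester token can mint certificates only for the purpose that role encodes.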