Appendix: Post-Deploy TODOs

Re-issue Vault EAP-TLS cert with CN=modestus-p16g (done Apr 3)

Update nmcli WiFi identity to modestus-p16g.inside.domusdigitalis.dev (done Apr 3)

Install certs on P16g filesystem — /etc/ssl/certs/modestus-p16g-eaptls.pem (done Apr 3)

Re-encrypt SSH config with modestus-p16g entry + corrected Razer IP (done Apr 3)

Set up gocryptfs vault — gcvault deployed, 4 vaults, credentials mounted, Claude Code + gh symlinked (done Apr 3)

Claude Code installed + OAuth authenticated (done Apr 3)

OpenCode installed + stowed (done Apr 3)

pinentry-auto deployed — SSH gets curses, desktop gets Qt (done Apr 3)

gpg-connect-agent updatestartuptty added to .zshrc for SSH sessions (done Apr 3)

Mass t16g→p16g rename across all 18 deploy partials (done Apr 3)

Configure Vault SSH cert for machine-to-machine auth — blocked by VLAN anti-pivot segmentation

SEC-001: Install AppArmor — sudo pacman -S apparmor (done Apr 5)

SEC-001: Update boot params on all 3 entries — lsm=…​apparmor,bpf apparmor=1 security=apparmor (done Apr 5)

SEC-001: Restore missing acpi_mask_gpe=0x6E on arch-fallback.conf + arch-lts.conf (done Apr 5)

SEC-001: Enable apparmor.service (done Apr 5)

SEC-001: Reboot and verify — cat /sys/kernel/security/lsm, aa-enabled, sudo aa-status (now Phase 12)

SEC-001: Phase 2 — complain-mode baseline (2-3 days normal usage) (now Phase 12)

SEC-001: Phase 3 — enforce profiles for browsers, node/npm, Docker with credential store denies (now Phase 12)

SEC-001: Phase 4 — Docker AppArmor integration verification (now Phase 12)

Phase 9: Claude Code installed + authenticated (done Apr 3)

Phase 9: OpenCode installed + stowed (done Apr 3)

Phase 9: Stow claude package — ~/.claude/settings.json + hooks now symlinked (done Apr 3)

Phase 9: Build domus-antora-ui UI bundle — cd into repo, npm install && npx gulp bundle (done Apr 3)

Phase 9: Install Docker for Kroki — pacman -S docker, enable service, usermod -aG docker, newgrp docker (done Apr 3)

Phase 9: Install lsof — sudo pacman -S lsof (done Apr 3)

Phase 9: Verify dots-quantum/setup script includes claude in stow list — prevent recurrence on future machines

Phase 9: Verify Cloudflare Pages deployments trigger from P16g pushes — check CF dashboard after next push

Phase 9: Deploy .git/hooks/pre-commit on P16g — copy from Razer or implement core.hooksPath solution

Phase 9: Clone all remaining domus-* repos (15 spoke repos + project repos)

Phase 9: Run npm install in each cloned domus-* repo (node_modules not tracked)

Phase 9: Set up multi-remote push (GitHub + GitLab + Gitea)

Phase 9: Deploy git pre-commit hook for AsciiDoc validation — three options under consideration:

Phase 9: aerc email configuration validation

Phase 10: Install Ollama, configure bind mount for model storage on /home

Phase 10: Pull models (qwen3-coder:30b, qwen2.5-coder:32b, qwen2.5-coder:14b)

Phase 10: Create custom models (domus-chat-v3, quick)

Phase 10: Deploy ollama-local FastAPI service

Phase 11: Run full verification checklist

Phase 11: Take btrfs clean-state snapshot

Phase 12: UFW firewall rules + SSH hardening

Test Hyprland display scaling on 3.2K OLED

Pair Bluetooth: Kinesis Advantage 360 Pro, Galaxy Buds3 Pro

Fix .cargo/env missing warning (.zshenv sources it but cargo not installed via standalone)

Wired EAP-TLS (Domus-Wired-EAP-TLS) — need cable + switch port (Phase 13)

Pacman hook validation — trigger with next kernel update (Phase 13)

Resolve multiple nvim config situation (instrumentum-nvim vs domus-nvim)

ssh-agent persistence strategy (keychain, systemd user unit, or gpg-agent) (Phase 13)

Set up systemd timer for automated Borg backups (Phase 13)

TLP charge thresholds (START_CHARGE_THRESH_BAT0=40, STOP_CHARGE_THRESH_BAT0=80) (Phase 13)

Update all domus-captures docs from t16g to p16g