Phase 11: Verification

Phase 11: Verification

Comprehensive validation of every subsystem deployed in Phases 0-10. Run after all phases complete. Each check gives the command and, where the output is deterministic, the expected result; for the remaining checks the comment states what to look for.

System Health

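# Failed services (expect: "0 loaded units listed.")
systemctl --failed
# Kernel errors (filter noise, focus on real errors).
# Run with sudo: when kernel.dmesg_restrict=1 (common on hardened hosts) an
# unprivileged dmesg fails, and an empty grep would read as "no errors".
sudo dmesg | grep -iE 'error|fail' | grep -vE 'firmware|Bluetooth' | tail -10
# Boot time analysis (total, then the ten slowest units)
systemd-analyze
systemd-analyze blame | head -10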

Boot & Encryption

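# Current kernel
uname -r
# LUKS volumes open (expect the crypto_LUKS device and its opened "crypt" mapper)
lsblk -f | grep -E 'crypto_LUKS|crypt'
# Btrfs subvolumes
sudo btrfs subvolume list / | awk '{print $NF}'
# Expected: @, @snapshots, @var_log
sudo btrfs subvolume list /home | awk '{print $NF}'
# Expected: @home
# zram swap active
zramctl
# Boot entries
bootctl list
# ESP kernel sync: every kernel image in /boot must be byte-identical to its
# copy on the ESP (covers the LTS kernel too, not only vmlinuz-linux).
# cmp is an exact comparison, so no hashing is needed; sudo because the ESP
# is commonly mounted root-only (umask=0077). This checks the copies agree,
# not that they are signed.
for k in /boot/vmlinuz-*; do
    [[ -e "$k" ]] || continue
    if sudo cmp -s "$k" "/boot/efi/${k##*/}"; then
        echo "MATCH    ${k##*/}"
    else
        echo "MISMATCH ${k##*/}"
    fi
done
# Kernel boot parameters include AppArmor (prints only the LSM-related
# parameters instead of the whole command line)
grep -oE '(lsm|security|apparmor)=[^ ]*' /proc/cmdline || echo "no AppArmor/LSM parameters on cmdline"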

Security

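# AppArmor status
sudo aa-status | head -5
# LSM stack
cat /sys/kernel/security/lsm
# Expected: capability,landlock,lockdown,yama,apparmor,bpf
# Browser profiles enforced (not unconfined, not complain).
# aa-status groups entries under section headers ("... in enforce mode",
# "... in complain mode", "... are unconfined ...", ...). Track every
# section, otherwise a browser listed under complain/kill/mixed would be
# labelled with the previous section's state and pass as "enforce".
sudo aa-status | awk '
    /enforce mode/   {p="enforce"}
    /complain mode/  {p="complain"}
    /kill mode/      {p="kill"}
    /mixed mode/     {p="mixed"}
    /unconfined/     {p="unconfined"}
    /firefox|chrome|chromium/ {print p": "$0}'
# Expected: all show "enforce"
# Firewall status (after Phase 12 execution)
sudo ufw status verbose 2>/dev/null || echo "UFW not yet configured"
# Expected: "Status: active" with "Default: deny (incoming)" — confirm the
# allowed rules against the firewall phase
# SSH config (effective values: sshd -T resolves Include and Match blocks)
sudo sshd -T | grep -iE '^(permitrootlogin|passwordauthentication|pubkeyauthentication|maxauthtries) '
# Expected (hardened baseline — confirm against the SSH phase):
#   permitrootlogin no, passwordauthentication no, pubkeyauthentication yes,
#   maxauthtries set to a small value
# Open ports audit: TCP and UDP listeners with the owning process
# (sudo so -p can name processes not owned by the current user)
sudo ss -tulnp | awk 'NR>1{print $1, $5, $7}' | sort
# Review anything bound to 0.0.0.0 or [::] rather than 127.0.0.1/[::1];
# each such listener needs a matching, intentional firewall rule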

Desktop Environment

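# Hyprland running
pgrep -a Hyprland && echo "OK" || echo "NOT RUNNING"
# Monitor config and scaling
hyprctl monitors | grep -E 'Monitor|resolution|scale'
# Wayland session (an unset variable is printed as a marker so it is not
# mistaken for an empty-but-valid value)
printf '%s\n' "${XDG_SESSION_TYPE:-<unset>}"
# Expected: wayland
# GPU
nvidia-smi --query-gpu=name,driver_version,memory.total --format=csv,noheader
# Expected: NVIDIA GeForce RTX 5090, 570.xx, 24576 MiB
# (on a mobile part the name may read "... Laptop GPU" — confirm once)
# DRM modesetting
cat /sys/module/nvidia_drm/parameters/modeset
# Expected: Y
# Audio (should NOT show "Dummy Output")
wpctl status | grep -A5 'Sinks:'
# Bluetooth controller present
bluetoothctl show | grep -E 'Name|Powered|Address'
# Key desktop processes (-x: exact process-name match; the name is quoted so
# the shell can never word-split or glob it)
for proc in waybar mako pipewire wireplumber; do
    if pgrep -x "$proc" > /dev/null; then
        echo "✓ $proc"
    else
        echo "✗ $proc MISSING"
    fi
done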

Development Tools

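# Languages
python3 --version && echo "---"
node --version && echo "---"
rustc --version && echo "---"
go version
# Package managers
uv --version && echo "---"
npm --version && echo "---"
cargo --version
# Neovim + config (-f: the init must be a regular file, not merely any path)
nvim --version | head -1
if [[ -f "$HOME/.config/nvim/init.lua" ]]; then
    echo "nvim config: OK"
else
    echo "nvim config: MISSING"
fi
# Claude Code
claude --version 2>/dev/null || echo "Claude Code not installed"
# Git remotes (check first domus repo)
git -C ~/atelier/_bibliotheca/domus-captures remote -v | awk '{print $1, $2}' | sort -u
# Expected: SSH URLs (git@github.com:...); an https URL here would mean
# pushes depend on a stored token rather than the SSH key tested next
# SSH connectivity (GitHub ends the session with exit status 1 even on
# success — the greeting line is the signal, not the status)
ssh -T git@github.com 2>&1 | head -1
# Expected: "Hi <user>! You've successfully authenticated, ..."
# gopass: test gopass itself, not the pipeline. In `gopass ls | head -5 || ...`
# the fallback can never run because a pipeline's status is head's (0).
if entries=$(gopass ls 2>/dev/null); then
    printf '%s\n' "$entries" | head -5
else
    echo "gopass not configured"
fi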

AI Stack

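# Ollama running
systemctl is-active ollama.service
# Expected: active
# Models loaded
ollama list
# Model storage on /home (not root) — match on source, target or mount options
findmnt -rno SOURCE,TARGET,FSTYPE,OPTIONS | grep -F ollama-models || echo "ollama-models volume not mounted"
# API bound to loopback only. Ollama defaults to 127.0.0.1:11434 and has no
# built-in authentication, so a 0.0.0.0/[::] bind exposes it to the network.
ss -tlnp | grep -F ':11434' || echo "ollama API not listening"
# Expected: 127.0.0.1:11434 (a non-loopback bind must be intentional and firewalled)
# Quick inference test
ollama run quick "What is 2+2?" 2>/dev/null | head -1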

Secrets & Credentials

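# GPG key present. Anchor on the record type: an unanchored "sec" also
# matches inside uid strings (e.g. an e-mail containing "security").
gpg --list-secret-keys --keyid-format long 2>/dev/null | grep -c '^sec'
# Expected: at least 1
# SSH private keys (one per identity; .pub files are excluded from the count)
find "$HOME/.ssh" -maxdepth 1 -name 'id_ed25519_*' ! -name '*.pub' | wc -l
# Loose permissions on ~/.ssh (expect 700) or on private keys (expect 600).
# ssh refuses group/world-readable private keys, so expect NO output here.
find "$HOME/.ssh" -maxdepth 1 \( -type d ! -perm 700 \) -o \( -name 'id_*' ! -name '*.pub' ! -perm 600 \)
# Vault SSH cert validity (if issued)
ssh-keygen -L -f ~/.ssh/id_ed25519_vault-cert.pub 2>/dev/null | grep Valid || echo "No Vault SSH cert"
# age identities present; the mode is shown because the file holds private keys (expect 600)
age_id="$HOME/.age/identities"
if [[ -e "$age_id" ]]; then
    echo "age identities: OK (mode $(stat -c %a "$age_id"))"
else
    echo "age identities: MISSING"
fi
# gocryptfs vault: test the mount itself. `ls` on the directory also succeeds
# on the empty, unmounted mountpoint (false "mounted"), and would print the
# names of the credential files to the terminal.
if findmnt -no FSTYPE "$HOME/.credentials" 2>/dev/null | grep -q gocryptfs; then
    echo "gocryptfs: mounted"
else
    echo "gocryptfs: not mounted"
fi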

Network & Connectivity

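# WiFi EAP-TLS connection (active connection whose name contains "domus")
nmcli -t -f NAME,TYPE,DEVICE connection show --active | grep -i domus
# Confirm the active profile actually uses EAP-TLS — the name alone proves nothing
wifi_con=$(nmcli -t -f NAME connection show --active | grep -i -m1 domus)
if [[ -n "$wifi_con" ]]; then
    nmcli -g 802-1x.eap connection show "$wifi_con"
else
    echo "no active domus connection"
fi
# Expected: tls
# DNS resolution
dig +short vault-01.inside.domusdigitalis.dev
# EAP-TLS cert expiration, with an explicit warning when it expires within
# 30 days (2592000 s) so renewal is flagged before the WiFi stops working
eap_cert=/etc/ssl/certs/modestus-p16g-eaptls.pem
if [[ -r "$eap_cert" ]]; then
    openssl x509 -in "$eap_cert" -noout -enddate
    openssl x509 -in "$eap_cert" -noout -checkend 2592000 || echo "WARNING: EAP-TLS cert expires within 30 days"
else
    echo "EAP-TLS cert not found"
fi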

Summary Checklist

Check | Status

No failed systemd services

[ ]

Both kernels boot (mainline + LTS)

[ ]

LUKS unlock works

[ ]

Btrfs subvolumes correct (4 subvols)

[ ]

zram swap active

[ ]

AppArmor enforcing (browsers confined)

[ ]

NVIDIA GPU detected with correct VRAM

[ ]

DRM modesetting enabled

[ ]

Audio output works (not Dummy Output)

[ ]

Bluetooth controller present and powered

[ ]

Hyprland running on Wayland

[ ]

Monitor scaling correct (3.2K OLED)

[ ]

Waybar, Mako, PipeWire running

[ ]

Python, Node, Rust, Go installed

[ ]

Neovim + domus-nvim config loaded

[ ]

Claude Code installed

[ ]

Git SSH connectivity (GitHub)

[ ]

gopass accessible

[ ]

GPG key present

[ ]

Ollama running with models loaded

[ ]

WiFi EAP-TLS active

[ ]

DNS resolving lab hostnames

[ ]

Clean-State Snapshot

After ALL checks pass, take a read-only btrfs snapshot as a known-good rollback point.

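# Evaluate the date once so the snapshot and the note cannot disagree
# (two separate $(date ...) calls could straddle midnight).
snap="fresh-deploy-$(date +%Y%m%d)"
# Read-only snapshot of the root subvolume (@). Nested/separately mounted
# subvolumes — @home, @var_log, @snapshots — are NOT included.
# Fails if a snapshot of the same name already exists (re-run on the same day).
sudo btrfs subvolume snapshot -r / "/.snapshots/$snap"
# Verify the snapshot exists and is read-only (expect "Flags: readonly")
sudo btrfs subvolume show "/.snapshots/$snap" | grep -E 'Name|Flags'
# Document snapshot for reference
echo "Clean deployment snapshot: $snap" >> ~/DEPLOY-NOTES.md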