Personal Tracker: February 2026

Overview

Visual dashboard tracking home enterprise infrastructure projects, learning goals, and personal growth for February 2026.

Projects

In Progress

Project | Description | Status | Notes
k3s Platform | Production k3s cluster on kvm-01 | Active | Prometheus, Grafana, Wazuh deployed
Wazuh Archives | Enable archives indexing in Filebeat | Active | PVC fix pending
kvm-02 Hardware | Supermicro B deployment | Active | Hardware ready, RAM upgrade done


Completed (Feb 2026)

Project | Description | Date
Wazuh SIEM 4.14.3 | k3s deployment, all pods running | 2026-02-23
Vault SSH CA | 8h certs, 9 hosts configured | 2026-02-21
Prometheus + Grafana | Monitoring stack on k3s | 2026-02-23
CLI Mastery Docs | openssl/curl/awk/sed/xargs | 2026-02-26
Vault External TLS | TLS on 10.50.1.60:8200 | 2026-02-20
certmgr-01 → vault-01 | VM rename, DNS, 82 docs updated | 2026-02-20


Planned

Project | Description | Target | Blocked By
Vault HA (3-node) | vault-02, vault-03 on kvm-02 | Q2 2026 (slipped from Q1) | kvm-02 deployment
k3s HA (3-node) | Control plane HA | Q2 2026 (slipped from Q1) | kvm-02 deployment
ArgoCD GitOps | k3s GitOps deployment | After k3s stable | —
MinIO S3 | Object storage for k3s | After ArgoCD | —
Domus Inventory | Personal asset management (YAML + CLI + AsciiDoc) | Q2 2026 | Schema approved

Tasks

BLOCKERS — Fix Immediately

Task | Details | Origin | Days | Impact
Z Fold 7 Termux | gopass and SSH not working | 2026-03-10 | 58 | BLOCKER — Cannot access passwords on mobile
gopass v3 organization | Inconsistent structure, poor key-value usage | 2026-03-20 | 48 | Inefficient password management, no aggregation
Git history scrub — sensitive personal terms | Plaintext references to personal legal matters in committed worklogs (WRKLOG-2026-03-14, WRKLOG-2026-04-18). Forward-fixed but old commits still contain strings. Requires git filter-repo + force-push. See runbook below. | 2026-04-22 | 15 | SECURITY — sensitive terms in public git history

Runbook: Git History Scrub (d000 Personal Terms)

Problem: Two committed worklogs contained plaintext references to personal legal matters. The files have been edited (forward-fix), but git history retains the original text in prior commits.

Affected commits: Any commit touching these files:

# Identify affected commits
git log --oneline -- \
  docs/modules/ROOT/pages/2026/03/WRKLOG-2026-03-14.adoc \
  docs/modules/ROOT/pages/2026/04/WRKLOG-2026-04-18.adoc

Scrub procedure:

# 1. BEFORE: Full backup of the repo
cp -a ~/atelier/_bibliotheca/domus-captures ~/atelier/_bibliotheca/domus-captures.bak

# 2. Install git-filter-repo (if not present)
# Arch: pacman -S git-filter-repo
# pip: pip install git-filter-repo

# 3. Create expressions file for replacement
#    Syntax: the replacement follows "==>"; a line with no "==>" is replaced
#    with ***REMOVED***. Regex rules run in file order against the same blob,
#    so the filename-specific rules go first: if (?i)divorce and (?i)iliana ran
#    first they would rewrite "legal-divorce-notes.age" and "1099-NEC-iliana"
#    before these two rules could match them.
cat > /tmp/scrub-expressions.txt << 'EXPR'
regex:legal-divorce-notes\.age==>legal-notes.age
regex:1099-NEC-iliana==>1099-NEC
regex:(?i)divorce==>[REDACTED]
regex:(?i)dissolutio(?!n\.adoc\.age)==>[REDACTED-LEGAL]
regex:(?i)iliana==>[REDACTED-NAME]
regex:(?i)angulo-arreola==>[REDACTED-NAME]
EXPR

# 4. Verify before (dry run — count matches in history)
git log -p --all -S 'divorce' -- '*.adoc' | grep -c 'divorce' || echo "0 matches"
git log -p --all -S 'iliana' -- '*.adoc' | grep -c 'iliana' || echo "0 matches"

# 5. Run filter-repo (DESTRUCTIVE — rewrites all commit hashes)
git filter-repo --replace-text /tmp/scrub-expressions.txt --force

# 6. Verify after
git log -p --all -S 'divorce' -- '*.adoc' | grep -c 'divorce' || echo "0 matches — CLEAN"
git log -p --all -S 'iliana' -- '*.adoc' | grep -c 'iliana' || echo "0 matches — CLEAN"

# 7. Re-add remotes (filter-repo removes them)
git remote add origin git@github.com:<user>/domus-captures.git
# Add any other remotes (Gitea, etc.)

# 8. Force-push to all remotes (DESTRUCTIVE — overwrites remote history)
git remote | xargs -I{} git push {} main --force

# 9. Clean up
rm /tmp/scrub-expressions.txt
rm -rf ~/atelier/_bibliotheca/domus-captures.bak  # only after verifying

Post-scrub checklist:

  • Backup created before running

  • git filter-repo installed

  • Expressions file reviewed — no false positives (e.g., Don Quijote "Angulo el Malo" is in segunda-parte/texto/texto-011.adoc — the regex targets angulo-arreola specifically to avoid this)

  • Dry-run counts match expectations

  • Filter-repo executed

  • Post-scrub verification shows 0 matches

  • Remotes re-added

  • Force-pushed to all remotes

  • Cloudflare Pages rebuild verified

  • Local clones on other machines re-cloned or git fetch --all && git reset --hard origin/main

  • Backup removed
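The checklist items on reviewing the expressions file and on dry-run counts can be exercised offline before step 5 rewrites anything. The helper below is an added example, not part of the runbook: it mirrors git-filter-repo's documented --replace-text semantics (replacement after "==>", literal rules before regex rules, each kind in file order) against a constructed sample blob, reports every line that would change and every rule that never fires, and shows why the filename-specific rules have to precede the broad (?i)divorce rule.

```python
"""Dry-run a git-filter-repo --replace-text expressions file before step 5.

Mirrors the documented --replace-text semantics (assumed unchanged in the
installed version): a line is a literal unless prefixed with "regex:"; the
replacement follows "==>" and defaults to ***REMOVED***; literal rules are
applied before regex rules, each kind in file order. "glob:" rules are not
handled here.
"""
import re

DEFAULT_REPLACEMENT = b"***REMOVED***"


def parse_expressions(text: bytes):
    """Return (literals, regexes), each a list of (pattern, replacement)."""
    literals, regexes = [], []
    for raw in text.splitlines():
        line = raw.rstrip(b"\r\n")
        replacement = DEFAULT_REPLACEMENT
        if b"==>" in line:
            line, replacement = line.rsplit(b"==>", 1)
        if line.startswith(b"regex:"):
            regexes.append((re.compile(line[6:]), replacement))
            continue
        if line.startswith(b"literal:"):
            line = line[8:]
        if line:
            literals.append((line, replacement))
    return literals, regexes


def dry_run(expressions: bytes, blob: bytes):
    """Apply the rules to one blob in filter-repo order.

    Returns (new_blob, changed, unfired). `changed` pairs each original line
    with its rewritten form for the false-positive review; `unfired` lists
    rules that matched nothing, which is how a wrong separator or a rule
    shadowed by an earlier, broader one shows up. Lines are paired by index,
    so a replacement must not add or remove newlines.
    """
    literals, regexes = parse_expressions(expressions)
    data, unfired = blob, []
    for lit, rep in literals:
        if lit not in data:
            unfired.append(lit)
        data = data.replace(lit, rep)
    for rx, rep in regexes:
        data, n = rx.subn(rep, data)
        if n == 0:
            unfired.append(rx.pattern)
    changed = [(o, w) for o, w in zip(blob.splitlines(), data.splitlines()) if o != w]
    return data, changed, unfired


# Constructed stand-in for a worklog blob as it sits in history.
SAMPLE_BLOB = b"""\
Notes on the Divorce paperwork; see legal-divorce-notes.age.
Tax form 1099-NEC-iliana filed; met with Iliana about it.
Contact: Angulo-Arreola, attorney.
Archive dissolution.adoc.age must keep its name.
Don Quijote: Angulo el Malo appears in texto-011.adoc.
"""

# The runbook's rules with the two filename-specific rules first.
RULES_SPECIFIC_FIRST = rb"""
regex:legal-divorce-notes\.age==>legal-notes.age
regex:1099-NEC-iliana==>1099-NEC
regex:(?i)divorce==>[REDACTED]
regex:(?i)dissolutio(?!n\.adoc\.age)==>[REDACTED-LEGAL]
regex:(?i)iliana==>[REDACTED-NAME]
regex:(?i)angulo-arreola==>[REDACTED-NAME]
"""

# Same rules with the broad (?i)divorce and (?i)iliana rules first: the two
# filename rules then never fire, because their targets were already mangled.
RULES_BROAD_FIRST = rb"""
regex:(?i)divorce==>[REDACTED]
regex:(?i)dissolutio(?!n\.adoc\.age)==>[REDACTED-LEGAL]
regex:(?i)iliana==>[REDACTED-NAME]
regex:(?i)angulo-arreola==>[REDACTED-NAME]
regex:legal-divorce-notes\.age==>legal-notes.age
regex:1099-NEC-iliana==>1099-NEC
"""


def report(expressions: bytes, blob: bytes) -> str:
    """Review text: a -/+ pair per changed line, then every rule that did not fire."""
    _, changed, unfired = dry_run(expressions, blob)
    out = [f"- {o.decode()}\n+ {w.decode()}" for o, w in changed]
    out += [f"UNFIRED: {p.decode()}" for p in unfired]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(RULES_SPECIFIC_FIRST, SAMPLE_BLOB))
    print("--- broad rules first ---")
    print(report(RULES_BROAD_FIRST, SAMPLE_BLOB))
```

--replace-text rewrites blob contents only, so the same terms in commit messages need --replace-message; step 8 pushes only main, so any other branches or tags that still carry the old history need the same force-push.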


Active — Infrastructure

Task | Details | Priority | Status | Due
Wazuh agent deployment | Deploy agents to all infrastructure hosts | P2 | Pending | After archives fix
k3s Platform | Production k3s cluster on kvm-01 | P1 | In Progress | —
Wazuh Archives | Enable archives indexing in Filebeat, PVC fix | P1 | In Progress | —
kvm-02 Hardware | Supermicro B deployment, RAM upgrade done | P1 | In Progress | —


Active — Security & Encryption

Task | Details | Priority | Status | Due
Configure 4th YubiKey | SSH FIDO2 keys | P1 | TODO | —
Cold storage M-DISC backup | age-encrypted archives | P1 | TODO | After YubiKey setup


Active — Development & Tools

Task | Details | Priority | Status | Due
netapi Commercialization | Go CLI rewrite with Cobra-style argument discovery, package for distribution | P0 | Active | —
Ollama API Service | FastAPI (17 endpoints), productize — config audit, doc tools, runbook gen | P0 | Active | —
Shell functions (fe, fec, fef) | File hunting helpers | P3 | TODO | —


Active — Documentation

Task | Details | Priority | Status | Due
D2 Catppuccin Mocha styling | domus-* spoke repos (177 files total) | P3 | In Progress | —


Active — Financial

Task | Details | Priority | Status | Due
Amazon order history import | Download CSV from Privacy Central → parse with awk → populate subscriptions tracker | P1 | Waiting | Pending Amazon data export (requested 2026-04-04)


Active — Education

Task | Details | Priority | Status | Due
No active education tasks — see education trackers


Active — Personal & Life Admin

Task | Details | Priority | Status | Due
ThinkPad T16g Setup | Arch install, stow dotfiles, Ollama stack, netapi dev env | P0 | Pending | —
P50 Arch to Ubuntu migration | CR-2026-03-12 | P2 | In Progress | —
X1 Carbon Ubuntu installs | 2 laptops, LUKS encryption | P2 | In Progress | —
P50 Steam Test | Test Flatpak Steam + apt cleanup of broken i386 packages | P3 | Pending | —


Recurring — Operations

Task | Context | Frequency | Notes
Borg backup verification | Workstation backups | Weekly
SSH cert renewal | vault-ssh-sign | Every 8h | Automated
Vault unseal check | After reboots | As needed
ISE eval backup restore | Cisco ISE 3.4 eval license | Every 90 days | Restore from backup to reset timer
Tracker days update | work/adhoc.adoc, personal/adhoc.adoc | Each worklog


Recurring — Maintenance & Hygiene

Task | Context | Frequency | Notes
Subscriptions tracker review | Audit for cost creep, unused services | Monthly | Subscriptions & Bills
Cancelled services audit | Verify no zombie charges after cancellation | Quarterly
FOSS inventory sync | pacman -Qe reconciliation | Quarterly | Catch drift between system and tracker


Pending — Infrastructure

Task | Details | Blocked By
Vault HA (3-node) | vault-02, vault-03 on kvm-02 | kvm-02 deployment
k3s HA (3-node) | Control plane HA | kvm-02 deployment
ArgoCD GitOps | k3s GitOps deployment | k3s stable
MinIO S3 | Object storage for k3s | After ArgoCD


Pending — Security

Task | Details | Blocked By
SanDisk USB offsite rotation | Backup strategy | Time
Cold storage verification | M-DISC read test | After M-DISC burn
Windows PC Vault PKI migration | EAP-TLS certs | Runbook creation


Pending — Development

Task | Details | Blocked By
OpenClaw evaluation | Deploy on separate machine (security concerns) | Needs dedicated VM


Deferred

Task | Details | Reason | Revisit
ISE HA | PAN HA (ise-01 reconfigure) | Wait until ise-02 stable | After ISE 3.4 migration
ISE 3.5 Migration | Upgrade path: 3.2p9 → 3.4 → 3.5 | After 3.4 completes | Q3 2026
Keycloak Rebuild | keycloak-01 corrupted, rebuild from scratch | Priority P3 — SSO broken but not blocking | When bandwidth allows
FreeIPA HA | ipa-02 replica | SPOF but stable | After Vault HA
AD DC HA | home-dc02 replication | SPOF but stable | After FreeIPA HA
iPSK Manager HA | ipsk-mgr-02 with MySQL replication | Low urgency | After AD HA
Dotfiles Windows sync | winfiles-optimus parity with dotfiles-optimus | Low priority | —


Recently Resolved

Task | Details | Resolved | Notes
domus-captures accuracy sweep | Verify all statistics, indices | 2026-03-16 | Completed
nvim-domus public release | GitHub repo creation | 2026-03-16 | CR
Repository structure audit | Projects vs operations organization | 2026-03-16 | Fixed
Kinesis 360 BT disconnect | Keyboard pairing | 2026-02-27 | Troubleshooting guide
Attributes split | attributes.adoc → home/work/styles | 2026-03-22 | 327 → 94+239+33 lines
Wazuh SIEM 4.14.3 deploy | k3s deployment, all pods running | 2026-02-23 | Completed
Vault SSH CA | 8h certs, 9 hosts configured | 2026-02-21 | Production
Prometheus + Grafana | Monitoring stack on k3s | 2026-02-23 | Production


Ideas — Infrastructure

Inbox

Idea | Context | Category | Captured
BIND secondary DNS | bind-02 for HA (currently SPOF) | infra | 2026-03-22
ipa-02 replica | FreeIPA HA (currently SPOF) | infra | 2026-03-22
Borg backup dashboard | Visualize backup status across hosts | infra | 2026-03-22

Vault HA Cluster

Current Vault is single-node (vault-01). Need 3-node Raft HA cluster for production reliability. Blocked by kvm-02 deployment.

  • vault-01 (10.50.1.60) — existing, leader

  • vault-02 — new, on kvm-02

  • vault-03 — new, on kvm-02

  • Raft storage backend — replicated, no external dependency

  • Auto-unseal via transit or recovery keys

This unblocks: k3s Vault Agent Injector, ArgoCD secrets, certificate auto-renewal at scale. The SPOF risk is real — if vault-01 goes down, SSH certificates stop issuing, PKI breaks, and secrets become inaccessible.

k3s HA Cluster

Current k3s is single control plane. Need 3-node for production:

  • Embedded etcd (3-node quorum)

  • Cilium CNI already deployed — HA-ready

  • MetalLB L2 mode — no changes needed

  • Blocked by: kvm-02 hardware + Vault HA (secrets injection depends on Vault)

Vault Backup to S3

Automated Vault Raft snapshots to MinIO (self-hosted S3). Currently manual snapshots to Synology NAS. Need:

  • MinIO deployed on k3s (depends on k3s HA)

  • Vault cron job for vault operator raft snapshot save

  • Retention policy (7 daily, 4 weekly, 12 monthly)

  • Restore tested and documented
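The retention bullet above, worked through as an added example (not the tracker's or Vault's own code): a planner for the 7 daily / 4 weekly / 12 monthly policy that reads the date from a constructed snapshot name (vault-raft-YYYY-MM-DD.snap, an assumption) and separates deciding what to keep from deleting it, so the plan can be reviewed before any object is removed from MinIO or the NAS.

```python
"""Retention planner for Vault Raft snapshots: 7 daily, 4 weekly, 12 monthly.

Assumes one snapshot per day named vault-raft-YYYY-MM-DD.snap (a constructed
convention; the date is read from the name, not from object metadata). It
only decides what to keep and what to delete, so the plan can be reviewed
before any deletion runs against MinIO or the NAS.
"""
import re
from datetime import date, timedelta

SNAP_RE = re.compile(r"vault-raft-(\d{4})-(\d{2})-(\d{2})\.snap$")


def snapshot_date(name):
    """Date encoded in a snapshot name, or None if the name does not match."""
    m = SNAP_RE.search(name)
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def _newest_per_bucket(dated, key, limit):
    """Newest snapshot in each of the `limit` most recent buckets (weeks or months)."""
    keep, seen = [], []
    for d, name in dated:  # dated is sorted newest first
        bucket = key(d)
        if bucket in seen:
            continue
        if len(seen) == limit:
            break
        seen.append(bucket)
        keep.append(name)
    return keep


def plan_retention(names, daily=7, weekly=4, monthly=12):
    """Return (keep, delete); names that do not parse are left out of both."""
    dated = sorted(((snapshot_date(n), n) for n in names if snapshot_date(n)), reverse=True)
    keep = {n for _, n in dated[:daily]}  # the newest `daily` snapshots
    keep.update(_newest_per_bucket(dated, lambda d: d.isocalendar()[:2], weekly))
    keep.update(_newest_per_bucket(dated, lambda d: (d.year, d.month), monthly))
    delete = [n for _, n in dated if n not in keep]
    return sorted(keep), sorted(delete)


def sample_names(days, end=date(2026, 2, 28)):
    """Constructed listing: one snapshot per day for `days` days ending on `end`."""
    return [f"vault-raft-{end - timedelta(days=i):%Y-%m-%d}.snap" for i in range(days)]


if __name__ == "__main__":
    keep, delete = plan_retention(sample_names(424))
    print(f"keep {len(keep)}, delete {len(delete)}")
    print("\n".join(keep))
```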


Ideas — Development & Tools

Inbox

Idea | Context | Category | Captured
adoc improvements | Add --watch flag, live reload to domus-asciidoc-build | tooling | 2026-03-22
tmux sessionizer | Project-based tmux sessions (like ThePrimeagen) | tooling | 2026-03-22
fzf git integrations | Interactive branch switching, log searching | tooling | 2026-03-22
gopass v3 → ADMINISTRATIO migration | Script to move remaining entries from old structure | tooling | 2026-03-22

netapi Expansion

netapi currently covers ISE (ERS, MnT, DataConnect), pfSense, WLC, Synology, Cloudflare. Three API surfaces are missing and needed:

  • VyOS — replaced pfSense 2026-03-07. Need API integration for config management, firewall rules, VRRP status. VyOS has a REST API on HTTPS.

  • BIND — nsupdate for dynamic DNS, rndc for server control. Critical for infrastructure automation — currently manual.

  • k3s — kubectl wrapper with common patterns (pod status, log tailing, rollout restart). Not a full k8s client — just the operational commands used daily.

Also: batch operations — cross-vendor commands like "backup all configs" or "check all endpoints." This is the glue that makes netapi more than a collection of wrappers.

netapi-tui — Network Operations TUI

Interactive terminal UI for ISE and network infrastructure management. Repo exists (netapi-tui). This is the visual layer on top of netapi — browse endpoints, view sessions, trigger CoA, all from a TUI instead of raw curl.

Could become a differentiator for ISE health check consulting — run it live during an engagement.

domus-cli — Infrastructure Orchestration

SSH-based infrastructure orchestration CLI. Repo exists. The glue between all infrastructure components — run commands across hosts, coordinate deployments, manage the homelab as a fleet.

domus-api — FastAPI Backend

REST API for the domus ecosystem. Repo exists. Could serve: association engine queries, codex search, ISE data proxy, worklog/tracker API for mobile access.

domus-asciidoc-build Enhancements

Standalone build toolchain — validated 2026-04-24. Ideas:

  • --attributes-file flag to auto-load data/shared/attributes.adoc

  • New HTML variants: Dracula, Nord, Solarized, Gruvbox, Tokyo Night

  • Fix Rouge syntax highlighting in royal/dark/light variants (only catppuccin fixed)

  • Interactive features: collapsible sections, search, keyboard navigation

  • --watch mode with live reload

domus-infra-ops Enhancements

296 pages, 529-line antora.yml. The most comprehensive repo. Ideas:

  • Validated Designs need review — 50+ configs, some may be stale post-VyOS migration

  • Runbooks need the partials architecture applied (like we did for data/d001/)

  • ISE runbooks could use the shared prereqs from data/shared/partials/

  • Disaster recovery runbooks — ISE, Vault, k3s, BIND — cross-reference with d001 DR project

  • Ansible playbooks integration — link automation-ops content to infra-ops runbooks

association-engine Expansion

Bidirectional knowledge graph — 379 keys, 602+ edges. Currently YAML-based. Ideas:

  • Web UI for graph visualization (D3.js or Cytoscape)

  • CLI query improvements — traverse depth, path finding

  • Integration with codex entries — auto-link commands to projects

  • Export to D2 diagrams

vim-odyssey

Educational vim game built in Rust. Repo exists. Could become a training product — gamified vim learning. Ties into the training content income stream.

obsidian-asciidoc-viewer

Secure AsciiDoc viewer for Obsidian with native .adoc support, edit mode, diagram rendering. Potential for Obsidian community — plugin marketplace distribution.

instrumentum-nvim

Streamlined Neovim config — the distributable version (separate from domus-nvim personal config). Could be a community project or part of training content.

crypta

Repo exists — purpose unclear. Document or archive.

gopass v3 Restructure

Current gopass structure is inconsistent — some entries use old v2 paths, some use v3 hierarchy. Need to:

  • Audit all entries: gopass ls --flat v3/ | wc -l

  • Apply gopass-personal-docs templates (bills, storage, subscriptions)

  • Add missing queries: gopass-query vehicles, gopass-query insurance, monthly totals

  • Document the structure in domus-secrets-ops


Ideas — Education & Training

Inbox

Idea | Context | Category | Captured
Anki deck from Don Quijote | Extract vocabulary to spaced repetition | language | 2026-03-22
DELE C1 mock exams | Practice test structure — timed writing + oral | language | 2026-03-22
Ruby metaprogramming deep dive | Tracker exists but unexplored — ties to Puppet/Chef understanding | programming | 2026-04-25
TypeScript fundamentals | Tracker exists — needed for Obsidian plugin dev and domus-api frontend | programming | 2026-04-25
C/C++ fundamentals | Trackers exist — systems programming foundation for Rust trajectory | programming | 2026-04-25
Kernel IPC study | Pages exist under education/kernel/ipc — deepen systems understanding | systems | 2026-04-25

CLI Mastery — Curriculum Track

The foundation for everything. Multiple tracks in progress, need consolidation:

  • AWK — tracker exists (awk.adoc). Like regex curriculum — 10 modules, drills. Current level: Intermediate. Need: state machines, multi-file processing, BEGIN/END patterns.

  • sed — tracker exists (sed.adoc). Pattern-based editing mastery. Hold buffer, multiline, in-place with verify-before/after.

  • find — tracker exists (find.adoc). Advanced: -exec sh -c, -print0 | xargs -0, predicate logic, prune.

  • grep — tracker exists (grep.adoc). PCRE lookaheads/lookbehinds, -P patterns.

  • jq — tracker exists (jq.adoc). Path expressions, select, group_by, @csv, reduce.

  • Regex — tracker exists (regex-mastery.adoc, regex-carryover.adoc). Morning carryover item. Foundation for everything.

These should be studied together — each tool reinforces the others. Daily practice: pick one tool, solve one real problem, capture to codex.

Ultimate Linux Shell Scripting Guide

Cloned to ~/atelier/_bibliotheca/community-repos/The-Ultimate-Linux-Shell-Scripting-Guide/. Chapters 6-23. Missing chapters 1-5.

Pairs with the local Bash Reference Manual at /usr/share/doc/bash/bashref.html. Both should be worked through systematically — the guide for practical patterns, the reference for deep understanding.

High priority because CLI mastery compounds into everything: automation, netapi, ISE API work, daily workflow. Two months in, writing interactive loops from memory — next level is state machines, getopts, signal handling, subshell control.

Bash Reference Manual (Local)

/usr/share/doc/bash/bashref.html — already on this machine. The authoritative source. Read section by section, extract patterns to codex. Key sections:

  • Shell Expansions (parameter, command, arithmetic, process substitution)

  • Compound Commands ([[ ]], , for, while, case, select)

  • Shell Builtin Commands (every builtin, what it does, when to use it)

  • Job Control (background, foreground, wait, trap)

  • Bash Variables ($?, $!, $$, $@, $#, BASH_REMATCH)

CISSP Study Activation

Tracker exists at trackers/education/cissp.adoc — 8 domains, all "Not Started." Q3 2026 target is ~2 months away.

Domains 4 (Network), 5 (IAM), 6 (Assessment), 7 (Operations) map directly to CHLA work. Start there.

  • Acquire official study guide + Boson practice exams

  • Create 12-week schedule (1 domain/week + 4 weeks review)

  • Map CHLA experience to each domain for endorsement

  • Daily practice questions (10/day minimum)

RHCSA Certification

Tracker exists (rhcsa.adoc). In progress. Linux administration is daily work — this cert validates it. Complements LPIC-1 (already held) and feeds into LPIC-2.

LPIC-2 Advancement

Tracker exists (lpic-2.adoc). LPIC-1 already held. LPIC-2 covers: capacity planning, kernel, network config, storage, DNS, web servers, file sharing, LDAP, email, security. Directly applicable to homelab infrastructure.

DevNet Associate

Tracker exists (devnet.adoc). Cisco developer certification — Python, APIs, automation. Aligns with netapi development and the automation trajectory at CHLA. The Python + ISE API work you’re doing daily is the study material.

Terraform / IaC

Tracker exists (terraform.adoc). Infrastructure as Code for KVM VMs, Vault config, Cloudflare DNS. Partially implemented in domus-terraform repo. Need to formalize the study track.

Vault / HashiCorp

Tracker exists (vault-hashicorp.adoc). Running Vault HA in production. Deep knowledge exists — need to formalize for potential HashiCorp certification and the PKI consulting income stream.

Python Deepening

Tracker exists (python-fundamentals.adoc). Repo exists (domus-python). Two months into scripting. Current: API integration, DataConnect queries, report generation. Next level: OOP patterns, packaging, testing, type hints. The report.py and qradar-charts.py scripts are the foundation — need to level up from scripts to maintainable tools.

Go CLI Development

Tracker exists (go.adoc). Learn Go via CLI tool development — netapi rewrite target. Cobra-style argument parsing, cross-compilation, single binary distribution. This is the commercialization path for netapi.

Lua / Neovim Plugin Development

Tracker exists (lua.adoc). Plugin development, lazy.nvim patterns. You use nvim daily — understanding Lua unlocks custom tooling. Ties to instrumentum-nvim (distributable config) and domus-nvim (personal config).

Rust

Tracker exists (rust.adoc). Current level: Beginner. vim-odyssey repo exists (Rust game). Long-term investment — systems programming, CLI tools, WASM. Not urgent but compounds over years.

Mathematics

Repo exists (domus-math). Tracker exists (college-algebra.adoc). Mathematics for infrastructure, security, and research computing. Cryptography tracker also exists — PKI work demands understanding of the math underneath.

Languages & Literature

Extensive content exists:

  • Spanish — DELE C1 track (dele-spanish.adoc), SIELE (siele.adoc), writing (spanish-writing.adoc), immersion pages. domus-literature repo.

  • Don Quijote — tracker exists (don-quijote.adoc), full chapter pages in education/literature/quijote/.

  • García Márquez — tracker exists (garcia-marquez.adoc).

  • Scripture — domus-scripture repo. RV1909, KJV, Tanakh. Trackers: la-reina-valera.adoc, tanakh.adoc.

  • Linguistics — tracker exists, pages exist.

  • Latin — current level A2 per skill levels.

Music

  • Violin — tracker exists (violin.adoc). domus-musica repo.

  • Cello — tracker exists (cello.adoc).

Container & Kubernetes Deepening

Tracker exists (containers.adoc, k8s-fundamentals.adoc). Running k3s + Cilium + ArgoCD in homelab. Need to formalize: CKA preparation, Helm chart development, operator patterns. Ties to the k3s HA infrastructure idea.

DNS / BIND Mastery

Tracker exists (dns-bind.adoc). Running BIND in production — split-horizon, DNSSEC, RPZ content filtering. Formalize the knowledge for the infrastructure consulting offering.


Ideas — Documentation

Inbox

Idea | Context | Category | Captured
Antora search fix | Lunr index too large — explore alternatives | docs | 2026-03-22
domus-* cross-reference audit | Find and fix broken xrefs across all repos | docs | 2026-03-22
Runbook template standardization | Consistent format across all runbooks | docs | 2026-03-22


Ideas — Personal & Creative

Inbox

Idea | Context | Category | Captured
LilyPond → PDF pipeline | Automate music notation compilation | music | 2026-03-22
age encryption workflow doc | Document full workflow for cold storage | security | 2026-03-22

Income Diversification

Full assessment in .drafts/income-streams-assessment-2026-04-24.adoc. 19-repo skill surface analyzed. Four tiers identified:

  • Tier 1 (now): ISE health checks, compliance documentation, pentest remediation consulting

  • Tier 2 (build once): Runbook templates, training content (operational ISE), PKI/secrets consulting

  • Tier 3 (recurring): SIEM migration services, threat hunting playbooks, observability buildouts

  • Tier 4 (longer): Full security architecture consulting, NAC-to-microsegmentation bridge, vCISO

The reframe: security infrastructure architect, not ISE engineer. The 5-10 year NAC transition period is where the consulting money is.

Next step: pick 1 Tier 1 offering and define scope, deliverable, price. ISE health checks are the fastest — remote, half-day, repeatable.


  • Validated Designs need review — 50+ configs, some may be stale post-VyOS migration

  • Runbooks need the partials architecture applied (like we did for data/d001/)

  • ISE runbooks could use the shared prereqs from data/shared/partials/

  • Disaster recovery runbooks — ISE, Vault, k3s, BIND — cross-reference with d001 DR project

  • Ansible playbooks integration — link automation-ops content to infra-ops runbooks

association-engine Expansion

Bidirectional knowledge graph — 379 keys, 602+ edges. Currently YAML-based. Ideas:

  • Web UI for graph visualization (D3.js or Cytoscape)

  • CLI query improvements — traverse depth, path finding

  • Integration with codex entries — auto-link commands to projects

  • Export to D2 diagrams

vim-odyssey

Educational vim game built in Rust. Repo exists. Could become a training product — gamified vim learning. Ties into the training content income stream.

obsidian-asciidoc-viewer

Secure AsciiDoc viewer for Obsidian with native .adoc support, edit mode, diagram rendering. Potential for Obsidian community — plugin marketplace distribution.

instrumentum-nvim

Streamlined Neovim config — the distributable version (separate from domus-nvim personal config). Could be a community project or part of training content.

crypta

Repo exists — purpose unclear. Document or archive.

gopass v3 Restructure

Current gopass structure is inconsistent — some entries use old v2 paths, some use v3 hierarchy. Need to:

  • Audit all entries: gopass ls --flat v3/ | wc -l

  • Apply gopass-personal-docs templates (bills, storage, subscriptions)

  • Add missing queries: gopass-query vehicles, gopass-query insurance, monthly totals

  • Document the structure in domus-secrets-ops


Ideas — Education & Training

Inbox

Idea | Context | Category | Captured
Anki deck from Don Quijote | Extract vocabulary to spaced repetition | language | 2026-03-22
DELE C1 mock exams | Practice test structure — timed writing + oral | language | 2026-03-22
Ruby metaprogramming deep dive | Tracker exists but unexplored — ties to Puppet/Chef understanding | programming | 2026-04-25
TypeScript fundamentals | Tracker exists — needed for Obsidian plugin dev and domus-api frontend | programming | 2026-04-25
C/C++ fundamentals | Trackers exist — systems programming foundation for Rust trajectory | programming | 2026-04-25
Kernel IPC study | Pages exist under education/kernel/ipc — deepen systems understanding | systems | 2026-04-25

CLI Mastery — Curriculum Track

The foundation for everything. Multiple tracks in progress, need consolidation:

  • AWK — tracker exists (awk.adoc). Like regex curriculum — 10 modules, drills. Current level: Intermediate. Need: state machines, multi-file processing, BEGIN/END patterns.

  • sed — tracker exists (sed.adoc). Pattern-based editing mastery. Hold buffer, multiline, in-place with verify-before/after.

  • find — tracker exists (find.adoc). Advanced: -exec sh -c, -print0 | xargs -0, predicate logic, prune.

  • grep — tracker exists (grep.adoc). PCRE lookaheads/lookbehinds, -P patterns.

  • jq — tracker exists (jq.adoc). Path expressions, select, group_by, @csv, reduce.

  • Regex — tracker exists (regex-mastery.adoc, regex-carryover.adoc). Morning carryover item. Foundation for everything.

These should be studied together — each tool reinforces the others. Daily practice: pick one tool, solve one real problem, capture to codex.

Ultimate Linux Shell Scripting Guide

Cloned to ~/atelier/_bibliotheca/community-repos/The-Ultimate-Linux-Shell-Scripting-Guide/. Chapters 6-23. Missing chapters 1-5.

Pairs with the local Bash Reference Manual at /usr/share/doc/bash/bashref.html. Both should be worked through systematically — the guide for practical patterns, the reference for deep understanding.

High priority because CLI mastery compounds into everything: automation, netapi, ISE API work, daily workflow. Two months in, writing interactive loops from memory — next level is state machines, getopts, signal handling, subshell control.

Bash Reference Manual (Local)

/usr/share/doc/bash/bashref.html — already on this machine. The authoritative source. Read section by section, extract patterns to codex. Key sections:

  • Shell Expansions (parameter, command, arithmetic, process substitution)

  • Compound Commands ([[ ]], for, while, case, select)

  • Shell Builtin Commands (every builtin, what it does, when to use it)

  • Job Control (background, foreground, wait, trap)

  • Bash Variables ($?, $!, $$, $@, $#, BASH_REMATCH)

CISSP Study Activation

Tracker exists at trackers/education/cissp.adoc — 8 domains, all "Not Started." Q3 2026 target is ~2 months away.

Domains 4 (Network), 5 (IAM), 6 (Assessment), 7 (Operations) map directly to CHLA work. Start there.

  • Acquire official study guide + Boson practice exams

  • Create 12-week schedule (1 domain/week + 4 weeks review)

  • Map CHLA experience to each domain for endorsement

  • Daily practice questions (10/day minimum)

RHCSA Certification

Tracker exists (rhcsa.adoc). In progress. Linux administration is daily work — this cert validates it. Complements LPIC-1 (already held) and feeds into LPIC-2.

LPIC-2 Advancement

Tracker exists (lpic-2.adoc). LPIC-1 already held. LPIC-2 covers: capacity planning, kernel, network config, storage, DNS, web servers, file sharing, LDAP, email, security. Directly applicable to homelab infrastructure.

DevNet Associate

Tracker exists (devnet.adoc). Cisco developer certification — Python, APIs, automation. Aligns with netapi development and the automation trajectory at CHLA. The Python + ISE API work you’re doing daily is the study material.

Terraform / IaC

Tracker exists (terraform.adoc). Infrastructure as Code for KVM VMs, Vault config, Cloudflare DNS. Partially implemented in domus-terraform repo. Need to formalize the study track.

Vault / HashiCorp

Tracker exists (vault-hashicorp.adoc). Running Vault HA in production. Deep knowledge exists — need to formalize for potential HashiCorp certification and the PKI consulting income stream.

Python Deepening

Tracker exists (python-fundamentals.adoc). Repo exists (domus-python). Two months into scripting. Current: API integration, DataConnect queries, report generation. Next level: OOP patterns, packaging, testing, type hints. The report.py and qradar-charts.py scripts are the foundation — need to level up from scripts to maintainable tools.

Go CLI Development

Tracker exists (go.adoc). Learn Go via CLI tool development — netapi rewrite target. Cobra-style argument parsing, cross-compilation, single binary distribution. This is the commercialization path for netapi.

Lua / Neovim Plugin Development

Tracker exists (lua.adoc). Plugin development, lazy.nvim patterns. You use nvim daily — understanding Lua unlocks custom tooling. Ties to instrumentum-nvim (distributable config) and domus-nvim (personal config).

Rust

Tracker exists (rust.adoc). Current level: Beginner. vim-odyssey repo exists (Rust game). Long-term investment — systems programming, CLI tools, WASM. Not urgent but compounds over years.

Mathematics

Repo exists (domus-math). Tracker exists (college-algebra.adoc). Mathematics for infrastructure, security, and research computing. Cryptography tracker also exists — PKI work demands understanding of the math underneath.

Languages & Literature

Extensive content exists:

  • Spanish — DELE C1 track (dele-spanish.adoc), SIELE (siele.adoc), writing (spanish-writing.adoc), immersion pages. domus-literature repo.

  • Don Quijote — tracker exists (don-quijote.adoc), full chapter pages in education/literature/quijote/.

  • García Márquez — tracker exists (garcia-marquez.adoc).

  • Scripture — domus-scripture repo. RV1909, KJV, Tanakh. Trackers: la-reina-valera.adoc, tanakh.adoc.

  • Linguistics — tracker exists, pages exist.

  • Latin — current level A2 per skill levels.

Music

  • Violin — tracker exists (violin.adoc). domus-musica repo.

  • Cello — tracker exists (cello.adoc).

Container & Kubernetes Deepening

Tracker exists (containers.adoc, k8s-fundamentals.adoc). Running k3s + Cilium + ArgoCD in homelab. Need to formalize: CKA preparation, Helm chart development, operator patterns. Ties to the k3s HA infrastructure idea.

DNS / BIND Mastery

Tracker exists (dns-bind.adoc). Running BIND in production — split-horizon, DNSSEC, RPZ content filtering. Formalize the knowledge for the infrastructure consulting offering.


Ideas — Documentation

Inbox

Idea | Context | Category | Captured
Antora search fix | Lunr index too large — explore alternatives | docs | 2026-03-22
domus-* cross-reference audit | Find and fix broken xrefs across all repos | docs | 2026-03-22
Runbook template standardization | Consistent format across all runbooks | docs | 2026-03-22


Ideas — Personal & Creative

Inbox

Idea | Context | Category | Captured
LilyPond → PDF pipeline | Automate music notation compilation | music | 2026-03-22
age encryption workflow doc | Document full workflow for cold storage | security | 2026-03-22

Income Diversification

Full assessment in .drafts/income-streams-assessment-2026-04-24.adoc. 19-repo skill surface analyzed. Four tiers identified:

  • Tier 1 (now): ISE health checks, compliance documentation, pentest remediation consulting

  • Tier 2 (build once): Runbook templates, training content (operational ISE), PKI/secrets consulting

  • Tier 3 (recurring): SIEM migration services, threat hunting playbooks, observability buildouts

  • Tier 4 (longer): Full security architecture consulting, NAC-to-microsegmentation bridge, vCISO

The reframe: security infrastructure architect, not ISE engineer. The 5-10 year NAC transition period is where the consulting money is.

Next step: pick 1 Tier 1 offering and define scope, deliverable, price. ISE health checks are the fastest — remote, half-day, repeatable.

Education Tracks Overview

Literature

Track | Description | Status | Progress
Don Quijote | Cervantes' masterwork in original Spanish | ACTIVE | Primera Parte Ch 33/52
García Márquez | Colombian magical realism | In Progress | Cien años de soledad
La Reina Valera | Biblical literature in classical Spanish | In Progress | Pentateuco + Evangelios

Languages

Track | Description | Status | Progress
DELE C1/C2 | Instituto Cervantes Spanish certification | ACTIVE | Conectores phase
SIELE | Computer-based proficiency (modular) | Planning | 0%
Redacción Español | Formal writing skills | In Progress | Essays + conectores
Latin | Classical Latin for etymology, scientific/legal terminology | Planning | 0%

Mathematics

Track | Description | Status | Progress
College Algebra | Foundation for calculus (LaTeX textbook) | ACTIVE | Ch 1/8

Certifications

Track | Description | Status | Progress
RHCSA 9 | Red Hat Certified System Administrator | ACTIVE | Ch 1-2 / 20
CISSP | ISC² Security Professional | Planning | 0/8 domains
DevNet Associate | Cisco Developer Network | Planning | netapi = portfolio
LPIC-1 | Linux Professional (101/102) | Planning | After RHCSA
LPIC-2 | Linux Professional (201/202) | Planning | After LPIC-1

Programming

Track | Description | Status | Progress
Python | Automation, CLI, API development | In Progress | netapi development
Ruby | Metaprogramming and DSLs | PARKED | 0%
C++ | Systems programming foundation | Planning | Future

Systems & Tools

Track | Description | Status | Progress
Terminal Mastery | CLI patterns, shell efficiency | DONE | 100%
Vim Mastery | Neovim expertise | In Progress | Codex + daily use
Regex Mastery | Pattern matching across contexts | In Progress | BRE/ERE done, PCRE learning
CLI Mastery | Advanced patterns: awk, sed, jq, find, xargs | ACTIVE | Daily deliberate practice
Kubernetes | Container orchestration (k3s) | In Progress | Cluster deployed

Music

Track | Description | Status | Progress
Violin | Classical violin, Heifetz-inspired | In Progress | Scales + études
Cello | Secondary instrument | Planning | Future

Sciences

Track | Description | Status | Progress
Applied Cryptography | PKI, TLS, secrets management | In Progress | Vault PKI production

Humanities

Track | Description | Status | Progress
Philosophy | Biblical and classical traditions | In Progress | Wisdom literature
History | Context for technology and culture | Planning | Via literature
Linguistics | Language science for Spanish mastery | In Progress | Syntax + morphology

Track Status Legend

Status | Meaning
ACTIVE | Currently working on (limit to 3-4 max)
In Progress | Started, working intermittently
Planning | Study plan created, not started
PARKED | Deliberately paused (priority shift)
DONE | Completed, may revisit for mastery

Quick Stats

Active | In Progress | Planning | Parked | Done
5 | 9 | 9 | 1 | 1

Total tracks: 25

Category Quick Reference

Category | Tracks
Literature | don-quijote, garcia-marquez, la-reina-valera
Languages | dele-spanish, siele, spanish-writing, latin
Mathematics | college-algebra
Certifications | rhcsa, cissp, devnet, lpic-1, lpic-2
Programming | python-fundamentals, ruby-metaprogramming, cpp-fundamentals
Systems/Tools | terminal-mastery, vim-mastery, regex-mastery, cli-mastery, k8s-fundamentals
Music | violin, cello
Sciences | cryptography
Humanities | philosophy, history, linguistics

Infrastructure Summary

For complete infrastructure inventory with IPs and hostnames, see domus-infra-ops: architecture/infrastructure-inventory.adoc

Category | Services | Status
Identity | AD, FreeIPA, Keycloak | Active
PKI/Secrets | Vault (PKI, SSH CA, KV) | Active
Network | pfSense, BIND DNS | Active
Storage | Synology NAS, Borg | Active
Compute | kvm-01, kvm-02 (planned) | Active
Kubernetes | k3s + Cilium + Traefik | Active
Observability | Prometheus, Grafana, Wazuh | Active

Legend

Color | Meaning
Red | Active/In Progress
Green | Completed
Purple | Planned
Orange | Infrastructure
Pink | Personal Growth

Arrow | Meaning
Solid | Active workflow
Dashed | Dependencies
Animated | Current focus