Domus Digitalis

Production home enterprise network with 802.1X EAP-TLS, Zero Trust segmentation, HashiCorp Vault PKI, k3s Kubernetes, Wazuh SIEM, and full API automation.

15 documentation components • 1100+ pages • Built with Antora

Infrastructure Accomplishments

Area | Achievement | Status
802.1X EAP-TLS | Full certificate-based authentication on wired and wireless networks using Vault PKI | Production
HashiCorp Vault | PKI CA (DOMUS-ROOT-CA/ISSUING-CA), SSH CA (8h certs), secrets management | Production
k3s Kubernetes | Single-node cluster with Cilium CNI, MetalLB, NFS provisioner, Vault Agent | Production
Wazuh SIEM 4.14.3 | Security monitoring, log aggregation, threat detection on k3s | Production
Prometheus + Grafana | Metrics collection, dashboards, AlertManager on k3s | Production
Cloudflare Pages | Automated documentation deployment with Cloudflare Access protection | Production
netapi CLI | Unified automation for ISE, VyOS, WLC, Vault, Synology, Wazuh | Production
dsec Secrets | Age-encrypted secrets with domain isolation, YubiKey integration | Production

Documentation Components

Component | Description | Pages
Infrastructure Operations | Runbooks, Vault PKI/SSH CA, backup/DR, k3s, KVM, VyOS HA, AD, services | 255
netapi CLI | Network automation CLI: ISE (ERS, MnT, DataConnect, pxGrid), VyOS, WLC, Vault, Synology, Wazuh | 230
Linux Operations | Command mastery: AWK, grep, jq, xargs, sed, kubectl patterns, CTF tools | 192
Work Chronicles | Daily worklogs, session captures, deployment runbooks, reference materials | 176
ISE Operations | Cisco ISE 3.4 deployment, policies, profiling, AD integration, RADIUS | 78
Linux EAP-TLS | 802.1X methodology: wpa_supplicant, NetworkManager, certificates, ISE policy | 55
Secrets Management | dsec/SOPS/age encryption, gopass v3, YubiKey GPG, gocryptfs vaults | 31
Python Operations | Python tools: biz, geodist, sinkctl, httpstat, epoch, jpp, uv scripts | 23
Observability | Prometheus, Grafana, AlertManager, Loki: metrics and dashboards | 23
SIEM Operations | Wazuh 4.14.3, QRadar AQL, Sentinel KQL, threat detection queries | 22
Windows EAP-TLS | Windows 802.1X: GPO, TEAP, certificates, PowerShell enrollment | 15
Identity & SSO | Keycloak, SAML, OIDC federation, FreeIPA, AD integration | 15
Automation | GitOps templates, Ansible patterns, Terraform modules | 12
Windows Operations | PowerShell, WSL, Windows Server, certificate management | 11

Quick Navigation

Quick Start

  • Network Credentials

  • ISE Sessions

  • Switch 802.1X

  • Vault PKI

  • SSH CA

# Load network environment
dsource d000 dev/network
# Check active 802.1X sessions
netapi ise mnt sessions
# Check switch access sessions
netapi ios exec "show access-session"
# Issue workstation certificate
netapi vault pki-issue workstation.inside.domusdigitalis.dev --role domus-workstation
# Sign SSH key (8h cert)
vault-ssh-sign
# Test all hosts
vault-ssh-test
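The workstation certificate issued above is only useful if the authenticator accepts it, and EAP-TLS acceptance hinges on three things the RADIUS server checks before any policy is evaluated: the certificate chains through ISSUING-CA to the trusted DOMUS-ROOT-CA, it carries the ClientAuth extended key usage, and it is inside its validity window. The following Go program is an added example, not code from the Domus Digitalis project or its netapi CLI: it builds a stand-in two-tier hierarchy with the same CA names, issues a leaf the way a Vault role would, and runs those checks against a good certificate and three certificates that must be rejected (server-auth only, expired, and issued by a CA outside the hierarchy). The ECDSA key type, the CA lifetimes, and the 8-hour leaf lifetime (borrowed from the SSH CA setting on this page) are assumptions; the real domus-workstation role defines its own parameters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caPair is a CA certificate together with its signing key.
type caPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// Extended key usages as the authenticator sees them: EAP-TLS requires ClientAuth.
var (
	ekuClient = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ekuServer = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
)

// newCA creates a self-signed CA when parent is nil, otherwise a subordinate CA
// signed by parent. Key type and the 5-year lifetime are assumptions for this demo.
func newCA(cn string, parent *caPair, serial int64) (*caPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caPair{cert: cert, key: key}, nil
}

// BuildPKI stands in for the two-tier Vault hierarchy: DOMUS-ROOT-CA signs ISSUING-CA.
func BuildPKI() (root, issuing *caPair, err error) {
	if root, err = newCA("DOMUS-ROOT-CA", nil, 1); err != nil {
		return nil, nil, err
	}
	if issuing, err = newCA("ISSUING-CA", root, 2); err != nil {
		return nil, nil, err
	}
	return root, issuing, nil
}

// CheckWorkstation issues a leaf certificate for cn from issuer, then verifies it
// the way an 802.1X authenticator does: it must chain to the trusted root, carry
// the ClientAuth EKU, and be within its validity window. On success it returns
// the length of the chain that was built (leaf, issuing CA, root = 3).
func CheckWorkstation(root, issuer *caPair, cn string, eku []x509.ExtKeyUsage, notBefore, notAfter time.Time) (int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil {
		return 0, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	// Only DOMUS-ROOT-CA is trusted; the issuer is an untrusted intermediate that
	// the supplicant would send in its TLS Certificate message.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(issuer.cert)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     ekuClient, // the authenticator's requirement, not the leaf's claim
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	root, issuing, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	now, cn := time.Now(), "workstation.inside.domusdigitalis.dev"
	n, err := CheckWorkstation(root, issuing, cn, ekuClient, now.Add(-time.Minute), now.Add(8*time.Hour))
	fmt.Println("valid workstation cert: chain length", n, "err:", err)
	_, err = CheckWorkstation(root, issuing, cn, ekuServer, now.Add(-time.Minute), now.Add(8*time.Hour))
	fmt.Println("server-auth-only cert rejected:", err)
	_, err = CheckWorkstation(root, issuing, cn, ekuClient, now.Add(-9*time.Hour), now.Add(-time.Hour))
	fmt.Println("expired cert rejected:", err)
	rogue, _ := newCA("ROGUE-CA", nil, 99) // an issuer outside the Vault hierarchy
	_, err = CheckWorkstation(root, rogue, cn, ekuClient, now.Add(-time.Minute), now.Add(8*time.Hour))
	fmt.Println("cert from untrusted CA rejected:", err)
}
```

The point of the rogue-CA case is that the intermediate pool is not a trust decision: ISSUING-CA is accepted only because it chains to the single root the authenticator trusts, which is why the root is what gets loaded into ISE's trusted certificate store and the issuing CA can be rotated without touching it.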

Key Technologies

Technology | Purpose | Status
Cisco ISE 3.4 | RADIUS/NAC: EAP-TLS, dACLs, profiling, AD integration | Production
HashiCorp Vault | PKI CA, SSH CA (8h certs), secrets engine | Production
k3s | Single-node Kubernetes: Cilium CNI, MetalLB, NFS storage | Production
Wazuh 4.14.3 | SIEM: security monitoring, log aggregation, threat detection | Production
Prometheus + Grafana | Metrics collection, visualization, alerting | Production
VyOS HA | Dual-node VRRP firewall, NAT, DHCP, zones (replaced pfSense 2026-03-07) | Production
Cisco C9800-CL | Wireless LAN Controller with 802.1X | Production
Cisco C9300 | IBNS 2.0 switch with device-tracking | Production
netapi | Unified CLI for ISE, VyOS, WLC, Vault, Synology, Wazuh | Production
dsec | Age-encrypted secrets with domain isolation | Production

Infrastructure Overview

Zone | Systems | IP range
Management | VyOS HA (×2), BIND (×2), KVM (×2) | 10.50.1.1-99
Security | Vault (×3), ISE (×2), iPSK Manager | 10.50.1.20-69
Identity | Windows DC, FreeIPA, Keycloak | 10.50.1.50-89, 100-109
Network | C9300, 3560CX, C9800-WLC | 10.50.1.10-49
Kubernetes | k3s masters (×3), workers (×3) | 10.50.1.120-129
MetalLB VIPs | Traefik, Prometheus, Grafana, Wazuh | 10.50.1.130-140
Storage | Synology NAS, Gitea | 10.50.1.70-79

Contact

Evan Modestus - Home Enterprise Network

Built with Antora | Powered by netapi | Secured by Vault