Infrastructure Operations

Domus Digitalis infrastructure documentation - runbooks, recovery procedures, automation, and architecture for a production home enterprise network.

802.1X EAP-TLS • Zero Trust • HashiCorp Vault PKI • netapi Automation

Section | Description
--- | ---
netapi Automation | NEW - Unified API automation framework for all infrastructure
dsec Secrets Management | NEW - Age-encrypted secrets with domain isolation
Infrastructure Diagrams | Visual architecture diagrams (D2 source files)
Current Roadmap | Active infrastructure backup and security roadmap
Vault Troubleshooting | CRITICAL - Fix renewal failures before certs expire
Backup Runbook | Step-by-step infrastructure backup procedure
Research Workstation | Linux workstation 802.1X EAP-TLS deployment pattern

Infrastructure Overview

See Infrastructure Diagrams for full visual documentation.

Domus Digitalis Infrastructure - VyOS HA / 6-Node k3s / Cilium BGP
Table 1. Active Systems

System | IP | Hypervisor | Status
--- | --- | --- | ---
vyos-01 (Master) | 10.50.1.2 | kvm-01 | Active - VyOS HA Firewall (VRRP VIP: 10.50.1.1)
vault-01 | 10.50.1.60 | kvm-01 | Active - Vault PKI + SSH CA
ise-01 | 10.50.1.20 | kvm-01 | Active - ISE 3.4 RADIUS/NAC
home-dc01 | 10.50.1.50 | kvm-01 | Active - AD DS / GPO / Kerberos
bind-01 (Primary) | 10.50.1.90 | kvm-01 | Active - Authoritative DNS (AXFR master)
bind-02 (Secondary) | 10.50.1.91 | kvm-02 | Active - DNS HA (AXFR slave)
k3s-master-01 | 10.50.1.120 | kvm-01 | Active - Kubernetes (Cilium + Vault Agent)
keycloak-01 | 10.50.1.80 | kvm-01 | Active - SAML/OIDC IdP
ipsk-manager | 10.50.1.30 | kvm-01 | Active - iPSK Self-Service Portal
ipa-01 | 10.50.1.100 | kvm-01 | Active - FreeIPA (Linux auth)
9800-CL-WLC | 10.50.1.40 | kvm-01 | Active - Wireless Controller (Primary)
vyos-02 (Backup) | 10.50.1.3 | kvm-02 | Active - VyOS HA Firewall (VRRP Backup)
ise-02 | 10.50.1.21 | kvm-02 | Active - ISE 3.4 HA Secondary
9800-WLC-02 | 10.50.1.41 | kvm-02 | Active - WLC HA Standby (SSO)
kvm-01 | 10.50.1.110 | Physical | Active - Supermicro A (Hypervisor)
kvm-02 | 10.50.1.111 | Physical | Active - Supermicro B (Hypervisor)
nas-01 | 10.50.1.70 | Physical | Active - Synology DS1821+ (48TB)
3560CX-01 | 10.50.1.10 | Physical | Active - 802.1X Access Switch

Document Structure

Tools

Automation frameworks and utilities for infrastructure operations:

  • netapi - Unified CLI for all infrastructure APIs (ISE, VyOS, Gitea, Keycloak, etc.)

  • dsec - Age-encrypted secrets management with domain isolation

  • Integration patterns and best practices

Roadmaps

Long-term planning documents organized by year and month. Each roadmap tracks:

  • Action items with priorities

  • Checklists for completion tracking

  • Notes and discoveries

Projects

Discrete work items with defined scope and completion criteria:

  • Dr. Shahab Linux Workstation

  • HashiCorp Vault Sub-CA

  • Future projects…

Runbooks

Step-by-step operational procedures:

  • Backup procedures

  • Disaster recovery

  • Security validation

Incidents

Post-incident reviews and lessons learned.

Reviews

Periodic infrastructure reviews and audits.

Backup Status

Check current backup health:

# Load credentials with dsec
DSEC_SECURITY_MODE=permissive eval $(dsec source d000 dev/network)

# Check backup status with netapi
netapi synology backup-status --detailed

See netapi Integration and dsec Integration for complete automation documentation.

Version History

Version | Date | Changes
--- | --- | ---
2026.01 | 2026-01-24 | Initial structure, backup roadmap, YubiKey validation