Infrastructure Diagrams

Overview

All diagrams are maintained as separate D2 source files so that each can be edited, reviewed and rendered independently in CI/CD.

Diagram Files Location
modules/ROOT/images/diagrams/
├── network-topology.d2          # Complete infrastructure
├── vlan-segmentation.d2         # Security zones
├── eaptls-authentication-flow.d2 # 802.1X flow
├── linux-auth-architecture.d2   # wpa_supplicant vs NetworkManager
├── identity-services.d2         # ISE/AD/Keycloak
├── infrastructure-overview.d2   # High-level overview
├── backup-flow.d2               # Backup workflow
├── pki-hierarchy.d2             # Certificate chain
└── certbot-renewal-flow.d2      # Certbot automation

Infrastructure Overview

Full topology of Domus Digitalis infrastructure including security, PKI, wireless, compute, and switching layers.

[Diagram: Infrastructure Overview]

Table 1. Key Systems

System        | IP          | Role
pfSense-01    | 10.50.1.1   | Firewall/Router
ISE-02 (PAN)  | 10.50.1.21  | RADIUS/NAC (Primary Admin Node)
Keycloak-01   | 10.50.1.80  | SAML/OIDC IdP (Docker)
home-dc01     | 10.50.1.50  | AD DS / DNS (CA deprecated)
certmgr-01    | 10.50.1.60  | Vault PKI / Let’s Encrypt
9800-CL-WLC   | 10.50.1.40  | Wireless Controller
KVM-01        | 10.50.1.99  | Hypervisor (supermicro300-9d1)
NAS-01        | 10.50.1.70  | Synology Backups
iPSK-Mgr-01   | 10.50.1.30  | iPSK Portal

Backup Flow

Shows how netapi CLI commands flow from operator workstation through infrastructure systems to NAS storage.

[Diagram: Backup Flow]

Backup Commands Quick Reference

# Full infrastructure backup
netapi ise backup --upload-nas
netapi wlc backup --upload-nas
netapi pfsense backup --upload-nas
netapi ios backup --all --upload-nas
netapi kvm backup --all --upload-nas
netapi keycloak backup --upload-nas

# Check backup status
netapi synology backup-status --detailed

PKI Hierarchy

Certificate authority chain showing AD CS (internal) and Let’s Encrypt (external) trust paths.

[Diagram: PKI Hierarchy]

Table 2. Certificate Types

Type                     | Issuer                | Use Cases
Internal (AD CS)         | HOME-ROOT-CA          | ISE Admin, EAP-TLS, pxGrid
External (Let’s Encrypt) | ISRG Root X1          | Guest Portal, WLC WebUI, iPSK Manager
Planned (Vault)          | HOME-ROOT-CA (signed) | Automated internal issuance

certmgr-01 is a single point of failure for Let’s Encrypt certificates. See Certmgr Troubleshooting for known issues.

Certbot Renewal Flow

Shows the Certbot renewal process with DNS-01 challenge via Cloudflare API, including known error states.

[Diagram: Certbot Renewal Flow]

Table 3. Current Known Issues

Certificate                       | Issue                                                                     | Status
guest.domusdigitalis.dev          | Cloudflare credentials path wrong (/root/.secrets/ vs /home/ansible/.secrets/) | CRITICAL
kvm-01.inside.domusdigitalis.dev  | DNS NXDOMAIN for _acme-challenge TXT record                               | CRITICAL
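
A pre-flight script for the two failure modes in Table 3, added here as an example and not part of the page's netapi tooling. It assumes certbot's standard renewal layout (one *.conf per certificate carrying a dns_cloudflare_credentials key), that it is run as the same user certbot runs as, and that dig is installed for the live zone check.

```shell
# Pre-flight checks for the DNS-01 renewal path in Table 3 (added example, not
# part of the page's netapi tooling). Assumes certbot renewal configs are *.conf
# files using the standard 'dns_cloudflare_credentials' key, and 'dig' exists.

# creds_path_from_conf CONF: print the credentials path named in a renewal conf
creds_path_from_conf() {
  sed -n 's/^[[:space:]]*dns_cloudflare_credentials[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# check_creds FILE: 0 if FILE exists, is private (mode 600/400) and holds a token
check_creds() {
  f="$1"
  [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f is mode $mode, expected 600 (certbot warns on wider perms)" >&2; return 1 ;;
  esac
  grep -q '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f" ||
    { echo "no dns_cloudflare_api_token in $f" >&2; return 1; }
}

# check_renewal_conf CONF: 0 if the credentials file the conf points at is usable
check_renewal_conf() {
  p=$(creds_path_from_conf "$1")
  [ -n "$p" ] || { echo "$1: no dns_cloudflare_credentials key" >&2; return 1; }
  check_creds "$p"
}

# check_all_renewals DIR: exit status = number of certs whose check fails (0 = ok)
check_all_renewals() {
  fails=0
  for conf in "$1"/*.conf; do
    [ -e "$conf" ] || continue
    check_renewal_conf "$conf" || fails=$((fails + 1))
  done
  return "$fails"
}

# check_acme_zone HOST: live query; 0 if a zone above _acme-challenge.HOST answers
# NS (one cause of the kvm-01 NXDOMAIN is a hostname outside any delegated zone)
check_acme_zone() {
  name="_acme-challenge.$1"
  while [ "$name" != "${name#*.}" ]; do
    name=${name#*.}
    [ -n "$(dig +short NS "$name")" ] && { echo "zone for $1: $name"; return 0; }
  done
  echo "no delegated zone found for $1" >&2; return 1
}
```

Run check_all_renewals /etc/letsencrypt/renewal from the certbot user before a renewal window; a wrong path or wrong owner surfaces here rather than in the failed cron log.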

Network Topology (Complete)

Comprehensive view of all infrastructure including KVM hypervisor, VMs, physical devices, and client connectivity.

[Diagram: Network Topology]

Table 4. Complete Device Inventory

Device        | IP             | VLAN | Role
pfSense-01    | 10.50.1.1      | 100  | Firewall/Router/DNS
ISE-01        | 10.50.1.20     | 100  | Shut down (stale config, do not start)
ISE-02 (PAN)  | 10.50.1.21     | 100  | Primary Admin Node / PSN / MnT
9800-WLC-01   | 10.50.1.40     | 100  | Wireless Controller
home-dc01     | 10.50.1.50     | 100  | AD DS / DNS / DHCP
certmgr-01    | 10.50.1.60     | 100  | Vault PKI / Let’s Encrypt
NAS-01        | 10.50.1.70     | 100  | Synology Backups
NAS-02        | 10.50.1.71     | 100  | Synology NAS (secondary)
Gitea-01      | 10.50.1.70     | 100  | Gitea (on NAS-01)
Keycloak-01   | 10.50.1.80     | 100  | SAML/OIDC IdP (Docker)
KVM-01        | 10.50.1.99     | 100  | Hypervisor (supermicro300-9d1)
KVM-01-LAN    | 192.168.1.181  | —    | KVM Host LAN interface
IPMI-01       | 10.50.1.200    | 100  | KVM Host IPMI/BMC
3560CX-01     | 10.50.1.10     | 100  | 802.1X Switch
iPSK-Mgr-01   | 10.50.1.30     | 100  | iPSK Portal
iPSK-Mgr-02   | 10.50.1.31     | 100  | iPSK Manager (secondary)
modestus-p50  | 10.50.40.100   | 40   | Linux Workstation

VLAN Segmentation

Security zones with inter-VLAN routing through pfSense (default deny policy).

[Diagram: VLAN Segmentation]

Table 5. VLAN Configuration

VLAN | Name          | Subnet        | Purpose
100  | Management    | 10.50.1.0/24  | Infrastructure devices only
10   | Data          | 10.50.10.0/24 | Authenticated workstations
20   | Voice         | 10.50.20.0/24 | VoIP/Video (QoS)
30   | Guest         | 10.50.30.0/24 | Guest portal (internet only)
40   | Research/IoT  | 10.50.40.0/24 | Linux workstations, IoT
999  | Critical Auth | —             | Auth failure fallback

802.1X EAP-TLS Authentication Flow

Complete authentication flow from Linux client through NAD to ISE with certificate validation.

[Diagram: EAP-TLS Flow]

Table 6. Authentication Steps

Step | Action                                     | Protocol
1    | Client initiates EAPOL-Start               | EAPOL
2    | Client sends identity (CN from cert)       | EAP-Identity
3    | TLS handshake begins                       | EAP-TLS
4    | ISE validates cert chain against ROOT CA   | TLS/CRL
5    | ISE sends Access-Accept with VLAN + dACL   | RADIUS
6    | Port authorized, DHCP proceeds             | DHCP

Linux Authentication Architecture

Comparison of wpa_supplicant (current) vs NetworkManager (target of the Dr. Shahab migration).

[Diagram: Linux Auth Architecture]

Dr. Shahab NetworkManager migration is DUE TOMORROW (2026-01-25). See Project Documentation.

Table 7. wpa_supplicant vs NetworkManager

Feature            | wpa_supplicant          | NetworkManager
Configuration      | Manual config files     | nmcli or GUI
Credential Storage | Plaintext in conf       | GNOME Keyring (encrypted)
Service Management | Separate systemd units  | Single NetworkManager.service
Enterprise Support | Full 802.1X             | Full 802.1X
Use Case           | Servers, headless       | Desktop, workstations

Identity Services Architecture

Complete identity infrastructure including ISE, AD, Keycloak, and iPSK integration.

[Diagram: Identity Services]

Table 8. Authentication Methods Supported

Method       | Protocol | Use Case
EAP-TLS      | 802.1X   | Linux workstations (certificate auth)
EAP-PEAP     | 802.1X   | Windows devices (username/password)
MAB          | RADIUS   | Printers, legacy devices
iPSK         | WPA2-PSK | Guests, IoT (identity-based PSK)
Guest Portal | Web Auth | Visitors (VLAN 30)

Diagram Source Files

All diagrams are written in the D2 language and rendered via Kroki.

Example: Editing Infrastructure Overview

# Edit diagram
vim modules/ROOT/images/diagrams/infrastructure-overview.d2

# Preview locally (requires d2 CLI)
d2 infrastructure-overview.d2 infrastructure-overview.svg

# Or use Kroki API
curl -X POST https://kroki.io/d2/svg \
  --data-binary @infrastructure-overview.d2 \
  -o infrastructure-overview.svg

D2 Styling Reference

# Color palette (Catppuccin Mocha)
style: {
  fill: "#1a1a2e"       # Dark background
  stroke: "#f5a623"     # Orange accent (ops theme)
  font-color: "#e0e0e0" # Light text
}

# Status colors
stroke: "#50fa7b"  # Green - OK
stroke: "#ffb347"  # Orange - Warning
stroke: "#ff5252"  # Red - Critical
stroke: "#6c7086"  # Gray - Planned/Disabled

Adding New Diagrams

  1. Create the D2 file in modules/ROOT/images/diagrams/

  2. Add an include block to the relevant page:

     [d2,diagram-name,svg]
     ....
     include::../images/diagrams/diagram-name.d2[]
     ....

  3. Build the HTML to verify rendering

  4. Commit both the .d2 source and the page updates
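
A CI consistency check for the include convention above, added here as an example and not part of the page's build. It assumes only the layout shown on the page: D2 sources in one directory and pages that embed them with include::../images/diagrams/NAME.d2[] under a [d2,NAME,svg] block header.

```shell
# CI consistency check for the diagram workflow above (added example, not part
# of the page's build). Assumes the layout shown on the page: D2 sources in one
# directory, pages embedding them with include::../images/diagrams/NAME.d2[].

# included_diagrams PAGES_DIR: names (without .d2) that at least one page includes
included_diagrams() {
  grep -rho 'include::\.\./images/diagrams/[A-Za-z0-9_-]*\.d2\[\]' "$1" 2>/dev/null |
    sed 's|.*/diagrams/||; s|\.d2\[\]$||' | sort -u
}

# source_diagrams DIAGRAMS_DIR: names (without .d2) of every D2 source file
source_diagrams() {
  for f in "$1"/*.d2; do
    [ -e "$f" ] || continue
    b=${f##*/}; printf '%s\n' "${b%.d2}"
  done | sort -u
}

# orphan_diagrams DIAGRAMS_DIR PAGES_DIR: sources no page includes (stale files)
orphan_diagrams() {
  inc=$(included_diagrams "$2")
  for n in $(source_diagrams "$1"); do
    printf '%s\n' "$inc" | grep -qx -e "$n" || printf '%s\n' "$n"
  done
}

# missing_diagrams DIAGRAMS_DIR PAGES_DIR: includes with no source (build breaks)
missing_diagrams() {
  for n in $(included_diagrams "$2"); do
    [ -e "$1/$n.d2" ] || printf '%s\n' "$n"
  done
}

# mismatched_headers PAGES_DIR: includes whose [d2,NAME,svg] header names another diagram
mismatched_headers() {
  grep -rh -B2 'include::\.\./images/diagrams/' "$1" 2>/dev/null | awk '
    /^\[d2,/ { split($0, a, ","); hdr = a[2] }
    /include::/ { n = $0; sub(/.*\/diagrams\//, "", n); sub(/\.d2.*$/, "", n)
                  if (hdr != "" && hdr != n) print n " (header says " hdr ")"; hdr = "" }'
}

# check_diagrams DIAGRAMS_DIR PAGES_DIR: report every inconsistency; nonzero if any
check_diagrams() {
  o=$(orphan_diagrams "$1" "$2"); m=$(missing_diagrams "$1" "$2"); h=$(mismatched_headers "$2")
  [ -z "$o" ] || printf 'orphan (no page includes it): %s\n' "$o" >&2
  [ -z "$m" ] || printf 'missing source: %s\n' "$m" >&2
  [ -z "$h" ] || printf 'header/include mismatch: %s\n' "$h" >&2
  [ -z "$o" ] && [ -z "$m" ] && [ -z "$h" ]
}
```

Wire check_diagrams modules/ROOT/images/diagrams modules/ROOT/pages into the pipeline step that runs before the HTML build so step 4 cannot land a source without its include, or an include without its source.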