Infrastructure Diagrams

Overview

Each diagram lives in its own D2 source file so it can be edited, reviewed and rendered independently in CI without touching the others.

Diagram Files Location
modules/ROOT/images/diagrams/
├── infrastructure-radial-v6.d2      # CURRENT STATE (WLC HA SSO, ISE HA, VLAN migration)
├── network-discovery-flow-v16.d2    # VPC-style infrastructure layout (compact)
├── vault-enterprise-architecture.d2 # Vault current vs target state
├── vault-ha-topology.d2             # Vault HA cluster with Raft
├── vyos-ha-topology.d2              # VyOS firewall HA with VRRP
├── vyos-k8s-bgp.d2                  # VyOS + Cilium BGP peering
├── backup-flow.d2                   # Backup workflow
├── network-topology.d2              # Complete infrastructure
├── vlan-segmentation.d2             # Security zones
├── eaptls-authentication-flow.d2    # 802.1X flow
├── linux-auth-architecture.d2       # wpa_supplicant vs NetworkManager
├── identity-services.d2             # ISE/AD/Keycloak
├── pki-hierarchy.d2                 # Certificate chain
└── certbot-renewal-flow.d2          # Certbot automation

Archived (.archive/):
├── infrastructure-radial-v5.d2      # Superseded (single WLC, no ISE HA)
├── infrastructure-radial-v3.d2      # Superseded (pfSense era)
├── infrastructure-radial-v4.d2      # Superseded (draft VyOS)
├── infrastructure-radial-v2.d2      # Superseded by v3
├── infrastructure-radial.d2         # Original (no version)
├── infrastructure-ha-compact.d2     # Unused HA variant
└── infrastructure-ha-complete.d2    # Unused HA variant

Infrastructure Overview (Current State)

Current topology with VyOS HA firewall, WLC HA (SSO), ISE HA (Primary/Secondary PAN), 6-node k3s cluster, and Cilium BGP.

Domus Digitalis Infrastructure - Current State
Table 1. Key Architecture Components
|===
|Component |Configuration

|Firewall |VyOS HA (VRRP) - vyos-01 Master, vyos-02 Backup
|k3s Cluster |3 masters + 3 workers (etcd HA)
|CNI |Cilium (VXLAN mode, Hubble enabled)
|LoadBalancer |Cilium BGP (AS 65001) advertising 10.50.1.128/28
|Hypervisors |kvm-01 (128GB) + kvm-02 (64GB)
|VLANs |Infrastructure: 100=INFRA, 110=SECURITY, 120=SERVICES
|Client VLANs |10=DATA, 20=VOICE, 30=GUEST, 40=IOT, 999=QUARANTINE
|===

Infrastructure Topology (VPC-Style)

AWS VPC-style nested layout showing all infrastructure zones with HA clusters and cross-zone connections.

Domus Digitalis Infrastructure - VPC Style Layout

Complete Infrastructure Inventory

Current Systems (Active)

|===
|System |IP |Hypervisor |Role

|vyos-01 (Master) |10.50.1.2 |kvm-01 |VyOS HA Firewall (VRRP VIP: 10.50.1.1)
|vault-01 |10.50.1.60 |kvm-01 |Vault PKI + SSH CA
|ise-01 |10.50.1.20 |kvm-01 |ISE 3.4 RADIUS/NAC
|home-dc01 |10.50.1.50 |kvm-01 |AD DS / GPO / Kerberos
|bind-01 (Primary) |10.50.1.90 |kvm-01 |Authoritative DNS (AXFR master)
|bind-02 (Secondary) |10.50.1.91 |kvm-02 |DNS HA (AXFR slave)
|k3s-master-01 |10.50.1.120 |kvm-01 |Kubernetes (Cilium + Vault Agent)
|keycloak-01 |10.50.1.80 |kvm-01 |SAML/OIDC IdP
|ipsk-manager |10.50.1.30 |kvm-01 |iPSK Self-Service Portal
|ipa-01 |10.50.1.100 |kvm-01 |FreeIPA (Linux auth)
|9800-CL-WLC |10.50.1.40 |kvm-01 |Wireless Controller (Primary)
|vyos-02 (Backup) |10.50.1.3 |kvm-02 |VyOS HA Firewall (VRRP Backup)
|ise-02 |10.50.1.21 |kvm-02 |ISE 3.4 HA Secondary
|9800-WLC-02 |10.50.1.41 |kvm-02 |WLC HA Standby (SSO)
|kvm-01 |10.50.1.110 |Physical |Supermicro A (Hypervisor)
|kvm-02 |10.50.1.111 |Physical |Supermicro B (Hypervisor)
|nas-01 |10.50.1.70 |Physical |Synology DS1821+ (48TB)
|3560CX-01 |10.50.1.10 |Physical |802.1X Access Switch
|===

Planned Systems (kvm-02 Expansion)

|===
|System |IP |Hypervisor |Purpose

|KVM-02 |10.50.1.111 |Physical |Supermicro B - Second Hypervisor
|IPMI-02 |10.50.1.201 |BMC |KVM-02 out-of-band management
|vault-02 |10.50.1.61 |kvm-02 |Vault HA (Raft follower)
|vault-03 |10.50.1.62 |kvm-02 |Vault HA (Raft follower)
|k3s-master-02 |10.50.1.121 |kvm-02 |k3s control plane HA
|k3s-master-03 |10.50.1.122 |kvm-02 |k3s control plane HA
|k3s-worker-01 |10.50.1.123 |kvm-01 |k3s worker (workloads)
|k3s-worker-02 |10.50.1.124 |kvm-02 |k3s worker (workloads)
|k3s-worker-03 |10.50.1.125 |kvm-02 |k3s worker (workloads)
|bind-02 |10.50.1.91 |kvm-02 |DNS Secondary
|ipa-02 |10.50.1.101 |kvm-02 |FreeIPA Replica (LDAP HA)
|vyos-02 |10.50.1.3 |kvm-02 |VyOS Router HA (VRRP backup)
|ISE-02 (Secondary) |10.50.1.21 |kvm-02 |ISE HA Secondary
|9800-WLC-02 |10.50.1.41 |kvm-02 |WLC HA Standby (SSO)
|home-dc02 |10.50.1.51 |kvm-02 |AD Secondary DC
|eve-ng-01 |10.50.1.150 |kvm-01 |EVE-NG CE - heavy topologies (FMC, ISE, NX-OS)
|eve-ng-ws |localhost |Razer workstation |EVE-NG CE - lightweight labs (multi-vendor, R&S, API)
|===

KVM-02 itself, vyos-02, ise-02, 9800-WLC-02 and bind-02 also appear under Current Systems and are already deployed; the remaining rows are the target layout for the host.

IP Allocation Plan (MGMT: 10.50.1.0/24)

|===
|IP Range |Purpose |Status

|10.50.1.1-3 |Gateway (VyOS HA) |Allocated (.1=VIP, .2=vyos-01, .3=vyos-02)
|10.50.1.10-19 |Network Devices (Switches) |Allocated (3560CX, C9300)
|10.50.1.20-29 |Identity Services (ISE HA) |Allocated (ise-01, ise-02)
|10.50.1.30-39 |iPSK Manager (HA) |Allocated (ipsk-mgr-01/02)
|10.50.1.40-49 |Wireless (WLC, APs) |Allocated (9800-CL-WLC, 9800-WLC-02)
|10.50.1.50-59 |Domain Controllers (AD DS) |Allocated (home-dc01/02)
|10.50.1.60-69 |PKI & Secrets (Vault HA) |Allocated (vault-01/02/03)
|10.50.1.70-79 |Storage & Git |Allocated (NAS, Gitea, MinIO)
|10.50.1.80-89 |IdP/SSO (Keycloak) |Allocated (keycloak-01/02)
|10.50.1.90-99 |DNS (BIND) |Allocated (bind-01/02)
|10.50.1.100-109 |LDAP/Directory (FreeIPA) |Allocated (ipa-01/02)
|10.50.1.110-111 |Hypervisors |Allocated (kvm-01=.110, kvm-02=.111)
|10.50.1.112-119 |Reserved for Expansion |Available
|10.50.1.120-125 |k3s Cluster Nodes |Allocated (3 masters + 3 workers)
|10.50.1.128-143 |Cilium BGP LB Pool |Allocated (10.50.1.128/28)
|10.50.1.144-149 |Reserved for Growth |Available
|10.50.1.150-159 |EVE-NG Lab Infrastructure |Allocated (.150=eve-ng-01 on kvm-01)
|10.50.1.160-199 |Reserved for Growth |Available
|10.50.1.200-201 |IPMI/OOB Management |Allocated (ipmi-01/02)
|===

The gateway row previously had vyos-01 and vyos-02 swapped; vyos-01 is 10.50.1.2 and vyos-02 is 10.50.1.3 everywhere else on this page. Note that ipmi-01/02 share the flat 10.50.1.0/24 with every server, the k3s nodes and the client gateway, so the BMC web and IPMI-over-LAN interfaces are reachable from anything in INFRA; restrict them to an admin host in the zone policy or move them to a dedicated OOB segment.

KVM Hypervisor Distribution

KVM-01 (Supermicro A) - Active

Table 2. Current VM Inventory
|===
|VM |vCPU |RAM |Role

|vyos-01 |4 (pinned 0-3) |4GB |VyOS HA Master (VRRP + Zone Firewall + BGP)
|home-dc01 |2 (pinned 4-5) |4GB |AD DS / GPO / Kerberos
|ise-01 |4 (pinned 6-9) |16GB |ISE 3.4 RADIUS/NAC
|9800-CL-WLC |4 (pinned 10-13) |16GB |Wireless Controller
|vault-01 |1 |1GB |Vault PKI + SSH CA
|k3s-master-01 |4 |8GB |Kubernetes (Cilium CNI)
|ipsk-manager |2 |4GB |iPSK Self-Service Portal
|keycloak-01 |2 |4GB |SAML/OIDC IdP
|bind-01 |2 |2GB |Authoritative DNS
|ipa-01 |2 |4GB |FreeIPA (Linux auth)
|===

Total: 27 vCPU, 63GB RAM. Host has 6C/12T and 128GB RAM, so vCPUs are oversubscribed 2.25:1. The pin sets above span logical CPUs 0-13, but a 6C/12T host only exposes 0-11, so either the core count or the 9800-CL-WLC pinning is misstated; confirm with `virsh vcpupin <domain>` before adding more VMs, since ISE and the WLC are the guests most sensitive to CPU starvation.

KVM-02 (Supermicro B) - Planned

Table 3. Planned VM Distribution
|===
|VM |vCPU |RAM |Purpose |Status

|ise-02 |4 |12GB |ISE 3.5 (temp primary) |Deployed
|ipsk-mgr-02 |2 |4GB |iPSK Self-Service Portal HA |Planned
|vault-02 |2 |4GB |Vault HA (Raft follower) |Deployed
|vault-03 |2 |4GB |Vault HA (Raft follower) |Deployed
|home-dc02 |2 |4GB |AD DS Secondary |Planned
|bind-02 |1 |2GB |DNS Secondary (AXFR slave) |Deployed
|ipa-02 |2 |4GB |FreeIPA Replica (LDAP HA) |Planned
|vyos-02 |2 |2GB |VyOS Router HA (VRRP backup) |Deployed
|k3s-master-02 |4 |8GB |k3s HA control plane |Planned
|k3s-master-03 |4 |8GB |k3s HA control plane |Planned
|k3s-worker-01 |4 |8GB |k3s workloads |Planned
|k3s-worker-02 |4 |8GB |k3s workloads |Planned
|k3s-worker-03 |4 |8GB |k3s workloads |Planned
|9800-WLC-02 |4 |16GB |WLC HA Standby (SSO) |Deployed
|===

Deployed rows: 15 vCPU, 40GB RAM. Everything as listed: 41 vCPU, 92GB RAM, against kvm-02's 64GB (Table 1). The inventory and Table 10 place k3s-worker-01 on kvm-01; even without it the plan needs 84GB, so the k3s nodes cannot all land on kvm-02 without more memory or smaller allocations.

Backup Architecture

Backup Flow

NAS Storage Structure

Naming convention: {service}_backups where service is the actual service name.

Table 4. Active Backup Shares
|===
|Share |Purpose |netapi Command

|/ise_backups |ISE configuration exports |netapi ise backup
|/wlc_backups |WLC running-config |netapi wlc backup
|/firewall_backups |VyOS config export |netapi vyos backup
|/switch_backups |IOS running-config |netapi ios backup
|/kvm_backups |VM disk images (qcow2) |netapi kvm backup
|/vault_backups |Vault Raft snapshots |netapi vault backup
|/borg_backups |Workstation Borg repos |Borg client
|===

Table 5. Planned Shares (k3s)
|===
|Share |Purpose |NFS Export

|/k3s |k3s PersistentVolumes (runtime) |Yes (10.50.1.120-125)
|/k3s_backups |k3s etcd snapshots |No (backup target)
|===

Legacy shares like /Backups, /Network_Backup_Files, /NetBackup exist but are deprecated. Use the {service}_backups naming convention for new shares. Treat every share as sensitive: switch and VyOS configs carry RADIUS shared secrets, BGP/VRRP passwords and password hashes, ISE exports are only as strong as the encryption key chosen at export time, and qcow2 images contain whole disks. Restrict share access to the backup account and the operators who restore.

Backup Commands Reference

Infrastructure Backup Commands
# Infrastructure Backup Commands Reference
# Include with: include::example$backup-commands-reference.sh[]
# Requires: subs=attributes+ for 10.50.1.10 substitution

# Load credentials
dsource d000 dev/network   # ISE, VyOS, WLC, switches
dsource d000 dev/vault     # Vault
dsource d000 dev/storage   # Synology NAS

# ========================================================================
# NETWORK INFRASTRUCTURE
# ========================================================================
# ISE configuration backup
netapi ise backup --upload-nas
netapi ise backup --output /tmp/ise-$(date +%Y%m%d).tar.gz

# WLC configuration backup
netapi wlc backup --upload-nas
netapi wlc backup --output /tmp/wlc-$(date +%Y%m%d).txt

# VyOS configuration backup
netapi vyos backup --upload-nas
netapi vyos backup --output /tmp/vyos-$(date +%Y%m%d).conf

# Cisco switch backups (all configured switches)
netapi ios backup --all --upload-nas
netapi ios backup --host 10.50.1.10 --output /tmp/3560cx-$(date +%Y%m%d).txt

# ========================================================================
# SECRETS & PKI
# ========================================================================
# Vault Raft snapshot (from vault-01)
vault operator raft snapshot save /tmp/vault-$(date +%Y%m%d).snap
scp /tmp/vault-*.snap nas-01:/vault_backups/

# Manual Vault backup with netapi (if implemented)
# netapi vault backup --upload-nas

# ========================================================================
# IDENTITY SERVICES
# ========================================================================
# Keycloak realm export (via container). Assumes /opt/keycloak/data inside the
# container is the bind mount of /volume1/docker/keycloak/data on the NAS, so
# the export lands where the copy below reads it.
ssh nas-01 "docker exec keycloak /opt/keycloak/bin/kc.sh export \
  --dir /opt/keycloak/data/export --realm domus"
# /Backups is a deprecated legacy share; move this to a keycloak_backups share
# once one exists.
ssh nas-01 "cp /volume1/docker/keycloak/data/export/* /volume1/Backups/keycloak/"

# FreeIPA backup (on ipa-01)
ssh ipa-01 "sudo ipa-backup --data --logs"

# ========================================================================
# VIRTUALIZATION
# ========================================================================
# KVM VM disk backup (large - run off-hours)
netapi kvm backup --all --upload-nas
netapi kvm backup --vm vault-01 --output /mnt/onboard-ssd/backups/

# ========================================================================
# BACKUP STATUS
# ========================================================================
# Check all backup freshness
netapi synology backup-status --detailed

# Check specific system backups
netapi synology backup-list ise
netapi synology backup-list vyos
netapi synology backup-list vault

Backup schedule:

|===
|System |Frequency |Notes

|ISE |Daily |Config changes trigger immediate backup
|VyOS |Daily |Plus before/after any rule changes
|WLC |Weekly |Unless AP changes made
|Switches |Weekly |Unless config changes
|Vault |Daily |Raft snapshot to NAS
|KVM VMs |Weekly |Full disk images (off-hours)
|Keycloak |Weekly |Realm export only
|FreeIPA |Weekly |Data + logs
|Workstations |Continuous |Borg with hourly snapshots
|===
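The schedule only helps if a missed run is noticed. The script below is an added example, not part of netapi: it looks at the newest file in each {service}_backups share and compares its age with the schedule (36h for daily shares, 192h for weekly, one missed run of grace), treating an empty or absent share as a failure because a job that never writes anything is the usual way backups silently stop. It assumes the shares are mounted under a hypothetical BACKUP_ROOT and uses GNU find and date.

```shell
#!/usr/bin/env bash
# Freshness check for the {service}_backups shares against the schedule above.
# Added example, not netapi's own code. Assumes the NAS shares are mounted
# under BACKUP_ROOT (hypothetical path); needs GNU find and date.
set -u

BACKUP_ROOT="${BACKUP_ROOT:-/mnt/nas-01}"   # assumption: /volume1/*_backups mounted here

# Epoch mtime of the newest regular file under a directory, empty if none.
newest_mtime() {
  find "$1" -type f -printf '%T@\n' 2>/dev/null | sort -n | tail -n 1 | cut -d. -f1
}

# check_share DIR MAX_AGE_HOURS
# Prints one status line. Returns 0 when fresh, 1 when stale, 2 when the share
# is missing or holds no files (a silently broken job looks exactly like this).
check_share() {
  local dir=$1 max_h=$2 name newest age_h
  name=$(basename "$dir")
  newest=$(newest_mtime "$dir")
  if [ -z "$newest" ]; then
    printf 'MISSING  %-18s no backup files\n' "$name"
    return 2
  fi
  age_h=$(( ($(date +%s) - newest) / 3600 ))
  if [ "$age_h" -gt "$max_h" ]; then
    printf 'STALE    %-18s newest %sh old, limit %sh\n' "$name" "$age_h" "$max_h"
    return 1
  fi
  printf 'OK       %-18s newest %sh old, limit %sh\n' "$name" "$age_h" "$max_h"
  return 0
}

# Walk the schedule. Non-zero if any share is stale or missing, so the exit
# status can gate a cron mail or feed a monitoring check.
check_all() {
  local rc=0
  check_share "$BACKUP_ROOT/ise_backups"      36  || rc=1   # daily
  check_share "$BACKUP_ROOT/firewall_backups" 36  || rc=1   # daily
  check_share "$BACKUP_ROOT/vault_backups"    36  || rc=1   # daily
  check_share "$BACKUP_ROOT/wlc_backups"      192 || rc=1   # weekly
  check_share "$BACKUP_ROOT/switch_backups"   192 || rc=1   # weekly
  check_share "$BACKUP_ROOT/kvm_backups"      192 || rc=1   # weekly
  return "$rc"
}

# Run the sweep when the mount is present; harmless when sourced elsewhere.
if [ -d "$BACKUP_ROOT" ]; then
  check_all || true
fi
```

Run it from cron on the NAS or on a host with the shares mounted; the per-share limits encode the table above, so a share moved from weekly to daily needs its limit lowered here too.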

Vault HA Topology

Three-node Vault cluster with Raft consensus for high availability. Raft needs a majority, so three voters tolerate the loss of one. With only two hypervisors one of them necessarily hosts two voters; in this layout that is kvm-02, so the cluster survives losing kvm-01 but not kvm-02 (vault-01 alone cannot elect a leader and stops serving requests). Decide deliberately which host is allowed to fail before treating this as HA.

Vault HA Cluster Topology
Table 6. Vault Cluster Nodes
|===
|Node |IP |Hypervisor |Status

|vault-01 |10.50.1.60 |kvm-01 |Active (Leader)
|vault-02 |10.50.1.61 |kvm-02 |Planned (Raft follower)
|vault-03 |10.50.1.62 |kvm-02 |Planned (Raft follower)
|===

VyOS Firewall HA Topology

VyOS VRRP high availability with master/backup failover across hypervisors.

VyOS Firewall HA Topology
Table 7. VyOS HA Nodes
|===
|Node |IP |Priority |Role

|vyos-01 |10.50.1.2 |200 |Master (kvm-01)
|vyos-02 |10.50.1.3 |100 |Backup (kvm-02)
|VIP |10.50.1.1 |- |Virtual Gateway
|===

Clients use VIP (10.50.1.1) as their gateway. VRRP handles failover transparently.
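The VRRP side of Table 7 as it would look on vyos-01 in VyOS 1.4 syntax, added here as an example rather than this site's exported configuration. The page fixes eth0, the addresses and the priorities; the group and sync-group names, a WAN uplink on eth2 for interface tracking, and the shared secret are assumptions. Two details matter for a firewall pair in particular: the sync-group, so every VLAN gateway fails over as a unit, and conntrack-sync, so established sessions survive the move instead of being dropped by the stateful zone policy on the new master.

```vyos
# VyOS 1.4 VRRP for the MGMT gateway on vyos-01 (priority 200, per Table 7).
# Added example, not the site's config. Assumptions: eth0 carries 10.50.1.0/24
# (as the page states), eth2 is the WAN uplink, names and secret are made up.

set interfaces ethernet eth0 address '10.50.1.2/24'

set high-availability vrrp group MGMT vrid '1'
set high-availability vrrp group MGMT interface 'eth0'
set high-availability vrrp group MGMT address '10.50.1.1/24'
set high-availability vrrp group MGMT priority '200'
set high-availability vrrp group MGMT advertise-interval '1'
# Take the VIP back when vyos-01 returns, but wait 30s so a flapping node
# does not bounce the gateway.
set high-availability vrrp group MGMT preempt-delay '30'
# Unicast peering: keepalived then only honours advertisements from the
# configured peer instead of anything that joins the multicast group.
set high-availability vrrp group MGMT hello-source-address '10.50.1.2'
set high-availability vrrp group MGMT peer-address '10.50.1.3'
# VRRP simple authentication is weak, but it stops casual VIP takeover from
# a host on the segment. Use a real secret, not this placeholder.
set high-availability vrrp group MGMT authentication type 'plaintext-password'
set high-availability vrrp group MGMT authentication password 'CHANGE-ME'
# Demote if the upstream link drops so the master is always the node with WAN.
set high-availability vrrp group MGMT track interface 'eth2'

# Sync group: add one VRRP group per client/service VLAN and put them all
# here, so clients never get a gateway that no longer routes to the others.
set high-availability vrrp sync-group GW member 'MGMT'

# conntrack-sync replicates firewall state to the backup so established
# flows survive a failover through the stateful zone policy.
set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync failover-mechanism vrrp sync-group 'GW'
set service conntrack-sync interface eth0 peer '10.50.1.3'

# vyos-02 is identical except: address 10.50.1.3/24, priority 100,
# hello-source-address 10.50.1.3, peer-address 10.50.1.2, conntrack peer 10.50.1.2.
```

After a failover, `show vrrp` and `show conntrack-sync external-cache` on the new master confirm both that it holds the VIP and that it received the session table; if the second is empty, clients will see every existing TCP connection reset even though the gateway moved cleanly.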

VyOS + k3s BGP Architecture

Cilium BGP Control Plane (AS 65001) peering with VyOS (AS 65000) for LoadBalancer IP advertisement.

VyOS + k3s Cilium BGP Architecture
Table 8. BGP Peering Summary
|===
|Component |ASN |Role |Peers

|vyos-01 |65000 |Route receiver |All 6 k3s nodes
|vyos-02 |65000 |Route receiver (backup) |All 6 k3s nodes
|Cilium (per node) |65001 |Route advertiser |vyos-01, vyos-02
|===

Table 9. LoadBalancer IP Pool
|===
|Attribute |Value

|CIDR |10.50.1.128/28
|Range |10.50.1.128 - 10.50.1.143
|Advertisement |BGP from Cilium to VyOS
|===

This replaces MetalLB L2 mode. With L2 a single node answers ARP for each service IP and failover depends on gratuitous ARP being honoured; with BGP every node hosting the service announces the /32, VyOS load-balances across them with ECMP, and a dead node's route is withdrawn when its session drops.
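The VyOS side of Tables 8 and 9 in VyOS 1.4 syntax, added as an example and not the site's configuration; the peer-group, policy names and MD5 secret are assumptions, while the ASNs, node addresses and pool come from the tables. The security-relevant part is the import filter: a k3s node is a BGP speaker on the management segment, so VyOS must accept nothing from it except host routes inside 10.50.1.128/28, otherwise a compromised or misconfigured node could announce a default route, the VIP, or 10.50.1.0/24 itself and pull traffic through the cluster.

```vyos
# VyOS 1.4 eBGP to the six Cilium speakers (AS 65001), accepting only the
# LoadBalancer pool. Added example, not the exported config; names and the
# password are placeholders.

set protocols bgp system-as '65000'
set protocols bgp parameters router-id '10.50.1.2'

# Only /32s carved from the LB pool are accepted; anything else a node
# announces is dropped before it can hijack traffic.
set policy prefix-list K3S-LB-IN rule 10 action 'permit'
set policy prefix-list K3S-LB-IN rule 10 prefix '10.50.1.128/28'
set policy prefix-list K3S-LB-IN rule 10 le '32'
set policy route-map K3S-IN rule 10 action 'permit'
set policy route-map K3S-IN rule 10 match ip address prefix-list 'K3S-LB-IN'
# Send nothing back: Cilium only needs the session up, not our routing table.
set policy route-map K3S-OUT rule 10 action 'deny'

set protocols bgp peer-group K3S remote-as '65001'
# TCP MD5 on the session; Cilium sets the same secret via authSecretRef on
# its CiliumBGPPeerConfig.
set protocols bgp peer-group K3S password 'CHANGE-ME'
set protocols bgp peer-group K3S address-family ipv4-unicast route-map import 'K3S-IN'
set protocols bgp peer-group K3S address-family ipv4-unicast route-map export 'K3S-OUT'
# The pool holds 16 addresses; more than that from one node is a fault, so
# tear the session down rather than install the excess.
set protocols bgp peer-group K3S address-family ipv4-unicast maximum-prefix '16'

set protocols bgp neighbor 10.50.1.120 peer-group 'K3S'
set protocols bgp neighbor 10.50.1.121 peer-group 'K3S'
set protocols bgp neighbor 10.50.1.122 peer-group 'K3S'
set protocols bgp neighbor 10.50.1.123 peer-group 'K3S'
set protocols bgp neighbor 10.50.1.124 peer-group 'K3S'
set protocols bgp neighbor 10.50.1.125 peer-group 'K3S'

# Install the same /32 from every node that hosts the service so VyOS
# spreads flows across them (ECMP) instead of picking one winner.
set protocols bgp address-family ipv4-unicast maximum-paths ebgp '6'
```

vyos-02 carries the same configuration with router-id 10.50.1.3. After commit, `show ip bgp summary` should list six established neighbours and `show ip route bgp` only prefixes within 10.50.1.128/28; if a node's session flaps with a max-prefix message, it is announcing more than the pool and the cluster side needs looking at, not the filter.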

k3s Cluster Architecture

Table 10. k3s Node Distribution
|===
|Node |IP |Hypervisor |Role

|k3s-master-01 |10.50.1.120 |kvm-01 |Control plane (active)
|k3s-master-02 |10.50.1.121 |kvm-02 |Control plane (planned)
|k3s-master-03 |10.50.1.122 |kvm-02 |Control plane (planned)
|k3s-worker-01 |10.50.1.123 |kvm-01 |Workloads (planned)
|k3s-worker-02 |10.50.1.124 |kvm-02 |Workloads (planned)
|k3s-worker-03 |10.50.1.125 |kvm-02 |Workloads (planned)
|===

Embedded etcd needs a majority of the three control-plane nodes. Two of them sit on kvm-02, so the cluster survives a kvm-01 outage, but a kvm-02 outage leaves k3s-master-01 without quorum and the API server unavailable until a second master returns; pods already running keep running, nothing can be rescheduled. With two hypervisors one of them always holds the majority, so choose deliberately which host may fail.

Table 11. k3s Stack
|===
|Component |Description

|CNI |Cilium 1.16.5 (replaces Flannel)
|Ingress |Traefik (k3s default)
|Secrets |Vault Agent Injector
|Storage |NFS from NAS-01 (/k3s/*)
|Observability |Prometheus + Grafana + Wazuh
|GitOps |ArgoCD
|===

Vault Policy Flow

Authentication and authorization flow showing how tokens acquire policies.

Vault Authentication and Policy Flow

PKI Hierarchy

Certificate authority chain showing Vault PKI (internal) and Let’s Encrypt (external) trust paths.

PKI Hierarchy
Table 12. Certificate Types
|===
|Type |Issuer |Use Cases

|Internal (Vault PKI) |DOMUS-ISSUING-CA |EAP-TLS, SSH CA, service certs
|External (Let's Encrypt) |ISRG Root X1 |Guest Portal, WLC WebUI, iPSK Manager
|Legacy (AD CS) |HOME-ROOT-CA |Deprecated - migrating to Vault
|===

Vault PKI is now the primary internal CA. AD CS is deprecated.

Certbot Renewal Flow

Shows the Certbot renewal process with DNS-01 challenge via Cloudflare API, including known error states.

Certbot Renewal Flow

Network Topology (Complete)

Comprehensive view of all infrastructure including KVM hypervisor, VMs, physical devices, and client connectivity.

Network Topology

VLAN Segmentation

Security zones with inter-VLAN routing through VyOS zone firewall (default deny policy).

VLAN Segmentation
Table 13. VLAN Configuration
|===
|VLAN |Name |Subnet |Purpose

4+|Infrastructure VLANs (servers/services)
|100 |INFRA |10.50.1.0/24 |Network hardware, hypervisors, k3s nodes
|110 |SECURITY |10.50.110.0/24 |Crown jewels: Vault, ISE, secrets
|120 |SERVICES |10.50.120.0/24 |General VMs: Keycloak, Gitea, FreeIPA, BIND

4+|Client VLANs (endpoints only)
|10 |DATA |10.50.10.0/24 |Corporate wired/wireless devices
|20 |VOICE |10.50.20.0/24 |VoIP phones (QoS)
|30 |GUEST |10.50.30.0/24 |Guest portal (internet only)
|40 |IOT |10.50.40.0/24 |IoT devices, limited access
|999 |CRITICAL_AUTH |(none) |802.1X failure quarantine (no gateway)
|===

INFRA (10.50.1.0/24) is a dedicated VyOS interface (eth0), not a VLAN tag. VyOS handles inter-VLAN routing with zone-based firewall policies. The SECURITY and SERVICES rows describe the target layout: the inventory above still places Vault, ISE, Keycloak, FreeIPA and BIND in 10.50.1.0/24, so until the VLAN migration completes those hosts are in the INFRA zone and the zone policy has to account for them there.
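A VyOS 1.4 zone-policy skeleton for Table 13, added here as an example and not the exported policy. It shows the three properties the paragraph above relies on: a zone pair with no ruleset attached is dropped, return traffic is admitted by connection state rather than by mirror rules, and each ruleset names a service instead of a subnet. The page fixes eth0 as untagged INFRA and the VLAN numbers; the tagged parent interface eth1, a WAN uplink on eth2, and all zone, ruleset and group names are assumptions. The DNS rule targets bind-01/02 at their current 10.50.1.x addresses, so it is attached to the INFRA zone and would move to SERVICES once BIND migrates to VLAN 120.

```vyos
# VyOS 1.4 zone policy for the VLANs in Table 13: default deny between zones,
# stateful return traffic, explicit per-service rulesets. Added example, not
# the site's policy. Assumptions: eth1 carries the tagged VLANs, eth2 is WAN,
# all names are invented.

# Stateful return traffic once, globally, so no ruleset needs a mirror rule.
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy related action 'accept'
set firewall global-options state-policy invalid action 'drop'

set firewall zone INFRA    interface 'eth0'
set firewall zone SECURITY interface 'eth1.110'
set firewall zone SERVICES interface 'eth1.120'
set firewall zone DATA     interface 'eth1.10'
set firewall zone VOICE    interface 'eth1.20'
set firewall zone GUEST    interface 'eth1.30'
set firewall zone IOT      interface 'eth1.40'
set firewall zone WAN      interface 'eth2'
set firewall zone LOCAL    local-zone

# Any zone pair without a "from" statement is dropped. Say so explicitly on
# the crown-jewel zone so nobody has to remember the default.
set firewall zone SECURITY default-action 'drop'

# DATA -> INFRA: DNS to the resolvers only (bind-01/02 are still in
# 10.50.1.0/24; reattach this to SERVICES when they move to VLAN 120).
set firewall group address-group DNS-SERVERS address '10.50.1.90'
set firewall group address-group DNS-SERVERS address '10.50.1.91'
set firewall ipv4 name DATA-TO-INFRA default-action 'drop'
set firewall ipv4 name DATA-TO-INFRA default-log
set firewall ipv4 name DATA-TO-INFRA rule 10 action 'accept'
set firewall ipv4 name DATA-TO-INFRA rule 10 protocol 'tcp_udp'
set firewall ipv4 name DATA-TO-INFRA rule 10 destination port '53'
set firewall ipv4 name DATA-TO-INFRA rule 10 destination group address-group 'DNS-SERVERS'
set firewall zone INFRA from DATA firewall name 'DATA-TO-INFRA'

# GUEST -> WAN only ("internet only"): no ruleset exists toward any internal
# zone, so guests cannot reach INFRA, SERVICES or other clients at all.
set firewall ipv4 name GUEST-TO-WAN default-action 'drop'
set firewall ipv4 name GUEST-TO-WAN rule 10 action 'accept'
set firewall zone WAN from GUEST firewall name 'GUEST-TO-WAN'

# IOT -> WAN the same way; anything IoT needs internally gets its own
# ruleset with a destination group, never a blanket accept.
set firewall ipv4 name IOT-TO-WAN default-action 'drop'
set firewall ipv4 name IOT-TO-WAN rule 10 action 'accept'
set firewall zone WAN from IOT firewall name 'IOT-TO-WAN'
```

The `default-log` on the client rulesets is what makes the default-deny auditable: anything a DATA host tries against INFRA other than DNS shows up in `show log firewall`, which is the quickest way to find both missing rules and a host probing the management segment. The same pattern extends to the other pairs (DATA to SERVICES for Keycloak and FreeIPA, INFRA to SECURITY for RADIUS and the Vault API), each with its own address and port groups.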

802.1X EAP-TLS Authentication Flow

Complete authentication flow from Linux client through NAD to ISE with certificate validation.

EAP-TLS Flow
Table 14. Authentication Steps
|===
|Step |Action |Protocol

|1 |Client initiates EAPOL-Start |EAPOL
|2 |Client sends identity (CN from cert) |EAP-Identity
|3 |TLS handshake begins |EAP-TLS
|4 |ISE validates the cert chain against its trusted CAs (root and DOMUS-ISSUING-CA) and checks revocation |TLS/CRL
|5 |ISE sends Access-Accept with VLAN + dACL |RADIUS
|6 |Port authorized, DHCP proceeds |DHCP
|===

The identity sent in step 2 is unauthenticated. Authorization rules must key off the subject or SAN of the certificate validated in step 4, never the EAP-Identity string, and the issuing CA has to be present in ISE's trust store or the chain in step 4 cannot be built.
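Step 4 is the only trust decision in the flow; everything before it is unauthenticated. The script below rehearses that decision offline with OpenSSL, as an added example that is neither ISE code nor this site's PKI: it builds a throwaway root and issuing CA named after the PKI section, a legitimate client certificate, a client certificate with the same CN from an untrusted CA, and a server certificate from the trusted issuer, then shows that only the first passes chain validation with a client-authentication purpose check. The hostnames and the temporary directory layout are invented.

```shell
#!/usr/bin/env bash
# Offline rehearsal of step 4: validate a supplicant's certificate the way the
# RADIUS server does before trusting the identity in it. Added example, not
# ISE code or this site's PKI; a throwaway root and issuing CA named after the
# PKI section are generated in a temp dir, and the hostnames are invented.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME SUBJECT EXTFILE [CA]  - self-signed when CA is omitted.
gen_cert() {
  local name=$1 subj=$2 ext=$3 ca=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 1 -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
      -CAcreateserial -days 1 -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# Constructed PKI: trusted root -> issuing CA -> client cert, plus two things
# that must be refused: a client cert from an untrusted CA with the same CN,
# and a server cert from the trusted issuer (right chain, wrong purpose).
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  gen_cert root    '/CN=DOMUS-ROOT-CA'     "$WORK/ca.ext"
  gen_cert issuing '/CN=DOMUS-ISSUING-CA'  "$WORK/sub.ext"    root
  gen_cert ws01    '/CN=ws01.lab.example'  "$WORK/client.ext" issuing
  gen_cert web01   '/CN=web01.lab.example' "$WORK/server.ext" issuing
  gen_cert rogue   '/CN=ROGUE-CA'          "$WORK/ca.ext"
  gen_cert evil    '/CN=ws01.lab.example'  "$WORK/client.ext" rogue
}

# validate_client CERT: 0 if it chains to the trusted root through the issuing
# CA and is usable as a TLS client. -untrusted plays the intermediate the
# supplicant sends in the handshake; -purpose sslclient rejects certificates
# whose EKU/keyUsage do not permit client authentication.
validate_client() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/issuing.crt" \
    -purpose sslclient "$1" >/dev/null 2>&1
}

# identity_of CERT: the CN the client presents in step 2. Only meaningful after
# validate_client succeeded; the EAP-Identity itself proves nothing.
identity_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

if [ "${1:-}" = "--demo" ]; then
  build_pki
  for c in ws01 evil web01; do
    if validate_client "$WORK/$c.crt"; then
      printf 'ACCEPT %-6s identity=%s\n' "$c" "$(identity_of "$WORK/$c.crt")"
    else
      printf 'REJECT %-6s (chain or purpose check failed)\n' "$c"
    fi
  done
fi
```

Run it with `--demo` to see the three verdicts. The same cases are worth testing against ISE itself: the rogue-CA certificate must be rejected even though its CN matches an authorized workstation, and a web-server certificate from DOMUS-ISSUING-CA must not double as a client identity, which is a reason to require the clientAuth EKU in the Vault PKI role and in the certificate authentication profile rather than trusting the issuer alone.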

Linux Authentication Architecture

Comparison of wpa_supplicant (current) vs NetworkManager (target for workstation migrations).

Linux Auth Architecture
Table 15. wpa_supplicant vs NetworkManager
|===
|Feature |wpa_supplicant |NetworkManager

|Configuration |Manual config files |nmcli or GUI
|Credential Storage |private_key_passwd in plaintext in wpa_supplicant.conf (root-readable) |Agent-owned secrets in GNOME Keyring (user connection) or root-only keyfile (system connection)
|Service Management |Separate systemd units |Single NetworkManager.service
|Enterprise Support |Full 802.1X |Full 802.1X
|Use Case |Servers, headless |Desktop, workstations
|===

Identity Services Architecture

Complete identity infrastructure including ISE, AD, Keycloak, and iPSK integration.

Identity Services
Table 16. Authentication Methods Supported
|===
|Method |Protocol |Use Case

|EAP-TLS |802.1X |Linux workstations (certificate auth)
|EAP-PEAP |802.1X |Windows devices (username/password)
|MAB |RADIUS |Printers, legacy devices
|iPSK |WPA2-PSK |Guests, IoT (identity-based PSK)
|Guest Portal |Web Auth |Visitors (VLAN 30)
|===

EAP-PEAP only holds up if the Windows supplicant is configured to validate the ISE server certificate and trust only the issuing CA; without that, a rogue AP presenting any certificate can capture the inner MSCHAPv2 exchange. MAB identifies a device by its MAC address alone and should land in a restricted VLAN with a dACL, not in DATA.

Diagram Source Files

All diagrams are written in D2 language and rendered via Kroki.

Example: Editing Infrastructure Overview
# D2 Diagram Editing Workflow
# Include with: include::example$d2-editing-example.sh[]

# Edit the current-state diagram (see the file list above)
vim modules/ROOT/images/diagrams/infrastructure-radial-v6.d2

# Preview locally (requires d2 CLI; 200 is a dark theme)
d2 --theme 200 infrastructure-radial-v6.d2 infrastructure-radial-v6.svg

# Or use the Kroki API. The public kroki.io endpoint receives the whole source,
# i.e. every hostname and IP on this page; prefer a self-hosted Kroki instance
# for internal topology.
curl -X POST https://kroki.io/d2/svg \
  --data-binary @infrastructure-radial-v6.d2 \
  -o infrastructure-radial-v6.svg
D2 Styling Reference (Catppuccin Mocha)
# D2 Styling Reference (Catppuccin Mocha Theme)
# Include with: include::example$d2-styling-reference.d2[]

# Color palette
style: {
  fill: "#1a1a2e"       # Dark background
  stroke: "#f5a623"     # Orange accent (ops theme)
  font-color: "#e0e0e0" # Light text
}

# Status colors
stroke: "#50fa7b"  # Green - OK/Active
stroke: "#ffb347"  # Orange - Warning
stroke: "#ff5252"  # Red - Critical
stroke: "#6c7086"  # Gray - Planned/Disabled
stroke: "#89b4fa"  # Blue - Info
stroke: "#cba6f7"  # Purple - Security

Adding New Diagrams

  1. Create D2 file in modules/ROOT/images/diagrams/
  2. Render with d2 --theme 200 <file>.d2 <file>.svg
  3. Add image reference in relevant page: image::diagrams/<diagram-name>.svg[Alt Text,width=100%]
  4. Build HTML to verify rendering
  5. Commit both .d2 source and .svg output