Infrastructure Operations

Domus Digitalis infrastructure documentation - runbooks, recovery procedures, automation, and architecture for a production home enterprise network.

802.1X EAP-TLS • Zero Trust • HashiCorp Vault PKI • netapi Automation

Quick Links

Section	Description
netapi Automation	NEW - Unified API automation framework for all infrastructure
dsec Secrets Management	NEW - Age-encrypted secrets with domain isolation
Infrastructure Diagrams	Visual architecture diagrams (D2 source files)
Current Roadmap	Active infrastructure backup and security roadmap
Vault Troubleshooting	CRITICAL - Fix renewal failures before certs expire
Backup Runbook	Step-by-step infrastructure backup procedure
Research Workstation	Linux workstation 802.1X EAP-TLS deployment pattern

Section

Description

netapi Automation

NEW - Unified API automation framework for all infrastructure

dsec Secrets Management

NEW - Age-encrypted secrets with domain isolation

Infrastructure Diagrams

Visual architecture diagrams (D2 source files)

Current Roadmap

Active infrastructure backup and security roadmap

Vault Troubleshooting

CRITICAL - Fix renewal failures before certs expire

Backup Runbook

Step-by-step infrastructure backup procedure

Research Workstation

Linux workstation 802.1X EAP-TLS deployment pattern

Infrastructure Overview

See Infrastructure Diagrams for full visual documentation.

Domus Digitalis Infrastructure - VyOS HA / 6-Node k3s / Cilium BGP

Table 1. Active Systems
System	IP	Hypervisor	Status
vyos-01 (Master)	10.50.1.2	kvm-01	Active - VyOS HA Firewall (VRRP VIP: 10.50.1.1)
vault-01	10.50.1.60	kvm-01	Active - Vault PKI + SSH CA
ise-01	10.50.1.20	kvm-01	Active - ISE 3.4 RADIUS/NAC
home-dc01	10.50.1.50	kvm-01	Active - AD DS / GPO / Kerberos
bind-01 (Primary)	10.50.1.90	kvm-01	Active - Authoritative DNS (AXFR master)
bind-02 (Secondary)	10.50.1.91	kvm-02	Active - DNS HA (AXFR slave)
k3s-master-01	10.50.1.120	kvm-01	Active - Kubernetes (Cilium + Vault Agent)
keycloak-01	10.50.1.80	kvm-01	Active - SAML/OIDC IdP
ipsk-manager	10.50.1.30	kvm-01	Active - iPSK Self-Service Portal
ipa-01	10.50.1.100	kvm-01	Active - FreeIPA (Linux auth)
9800-CL-WLC	10.50.1.40	kvm-01	Active - Wireless Controller (Primary)
vyos-02 (Backup)	10.50.1.3	kvm-02	Active - VyOS HA Firewall (VRRP Backup)
ise-02	10.50.1.21	kvm-02	Active - ISE 3.4 HA Secondary
9800-WLC-02	10.50.1.41	kvm-02	Active - WLC HA Standby (SSO)
kvm-01	10.50.1.110	Physical	Active - Supermicro A (Hypervisor)
kvm-02	10.50.1.111	Physical	Active - Supermicro B (Hypervisor)
nas-01	10.50.1.70	Physical	Active - Synology DS1821+ (48TB)
3560CX-01	10.50.1.10	Physical	Active - 802.1X Access Switch

Document Structure

Tools

Automation frameworks and utilities for infrastructure operations:

netapi - Unified CLI for all infrastructure APIs (ISE, VyOS, Gitea, Keycloak, etc.)
dsec - Age-encrypted secrets management with domain isolation
Integration patterns and best practices

Roadmaps

Long-term planning documents organized by year and month. Each roadmap tracks:

Action items with priorities
Checklists for completion tracking
Notes and discoveries

Projects

Discrete work items with defined scope and completion criteria:

Dr. Shahab Linux Workstation
HashiCorp Vault Sub-CA
Future projects…

Runbooks

Step-by-step operational procedures:

Backup procedures
Disaster recovery
Security validation

Incidents

Post-incident reviews and lessons learned.

Reviews

Periodic infrastructure reviews and audits.

Backup Status

Check current backup health:

# Load credentials with dsec
DSEC_SECURITY_MODE=permissive eval $(dsec source d000 dev/network)

# Check backup status with netapi
netapi synology backup-status --detailed

See netapi Integration and dsec Integration for complete automation documentation.

Version History

Version	Date	Changes
2026.01	2026-01-24	Initial structure, backup roadmap, YubiKey validation

Version

Date

Changes

2026.01

2026-01-24

Initial structure, backup roadmap, YubiKey validation