Validated Designs & Configurations

Overview

Validated Designs (VDs) are production-ready configurations that have been:

  1. Designed with security and scalability in mind

  2. Implemented in the Domus Digitalis home enterprise

  3. Tested under real-world conditions

  4. Documented with exact commands and expected outputs

  5. Maintained with version control and change tracking

Every configuration in this section has been deployed and validated. No theoretical designs. No untested configs. If it’s here, it works.

Validation Status Legend

| Status     | Meaning                              |
|------------|--------------------------------------|
| Validated  | Deployed, tested, production-ready   |
| Testing    | Deployed, validation in progress     |
| Draft      | Design complete, pending deployment  |
| Deprecated | Superseded by newer design           |

Disciplines

Network Infrastructure

| Design                    | Status | Description                             |
|---------------------------|--------|-----------------------------------------|
| pfSense HA Firewall       | Draft  | CARP failover, VLANs, NAT, VPN          |
| Cisco Switching (IOS-XE)  | Draft  | C9300/3560CX trunk, access, 802.1X      |
| Cisco WLC 9800            | Draft  | FlexConnect, WPA3-Enterprise, policy tags |
| VLAN Architecture         | Draft  | Segmentation strategy, inter-VLAN routing |
| BIND DNS                  | Draft  | Split-horizon, DNSSEC, zone transfers   |

Identity & Access Management

| Design                      | Status | Description                                      |
|-----------------------------|--------|--------------------------------------------------|
| Active Directory            | Draft  | Windows Server 2025 Core, GPO, DNS integration   |
| FreeIPA                     | Draft  | RHEL identity, Kerberos, sudo rules              |
| Keycloak IdP                | Draft  | OIDC/SAML, realm config, client federation       |
| Cisco ISE                   | Draft  | PAN/PSN/MnT, HA, profiling, posture              |
| 802.1X Wired (EAP-TLS)      | Draft  | Switch config, ISE policy, certificates          |
| 802.1X Wireless (EAP-TLS)   | Draft  | WLC config, ISE policy, roaming                  |
| MAB for IoT/Printers        | Draft  | MAC bypass, profiling, dACL assignment           |
| iPSK (Identity PSK)         | Draft  | Device onboarding, RADIUS lookup, VLAN assignment |

PKI & Certificates

| Design                   | Status | Description                                      |
|--------------------------|--------|--------------------------------------------------|
| Vault PKI Hierarchy      | Draft  | Root CA, Issuing CA, cert roles                  |
| Vault SSH CA             | Draft  | Short-lived certs, principals, host verification |
| EAP-TLS Certificates     | Draft  | Client certs, SAN, key usage, renewal            |
| Server TLS Certificates  | Draft  | Web services, API endpoints, auto-renewal        |
| Code Signing             | Draft  | Git commits, container images, scripts           |

Secrets Management

| Design               | Status | Description                                  |
|----------------------|--------|----------------------------------------------|
| gopass Taxonomy      | Draft  | v3 hierarchy, team sharing, git sync         |
| Vault KV Secrets     | Draft  | Path structure, policies, AppRole            |
| dsec CLI Workflow    | Draft  | Environment sourcing, age encryption         |
| Credential Rotation  | Draft  | Automated rotation, notification, validation |

Virtualization & Compute

| Design                   | Status | Description                                  |
|--------------------------|--------|----------------------------------------------|
| KVM/libvirt              | Draft  | VM provisioning, CPU pinning, storage pools  |
| cloud-init Templates     | Draft  | User-data, network config, first-boot        |
| Rocky Linux Base Image   | Draft  | Hardened base, SELinux, minimal install      |
| Arch Linux Workstation   | Draft  | Development environment, dotfiles, tooling   |

Kubernetes & Containers

| Design                 | Status | Description                               |
|------------------------|--------|-------------------------------------------|
| k3s HA Cluster         | Draft  | 3-node control plane, embedded etcd       |
| Cilium CNI             | Draft  | eBPF, network policies, Hubble            |
| MetalLB LoadBalancer   | Draft  | L2 mode, IP pools, service announcements  |
| Traefik Ingress        | Draft  | TLS termination, middleware, routing      |
| Vault Agent Injector   | Draft  | Sidecar secrets, annotations, templates   |
| ArgoCD GitOps          | Draft  | App-of-apps, sync policies, RBAC          |
| NFS StorageClass       | Draft  | Dynamic provisioning, access modes        |

Observability & SIEM

| Design              | Status | Description                              |
|---------------------|--------|------------------------------------------|
| Wazuh SIEM          | Draft  | Manager, indexer, dashboard, agents      |
| Prometheus Stack    | Draft  | kube-prometheus, ServiceMonitors, alerts |
| Grafana Dashboards  | Draft  | Infrastructure, k8s, application metrics |
| AlertManager        | Draft  | Routing, receivers, silences             |
| Log Aggregation     | Draft  | Syslog, Filebeat, index lifecycle        |

Storage & Backup

| Design                 | Status | Description                         |
|------------------------|--------|-------------------------------------|
| Synology NAS           | Draft  | Shares, NFS exports, permissions    |
| Borg Backup            | Draft  | Deduplication, encryption, pruning  |
| Vault Raft Backup      | Draft  | Snapshots, restore procedures       |
| 3-2-1 Backup Strategy  | Draft  | Local, NAS, offsite/cloud           |
| Disaster Recovery      | Draft  | RTO/RPO, runbooks, testing          |

Automation & IaC

| Design                      | Status | Description                              |
|-----------------------------|--------|------------------------------------------|
| Ansible Project Structure   | Draft  | Roles, inventory, vault integration      |
| Terraform Modules           | Draft  | KVM, Vault, Cloudflare providers         |
| CI/CD Pipelines             | Draft  | GitHub Actions, GitLab CI, deployment    |
| Pre-commit Hooks            | Draft  | Linting, secrets detection, formatting   |

Documentation Platform

| Design              | Status | Description                          |
|---------------------|--------|--------------------------------------|
| Antora Multi-Repo   | Draft  | Aggregator, spoke repos, playbooks   |
| AsciiDoc Standards  | Draft  | Attributes, includes, partials       |
| D2 Diagrams         | Draft  | Styling, themes, CI rendering        |
| Cloudflare Pages    | Draft  | Deployment, Access policies, DNS     |

CLI Tooling

| Design                | Status | Description                                |
|-----------------------|--------|--------------------------------------------|
| netapi CLI            | Draft  | ISE, pfSense, WLC, Synology automation     |
| dsec Secrets CLI      | Draft  | Age encryption, environment sourcing       |
| Shell Environment     | Draft  | zsh, aliases, functions, completions       |
| Dotfiles Management   | Draft  | GNU Stow, git sync, machine-specific       |

Security Hardening

| Design                 | Status | Description                                 |
|------------------------|--------|---------------------------------------------|
| Linux Hardening        | Draft  | SSH, firewalld, SELinux/AppArmor            |
| Vault Hardening        | Draft  | Policies, audit, seal/unseal                |
| Network Segmentation   | Draft  | VLANs, ACLs, zero-trust principles          |
| Certificate Lifecycle  | Draft  | Issuance, renewal, revocation, monitoring   |

Design Document Template

Each validated design follows a standard structure:

  1. Overview - What problem does this solve?

  2. Architecture - Diagrams, components, data flow

  3. Prerequisites - Dependencies, credentials, access

  4. Configuration - Exact commands with expected output

  5. Validation - How to verify it works

  6. Troubleshooting - Common issues and fixes

  7. Maintenance - Upgrades, backups, rotation

  8. References - Vendor docs, RFCs, related designs

See Validated Design Template for the full structure.

Contributing

To add a validated design:

  1. Deploy and test in the home enterprise

  2. Document with exact commands

  3. Include expected output

  4. Add troubleshooting from real issues

  5. Submit PR with validation evidence

No untested designs. No theoretical configs. Prove it works.