Technology is at the heart of everything I do!
Here are some of the projects I've been working on at home.
I have a 3-node Proxmox cluster deployed utilizing Ceph hyper-converged storage, each node providing 8 TB of SSD storage.
Each host is based on the AMD Ryzen architecture with the following identical build:
AMD Ryzen 7 3700X
128 GB DDR5 non-ECC
4x 2TB Samsung EVO
Mellanox ConnectX-3 Pro 10G w/ 10G SFP+ direct-to-switch
A QNAP 2-bay NAS stores all forwarded system and authentication logs, which are parsed by CrowdSec and Wazuh.
An unRAID server provides 40 TB of local (JBOD) mechanical-backed storage and 2 TB of PCIe 4.0 NVMe cache.
It runs some virtualization, but is primarily used for containerization, media delivery, and backups: Proxmox Backup Server for VMs and Duplicati for endpoints.
AMD Ryzen 7 3700X
128 GB DDR5 non-ECC
Nvidia GeForce GTX 1080 Ti for media transcoding
LSI SAS9211-8i HBA (flashed to IT mode) w/ SAS-to-SATA breakout cables:
12TB Seagate Ironwolf Pro (parity)
5x 8TB Seagate Ironwolf Array
2TB Samsung 990 Pro NVMe
Mellanox ConnectX-3 Pro 10G w/ 10G SFP+ direct-to-switch
Nextcloud is deployed and externally accessible, protected by MFA, and providing a self-hosted, viable alternative to Google Drive and Microsoft OneDrive.
Nextcloud delivers:
Full document editing capabilities
Photo storage, management, indexing and facial/object recognition
Sharable, custom short-links for simplified sharing and collaboration
Practically unlimited storage
Self-hosted, high-availability WireGuard VPN server
High-availability, synchronized physical and virtual Pi-hole network-wide ad blocking, using unbound recursive DNS and keepalived
Physical Raspberry Pi 3B+ devices (one per subnet/VLAN, 3 total)
LXC containers configured as Pi-hole (two per subnet/VLAN, 6 total)
Traefik reverse proxy manages traffic and routing to exposed services
CrowdSec inspects logs and takes action on brute-force attempts, authentication failures and any other suspicious/malicious activity
CrowdSec interfaces directly with the Cloudflare Firewall via API to ban suspect traffic at the perimeter
Authelia provides MFA based on strict rules
TOTP is configured
WebAuthn is configured to push notifications to my Pixel 8 Pro & tablet for biometric authentication
WebAuthn is also configured to accept registered YubiKeys
Cisco Duo Mobile is also configured to push notifications to the registered Pixel 8 Pro and tablet
I leverage Ansible for orchestration and infrastructure automation to achieve some specific goals:
Rapid deployment of minimal Debian cloud-image VMs & LXC containers
Bootstrap playbooks for new endpoints:
Update cache and packages
Default package installation
Netdata installation and configuration for monitoring
Wazuh installation for SIEM functionality
SSH key, authorized_keys and known_hosts management
User creation and permission management
Firewall configuration
SSH hardening
OS and Application updates and upgrades
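The bootstrap steps above, as an added Ansible playbook that is not the page's own code: the inventory group new_endpoints, the deploy user, the public-key path and a Debian 12 target (sshd_config.d drop-ins, the KbdInteractiveAuthentication directive) are assumptions, and the block narrows to the SSH-key, SSH-hardening and firewall steps.

```yaml
- name: Bootstrap a fresh Debian VM or LXC (added example, not the page's playbook)
  hosts: new_endpoints            # assumed inventory group
  become: true
  vars:
    deploy_user: deploy           # assumed existing non-root admin account
    pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"   # assumed key path
  tasks:
    - name: Update cache and upgrade all packages
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
    - name: Install default packages
      ansible.builtin.apt:
        name: [sudo, ufw, curl, gnupg]
        state: present
    - name: Install only the managed SSH key (exclusive drops any stray keys)
      ansible.posix.authorized_key:
        user: "{{ deploy_user }}"
        key: "{{ pubkey }}"
        exclusive: true
    - name: Harden sshd via a drop-in that is syntax-checked before it is installed
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/99-hardening.conf
        mode: "0644"
        validate: "/usr/sbin/sshd -t -f %s"   # refuse to write a config sshd cannot parse
        content: |
          PasswordAuthentication no
          KbdInteractiveAuthentication no
          PermitRootLogin no
          X11Forwarding no
      notify: restart ssh
    - name: Allow inbound SSH
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp
    - name: Enable ufw with default deny inbound
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming
  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Run the key task before the sshd drop-in, as above, so a failed key install never leaves a host with password login already disabled.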
Live monitoring is provided by Netdata, deployed via Ansible to all Linux and Windows endpoints.
Logs are shipped to a central standalone NAS using rsyslog on Linux hosts.
Graylog ingests logs that I can review when things go bump in the night and the gremlins come out.
Virtualization is protected by daily Proxmox VM snapshots stored on a Proxmox Backup Server.
The backup retention policy ensures there is always a usable 'version' of each server:
1 Weekly Backup
12 Monthly Backups
1 Yearly Backup
Linux endpoints use rsync to back up critical system, application and user files.
Windows endpoints use Duplicati for backups.
Wazuh is deployed across the home infrastructure, monitoring hosts, VMs, LXC and Docker containers for file changes, security misconfigurations, hardening recommendations, and vulnerability remediation and mitigation.
All endpoints are configured to report into Wazuh at build time.
unRAID and Portainer manage a variety of containers, some of which are securely accessible from outside my network (SSL & MFA protected), such as:
Bitwarden Password Vault
Plex, Emby media servers
CodeServer (self-hosted VS Code)
Netdata
Confluence Server (migrating to xWiki)
xWiki
Home Assistant automation server (lighting, motion sensors, water sensors, door & window sensors, window shades, toggle action buttons, cameras)
Self-hosted Nextcloud
Ubiquiti UniFi network devices provide seamless connectivity through wired access points.
The console is a Dream Machine Pro SE
4x USW-U6 Access Points with 1G Ethernet backhaul
USW-24 Switch (24 port)
USW-Aggregation
Multiple configured subnets & VLANs for LAN, IoT and Kids
Wi-Fi bound to configured VLANs
Proxmox hosts are connected via 10 GbE Mellanox ConnectX-3 Pro to the UniFi switch (USW-Aggregation)
Bind9 is configured on a Linux server to provide FQDNs for the infrastructure.
This DNS server then uses the Pi-hole VIP (keepalived) as its upstream.
Keepalived is responsible for load balancing traffic to 1 physical & 2 virtual Pi-holes, which are fully synchronized.
The Pi-holes are configured to use unbound as their recursive DNS.
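The keepalived VIP described above (one physical Pi plus two LXC Pi-holes per VLAN, fronted by a VIP that Bind9 forwards to), as an added Ansible playbook rather than the author's configuration: the group pihole_lan, the VIP address, interface and router id are assumptions, and the health check asks the local Pi-hole a real DNS query so a node whose FTL is hung, not just stopped, also gives up the VIP.

```yaml
- name: Keepalived VIP for the Pi-holes of one VLAN (added example, not the page's config)
  hosts: pihole_lan               # assumed group: the Pi plus the two LXCs of this VLAN
  become: true
  vars:
    dns_vip: 192.168.10.53        # assumed VIP that Bind9 uses as its upstream
    vip_iface: eth0               # assumed interface carrying the VLAN
    vrid: 53                      # assumed VRRP router id, unique per VLAN
  tasks:
    - name: Install keepalived and dig for the health check
      ansible.builtin.apt:
        name: [keepalived, dnsutils]
        state: present
    - name: Render keepalived.conf (first host in the group starts as MASTER)
      ansible.builtin.copy:
        dest: /etc/keepalived/keepalived.conf
        mode: "0600"
        content: |
          global_defs {
              enable_script_security
              script_user root
          }
          # Health check: a real query to the local Pi-hole, not just a pidof
          vrrp_script chk_pihole {
              script "/usr/bin/dig @127.0.0.1 +time=1 +tries=1 pi.hole"
              interval 2
              fall 2
              rise 2
          }
          vrrp_instance VI_DNS {
              state {{ 'MASTER' if inventory_hostname == groups['pihole_lan'][0] else 'BACKUP' }}
              interface {{ vip_iface }}
              virtual_router_id {{ vrid }}
              priority {{ 150 - 10 * groups['pihole_lan'].index(inventory_hostname) }}
              advert_int 1
              virtual_ipaddress {
                  {{ dns_vip }}/24
              }
              track_script {
                  chk_pihole
              }
          }
      notify: restart keepalived
  handlers:
    - name: restart keepalived
      ansible.builtin.service:
        name: keepalived
        state: restarted
        enabled: true
```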
An internal Certificate Authority provides valid SSL certificates to all local internal services where possible.
The root CA certificate is installed in all browsers and OSes, allowing secure, encrypted traffic even to internal FQDNs and IPs.
All exposed services are protected by Cloudflare SSL certificates in strict mode.