Network Automation Toolkit
A working migration from “run these commands in order” to “run this playbook.” The homelab works today, but adding a new service still means manually creating the LXC, installing packages, writing an nginx site config, running the cert install, and pushing a DNS record into Pi-hole. That’s seven or eight steps that should be one.
Goal
A single Ansible run that takes a service name, an upstream IP/port, and a protocol, then produces:
- An LXC container with the right base image and resources
- An nginx vhost on the reverse proxy with the wildcard cert wired in
- A Pi-hole DNS record pointing the service hostname at the proxy
- A Cloudflare DNS record if the service is public-facing
- A test that confirms the service responds with a 200 over HTTPS before declaring success
Status
In progress. Currently working through the Pi-hole role — Pi-hole v6 replaces the entire hosts list on each call, so the playbook needs to read existing state, merge the new record, and push the full list back. The naive “append” approach silently destroys other records.
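The read-merge-push logic the status note describes, as an added example (not the project's own role code). It assumes only what the page states: Pi-hole v6 treats the local DNS hosts list as one list of "IP hostname" strings that is replaced wholesale on every write. The HTTP transport is replaced by a constructed in-memory stand-in (`FakePihole`) so the merge and its idempotency can be exercised offline; the hostnames and addresses are constructed sample data.

```python
"""Idempotent read-merge-push of Pi-hole local DNS records.

Added example, not code from the project described on this page. Assumption:
the hosts list is a flat list of "IP hostname" strings and any write replaces
the whole list (as the page states for Pi-hole v6). The API client is a
constructed in-memory stand-in so the merge logic runs and tests offline.
"""
from __future__ import annotations

import ipaddress


class FakePihole:
    """Constructed stand-in for the Pi-hole v6 hosts-list endpoint.

    Reproduces the one semantic that matters here: a write does not merge,
    it replaces the entire list with whatever the caller sent.
    """

    def __init__(self, hosts: list[str]) -> None:
        self._hosts = list(hosts)

    def get_hosts(self) -> list[str]:
        return list(self._hosts)

    def put_hosts(self, hosts: list[str]) -> None:
        self._hosts = list(hosts)  # no server-side merge


def parse_host_entry(entry: str) -> tuple[str, str]:
    """Split "IP hostname" into (hostname_lowercased, ip); reject junk early."""
    parts = entry.split()
    if len(parts) != 2:
        raise ValueError(f"malformed hosts entry: {entry!r}")
    ip, hostname = parts
    ipaddress.ip_address(ip)  # raises ValueError if not a valid address
    return hostname.lower(), ip


def naive_append(client: FakePihole, hostname: str, ip: str) -> list[str]:
    """The broken approach from the status note: push only the new record.

    Because the write replaces the whole list, every other record is lost.
    """
    client.put_hosts([f"{ip} {hostname}"])
    return client.get_hosts()


def merge_record(existing: list[str], hostname: str, ip: str) -> list[str]:
    """Return the full hosts list with hostname -> ip set and all others kept.

    Keyed on lowercased hostname, so re-running with the same record changes
    nothing and re-running with a new IP updates in place rather than adding
    a second entry. Duplicate hostnames in the existing list collapse to one
    entry (last wins; a choice made for this example, not Pi-hole behaviour).
    """
    ipaddress.ip_address(ip)
    records: dict[str, str] = {}
    for entry in existing:
        name, addr = parse_host_entry(entry)
        records[name] = addr
    records[hostname.lower()] = ip
    # Deterministic order keeps diffs readable and writes reproducible.
    return [f"{addr} {name}" for name, addr in sorted(records.items())]


def ensure_record(client: FakePihole, hostname: str, ip: str) -> tuple[bool, list[str]]:
    """Read current state, merge, and write back only if something changed.

    Returns (changed, resulting_hosts_list), the same shape an Ansible task
    would report so the play can stay idempotent.
    """
    current = client.get_hosts()
    desired = merge_record(current, hostname, ip)
    if set(desired) == set(current) and len(desired) == len(current):
        return False, current
    client.put_hosts(desired)
    return True, client.get_hosts()


if __name__ == "__main__":
    # Constructed sample state: two records that must survive the change.
    seed = ["10.0.0.10 proxy.lab.example", "10.0.0.20 nas.lab.example"]

    print("naive append :", naive_append(FakePihole(seed), "grafana.lab.example", "10.0.0.10"))
    ph = FakePihole(seed)
    print("merge (1st)  :", ensure_record(ph, "grafana.lab.example", "10.0.0.10"))
    print("merge (rerun):", ensure_record(ph, "grafana.lab.example", "10.0.0.10"))
    print("merge (new ip):", ensure_record(ph, "grafana.lab.example", "10.0.0.11"))
```

Running it shows the naive push leaving a one-line hosts list, while `ensure_record` keeps the existing records, reports `changed=False` on the rerun, and replaces rather than duplicates the entry when the upstream IP changes. Against the real API the two `FakePihole` methods would become the GET and replace-write calls, and the merge function would be unchanged.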
Why bother
Two reasons. One: the homelab is large enough now that any change risks breaking something else, so reproducible deployment is starting to matter. Two: the network automation skill gap is the next layer of seniority — everyone past mid-level is expected to read and write Ansible / Terraform / similar, and this is the natural place to build that fluency on real infrastructure.
A writeup will follow once the first end-to-end run works.
Stack