// stack

The actual stack.

The exact setup. No gatekeeping.

[Architecture diagram] Internet → Edge: Cloudflare Tunnel · Access · DNS; Tailscale WireGuard overlay; Netgate 2100 (pfSense Plus: FRRouting, Snort IDS, pfBlockerNG, eBGP mesh) → Network: USW-Lite-8-PoE managed switch with VLANs; U7 Pro AP (Wi-Fi 7, UniFi) → Compute: P920 workstation (Proxmox node 1, CML, Security Onion, FRRouting BGP AS); M710q Tiny (Proxmox node 2, nginx, Pi-hole, Grafana, Vaultwarden, Gitea); Buffalo NAS (shared storage, Proxmox backups); eBGP between the three.
2 Proxmox nodes
9 Internal services
3 eBGP peers
14 Uptime monitors

Homelab nodes

Lenovo ThinkStation P920 Workstation

Primary Proxmox node — heavy compute, VMs, and resource-hungry workloads like Cisco CML and Security Onion.

The big box. Runs the demanding stuff.
core

Lenovo ThinkCentre M710q Tiny

Second Proxmox node — always-on lightweight LXC containers and cluster quorum. Fanless, low power, permanently on.

The small always-on box.
core

Buffalo NAS

Shared storage for the cluster — ISO library and Proxmox backup target. Both nodes mount it for VM disk storage and backups.

Network-attached storage. Both computers share it.
active

MacBook Pro 14" M3 Pro

Daily driver. SSH into the lab, write code, push to git, watch the Grafana dashboard.

The laptop I work from.
daily

Edge, switching, wireless

Netgate 2100 — pfSense Plus

Edge firewall and router. Runs FRRouting for the eBGP mesh, VLAN segmentation, Snort IDS, and pfBlockerNG DNS filtering. ARM-based, fanless.

The front door. Controls all traffic in and out of the network.
core

Ubiquiti USW-Lite-8-PoE

8-port managed switch. VLAN trunking between the firewall, nodes, and AP. Powers the access point over Ethernet.

The network hub everything plugs into.
core

Ubiquiti U7 Pro

Wi-Fi 7 AP managed through a self-hosted UniFi controller on the cluster. Separate SSIDs for trusted devices and IoT.

The wireless access point. Managed centrally like enterprise gear.
active

Intel I350-T4V2 NIC

Quad-port NIC in the P920 for additional VLAN separation. SR-IOV capable — one physical card can appear as multiple virtual NICs to VMs.

Extra network ports for isolating different types of traffic.
active

Hypervisor & core services

Proxmox VE 9.2.2 — kernel 7.0

Two-node HA cluster. Runs VMs and LXC containers with shared storage across both nodes. Everything treated as production — no sandbox exceptions.

The OS that runs on the servers and hosts all the other software.
core

FRRouting — eBGP mesh

BGP running on both Proxmox nodes and the pfSense edge — three peers, two paths per subnet, zero static routes. Private ASNs per RFC 6996. Same routing protocol that runs the internet.

Makes all three boxes automatically learn each other's routes. If one goes down, traffic reroutes itself.
core

nginx + acme.sh — wildcard TLS

Central reverse proxy for all internal services. Wildcard cert for *.lab.securebytes.net via Cloudflare DNS-01. Renewal automated. API token scoped strictly to the securebytes.net zone.

Routes web traffic to the right service. Gives every internal site a valid padlock.
core

Cloudflare Tunnel + Access

Two services exposed publicly with zero open inbound ports. Tunnel daemon dials out to Cloudflare edge. Admin paths protected by email-OTP. No port forwarding, no public IP exposure.

Lets the internet reach two services without opening a hole in the firewall.
core

Tailscale — WireGuard overlay

Deny-by-default ACLs as version-controlled policy — three tags, three tiers (admin / dns / monitor). Pi-hole is the subnet router, advertising the internal /24 so enrolled clients reach LAN hosts without Tailscale on every box.

Secure remote access to the lab from anywhere. No VPN server, no open ports.
active

Pi-hole v6

Internal DNS for every *.lab.securebytes.net hostname. Also the Tailscale subnet router — one lightweight LXC doing double duty.

DNS server. Knows the address of every internal service, blocks ads network-wide.
active

Vaultwarden

Self-hosted Bitwarden-compatible password manager. Browser extension on every device. Vault stays on local hardware — no third-party cloud stores the credentials.

Password manager. Like 1Password, but running on my own server.
active

Gitea

Self-hosted git server. Private operational repo lives here — real IPs, configs, runbooks. Public GitHub is a sanitized mirror. Dual-repo workflow enforced after a May 2026 audit found IPs in commit history.

Like GitHub, but self-hosted. Private configs stay private.
active
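The sanitized-mirror workflow above only holds if something checks history before it reaches the public remote. An added example, not the site author's own tooling: a pre-push leak check that scans `git log -p` output for RFC 1918, CGNAT (Tailscale 100.64/10) and link-local addresses and for hostnames under the lab domain. The domain is taken from the page; the sample diff, repo path and function names are constructed.

```python
"""Leak check for the public mirror of a private ops repo (added example)."""
import ipaddress
import re
import subprocess

# Domain taken from the page; address ranges are RFC 1918, CGNAT
# (Tailscale 100.64/10) and link-local. Adjust for your own lab.
INTERNAL_SUFFIX = ".lab.securebytes.net"
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*" + re.escape(INTERNAL_SUFFIX) + r"\b")


def find_leaks(text: str) -> list[str]:
    """Return sorted, deduplicated internal IPs and hostnames found in text."""
    hits = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:      # e.g. 300.1.1.1 looks like an IP but is not one
            continue
        if any(ip in net for net in PRIVATE_NETS):
            hits.add(candidate)
    hits.update(HOST_RE.findall(text))
    return sorted(hits)


def scan_history(repo_path: str, rev_range: str = "HEAD") -> list[str]:
    """Run `git log -p` (every commit, not just the tip) and check the output."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", rev_range],
        capture_output=True, text=True, check=True).stdout
    return find_leaks(log)


# Constructed sample: one commit that would leak an Ansible inventory.
# The public status hostname and a version string must NOT be flagged.
SAMPLE_DIFF = """\
+pfsense:
+  ansible_host: 192.168.10.1
+pihole:
+  ansible_host: 100.101.102.103
+grafana_url: https://grafana.lab.securebytes.net
+status_url: https://status.securebytes.net
+proxmox_version: 9.2.2
"""

if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_DIFF)
    if leaks:
        raise SystemExit("refusing to push, internal references found: " + ", ".join(leaks))
    print("clean")
```

Wire `scan_history` into a pre-push hook on the mirror remote; a non-empty result aborts the push, and because it reads full history it also catches the case the audit found, where an address lives only in an older commit.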

Security Onion

Network IDS and SIEM on the cluster. Monitors traffic across the lab. Provides the security visibility layer most homelabs skip.

Watches all network traffic for anything suspicious and logs it.
active

Monitoring & alerting

Grafana + Prometheus + Node Exporter

12-panel NOC dashboard — uptime, CPU, memory, disk, temperature, LAN/WAN throughput per node. Node Exporter on every host (~10 MB RAM). 60-second scrape interval. One consolidated view.

Live dashboard showing the health of every machine. Like a control room.
core

ntfy

Self-hosted push notification server. Prometheus Alertmanager fires to ntfy when a host goes down or a threshold trips. Push to phone — no polling.

Sends a notification to my phone when something breaks.
active

Uptime Kuma

Public status page at status.securebytes.net. 14 monitors across every external and internal service.

Public uptime page. Green or red for every service.
active

Docker Compose

Runs the entire observability stack — Prometheus, Grafana, Alertmanager — in one compose file. Named volumes persist all data through restarts and full recomposes.

Runs the monitoring tools as containers. Data survives reboots.
active

Network design & lab work

Cisco Modeling Labs — 20-node license

Full Cisco stack: IOS-XR, NX-OS, ASAv, FTDv, FMCv, Catalyst 9800 WLC, ISE, SD-WAN control plane. Active topologies include BGP hot-cut migrations, failure injection, L2, FTD policy, and an automation test environment.

Simulates real Cisco gear inside a VM. Test designs before touching real hardware.
active

EVE-NG

Non-Cisco vendor simulation alongside CML. FortiGate live — policy, NAT, VPN. Juniper vMX and Arista vEOS planned for multi-vendor interop topologies.

Like CML but for Fortinet, Juniper, Arista.
active

IaC & scripting

Ansible + Jinja2

In progress. Migrating from shell scripts to idempotent playbooks — LXC bootstrap, nginx vhost templating via Jinja2, Pi-hole DNS merge, TLS cert distribution. Goal: one command to provision any service end-to-end.

Automates setup tasks so running them twice doesn't break anything.
in progress

Cloudflare API + Python

Automation target in the Ansible toolkit — creates public DNS records for externally-facing services as part of the provisioning pipeline. Bash for glue scripting throughout.

Automatically creates the DNS entry when a new public service goes live.
in progress

Software I use daily

VS Code

YAML, Python, Astro, Ansible playbooks, Sigma rules. Vim keybindings.

daily

iTerm2 + Zsh + tmux

SSH into the cluster, git, and every CLI operation. tmux keeps sessions alive on remote nodes across disconnects.

Terminal. Stays connected to remote servers even when the laptop sleeps.
daily

Wireshark / tcpdump

tcpdump on the remote node to capture, Wireshark locally to analyze. First tool out when something is wrong on the wire.

Reads actual network packets. Closest thing to seeing what's really on the wire.
daily

Astro

This site. Static output, content collections, zero client-side JS framework. Deployed to Cloudflare Pages on every push to main.

Builds this website into static files and ships them to Cloudflare.
active

Last updated May 2026. k3s HA cluster, VictoriaMetrics, Loki, and Proxmox Backup Server are next on the list. If you're running something similar or want to trade notes, get in touch.