ANTHONY GUZMAN
02 / IN PRODUCTION

Zero-Trust Home Lab

Production-grade security posture on consumer hardware.

SECURITY / INFRA
§ OVERVIEW

Proxmox-hosted homelab with Cloudflare Tunnel, Caddy reverse proxy, Wazuh SIEM, and Pi-hole DNS filtering.

§ STACK
  • Proxmox VE: bare-metal hypervisor running all workloads
  • pfSense: perimeter firewall, VLAN segmentation, routing
  • Cloudflare Tunnel: zero-trust ingress — no exposed ports on WAN
  • Caddy: reverse proxy with automatic HTTPS
  • Wazuh: SIEM/XDR — log aggregation, threat detection
  • Pi-hole: DNS-level ad and malware domain blocking
  • Fail2ban: adaptive IP banning on repeated auth failures

§ DECISIONS
01
Cloudflare Tunnel over port forwarding

Port forwarding exposes my WAN IP. Cloudflare Tunnel creates an outbound-only encrypted connection — my origin IP never appears in DNS, and Cloudflare absorbs DDoS before it reaches me.

02
Caddy over nginx

Caddy's automatic certificate renewal via ACME meant zero manual cert management. Nginx gives more fine-grained control I don't need yet. If I move to a multi-tenant setup, I'll revisit.

03
Wazuh SIEM from day one

Most homelabs add monitoring as an afterthought. I wanted to build alerting and log correlation as a first-class concern — both because it's the right security posture, and because operating Wazuh is directly transferable to professional SOC work.
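The correlation this decision is about, and the adaptive banning Fail2ban does in the stack above, reduce to the same model: count failures per source inside a sliding window, act when a threshold is crossed, and lift the action after a ban period. The block below is an added example of that logic written out in Python so the thresholds can be reasoned about and tested; it is not Wazuh's or Fail2ban's code. The sshd log lines are constructed (documentation addresses), and the `maxretry`, `findtime` and `bantime` names are borrowed from Fail2ban's vocabulary as an assumption about what a reader will recognise.

```python
"""Sliding-window brute-force correlation over sshd auth log lines.

Added example (not Wazuh's or Fail2ban's code): the maxretry/findtime/bantime
model Fail2ban applies per IP, and the kind of frequency rule a SIEM fires on.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failure(line: str, year: int = 2024):
    """Return (timestamp, source_ip, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


class BruteForceCorrelator:
    """Ban a source after `maxretry` failures inside `findtime`; lift after `bantime`."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(hours=1)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.window = defaultdict(deque)   # ip -> deque of (ts, user) inside findtime
        self.banned = {}                   # ip -> ban expiry
        self.alerts = []

    def feed(self, line: str):
        parsed = parse_failure(line)
        if parsed is None:
            return None                    # not a failed login; nothing to correlate
        ts, ip, user = parsed
        if ip in self.banned:
            if ts < self.banned[ip]:
                return None                # still banned: the firewall drop is the response
            del self.banned[ip]            # bantime elapsed; start counting afresh
        q = self.window[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > self.findtime:
            q.popleft()                    # drop failures that fell out of the window
        if len(q) < self.maxretry:
            return None
        alert = {
            "rule": "ssh-bruteforce",
            "src_ip": ip,
            "failures": len(q),
            "users": sorted({u for _, u in q}),
            "first": q[0][0],
            "last": ts,
            "ban_until": ts + self.bantime,
        }
        self.banned[ip] = alert["ban_until"]
        q.clear()
        self.alerts.append(alert)
        return alert


# Constructed sample log: one fast burst from a documentation address,
# one slow trickle that never crosses the threshold, one successful key login.
SAMPLE_LOG = [
    "Mar 14 08:00:01 gateway sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2",
    "Mar 14 08:00:03 gateway sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2",
    "Mar 14 08:00:05 gateway sshd[2101]: Failed password for root from 203.0.113.9 port 51124 ssh2",
    "Mar 14 08:00:07 gateway sshd[2101]: Failed password for root from 203.0.113.9 port 51125 ssh2",
    "Mar 14 08:00:09 gateway sshd[2101]: Failed password for root from 203.0.113.9 port 51126 ssh2",
    "Mar 14 08:00:11 gateway sshd[2101]: Failed password for root from 203.0.113.9 port 51127 ssh2",
    "Mar 14 08:03:30 gateway sshd[2105]: Accepted publickey for anthony from 10.0.10.5 port 50000 ssh2",
    "Mar 14 08:05:00 gateway sshd[2102]: Failed password for anthony from 198.51.100.4 port 40001 ssh2",
    "Mar 14 08:20:00 gateway sshd[2103]: Failed password for anthony from 198.51.100.4 port 40002 ssh2",
    "Mar 14 08:40:00 gateway sshd[2104]: Failed password for anthony from 198.51.100.4 port 40003 ssh2",
]


def run_sample():
    """Feed the constructed log through a default correlator; return (alerts, correlator)."""
    c = BruteForceCorrelator()
    return [a for a in (c.feed(line) for line in SAMPLE_LOG) if a], c


if __name__ == "__main__":
    alerts, _ = run_sample()
    for a in alerts:
        print(f"{a['rule']}: {a['src_ip']} {a['failures']} failures, users={a['users']}, ban until {a['ban_until']}")
```

The slow source shows why the window matters: three failures an hour apart are a user mistyping a passphrase, not an attack, and a rule that counts failures without a time bound would ban it anyway. The burst source is banned on the fifth failure and its sixth line is silently dropped, which is the state a Wazuh active response or Fail2ban jail leaves the firewall in.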

§ WHAT'S NEXT
  • Add Suricata IDS on the pfSense SPAN port for deep packet inspection
  • Migrate secrets to HashiCorp Vault (replacing .env files)
  • Add Gitea for self-hosted source control off GitHub
  • Build out a second Proxmox node for HA and live migration testing