Homelab
Hardware, cloud tenants, and deliberate friction.
My homelab isn't optimized for ease — it's optimized for learning. Every layer is something I had to figure out, break, and rebuild. This is what it looks like right now.
The Hardware
What's physically on the shelf
ThinkPad X220
Portable Lab Node
i7-2640M · 16 GB · 512 GB SSD — pfSense triage, field kit, travel ops
Dell PowerEdge 210 II × 3
Core Compute + Storage
Xeon E3 · ECC RAM · hot-swap bays — FreeNAS, Docker, Cisco adjacency
GL.iNet WiFi 6 Router
Travel Gateway
WireGuard client built-in — tunnels home regardless of location
The Stack
Layer by layer
Network
pfSense + Cisco Edge & Core Switches
pfSense handles routing, firewall, DHCP, and DNS. Two Cisco switches — one edge, one core — handle VLAN segmentation and inter-VLAN routing. The setup gives me a real enterprise-adjacent topology to practice against.
Storage
FreeNAS on the PowerEdge Cluster
FreeNAS running on one of the 210 IIs with ZFS pools shared across the other nodes via NFS. Storage for Docker volumes, backups, and media. Simple, reliable, self-healing.
Services
Docker Compose — Forgejo, UniFi, Pi-hole + more
Everything self-hosted runs in Docker Compose stacks. Forgejo for private Git, UniFi controller for AP management, Pi-hole for network-level DNS filtering. Traefik fronts all of it with free TLS from Certbot.
Remote Access
WireGuard — Always Tunneled Home
The GL.iNet router runs a WireGuard client so my travel kit is always on my home network regardless of what hotel or coffee shop I'm connecting from. All traffic routes through my pfSense gateway.
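One way to check that a client profile really sends everything home, as an added example that is not part of the original page: a small audit of a wg-quick style config for full-tunnel routing and a pinned DNS server. It assumes the router's profile is available in standard WireGuard config format; `parse_wg`, `audit_full_tunnel` and the sample config (addresses, endpoint, key placeholders) are constructed for illustration.

```python
import ipaddress

# Constructed sample of a travel-router client config; keys and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = <home-gateway-public-key-placeholder>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0
"""

def parse_wg(text):
    """Return [(section, {key: [values]})]; repeated [Peer] blocks are kept separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            items = [v.strip() for v in value.split(",") if v.strip()]
            sections[-1][1].setdefault(key.lower(), []).extend(items)
    return sections

def audit_full_tunnel(text):
    """Return findings; an empty list means all traffic and DNS are pinned to the tunnel."""
    sections = parse_wg(text)
    nets = [ipaddress.ip_network(a, strict=False)
            for name, kv in sections if name == "peer"
            for a in kv.get("allowedips", [])]
    findings = []
    for version, label in ((4, "IPv4"), (6, "IPv6")):
        # Collapse first so split defaults (0.0.0.0/1 + 128.0.0.0/1) count as a default route.
        merged = ipaddress.collapse_addresses(n for n in nets if n.version == version)
        if not any(n.prefixlen == 0 for n in merged):
            findings.append(f"{label}: AllowedIPs does not cover the whole address space")
    if not any(kv.get("dns") for name, kv in sections if name == "interface"):
        findings.append("DNS: none set, so lookups use the local network's resolver")
    return findings

if __name__ == "__main__":
    print(audit_full_tunnel(SAMPLE_CONF) or "full tunnel: OK")
```

A profile that lists only home subnets in `AllowedIPs` is a split tunnel: internet-bound traffic leaves directly over the hotel or coffee-shop network, and the audit reports it.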
Cloud
Microsoft, AWS & GCP Learning Tenants
Separate learning tenants in Azure, AWS, and GCP for hands-on cloud security work. Used for detection engineering exercises, IAM deep-dives, and practicing cloud incident response without touching anything production.
TLS / Certs
Traefik + Certbot — Free SSL Everywhere
Traefik as the reverse proxy for all internal services. Certbot handles ACME cert issuance and renewal automatically via DNS-01 challenge. Every internal service gets a real signed cert — no browser warnings, no exceptions.