2026-06-10 🍁
My Current Projects

Identity & Authentication

| Service | Description | Status |
| --- | --- | --- |
| FreeIPA | Central identity provider — users, groups, Kerberos authentication | Running |
| -- LDAP | Directory service (bundled with FreeIPA) | Running |
| -- Kerberos | Authentication and ticket system (bundled with FreeIPA) | Running |
| -- SSSD | System Security Services Daemon — local caching of identity data | Running |
| -- Certmonger | Automatic certificate renewal for enrolled hosts | Running |
| Keycloak | SSO/OIDC provider — enterprise authentication for services | Running |

Networking

| Component | Description | Status |
| --- | --- | --- |
| pfSense | Firewall, router, and network orchestration — manages all traffic, security policies, and service access | Running |
| -- HAProxy | Reverse proxy and TLS termination — handles encrypted connections and routes requests to services | Running |
| -- ACME / Let's Encrypt | Automatic certificate management for external services — ensures TLS is always valid | Running |
| DNS Architecture | Split-horizon DNS — internal services resolve privately, external queries go to public DNS. Kerberos-aware for authentication | Running |

Network Segmentation

| Concept | Purpose |
| --- | --- |
| DMZ / External Services | Isolated network zone for publicly accessible services — limits blast radius if a service is compromised |
| Infrastructure | Dedicated zone for core identity, auth, logging, and management services — protects the backbone from general workstation traffic |
| Storage | Separated from general traffic — optimized for high-speed, secure data access — performance + security for sensitive data |
| Management | Admin interfaces only — XO, pfSense WebUI, hypervisor access — prevents accidental exposure of admin tools |
| Workstations | User devices and development machines — isolation from critical services |
| Guest | Network for visitors and temporary access — dedicated network for guests |

Hardware

Core Infrastructure

| Component | Description | Status |
| --- | --- | --- |
| Firewall | pfSense appliance — network edge, security enforcement, routing | Running |
| Hypervisors | XCP-ng virtualization hosts — compute platform for VMs | Running |
| Storage | TrueNAS — centralized NAS with ZFS for data integrity and snapshots | Running |

Workstations

| Component | Description | Status |
| --- | --- | --- |
| Primary | Debian-based laptop — daily driver, development, management | Running |
| Desktop | Rocky Linux desktop with GPU — media processing, AI workloads (Ollama) | Running |

Network Hardware

| Component | Description | Status |
| --- | --- | --- |
| Core Switch | Enterprise-grade switching — VLAN trunking, network segmentation | Running |
| Wireless AP | TP-Link managed AP — WiFi coverage for guest and user networks | Running |

Power Resilience

| Component | Description | Status |
| --- | --- | --- |
| Dual UPS | Redundant uninterruptible power supplies — automatic failover, uptime assurance | Running |
| Separate Circuits | Distributed power distribution — reduces single-point-of-failure risk | Running |

AI (Ollama and models)

| Component | Description | Status |
| --- | --- | --- |
| Ollama | Local LLM inference engine — runs AI models on-premise without cloud dependencies | Running |
| -- qwen3.5 | General-purpose reasoning model — 4B and 9B variants for various tasks | Running |
| -- qwen3-vl | Vision model — image analysis and tagging for photo library (Immich) | Running |
| -- qwen2.5 | Specialized model for alert triage — enriches firewall alerts and system events (Keep AIOps) | Running |
| -- gemma4 | Lightweight reasoning model — backup for quick inference tasks | Running |

OS Management

| Component | Description | Status |
| --- | --- | --- |
| AIDE | File Integrity Monitoring — detects unauthorized changes to system files and configurations | Running |
| auditd | Audit daemon — logs system calls and security events for compliance and troubleshooting | Running |
| firewalld | Host-level firewall — per-VM network segmentation and security policies | Running |
| System Hardening | Security baseline applied to all hosts — SSH hardening, permission restrictions, SELinux/AppArmor policies | Running |
| Docker | Container runtime — lightweight application deployment, isolation, and resource management | Running |
| User Environment | Desktop configuration and user tooling — dotfiles, shell environment, development tools | In Development |
| Auto-Update Scripts | Automated patch management — keeps systems current with security and stability updates | Planned |

Automation

| Component | Description | Status |
| --- | --- | --- |
| Ansible | Configuration management — pull architecture on first boot, push architecture for ongoing management | Running |
| -- Bootstrap Role | Initial VM setup — FreeIPA enrollment, firewall config, logging, monitoring agents | Running |
| -- Docker Role | Container management — deployment, networking, volume handling | In Development |
| -- Server Role | Base configuration for production servers — standardized setup across infrastructure | Planned |
| -- Workstation Role | Configuration for workstations and desktops — user environment, development tools | Planned |
| -- Sandbox Role | Configuration for sandbox/test environment — isolated testing and experimentation | Planned |
| cloud-init | VM provisioning — first-boot configuration, Ansible trigger, hostname/network setup | Running |
| Terraform | Infrastructure-as-Code for VM provisioning and resource management | Planned |

Logging and Monitoring

| Component | Description | Status |
| --- | --- | --- |
| Graylog | Log aggregation platform — collects syslog, Filebeat, and event streams from across infrastructure | Running |
| -- Streams | Organized log channels — pfSense, FreeIPA, security events, per-service logs | Running |
| -- Pipelines | Log processing rules — field extraction, event enrichment, filtering | Running |
| Filebeat | Log shipping agent — deployed on all VMs, forwards logs securely to Graylog | Running |
| Keep AIOps | Alert enrichment and triage — uses LLM to analyze events, adds context, routes to notifications | Running |
| Ntfy | Push notifications — delivers alerts and system events to users in real-time | Running |
| Prometheus | Metrics collection — gathers CPU, memory, disk, network stats from all hosts | Running |
| -- node_exporter | Host metrics agent — deployed across all VMs, exports system performance data | Running |
| Grafana | Dashboards and visualization — displays metrics, creates alerting rules, provides operational visibility | Running |
| Umami | Privacy-focused web analytics — monitors site traffic across multiple domains without tracking users | Planned |

Data Storage

| Component | Description | Status |
| --- | --- | --- |
| TrueNAS | Centralized storage platform — NFS shares, snapshots, backups, data integrity | Running |
| -- ZFS | Advanced filesystem — data protection, snapshots, compression, integrity checking | Running |
| -- NFS | Network file sharing — Kerberos-secured access for VMs and services | Running |
| Vaultwarden | Secrets and credentials management — encrypted password storage, secure credential sharing | Running |
| GitLab CE | Git repository and version control — stores code, configs, Ansible playbooks | Running |
| MinIO | S3-compatible object storage — state backend for Terraform, CI/CD artifacts | Planned |
| Offsite Replication | Remote backup and disaster recovery — replicates critical data to external location | Planned |

| Component | Description | Status |
| --- | --- | --- |
| Immich | Photo and video library with AI tagging — centralized media management with vision AI analysis | Running |
| Joplin Server | Note-taking and synchronization platform — encrypted notes accessible across devices | Running |

Infrastructure & DevOps

| Component | Description | Status |
| --- | --- | --- |
| Xen Orchestra | Hypervisor management — VM provisioning, snapshots, backups, resource orchestration | Running |
| Portainer | Container management UI — Docker visibility, deployment, stack management across hosts | Running |
| Ansible Push | Configuration management control node — pushes config updates across all infrastructure | Running |
| Omada Controller | Wireless AP management — centralized WiFi configuration and monitoring | Running |
| Technitium DHCP | DHCP service — network addressing for direct storage links and internal subnets | Running |

Security

| Component | Description | Status |
| --- | --- | --- |
| Certificate Infrastructure | FreeIPA CA and certmonger — automatic certificate lifecycle management for internal services | Running |
| -- Specific LE Certificates | External TLS certificates for individual services — encrypts and protects external-facing connections | Running |
| Security Philosophy | Defense in depth approach — network segmentation, host hardening, audit logging, least-privilege access throughout | Running |
| Incident Response | Alert triage and enrichment via Keep AIOps — automated analysis of security events, context gathering | Running |
| TPM Hardening | Hardware-based security — TPM enrollment, hardware-bound authentication, disk encryption | Planned |
| Vulnerability Management | Regular updates, patch management, and security scanning — keeps systems current against known exploits | Running |

External/Outward/WAN Services

| Component | Description | Status |
| --- | --- | --- |
| Immich | Photo and video library — externally accessible with Keycloak SSO authentication, AI-powered tagging | Running |
| Ntfy | Push notification service — delivers alerts and system events to mobile and desktop clients | Running |
| Netbird | WireGuard-based VPN overlay network — secure remote access to homelab, encrypted peer-to-peer connections | Running |
| HAProxy | TLS termination and reverse proxy — routes external traffic securely to backend services, manages certificates | Running |
| CanadianHomelabber.ca | Community resource and knowledge base — documentation, guides, and current homelab state | Running |