My Actual Infrastructure

Why I Reshaped My Home‑Lab

  • Power draw: old i7 tower idled at ≈80 W for almost nothing.
  • NAS: Upgraded to a real NAS with a trusted 12TB NFS share for Proxmox.
  • Consolidation: Intel N100 mini‑PC now runs Proxmox and all VMs / LXCs.
  • Network segmentation: Ubiquiti VLANs split services directly from the switch.
  • Out-of-band access: JetKVM is available from a dedicated VLAN when remote rescue is needed.
  • Hands‑on learning: every layer is mine—no SaaS lock‑in.
Intel N100 mini‑PC interior

Hosted Services

Edge WAF

Native nginx + ModSecurity (OWASP CRS) + fail2ban on dedicated reverse-proxy LXCs. Terminates TLS and filters traffic before it reaches app containers.

Forgejo

Self-hosted git forge for code, issues and collaboration.

https://git.godef.be

Memos

A lightweight personal note-taking and knowledge base service.

https://memos.godef.be

PrivateBin

End‑to‑end encrypted paste‑bin. Zero server knowledge, custom expiry & no third‑party logs.

https://bin.godef.be

FreshRSS

Self-hosted RSS reader to follow feeds without third-party services.

https://rss.godef.be

wimd

Fun terminal print service: curl -NL wimd.godef.be.

Source code:

https://github.com/ggodefroid/wimd

Monitoring & Alerting

Logs from the hypervisor and monitored LXCs are centralized with Fluent Bit into OpenSearch. ElastAlert2 evaluates custom rules and pushes Discord notifications for SSH access, WAF blocks, reverse shell indicators, and stack health. A separate watchdog covers Proxmox login events via Telegram. Full write-up: Monitoring Stack documentation.

Centralized log stack

Fluent Bit agents, OpenSearch, OpenSearch Dashboards, ElastAlert2, and a custom Discord alerter. Edge WAF and app logs feed the same pipeline.

Proxmox Login Watchdog

A Python script tails journalctl for pvedaemon logins and pushes instant Telegram alerts on success or failure.

GitHub - pve-notifier
Alert example
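
A sketch of the detection step behind the login watchdog, as an added example (not the pve-notifier code): it classifies pvedaemon journal lines into success and failure events and builds the alert text. The message patterns, the sample lines, and the per-source failure counter (which goes beyond the success/failure alerts described above) are assumptions; Telegram delivery is left out so it runs offline.

```python
import re
from collections import Counter

# Assumed pvedaemon message shapes, modelled on typical Proxmox VE journal output.
SUCCESS = re.compile(r"pvedaemon\[\d+\]: <[^>]+> successful auth for user '(?P<user>[^']+)'")
FAILURE = re.compile(
    r"pvedaemon\[\d+\]: authentication failure; rhost=(?P<rhost>\S+) user=(?P<user>\S+) msg="
)

# Constructed sample lines; 192.0.2.0/24 is a documentation address range.
SAMPLE = [
    "Mar 03 10:15:02 pve pvedaemon[1432]: <root@pam> successful auth for user 'root@pam'",
    "Mar 03 10:16:40 pve pvedaemon[1432]: authentication failure; rhost=::ffff:192.0.2.15 user=root@pam msg=Authentication failure",
    "Mar 03 10:16:41 pve pvedaemon[1432]: worker 2201 started",
    "Mar 03 10:16:44 pve pvedaemon[1432]: authentication failure; rhost=::ffff:192.0.2.15 user=admin@pve msg=no such user",
    "Mar 03 10:16:49 pve pvedaemon[1432]: authentication failure; rhost=::ffff:192.0.2.15 user=root@pam msg=Authentication failure",
]

def parse_line(line):
    """Return a dict describing a login event, or None for unrelated lines."""
    m = FAILURE.search(line)
    if m:
        # Normalise IPv4-mapped IPv6 so one client is always counted under one key.
        return {"outcome": "failure", "user": m["user"], "rhost": m["rhost"].removeprefix("::ffff:")}
    m = SUCCESS.search(line)
    if m:
        return {"outcome": "success", "user": m["user"], "rhost": None}
    return None

def alerts(lines, burst=3):
    """Yield one alert text per login event, escalating repeated failures per source."""
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["outcome"] == "success":
            yield f"[PVE] login OK: {ev['user']}"
            continue
        failures[ev["rhost"]] += 1
        n = failures[ev["rhost"]]
        level = "BRUTE-FORCE?" if n >= burst else "login FAILED"
        # The user field is typed by the client: treat it as untrusted when rendering.
        yield f"[PVE] {level}: {ev['user']} from {ev['rhost']} (failure #{n})"

if __name__ == "__main__":
    # A live watchdog would read lines from `journalctl -f -u pvedaemon` instead.
    for text in alerts(SAMPLE):
        print(text)
```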