The stack,
in full.

4-node cluster running Proxmox VE 9.1 with Ceph distributed storage across all nodes. HA-capable, with VMs and LXC containers spread across the cluster. PBS handles nightly backups to Synology NAS.

Wazuh 4.11.2 deployed as a VM with 9 agents across all Linux hosts. OPNsense syslog forwarding feeds firewall events into the SIEM. SOC dashboard is the default view: alerts, agent health, and event timeline all visible at a glance.

Authentik running in Docker with OIDC providers configured for Homarr, Grafana, AdGuard Home, Nginx Proxy Manager, and all four Proxmox nodes. Single sign-on across the entire lab stack.

Prometheus scraping Node Exporter on all four Proxmox nodes. Grafana dashboards showing CPU, memory, disk, and network metrics per node. Authentik SSO integrated.

Nginx Proxy Manager handling reverse proxy for all internal services. Cloudflare Tunnel provides zero-trust public access with 6 active routes, all with Let's Encrypt SSL via Cloudflare DNS challenge.

Proxmox Backup Server running nightly backups of all VMs and containers to a Synology NAS via NFSv3. Retention policy set to keep-last=3 with verification runs confirming backup integrity.

OPNsense running baremetal as the network edge. Handles all firewall rules, VLAN segmentation between lab and personal networks, and forwards syslog events to Wazuh for security monitoring.

Self-hosted photo management running in an LXC container. Currently syncing from two phones with plans to offload storage to the Synology NAS. Replaces Google Photos for personal use.