Petr Jurásek — Infrastructure Portfolio

00 / About

Who's behind this

I'm Petr, a final-year MSc student in Applied Computer Science at Palacký University in Olomouc. My academic background is in software development, but the work I find most compelling sits at the boundary between software and infrastructure — the layer where reliability, security, and operational discipline actually get enforced.

This homelab is how I close the gap between theory and practice. Every design decision here mirrors what you'd find in a production environment: VLAN segmentation with default-deny firewall policy, HA-aware service placement across a two-node Proxmox cluster, zero-trust external access via Cloudflare tunnels with no open WAN ports, and a full observability stack — Prometheus, Grafana, and Wazuh — that gives me real signal when something breaks. The goal is to build the muscle memory that textbooks don't provide.

I'm particularly drawn to roles that sit at the intersection of infrastructure reliability and data stewardship — network administration, hypervisor and Linux systems management, or data infrastructure roles focused on access control, dataset structuring, and keeping data secure at rest and in transit. If your team cares about doing these things properly, I'd like to talk.

Education

MSc — Applied Computer Science

Software Development · Palacký University in Olomouc

2024 – 2026

BSc — Information Technology

Palacký University in Olomouc

2021 – 2024

Open to

Network administrator Linux systems admin Hypervisor / virtualisation Data infrastructure Storage & ACL management Infrastructure engineer

01 / Infrastructure

Compute & storage

A two-node Proxmox VE cluster with shared TrueNAS storage, a dedicated backup server, and a Raspberry Pi quorum device to prevent split-brain during single-node failures.

lenovo1 · primary

Proxmox VE

10.169.91.70

Primary cluster node. Hosts most production LXCs. All DNS points to a pre-allocated keepalived VIP so failover requires zero DNS changes.

Proxmox 9VLAN 169cluster primary

lenovo2 · secondary

Proxmox VE

10.169.91.71

Secondary node and HA target. Planned host for the second Traefik node + keepalived, eliminating the reverse proxy as a single point of failure.

Proxmox 9VLAN 169HA failoverTraefik node 2 planned

truenas · primary datastore

TrueNAS SCALE

10.169.69.69

Shared storage over NFS and SMB. Issues its own ACME certs natively. Single source of truth for persistent data.

NFSSMBACME certsVLAN 169

pbs · backup

Proxmox Backup Server

10.169.173.99

Scheduled incremental backups for all LXCs and VMs with deduplication. Critical config paths verified per service. Stored on separate hardware from compute.

incrementaldedupscheduledVLAN 169

rpi5b · quorum

Raspberry Pi 5B

10.169.91.72

Cluster quorum device — prevents split-brain when one Proxmox node becomes unreachable. With only two nodes, a tiebreaker is mandatory for HA to function correctly.

quorumsplit-brain prevention

ubiquiti · routing & switching

UniFi Network

all VLANs

All switching and routing on UniFi hardware. Zone-based firewall with default-deny between VLANs and explicit allow rules only. No implicit inter-VLAN trust.

zone firewalldefault-deny6 VLANs

02 / Network Architecture

VLAN segmentation

Each workload class lives in its own VLAN with tailored firewall rules. This limits blast radius if any service is compromised and enforces least-privilege networking by default.

VLAN map — six segments

proxy

10.20.0.0/16

Ingress layer — sole entry point for all proxied traffic

TraefikCloudflaredkeepalived VIP 10.20.0.10

media

10.30.0.0/16

Media stack — isolated, no outbound to any other VLAN

PlexSonarrRadarrProwlarrSeerrqBittorrent

game

10.40.0.0/16

Game servers — isolated, port-forwarded directly bypassing Traefik

TeamSpeak 6AMP

services

10.50.0.0/16

Primary application VLAN — internal and split-horizon services

ImmichAuthentikOpenWebUIDocmostFoundryVTTNetboxN8N+more

exposed

10.55.0.0/16

Internet-facing services with stricter isolation from VLAN 50

NextcloudForgejoForgejo runnerPortfolio

169

infra

10.169.0.0/16

Infrastructure — hypervisors, storage, DNS, monitoring

ProxmoxTrueNASPBSTechnitiumPrometheusGrafanaWazuh

Firewall policy

Inter-VLAN rules

ALLOWDNS request from any VLAN → Technitium on VLAN 169

ALLOWVLAN 20 → backend VLANs on specific ports only

ALLOWCloudflare IPs → VLAN 20 only

DENYVLAN 30 (Media) → any other VLAN

DENYVLAN 40 (Game) → any other VLAN

DENYAll other inter-VLAN by default

WAN ingress

ALLOW9987/UDP → TS6 (voice)

ALLOW32400/TCP → Plex (direct streaming)

ALLOW3478, 5349 → Nextcloud (STUN/TURN)

DENYAll other inbound WAN traffic

Split-horizon DNS

Technitium DNS server

10.169.188.49 · Primary

10.169.139.122 · Secondary

10.154.222.213 · Offsite failover

Authoritative for local.screedy.com. Forwarder zone for screedy.com — local overrides resolve to Traefik VIP (10.20.0.10), unknown records forwarded to Cloudflare. Secondary Technitium syncs via zone transfer.

Domain conventions

*.local.screedy.com

Internal only. Technitium-authoritative. Never published to Cloudflare DNS. Unreachable externally by design.

*.screedy.com

Public or split-horizon. Technitium override for internal clients + Cloudflare public record for external clients. Same domain, different resolution.

03 / Services

Deployed applications

25+ self-hosted services across six VLANs, all accessible via Traefik with wildcard TLS certs issued through a Cloudflare DNS challenge — no open WAN ports required for web access.

Productivity & knowledge

Nextcloud

split-horizon

nextcloud.screedy.com

Full self-hosted cloud suite — file sync, calendar, contacts, collaborative editing, and video calls. STUN/TURN port-forwards bypass Traefik for real-time communication.

VLAN 55Cloudflare tunnelSTUN/TURN

Docmost

split-horizon

docmost.screedy.com

Collaborative wiki and documentation platform accessible externally via Cloudflare tunnel.

VLAN 50Cloudflare tunnel

Immich

internal

immich.local.screedy.com

Self-hosted Google Photos alternative with ML-powered face recognition, EXIF search, and mobile backup. NFS-backed storage on TrueNAS. Migrating from VLAN 169 to VLAN 50.

VLAN 50NFS storageML faces

Booklore

internal

booklore.local.screedy.com

Self-hosted library management and e-book reader with metadata enrichment and reading progress tracking.

VLAN 50

Kiwix

internal

wiki.local.screedy.com

Offline Wikipedia and reference content server. Useful when external internet is unavailable.

VLAN 50Doomsday Preparation

AI & automation

OpenWebUI

split-horizon

ai.screedy.com

Web frontend for local LLMs served through LiteLLM proxy. Supports model switching, conversation history, and RAG pipelines from behind a Cloudflare tunnel.

VLAN 50Cloudflare tunnelLiteLLM

N8N

internal

n8n.local.screedy.com

Low-code workflow automation platform. Migrating to VLAN 50 with full Traefik integration and persistent NFS storage.

VLAN 50migrating

Changedetection

internal

changedetection.local.screedy.com

Website change monitoring with alerting. Tracks upstream service updates, CVEs, and infrastructure advisories.

VLAN 50monitoring

Infrastructure & operations

Traefik v3

internal

traefik.local.screedy.com

traefik.screedy.com

Reverse proxy and TLS termination for all internal and split-horizon services. Wildcard certs via Cloudflare DNS challenge. Dynamic config hot-reloads with no restart. Proxmox HA configured for automatic failover.

VLAN 20Proxmox HAwildcard TLSmetrics

Authentik

internal

auth.screedy.com

Identity provider and SSO. Forward auth middleware for Traefik planned — will protect services without built-in auth. Cloudflare tunnel exposure planned.

VLAN 50SSOforward auth planned

Netbox

internal

netbox.local.screedy.com

Network source of truth — VLAN documentation, device inventory, and rack diagrams.

VLAN 50

Technitium DNS

internal

10.169.188.49

Primary DNS server with split-horizon zones. Authoritative for local.screedy.com, forwarder for screedy.com. Secondary node provides HA for DNS resolution.

VLAN 169split-horizonzone transfer

Forgejo

split-horizon

forgejo.screedy.com

Self-hosted git forge. Hosts all infrastructure and application code, including the CI/CD pipelines that deploy this portfolio. Actions runner in VLAN 55 SSHes into target LXCs for zero-downtime deploys.

VLAN 55Cloudflare tunnelActions runner

Media (VLAN 30 — isolated)

Plex

split-horizon

plex.screedy.com

Media server. Port-forwarded directly on 32400 for remote direct streaming — bypasses Traefik by design to avoid proxy overhead on large media streams. Isolated in VLAN 30.

VLAN 30port-forwardisolated

Arr stack

internal

*.local.screedy.com

Sonarr, Radarr, Prowlarr, Seerr, qBittorrent, Flaresolverr — fully automated media acquisition pipeline. All services reside in VLAN 30 with no outbound to other VLANs.

VLAN 30isolatedNFS storage

Gaming and entertainment

FoundryVTT

split-horizon

vtt.screedy.com

Self-hosted virtual tabletop for TTRPGs. Exposed externally via Cloudflare tunnel with WebSocket support through Traefik. Split-horizon DNS keeps latency low for local players.

VLAN 50WebSocketCloudflare tunnel

TeamSpeak 6

port-forward

ts6.screedy.com

Voice communication server for gaming. Port-forwarded directly on UDP 9987 to minimize latency.

VLAN 40port-forwardisolated

04 / Security

Security posture

Defence in depth — from VLAN segmentation at the network layer up through zero-trust tunnels, automated TLS, SIEM alerting, and per-service access controls.

Network segmentation

Six VLANs isolate workloads by risk profile and purpose
Default-deny between all VLANs — explicit allow rules only
Media (30) and Game (40) have no outbound to internal services
VLAN 55 (Exposed) further isolates exposed services from VLAN 50
Traefik on VLAN 20 is the sole ingress point for proxied web traffic

Zero-trust external access

Cloudflare Tunnel — no inbound WAN ports for web services
All external traffic terminates at Cloudflare edge
*.local.screedy.com is never published to public DNS — unreachable externally by design
Cloudflared LXC isolated from backend VLANs — only permitted to reach Traefik

TLS everywhere

Wildcard certs for *.local.screedy.com and *.screedy.com via Cloudflare DNS challenge
No HTTP-01 challenge — WAN ports 80/443 remain closed
Cert managed centrally in Traefik, renewed automatically before expiry
HTTPS backends use serversTransport with appropriate cert verification settings
HSTS, XSS protection, frame options, referrer policy enforced via Traefik middleware

SIEM & access monitoring

Wazuh agent on Traefik LXC ships access logs and daemon logs as JSON
Custom Wazuh rules (IDs 100200–100207): brute force, 5xx storms, blocked access, slow response anomalies
Traefik access log captures ClientHost, X-Forwarded-For, DownstreamStatus, Duration, RouterName
Prometheus scrapes Traefik metrics — Grafana dashboards for request rates and error spikes
Rate-limit middleware on Traefik: 100 req/s average, burst 50
Basic auth on Prometheus endpoint enforced via Traefik middleware

05 / Observability

Monitoring & alerting

Metrics, logs, and security events aggregated into a coherent observability pipeline — so problems surface before they become outages.

Prometheus

Metrics collection

Scrapes Traefik (/metrics on :8080), Unpoller (UniFi network metrics), and itself. Basic auth enforced by Traefik middleware.

Grafana

Dashboards

Datasource pointed directly at Prometheus (bypasses Traefik auth layer). Dashboards for UniFi AP/client metrics, Traefik request rates, error rates, and response time percentiles.

Wazuh

SIEM / EDR

Agent on Traefik LXC with custom JSON decoder for Traefik access logs. Custom rule IDs fire on brute-force patterns, 5xx error spikes, blocked access events, and slow response anomalies.

Unpoller

Network metrics

UniFi controller exporter for Prometheus. Tracks per-client and per-AP traffic, signal quality, and channel utilisation. Pure exporter — no UI, port 9130 only.

Beszel

Host monitoring

Lightweight agent-based host monitoring. Tracks CPU, memory, disk I/O, and network per LXC and VM. Low overhead compared to full node_exporter setups.

Loki (planned)

Log aggregation

Planned addition to unify log shipping from all LXCs and VMs into Grafana. Currently logs are inspected per-host; Loki will enable label-based querying across the entire cluster.

06 / Engineering decisions

Why this setup?

The decisions that shaped this setup — and the trade-offs considered.

LXC over VM for most services

LXCs share the host kernel, making them faster to start and far cheaper on RAM — a meaningful constraint with two nodes. Proxmox HA works on LXCs, so failover is still automatic. VMs are reserved for workloads that genuinely need kernel isolation, like Nextcloud.

Cloudflare Tunnel instead of open WAN ports

No inbound WAN firewall rules for web services. Traffic terminates at Cloudflare's edge — the origin IP is never exposed. DDoS protection, WAF and rate-limiting handled by Cloudflare. The trade-off is a dependency on Cloudflare's availability for public-facing services, which is an acceptable risk for a homelab.

DNS challenge for wildcard TLS

Using the Cloudflare DNS-01 ACME challenge means no ports need to be open for cert issuance or renewal. A single wildcard cert covers all subdomains, and renewal is fully automated inside Traefik — no manual intervention ever needed.

VIP pre-allocated before HA is built

All DNS records point to 10.20.0.10 (future keepalived VIP) even before the second Traefik node exists. When lenovo2 gets its Traefik instance and keepalived is configured, no DNS records need to change — the cutover is operationally invisible.

Split-horizon DNS over separate domain names

Internal clients resolve service.screedy.com to the Traefik VIP via Technitium's forwarder zone. External clients get Cloudflare's public record. Same domain, different resolution path — no internal traffic hairpins through Cloudflare, and no UX difference for users.

Quorum device for a two-node cluster

Proxmox requires quorum to take HA actions. With only two nodes, a network partition creates a tie — without a tiebreaker, neither node can safely fence the other and HA stalls. The Raspberry Pi resolves this at minimal cost and power draw.

Separate VLAN 55 for internet-facing services

Nextcloud receives STUN/TURN port-forwards directly from WAN and runs the AiO container which exposes more surface area. Putting it in VLAN 55 rather than VLAN 50 limits the blast radius if the container is compromised — it cannot reach other application services.