About This Website
After passing the CompTIA Security+ exam, I wanted to build something based on the lessons and fundamentals learned in the exam.
The result is this site, a front end that explains the journey of building and maintaining a cybersecurity lab.
How it started
In terms of hardware, this site was running on an old laptop that was gathering dust. I replaced the mechanical drive with an SSD, booted from an Ubuntu USB, and voilà, an old dusty laptop was turned into a webserver.
The early stack was simple and built with whatever I had lying around: Apache serving this static site, UFW and Fail2Ban for host hardening, OpenSSH over a WireGuard VPN for remote access, and Wazuh SIEM running on a separate Ubuntu box (my gaming PC) to aggregate and alert on Apache access logs. A git deploy script pulled changes from GitHub and rsynced them into the Apache document root.
How it evolved
At a local DEFCON meetup, a more serious architecture was sketched out for me on scrap paper. Credit to VarB for the inspiration and for the drawing below. VarB strongly encouraged me to start using Proxmox for my lab and access my backends using mTLS.
The decision came down to moving my lab off the apartment laptop and onto a proper dedicated server. I picked up a Hetzner dedicated server in Helsinki via their server auction for around €40/month, bare metal, not a VPS.
Before and after the migration:
Before
After
The move to Hetzner was a huge learning experience. It involved setting up a Proxmox hypervisor, configuring OPNsense as the primary firewall, deploying HAProxy as a reverse proxy, and building my own PKI from scratch. The VPN-only model was replaced with mutual TLS. Not my cert? That means no access for you.
Current infrastructure
- Hetzner dedicated server (Helsinki) — bare-metal hypervisor host
- Proxmox VE — virtualisation layer; all VMs and services run here
- OPNsense VM — primary firewall and WAN gateway; controls all traffic in and out
- HAProxy — reverse proxy enforcing mTLS; only clients with a valid signed certificate can reach backends
- Self-built PKI — Root CA (offline, stored on encrypted USB) + Intermediate CA in OPNsense; leaf certs issued per service and per client
- Wazuh SIEM — log aggregation, alerting, and dashboards for Apache access logs
- Ollama Server — for private personal AI
- Instant Custom VM Clients — for cybersecurity testing
- Apache — webserver for this static site; access logs feed into Wazuh
- Fail2Ban + UFW — host-level hardening on every Linux node
- WireGuard VPN — internal access to the homelab from anywhere (some services still need to be migrated to mTLS)
Full details on past and current work are in the project blog.