Architecture Write-Up

Enterprise Homelab

Identity-Centric Infrastructure Architecture

A layered enterprise-style lab focused on segmentation, centralized identity, Zero Trust access, observability, and intelligent automation.

Overview

This project is a continuously evolving infrastructure environment designed to mirror modern enterprise IT architecture.

The primary design principle is simple:

Identity is the control plane.

Network segmentation enforces boundaries.
Access is explicitly granted.
Observability validates system state.
Automation reduces operational friction.

This environment is structured, documented, and operated with enterprise practices in mind. It is built to demonstrate architectural thinking rather than isolated technical experiments.

Architecture Overview

Edge Layer

  • Router: MikroTik hAP ax3 (Wi-Fi 6 router)
  • VLAN segmentation at the edge
  • Logical segments include WAN, Infrastructure, Clients, IoT, Management, and DMZ

All east-west traffic is intentional and policy-driven.

Virtualization Layer

  • Hypervisor: Proxmox VE (virtualization platform)
  • VLAN-aware bridges
  • Isolated infrastructure services
  • No flat internal network

This layer hosts all control plane systems, including identity services, monitoring, and application workloads.

Internal Firewall Layer

  • Platform: pfSense (firewall distribution)
  • Planned role: inter-VLAN routing and policy enforcement
  • Future VPN termination point
  • Future IDS and DNS filtering integration

This layer is currently in design. The objective is to introduce a dedicated policy engine between all segments rather than relying solely on edge routing.

Architecture Diagram

flowchart LR

subgraph Edge["Edge Layer"]
  MT["MikroTik hAP ax3<br/>VLAN Segmentation"]
end

subgraph Firewall["Firewall Layer (Planned)"]
  PFS["pfSense<br/>Inter-VLAN Policy<br/>VPN Termination<br/>IDS + DNS Filtering"]
end

subgraph Virtualization["Virtualization"]
  PVE["Proxmox VE<br/>VLAN-aware Bridges"]
end

subgraph ZeroTrust["Zero Trust + Remote Access"]
  CF["Cloudflare Zero Trust<br/>Tunnel + MFA (Active)"]
  TS["Tailscale<br/>Private Mesh (Active)"]
  WG["WireGuard<br/>At pfSense (Planned)"]
end

subgraph Identity["Identity (In Progress)"]
  IPA["FreeIPA<br/>Kerberos + LDAP<br/>HBAC + sudo + SSH Keys"]
  AD["Samba AD DC<br/>Windows Domain + GPO"]
  Trust["Cross-Forest Trust<br/>(In Progress)"]
  IPA --> Trust
  AD --> Trust
end

subgraph Observability["Observability (Planned)"]
  Prom["Prometheus<br/>Metrics"]
  Graf["Grafana<br/>Dashboards"]
  Loki["Loki<br/>Centralized Logs"]
  Kuma["Uptime Kuma<br/>Service Health"]
  Prom --> Graf
  Loki --> Graf
end

subgraph Agents["Agent Layer (In Progress)"]
  LLM["LLM Assistants<br/>Doc-aware Retrieval"]
  RO["Scoped Agents<br/>Query + Controlled Actions"]
  Guardrails["Guardrails<br/>Identity-scoped Access<br/>Context-scoped Permissions<br/>Full Auditability"]
  LLM --> RO
  RO --> Guardrails
end

MT --> PFS
MT --> PVE
PFS --> PVE
CF --> PVE
TS --> PVE
WG --> PFS
PVE --> IPA
PVE --> AD
PVE --> Prom
PVE --> Loki
PVE --> Kuma
Guardrails --> IPA
Guardrails --> Prom

Identity Architecture

Identity is the core architectural focus of this lab.

Linux and Unix Identity

  • Directory: FreeIPA (identity management suite)
  • Kerberos authentication
  • LDAP directory services
  • HBAC enforcement
  • Centralized sudo policy
  • SSH key management

Windows Identity

  • Directory: Samba (Active Directory-compatible server) AD Domain Controller
  • Windows domain join capability
  • Group Policy support
  • Native Windows authentication

Federation Model

Cross-forest trust between FreeIPA and Samba AD is the architectural goal of this layer. Work is actively in progress.

  • FreeIPA deployed as the primary Kerberos + LDAP authority for Linux hosts
  • Samba AD DC stood up with domain join and GPO support
  • Ansible connector service built to bridge identity attributes between directories
  • Cross-forest trust initiated; authentication limitations reached at the Samba boundary

Samba's AD implementation does not fully honor FreeIPA's Kerberos auth model at the cross-realm boundary. After exhausting Ansible-based workarounds, the path forward is a genuine Windows Server deployment to validate the full federation model.

See the FreeIPA + Samba AD write-up for the full account of what was built, what the limitation is, and the plan forward.

Zero Trust and Remote Access

Application Publishing

  • Cloudflare Zero Trust Access
  • Tunnel-based publishing
  • No inbound port exposure
  • MFA enforced through identity policies

Administrative surfaces remain private. Application surfaces are protected by identity-driven access policies.

Private Access Model

  • Current direction: Tailscale for secure mesh connectivity
  • Future state: WireGuard termination at pfSense
  • Administrative interfaces restricted to private network access

Access policy model:

  • Administration requires private connectivity
  • Applications require identity validation and MFA
  • Infrastructure services are not publicly exposed

Observability and Telemetry

The lab is evolving toward measurable system-state visibility.

Planned and in-progress components:

  • Prometheus metrics
  • Grafana dashboards
  • Loki centralized logs
  • Uptime Kuma service health monitoring

The objective is to move from reactive troubleshooting to proactive system insight.

Intelligent Systems and Agent Layer

This environment is expanding to include AI-assisted infrastructure workflows.

Focus areas include:

  • LLM-backed internal assistants
  • Documentation-aware retrieval systems
  • Read-only infrastructure query agents
  • AI-assisted troubleshooting workflows
  • Policy-aware AI boundaries

Agents are treated as controlled cognitive extensions of the environment rather than privileged automation tools.

Design principles for AI integration:

  • Identity-scoped access
  • Explicit permission boundaries
  • No autonomous destructive actions
  • Observability into agent behavior

The goal is to model how intelligent systems can exist safely inside enterprise environments.

Security Direction

  • VLAN least-privilege enforcement
  • Bastion isolation within management segment
  • IDS deployment
  • DNS filtering and sinkholing
  • Backup and recovery planning
  • Log retention and audit strategy

Security posture evolves alongside infrastructure complexity.

Strategic Objective

This project exists to:

  • Demonstrate cross-platform identity federation
  • Showcase Zero Trust architectural design
  • Prove secure Linux and Windows interoperability
  • Model observability-driven infrastructure
  • Explore responsible AI integration in enterprise systems
  • Serve as a living portfolio artifact

All documentation, diagrams, and walkthroughs are being structured as engineering artifacts rather than blog-style posts.

Current Hardware

  • CPU: Intel Xeon E5 2620 v2, 6 cores, 12 threads
  • Memory: 32 GB ECC, expandable to 96 GB
  • Storage: 2 x 1 TB Samsung 870 EVO SSD
  • Networking: Intel 82579V and Realtek 8111/8168 NICs
  • Role: Proxmox infrastructure host

Planned Hardware Expansion

  • Memory expansion to 64 to 96 GB
  • Intel i350 quad-port NIC
  • Dedicated SSD or NVMe for monitoring and log workloads
  • Second Proxmox node for backup and clustering