There’s a gap between knowing how enterprise infrastructure works and understanding why it works. During my time at the University of Washington Bothell, I had a general understanding of how IT infrastructure worked within businesses but was missing the “know how” of the technical engineering “under the hood.” I knew what buttons to press and what the expected outputs were. But there’s a difference between being a skilled operator and being someone who could build the thing from scratch if they had to.

The home lab was my attempt to close that gap and understand zero-trust at scale.

The Setup

The core is a Proxmox hypervisor running a mix of Docker containers (via LXCs) and full Linux VMs. Nothing exotic: it’s just commodity hardware, no enterprise licensing, no cloud spend. The constraint was intentional. If I couldn’t build it with what I had on hand, I didn’t build it.

Here’s what’s running:

Network layer: Pi-hole with Unbound for DNS resolution. All DNS queries go through my own recursive resolver instead of a third-party service. A self-hosted VPN (WireGuard via Tailscale) for secure remote access. Cloudflared tunnel for exposing select services without opening inbound ports. Nginx reverse proxy handling routing and TLS termination.

Storage: TrueNAS for centralized storage with snapshot-based backup. Serves as the data layer for everything else in the stack.

Observability: Prometheus for metrics collection, Grafana for dashboards and alerting, Uptime Kuma for availability monitoring. Every service in the lab reports health metrics. If something goes down at 2 AM, I know about it.

Management: MeshCentral for remote device management across the lab. Useful for accessing VMs and containers without SSH-ing through multiple layers.

Sandbox: A dedicated testing environment for spinning up temporary services, breaking things, and experimenting with configurations I wouldn’t try on production-facing infrastructure.

What I Was Actually Learning

The tools themselves aren’t the point. Anyone can follow a YouTube tutorial and get Pi-hole running in an afternoon. The learning happens in the spaces between the tutorials, when things break in ways the documentation doesn’t cover.

DNS is more political than technical. Setting up recursive DNS resolution taught me more about how the internet actually works than the courses I took at college. The chain from stub resolver to recursive resolver to authoritative nameserver is conceptually simple, but the failure modes (DNSSEC validation errors, upstream resolver timeouts, split-horizon edge cases) taught me how much of “the internet works” is actually “the internet works because a lot of things happen to not be broken right now.”

Observability changes how you think about systems. Before I had Prometheus and Grafana running, I diagnosed problems reactively. Something breaks, I go look at logs. After building the monitoring stack, I started thinking in terms of baselines and deviations. What’s the normal CPU utilization for this container? What does a healthy request latency distribution look like? When a service starts degrading, is the symptom in the application, the network, or the host? That shift from reactive to observability-driven troubleshooting directly translated to how I investigate issues at work.

Reverse proxies are an exercise in trust boundaries. Configuring Nginx to route traffic correctly forced me to think carefully about what’s exposed, to whom, and under what conditions. Which services should be publicly reachable? Which ones sit behind authentication? How do I handle TLS termination without creating a gap where traffic travels unencrypted inside my own network? These are the same questions enterprise security teams deal with, just at a smaller scale where I can see all the moving parts.
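One way to answer the TLS-termination question above, as an added example that is not the author’s own configuration: the first server block shows the weak pattern (TLS ends at Nginx and the hop to the backend is plaintext), while the second re-encrypts to the backend, verifies its certificate against a lab CA, and gates the route behind an auth subrequest. The hostnames, IP addresses, ports, and file paths are assumed placeholders, and the two blocks are alternatives, not meant to be loaded together.

```nginx
# Added example, not the lab's real config. Assumed placeholders: a Grafana
# backend at 10.0.10.20 that can also speak TLS on 3443 with a certificate
# issued by a lab CA (/etc/nginx/lab-ca.pem), and an auth service on 127.0.0.1:9091.

# Weak pattern: TLS terminates here, then the backend hop is in clear text.
server {
    listen 443 ssl;
    server_name grafana.example.lab;
    ssl_certificate     /etc/nginx/certs/grafana.crt;
    ssl_certificate_key /etc/nginx/certs/grafana.key;

    location / {
        proxy_pass http://10.0.10.20:3000;   # plaintext inside the internal network
    }
}

# Hardened pattern: re-encrypt to the backend, verify its certificate, and
# only forward requests the auth service has accepted.
server {
    listen 443 ssl;
    server_name grafana.example.lab;
    ssl_certificate     /etc/nginx/certs/grafana.crt;
    ssl_certificate_key /etc/nginx/certs/grafana.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        auth_request /auth;                          # subrequest must return 2xx first
        proxy_pass https://10.0.10.20:3443;          # TLS all the way to the backend
        proxy_ssl_verify on;                         # reject an unverifiable backend cert
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/lab-ca.pem;
        proxy_ssl_name grafana.lab.internal;         # name checked against the backend cert
        proxy_ssl_server_name on;                    # send SNI so the backend selects that cert
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    location = /auth {
        internal;                                    # not reachable directly from clients
        proxy_pass http://127.0.0.1:9091/verify;
        proxy_pass_request_body off;                 # only headers are needed to decide
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```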

Backups are a discipline, not a feature. TrueNAS snapshots are easy to configure. The hard part is building a backup strategy that actually works: testing restores, verifying integrity, ensuring the backup schedule accounts for the data change rate. I lost data exactly once early on because I assumed the snapshots were working without verifying. That lesson cost me a weekend of rebuilding and permanently changed how I think about data protection.

How This Connects to Enterprise Work

The home lab isn’t a résumé line item. It’s a thinking tool.

When I’m troubleshooting VPN access issues at or before work, such as Zscaler configurations through Entra ID or CyberArk key authentication problems, I’m drawing on the same mental model I built by configuring WireGuard tunnels and debugging certificate chains at home. The vendor names change, the scale changes, but the underlying logic of “traffic needs to get from A to B through an authenticated, encrypted channel, and here’s where it’s failing” stays constant.

When I’m building PowerBI dashboards to visualize IAM metrics, the data pipeline thinking comes from the same place as wiring Prometheus exporters into Grafana: define what you want to measure, instrument the source, build the visualization, set the alert thresholds.

When I’m documenting security procedures for the team, the instinct to write clear, testable runbooks comes from writing wiki documentation at APL-UW and realizing that documentation only works if someone who isn’t you can follow it without calling you.

The home lab is where I make mistakes cheaply so I can make decisions confidently at work.

What’s Next

The current stack is stable, which means it’s time to break it. I’m planning to add a SIEM layer, probably Wazuh or an ELK stack, to start correlating logs across services and practicing detection engineering. The goal is to move from “I can monitor infrastructure” to “I can detect and investigate suspicious activity across a heterogeneous environment.”

That’s the current trajectory: operate, automate, observe, detect. Each layer builds on the last.


Nathan Lim is a Cybersecurity IAM Analyst based in Seattle. He holds CompTIA Security+ and AWS Solutions Architect Associate certifications and maintains a self-hosted infrastructure lab focused on zero-trust architecture and observability.