Intro to this Blog and Current Setup
This blog will show a bit of what I've been working on for the past few years in my home lab and show what I'm implementing next! Stay tuned for more!
UniFi Networking and Home Automation
I got a VERY overbuilt UniFi network. Especially for a household of one (plus cat). Designed to be 2.5 gig ready, and I can swap in 10 GbE equipment if I can afford it one day, lol. ISP plan is depressing though. 1000/40 Mbps with Spectrum in West Hills. I want 1000/1000. (I can literally see the Spectrum office out the window, lmao.) Might need to downgrade the speeds soon though. So might get worse. Especially the upload. Money. (Current job at LAUSD pays less than In-N-Out, lmao. Apparently, I'm not qualified for anything? You may hear me ramble about them throughout this blog.)
UDM-SE is the router, Pro Max 16 PoE as the main switch, APs are all Wi-Fi 7 capable, one is a U7 Pro Max and the other is a U7 Pro. Unfortunately, due to a bad Ethernet run that lets PoE through but only 100 Mbps Ethernet, one AP is meshed to another. Still gets me over 1 Gbps speeds over the air, so I'm happy enough. If I get the money, I'll rip and replace the run. (Re-terminating didn't help for whatever reason. Maybe I damaged the cable when running it.)
VPN to home using WireGuard (primarily) and L2TP/IPsec for compatibility with legacy clients or the built-in Windows VPN client. Also can use UniFi Teleport for an instant VPN.
Home phone is an Ubiquiti Phone Touch Max. UniFi Talk for VoIP. No nonsense, easy to use, and gorgeous phones.
Cameras are all Ubiquiti cameras. Got them working with Alexa and other assistants with Scrypted. That way, they act like mostly normal cameras I can use with Alexa. Don't want to show off the inside of my home, so here are the devices.
Scrypted runs on my Home Assistant Yellow box. As mentioned, it helps my enterprise UniFi cameras work like normal smart cameras you could buy at a big box store.
Home Assistant also acts as a middleman between UniFi and my August lock so I can use a UniFi access card (or my finger) against my G4 Doorbell and it'll send a webhook to HA to unlock the door. Janky, I know, but it works.
Equipment, Storage and Compute
Main host for most things is my UnRAID NAS. Unraid Pro, 8700K (free from a friend), 32 GB RAM (half from one friend, half from a coworker), almost 32 TB of drives. (Why that much storage? I got no idea what data I'm hoarding anymore, lmao.)
As mentioned, I also have a Home Assistant Yellow that runs some other things related to home automation.
And recently, I got a small Lenovo ThinkCentre PC from a coworker. (Thanks, Daniel!) Going to use that to replicate some workloads on my NAS. Running Windows Server 2025 Core with the Hyper-V role installed. (Almost all my Windows Servers run Core if they're not intended to be used interactively. Saves resources, speeds up patching, and reduces attack surface.)
Another coworker gave me another desktop. (Thanks, Stephen!) Still gotta lug it home, install an OS, and figure out what to do with it, lol.
Docker
Below is just a little snippet of the Docker containers I already have running on my UnRAID NAS. I can explain more later. I use NGINX Proxy Manager for my reverse proxy. Simple to use, handles certificate renewals for me, (mostly) stress free, and all access outside of the Docker network uses HTTPS. Oh, and Cloudflare Argo Tunnels help host some of my applications without opening my network to anyone.
Can Cloudflare please move this to a better place? And stop rearranging things, lol.
Identity and Security
I already have a pre-existing Entra ID tenancy and local AD (for privileged users only). Entra ID is configured passwordless with strong multifactor auth by default, and users are not created in local AD unless a specific need is identified (like management of my Windows Server farm) to reduce attack surface. (AD users can't be made passwordless to my knowledge (unless you use password not required, lmao), and AD doesn't support FIDO, passkeys, or Microsoft Authenticator for login.)
I also have a PKI infrastructure configured. Root made with OpenSSL/XCA, and the myCatLAN Local Directory Sub CA 01 is operated with ADCS. CRLs are published to the Internet at crl.andritolion.com. AIA at ca.andritolion.com. Site hosted with Azure Static Web Sites because I'm poor, lol. But it gets the job done well at zero cost to me. The actual CRL files are stored on a private GitHub repo. (Helps with historical versioning for auditing too!) A scheduled task on the ADCS host pushes to GitHub using the API every 8 hours.
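A publishing pipeline like this has one quiet failure mode: if the scheduled push stops, the CRL at crl.andritolion.com silently ages out and relying parties start failing revocation checks. The check below is an added example (not the blog's own tooling): it reads thisUpdate/nextUpdate straight out of the DER with only the Python standard library, flags a CRL that has lapsed or will lapse before the next 8-hour push, and runs offline against a constructed sample CRL whose issuer name, OIDs, dates and placeholder signature are made up here; the signature is not verified.

```python
# Added example, not the blog's own tooling: stdlib-only freshness check for a published CRL.
# Only the DER time fields are parsed; the signature is NOT verified here (the client chain does that).
from datetime import datetime, timedelta, timezone
def utc(y, mo, d, h=0):
    """Aware UTC datetime helper so samples and checks never depend on local time."""
    return datetime(y, mo, d, h, tzinfo=timezone.utc)
def _der(tag, body):  # minimal DER TLV encoder, used only to construct the sample CRL below
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) to datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def parse_crl_times(der):
    """Return (thisUpdate, nextUpdate) from an X.509 CertificateList (RFC 5280 section 5.1)."""
    _, body, _ = _tlv(der, 0)              # CertificateList SEQUENCE
    _, tbs, _ = _tlv(body, 0)              # tbsCertList SEQUENCE
    tag, _, pos = _tlv(tbs, 0)             # optional version INTEGER
    pos = pos if tag == 0x02 else 0
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    t_tag, t_val, pos = _tlv(tbs, pos)     # thisUpdate
    if pos >= len(tbs) or tbs[pos] not in (0x17, 0x18):   # nextUpdate is OPTIONAL in ASN.1
        raise ValueError("CRL has no nextUpdate, so relying parties cannot judge freshness")
    tag, val, _ = _tlv(tbs, pos)
    return _time(t_tag, t_val), _time(tag, val)
def check_crl_freshness(der, now, publish_interval=timedelta(hours=8)):
    """Flag a CRL that has expired, or that will expire before the next scheduled push."""
    this_update, next_update = parse_crl_times(der)
    remaining = next_update - now
    return {"this_update": this_update, "next_update": next_update,
            "fresh": remaining > timedelta(0), "republish_now": remaining <= publish_interval}
# Constructed sample CRL (not fetched from crl.andritolion.com): CN-only issuer, one-week
# validity, sha256WithRSAEncryption OID and a placeholder (invalid) signature BIT STRING.
SAMPLE_THIS, SAMPLE_NEXT = utc(2025, 1, 1), utc(2025, 1, 8)
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_CN = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"myCatLAN Local Directory Sub CA 01"))
_TBS = _der(0x30, _der(0x02, b"\x01") + _ALG + _der(0x30, _der(0x31, _CN))
            + _der(0x17, SAMPLE_THIS.strftime("%y%m%d%H%M%SZ").encode())
            + _der(0x17, SAMPLE_NEXT.strftime("%y%m%d%H%M%SZ").encode()))
SAMPLE_CRL = _der(0x30, _TBS + _ALG + _der(0x03, bytes(9)))
```

To monitor the real endpoint, feed the bytes fetched from the CRL distribution point into check_crl_freshness with the current time and alert on republish_now, which fires one push interval before clients would start rejecting the CRL.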
All machines on local AD have a certificate from ADCS that protects the RDP session and ensures trust.
I have some pre-existing Intune policies deployed, but I no longer have Intune licenses because I'm poor, lol. Below is a little snippet of the policies I have deployed, including a policy that provisions device certificates issued from ADCS. These certificates are to be used to authenticate Intune devices to my UniFi network using EAP-TLS. My Intune license expired before I could implement that, but I'd be interested in completing it.