Innovation Labs
Pixel City Infrastructure
The physical backbone of Pixel City — a growing home lab running self-hosted services, security research tooling, SDR radio, and virtualisation from a rack in the office.
Overview
The lab started as a single machine running a few Docker containers and grew into a multi-machine platform with dedicated roles — a Kali box for security tooling and Docker services, a Proxmox node for virtualisation, a managed switch for network control, and more hardware in the pipeline.
Everything is segmented and intentional. Services that need to be isolated are isolated. Lab VMs that simulate attack targets live on a separate internal bridge with no external access. The WiFi card enables passive wireless monitoring. The RTL-SDR dongle opens up a full RF intelligence layer.
It's not finished — it never will be. That's the point.
Hardware
Physical Machines
Specialist Hardware
Running Services
All services self-hosted on the Kali Box via Docker, managed through Portainer. Accessible on the local network and via friendly hostnames through Nginx Proxy Manager.
Infrastructure
Security & Monitoring
Self-Hosting
Virtualisation — Proxmox
The Proxmox node runs an isolated lab network on a separate internal bridge with no external access — a clean environment for attack and defence practice. Lab VMs can't reach the real LAN; they only talk to each other.
A Windows 10 VM on the main bridge handles general Windows testing with full internet access. The isolated lab currently holds a Metasploitable 2 target and a dedicated Kali attack VM.
The next major expansion is a full Active Directory lab — Windows Server domain controller, workstations with deliberate misconfigurations, and a Wazuh SIEM to see every attack from the blue side in real time.
Proxmox VE 9.2.2
vmbr0 — real LAN (internet access)
│ VM 102 — win10
│ Windows 10 — 4GB RAM / 60GB disk
│
vmbr1 — isolated (no external access)
VM 100 — metasploitable2
Metasploitable 2 — 512MB / 8GB
Vulnerable target
VM 101 — kali-lab
Kali Linux 2026.2 — 2GB / 80GB
Attacker VM
Planned (vmbr1)
Windows Server 2012 R2 DC
Windows 10 domain workstations
OWASP WebGoat
Wazuh SIEM
Network Design
Current network is a flat LAN — everything on one subnet through the ISP router. Planned architecture introduces a proper firewall appliance and full VLAN segmentation once the OPNsense box is configured.
Planned VLAN Layout
Network Diagram — Current
Roadmap