🖥️

HOME LAB

Pixel City Infrastructure

Active · Self-Hosted · Kali Linux · Proxmox VE · Docker

The physical backbone of Pixel City — a growing home lab running self-hosted services, security research tooling, SDR radio, and virtualisation from a rack in the office.

The lab started as a single machine running a few Docker containers and grew into a multi-machine platform with dedicated roles — a Kali box for security tooling and Docker services, a Proxmox node for virtualisation, a managed switch for network control, and more hardware in the pipeline.

Everything is segmented and intentional. Services that need to be isolated are isolated. Lab VMs that simulate attack targets live on a separate internal bridge with no external access. The WiFi card enables passive wireless monitoring. The RTL-SDR dongle opens up a full RF intelligence layer.

It's not finished — it never will be. That's the point.

20+ Services Running
3 Physical Machines
3 Active VMs
40TB+ Storage (planned)
💀
Kali Box
Live — Docker host + security platform
CPU: Intel Core i5-3470 @ 3.2GHz (4c/4t)
RAM: 8GB
Storage: 120GB SSD
OS: Kali Linux 6.x
WiFi: Alfa AWUS036ACH — monitor mode + injection
SDR: RTL2832U dongle — 24 MHz to 1.766 GHz
Location: Rack-mounted
⚙️
Proxmox Node
Live — VM host
CPU: AMD FX-8350 Eight-Core @ 4.0GHz (8c/8t)
RAM: 16GB
OS Drive: 238.5GB SSD — Proxmox OS + ISO storage
VM Drive: 931.5GB HDD — LVM thin pool (all VM disks)
OS: Proxmox VE 9.2.2
Virtualisation: AMD-V enabled
🔀
HP ProCurve 1810G
Live — managed switch
Type: Managed Layer 2 Gigabit switch
Role: Core switch — all lab devices
Future: VLAN tagging once pfSense/OPNsense is live
🛡️
Dell OptiPlex SFF
Planned — OPNsense firewall router
Status: Boots fine — needs dual-port Intel NIC
Role: pfSense/OPNsense — VLAN firewall, VPN, DMZ
Next step: Buy low-profile Intel NIC, install, configure
💾
HP MicroServer Gen8
Planned — NAS (TrueNAS SCALE)
Status: Not yet purchased
OS: TrueNAS SCALE
Target: 40TB+ RAIDZ2 — SMB + NFS + backups
🖥️
Main PC — Spectra Indigo
Live — daily driver
CPU: Intel i9-12900KF (16c / 24t)
RAM: 32GB
OS: Windows 11
Storage: ~30TB across JBOD caddy + externals
📶
Alfa AWUS036ACH
Live — WiFi adapter
Chipset: Realtek RTL8812AU
Bands: Dual band — 2.4GHz + 5GHz (AC1200)
Capability: Monitor mode + packet injection confirmed
Driver: rtw88_8812au — kernel built-in, no install
Used for: Kismet IDS, passive WiFi recon, KaliDash
📡
RTL-SDR Dongle
Live — software defined radio
Chipset: RTL2832U + R820T tuner
Range: ~24 MHz to 1.766 GHz
Antenna: RTL-SDR Blog V3 Dipole Kit (arrived Jun 2026)
Targets: ADS-B, NOAA satellites, 433MHz IoT, FM/DAB
📟
Raspberry Pi
Owned — not yet configured
Planned role: Pi-hole DNS ad-blocking for the whole network
Status: Setup pending

All services are self-hosted on the Kali Box via Docker and managed through Portainer. They are accessible on the local network and, through Nginx Proxy Manager, via friendly hostnames.

Service | What it does | Status
Portainer CE | Docker management UI — all containers, stacks, volumes | Live
Nginx Proxy Manager | Reverse proxy — friendly hostnames + HTTPS | Live
Uptime Kuma | Service monitoring — uptime checks, alerts | Live
Homarr | Home lab dashboard — tiles linking to all services | Live
Gitea | Self-hosted Git server — private repos | Live
Dashdot | Live server stats — CPU, RAM, disk, network | Live

Service | What it does | Status
Kismet | Wireless IDS — continuous WiFi monitor, device tracking, deauth detection | Live
Ntopng | Live LAN traffic analysis — flows, bandwidth, protocols | Live
KaliDash | Python GUI — 127 bash scripts across WiFi, network, SDR, OSINT, cracking | Live
OWASP Juice Shop | Deliberately vulnerable web app — web security practice | Standby
DVWA | Damn Vulnerable Web App — SQL injection, XSS practice | Standby
Wazuh SIEM | Centralised security logs from all machines + alerting | Planned
T-Pot Honeypot | Decoy system — logs attack attempts in real time | Planned

Service | What it does | Status
Vaultwarden | Self-hosted Bitwarden — password manager via HTTPS | Live
Whoogle | Private self-hosted Google search — no tracking | Live
Kavita | eBook / manga / comic / PDF reader and library | Live
Mealie | Recipe manager — import, organise, and plan meals | Live
AdventureLog | Travel tracker and trip planner | Live
BentoPDF | Privacy-first PDF toolkit — merge, split, compress, convert | Live
n8n | Workflow automation platform | Live
Crafty Controller | Minecraft server manager — Java Edition 1.21.4 vanilla | Live
Jellyfin | Media server — stream Sonarr/Radarr content | Planned
Immich | Google Photos replacement — auto-backup from phone | Planned
Paperless-ngx | Document scanning + OCR — searchable archive | Planned
Pi-hole | DNS ad-blocking for the whole network | Planned

VM Lab

The Proxmox node runs an isolated lab network on a separate internal bridge with no external access — a clean environment for attack and defence practice. Lab VMs can't reach the real LAN; they only talk to each other.

A Windows 10 VM on the main bridge handles general Windows testing with full internet access. The isolated lab currently holds a Metasploitable 2 target and a dedicated Kali attack VM.

The next major expansion is a full Active Directory lab — Windows Server domain controller, workstations with deliberate misconfigurations, and a Wazuh SIEM to see every attack from the blue side in real time.

VM INVENTORY
Proxmox VE 9.2.2
  vmbr0 — real LAN (internet access)
  │  VM 102 — win10
  │    Windows 10 — 4GB RAM / 60GB disk
  │
  vmbr1 — isolated (no external access)
     VM 100 — metasploitable2
       Metasploitable 2 — 512MB / 8GB
       Vulnerable target
     VM 101 — kali-lab
       Kali Linux 2026.2 — 2GB / 80GB
       Attacker VM

Planned (vmbr1)
  Windows Server 2012 R2 DC
  Windows 10 domain workstations
  OWASP WebGoat
  Wazuh SIEM
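
An added example, not taken from the lab's own configuration: a small audit that reads a Proxmox-style /etc/network/interfaces and reports anything that would stop a bridge such as vmbr1 from being purely internal (a physical port, a host address or gateway, or a NAT/forwarding hook). The NIC name, the addresses and the function names are assumptions; only the bridge names vmbr0 and vmbr1 come from the page.

```python
import re

# Constructed sample of a Proxmox /etc/network/interfaces. Only the names
# vmbr0/vmbr1 come from the page; NIC name and addresses are assumptions.
SAMPLE = """\
iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.50/24
    gateway 192.168.1.1
    bridge-ports enp3s0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
"""

def parse_ifaces(text):
    """Return {iface: [(option, value), ...]} from ifupdown-style stanzas."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        word, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if word == "iface" and rest:
            current = ifaces.setdefault(rest.split()[0], [])
        elif word in ("auto", "source", "mapping") or word.startswith("allow-"):
            current = None  # these keywords end the previous stanza
        elif current is not None:
            current.append((word.replace("_", "-"), rest))
    return ifaces

def isolation_findings(text, bridge):
    """List the reasons `bridge` is not a purely internal, host-less bridge."""
    opts = parse_ifaces(text).get(bridge)
    if opts is None:
        return [f"{bridge}: no iface stanza found"]
    found = []
    for key, value in opts:
        if key == "bridge-ports" and value != "none":
            found.append(f"{bridge}: bridged to physical port(s) {value}")
        elif key in ("address", "gateway"):
            found.append(f"{bridge}: host {key} {value} set, VMs can reach the node")
        elif key in ("pre-up", "up", "post-up") and re.search(r"MASQUERADE|ip_forward", value):
            found.append(f"{bridge}: NAT/forwarding hook: {value}")
    return found

if __name__ == "__main__":
    print(isolation_findings(SAMPLE, "vmbr1") or "vmbr1: isolated")
```

An empty list for vmbr1 means the stanza itself leaves lab VMs with no path off the bridge; firewall rules and per-VM NIC assignments still need their own review.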

The current network is a flat LAN — everything on one subnet through the ISP router. The planned architecture introduces a proper firewall appliance and full VLAN segmentation once the OPNsense box is configured.

VLAN 10 — Management: Firewall, Proxmox, TrueNAS — admin access only
VLAN 20 — Servers: Docker services, Plex/Jellyfin, self-hosted apps
VLAN 30 — Lab / VMs: Proxmox VMs with controlled access rules
VLAN 40 — Offensive Security: Fully isolated — no outbound except controlled rules
VLAN 50 — Home LAN: Daily driver PCs — normal internet access
VLAN 60 — IoT: Smart plugs, TVs, consoles — isolated from lab

CURRENT TOPOLOGY (FLAT LAN)
Internet
   │
   ▼
[ISP Router]
   │
   └── [HP ProCurve 1810G — Managed Switch]
          │
          ├── Main PC — daily driver
          ├── Kali Box — Docker + security platform
          ├── Proxmox Node
          │     ├── vmbr0 → win10 VM (LAN access)
          │     └── vmbr1 (isolated)
          │           ├── metasploitable2
          │           └── kali-lab
          ├── Xbox, PS5, Sony TV
          ├── 2× Amazon Echo
          ├── 3× TP-Link Smart Plugs
          ├── Light Strip
          └── Tuya device, Espressif device

PLANNED TOPOLOGY (SEGMENTED)
Internet
   │
   ▼
[ISP Router] — untrusted zone
   │
   ├── TV, consoles, IoT, smart home devices
   │
   ├── [DMZ Machine] — public-facing
   │     ├── Web server / game servers
   │     └── Nextcloud
   │
   └── [OPNsense Firewall] ← lab boundary
          │
          └── Trusted lab zone (new subnet)
                ├── VLAN 10 — Management
                ├── VLAN 20 — Servers (Kali Box)
                ├── VLAN 30 — Lab (Proxmox)
                ├── VLAN 40 — Offensive Security (isolated)
                └── Raspberry Pi — Pi-hole DNS

📡
SDR Intelligence Platform
  • ADS-B aircraft tracking — live overhead map via dump1090
  • AIS ship tracking — 161–162 MHz
  • ACARS — real aircraft data-link messages
  • POCSAG pager decoding — 153 MHz
  • rtl_433 — decode IoT devices on 433 MHz
  • RF band scanner — map everything transmitting near the house
🟣
Purple Team AD Lab
  • Windows Server 2022 DC with deliberate misconfigurations
  • BloodHound + SharpHound — graph AD attack paths
  • Kerberoasting, Pass-the-Hash, DCSync practice
  • Wazuh SIEM — see every attack from the blue side
  • Write detection rules for the attacks just run
🏠
IoT Research
  • Identify and map all smart home devices
  • Tuya local API — control without the cloud
  • Analyse what devices phone home — block telemetry
  • rtl_433 decode for TP-Link plugs and mystery Espressif device
  • Home Assistant — unified smart home control
🍯
Honeypot Ecosystem
  • T-Pot on Proxmox — 20+ honeypot types, Kibana dashboard
  • SSH honeypot — log every credential pair tried
  • HTTP honeypot — fake admin panels, log payloads
  • Feed into Wazuh for pattern analysis
  • See real attack traffic from the internet within hours
💾
NAS + Storage
  • HP MicroServer Gen8 — TrueNAS SCALE
  • 4× 10–12TB drives in RAIDZ2
  • SMB + NFS shares, iSCSI for Proxmox
  • ZFS snapshots every 4–6 hours
  • Offsite backup to Backblaze B2
🔧
Infrastructure as Code
  • Ansible — automated config across all machines
  • Terraform + Proxmox — spin VMs up/down as code
  • Grafana + Prometheus — metrics dashboards for everything
  • k3s Kubernetes cluster across Proxmox VMs