SecureBytes Platform
Self-managed Proxmox cluster running production-style network and security infrastructure — wildcard TLS, public status page, and selective Cloudflare Tunnel exposure.
What's running
Two Lenovo nodes: a P920 workstation as the heavy compute box and a ThinkCentre M710q Tiny as the lightweight node. Networking is a Netgate 2100 running pfSense Plus, a UniFi USW-Lite-8-PoE switch and a UniFi U7 Pro access point, all managed through a UniFi controller self-hosted on the cluster itself.
The interesting parts
Wildcard TLS via Cloudflare DNS-01
Every internal service resolves under *.lab.securebytes.net and presents a valid certificate: a Let's Encrypt wildcard issued through Cloudflare's DNS-01 challenge with acme.sh, renewal automated. Let's Encrypt only issues wildcards via DNS-01, which is why the challenge runs against the Cloudflare zone rather than against the proxy. The API token is scoped to edit DNS on the securebytes.net zone and nothing else; note that a DNS-edit token can still rewrite the zone's public records, so it deserves the same handling as a production credential.
Selective public exposure via Cloudflare Tunnel
Two services are exposed publicly: the Grafana ops dashboard at ops.securebytes.net and the Uptime Kuma status page. Admin paths are gated by Cloudflare Access with email one-time-passcode login; since the dashboards themselves are public by design, the applications' own authentication remains the backstop for everything Access does not front. There are no port forwards and no public IP exposure: the cloudflared daemon dials out to the Cloudflare edge, and inbound requests only ever arrive over that outbound connection.
Internal DNS that actually works
Pi-hole v6 holds a record for every *.lab.securebytes.net hostname, each pointing at the nginx proxy. One gotcha: pfSense's webConfigurator DNS rebinding check rejects requests whose Host header is not the firewall's own hostname, so reaching the GUI through a lab hostname fails in the default config until that name is added under Alternate Hostnames (System > Advanced > Admin Access).
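The three sections above share one invariant: an internal name should be covered by the wildcard, should resolve locally to the proxy, and should not appear in the tunnel's ingress. The script below is an added example, not code from the SecureBytes repository, that checks all three against constructed inputs. It applies the RFC 6125 single-label rule, so it also shows the wildcard's blind spots (the apex lab.securebytes.net and any doubly nested name are not covered). The hostnames, the proxy address 10.0.0.5, and the record lines in the "IP hostname" shape of Pi-hole v6 dns.hosts entries are all assumptions made for the example.

```python
"""Consistency audit for the lab's TLS, internal DNS and tunnel exposure.

Added example, not code from the SecureBytes repository. The hostnames, the
proxy address and the record lines below are constructed for the example.
"""
from __future__ import annotations

import ipaddress

# SANs on the Let's Encrypt wildcard certificate.
WILDCARD_SANS = ["*.lab.securebytes.net"]
# nginx proxy that every internal record should point at (assumed address).
PROXY_IP = ipaddress.ip_address("10.0.0.5")

# Constructed records in the "IP hostname" shape of Pi-hole v6 dns.hosts entries.
PIHOLE_HOSTS = [
    "10.0.0.5 grafana.lab.securebytes.net",
    "10.0.0.5 kuma.lab.securebytes.net",
    "10.0.0.5 pve.lab.securebytes.net",
    "10.0.0.9 unifi.lab.securebytes.net",  # bypasses the proxy: should be flagged
]

# Constructed cloudflared ingress hostnames; None is the mandatory final
# catch-all rule (cloudflared rejects a config whose last rule has a hostname).
TUNNEL_INGRESS = ["ops.securebytes.net", "status.securebytes.net", None]
# The only names that are meant to be reachable from the internet.
PUBLIC_ALLOWLIST = {"ops.securebytes.net", "status.securebytes.net"}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a leading '*' covers exactly one DNS label.

    '*.lab.securebytes.net' matches 'pve.lab.securebytes.net' but neither
    the apex 'lab.securebytes.net' nor 'a.b.lab.securebytes.net'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (
        len(p_labels) == len(h_labels)
        and p_labels[1:] == h_labels[1:]
        and bool(h_labels[0])
    )


def cert_covers(hostname: str, sans: list[str] = WILDCARD_SANS) -> bool:
    """True if any SAN on the certificate matches the hostname."""
    return any(hostname_matches(san, hostname) for san in sans)


def parse_hosts(lines: list[str]) -> dict[str, ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Parse 'IP hostname' lines; a malformed line raises instead of passing silently."""
    records = {}
    for line in lines:
        ip, name = line.split()
        records[name.lower()] = ipaddress.ip_address(ip)
    return records


def audit(
    internal_hosts: list[str],
    hosts_lines: list[str] = PIHOLE_HOSTS,
    ingress: list[str | None] = TUNNEL_INGRESS,
) -> list[str]:
    """Return human-readable findings; an empty list means everything lines up."""
    findings: list[str] = []
    records = parse_hosts(hosts_lines)

    for host in internal_hosts:
        if not cert_covers(host):
            findings.append(f"{host}: not covered by {WILDCARD_SANS}")
        ip = records.get(host.lower())
        if ip is None:
            findings.append(f"{host}: no local DNS record")
        elif ip != PROXY_IP:
            findings.append(f"{host}: resolves to {ip}, not the proxy {PROXY_IP}")

    for name in ingress:
        if name is None:
            continue  # the catch-all rule exposes nothing by itself
        if name not in PUBLIC_ALLOWLIST:
            findings.append(f"{name}: routed through the tunnel but not on the public allowlist")
        if hostname_matches("*.lab.securebytes.net", name):
            findings.append(f"{name}: internal lab hostname exposed through the tunnel")
    return findings


if __name__ == "__main__":
    names = [record.split()[1] for record in PIHOLE_HOSTS] + ["lab.securebytes.net"]
    for finding in audit(names):
        print(finding)
```

Run against the constructed data, the audit flags the UniFi record that bypasses the proxy and the apex name that the wildcard cannot cover; feeding a lab hostname into the ingress list produces two findings for the same name, which is the check that keeps "selective" exposure selective as ingress rules accumulate.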
Public-from-day-one repository discipline
The full operational reference, internal IPs included, lives in a private Gitea. The public GitHub version is sanitized: same architecture, runbooks and design decisions, no operational secrets. After a May 2026 audit found IPs leaking through commit history, the dual-repo workflow was tightened. Sanitizing the working tree is only half of that job: an address that was ever committed stays in every clone's history until the history itself is rewritten or the public repository is republished from a clean snapshot.
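As an added example, not the project's own tooling, the following Python gate does the mechanical part of that workflow: it finds IPv4 addresses in internal ranges, rewrites each distinct one to an RFC 5737 documentation placeholder in first-seen order so a runbook stays internally consistent, and reports whether a blob is fit for the public copy. The runbook excerpt and every address in it are constructed; the 10.0.0.0/8 addresses stand in for whatever the lab really uses, and the scanner is IPv4-only by design.

```python
"""Publication gate for the sanitized mirror: find and replace lab addressing.

Added example, not the SecureBytes project's own tooling. The runbook text
and every address in it are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import re

# Ranges that identify internal addressing and must never reach the public copy.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
        "100.64.0.0/10",                                   # RFC 6598 shared address space
        "169.254.0.0/16",                                  # RFC 3927 link-local
    )
]
# RFC 5737 documentation block used for placeholders in the public copy.
PLACEHOLDER_NET = ipaddress.ip_network("192.0.2.0/24")

# Dotted-quad candidates. The lookarounds keep "v1.2.3.4" and a trailing ":3000"
# from confusing the match; ipaddress then rejects non-addresses such as 300.1.2.3.
_IPV4_CANDIDATE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")

# Constructed runbook excerpt, as it might sit in the private Gitea repo.
SAMPLE_RUNBOOK = """\
# Proxy restore
1. Restore nginx on 10.0.0.5 from the nightly snapshot (pve node 10.0.0.2).
2. Confirm 10.0.0.5 answers on 443; Grafana upstream is 10.0.0.5:3000.
3. Kuma version 1.23.16 pins the uptime checks.
4. External probe target 198.51.100.7 is already a documentation address.
"""


def is_internal(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True if the address falls in one of the internal ranges above."""
    return any(addr in net for net in INTERNAL_RANGES)


def find_internal_ips(text: str) -> list[tuple[int, str]]:
    """Return (line_number, address) for every internal IPv4 in text, in order."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for cand in _IPV4_CANDIDATE.findall(line):
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:
                continue  # looks dotted-quad but is not an address
            if is_internal(addr):
                hits.append((lineno, cand))
    return hits


def sanitize(text: str) -> tuple[str, dict[str, str]]:
    """Rewrite internal addresses to placeholders, assigned in first-seen order.

    The same real address always maps to the same placeholder, so diagrams and
    runbooks stay consistent. The mapping belongs in the private repo only;
    committing it next to the sanitized copy would undo the sanitization.
    """
    placeholders = PLACEHOLDER_NET.hosts()  # 192.0.2.1 .. 192.0.2.254
    mapping: dict[str, str] = {}
    for _, addr in find_internal_ips(text):
        if addr not in mapping:
            try:
                mapping[addr] = str(next(placeholders))
            except StopIteration:
                raise ValueError("more than 254 distinct internal addresses") from None

    def swap(match: re.Match[str]) -> str:
        return mapping.get(match.group(1), match.group(1))

    return _IPV4_CANDIDATE.sub(swap, text), mapping


def is_clean(text: str) -> bool:
    """True when no internal address remains; usable as a pre-push check."""
    return not find_internal_ips(text)


if __name__ == "__main__":
    for lineno, addr in find_internal_ips(SAMPLE_RUNBOOK):
        print(f"line {lineno}: {addr}")
    public_copy, _mapping = sanitize(SAMPLE_RUNBOOK)
    print(public_copy)
```

Wire `is_clean` into a pre-push hook or the sync job that pushes to the public mirror, and keep the returned mapping in the private repository alongside the unsanitized source. The gate only judges the content being pushed; if an address has already landed in public history, rewrite that history (git filter-repo is the usual tool) or republish from a squashed snapshot, and treat the leaked value as burned.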
Roadmap
Stack