Homelab
DevSecOps Exploration Lab
A self-hosted environment built on Proxmox to move from pure DevOps into DevSecOps.
Overview
After shifting my career focus toward DevSecOps, I realized that studying security tools in isolation is useless. To understand how networking, automation, CI/CD, and monitoring actually mesh together, I built a self-hosted bare-metal lab on Proxmox.
This wasn't about building a flawless production platform; it was a sandbox designed to validate ideas, break things, and find out what happens after the security scanners start flooding you with alerts.
The Architecture & Hard Choices
I didn't just follow standard tutorials; I chose my stack based on operational trade-offs:
- Networking (OPNsense): I deployed OPNsense as the gateway to replicate AWS-style network segmentation and routing. I evaluated pfSense first but chose OPNsense for its lighter resource footprint and cleaner interface.
- VPN (WireGuard vs. OpenVPN): I initially set up OpenVPN for remote access but quickly tore it down because of the certificate management overhead. WireGuard proved significantly simpler and faster.
- OS (Ubuntu vs. Alpine): I wanted to use Alpine Linux everywhere to keep resource usage minimal. In practice, compiling security agents and Prometheus exporters against Alpine's musl libc became a dependency nightmare, so I pivoted and standardized on Ubuntu for operational sanity.
- Target Application: I deployed NodeGoat (Dockerized) because it is intentionally vulnerable and therefore a good target for exercising the scanners and the attack surface.
- CI/CD & DevSecOps Pipeline: I integrated GitHub Actions with self-hosted runners. The pipeline orchestrates SonarQube (SAST), Trivy (SCA/container scanning), and Nuclei (DAST) to generate SBOMs and actionable vulnerability reports.
- Observability & SIEM: I centralized logs and metrics using Wazuh (SIEM), Prometheus, Grafana, and Fluent Bit. I also enabled Suricata inside OPNsense for IDS alerting.
Key Realizations (What the Docs Don't Tell You)
Building this lab taught me more about production realities than any certification:
- Tool installation is the easy part. Tuning them is where the real work begins. Out-of-the-box security tools generate massive noise and false positives.
- Visibility ≠ Security. Having centralized logs in Wazuh or pretty dashboards in Grafana means nothing if you don't know what attack signatures look like or how to respond to them.
- Operational simplicity wins. A highly secure, over-engineered system that is too painful to maintain will eventually be bypassed or abandoned.
- Tool overlap is real. Many scanners do the same things. It’s far more important to understand the underlying security concepts (threat modeling) than to collect badges for using 50 different tools.
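To make the "tuning is the real work" and "know what attack signatures look like" points concrete, here is an added example that is not part of the original lab write-up: a small detector that runs two application-layer rules over reverse-proxy access lines and suppresses the lab's own DAST runner so that scheduled Nuclei traffic does not page anyone. It assumes nginx's default combined log format; the runner address, the two rules and every sample log line are constructed for the example and are not values from the lab.

```python
"""Added example (not from the original lab): flag application-layer requests in
reverse-proxy access logs and suppress the lab's own DAST runner to cut noise.

Assumptions: nginx 'combined' log format; the runner address and every log line
below are constructed sample values; the two rules are illustrative, not a ruleset."""
import re
from urllib.parse import unquote

# nginx combined: ip - user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Rules run on the URL-decoded request path so %24ne and $ne are treated alike.
RULES = {
    # Mongo query operator arriving inside a request parameter; the pattern a
    # Node/Mongo app such as NodeGoat needs to be watched for.
    "nosql_operator": re.compile(r"\[\$(?:ne|gt|gte|lt|lte|in|nin|regex|where)\]"),
    # Directory traversal attempts against the static file handler.
    "path_traversal": re.compile(r"\.\./"),
}

# Tuning knob: the CI self-hosted runner that executes Nuclei against the app.
# Suppress by source address, not User-Agent, because the agent string is client-controlled.
DAST_RUNNER_IPS = {"10.10.10.50"}  # constructed placeholder address


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, allowlist=DAST_RUNNER_IPS):
    """Return (alerts, suppressed_count, unparsed_count)."""
    alerts, suppressed, unparsed = [], 0, 0
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1          # keep this visible: a broken log format hides everything
            continue
        decoded = unquote(rec["path"])
        hits = [name for name, rx in RULES.items() if rx.search(decoded)]
        if not hits:
            continue
        if rec["ip"] in allowlist:
            suppressed += 1        # expected scanner traffic; count it so the allowlist stays auditable
            continue
        alerts.append({"ip": rec["ip"], "rules": hits, "status": rec["status"], "path": decoded})
    return alerts, suppressed, unparsed


# Constructed sample log lines (no real hosts or traffic).
SAMPLE_LOG = [
    '10.10.20.5 - - [03/Mar/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.10.20.5 - - [03/Mar/2025:10:00:09 +0000] "POST /login?username%5B%24ne%5D=1&password%5B%24ne%5D=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.10.50 - - [03/Mar/2025:10:01:00 +0000] "GET /static/..%2F..%2Fconfig HTTP/1.1" 404 0 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"',
    '10.10.20.7 - - [03/Mar/2025:10:02:13 +0000] "GET /api/../../config HTTP/1.1" 404 0 "-" "curl/8.5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    alerts, suppressed, unparsed = analyze(SAMPLE_LOG)
    for a in alerts:
        print(a["ip"], ",".join(a["rules"]), a["status"], a["path"])
    print(f"suppressed={suppressed} unparsed={unparsed}")
```

Two design points matter more than the rules themselves: the suppression is keyed on the runner's source address rather than its User-Agent, since the agent string is whatever the client sends, and both the suppressed count and the unparsed count are returned rather than silently dropped, so a growing allowlist or a changed log format shows up as a number instead of as missing alerts.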
Current Backlog & Open Challenges
The lab is a continuous work in progress. I am currently running experiments to figure out:
- How to effectively tune IDS/SIEM alerts without years of enterprise SOC experience.
- Why certain application-layer attacks bypass Suricata IDS signatures but show up clearly in reverse proxy logs.
- Establishing a pragmatic triage framework to prioritize security findings when engineering resources are tight.
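As an added example of what a pragmatic triage framework for the pipeline's output could look like (this is my illustration, not code from the lab or from either tool), the block below merges a Trivy JSON report and a Nuclei JSONL run into one prioritized queue: it collapses the same CVE seen in several scan targets, drops repeated hits of the same Nuclei template, applies a severity floor, and ranks what is left. It assumes the input shape of `trivy image --format json` (Results[].Vulnerabilities[]) and `nuclei -jsonl` (one object per line with template-id, info.severity and matched-at); the scoring weights are my own choice and all sample data, including the CVE and template identifiers, is constructed placeholder material.

```python
"""Added example (not part of the original lab write-up): merge a Trivy JSON report
and a Nuclei JSONL run into one prioritized triage queue.

Assumptions: input shape follows `trivy image --format json` and `nuclei -jsonl`;
the weights are an illustrative choice, and all sample data is constructed."""
import json
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"CRITICAL": 10, "HIGH": 7, "MEDIUM": 4, "LOW": 1, "INFO": 0, "UNKNOWN": 0}


@dataclass
class Finding:
    source: str          # "trivy" (static package match) or "nuclei" (observed on the running app)
    key: str             # dedupe key: CVE id + package, or template id + matched URL
    severity: str
    title: str
    fix_available: bool  # Trivy reported a FixedVersion: remediation cost is known
    reachable: bool      # DAST hit: confirmed against the deployed service, not just a version string
    targets: list = field(default_factory=list)

    def score(self) -> int:
        # Severity is the base; a confirmed reachable issue outranks a theoretical
        # package match, and an available fix is a bonus because it is cheap to close.
        score = SEVERITY_WEIGHT.get(self.severity, 0)
        if self.reachable:
            score += 4
        if self.fix_available:
            score += 2
        return score


def parse_trivy(report: dict) -> list:
    """Collapse the same CVE+package seen in several targets/layers into one finding."""
    found = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            key = f"{vuln['VulnerabilityID']}:{vuln['PkgName']}"
            if key not in found:
                found[key] = Finding(
                    source="trivy", key=key,
                    severity=vuln.get("Severity", "UNKNOWN").upper(),
                    title=vuln.get("Title", vuln["VulnerabilityID"]),
                    fix_available=bool(vuln.get("FixedVersion")), reachable=False,
                )
            found[key].targets.append(result.get("Target", "?"))
    return list(found.values())


def parse_nuclei(jsonl: str) -> list:
    """One finding per template+URL; repeated matches of the same check are noise."""
    found = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        info = rec.get("info", {})
        key = f"{rec['template-id']}:{rec.get('matched-at') or rec.get('host', '?')}"
        if key not in found:
            found[key] = Finding(
                source="nuclei", key=key,
                severity=info.get("severity", "unknown").upper(),
                title=info.get("name", rec["template-id"]),
                fix_available=False, reachable=True, targets=[rec.get("host", "?")],
            )
    return list(found.values())


def triage(trivy_report: dict, nuclei_jsonl: str, min_severity: str = "MEDIUM") -> list:
    """Drop everything below the severity floor, then order by score (ties broken by key)."""
    floor = SEVERITY_WEIGHT[min_severity]
    queue = [f for f in parse_trivy(trivy_report) + parse_nuclei(nuclei_jsonl)
             if SEVERITY_WEIGHT.get(f.severity, 0) >= floor]
    return sorted(queue, key=lambda f: (-f.score(), f.key))


# Constructed sample data; CVE ids, package names and template ids are placeholders.
TRIVY_REPORT = {"Results": [
    {"Target": "app/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "example-lib", "Severity": "HIGH",
         "InstalledVersion": "1.2.0", "FixedVersion": "1.2.3", "Title": "example-lib: prototype pollution"},
        {"VulnerabilityID": "CVE-XXXX-0003", "PkgName": "example-util", "Severity": "LOW",
         "InstalledVersion": "0.9.0", "FixedVersion": "", "Title": "example-util: minor issue"},
    ]},
    {"Target": "nodegoat:lab (debian)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "libexample", "Severity": "CRITICAL",
         "InstalledVersion": "2.0.0", "FixedVersion": "", "Title": "libexample: memory corruption"},
        {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "example-lib", "Severity": "HIGH",
         "InstalledVersion": "1.2.0", "FixedVersion": "1.2.3", "Title": "example-lib: prototype pollution"},
    ]},
]}
NUCLEI_JSONL = "\n".join([
    json.dumps({"template-id": "example-nosqli-check", "info": {"name": "Example NoSQL injection check", "severity": "high"},
                "host": "http://nodegoat.lab:4000", "matched-at": "http://nodegoat.lab:4000/login"}),
    json.dumps({"template-id": "example-nosqli-check", "info": {"name": "Example NoSQL injection check", "severity": "high"},
                "host": "http://nodegoat.lab:4000", "matched-at": "http://nodegoat.lab:4000/login"}),  # duplicate hit
    json.dumps({"template-id": "example-missing-header", "info": {"name": "Example missing header", "severity": "low"},
                "host": "http://nodegoat.lab:4000", "matched-at": "http://nodegoat.lab:4000/"}),
])

if __name__ == "__main__":
    for f in triage(TRIVY_REPORT, NUCLEI_JSONL):
        print(f"{f.score():>3}  {f.severity:<8} {f.source:<6} {f.key}  ({len(f.targets)} target(s))")
```

With the sample data the queue comes out as the reachable DAST finding first, the critical base-image CVE with no fix second, and the high-severity library CVE with a known fix third; the LOW items never reach the queue because of the severity floor. The weights are the part to argue about with your team: the point of a scoring function is that the argument happens once, in code, instead of on every alert.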