
Projects

Practical labs and support projects focused on networking, infrastructure, warehouse technology, and systems administration.

Project library

Home Lab Network Project - Part 1

UniFi Network Segmentation

Home Lab Overview

A production-like home infrastructure environment focused on networking, virtualization, storage, self-hosting, and automation. The environment evolved from a single server into a segmented infrastructure supporting media services, IoT devices, and home automation.

Overview

Designed and implemented a segmented home network using a UniFi Dream Router, two distribution switches, and one wireless access point. The goal was to separate trusted devices, IoT devices, guest users, infrastructure devices, and hosted services into different networks while maintaining controlled internet access.

Topology

  • ISP connection into UniFi Dream Router
  • UniFi Dream Router uplinked to two distribution switches
  • Wireless access point connected for VLAN-based Wi-Fi networks

Networks

  • Default Network - Management / switch infrastructure
  • Residence Network - Main personal devices
  • IoT Network - Smart home and low-trust devices
  • Guest Network - Guest Wi-Fi access
  • DMZ Network - Server and self-hosted services

Key Concepts

  • VLAN segmentation
  • NAT/PAT for internet access
  • Inter-VLAN routing
  • Layer 3 firewall rules
  • Network isolation
  • Management network separation

Implementation Notes

Out of the box, the UniFi Dream Router provides automatic NAT/PAT for internet access, similar to most home routers. I also learned that VLANs alone do not automatically secure networks from each other because inter-VLAN routing is allowed by default.

To improve security, I created firewall rules to block communication between the private Class C networks while still allowing each VLAN to access the internet. This helped isolate IoT, guest, and DMZ devices from my main residence and management networks.
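A check for the isolation described above, added here as an example and not part of the original project: run from a machine on one VLAN, it attempts a TCP connection to a representative host on each of the other networks and to the internet, then compares the observed result with what the firewall rules are meant to allow. The subnet addresses, ports and expected results are constructed placeholders; replace them with the addresses used in your own lab and run it once from each VLAN.

```powershell
# Added example (not part of the original project): verify that inter-VLAN
# firewall rules behave as intended from the host this script runs on.
# The targets, ports and expected results below are constructed placeholders.

# Each entry names a target, what it represents, and whether a connection
# from *this* host is expected to succeed under the intended rule set.
$tests = @(
    @{ Name = 'Management gateway'; Target = '192.168.1.1';   Port = 443;  Expect = $false }
    @{ Name = 'Residence PC';       Target = '192.168.10.20'; Port = 445;  Expect = $false }
    @{ Name = 'DMZ media server';   Target = '192.168.50.10'; Port = 8096; Expect = $true  }
    @{ Name = 'Internet (HTTPS)';   Target = 'example.com';   Port = 443;  Expect = $true  }
)

function Test-VlanIsolation {
    param(
        [Parameter(Mandatory)][hashtable[]]$Tests,
        [int]$TimeoutMs = 2000
    )

    foreach ($t in $Tests) {
        # A raw TcpClient with a timeout is used instead of Test-NetConnection so a
        # silently dropped packet (the usual firewall "drop") does not stall the run.
        $client    = New-Object System.Net.Sockets.TcpClient
        $reachable = $false
        try {
            $async = $client.BeginConnect($t.Target, $t.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws on "connection refused"
                $reachable = $true
            }
        } catch {
            $reachable = $false
        } finally {
            $client.Close()
        }

        # PASS means the observed result matches the intended policy. A FAIL with
        # Reachable=True is a hole in the rules; Reachable=False is an over-block.
        $result = if ($reachable -eq $t.Expect) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Test      = $t.Name
            Target    = "$($t.Target):$($t.Port)"
            Reachable = $reachable
            Expected  = $t.Expect
            Result    = $result
        }
    }
}

Test-VlanIsolation -Tests $tests | Format-Table -AutoSize
```

The test is TCP only; if the rules are meant to block ICMP as well, add a Test-Connection pass or accept that a blocked ping with an open TCP port still shows up here as Reachable=True.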

Resume-Style Summary

Designed a segmented UniFi home network using VLANs, managed switching, and Layer 3 firewall policies to isolate management, residence, IoT, guest, and DMZ networks while maintaining controlled internet access through NAT/PAT.

Home Lab Network Project - Part 2

Self-Hosted Infrastructure

Overview

Built a dedicated server environment using Proxmox VE as the primary hypervisor to consolidate services and provide a platform for learning virtualization, storage, and self-hosting. The environment evolved from simple game servers into a production-like media and infrastructure ecosystem.

Virtualization Platform

  • Proxmox VE hypervisor
  • Virtual machine isolation
  • Resource allocation
  • Service consolidation

Storage Platform

  • TrueNAS SCALE virtual machine
  • ZFS storage pools
  • RAIDZ protection
  • SMB shares

Media Stack

  • Jellyfin
  • Sonarr
  • Radarr
  • Prowlarr
  • Jellyseerr
  • Recyclarr

Download Services

  • qBittorrent
  • SABnzbd
  • FlareSolverr

Infrastructure Services

  • Nginx Proxy Manager
  • Reverse proxy services
  • DNS management
  • HTTPS certificates

Key Concepts

  • Hypervisors
  • Virtual machines
  • Self-hosting
  • ZFS
  • Reverse proxies
  • Service publishing

Implementation Notes

After building a dedicated server, Proxmox became the foundation of the environment. TrueNAS was later added for centralized storage. The system eventually expanded into a complete media ecosystem hosted within a dedicated DMZ network.

Resume-Style Summary

Built a self-hosted infrastructure utilizing Proxmox VE, TrueNAS SCALE, and a full media stack while providing centralized storage and reverse proxy services.

Home Lab Network Project - Part 3

Security and Access Control

Overview

Implemented segmentation and firewall policies to secure services while allowing only required communication between trusted devices and networks.

Trusted Access

  • Main PC access to server network
  • Controlled management access

Media Access

  • IoT devices access to media services
  • Smart TVs isolated from Residence network

VPN Connectivity

  • VPN tunnel dedicated to server network
  • Fail-closed behavior when tunnel unavailable
  • Entire home network excluded from VPN

Key Concepts

  • Layer 3 firewall policies
  • Inter-VLAN routing
  • DMZ architecture
  • Least privilege access
  • VPN tunnels

Implementation Notes

Network segmentation introduced challenges when services needed to communicate. Firewall rules were adjusted to provide only necessary access while preserving isolation.

Resume-Style Summary

Implemented Layer 3 firewall policies and selective inter-VLAN communication to secure DMZ services and isolate server traffic through dedicated VPN connectivity.

Home Lab Network Project - Part 4

Storage and Recovery

Overview

Designed a storage platform utilizing TrueNAS SCALE and ZFS to provide centralized storage, redundancy, snapshots, and file recovery.

ZFS Concepts

  • Pools
  • VDEVs
  • RAIDZ
  • Datasets

Snapshot Strategy

  • Media pool - monthly snapshots
  • Archive pool - weekly snapshots

File Recovery

  • SMB shares
  • Windows Previous Versions support

Key Concepts

  • ZFS
  • RAIDZ
  • Snapshots
  • Storage pools
  • Hardware pass-through
  • Backup strategies

Implementation Notes

Initially, disks were presented to TrueNAS through virtual disks. After experiencing storage issues and approximately 40 TB of data loss, storage was redesigned using direct hardware pass-through to improve reliability and simplify management.

Resume-Style Summary

Designed a ZFS-based storage platform utilizing TrueNAS SCALE, hardware pass-through, and snapshot-based recovery to provide centralized storage and file restoration capabilities.

Home Lab Network Project - Part 5

Monitoring and Automation

Overview

Introduced Home Assistant to provide automation and environmental monitoring while integrating IoT devices into the segmented network.

Presence Detection

  • Sensor near desk
  • Automatically enables fan

Environmental Controls

  • Temperature monitoring
  • Cooling tests when temperature exceeds threshold

IoT Integration

  • Smart devices isolated on IoT network
  • Controlled access to media services

Key Concepts

  • Event-driven automation
  • Home Assistant entities
  • Presence detection
  • Sensors
  • IoT integration

Implementation Notes

What began as experimentation evolved into practical automations that improved comfort and provided additional experience integrating IoT devices with segmented infrastructure.

Resume-Style Summary

Implemented Home Assistant automations utilizing presence detection and environmental sensors while maintaining secure integration with IoT devices.

Home Lab Network Project - Part 6

Dynamic DNS and Secure Service Publishing

Overview

Implemented Dynamic DNS and reverse proxy services to securely publish self-hosted applications using custom domain names and trusted SSL certificates. This eliminated browser security warnings and provided secure remote access to services hosted within the DMZ network.

DNS Management

  • Domain registrar and DNS hosting
  • Custom subdomains
  • Dynamic DNS updates
  • External accessibility

Examples

  • Media service subdomain
  • Additional self-hosted application subdomains

Reverse Proxy Services

Nginx Proxy Manager was implemented to centralize access to internal applications.

  • Reverse proxy services
  • Centralized access
  • SSL certificate management
  • Internal service publishing

SSL Certificates

Trusted SSL certificates were obtained and automatically renewed.

  • HTTPS encryption
  • Trusted browser connections
  • Elimination of "Not Secure" warnings
  • Simplified access to self-hosted services

External Access

Only HTTP and HTTPS services are forwarded through the firewall. All other services remain internal to the network.

  • TCP 80 (HTTP)
  • TCP 443 (HTTPS)

Key Concepts

  • Dynamic DNS
  • DNS resolution
  • Reverse proxies
  • SSL certificates
  • HTTPS encryption
  • Service publishing
  • Port forwarding

Implementation Notes

Initially, self-hosted services generated browser warnings due to untrusted certificates. Implementing domain names and reverse proxies with trusted SSL certificates provided secure access and removed these warnings.

This experience also added context to what I had seen in my Helpdesk and Service Analyst roles. Many internal web applications used self-signed or internally trusted certificates, which often produced browser warnings that required users to manually continue to the site. Building this infrastructure helped me better understand certificate trust, HTTPS encryption, and why those warnings occurred.
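A way to see the conditions behind those warnings, added here as an example and not part of the original project: the script opens a TLS connection to a published hostname, lets .NET validate the certificate the way a browser would, and reports chain trust, hostname match and expiry. The hostname is a placeholder; a self-signed or internal-CA certificate shows ChainTrusted=False on any machine that does not trust the issuer, which is exactly the helpdesk case described above.

```powershell
# Added example (not part of the original project): inspect the certificate a
# published service presents and report the same checks a browser performs
# before showing a "Not Secure" warning. The hostname below is a placeholder.

function Get-TlsCertificateReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    # The validation callback records the policy errors .NET would raise and
    # then accepts the handshake, so an untrusted certificate can still be read.
    # GetNewClosure() binds $state into the callback's own scope.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI and the hostname check both use $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $policy = $state.Errors
        $none   = [System.Net.Security.SslPolicyErrors]::None

        [pscustomobject]@{
            HostName       = $HostName
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            DaysRemaining  = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Protocol       = $ssl.SslProtocol
            # False for self-signed or internal-CA certificates on a machine that
            # does not trust the issuer, and for expired certificates.
            ChainTrusted   = -not $policy.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
            # False when the certificate was issued for a different name than the
            # one typed into the browser (common with IP-address or short-name URLs).
            NameMatches    = -not $policy.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
            BrowserWarning = ($policy -ne $none)
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Get-TlsCertificateReport -HostName 'media.example.com' | Format-List
```

Running this a few days before NotAfter is also a cheap check that the automatic renewal actually fired; DaysRemaining dropping toward zero is the signal to look at the proxy's renewal log.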

Technologies

  • Dynamic DNS
  • Nginx Proxy Manager
  • HTTPS
  • SSL certificates
  • DNS
  • Port forwarding
  • Domain names

Resume-Style Summary

Implemented Dynamic DNS, reverse proxy services, and trusted SSL certificates to securely publish self-hosted applications while centralizing external access through HTTPS and improving understanding of certificate trust and web security.

Home Lab Network Project - Part 7

Self-Hosted Personal Website Infrastructure

Overview

Designed and deployed a self-hosted static portfolio website using Windows Server, IIS, and Nginx Proxy Manager. The goal was to build a professional web presence while expanding hands-on experience with DNS, SSL certificates, reverse proxying, and lightweight service hosting.

While web development is not my primary focus, I used foundational HTML, CSS, local validation, and AI-assisted development to create, customize, and refine the site before deploying it into my self-hosted infrastructure.

Domain and DNS Management

  • Purchased and configured domains including icebunny.me
  • Initially used DuckDNS with router-based Dynamic DNS updates
  • Experimented with DMZ VPN placement for hosted services
  • Migrated to direct DNS records for a more stable configuration
  • Updated A and CNAME records for the primary site and future services

Web Server Deployment

  • Built a lightweight static site with HTML and CSS
  • Validated the site locally before production deployment
  • Hosted the site on a minimally provisioned Windows Server
  • Configured IIS for low-resource static website hosting
  • Integrated the web server into an existing self-hosted environment

External Access and Security

  • Configured Nginx Proxy Manager as the reverse proxy
  • Re-established SSL certificate management with Let's Encrypt
  • Published the website securely over HTTPS
  • Prepared DNS and proxy structure for additional subdomains

Skills Demonstrated

  • Web server administration
  • Reverse proxy configuration
  • DNS and domain management
  • SSL certificate deployment
  • Network troubleshooting
  • Self-hosted infrastructure management
  • AI-assisted development

Technologies

  • Windows Server
  • IIS
  • Nginx Proxy Manager
  • DNS Management
  • Dynamic DNS
  • DuckDNS
  • SSL / Let's Encrypt
  • HTML / CSS
  • Self-Hosted Infrastructure

Resume-Style Summary

Designed and deployed a self-hosted static portfolio website using Windows Server, IIS, Nginx Proxy Manager, DNS records, and trusted SSL certificates to establish a secure professional web presence and support future self-hosted subdomains.

Skills Demonstrated

Infrastructure Skills Practiced

  • Network segmentation
  • VLAN design
  • Firewall policies
  • Inter-VLAN routing
  • Virtualization
  • ZFS administration
  • Storage architecture
  • Backup and recovery
  • Reverse proxies
  • IIS administration
  • DNS management
  • SSL certificate deployment
  • VPN technologies
  • Service hosting
  • Infrastructure management
  • Home automation

Active Directory Automation - Part 1

Onboarding Automation Lab

Overview

Created an Active Directory lab environment to automate user onboarding tasks and better understand enterprise account provisioning workflows. The lab was built using two virtual machines: a Windows Server domain controller and a Windows 10 client used to connect, test, and interact with Active Directory.

The project was inspired by high-volume onboarding during my Helpdesk / Service Analyst role, where the team received approximately 40-50 user onboarding requests per week.

Virtual Machines

  • Windows Server
  • Windows 10 client

Services

  • Active Directory Domain Services
  • Active Directory Users and Computers
  • PowerShell Active Directory Module

Automation Goals

The original goal was to reduce repetitive onboarding work by automating account creation based on existing Active Directory user attributes.

  • Create new Active Directory users
  • Generate temporary passwords
  • Match job title and description
  • Assign department information
  • Place users into the correct OU based on office location
  • Assign managers
  • Copy group membership from an existing user or matching job title
  • Avoid copying Office licensing groups
  • Export created usernames and passwords to a CSV
  • Rescan created users to verify enabled status

User Creation

The script creates new AD users from a first and last name, builds the display name from those two values, and generates a username in first.last format.

Password Generation

A randomized temporary password is generated for each account.

OU Placement

The script searches Active Directory for an OU matching the user's office location and creates the user in that OU.

Manager Assignment

If a manager name is provided, the script searches Active Directory and assigns the manager attribute.

Group Membership Copying

The script can copy group memberships from either a specific existing user or the first enabled user with a matching job title. This helped standardize access based on similar roles.

License Group Filtering

Office licensing groups were excluded from being copied to avoid issues with hybrid account provisioning where pre-licensed accounts could break later onboarding steps.

CSV Output

The script exports created usernames, passwords, and enabled status to a CSV file for tracking and validation.

Lessons Learned

This lab helped reinforce how Active Directory provisioning works in an enterprise environment, including user attributes, OU structure, group-based access, manager assignments, PowerShell automation, hybrid identity limitations, licensing considerations, and the risks of copying existing accounts.

One lesson learned was that reusing disabled accounts can create problems if old user data or attributes remain on the account. While it may reduce account creation time, it can also introduce cleanup and security concerns.

Technologies

  • Windows Server
  • Windows 10
  • Active Directory Domain Services
  • PowerShell
  • Active Directory PowerShell Module
  • CSV export
  • Group membership automation
  • OU-based provisioning

Sanitized Script Sample

A cleaned, portfolio-safe PowerShell sample is available with placeholder domain and output paths.

# Active Directory Onboarding Automation - Sanitized Portfolio Sample
Import-Module ActiveDirectory

function New-RandomPassword {
    # Builds a temporary password from the allowed character set.
    # Note: Get-Random is not a cryptographic generator; for production use a
    # CSPRNG-backed source and force a password change at first logon.
    param ([int]$Length = 14)

    # Single quotes keep "$" literal inside the character set.
    $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()'
    return -join ((1..$Length) | ForEach-Object {
        $characters[(Get-Random -Minimum 0 -Maximum $characters.Length)]
    })
}

function Get-OUByOffice {
    # Returns the distinguished name of the OU whose name matches the office,
    # or $null when no such OU exists (callers should check before New-ADUser).
    param ([Parameter(Mandatory)][string]$Office)

    # Escape single quotes so the office name cannot break the filter string.
    $safeOffice = $Office.Replace("'", "''")
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$safeOffice'" |
        Select-Object -First 1

    return $ou.DistinguishedName
}
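The steps the sanitized sample above does not show (group membership copying with the license-group filter, the New-ADUser call, and the rescan into a CSV), written out here as an added example rather than the project's own code. The domain suffix, the license-group name pattern, the output path and the sample names are placeholders; it needs the ActiveDirectory module and a lab domain controller to run. The password is taken as a SecureString parameter so any generator, including the sample's New-RandomPassword, can be used.

```powershell
# Added example (not the project's sanitized sample): copy role groups from a
# template user while skipping licensing groups, create the account, then
# rescan the created accounts into a CSV. Domain, pattern and paths are placeholders.
Import-Module ActiveDirectory

# Groups whose names match this pattern are treated as licensing groups and are
# never copied (placeholder pattern; adjust to the naming convention in use).
$LicenseGroupPattern = '^(LIC|License|M365|O365)[-_ ]'

function Get-TemplateGroups {
    # Returns the DNs of the groups a template user belongs to, found either by
    # explicit username or by the first enabled user with the same job title,
    # minus any licensing groups.
    param(
        [string]$TemplateUser,
        [string]$JobTitle
    )

    $template = $null
    if ($TemplateUser) {
        $template = Get-ADUser -Identity $TemplateUser -Properties MemberOf
    } elseif ($JobTitle) {
        $safeTitle = $JobTitle.Replace("'", "''")   # keep quotes from breaking the filter
        $template = Get-ADUser -Filter "Title -eq '$safeTitle' -and Enabled -eq 'True'" -Properties MemberOf |
            Select-Object -First 1
    }
    if (-not $template) { return @() }

    # MemberOf holds group DNs; resolve each to its name for the pattern check.
    $groups = foreach ($dn in $template.MemberOf) { Get-ADGroup -Identity $dn }
    return @($groups | Where-Object { $_.Name -notmatch $LicenseGroupPattern } |
        Select-Object -ExpandProperty DistinguishedName)
}

function New-OnboardedUser {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$OUPath,          # e.g. from Get-OUByOffice
        [Parameter(Mandatory)][securestring]$TempPassword,
        [string]$Title,
        [string]$Department,
        [string]$ManagerSam,
        [string]$TemplateUser,
        [string]$Domain = 'corp.example'                 # placeholder UPN suffix
    )

    # first.last username; sAMAccountName is limited to 20 characters.
    $sam = ('{0}.{1}' -f $FirstName, $LastName).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    $params = @{
        Name                  = "$FirstName $LastName"
        GivenName             = $FirstName
        Surname               = $LastName
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$Domain"
        Path                  = $OUPath
        AccountPassword       = $TempPassword
        Enabled               = $true
        ChangePasswordAtLogon = $true   # the temporary password is rotated at first logon
    }
    if ($Title)      { $params.Title      = $Title }
    if ($Department) { $params.Department = $Department }
    if ($ManagerSam) { $params.Manager    = (Get-ADUser -Identity $ManagerSam).DistinguishedName }

    New-ADUser @params

    # Copy role groups from the template (explicit user first, else by job title).
    foreach ($g in (Get-TemplateGroups -TemplateUser $TemplateUser -JobTitle $Title)) {
        Add-ADGroupMember -Identity $g -Members $sam
    }
    return $sam
}

function Export-OnboardingReport {
    # Rescans the created accounts so the CSV reflects what AD actually holds,
    # rather than what the script intended to set.
    param(
        [Parameter(Mandatory)][string[]]$SamAccountNames,
        [string]$Path = 'C:\Temp\onboarding-report.csv'   # placeholder output path
    )

    $SamAccountNames | ForEach-Object {
        Get-ADUser -Identity $_ -Properties Title, Department, Manager, MemberOf |
            Select-Object SamAccountName, Enabled, Title, Department,
                @{ n = 'Manager';    e = { $_.Manager } },
                @{ n = 'GroupCount'; e = { @($_.MemberOf).Count } },
                @{ n = 'OU';         e = { ($_.DistinguishedName -split ',', 2)[1] } }
    } | Export-Csv -Path $Path -NoTypeInformation
}

# Usage in a lab (constructed names and OU):
# $pw  = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
# $sam = New-OnboardedUser -FirstName 'Ada' -LastName 'Lovelace' -OUPath 'OU=London,DC=corp,DC=example' `
#            -TempPassword $pw -Title 'Analyst' -Department 'IT' -TemplateUser 'j.doe'
# Export-OnboardingReport -SamAccountNames $sam
```

The report deliberately leaves the temporary password out of the CSV and records enabled status, manager and group count instead; with ChangePasswordAtLogon set, the password only needs to reach the new user once, through whatever channel the team already uses for credentials.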

Resume-Style Summary

Built an Active Directory lab using Windows Server and Windows 10 virtual machines to automate user onboarding with PowerShell, including account creation, OU placement, manager assignment, group membership copying, license group filtering, password generation, and CSV-based validation.

Active Directory Automation - Part 2

Enterprise Identity Integration

Overview

One of the first challenges encountered during onboarding automation was understanding that Active Directory accounts were only one part of the identity process. Certain environments required employee identifiers from Kronos Workforce Management, which were used by downstream applications for authentication, timekeeping, and employee access.

This was my first exposure to how Windows and Active Directory interact with external enterprise applications and how user attributes extend beyond simple account creation.

Identity Concepts Learned

  • Identity dependencies
  • Employee IDs
  • Application integration
  • Authentication workflows
  • Provisioning processes

Standard Access

  • Job title
  • Department
  • Manager
  • OU placement
  • Security groups

Licensing Groups

License groups were intentionally excluded because assigning licenses too early could interfere with hybrid account synchronization.

Distribution Groups

Distribution groups required separate consideration from security groups since they affected communication rather than permissions.

Network Share Permissions

Access to departmental shares required group-based permissions and careful copying of existing user access patterns.

Access Concepts Learned

  • RBAC (Role-Based Access Control)
  • Security groups
  • Distribution groups
  • Group-based permissions
  • Hybrid identity environments
  • File share access

Lessons Learned

The project demonstrated that user onboarding extends beyond simply creating accounts. A complete onboarding process involves identity creation, group memberships, licensing considerations, file share permissions, email distribution groups, external application dependencies, employee IDs, and hybrid identity synchronization.

This experience helped reinforce many of the processes encountered during high-volume onboarding in production environments.

Resume-Style Summary

Expanded an Active Directory automation lab to model enterprise identity integration workflows, including employee ID dependencies, role-based access, security and distribution group planning, network share permissions, licensing considerations, and hybrid identity synchronization requirements for high-volume onboarding.

Operations Support - Part 1

Zebra Printer Management System

Overview

Developed a PowerShell GUI tool to simplify Zebra label printing workflows in a warehouse environment. The tool was created to replace the manual process of opening multiple PuTTY sessions, connecting to different Zebra printers, and pasting ZPL scripts individually.

The project was also influenced by prior Helpdesk experience, where some internal support tools were built using PowerShell-based interfaces.

Problem

Printing test labels or operational labels required manually connecting to Zebra printers over the network using PuTTY. This process became repetitive when working with multiple printers or different label types.

Solution

Built a PowerShell Windows Forms GUI that allows the user to select the desired label type and target printer from a simple interface. PowerShell then connects directly to the selected printer over TCP and sends the prepared ZPL script without requiring a PuTTY session.

Features

  • GUI-based printer selection
  • GUI-based label selection
  • Prebuilt ZPL templates
  • TCP connection to Zebra printers
  • Multi-printer support
  • Reduced manual PuTTY usage
  • Repeatable label printing workflow

Technologies

  • PowerShell
  • Windows Forms
  • Zebra Programming Language
  • TCP/IP
  • Zebra printers
  • PuTTY replacement workflow

Sanitized Script Sample

A cleaned, portfolio-safe PowerShell sample is available with placeholder printer names, reserved documentation IP addresses, generic label codes, and printing disabled by default.

# Zebra Printer Management System - Sanitized Portfolio Sample
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

# Display names shown in the GUI map to reserved documentation addresses (RFC 5737).
$printers = [ordered]@{
    "Warehouse Printer 1 - 192.0.2.10" = "192.0.2.10"
    "Warehouse Printer 2 - 192.0.2.11" = "192.0.2.11"
    "Warehouse Printer 3 - 192.0.2.12" = "192.0.2.12"
}

# Set to $true only in a controlled lab or authorized production environment.
$script:EnableActualPrinting = $false

# Read-only, multi-line text box that receives log lines; the full sample
# places it on the form.
$activityLog = New-Object System.Windows.Forms.TextBox
$activityLog.Multiline = $true
$activityLog.ReadOnly  = $true

function Add-Log {
    # Appends a timestamped line to the activity log shown in the GUI.
    param([string]$Message)

    $timestamp = Get-Date -Format "HH:mm:ss"
    $activityLog.AppendText("[$timestamp] $Message`r`n")
}
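The network side of the tool, the part that replaces the PuTTY session, written out here as an added example rather than the project's sample: it fills a generic ZPL test label, checks the target against a fixed printer list, and writes the label to the printer's raw TCP port. Printer addresses use reserved documentation space, the label is a generic test label, and printing stays a dry run unless -Enable is passed. TCP 9100 is the standard Zebra raw-print port and is an assumption about the printers' configuration.

```powershell
# Added example (not the project's sanitized sample): send a prepared ZPL label
# to a Zebra printer over TCP. Addresses are documentation space (RFC 5737) and
# nothing is sent unless -Enable is given.

# Allow-list of known printers: the tool only ever connects to one of these.
$Printers = [ordered]@{
    'Warehouse Printer 1' = '192.0.2.10'
    'Warehouse Printer 2' = '192.0.2.11'
}

# Zebra printers accept raw ZPL on TCP 9100 (assumed standard raw-print port).
$ZebraRawPort = 9100

# Generic ZPL test label: one text field and a Code 128 barcode, one copy.
$TestLabel = @'
^XA
^FO50,50^A0N,40,40^FDPORTFOLIO TEST LABEL^FS
^FO50,120^BY2^BCN,80,Y,N,N^FD{0}^FS
^PQ1
^XZ
'@

function New-ZplLabel {
    # Fills the barcode placeholder. Only alphanumerics and hyphens are accepted
    # so a label value can never introduce extra ZPL commands (^ and ~ are
    # command prefixes in ZPL).
    param([Parameter(Mandatory)][string]$BarcodeValue)

    if ($BarcodeValue -notmatch '^[A-Za-z0-9-]{1,32}$') {
        throw "Barcode value must be 1-32 alphanumeric characters or hyphens."
    }
    return $TestLabel -f $BarcodeValue
}

function Send-ZplToPrinter {
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][string]$Zpl,
        [switch]$Enable,
        [int]$TimeoutMs = 3000
    )

    if (-not $Printers.Contains($PrinterName)) {
        throw "Unknown printer '$PrinterName'. Known: $($Printers.Keys -join ', ')"
    }
    $address = $Printers[$PrinterName]

    if (-not $Enable) {
        # Dry run: report what would be sent and where, but open no connection.
        Write-Host "[DRY RUN] Would send $($Zpl.Length) bytes to $PrinterName ($address`:$ZebraRawPort)"
        return 'dry-run'
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($address, $ZebraRawPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "Timed out connecting to $address`:$ZebraRawPort"
        }
        $client.EndConnect($async)

        # ZPL is plain ASCII; the printer starts the job when it sees ^XZ.
        $bytes  = [System.Text.Encoding]::ASCII.GetBytes($Zpl)
        $stream = $client.GetStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Flush()
        return 'sent'
    } finally {
        $client.Close()
    }
}

# Dry run by default; add -Enable to print for real.
$label = New-ZplLabel -BarcodeValue 'TEST-0001'
Send-ZplToPrinter -PrinterName 'Warehouse Printer 1' -Zpl $label
```

The input check in New-ZplLabel matters once the label value comes from a text box in the GUI: the printer executes whatever ZPL it receives, so free-form text in a field should never be pasted straight into the template.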

Resume-Style Summary

Developed a PowerShell Windows Forms application to manage Zebra printer label workflows by replacing manual PuTTY-based TCP sessions with a GUI-driven tool for selecting printers, choosing predefined ZPL labels, and sending print jobs directly over the network.

Operations Support - Part 2

MDA Measurement System and AWS Greengrass Integration

Overview

Supported the deployment and troubleshooting of Measurement Dimensioning Apparatus (MDA) scales used within warehouse operations. These systems interface with handheld scanners, label printers, WMS applications, and AWS Greengrass Edge servers to provide automated package measurements for fulfillment workflows.

Initial Setup

  • Configure wireless adapter to join the warehouse SSID
  • Assign an available IP address
  • Clone the MDA MAC address to the wireless adapter
  • Verify network connectivity

Device Configuration Concepts

  • Wireless networking
  • MAC addresses
  • IP addressing
  • DHCP versus static addressing
  • Network troubleshooting

Device Configuration Notes

One challenge encountered was that the wireless adapter could successfully associate to the SSID before proper addressing and MAC cloning were completed, making connectivity troubleshooting more difficult.

Connected Systems

  • Measurement scales
  • Label printers
  • Handheld scanners
  • Warehouse Management Systems (WMS)

Edge Server Concepts

  • Edge computing
  • IoT architecture
  • Client-server communication
  • Remote datacenter connectivity

Edge Server Communication

The MDA device communicates with an AWS Greengrass Edge server responsible for interfacing with warehouse endpoint devices. The edge server resides remotely in a European datacenter rather than locally, introducing additional latency considerations.

Measurement Workflow

  1. Handheld scanner requests measurements
  2. Request traverses the network and WAN
  3. AWS Greengrass Edge server receives the request
  4. MDA scale provides dimensions
  5. Measurements are returned to the scanner
  6. Information is logged for the 3PL customer

Systems Involved

  • Handheld scanners
  • MDA scales
  • AWS Greengrass Edge Server
  • WMS applications
  • Datacenter infrastructure

Workflow Concepts

  • XML data exchange
  • IoT workflows
  • Request-response communication
  • Application dependencies

Troubleshooting

After resolving wireless adapter configuration issues, connectivity problems remained. Investigation revealed that a Next-Generation Firewall was blocking Telnet port 2112 required for MDA communication.

  • Verifying network paths
  • Confirming server accessibility
  • Identifying blocked ports
  • Coordinating firewall changes
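A checklist script for the path described above, added here as an example and not part of the original work: it walks from the wireless adapter (association, cloned MAC, IPv4 address) through name resolution to a TCP test on port 2112 against the edge server, and reports the first step that fails. With everything before it passing, a failure at the last step points at a firewall in the path, which is the case this section describes. The adapter alias, SSID, expected MAC and server name are placeholders; TCP 2112 is the port named in the text.

```powershell
# Added example (not part of the original work): check each link in the MDA
# path in the order the troubleshooting followed. All values in $Expected are
# placeholders except the port, which is the MDA port named in the text.

$Expected = @{
    AdapterName = 'Wi-Fi'               # placeholder interface alias
    Ssid        = 'WAREHOUSE-OPS'       # placeholder SSID
    Mac         = 'AA-BB-CC-00-11-22'   # placeholder: the MDA's MAC, cloned onto the adapter
    Server      = 'edge.example'        # placeholder: AWS Greengrass edge host
    Port        = 2112
}

function Test-MdaPath {
    param([Parameter(Mandatory)][hashtable]$Expected)

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Step, $Ok, $Detail) {
        $results.Add([pscustomobject]@{ Step = $Step; Ok = [bool]$Ok; Detail = $Detail })
    }

    # 1. Adapter present and up.
    $adapter = Get-NetAdapter -Name $Expected.AdapterName -ErrorAction SilentlyContinue
    Add-Result 'Adapter up' ($adapter -and $adapter.Status -eq 'Up') "$($adapter.Status)"

    # 2. Associated to the right SSID (netsh output line: "    SSID : name").
    $ssidLine = (netsh wlan show interfaces) -match '^\s*SSID\s*:' | Select-Object -First 1
    $ssid = if ($ssidLine) { ($ssidLine -split ':', 2)[1].Trim() } else { '' }
    Add-Result 'SSID associated' ($ssid -eq $Expected.Ssid) $ssid

    # 3. The cloned MAC is actually in effect. Association can succeed before the
    #    clone is applied, which is what made the original problem hard to see.
    Add-Result 'MAC cloned' ($adapter.MacAddress -eq $Expected.Mac) "$($adapter.MacAddress)"

    # 4. A real IPv4 address (not APIPA 169.254.x.x) is assigned on that adapter.
    $ip = Get-NetIPAddress -InterfaceAlias $Expected.AdapterName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike '169.254.*' } | Select-Object -First 1
    Add-Result 'IPv4 assigned' ([bool]$ip) "$($ip.IPAddress)"

    # 5. The edge server name resolves.
    $dns = Resolve-DnsName -Name $Expected.Server -Type A -ErrorAction SilentlyContinue
    Add-Result 'Server resolves' ([bool]$dns) "$($dns.IPAddress -join ', ')"

    # 6. TCP 2112 is reachable end to end. Ping succeeding while the TCP test
    #    fails is the signature of a port-level block rather than a routing issue.
    $tcp = Test-NetConnection -ComputerName $Expected.Server -Port $Expected.Port -WarningAction SilentlyContinue
    Add-Result "TCP $($Expected.Port) open" $tcp.TcpTestSucceeded "Ping: $($tcp.PingSucceeded)"

    return $results
}

$report = Test-MdaPath -Expected $Expected
$report | Format-Table -AutoSize
$firstFailure = $report | Where-Object { -not $_.Ok } | Select-Object -First 1
if ($firstFailure) { "First failing step: $($firstFailure.Step)" }
```

The order is deliberate: each step only means something if the ones above it pass, so the first failing row is the one to hand to whoever owns that layer (the device, the wireless network, DNS, or the firewall team).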

Troubleshooting Concepts

  • Port connectivity testing
  • Next-Generation Firewalls
  • Application traffic flows
  • Network security policies
  • End-to-end troubleshooting

Hardware

  • Measurement Dimensioning Apparatus (MDA)
  • Wireless adapters
  • Handheld scanners
  • Label printers

Infrastructure

  • AWS Greengrass
  • IoT Edge Server
  • WMS
  • XML

Networking

  • Wi-Fi
  • MAC addressing
  • IP addressing
  • Telnet (TCP 2112)
  • Firewall troubleshooting
  • WAN connectivity

Resume-Style Summary

Supported warehouse IoT infrastructure by configuring measurement dimensioning systems, troubleshooting wireless connectivity, integrating AWS Greengrass Edge servers, and resolving firewall issues affecting XML-based communication between handheld scanners, WMS applications, and endpoint devices.