
Mario

// Network Security Engineer

Homelab Infrastructure

Welcome

Enterprise SASE security by day, homelab tinkerer by night. I’m Mario, a Network Security Engineer at Palo Alto Networks managing one of PANW’s largest global deployments (100K+ users, 34 regions). This journal documents what happens when you bring that mindset home — a 4-node Proxmox cluster running 50+ services with proper security, observability, and AI-assisted automation.

Built with AI — This site is created with the help of Claude Code. The diagrams, banners, and even some of the writing are AI-assisted. It’s an experiment in human-AI collaboration for technical documentation.


What’s Running

Homelab Infrastructure Overview


Featured Content

Wazuh XDR Implementation

Deploying open-source extended detection and response across the homelab — from manager setup to Graylog integration. Enterprise-grade threat detection on a homelab budget.

4-Layer Agentic Architecture

How I organize AI-assisted automation into composable layers: Justfile → Commands → Skills → Agents. Each layer has a single responsibility.

PAN-OS Certificate Automation

Automated certificate lifecycle management across firewall and reverse proxy — where security engineering meets infrastructure automation.


Explore by Interest

I want to understand how something works → Reference documentation organized by topic — Security, Networking, Infrastructure, Automation, Observability, and AI Tooling.

I want to follow a step-by-step guide → Detailed tutorials with prerequisites, verification steps, and troubleshooting tips.

I want to read lessons learned → Deep dives, post-mortems, and discoveries from building and breaking things.

Recent

I Built 15 Blog Posts Before Noticing My Own Site Was Broken

TL;DR

My technical blog was squeezing code blocks, tables, and ASCII diagrams into a 650px column designed for novel paragraphs. One CSS line fixed it. The real lesson: defaults optimized for one use case silently degrade another.

The Problem I Didn’t See

I’d been publishing posts for months. Tutorials with wide code blocks. Architecture posts with ASCII flow diagrams. Tables comparing tools and alternatives. Every single one was being crushed into 65ch — roughly 650 pixels of width.

How I Got Every Device Named in My Firewall Logs (Without Active Directory)

TL;DR

A Python script that identifies every device on your network in PAN-OS traffic logs, without Active Directory. Combines Pi-hole DNS, UniFi Controller, and DHCP leases into one priority merge. 124 devices named on my PA-440.

Before:

    192.168.10.128 → 8.8.8.8        user: unknown
    192.168.30.240 → 1.1.1.1        user: unknown
    172.30.50.77   → 52.26.132.60   user: unknown

After:

One MCP Server to Rule Them All: Unifying 9 Homelab Services

The Problem: Six Interfaces for One Question

“Is anything broken in my homelab?” Answering that question used to mean:

    SSH into Proxmox to check guest status.
    Curl the Pi-hole API for DNS health.
    Open Grafana to scan Prometheus alerts.
    Check Graylog for error spikes.
    Look at Semaphore for failed automation runs.
    Glance at Caddy logs for 502s.

Building a Safe Auto-Update System for Docker After a 2 AM Outage

The 2 AM Wake-Up Call

I woke up to find my CI/CD platform had been down for 8 hours. Semaphore, the Ansible automation engine that manages my entire homelab, was stuck in a crash loop:

    /usr/local/bin/server-wrapper: line 295: syntax error: unexpected "&&"
    /usr/local/bin/server-wrapper: line 295: syntax error: unexpected "&&"
    /usr/local/bin/server-wrapper: line 295: syntax error: unexpected "&&"

The same error, repeating every few seconds. The container would start, hit the broken entrypoint script, crash, and restart. Endlessly.

Automating PAN-OS Root Store Updates with pan-chainguard and Semaphore

Overview

If you’re running SSL decryption on a Palo Alto firewall, you’ve probably hit this: a user reports they can’t access a website, and it turns out the site’s CA certificate isn’t in your firewall’s trusted root store. PAN-OS only updates its built-in root store on major software releases, which means between upgrades your firewall’s trust anchors slowly go stale.

Consolidating PAN-OS Certificate Management with Caddy + Semaphore

The Problem

My PAN-OS firewall (GlobalProtect VPN portal at vpn.mareoxlan.com) needs a valid TLS certificate. I had a dedicated LXC (30122) running acme.sh with a Cloudflare DNS-01 challenge to issue a wildcard cert, then a PAN-OS deploy hook to push it to the firewall via the XML API. It worked, but it was a single-purpose VM doing the same job my Caddy reverse proxy already does – Caddy auto-renews *.mareoxlan.com via the same Cloudflare DNS-01 mechanism.