JIT

Notebook

From the notebook.

Field notes, ideas, opinions and the occasional detour — short, practical writing on networking, security, infrastructure, the homelab and whatever else I'm tinkering with.

Idea notes

Could open-source IAM replace Active Directory and Entra ID?

Where midPoint plus Authentik can replace the Microsoft identity stack in a hybrid Windows/Linux shop — and where it can't. A thought experiment, not a build.

  • Identity
  • Architecture
  • Security

When your gateway hijacks DNS

An internal site that wouldn't load, a resolver that was never asked, and the dead-IP query that proved a 'helpful' gateway was answering DNS behind my back.

  • DNS
  • Security
  • Networking
  • Homelab

Idea notes

Why we're keeping venv, for now

I measured uv against our pin-everything dependency policy. It fits — and we're still staying on stdlib venv. The why is more interesting than the verdict.

  • Python
  • Tooling
  • AI Agents

Giving an AI agent the keys, safely

Wiring our identity agent into a secrets manager without handing it the kingdom — read-only by default, segregation of duties, and writes you have to mean.

  • AI Agents
  • Security
  • Secrets Management

How the agent fleet is wired, in five layers

From a typed request to a guarded action against a real system — a walk down the stack that turns Claude Code into a fleet of homelab operators: the CLI, the shared agent-core, the agents, their skills, and the actions they perform.

  • AI Agents
  • Architecture
  • Homelab

Skills, MCP, and where the credentials belong

A simple question — do our agents need MCP? — that quietly turned into a clearer picture of skills, MCP servers, and the identity layer sitting underneath both.

  • AI Agents
  • MCP
  • Security

Teaching an AI agent to speak Technitium

Building a DNS skill for our network agent — and the two-layer permission model that hid our zones in plain sight.

  • Homelab
  • DNS
  • Automation

Phase 2: internal DNS and the bootstrap chicken-and-egg

Standing up an authoritative internal resolver as code — split-horizon, encrypted upstreams, and the moment the new DNS box couldn't resolve its own installer.

  • Homelab
  • DNS
  • Security

On-demand Docker updates for when Watchtower blinks

Teaching my agent to update Docker stacks within policy — including the source-built ones that have no image to pull.

  • Docker
  • Homelab
  • Automation

Phase 1: a golden image, and why SeaBIOS won this round

Building the cloud-init template every VM clones from — and learning the hard way that UEFI + cloud images + a serial console hides your boot failures.

  • Homelab
  • Proxmox
  • Automation

Phase 0: read the house before you renovate

The first phase changes nothing — it just reads live state and proves how wrong the plan already was. Discovery is the cheapest phase and the most valuable.

  • Homelab
  • IaC
  • Proxmox

Rebuilding my homelab as code, with an agent riding shotgun

Starting a phased, infrastructure-as-code rebuild of the homelab — and pairing with an AI agent that does the typing while I keep the judgement.

  • Homelab
  • IaC
  • Automation

Hardening SSH on a fresh Ubuntu box

The five-minute baseline I apply to every new server before it goes anywhere near a network.

  • Linux
  • Security
  • Homelab

Why my homelab lives behind VLANs

Segmentation isn't just an enterprise checkbox — here's how I split a single Proxmox node into safe zones.

  • Networking
  • Proxmox
  • Security

A Cisco ISE MAB fallback that won't lock you out

A critical-auth VLAN so a dead RADIUS server doesn't take a whole floor offline.

  • Cisco
  • ISE
  • 802.1X