How one homelab operator redesigned his network after hosting public cloud workloads

A homelab operator running a Proxmox-based setup initially placed all workloads — including a NAS, workstation, and Kubernetes cluster — on a single flat /24 subnet. The design became untenable after he stood up an Akash provider, a Kubernetes cluster that accepts real tenant workloads from the internet, leaving public containers on the same broadcast domain as his personal infrastructure. Concerned about east-west traffic risks and the inability to apply per-workload firewall policies, he rearchitected the network along data-centre principles. Each project now gets its own VLAN, its own /24 subnet, and its own firewall policy at the routing boundary, with no default trust between segments. The redesign, anchored by OPNsense and a Cisco Nexus switch, draws on commercial data-centre isolation models to bound fault radius and enforce distinct security postures per workload.
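The one-VLAN, one-/24, one-policy-per-project rule described above can be checked mechanically. The sketch below is an added example, not code from the original article or from OPNsense; the project names, VLAN IDs, subnets and the single allow rule are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed plan: names, VLAN IDs and subnets are illustrative assumptions.
SEGMENTS = {
    "personal": {"vlan": 10, "subnet": "10.0.10.0/24"},
    "storage":  {"vlan": 20, "subnet": "10.0.20.0/24"},
    "akash":    {"vlan": 30, "subnet": "10.0.30.0/24"},
}
# Explicit (source, destination, port) allows at the routing boundary.
# Anything not listed is denied: no default trust between segments.
ALLOW = {("personal", "storage", 445)}

def audit_plan(segments):
    """Return violations of the one-VLAN, one-/24-per-project rule."""
    problems = []
    nets = {n: ipaddress.ip_network(s["subnet"]) for n, s in segments.items()}
    for name, net in nets.items():
        if net.prefixlen != 24:
            problems.append(f"{name}: {net} is not a /24")
    for a, b in combinations(segments, 2):
        if segments[a]["vlan"] == segments[b]["vlan"]:
            problems.append(f"{a}/{b}: shared VLAN {segments[a]['vlan']}")
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a}/{b}: overlapping subnets")
    return problems

def segment_of(ip, segments):
    """Map an address to the first segment whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for name, s in segments.items():
        if addr in ipaddress.ip_network(s["subnet"]):
            return name
    return None

def decide(src_ip, dst_ip, port, segments=SEGMENTS, allow=ALLOW):
    """Classify a flow between internal hosts under default-deny routing."""
    src, dst = segment_of(src_ip, segments), segment_of(dst_ip, segments)
    if src is None or dst is None:
        return "deny"      # address outside every planned segment
    if src == dst:
        return "switched"  # same broadcast domain: the firewall never sees it
    return "allow" if (src, dst, port) in allow else "deny"
```

A `switched` result is the flat-network problem in miniature: traffic inside one broadcast domain never crosses the routing boundary, so no per-workload policy can apply to it.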

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Related stories

Programming · DEV Community

On-Call, Incident Response, and Incident Management Are Not the Same Thing

Many DevOps and SRE teams mistakenly treat on-call, incident response, and incident management as interchangeable terms, leading to alert fatigue and unclear responsibilities. In reality, these are three distinct stages of the incident lifecycle, collectively referred to as the SRE Trinity. On-call focuses on ensuring round-the-clock coverage through schedules, rotations, and escalation policies. Incident response deals with actively diagnosing and restoring a broken service as quickly as possible. Incident management takes the longer view, analyzing root causes and implementing changes to prevent future failures.

Programming · DEV Community

Why Software Interfaces Should Adapt to Each User, Not Stay Fixed for All

A new perspective in software development challenges the long-standing assumption that a single interface should be served identically to every user. Most software today couples logic — what an interface does — with visuals — how it looks — into the same codebase, meaning design decisions made once apply to everyone regardless of context. This approach made sense when software was simple, but as products scaled to billions of users with vastly different needs, the limitation became more apparent. The argument is that interface logic, such as a checkout flow or search bar, is stable across users, while visual presentation should vary based on who is viewing it. Separating these two layers could allow interfaces to dynamically adapt their layout and emphasis for each individual, rather than reflecting a single designer's assumptions about an imagined user.

Programming · DEV Community

browser-use Team Launches Open-Source AI Video Editor Powered by Coding Agents

The browser-use team released video-use in April 2026, an open-source tool that lets AI coding agents such as Claude Code and Codex edit video files entirely through shell access. Instead of processing raw frames, the system converts footage into a phrase-level Markdown transcript using ElevenLabs Scribe, allowing the AI to 'read' the video rather than watch it. The tool uses an ffmpeg orchestration layer to express edits as structured JSON data, then renders a final output file without requiring any manual timeline or menu interaction. Since its launch, the project has accumulated over 13,000 GitHub stars, with more than 3,000 added in a single week by early July 2026. The reviewer tested it across podcast recordings, product demos, and travel footage, describing it as one of the fastest-growing repositories in the browser-use organisation.

Programming · DEV Community

Logit-Level Filtering Proposed as Stronger Defense Against LLM Jailbreaks

A new open-source tool called resk-logits aims to address security gaps in large language models by intercepting token probability distributions before text is generated, rather than scanning outputs after the fact. Traditional guardrails, regex filters, and audits operate post-sampling, meaning a jailbreak has already occurred at the logit level by the time they detect it. The tool uses Aho-Corasick pattern matching on the GPU to suppress harmful token sequences proactively, with claimed processing speeds under one millisecond for over 10,000 patterns. Developed by Resk Security, the library is available on GitHub and PyPI. The developers argue that while audits and output filters remain useful, true LLM security requires intervening at the point where token decisions are actually made.
