Introduction: Efficiency and Architecture
In today’s IT landscape, the ability to abstract hardware and manage resources efficiently is fundamental. To demonstrate my mastery of virtualization and networking concepts, I designed and implemented a Private Cloud based on Proxmox VE.
The choice of an Intel N100 mini PC was driven not only by the price/performance ratio (€200) but also by the technical challenge of optimizing concurrent workloads with low power overhead, ensuring good resilience, and testing the boundaries of this infrastructure.
While this environment is primarily for testing, with strategic resource management, it achieves an excellent balance between reliability, efficiency, and speed—effectively replicating a professional infrastructure. This model is ideal for small businesses looking to embrace Data Sovereignty.
Data Sovereignty is the concept that data is subject to the laws of the country or region where it was generated (sometimes referred to as data residency), ensuring privacy, security, and governance over one’s information systems.
Technology Mapping: From Bare Metal to Cloud
Below is how the components of my Proxmox environment map to services offered by Amazon AWS:
| Local Component | AWS Equivalent | Core Function |
|---|---|---|
| Debian VM (KVM) | Amazon EC2 | Isolated and persistent workloads. |
| LXC Containers | Amazon ECS / Fargate | Low-latency, high-density microservices. |
| Nginx Proxy Manager | Application Load Balancer | TLS termination and traffic routing. |
| nftables / UFW | Security Groups / NACL | Packet filtering and network segregation. |
| WireGuard VPN | AWS Client VPN | Secure Out-of-Band (OOB) management access. |
| Bash & Systemd | AWS Systems Manager | Automation, CI/CD, and lifecycle management. |
Security and Hardening: “Defense in Depth”
In an exposed environment, security is never optional. I have selected two lightweight services, Vaultwarden and Navidrome, along with Jellyfin. The latter must be managed efficiently to avoid server overload, RAM saturation, or CPU thermal throttling, which could lead to system instability or hardware damage.
I implemented a multi-layered defense strategy to protect these critical services:
- Identity and Access: SSH access is limited to public-key authentication (password logins disabled), which removes password brute-forcing as an attack vector.
- Network Security: I use nftables for granular control. Unlike a flat host firewall, nftables lets me control the traffic between Proxmox VMs and containers themselves, not only what enters the host.
- Intrusion Prevention: Fail2Ban and SSHGuard watch the authentication logs in real time and ban offending addresses, while rkhunter (rootkit checks) and ClamAV (malware scanning) watch over file system integrity.
- Anti-Spoofing: Targeted modifications to `host.conf` to prevent host-level spoofing attacks.
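A check I find useful after applying the first and last of these layers is an audit of the resulting configuration rather than trusting that the edit took effect. The script below is an added example (not code from the original post): it parses `sshd_config`-style and `host.conf`-style text with sshd's "first value wins" rule and reports which required settings are missing or wrong. The post names `host.conf` but not the directive it changes, so the example assumes the `nospoof on` option documented in host.conf(5); the config texts at the bottom are constructed samples, not the author's real files.

```python
"""Audit of two hardening layers described above: key-only SSH (no password
logins) and the host.conf anti-spoofing option.  Added example, not code from
the original post; the config texts below are constructed samples."""

import re

# Required sshd_config values. sshd compares keywords case-insensitively.
SSHD_REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",   # keyboard-interactive can carry passwords too
    "permitrootlogin": "no",
}

# Assumption: the post's host.conf tweak is the `nospoof on` option from host.conf(5).
HOSTCONF_REQUIRED = {"nospoof": "on"}

_KV_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Key value' or 'key=value' lines, skipping blanks and '#' comments.
    The FIRST occurrence of a key wins, which is sshd_config's rule (a later
    duplicate is ignored).  Match blocks are not handled: global settings only."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV_RE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).lower())
    return settings


def audit(config_text: str, required: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every required setting is present."""
    found = parse_config(config_text)
    findings = []
    for key, want in required.items():
        have = found.get(key)
        if have is None:
            findings.append(f"{key}: not set explicitly (default applies)")
        elif have != want:
            findings.append(f"{key}: is '{have}', expected '{want}'")
    return findings


# Constructed samples (not the author's files).
SSHD_BEFORE = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"

# A common mistake: appending the hardened line after an earlier 'yes'. Because
# the first value wins, the appended line changes nothing.
SSHD_SLOPPY = SSHD_BEFORE + "PasswordAuthentication no\n"

SSHD_AFTER = (
    "Port 22\nPermitRootLogin no\nPubkeyAuthentication yes\n"
    "PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
)

HOSTCONF_BEFORE = "multi on\n"
HOSTCONF_AFTER = "multi on\nnospoof on\n"

if __name__ == "__main__":
    for name, text, req in [
        ("sshd_config before", SSHD_BEFORE, SSHD_REQUIRED),
        ("sshd_config sloppy", SSHD_SLOPPY, SSHD_REQUIRED),
        ("sshd_config after", SSHD_AFTER, SSHD_REQUIRED),
        ("host.conf before", HOSTCONF_BEFORE, HOSTCONF_REQUIRED),
        ("host.conf after", HOSTCONF_AFTER, HOSTCONF_REQUIRED),
    ]:
        print(f"{name}: {audit(text, req) or 'OK'}")
```

The "sloppy" sample is the case worth remembering: on Debian the stock `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in file in that directory takes precedence over anything written later in the main file, and `sshd -T` is the way to see the values the daemon actually uses. On a real host the script would read the files instead of the embedded strings.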
Automation and the Linux Philosophy
The transition from Windows to Linux marked a paradigm shift: “Everything is a file”.
I manage deployment and maintenance through a personal library of Bash scripts and Systemd units. This approach provides transparent logging and scheduled backup workflows, granting a level of flexibility that pre-packaged control panels often limit.
Automation Example: Service Management
I use custom scripts to orchestrate the restart of Docker containers within VMs after system updates, ensuring network dependencies are active before application boot.
Fail2Ban reads its jail settings from `/etc/fail2ban/jail.local`; `jail.conf` is the packaged reference file and is not meant to be edited, since package upgrades replace it. Open the local file with an editor such as vi, nano, or vim:

```shell
vim /etc/fail2ban/jail.local
```

Then insert the block below to manage bans for IPs that fail SSH authentication. If `/var/log/auth.log` does not exist on the host (Debian 12 logs to the journal unless rsyslog is installed), set `backend = systemd` so Fail2Ban reads the journal instead:

```ini
# Jail for the SSH daemon: 3 failed logins within 5 minutes earn a 1-hour ban.
[sshd]
enabled = true
# Port(s) to block for a banned address; "ssh" resolves to 22 via /etc/services
port = ssh
# Filter from /etc/fail2ban/filter.d/sshd.conf
filter = sshd
logpath = /var/log/auth.log
# Uncomment if auth.log is absent and sshd logs to the systemd journal
# backend = systemd
# Failures allowed (maxretry) inside the window (findtime, seconds)
maxretry = 3
findtime = 300
# Ban duration in seconds
bantime = 3600
# Addresses never banned; add your management network or VPN range here
ignoreip = 127.0.0.1
```
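To see what the three numbers in that jail actually decide, the following added example (not Fail2Ban's own code and not part of the original post) replays a handful of constructed `auth.log` lines through the same rule: an address is banned once it reaches `maxretry` failures inside a `findtime` window, stays banned for `bantime` during which further failures are ignored, and `ignoreip` addresses are never counted. The failure regex is a simplified stand-in for Fail2Ban's `sshd` filter, the addresses are TEST-NET ranges, and the year is assumed because syslog timestamps carry none.

```python
"""Replay of the [sshd] jail's ban logic over constructed auth.log lines.
Added example, not Fail2Ban's own code; the log lines, the year and the
simplified failure regex are all assumptions made for the sample."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters, copied from the jail.local above.
MAXRETRY = 3
FINDTIME = 300      # seconds: window in which MAXRETRY failures trigger a ban
BANTIME = 3600      # seconds: how long a ban lasts
IGNOREIP = {"127.0.0.1"}

# Simplified stand-in for Fail2Ban's sshd filter (assumption): matches the
# "Failed password for [invalid user] NAME from IP" lines sshd writes.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for(?: invalid user)? \S+ from (?P<ip>[\d.]+)"
)


def parse_ts(stamp: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one for the sample."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def ban_decisions(lines, maxretry=MAXRETRY, findtime=FINDTIME,
                  bantime=BANTIME, ignoreip=IGNOREIP) -> dict[str, tuple[str, str]]:
    """Return {ip: (ban_start, ban_end)} in ISO format for every IP the jail bans."""
    window = defaultdict(deque)          # ip -> failure times still inside findtime
    banned: dict[str, datetime] = {}     # ip -> when its current ban started
    result: dict[str, tuple[str, str]] = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue                     # accepted logins and other noise
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in ignoreip:
            continue                     # ignoreip: never counted, never banned
        if ip in banned:
            if ts - banned[ip] < timedelta(seconds=bantime):
                continue                 # still banned: extra failures change nothing
            del banned[ip]               # ban expired, start counting afresh
        q = window[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()                  # forget failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
            result[ip] = (ts.isoformat(), (ts + timedelta(seconds=bantime)).isoformat())
            q.clear()
    return result


# Constructed sample log (TEST-NET addresses), not a capture from a real host.
AUTH_LOG = """\
Mar  5 10:00:01 pve sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  5 10:00:04 pve sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  5 10:00:09 pve sshd[1003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  5 10:00:15 pve sshd[1004]: Accepted publickey for operator from 198.51.100.9 port 52000 ssh2
Mar  5 10:01:00 pve sshd[1005]: Failed password for root from 198.51.100.9 port 52001 ssh2
Mar  5 10:01:30 pve sshd[1006]: Failed password for root from 198.51.100.9 port 52002 ssh2
Mar  5 10:02:00 pve sshd[1007]: Failed password for root from 192.0.2.5 port 53000 ssh2
Mar  5 10:05:00 pve sshd[1008]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  5 10:10:00 pve sshd[1009]: Failed password for root from 192.0.2.5 port 53001 ssh2
Mar  5 10:20:00 pve sshd[1010]: Failed password for root from 192.0.2.5 port 53002 ssh2
Mar  5 10:30:00 pve sshd[1011]: Failed password for root from 127.0.0.1 port 54000 ssh2
Mar  5 10:30:01 pve sshd[1012]: Failed password for root from 127.0.0.1 port 54001 ssh2
Mar  5 10:30:02 pve sshd[1013]: Failed password for root from 127.0.0.1 port 54002 ssh2
"""

if __name__ == "__main__":
    for ip, (start, end) in ban_decisions(AUTH_LOG.splitlines()).items():
        print(f"ban {ip} from {start} until {end}")
```

Only `203.0.113.7` is banned: `198.51.100.9` stops at two failures, `192.0.2.5` fails three times but spread over eighteen minutes so never has three inside one 300-second window, and `127.0.0.1` is covered by `ignoreip`. The failure at 10:05 from the banned address is ignored because the ban is still running; that is also why a long `bantime` with a short `findtime` is the usual trade-off, since a slow attacker pacing attempts beyond `findtime` is only caught by lengthening the window.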