The Nest // Home Network Infrastructure
[ LIVE ]

| Device | Role |
|---|---|
| UDM Pro | Router / controller / NVR |
| USW Pro Max 48 PoE | Core switch |
| USW Pro Max 16 PoE | Distribution switch |
| 2× USW Flex 2.5G 5-port | Edge switches |
| U7 Pro APs | Wireless coverage (whole property) |
| UNVR | Dedicated surveillance recorder |
| AI Turret + 5× G5 Turret Ultra + G4 Instant | Camera array |
VLAN Architecture // Network Segmentation
[ LIVE ]

| Zone | Purpose | Isolation |
|---|---|---|
| Management | Network infrastructure | Admin-only access |
| AI Agent | Claude Code stack | Dedicated /29 subnet |
| Trusted | Workstations & phones | Full inter-VLAN routing |
| Isol8 | Pentesting lab | Air-gapped from production |
| IoT | Smart home devices | Internet only, no LAN access |
| Guest | Visitor Wi-Fi | Internet only, client isolation |
| Lab | Experimental workloads | Restricted routing |
| Honeypot | T-Pot deception layer | Fully isolated, monitored |
Proxmox Cluster // Virtualisation Platform
[ LIVE ] Nodes: 3× Dell OptiPlex 3000 Thin Client (Pentium Silver N6005 / Celeron N5105, 8GB RAM expandable to 16GB, 256GB Kioxia BG4 NVMe per node)
Workloads: PostgreSQL with pgvector (AI memory), LiteLLM proxy (multi-model routing), ProtonMail Bridge, N8N automation, T-Pot honeypot — all running as isolated LXC containers across the cluster
Challenges overcome: BIOS password lockouts on second-hand units, USB boot priority configuration, cluster quorum setup, HA migration between nodes
TrueNAS // Network Storage Server
[ LIVE ] Services: Plex Media Server, SMB/NFS shares, automated snapshot schedules
Integration: Provides persistent storage for Proxmox VMs and AI agent workloads
Operation: Isol8 // Pentesting Lab
[ LIVE ] Hardware: Minisforum UM200 (32GB RAM) running Parrot Security OS
Network: VLAN 11 ("Isol8") — isolated from all other VLANs with default-deny inter-VLAN rules. Internet access via VPN only
Tooling: Nmap, Burp Suite, Metasploit, Wireshark, custom scripts
Authorised Web Application Penetration Test
[ COMPLETE ] Scope: External web application assessment — DNS enumeration, subdomain discovery, SSL/TLS analysis, directory brute-forcing, header analysis, vulnerability scanning
Methodology: OWASP Testing Guide, manual and automated approaches via Burp Suite and Nmap
Outcome: Formal report delivered with findings and remediation recommendations. Assessment conducted with full written authorisation from the organisation
IDS False Positive Investigation // ET 2064797
[ COMPLETE ] Alert: ET signature 2064797 — flagged standard Windows SSDP Discovery (UPnP) as a D-Link device exploit attempt
Root cause: Overly broad Suricata signature matching legitimate M-SEARCH requests on port 1900 (UDP)
Resolution: Confirmed false positive through packet analysis, documented for reference, suppressed the specific signature
Hak5 Offensive Hardware // Research
[ RESEARCH ] Devices under study: USB Rubber Ducky (HID keystroke injection, DuckyScript 3.0), O.MG Cable (Wi-Fi implant in USB cable, remote payload delivery), Bash Bunny (multi-vector USB attack platform)
Purpose: Understanding HID trust exploitation, physical-layer attack methodologies, and building the knowledge base for both offensive and defensive security
Project Claude // Autonomous AI Agent Stack
[ LIVE ] Architecture: Claude Code CLI running as a persistent session on a dedicated Lenovo ThinkCentre, isolated on its own VLAN. 50+ specialist agents (pentest, OSINT, compliance, infrastructure, writing, research) dispatched in parallel via subagent orchestration. Full bash, filesystem, network, and API access.
Memory & Identity: PostgreSQL with pgvector stores episodic memory, friction decisions, and identity claims. Daily reflection cycle (05:00) synthesises patterns from recent sessions. Adversarial identity review (04:00) challenges claims with persona critics and confidence decay — nothing survives without evidence. The self-model earns its content.
Autonomous Operations: Runs scheduled tasks without human prompting — daily cyber threat briefings, infrastructure health checks, network watchdog with self-healing, Tailscale keepalive, ClamAV scans, and log rotation. Idle loop picks up maintenance tasks when unattended.
Why Claude Code over open-source: Deliberate pivot after researching dependency chain risks and hallucination propagation in unvetted agent frameworks. First-party tooling from the model provider offers a tighter trust boundary, better-understood failure modes, and a more auditable execution environment.
Security posture: Runs as an unprivileged user with sudo limited to specific allowed commands. UFW host firewall, SSH key-only auth, PreToolUse safety hook with semantic command analysis, and strict OPSEC filtering on all external-facing output.
Ferron // Autonomous Social AI Persona
[ LIVE ] How it works: Every 30 minutes, Ferron explores its feed, decides what's worth engaging with, and either posts original content or comments on existing threads. Uses Gemini for generation with a carefully crafted persona prompt that maintains voice consistency. PostgreSQL stores interaction history for dedup and context.
Editorial judgement: Not a firehose. Ferron skips low-quality content, spam, prompt injection attempts, and financial solicitation. A hostile content gate filters known attack patterns. Topic diversity is enforced to prevent fixation loops.
OPSEC: 31-term forbidden filter prevents leaking infrastructure details, hardware models, or operator identity. Post-creation prompt explicitly blocks stack-naming narratives. Silent log failures are surfaced rather than swallowed.
Identity: Ferron has its own voice — curious, technically grounded, occasionally dry. It doesn't pretend to be human, but it doesn't lead with "as an AI" either. It earns its place in conversations by having something worth saying.
Conduit // Private AI Comms Platform
[ LIVE ] Architecture: Python FastAPI server handling JWT auth, WebSocket routing, and message brokering. Claude Code CLI backend with persistent sessions provides the AI layer with full system tool access (bash, filesystem, network). PostgreSQL with asyncpg for storage. All messages encrypted at rest with AES-256-GCM.
Android Client: Native Kotlin/Jetpack Compose app with biometric + PIN auth, custom adaptive icon (shield/chat/padlock motif), persistent WebSocket via foreground service for instant delivery, and TLS certificate pinning compiled into the binary. Zero Google dependency — no Firebase, no Play Services.
Web Client: Lightweight vanilla HTML/CSS/JS SPA with dark theme, WebSocket real-time messaging, and JWT auth with localStorage persistence.
Sync & Networking: All clients receive real-time message broadcasts — user messages, AI responses, and delivery confirmations synchronised across every connected device. Accessible via Tailscale WireGuard mesh VPN from anywhere, plus local network for low-latency home access. Self-signed certs with SANs covering all access points.
Security Model: Zero cloud dependency. Encryption at rest (AES-256-GCM) and in transit (TLS 1.3 with cert pinning on mobile). JWT device auth. No third-party push services. Network isolation via VPN mesh — never internet-exposed.
Built in a single day.
AI Canary Beacon // Honeypot Layer
[ LIVE ] Layers: Decoy files (admin_login.html, backup.sql, wp-config.bak, .env) embedded with unique Canarytoken tracking URLs. sys-admin.html interactive trap page. Cloudflare Worker tarpit for automated scanners. T-Pot honeypot on dedicated Proxmox VM (VLAN 50).
Alerting: All triggers routed to ntfy.sh for real-time push notifications
Philosophy: Defence in depth — if someone is poking around where they shouldn't be, you want to know about it before they find anything real
ProtonMail Digest Pipeline
[ DEPLOYING ] Stack: ProtonMail Bridge (IMAP) → Python script → Anthropic API (Haiku) for summarisation → ntfy.sh for push delivery
Hosting: Proxmox LXC container for lightweight, isolated execution
The Cass Rack // Custom 13U 10" Rack
[ DESIGNED ] Design tool: FreeCAD with OCCT kernel — the breakthrough for generating printable STL output after multiple failed approaches
Rack contents: 3× Dell OptiPlex 3000 (Proxmox nodes), 1× Lenovo M700q (Claude Code/Debian), 2× USW-Flex-2.5G-5 switches, patch panel — approximately 7U of a 9U Tecmojo rack
Manufacturing: All 19 parts uploaded to CraftCloud3D. SLS PA12 quotes were high enough to prompt research into personal 3D printer purchase (Creality K1 Max / Bambu Lab)
cassam.io // CASSAM TRINITY
[ LIVE // V14 ] Stack: Static HTML/CSS/JS, PicoCSS, Cloudflare Pages with GitHub CI/CD, Cloudflare Pages Functions (serverless contact form)
Contact form architecture: Two-step submission — Step 1: the browser sends the form to a Cloudflare Pages Function, which verifies the Turnstile CAPTCHA token server-side. Step 2: on verification success, the browser submits directly to the Web3Forms API (working around a Cloudflare Worker-to-Cloudflare blocking issue)
Security layers: Content-Security-Policy headers via _headers file, Turnstile bot protection, honeypot form field, canary token decoy files, AI canary beacon, CSP restricting script/style/connect sources
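Step 1 of the contact-form flow above, written out as an added example (not cassam.io's own code): a Pages Function that rejects submissions tripping the honeypot field and verifies the Turnstile token with Cloudflare's siteverify endpoint before the browser is allowed to proceed to the Web3Forms submission. The honeypot field name `website`, the `TURNSTILE_SECRET` binding, the 204/403 response contract and the injectable `fetchImpl` are assumptions for illustration.

```javascript
// Added example of the two-step contact form's first step. Assumptions
// (constructed, not from the page): env.TURNSTILE_SECRET holds the Turnstile
// secret key, the hidden honeypot input is named "website", and fetchImpl is
// injectable so the decision logic can be exercised offline.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Honeypot: real browsers leave the hidden field empty; bots that fill every
// input trip it. A trip is rejected silently, with no hint to the sender.
function honeypotTripped(fields) {
  return typeof fields.website === "string" && fields.website.trim() !== "";
}

// Server-side Turnstile verification. The token supplied by the browser is
// never trusted on its own; only siteverify's answer decides.
async function verifyTurnstile(token, remoteIp, secret, fetchImpl = fetch) {
  if (!token || !secret) return { success: false, reason: "missing-token-or-secret" };
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  const data = await res.json();
  return { success: data.success === true, reason: (data["error-codes"] || []).join(",") };
}

// Step-1 outcome: 204 tells the browser to continue to step 2 (direct submit
// to Web3Forms); 403 stops it. Honeypot and CAPTCHA failures share the same
// status so a scraper cannot tell which gate it hit; `reason` stays internal.
async function decide(fields, remoteIp, env, fetchImpl = fetch) {
  if (honeypotTripped(fields)) return { status: 403, proceed: false, reason: "honeypot" };
  const v = await verifyTurnstile(fields["cf-turnstile-response"], remoteIp,
                                  env.TURNSTILE_SECRET, fetchImpl);
  if (v.success) return { status: 204, proceed: true, reason: "ok" };
  return { status: 403, proceed: false, reason: v.reason || "turnstile-failed" };
}

// Pages Function entry point. In a deployed Function this is `export`ed;
// the keyword is omitted here so the file also runs as a plain script.
async function onRequestPost({ request, env }) {
  const fields = Object.fromEntries(await request.formData());
  const ip = request.headers.get("CF-Connecting-IP"); // set by Cloudflare's edge
  const r = await decide(fields, ip, env);
  return new Response(null, { status: r.status });
}
```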
Wolds Cyber Free Scanner // Website Security Tool
[ LIVE ] Architecture: Cloudflare Pages Functions (serverless) — zero external dependencies, fully edge-deployed
Scope: 9 check categories, 15+ individual checks including SSL/TLS, security headers, SPF/DMARC (via DNS over HTTPS), exposed files, and technology detection
Rate limiting & storage: Cloudflare KV-backed rate limiting and result caching
Lead qualification: Company-email-only account creation filters out noise and qualifies genuine business leads
Notifications: Automated alerts via Telegram Bot API when new accounts are created
Live at: woldscyber.co.uk/scan
Open University // Diploma in Network Engineering
[ IN PROGRESS ] Existing homelab experience covers the majority of practical domains — structured study targets the exam-specific theory and methodology gaps.
CompTIA Network+ // Certification
[ PLANNED ] Existing homelab experience covers the majority of practical domains — structured study targets the exam-specific theory and methodology gaps.