// 04 · FIELD NOTES
Holocron Logs
Technical writeups from the Alliance Fleet: infrastructure, identity, and the road to Cloud and IAM.
Act I · Alliance Fleet Series (read in order)
The foundation layer. Nine posts covering the philosophy, hardware, network, and observability decisions behind the fleet. Start here.
01
Transmission Origin
I'm Tima Nlemvo, an IT engineer with 8 years in IT operations. This blog is a technical archive of everything I'm learning by building, breaking, and documenting the Alliance Fleet.
02
The Blueprint: What Production-Grade Actually Means
Production-grade infrastructure is not about the hardware. It is about the decisions, constraints, and tradeoffs that shape how a system behaves under failure. This is the philosophy behind the Alliance Fleet.
03
The Architecture: Measure Twice, Cut Once
Three nodes, five VLANs, 25+ services, and one rule: every design decision gets documented. This is the architecture of the Alliance Fleet and the reasoning behind every major choice.
04
The Network Layer: Hardware, VLAN Segmentation, and Zero-Trust Firewall Design
The Alliance Fleet network runs on a UniFi stack inside a Rackpi T1 10-inch rack. Five VLANs enforce workload isolation across a managed switch, wireless AP, and a Dream Machine gateway that replaced OPNsense after a dual-gateway reliability failure.
05
The Fleet Manifest: Strategic Resource Allocation
The full VM and LXC inventory across all three nodes. Resource allocation, VLAN placement, and why each workload lives where it does.
06
The Telemetry Core: Full-Stack Observability and Environmental Logic
Full-stack observability built on Telegraf, InfluxDB, and Grafana at 10-second resolution. The pipeline that made root cause analysis possible when all local logs were destroyed.
07
Node-A: The Millennium Falcon, High-Performance Compute and AI
Node-A is the AI and ML compute node: Intel Core Ultra 9, 64GB DDR5, and an RTX 4000 Ada passed through via VFIO to a single VM for bare-metal-equivalent GPU access.
08
Node-B: The CR90 Corvette, Data Integrity and Operations Hub
Node-B is the data and operations hub: AMD Ryzen 7 PRO with 64GB DDR5 ECC RAM and ZFS storage. ECC matters when you are running a domain controller and a time-series database on the same node.
09
Node-C: The Gozanti Cruiser, Security Sentinel
Node-C is the network and security sentinel: Intel i7-7700 with a hardware-modded 2.5GbE NIC via the M.2 slot. It runs Wazuh, AdGuard, NPM, and serves as the Tailscale subnet router.
All Posts (27 entries)
Act 2 career
Jun 2026 Why I Didn't Migrate Ghost to Azure: The Blog Platform Decision
The original plan was Ghost Pro to Azure VM. A real AZ-104 deployment, production operations, unified monitoring. The actual decision was Ghost Pro to Astro Content Collections on Netlify. Here is why the plan changed, what was built instead, and what that decision says about how infrastructure choices should actually be made.
Act 2 project
May 2026 The Alliance Fleet Backup Architecture: Snapshots, Local Storage, and Azure Offsite
A three-layer backup strategy for a three-node Proxmox cluster. Proxmox snapshots with retention tiers, nightly vzdump to a local external drive on Node-B, and an azcopy pipeline pushing everything to Azure Blob Storage at 3AM. The bugs that nearly killed the first run are worth documenting.
Act 2 field-notes
May 2026 RustDesk Self-Hosted: Free Remote Desktop Without the Cloud Dependency
RustDesk deployed as Bothawui (LXC CT 114) on Node-B at 192.168.20.81. The Azure relay was rejected because Tailscale already handles NAT traversal. Self-hosted means no subscription, no data leaving the fleet, and a relay server that actually understands the network it is running on.
Act 2 field-notes
May 2026 Deploying Home Assistant on an Isolated IoT VLAN: Three Bugs Before Breakfast
Home Assistant (Kashyyyk, VM 116) on VLAN 30 Mustafar. The deployment took an hour. The debugging took three more. A missing VLAN tag on Proxmox net0, Isolate Network silently blocking all inter-VLAN traffic, and a firewall rule source type that only matched the gateway. All three resolved before InfluxDB data started flowing.
Act 2 project
Apr 2026 Hybrid Active Directory Lab: From Forest Promotion to Entra Connect in 48 Hours
Built a Windows Server 2022 domain controller from scratch, stood up a full OU structure with cascading GPOs, domain-joined a Windows 11 Pro workstation, and connected the on-premises forest to Azure via Entra Connect Password Hash Sync. The Server Core mistake cost four hours. The rebuild was worth documenting.
Act 2 project
Apr 2026 Wazuh CVE Digest to Ollama: AI-Powered Vulnerability Remediation Reports
Wazuh already detects vulnerabilities. It scans every enrolled agent, inventories installed packages, and cross-references them against the National Vulnerability Database. This workflow bridges the gap!
Act 2 field-notes
Apr 2026 The K-2SO Architecture: Double-Isolation for a Homelab Observability Bot
A unified observability bot that replaces the sprawl with a single, heavily isolated entry point. It reads everything, queries anything, and can't modify a thing.
Act 2 project
Apr 2026 BD-1: Building a Claude-Powered Discord Bot
A custom Discord bot powered by Anthropic's Claude API. It lives in the Alliance Fleet Discord server and serves as an interactive knowledge assistant.
Act 2 project
Mar 2026 n8n as Infrastructure Glue: 84+ Workflows and Counting
Most homelab automation falls into two categories: scheduled scripts in cron that hope for the best, or one-off webhooks that fire alerts nobody reads. Neither reflects how production environments actually work.
Act 2 project
Mar 2026 Uptime Kuma: Monitoring 25+ Services With Discord Webhook Alerts
Uptime Kuma runs lightweight HTTP/TCP/ping checks against every service endpoint and fires a Discord webhook the moment something goes down. It's the canary - fast, dumb, and reliable.
Act 2 project
Mar 2026 GPU Passthrough on Proxmox: VFIO, IOMMU, and the RTX 4000 Ada
The goal is to pass the entire NVIDIA RTX 4000 Ada GPU through to a single VM, so that it has exclusive, bare-metal-equivalent access to the hardware.
Act 2 project
Mar 2026 Deploying Authentik SSO Across 15+ Services: The Full Integration Playbook
Twelve services, twelve passwords. No centralized authentication. No audit trail showing who logged into what and when.
Act 2 project
Mar 2026 Building a TIG Stack for Homelab Observability: Telegraf, InfluxDB, Grafana
Why build an observability stack? Running 25+ services across 3 nodes without observability is running blind. You find out something's wrong when a user (you) notices a service is down. By then, the problem has been...
Act 2 writeup
Mar 2026 Chrome Private Network Access vs Your Homelab Portfolio
The problem: my portfolio at tima.dev, hosted on Netlify (a fully public site), started showing a Chrome prompt: 'Access other devices on your local network.' When I clicked Block, every Ghost blog feature image broke....
Act 2 project
Mar 2026 Job Radar: Automating My Job Search with n8n and Discord
Job Radar is an n8n workflow that runs every 6 hours and posts matching jobs to a Discord channel.
Act 2 writeup
Mar 2026 NPM Died, So I Rebuilt It: Migrating DNS to Cloudflare in the Same Weekend
Nginx Proxy Manager stopped accepting logins. I spent an hour trying to fix it before realizing the whole container was compromised from a bad initial deployment.
Act 2 writeup
Mar 2026 Tailscale Split DNS and AdGuard: Remote Access Without Opening a Single Port
Access every homelab service from anywhere (office, phone, travel) over HTTPS with valid SSL certificates, without exposing a single port on my home router.
Act 2 writeup
Mar 2026 Partition Expansion on a Live Proxmox VM: 3GB to 128GB Without Data Loss
Act 2 writeup
Mar 2026 Wazuh Agent Enrollment Across a Multi-VLAN Homelab
This post documents every failure I hit while enrolling 10 agents across a 3-node Proxmox cluster with 4-VLAN segmentation, and the reusable deployment script that came out of it.
Act 2 writeup
Mar 2026 Grafana OAuth With Authentik: The root_url Gotcha
Act 2 project
Mar 2026 Zero-Trust Identity Platform: Replacing 12 Passwords with One
This post covers how I deployed Authentik as a centralized identity provider for the fleet: the architecture decisions, the integration work, and the debugging that came with it.
Act 2 project
Mar 2026 SIEM Automation Pipeline: From Zero Visibility to Fleet-Wide Detection
How I built a complete security monitoring pipeline across a 3-node Proxmox homelab, from Wazuh agent enrollment to real-time Discord alerts, and the silent HTTP 400 bug that almost killed the whole thing.
Act 2 project
Mar 2026 GPU AI Platform: Building Local Inference on the Alliance Fleet
Running LLM inference and image generation on a homelab GPU node, and everything that went wrong along the way.
Act 2 writeup
Mar 2026 Deploying Fleet-Wide SIEM Across a Proxmox Cluster
Wazuh is an open-source security platform that combines endpoint monitoring, log analysis, vulnerability detection, and regulatory compliance into a single manager-agent architecture.
Act 2 writeup
Mar 2026 NPM and UniFi Firewall Rule Ordering: The Silent Traffic Drop
Act 2 writeup
Mar 2026 Wazuh: When to Stop Fighting and Use the Script
The goal: deploy a full Wazuh SIEM stack (manager, indexer, and dashboard) on a dedicated LXC container in the homelab. Centralized log collection, threat detection, file...
Act 2 writeup
Feb 2026 Diagnosing a Silent Crash With No Logs
Node-A went down on a Sunday morning and left me nothing. No kernel panic. No crash dump. No syslog entries from the window that mattered. The machine was just... off....