This repository documents the infrastructure supporting a fictional organization called Tosh Systems.
The objective is to replicate enterprise IT environments using Microsoft 365 cloud services, virtualization, containerization, networking, automation, and security — built and documented as if supporting a real organization.
This repository contains sanitized documentation and example configurations of my homelab environment.
- No real credentials, API keys, or secrets are included
- All domains, IP addresses, and identifiers are redacted or replaced with placeholders
- Configuration files are provided as examples only
This project is intended to demonstrate architecture, security practices, and system design, not expose a live environment.
- UGREEN DXP4800 Plus (Intel Pentium Gold 8505, 8GB DDR5)
- Crucial P310 500GB NVMe (hypervisor boot drive)
- 4x HDD bays (expanding for storage + redundancy)
- Hypervisor: Proxmox VE
- Identity & Cloud: Microsoft 365 / Entra ID, Intune (planned)
- Containers: Docker + Docker Compose
- Networking: Tailscale (secure remote access)
- Monitoring: Grafana + Uptime Kuma
- Media Server: Jellyfin
- Web Access: Nginx Proxy Manager (reverse proxy + SSL)
- DNS: Pi-hole (internal DNS) & Cloudflare (external DNS + domain)
Diagrams are redacted to remove sensitive network details. See docs/architecture/ for full documentation.
| Service | Purpose | Status |
|---|---|---|
| Microsoft Entra ID | Cloud identity + access | Planned |
| Microsoft Intune | Endpoint management | Planned |
| Exchange Online | Cloud email | Planned |
| Proxmox VE | Hypervisor | Planned |
| Tailscale | Zero trust VPN | Planned |
| Jellyfin | Media server | Planned |
| Nginx Proxy Manager | Reverse proxy + SSL | Planned |
| Pi-hole | Internal DNS + Ad blocking | Planned |
| Cloudflare | External DNS + Domain | Planned |
| Docker | Container runtime | Planned |
| Grafana | Monitoring dashboard | Planned |
| Uptime Kuma | Service uptime monitoring | Planned |
| Layer | Implementation |
|---|---|
| Identity | Entra ID + Conditional Access + MFA |
| Access Gateway | Cloudflare Access (Entra-integrated SSO for self-hosted apps) |
| Network | Tailscale zero trust mesh |
| Proxy | Nginx Proxy Manager access lists |
| Application | Per-service authentication |
| Secrets | .env files, never committed |
| DNS | Pi-hole internal, Cloudflare external |
See docs/security/ for full details.
| Study | Description | Status |
|---|---|---|
| Entra ID Identity Design | Tenant setup, users, groups, roles, naming conventions | Planned |
| Intune Endpoint Management | Device enrollment, compliance, configuration profiles | Planned |
| Conditional Access | Zero trust access policies + MFA enforcement | Planned |
| Microsoft 365 DNS | Domain verification, Exchange, SPF/DKIM/DMARC via Cloudflare | Planned |
| Proxmox Setup | Hypervisor install + VM architecture | Completed |
| Tailscale Access | Zero trust remote access implementation | Ongoing |
| Reverse Proxy | Nginx Proxy Manager + SSL setup | Planned |
| DNS Architecture | Pi-hole + Cloudflare split DNS | Planned |
| Monitoring Stack | Grafana + Uptime Kuma deployment | Planned |
| Jellyfin | Media server behind reverse proxy | Planned |
| Authentication | Multi-layer auth implementation | Planned |
| Automation | Alerting and script automation | Planned |
| Backups | Proxmox Backup Server setup | Planned |