Security Lab Portfolio

Tristan Stiller

ECE student at Vanderbilt University building production-grade security infrastructure. Automated threat detection and response pipeline processing live honeypot attacks, with defense-in-depth across 4 VLANs and 38+ containerized services. Publishing a public AI-enriched threat intelligence feed with STIX 2.1 IOCs from live attacks.

  • Daily Honeypot Alerts: 1,300+
  • Detect → Block: <30s
  • Wazuh Agents: 7
  • VLANs (802.1Q): 4
  • Uptime Monitors: 21
  • SR-IOV: 16 Virtual Functions
  • IOC Sessions Indexed: 129K+

Electrical and Computer Engineering at Vanderbilt University, Class of 2027. I design, deploy, and operate production security infrastructure that processes live internet threats around the clock.

Seeking internships in security engineering, infrastructure, and networking. Currently studying for CompTIA Network+, CCNA, and Security+.

  • Security: Wazuh · CrowdSec · Suricata · Greenbone · Cowrie
  • Networking: OPNsense · VLANs · IPv6 · SR-IOV · WireGuard
  • Infrastructure: Proxmox · Docker · LXC · Ansible · Caddy · Cloudflare
  • Automation: N8N · Python · Bash · Grafana · Prometheus

Lab Overview

A bare-metal Proxmox hypervisor running 4 VMs and 10 LXC containers (38 Docker containers) with SR-IOV networking, multi-VLAN segmentation, and a full security stack - processing live internet attacks 24/7.

Network Architecture - Trust Boundaries & Enforced Access Paths

  • Internet: Comcast WAN · IPv4 + IPv6 DHCPv6-PD
  • OPNsense (VM 102): Suricata IPS · WireGuard VPN · NAT · DNS Intercept · Default-deny · All DNS → Technitium
  • LAN: 192.168.1.0/24 · 2601:…:12aa::/64 · Proxmox · Caddy · Wazuh · Docker (37ct) · Technitium · CrowdSec · Authentik SSO · Prometheus · Grafana
  • IoT (VLAN 30): 192.168.30.0/24 · ULA fdc8:…:30::/64 · Home Assistant · Zigbee · Z-Wave · Alexa (Lambda)
  • Guest (VLAN 40): 192.168.40.0/24 · ULA fdc8:…:40::/64 · Internet-only access · Client isolation · No inter-VLAN routing
  • DMZ (VLAN 99): 192.168.99.0/24 · ULA fdc8:…:63::/64 · Cowrie SSH Honeypot · WAN:22 → :2222 · AI deception (llama.cpp)
  • Cloudflare Tunnels: Outbound-only · Zero inbound ports
  • Authentik SSO: Forward auth · 23 services
  • ZeroSSL Wildcard: *.101904.xyz · acme.sh

Custom Engineering

The difference between installing software and building systems. These are components I designed, wrote, and debugged from scratch.

SOAR Pipeline (Wazuh → N8N → CrowdSec → OPNsense)

Custom alert enrichment workflow: Wazuh fires on level 10+ events → N8N enriches with GeoIP → CrowdSec bans for 24h → OPNsense pf table blocks at the firewall. Dual-blocking with automatic expiry sync.

custom-built soar automation

AI-Augmented Honeypot

Local LLM (GPT-OSS 20B via llama.cpp) generates realistic shell responses for unknown commands. Attackers see fake DB credentials, bash history, and system info instead of "command not found."

custom-built llm deception

26 Custom Wazuh Detection Rules

Hand-written rules for Cowrie (100050-100061), Authentik SSO (100100-100108), and Caddy access logs (100200-100204). Static field mapping, JSON decoder integration, evaluation ordering.

custom-built detection-engineering

Daily Security Digest

Automated 8AM briefing via N8N cron: queries Wazuh API for alert counts, top attacker IPs, firewall state table, and CrowdSec ban summary. Posts to Discord with severity-colored embeds.

custom-built workflow

IPv6 DNS Enforcement + Transport Hardening

Full IPv6 DNS interception mirroring the IPv4 posture: pf rdr inet6 on all interfaces forces port 53 → Technitium. KEA DHCPv6 (assisted mode, O-flag) + radvd RDNSS advertise Technitium's ULA IPv6 address. All encrypted DNS transports blocked: DoT (853 TCP), DoQ (8853 UDP), and DoH to 33 known providers on port 443 - Cloudflare and Quad9 explicitly allowed. Persistent patch script repairs kea-dhcp6.conf and radvd.conf after every OPNsense config regeneration.

custom-built ipv6 dns-hardening doh-blocked

Local AI Voice Assistant (ha-voice)

Fully local, offline voice pipeline across 3 ESPHome ESP32-S3 mic satellites. Parakeet TDT 0.6B STT via Wyoming protocol with OpenVINO CPU EP (~160ms inference). FastAPI intent router: sub-50ms for simple commands using fuzzy semantic scoring with gap-ratio disambiguation; LLM compound routing for multi-entity commands. Piper TTS responses. Discord bridge for cross-channel control. All inference on-premises - no cloud STT or TTS.

custom-built llm on-prem-stt esphome openvino

Public Threat Intel Feed (STIX 2.1 + TAXII 2.1)

AI-enriched threat intelligence API (v1.0.0-beta) publishing IOCs from 129K+ live honeypot sessions. Attack data classified by local LLM, mapped to MITRE ATT&CK, served as streaming STIX 2.1 bundles or via a spec-compliant TAXII 2.1 endpoint with cursor pagination. No API key required.

custom-built llm stix-2.1 taxii-2.1 mitre-attack

Docker Crash Watcher

Custom systemd service monitoring Docker container exits. Posts Discord embeds on non-zero exit codes with 10-minute per-container cooldown to prevent alert storms. Ignores graceful stops (SIGTERM).

custom-built monitoring

Automated Vulnerability Scanning Pipeline

Scheduled Greenbone/OpenVAS scans run MWF at 3AM via cron. Auto-starts the CT, runs full network scans across all VLANs, and shuts down after completion to conserve resources. Results feed into Wazuh for correlation with real-time alerts.

custom-built vulnerability-management automation

Design Philosophy

  • Default-deny firewall posture with explicit allow rules per service and VLAN
  • Defense-in-depth - every layer enforces its own security controls independently
  • Centralized telemetry - 7 Wazuh agents correlating firewall, host, and honeypot events
  • Automated response with safety guardrails - CrowdSec bans at the firewall, not the host
  • Separation of vulnerability posture management (Greenbone) and real-time enforcement (Wazuh/CrowdSec)
  • Zero-trust external access - Cloudflare Tunnels + Authentik SSO + Google Auth MFA, zero inbound ports

Detection → Enrichment → Response Pipeline

A fully automated SOAR pipeline that detects attacks on the honeypot, enriches alerts with threat intelligence, and blocks malicious IPs at the firewall - all within 30 seconds, with no human intervention required.

  • Attacker: Public Internet
  • OPNsense NAT: WAN:22 → DMZ
  • Cowrie Honeypot: VLAN 99 (DMZ) + AI
  • Wazuh Agent: JSON Log Ingestion
  • Wazuh Manager: Rule Matching
  • N8N SOAR: Enrichment + Routing
  • CrowdSec: 24h Ban Decision
  • OPNsense pf: WAN Block Rule
  • Threat Intel API: STIX 2.1 + MITRE

Stage 1: Cowrie SSH Honeypot + AI Deception

A medium-interaction SSH honeypot in an isolated DMZ (VLAN 99) with public SSH (WAN port 22) redirected via OPNsense NAT. Captures credential stuffing, shell commands, and malware drops from real attackers.

  • Isolated in DMZ VLAN 99 - no lateral movement to production networks
  • AuthRandom authentication: randomly accepts credentials after 1-3 attempts to maximize session depth
  • Fake SSH banner: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2 - looks like a vulnerable Debian 7 server
  • AI-augmented responses - local llama.cpp (GPT-OSS 20B) generates realistic Ubuntu 20.04 server terminal output, with fake DB credentials, bash history, and crontabs to maximise attacker dwell time
  • Malware downloads captured to disk, monitored by Wazuh FIM with VirusTotal integration

Stage 2: Wazuh SIEM - Detection Engineering

26 custom rules across 3 rule files process JSON logs from Cowrie, Authentik SSO, and Caddy reverse proxy. The native JSON decoder extracts fields; rules use static field tags and ordered evaluation for precise matching.

  • Cowrie rules (100050-100061): connection, login success/fail, commands, file download/upload, brute-force frequency, dangerous commands (wget/curl/reverse shells), cryptominer detection, persistence attempts
  • Authentik rules (100100-100108): auth failures, brute-force (5 in 60s), flow execution, admin API mutations, 401/403 responses, worker task failures
  • Caddy rules (100200-100204): 4xx/5xx errors, 403 blocks (CrowdSec), web scanning detection (10+ 4xx in 30s)
  • Level 10+ alerts automatically trigger the N8N SOAR pipeline
  • Level 12 FIM events (malware artifacts) trigger VirusTotal hash lookup

Stage 3: N8N SOAR - Enrichment & Auto-Block

Three custom N8N workflows process Wazuh alerts in real time, enrich them with threat intelligence, and execute automated response actions.

  • Alert Enrichment + Auto-Block: receives webhook from Wazuh integratord → enriches with ipwho.is GeoIP → categorizes by severity/type → posts color-coded Discord embed → triggers CrowdSec ban
  • CrowdSec Auto-Block: dual-blocks attackers - CrowdSec 24h ban + OPNsense n8n_blocklist pf table (WAN inbound block rule)
  • Daily Security Digest: 8AM cron queries Wazuh API for overnight alert summary, top attacking IPs, pf state table stats → Discord briefing
  • Blocklist sync cron every 2h: reconciles CrowdSec ban list with OPNsense pf tables, removes expired IPs

Stage 4: Public Threat Intel Feed

Attack data from the SOAR pipeline is published as a free, public threat intelligence API. Sessions are classified by a local LLM and mapped to MITRE ATT&CK techniques.

  • 129K+ sessions indexed, 28K+ indicators, 20 VT-enriched malware samples from live attacks
  • Streaming STIX 2.1 - async generator pages DB in batches; no OOM risk. TLP:CLEAR marking, kill chain phases, MITRE ATT&CK relationships
  • TAXII 2.1 endpoint - spec-compliant Envelope format, cursor pagination, added_after incremental sync, X-TAXII-Date-Added-Last header
  • AI classification via GPT-OSS 20B (local llama.cpp) with deterministic rule-based fallback
  • MITRE ATT&CK: T1110 brute force, T1110.004 credential stuffing, malware deployment, cryptominer installation
  • Rate limiting, pagination, filtering by threat level / attack type / time range. Released as v1.0.0-beta
  • Source: github.com/Tristan1019-user/honeypot-threat-intel
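
The cursor pagination and added_after sync listed above, as an added Python sketch rather than the feed's own code: the in-memory store, the function names and the cursor encoding are assumptions, and the indicators are constructed and trimmed to a few fields. Ties on the date-added timestamp are broken by object id, so a page boundary inside a burst neither skips nor repeats objects.

```python
import base64
import json
import uuid


def _key(row):
    # Sort and cursor key: date_added first, object id as tiebreaker.
    return (row[0], row[1]["id"])


def taxii_page(store, limit, added_after=None, cursor=None):
    """store: [(date_added, stix_object)]. Returns (envelope, headers)."""
    limit = max(1, limit)
    rows = sorted(store, key=_key)
    if added_after is not None:
        rows = [r for r in rows if r[0] > added_after]   # strictly after
    if cursor is not None:
        last = tuple(json.loads(base64.urlsafe_b64decode(cursor)))
        rows = [r for r in rows if _key(r) > last]       # resume past the cursor
    page, rest = rows[:limit], rows[limit:]
    envelope = {"more": bool(rest), "objects": [obj for _, obj in page]}
    if rest:
        token = json.dumps(_key(page[-1])).encode()
        envelope["next"] = base64.urlsafe_b64encode(token).decode()  # opaque to clients
    headers = {}
    if page:
        headers = {"X-TAXII-Date-Added-First": page[0][0],
                   "X-TAXII-Date-Added-Last": page[-1][0]}
    return envelope, headers


def sample_store():
    # Constructed indicators (RFC 5737 addresses), trimmed to the fields the
    # example needs. Timestamps share one fixed format, so string comparison
    # orders them correctly. Three objects share one timestamp on purpose.
    added = ["2024-01-01T00:12:00.000000Z", "2024-01-01T00:14:00.000000Z",
             "2024-01-01T00:14:00.000000Z", "2024-01-01T00:14:00.000000Z",
             "2024-01-01T00:20:00.000000Z"]
    ips = ["203.0.113.47", "198.51.100.23", "192.0.2.156",
           "198.51.100.89", "192.0.2.78"]
    return [(ts, {"type": "indicator", "spec_version": "2.1",
                  "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, ip)}",
                  "pattern_type": "stix",
                  "pattern": f"[ipv4-addr:value = '{ip}']"})
            for ts, ip in zip(added, ips)]


def fetch_all(store, limit, added_after=None):
    """Client side: follow `next` until `more` is false; return ids and last header."""
    ids, cursor, last_added = [], None, added_after
    while True:
        env, hdr = taxii_page(store, limit, added_after, cursor)
        ids += [o["id"] for o in env["objects"]]
        last_added = hdr.get("X-TAXII-Date-Added-Last", last_added)
        if not env["more"]:
            return ids, last_added   # last_added seeds the next added_after
        cursor = env["next"]


if __name__ == "__main__":
    print(fetch_all(sample_store(), limit=2))
```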

SOAR Pipeline - Recent Activity

  • 00:14 BLOCKED 198.51.100.23 🇨🇳 Beijing, CN - dual-block: CrowdSec 24h ban + OPNsense pf WAN rule
  • 00:14 ENRICHED 198.51.100.23 - AS4134 China Telecom · ipwho.is GeoIP
  • 00:14 ALERT Rule 100057 - Cowrie: SSH brute-force · 14 attempts in 60s from 198.51.100.23
  • 00:12 BLOCKED 203.0.113.47 🇷🇺 Moscow, RU - dual-block: CrowdSec 24h + OPNsense pf
  • 00:12 ENRICHED 203.0.113.47 - AS12389 Rostelecom · ipwho.is GeoIP
  • 00:11 ALERT Rule 100058 - Cowrie: Reverse-shell attempt · bash -i >& /dev/tcp/...
  • 00:09 MALWARE Rule 100055 - File captured: a3f8d2e1... SHA256 → VirusTotal lookup triggered
  • 00:04 SYNC Blocklist reconciliation complete - 13 active bans · 2 expired IPs purged from OPNsense pf table
  • 00:01 DIGEST Daily security briefing posted to Discord #runner - 1,847 alerts · 23 critical · 7 new bans

Sample data - representative of live pipeline activity

Screenshot: N8N workflow editor - visual SOAR pipeline with webhook triggers, API enrichment, and dual-block execution
Screenshot: Discord #runner - real-time auto-block notifications with GeoIP enrichment and severity-colored embeds

Why I Built It This Way

→ Why block at the firewall, not the host?

CrowdSec and OPNsense pf tables enforce bans at the network perimeter. Host-level blocking (iptables, fail2ban) only protects one service - a firewall rule blocks the attacker from reaching anything, including services that don't have their own IPS.

→ Why dual-block (CrowdSec + OPNsense pf)?

CrowdSec bans expire automatically (24h TTL). OPNsense alias config persists across reboots but pf tables don't auto-populate from aliases. The 2-hour sync cron reconciles both - live pf table for immediate blocking, alias config for reboot persistence.
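
The 2-hour reconciliation described above, reduced to its decision logic in an added Python example (not the lab's sync script). The ban records and pf table contents are constructed, the function names are hypothetical, and it assumes the pf table is owned entirely by this pipeline, so any entry without an active ban is removed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Lab-internal ranges listed on this page; a ban must never land on them.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24", "192.168.30.0/24", "192.168.40.0/24",
    "192.168.99.0/24", "fdc8:7f3a:1e2b::/48")]
BAN_TTL = timedelta(hours=24)


def _addr(text):
    """Parse to a canonical address object, or None if malformed."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def reconcile(bans, pf_entries, now):
    """bans: [(ip_text, banned_at)]; pf_entries: [ip_text]. Returns a plan dict."""
    want, rejected = set(), []
    for ip_text, banned_at in bans:
        addr = _addr(ip_text)
        if addr is None or any(addr in net for net in PROTECTED):
            rejected.append(ip_text)   # guardrail: malformed or lab-internal
        elif now - banned_at < BAN_TTL:
            want.add(addr)             # ban still inside its 24h TTL
    have = {a for a in map(_addr, pf_entries) if a is not None}
    return {
        "add": sorted(str(a) for a in want - have),     # banned, missing from pf
        "remove": sorted(str(a) for a in have - want),  # in pf, ban expired or gone
        "rejected": rejected,
    }


def demo_plan():
    # Constructed state (RFC 5737 / RFC 3849 addresses), not live data.
    now = datetime(2024, 1, 2, 0, 4, tzinfo=timezone.utc)
    bans = [
        ("198.51.100.23", now - timedelta(hours=1, minutes=46)),  # new ban
        ("203.0.113.47", now - timedelta(hours=4, minutes=27)),   # already in pf
        ("192.0.2.156", now - timedelta(hours=25)),               # expired
        ("2001:DB8::1", now - timedelta(hours=2)),                # same host as pf entry
        ("192.168.1.10", now - timedelta(minutes=5)),             # internal: refuse
        ("999.1.1.1", now),                                       # malformed: refuse
    ]
    pf_entries = ["203.0.113.47", "192.0.2.156", "192.0.2.78",
                  "2001:db8:0:0:0:0:0:1"]
    return reconcile(bans, pf_entries, now)


if __name__ == "__main__":
    print(demo_plan())
```

Comparing parsed address objects rather than strings is what keeps the two spellings of the same IPv6 host from producing a spurious add and remove on every run.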

→ Why an AI honeypot?

Standard Cowrie returns "command not found" for ~80% of attacker commands, which is a dead giveaway. The LLM generates plausible Ubuntu 20.04 server output (fake DB credentials, bash history, crontabs), keeping attackers engaged longer and capturing more TTPs. Uses GPT-OSS 20B via llama.cpp locally - no API costs, no data exfiltration.

→ Why custom Wazuh rules instead of default rulesets?

Default Wazuh rules don't understand Cowrie's JSON schema or Authentik's structured logs. Custom rules with decoded_as: json and field-level matching extract attacker IPs, usernames, and commands directly from the JSON, enabling precise alerting and correlation that generic syslog rules can't achieve.
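
To make the field-level matching concrete, here is an added Python emulation of two of the Cowrie rules named on this page (100052 login failed, 100057 brute-force at 10+ failures in 60s) run over constructed Cowrie JSON lines. It is not the lab's Wazuh ruleset; the function names are hypothetical and resetting the window after an alert is this sketch's own choice.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Rule IDs, levels and the 10-in-60s threshold come from this page's rule summary.
LOGIN_FAILED = {"rule": 100052, "level": 6}
BRUTE_FORCE = {"rule": 100057, "level": 10}
THRESHOLD, WINDOW_S, SOAR_MIN_LEVEL = 10, 60, 10


def detect(lines):
    """Run both rules over Cowrie JSON lines; return a list of alert dicts."""
    recent = defaultdict(deque)  # src_ip -> timestamps of recent failed logins
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not JSON: nothing for field-level rules to match
        if not isinstance(ev, dict) or ev.get("eventid") != "cowrie.login.failed":
            continue
        ip, ts = ev.get("src_ip"), ev.get("timestamp")
        if not ip or not ts:
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        alerts.append({**LOGIN_FAILED, "src_ip": ip, "count": 1})
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > WINDOW_S:
            window.popleft()  # drop failures older than the 60 s window
        if len(window) >= THRESHOLD:
            alerts.append({**BRUTE_FORCE, "src_ip": ip, "count": len(window)})
            window.clear()  # sketch's choice: one alert per burst, then recount
    return alerts


def soar_targets(alerts):
    """Source IPs of alerts at the level that triggers the auto-block workflow."""
    return sorted({a["src_ip"] for a in alerts if a["level"] >= SOAR_MIN_LEVEL})


def sample_lines():
    # Constructed Cowrie-style events using RFC 5737 addresses, not captured data.
    def ev(eventid, ip, sec):
        stamp = f"2024-01-01T00:{sec // 60:02d}:{sec % 60:02d}.000000Z"
        return json.dumps({"eventid": eventid, "src_ip": ip, "timestamp": stamp})
    lines = [ev("cowrie.session.connect", "198.51.100.23", 0), "not json at all"]
    lines += [ev("cowrie.login.failed", "198.51.100.23", 4 * i) for i in range(12)]
    lines += [ev("cowrie.login.failed", "203.0.113.47", 40 * i) for i in range(3)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        if alert["level"] >= SOAR_MIN_LEVEL:
            print(alert)
```

The slow source (three failures spread over 80 seconds) stays below the threshold and only produces level 6 alerts, which is the case a plain failure counter without a time window would get wrong.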

Security Architecture

A layered security stack with 7 Wazuh agents across 4 VLANs, automated threat response, and continuous vulnerability assessment.

OPNsense Firewall

Stateful firewall with Suricata IPS (ET-Pro rules, netmap mode on WAN), multi-VLAN routing, NAT, and DNS interception. Acts as the network's root of trust.

firewall IDS/IPS suricata

Wazuh SIEM

Centralized SIEM with 7 active agents on Proxmox, Docker, Caddy, OPNsense, Cowrie, Zenbook, and workstation. 26 custom rules, FIM, and VirusTotal integration.

siem detection 7-agents

Cowrie Honeypot + AI

SSH honeypot in DMZ VLAN 99 with AI-generated responses via local llama.cpp LLM. Captures credentials, commands, and malware from real attackers daily.

honeypot llm dmz

CrowdSec IPS

Collaborative behavioral IPS. Receives ban decisions from N8N SOAR pipeline and enforces at the OPNsense firewall. 24h TTL with automatic expiry.

ips automation threat-intel

Greenbone Vulnerability Scanner

OpenVAS in a Kali LXC with RAM-constrained sequential scanning (max_hosts=1, max_checks=3). Automated 3x/week via cron - Monday (core infra), Wednesday (Docker), Friday (all LXCs). Results posted to Discord. CT auto-starts for scan, stops after.

vuln-scan openvas sequential-scan

Authentik SSO + Cloudflare Access

Domain-level forward auth across 23 services. Cloudflare Access gates external apps with Google MFA; Authentik provides OIDC SSO for all internal services via Caddy.

sso zero-trust mfa

Wazuh SIEM - 24h Overview

  • Total Alerts: 1,847
  • Level 10+: 23
  • Agents Active: 7 / 7
  • Custom Rules: 26

Rule | Description | Hits | Level
100052 | Cowrie: SSH login failed | 847 | 6
100057 | Cowrie: SSH brute-force - 10+ in 60s | 312 | 10
100054 | Cowrie: Attacker ran command | 234 | 8
100204 | Caddy: Web scan - rapid 4xx errors | 41 | 9
100058 | Cowrie: Payload / reverse-shell | 18 | 12
100055 | Cowrie: Malware download captured | 7 | 12

Agents: proxmox · docker · caddy · opnsense · cowrie · workstation · zenbook

CrowdSec - Active Decisions

  • Active Bans: 13
  • Blocked (30d): 338
  • Enforcement Points: 2

IP | Origin | Remaining | Reason | Via
198.51.100.23 | 🇨🇳 CN | 22h 14m | ssh-brute-force | Wazuh SOAR
203.0.113.47 | 🇷🇺 RU | 19h 33m | ssh-brute-force | Wazuh SOAR
192.0.2.156 | 🇻🇳 VN | 16h 08m | malware-download | Wazuh SOAR
198.51.100.89 | 🇰🇷 KR | 14h 51m | ssh-brute-force | Wazuh SOAR
203.0.113.201 | 🇺🇸 US | 11h 22m | http-web-scan | Caddy Bouncer
192.0.2.78 | 🇧🇷 BR | 8h 45m | ssh-brute-force | Wazuh SOAR
198.51.100.112 | 🇮🇳 IN | 5h 19m | cryptominer-deploy | Wazuh SOAR

IPs are RFC 5737 documentation addresses - representative sample

Screenshot: Wazuh GeoIP - geographic distribution of attack origins targeting the honeypot
Screenshot: OPNsense firewall rules - default-deny posture with explicit per-VLAN allow rules and DNS interception
Screenshot: CrowdSec Security Engine - scenario metrics, alert history, and bouncer enrollment
Screenshot: Greenbone - vulnerability scan results with CVE severity
Screenshot: Suricata - IDS/IPS alerts from OPNsense WAN interface

Access Control Stack

Multi-layer identity and access management with zero-trust principles. No inbound firewall ports - all external access via Cloudflare Tunnels.

  • Cloudflare Access enforces Google account allowlisting before any app is reachable
  • Authentik SSO provides domain-level forward auth for 23 internal services via Caddy reverse proxy
  • OIDC/SAML with embedded outpost - outpost passthrough handles OAuth callbacks without redirect loops
  • Vaultwarden for credential management (self-hosted Bitwarden with its own 2FA)
  • SSO exclusions for services with native auth: Jellyfin (API key), Vaultwarden (own 2FA), Home Assistant

Scheduled vulnerability scan flow (Greenbone/OpenVAS):

  • Scheduled Cron: MWF 3AM CST
  • CT 111 Auto-Start: Greenbone/OpenVAS
  • Scan Targets: Mon: Core · Wed: Docker · Fri: All LXCs
  • CVE Results: CVSS severity scoring
  • Discord #runner: Findings embed
  • CT 111 Auto-Stop: RAM reclaimed

Advanced Networking

Enterprise-grade networking with SR-IOV, multi-VLAN segmentation, IPv6 dual-stack, hardened DNS, and zero-exposure external access.

SR-IOV - Mellanox ConnectX-5

16 Virtual Functions on a ConnectX-5 dual-port 25GbE NIC, each assigned directly to VMs and containers for near-native network I/O with hardware-level traffic isolation.

  • Each VM/LXC gets a dedicated SR-IOV VF - bypasses the host network stack entirely
  • VF-level VLAN tagging enforced at the PF for DMZ isolation (VLAN 99)
  • Trust and spoofcheck configured per-VF via Proxmox hookscripts for persistence across reboots
  • PCIe passthrough for OPNsense (full NIC control) and Unraid (SATA controller)

IPv6 Dual-Stack + DNS Enforcement

Full IPv6 deployment with ULA addressing for VLANs and a complete DNS enforcement posture that mirrors IPv4 - both transports equally hardened.

  • VLANs use ULA fdc8:7f3a:1e2b::/48; SLAAC via radvd (M=0, O=1 assisted mode) with RDNSS advertising Technitium's IPv6 address
  • KEA DHCPv6 responds to INFORMATION-REQUEST with DNS options (stateless DHCPv6 - addresses from SLAAC, DNS from DHCPv6)
  • OPNsense pf rdr inet6 intercepts all IPv6 port 53 traffic on every VLAN → Technitium fdc8:7f3a:1e2b:1::2
  • DoT (853 TCP), DoQ (8853 UDP) blocked on all LAN interfaces. DoH blocked to 33 known providers via firewall alias; Cloudflare and Quad9 explicitly permitted
  • Persistent patch script repairs radvd.conf and kea-dhcp6.conf after every OPNsense config regeneration (runs every 10 min via cron)
  • avahi-daemon on OPNsense bridges mDNS across LAN, VLAN 30, VLAN 40, and workstation for AirPlay, HomeKit, and Spotify Connect discovery

4 VLAN Segmentation

Production (default), IoT (VLAN 30), Guest (VLAN 40), DMZ (VLAN 99). Inter-VLAN routing only through OPNsense with explicit per-service allow rules. Default-deny between all zones.

802.1Q isolation default-deny

Technitium DNS - Hardened (IPv4 + IPv6)

Self-hosted recursive DNS with Cloudflare and Quad9 DoH upstreams. OPNsense intercepts ALL DNS (port 53) on both IPv4 and IPv6 via pf rdr rules - clients cannot bypass it. DoT (853), DoQ (8853), and DoH to 33 known providers explicitly blocked. mDNS reflected across VLANs via avahi for AirPlay and HomeKit discovery.

dns-hardening ipv4+ipv6 dot-doq-blocked mdns-reflector

Cloudflare Tunnels + Caddy

Outbound-only tunnels replace port forwarding. Caddy reverse proxy with ZeroSSL wildcard cert (*.101904.xyz) routes to all internal services. Zero inbound firewall exposure.

zero-exposure wildcard-tls zerossl

WireGuard VPN (OPNsense)

Site-to-site and remote-access VPN terminated directly on OPNsense. Firewall rules enforce the same VLAN segmentation and default-deny posture for VPN clients as local traffic - no split-tunnel bypass.

wireguard vpn firewall-integrated

UniFi Enterprise Wireless

Managed access points with SSID-to-VLAN mapping, client isolation, and centralized controller for configuration and monitoring.

enterprise-wifi vlan-mapping managed

Screenshot: OPNsense - firewall dashboard with interface traffic and state table
Screenshot: Technitium DNS - query analytics and blocked domains
Screenshot: UniFi - wireless network topology and client overview

Automation, IaC & Monitoring

Infrastructure-as-code, workflow orchestration, automated monitoring, and Git-backed configuration management.

Ansible - Infrastructure as Code

Configuration management playbooks for LXC containers and host-level settings. Package installation, service configuration, and security baselines - all version-controlled.

iac automation idempotent

N8N - SOAR Workflows

3 active SOAR workflows: Alert Enrichment + Auto-Block, CrowdSec Dual-Block, and Daily Security Digest. Webhook-triggered by Wazuh integratord for real-time response.

soar workflows webhooks

Prometheus + Grafana + Exportarr

Time-series monitoring with Prometheus scraping node-exporter (host metrics) and Exportarr (Sonarr/Radarr/Prowlarr). Grafana dashboards for resource utilization and service health.

prometheus grafana node-exporter

Uptime Kuma

21 monitors covering every service endpoint. HTTP/HTTPS checks, TCP port probes, and DNS resolution tests with alerting on degradation.

uptime 21-monitors alerting

Git Config Backup

Private GitHub repo backing up all critical configs: Caddyfile, Wazuh rules/decoders, OPNsense config.xml, compose files, Cowrie plugins. Weekly automated push via cron.

git backup weekly-cron

Database Layer

PostgreSQL (Authentik, Wiki.js), MariaDB (media apps), Redis (caching), SQLite (N8N, Uptime Kuma). Each workload uses the appropriate data store.

postgresql mariadb redis

Screenshot: Grafana - host resource utilization, container metrics, and service health via Prometheus + Exportarr
Screenshot: Uptime Kuma - 21 service monitors with heartbeat tracking and response time graphs

Infrastructure

Bare-metal Proxmox VE hypervisor with PCIe passthrough, SR-IOV networking, GPU acceleration, and ordered boot sequencing.

Proxmox VE - Single-Node Hypervisor

Intel i9-13900KF bare-metal running 4 QEMU/KVM VMs and 10 LXC containers with UEFI boot, PCIe passthrough, and deterministic startup ordering.

  • Boot order: Cowrie → OPNsense → DNS → Cloudflared → CrowdSec (15s buffer) → Caddy → Docker → UniFi → Wazuh → Home Assistant → Uptime Kuma → Ansible → Unraid
  • GPU passthrough: Intel ARC A380 to Docker LXC for hardware-accelerated transcoding
  • SR-IOV: 16 VFs on ConnectX-5, each assigned to a VM/LXC - no software bridge
  • USB passthrough for Zigbee/Z-Wave controllers to Home Assistant
  • All VMs/CTs set to onboot: 1 - full lab recovers unattended after power loss

Unraid NAS

Network-attached storage VM with parity-protected array. NFS/SMB exports mounted into Docker LXC for media and compute workloads. SATA controller passed through via PCIe.

nas pcie-passthrough nfs

Docker LXC - 38 Containers

Privileged LXC with 16 cores, 24GB RAM, GPU passthrough, and Unraid NFS mounts. Runs 38 containers including all media, monitoring, SSO, threat intelligence, and automation stacks.

38-containers gpu privileged

NVIDIA BlueField-2 DPU

Data Processing Unit for hardware-accelerated networking experimentation. SmartNIC capabilities with OVS offload and isolated management plane. Currently in standalone testing - integration planned alongside SR-IOV.

dpu smartnic experimental

Mellanox ConnectX-5

Dual-port 25GbE NIC with 16 SR-IOV Virtual Functions. Each VF assigned to a VM/LXC for line-rate networking without software bridge overhead.

25gbe sr-iov 16-vfs

Home Assistant + Local AI Voice + Alexa

Smart home automation with a fully local AI voice pipeline: 3 ESPHome ESP32-S3 satellites → wyoming-parakeet STT (OpenVINO, ~160ms) → custom intent router → HA actions in <50ms. Custom AWS Lambda skill for Alexa hybrid cloud/edge fallback. No cloud dependency for voice.

iot on-prem-voice aws-lambda esphome

Utilities

IT Tools, CyberChef, Stirling PDF, Wiki.js, Adminer, Notifiarr - operational tools for day-to-day administration and incident investigation.

cyberchef wiki tooling

Screenshot: Proxmox VE - hypervisor dashboard with VM/LXC resource allocation