Node-C: The Gozanti Cruiser, The Security Sentinel

Category: Networking / Security / Edge Computing


Post 005 covered the node that holds the data. This final post covers the node that watches over all of it.

The Gozanti Cruiser (OptiPlex 7050) is the fleet's security baseline. Small but mighty, its primary function is interdiction and network control. If the Gozanti goes down, the security perimeter collapses. So it's built to stay up.

While the Millennium Falcon runs AI inference and the CR90 Corvette manages data and operations, the Gozanti's job is to keep security monitoring, DNS filtering, and availability tracking online regardless of what happens to the rest of the cluster.


1. Core Specs

Component   Spec
Chassis     Dell OptiPlex 7050 SFF
Processor   Intel i7-7700 (quad-core, stable, low-latency)
Memory      32GB DDR4
Storage     512GB NVMe (boot/OS) + 1TB SATA SSD (backup & log repository)

Dual-NIC Hardware Mod

To extend networking capability, I added a second NIC:

  • Onboard: Intel i219-LM (1GbE)
  • Expansion: Realtek RTL8125 2.5GbE, installed in the M.2 2230 A+E Key slot (traditionally for WiFi cards)

This mod gives an SFF desktop multi-gigabit connectivity. When the node previously hosted OPNsense, the 2.5GbE NIC was passed directly to the OPNsense VM for bare-metal packet processing.


2. The OPNsense Migration

In earlier iterations, Node-C ran OPNsense as a dedicated firewall VM with hardware NIC passthrough.

But persistent issues with the ISP modem releasing IP addresses caused reliability problems. A gateway that intermittently drops the connection defeats the purpose.

I consolidated to the UniFi Dream Machine as the single gateway/firewall. IP lease instability gone.


3. Workload Distribution: The Security Perimeter

Service               Purpose
Wazuh SIEM/XDR        Log aggregation, file integrity monitoring, threat detection, rule-based alerting across the fleet. Alerts forwarded to n8n on Node-B for Discord notifications via Admiral Ackbar.
AdGuard Home          DNS interceptor. Blocks tracking, ads, and malware domains at the network level.
Nginx Proxy Manager   TLS termination and reverse proxy in the DMZ (VLAN 40). All external requests pass through the Authentik-ChainCode SSO challenge before reaching backend services.
Uptime Kuma           Real-time service availability monitoring. If a service goes down, the fleet knows.

Why Wazuh lives here: The SIEM needs independence from the data tier. If Node-B requires maintenance, security monitoring can't go dark. Placing Wazuh on the same node as DNS filtering and the reverse proxy means security analysis happens closest to the attack surface.


4. Traffic Flow

How an external request moves through the stack:

Internet
  │
  ▼
UniFi Dream Machine (firewall, threat management, inter-VLAN routing)
  │
  ▼
VLAN 40 ─── Nginx Proxy Manager (TLS termination, rate limiting)
  │
  ▼
VLAN 20 ─── Authentik-ChainCode (SSO challenge — MFA, policy evaluation)
  │
  ▼
VLAN 20 ─── Backend Service (Grafana, n8n, OpenWebUI, etc.)
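Here is what that chain looks like as an nginx configuration. This is an added example, not the fleet's actual Nginx Proxy Manager config: it assumes Authentik's forward-auth (`auth_request`) integration with the embedded outpost, and every hostname, certificate path and backend address in it is a placeholder. In NPM the `limit_req_zone` line has to live in the http context (a custom http-level include), while everything inside `server` goes into the proxy host's Advanced custom configuration.

```nginx
# --- http context (NPM: http-level custom include) ---
# One token bucket per client IP: 10 req/s sustained; bursts handled below.
# limit_req runs in the preaccess phase, so a flood is answered with 429
# before the auth subrequest is ever sent to Authentik.
limit_req_zone $binary_remote_addr zone=ingress:10m rate=10r/s;
limit_req_status 429;

server {
    listen 443 ssl http2;
    server_name grafana.example.internal;   # placeholder hostname

    # TLS terminates here (VLAN 40); the backend on VLAN 20 only sees plain HTTP.
    ssl_certificate     /etc/letsencrypt/live/grafana.example.internal/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/grafana.example.internal/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The auth subrequest returns large headers; avoid "upstream sent too big header".
    proxy_buffers     8 16k;
    proxy_buffer_size 32k;

    location / {
        limit_req zone=ingress burst=20 nodelay;

        # Every request is checked against the Authentik outpost first.
        # 2xx -> continue to proxy_pass; 401 -> redirect into the SSO flow below.
        auth_request     /outpost.goauthentik.io/auth/nginx;
        error_page       401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;

        # Hand the authenticated identity to the backend as headers.
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email    $upstream_http_x_authentik_email;
        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups   $authentik_groups;
        proxy_set_header X-authentik-email    $authentik_email;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_pass http://backend.vlan20.placeholder:3000;   # placeholder: Grafana on VLAN 20
    }

    # The outpost endpoints must be reachable without authentication,
    # otherwise the auth subrequest would itself require auth.
    location /outpost.goauthentik.io {
        proxy_pass              http://authentik.vlan20.placeholder:9000/outpost.goauthentik.io;  # placeholder: embedded outpost
        proxy_set_header        Host $host;
        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        add_header              Set-Cookie $auth_cookie;
        auth_request_set        $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
    }

    # Unauthenticated: send the browser to Authentik, preserving the requested URL.
    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
    }
}
```

Two things worth checking once this is in place: the backend should only trust the `X-authentik-*` headers when they arrive from the proxy's address (the VLAN 20 firewall rules on the page are what enforce that), and `curl -sI` against the hostname without a session cookie should return a 302 to `/outpost.goauthentik.io/start`, never the backend's own login page.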

5. Remote Access: Tailscale

┌─────────────────────────────────────────────────────────────┐
│                    TAILSCALE OVERLAY                        │
├─────────────────────────────────────────────────────────────┤
│  100.x.x.10 ──► Node-A (Millennium Falcon)                  │
│  100.x.x.11 ──► Node-B (CR90 Corvette)                      │
│  100.x.x.12 ──► Node-C (Gozanti Cruiser) ◄─ Subnet Router   │
│  100.x.x.20 ──► Selected VMs/Containers                     │
└─────────────────────────────────────────────────────────────┘

The Gozanti advertises the management subnet to authorized Tailscale clients. Remote devices on the tailnet reach infrastructure without any ports exposed to the public internet.

I chose Tailscale over raw WireGuard because WireGuard requires a publicly reachable endpoint, manual key distribution, and peer management. Tailscale handles NAT traversal, key rotation, and ACLs through a control plane. For a solo operator, a managed control plane that reduces complexity is the right call.

The management stations, Independence (home desktop), Lady Luck (Dell Pro 14 Plus), and The Ghost (Dell Latitude 7350), all access the fleet through this overlay.


6. Defense in Depth: The Full Security Stack

Across the fleet, security is layered. No single failure compromises the environment:

Layer 1  — PERIMETER:    UniFi Dream Machine (firewall + threat management)
Layer 2  — NETWORK:      VLAN segmentation + inter-VLAN firewall rules
Layer 3  — ACCESS:       Tailscale zero-trust overlay (no exposed ports)
Layer 4  — IDENTITY:     Authentik-ChainCode + MFA (TOTP/WebAuthn)
Layer 5  — INGRESS:      Nginx Proxy Manager (TLS termination, rate limiting)
Layer 6  — DNS:          AdGuard (ad/tracker/malware domain blocking)
Layer 7  — SECRETS:      Vaultwarden (self-hosted Bitwarden)
Layer 8  — DETECTION:    Wazuh SIEM/XDR (log aggregation, threat detection, FIM)
Layer 9  — ALERTING:     n8n → Admiral Ackbar (Discord notifications)
Layer 10 — MONITORING:   Telegraf → InfluxDB → Grafana + Uptime Kuma

If Authentik goes down, firewall and VLAN rules still isolate services. If a threat bypasses the DMZ, Wazuh detects the activity and Admiral Ackbar alerts immediately. Each layer is independently valuable and collectively resilient.


7. Separation of Concerns

Dedicating the Gozanti to security and network services means:

Maintenance is modular. Reboot the Falcon for a kernel parameter change or take the Corvette offline for a ZFS scrub without dropping security monitoring.

Security is hardened. The SIEM has its own hardware resources. AI inference or database queries on other nodes can't slow down threat detection.

Detection is always on. SIEM, DNS filtering, and availability monitoring form a baseline that survives any single-node failure. It's the same architectural pattern used in enterprise SOC environments.


Series Wrap-Up

That's the Alliance Fleet. Three nodes, 25+ services, four VLANs, ten security layers, and one incident that tested the entire design.

From Post 001 through here, the series covered the philosophy, the architecture, the service inventory, the observability pipeline, and each node in detail. Every post stands alone, but together they tell the story of how enterprise IT principles translate into infrastructure you build and operate yourself.

The fleet is a living system. Infrastructure is never finished. The homelab-infrastructure repo tracks what's in progress: UDM automated response, Grafana dashboard buildout, Proxmox Backup Server, Terraform provisioning, and more.

The Holocron is open. Transmissions will continue.