Vik Upadhyay - Automation and Cybersecurity Portfolio

About Me

I'm Vik, an IT Service Desk Advisor at Trust Systems, an MSP based in Cirencester. My work spans frontline support, infrastructure troubleshooting, and the networking layers underneath, covering systems, connectivity, and device administration. Much of that work comes down to structured troubleshooting, accurate incident ticketing, and knowing when an issue needs to be escalated cleanly. In my own time, I build small automation tools to reduce routine admin work and make repeat fixes easier to apply.

Current Role IT Service Desk Advisor at Trust Systems

CompTIA Certified PenTest+, Security+, Network+, A+

Chemistry Graduate I graduated in Chemistry from the University of Warwick in 2024 and worked as an Analytical Chemist at Campden BRI. After five months, I decided to transition into IT, where my skills and approach were a better fit.

Experience Snapshot

My work covers user support, infrastructure platforms, and the network paths that connect them. The common thread is structured troubleshooting, accurate incident ticketing, and steady escalation when an issue needs to move on.

Automation Workflow

In my own time, I build small workflows for repetitive admin tasks so the output is clearer, the steps are easier to repeat, and routine fixes are less dependent on memory.

PowerShell

A compact Windows recovery sequence that groups cache cleanup, integrity checks, image repair, disk checks, and Explorer restart into one repeatable support pass.

# Cached thumbnail reset & DISM/SFC checks
Get-ChildItem "$env:userprofile\AppData\Local\Microsoft\Windows\Explorer" -Filter "thumbcache_*" | Remove-Item -Force
sfc /scannow
dism /online /cleanup-image /restorehealth
chkdsk C: /f /r
Stop-Process -Name explorer -Force; Start-Process explorer.exe

Linux

system-refresh brings Debian and Ubuntu maintenance into one logged command, wrapping package repair, service health, journal review, trim operations, Docker checks, and a final summary into one repeatable pass.

#!/usr/bin/env bash
# system-refresh (Debian/Ubuntu + systemd)
set -u
set -o pipefail

LOG_DIR="/var/log/system-refresh"
TS="$(date +%Y%m%d-%H%M%S)"
LOG_FILE="$LOG_DIR/system-refresh-$TS.log"

: "${ENABLE_UPGRADE:=1}"
: "${ENABLE_DOCKER_CHECK:=1}"
: "${ENABLE_SMART_CHECK:=0}"

run_step() {
  local name="$1"; shift
  echo; echo "===== $name ====="
  "$@" || true
}

run_step "APT: update" apt-get update
run_step "DPKG: configure pending" bash -c 'dpkg --configure -a || true'
run_step "APT: upgrade" apt-get upgrade -y
run_step "Disk: fstrim -av" fstrim -av
run_step "Docker: disk usage" docker system df

echo; echo "Log saved to: $LOG_FILE"

CLI output control

A small shell detail I use in personal workflows is output redirection, depending on whether I want live terminal output or a silent run that relies on the script log.

Without redirection sudo system-refresh

Dumps service checks, package activity, Docker status, and the final summary to the terminal while still writing the log file.

With redirection sudo system-refresh >/dev/null 2>&1

Runs silently by discarding standard output and standard error. The command still runs, and the script log is still written separately.

Practical shell patterns

The same approach carries across other day-to-day admin tasks: decide whether the goal is visibility, logging, filtering, or quick triage, then shape the command around that.

Live output and log copy sudo system-refresh | tee refresh.log

Shows the command output in the terminal while writing a copy to a local log file for review afterwards.

Journal filtering journalctl -p warning..alert --since "24 hours ago"

Filters the journal to higher-severity entries when I need a shorter view of recent warnings and errors.

Quick incident triage systemctl --failed && docker ps --format "table {{.Names}}\t{{.Status}}"

Gives a fast first pass on failed services and container state before moving into deeper troubleshooting.

Network reconnaissance

Enumerate hosts on the network with Nmap.

for ip in $(seq 1 254); do
  open_ports=$(nmap -p 1-65535 --open -T4 192.168.0.$ip | awk '/^[0-9]+\\/tcp[[:space:]]+open/ {print $1}' | cut -d/ -f1)
  for port in $open_ports; do
    nc -vz 192.168.0.$ip $port
  done
done

Web Recon with Zed Attack Proxy

Use OWASP ZAP on Kali Linux to spider a public target and export the in-scope URLs it discovers.

How ZAP works Spider via local API

ZAP runs locally, crawls the target subtree, and exposes scan progress and discovered URLs through its API.

What ZAPscan.sh does ./ZAPscan.sh https://example.com

The script checks the API, starts the spider, waits for completion, and writes the collected URLs to a deduplicated text file.

Script excerpt

#!/usr/bin/env bash
set -euo pipefail

TARGET_URL="${1:-${TARGET_URL:-}}"
ZAP_BASE_URL="${ZAP_BASE_URL:-http://127.0.0.1:8080}"
OUTPUT_FILE="${OUTPUT_FILE:-./zap-urls.txt}"
ZAP_API_KEY="${ZAP_API_KEY:-}"

echo "Checking ZAP API at $ZAP_BASE_URL ..."
curl -fsS "$(api_url '/JSON/core/view/version/?')" >/dev/null || {
  echo "Could not reach the ZAP API at $ZAP_BASE_URL." >&2
  exit 1
}

View full ZAPscan.sh Expand script

#!/usr/bin/env bash
set -euo pipefail

# Discover URLs within an authorised target using the OWASP ZAP spider API.
#
# Usage:
#   ./ZAPscan.sh https://example.com
#
# Optional environment variables:
#   TARGET_URL    Target URL if no positional argument is supplied
#   ZAP_BASE_URL  ZAP API base URL (default: http://127.0.0.1:8080)
#   ZAP_API_KEY   ZAP API key, if enabled
#   OUTPUT_FILE   Output file path (default: ./zap-urls.txt)

TARGET_URL="${1:-${TARGET_URL:-}}"
ZAP_BASE_URL="${ZAP_BASE_URL:-http://127.0.0.1:8080}"
OUTPUT_FILE="${OUTPUT_FILE:-./zap-urls.txt}"
ZAP_API_KEY="${ZAP_API_KEY:-}"

usage() {
  cat <<'EOF' >&2
Usage: ./ZAPscan.sh https://example.com

Runs an OWASP ZAP spider against the supplied target and writes a sorted,
deduplicated list of discovered URLs to OUTPUT_FILE.
EOF
  exit 1
}

if [[ -z "$TARGET_URL" ]]; then
  usage
fi

api_url() {
  local path="$1"
  if [[ -n "$ZAP_API_KEY" ]]; then
    printf "%s%s&apikey=%s" "$ZAP_BASE_URL" "$path" "$ZAP_API_KEY"
  else
    printf "%s%s" "$ZAP_BASE_URL" "$path"
  fi
}

json_value() {
  local key="$1"
  python3 -c 'import json,sys; print(json.load(sys.stdin)[sys.argv[1]])' "$key"
}

urlencode() {
  python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$1"
}

echo "Checking ZAP API at $ZAP_BASE_URL ..."
curl -fsS "$(api_url '/JSON/core/view/version/?')" >/dev/null || {
  echo "Could not reach the ZAP API at $ZAP_BASE_URL." >&2
  echo "Start ZAP in desktop or daemon mode and confirm the API is listening." >&2
  exit 1
}

ENCODED_TARGET="$(urlencode "$TARGET_URL")"

echo "Starting spider for $TARGET_URL ..."
SCAN_ID="$(
  curl -fsS "$(api_url "/JSON/spider/action/scan/?url=${ENCODED_TARGET}&recurse=true&subtreeOnly=true&contextName=&userName=")" |
    json_value scan
)"

echo "Spider scan id: $SCAN_ID"

while true; do
  STATUS="$(
    curl -fsS "$(api_url "/JSON/spider/view/status/?scanId=${SCAN_ID}&")" |
      json_value status
  )"
  echo "Spider progress: ${STATUS}%"
  [[ "$STATUS" == "100" ]] && break
  sleep 2
done

echo "Collecting discovered URLs ..."
RESULTS_RESPONSE="$(curl -fsS "$(api_url "/JSON/core/view/urls/?baseurl=${ENCODED_TARGET}&")")"

python3 - "$OUTPUT_FILE" <<'PY' <<<"$RESULTS_RESPONSE"
import json
import sys

output_file = sys.argv[1]
data = json.load(sys.stdin)
urls = sorted(set(data.get("urls", [])))

with open(output_file, "w", encoding="utf-8") as f:
    for url in urls:
        f.write(url + "\n")

print(f"Wrote {len(urls)} URLs to {output_file}")
PY

echo "Done."

Professional Tooling

Day-to-day exposure across remote support, ticketing, device management, monitoring, and infrastructure platforms.

Technical Breadth

Cross-platform familiarity built through frontline support work and personal VikOps systems.

Networking and Security

I work across network faults from physical and link-layer issues through to routing, path analysis, and enumeration.

VikOps

HomeonTV is the main walkthrough. VikOps covers the backend systems behind the site: automation packages, edge delivery, protected routes, OpenWrt VPN routing, Raspberry Pi services, and validation paths.

Project walkthrough

Technical work behind vikonkeys.com.

This stage covers Apple TV control surfaces, smart-home automation, secure deployment paths, and the engineering decisions behind the build.

01 active scene of 04

01 • Home automation / HomeonTV Apple TV native control paths

HomeonTV adds a control surface to tvOS.

Built from an Xcode project and shaped around the Apple TV remote, the app focuses on room navigation, accessory context, and real-time control.

Swift + tvOS HomeKit accessory routing Authorization-aware states Large-screen UI decisions

HomeonTV dashboard showing the project on a premium Apple TV style interface — HomeonTV dashboard

Remote-first architecture Navigation, focus management, and control depth are designed around tvOS constraints rather than borrowed from phone UI habits.

Accessory intelligence Power, brightness, volume, mute, fan speed, hue, saturation, colour temperature, and camera-related surfaces all feed into the experience.

02 • Apple TV / Smart home integrations Live control surfaces

The control layer is built for rooms, scenes, and live context.

This is where the product thinking shows up: choosing which controls deserve immediacy on screen, how to move between rooms without friction, and how to keep the interface stable while still exposing rich device behaviour.

Room views Responsive control states Hue and brightness flows Readable at distance

HomeonTV light controls with brightness, hue, saturation, and colour temperature adjustments — Accessory controls

HomeonTV room view showing grouped accessories and status context — Room context

Readable motion Surface changes are intentional, not noisy, so the interface still feels calm on a large display.

House-wide reach Homes, rooms, and accessory detail views behave like connected layers rather than isolated screens.

03 • Infrastructure / Cloud / Self-hosting Deployment and automation path

Behind the polished UI is a deployment mindset that cares about speed, control, and secure exposure.

Cloudflare Pages, access controls, Home Assistant automations, webhook actions, and self-hosted services all sit in the same engineering picture. The point is not only to build features, but to make them ship cleanly and operate reliably.

Cloudflare Pages Secure access patterns Webhook orchestration VikOps discipline

Sanitized webhook action panel showing an automation and deployment-oriented workflow — Automation response surface

Operational focus

Builds, route protection, automation triggers, and deployment checks stay part of the workflow instead of becoming afterthoughts once the UI looks finished.

Cross-device automation Pushcut, Home Assistant, REST calls, and personal VikOps systems are used as working systems with a clear operational role.

04 • Engineering mindset / Certifications Problem solving and systems depth

The final layer is how the work gets approached: diagnostics first, documentation second, and polish without losing operational clarity.

That mindset is reinforced by hands-on MSP delivery and certifications that map back to real troubleshooting, networking, security, and endpoint work rather than sitting separately as badges.

CompTIA A+ Network+ Security+ PenTest+

Enterprise support discipline Windows environments, device fleets, monitoring, service-desk triage, and endpoint remediation.

Network and security depth Practical networking, secure access thinking, and stronger instincts around where systems fail under pressure.

Support workflows Secure-by-default habits Diagnostics and escalation Continuous technical growth

Working principle

Investigate signal first. Narrow blast radius. Automate the repeated path. Preserve clarity for the next person touching the system.

Readable handoff Measured rollout Traceable changes

This scene covers a custom control surface for Apple TV, designed around the remote, home structure, and live control states.

tvOS implementation Accessory UX Custom project execution

This scene covers room switching, live status, and control depth arranged for readability on a television display.

Distance-readable UI Home context Responsive controls

This scene ties the interface work back to the systems underneath it: secure service exposure, practical cloud delivery, and real automations that make the environment useful outside a screenshot.

Cloudflare Pages Access control Automation workflow

This scene covers the working approach behind the build: secure defaults, clean diagnostics, maintainable fixes, and documented changes.

MSP delivery Networking and security Operational clarity

HomeonTV publish

HomeonTV

HomeonTV is the Apple TV project shown in the main walkthrough. The published repository is available on GitHub for the app structure, navigation model, and HomeKit-facing implementation.

Swift tvOS HomeKit Published on GitHub

View HomeonTV on GitHub View GitHub Profile

HomeonTV dashboard on Apple TV — Repository: github.com/vikonkeys/homeontv

OpenWrt / NordVPN / per-device routing

Per-device VPN routing on OpenWrt without breaking the main LAN.

This build started as a NordLynx-style OpenWrt question and ended on the supported router path: a Nord manual OpenVPN profile bound to tun0, exposed through an unmanaged interface, then pinned to a single television with policy-based routing and a dedicated VPN firewall zone.

The result was a separate India-bound path for one client while the rest of the network stayed on the normal UK route. TV-side leak checks confirmed the tunnel was handling IPv4 and DNS correctly, and the remaining streaming block was traced to VPN exit-IP reputation rather than a local DNS or IP leak.

OpenWrt snapshot OpenVPN on tun0 Per-device kill-switch DNS and IPv6 checks

Routing model Indiavpn was bound to tun0, a dedicated india table carried the target host, and the TV kept its own path without hijacking the rest of the LAN.

Firewall posture Masquerading and LAN to VPN forwarding were handled in LuCI, with a per-device WAN block used as the kill-switch so the TV could not silently fall back to the normal exit.

Validation outcome Tunnel bring-up, public IP checks, DNS leak tests, and IPv6 checks confirmed the routing path was correct. The remaining streaming issue was provider-IP detection, not a misconfigured tunnel.

Published evidence is sanitized before display. Internal addresses, hostnames, and low-level config details are masked where they are not needed for the story.

Sanitized terminal output showing OpenVPN tunnel creation and successful session initialization on OpenWrt — Sanitized tunnel bring-up

OpenWrt LuCI zone settings showing the dedicated VPN zone for the routed interface — VPN zone settings in LuCI

OpenWrt LuCI firewall zone overview showing LAN, WAN, and VPN forwarding paths — Forwarding and masquerade overview

VikOps script library

Windows and Linux maintenance snippets in one place.

This drawer groups the practical support snippets already used elsewhere on the site into OS-specific sections. The new Windows maintenance block was checked for PowerShell syntax and keeps its destructive scope limited to temp paths and standard maintenance commands.

PowerShell Bash

Windows DISM, SFC, cleanup, inventory

Windows repair pass

The original DISM and SFC recovery block stays here as the shorter integrity-first option when the goal is repair before broader cleanup.

# Cached thumbnail reset & DISM/SFC checks
Get-ChildItem "$env:userprofile\AppData\Local\Microsoft\Windows\Explorer" -Filter "thumbcache_*" | Remove-Item -Force
sfc /scannow
dism /online /cleanup-image /restorehealth
chkdsk C: /f /r
Stop-Process -Name explorer -Force; Start-Process explorer.exe

Windows maintenance pass

Run from an elevated PowerShell session. This pass updates third-party apps, cleans old temp data, trims SSDs, and prints startup and driver inventory without touching user files directly.

$ErrorActionPreference='Stop'

# 1) Update third-party apps
winget source update
winget upgrade --all --include-unknown --accept-source-agreements --accept-package-agreements

# 2) Component store cleanup (safe)
DISM /Online /Cleanup-Image /StartComponentCleanup

# 3) Prune temp files older than 7 days (safe; keeps fresh installers/logs)
$limit=(Get-Date).AddDays(-7)
Get-ChildItem "$env:TEMP","$env:WINDIR\Temp" -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -lt $limit } |
  Remove-Item -Recurse -Force -ErrorAction SilentlyContinue

# 4) SSD/TRIM + consolidate free space
defrag /C /L /O

# 5) Show startup items so you can disable junk in Task Manager
Get-CimInstance Win32_StartupCommand |
  Sort-Object Name |
  Format-Table Name, Command, Location -AutoSize

# 6) Quick driver inventory (spot ancient third-party drivers)
pnputil /enum-drivers | findstr /i "Published Name Driver date Provider Name Class Version"

Linux Refresh, recon, and ZAP snippets

system-refresh

system-refresh wraps package repair, trim operations, Docker checks, and a logged summary into one Debian or Ubuntu maintenance pass.

#!/usr/bin/env bash
# system-refresh (Debian/Ubuntu + systemd)
set -u
set -o pipefail

LOG_DIR="/var/log/system-refresh"
TS="$(date +%Y%m%d-%H%M%S)"
LOG_FILE="$LOG_DIR/system-refresh-$TS.log"

: "${ENABLE_UPGRADE:=1}"
: "${ENABLE_DOCKER_CHECK:=1}"
: "${ENABLE_SMART_CHECK:=0}"

run_step() {
  local name="$1"; shift
  echo; echo "===== $name ====="
  "$@" || true
}

run_step "APT: update" apt-get update
run_step "DPKG: configure pending" bash -c 'dpkg --configure -a || true'
run_step "APT: upgrade" apt-get upgrade -y
run_step "Disk: fstrim -av" fstrim -av
run_step "Docker: disk usage" docker system df

echo; echo "Log saved to: $LOG_FILE"

Network reconnaissance

A simple host and port loop for Nmap plus Netcat, useful when a flat LAN needs a quick first pass before moving into more selective scans.

for ip in $(seq 1 254); do
  open_ports=$(nmap -p 1-65535 --open -T4 192.168.0.$ip | awk '/^[0-9]+\\/tcp[[:space:]]+open/ {print $1}' | cut -d/ -f1)
  for port in $open_ports; do
    nc -vz 192.168.0.$ip $port
  done
done

Web Recon with Zed Attack Proxy

Use OWASP ZAP on Kali Linux to spider an authorised public target and export the in-scope URLs it discovers.

Script excerpt

#!/usr/bin/env bash
set -euo pipefail

TARGET_URL="${1:-${TARGET_URL:-}}"
ZAP_BASE_URL="${ZAP_BASE_URL:-http://127.0.0.1:8080}"
OUTPUT_FILE="${OUTPUT_FILE:-./zap-urls.txt}"
ZAP_API_KEY="${ZAP_API_KEY:-}"

echo "Checking ZAP API at $ZAP_BASE_URL ..."
curl -fsS "$(api_url '/JSON/core/view/version/?')" >/dev/null || {
  echo "Could not reach the ZAP API at $ZAP_BASE_URL." >&2
  exit 1
}

View full ZAPscan.sh Expand script

#!/usr/bin/env bash
set -euo pipefail

# Discover URLs within an authorised target using the OWASP ZAP spider API.
#
# Usage:
#   ./ZAPscan.sh https://example.com
#
# Optional environment variables:
#   TARGET_URL    Target URL if no positional argument is supplied
#   ZAP_BASE_URL  ZAP API base URL (default: http://127.0.0.1:8080)
#   OUTPUT_FILE   Output file path (default: ./zap-urls.txt)
#   ZAP_API_KEY   API key if the local ZAP instance requires one

TARGET_URL="${1:-${TARGET_URL:-}}"
ZAP_BASE_URL="${ZAP_BASE_URL:-http://127.0.0.1:8080}"
OUTPUT_FILE="${OUTPUT_FILE:-./zap-urls.txt}"
ZAP_API_KEY="${ZAP_API_KEY:-}"

if [[ -z "$TARGET_URL" ]]; then
  echo "Usage: $0 https://example.com" >&2
  exit 1
fi

api_url() {
  local path="$1"
  if [[ -n "$ZAP_API_KEY" ]]; then
    printf '%s%sapikey=%s' "$ZAP_BASE_URL" "$path" "$ZAP_API_KEY"
  else
    printf '%s%s' "$ZAP_BASE_URL" "$path"
  fi
}

echo "Checking ZAP API at $ZAP_BASE_URL ..."
curl -fsS "$(api_url '/JSON/core/view/version/?')" >/dev/null || {
  echo "Could not reach the ZAP API at $ZAP_BASE_URL." >&2
  exit 1
}

echo "Starting spider for $TARGET_URL ..."
SCAN_ID=$(curl -fsS "$(api_url "/JSON/spider/action/scan/?url=${TARGET_URL}&recurse=true")" | sed -n 's/.*"scan":"\\([0-9]\\+\\)".*/\\1/p')

if [[ -z "$SCAN_ID" ]]; then
  echo "Could not start the ZAP spider." >&2
  exit 1
fi

while :; do
  STATUS=$(curl -fsS "$(api_url "/JSON/spider/view/status/?scanId=${SCAN_ID}")" | sed -n 's/.*"status":"\\([0-9]\\+\\)".*/\\1/p')
  [[ "$STATUS" == "100" ]] && break
  sleep 2
done

curl -fsS "$(api_url '/JSON/core/view/urls/?')" |
  grep -o 'https\\?://[^"]*' |
  sort -u > "$OUTPUT_FILE"

echo "Saved discovered URLs to $OUTPUT_FILE"

Raspberry Pi systems

Raspberry Pi infrastructure sequence

This sequence covers a Pi 5 baseline, VLAN-aware network segmentation, packet-level DHCP validation, and an ARM64 Active Directory join path linking Linux back into a Windows-centric environment.

Platform Pi 5, Debian 12, NVMe boot, multiple NICs

Focus Segmentation, DHCP services, identity, verification

Source Commands, logs, and validation traces

The base system already looks like infrastructure: Debian bookworm on a Pi 5, NVMe root storage, extra mounted volumes, and enough network interfaces to support routing and segmentation experiments cleanly.

Debian bookworm Pi 5 Model B Samsung NVMe root Layered storage

The Pi was turned into a VLAN-aware bridge with separate logical interfaces, DHCP ranges for multiple networks, forwarding enabled, and nftables handling the egress NAT path. It moved the design into a working routed service layer.

br0.10 and br0.20 dnsmasq scopes nftables masquerade Forwarding enabled

Packet capture confirms that clients on the VLAN-backed segment were completing the DHCP flow through the Pi. It takes the work from configuration into observed behaviour.

tcpdump on br0.10 DHCPOFFER DHCPACK Client lease record

Joining an ARM64 Debian system to Active Directory pulled Linux back into a Windows-centric environment using chrony for Kerberos timing, DNS pointed at the domain controller, and realmd plus SSSD for identity integration.

ARM64 Linux realmd and adcli SSSD Kerberos-safe time sync

System notes

Raspberry Pi VikOps track

01 active scene of 04

01 • Pi 5 VikOps chassis Hardware and operating baseline

Pi 5 became the base system for network and identity work.

The rest of the work depends on a stable, inspectable base. The focus here is clear storage, temperature, interface, and OS visibility before more network complexity is introduced.

System inventory

Linux Pi5 6.12.25+rpt-rpi-2712 #1 SMP PREEMPT Debian
Debian GNU/Linux 12 (bookworm)
Raspberry Pi 5 Model B Rev 1.0
nvme0n1 PM991 NVMe Samsung 512GB
eth0 UP 192.168.0.5/24
eth1 UP 192.168.0.139/24
eth2 UP 192.168.0.86/24
vcgencmd measure_temp -> temp=53.2'C

Boot path NVMe-root setup with extra attached storage for VikOps data and application volumes.

Interface layout Multiple wired interfaces available before VLAN-aware bridging is introduced.

Operational signal Temperature and throttling checks confirm stable hardware behaviour under load.

02 • VLAN and DHCP segmentation Bridge, services, and NAT path

Segmentation was built as a working service layer.

The commands cover the whole chain: bridge membership, VLAN subinterfaces, address assignment, DHCP scopes, NAT, and service enablement.

Service bring-up

sudo bridge vlan add vid 10 dev eth1 pvid untagged
sudo bridge vlan add vid 20 dev eth2 pvid untagged
sudo ip link add link br0 name br0.10 type vlan id 10
sudo ip addr add 192.168.10.1/24 dev br0.10
sudo ip link add link br0 name br0.20 type vlan id 20
sudo ip addr add 192.168.20.1/24 dev br0.20
interface=br0.10
dhcp-range=br0.10,192.168.10.100,192.168.10.200,12h
interface=br0.20
dhcp-range=br0.20,192.168.20.100,192.168.20.200,12h
sudo nft add rule ip nat postrouting oif "eth0" masquerade

Layer 2 to Layer 3 Bridge VLAN membership and routed subinterfaces are both present in the configuration path.

DHCP scopes Independent pools were defined for each VLAN-backed network instead of reusing one flat segment.

Egress control nftables was used to turn the Pi into a viable outbound path instead of a passive test host.

03 • Packet-level verification Trace and validate

The DHCP path was shown in traffic, not only in service status.

The capture shows the full exchange from discovery through ACK, including the Pi offering and assigning the lease on the segmented network.

Packet capture

sudo tcpdump -ni br0.10 -vvv -e 'port 67 or 68'
0.0.0.0.68 > 255.255.255.255.67: DHCP Discover
192.168.10.1.67 > 192.168.10.158.68: DHCP Offer
0.0.0.0.68 > 255.255.255.255.67: DHCP Request
192.168.10.1.67 > 192.168.10.158.68: DHCP ACK
Your-IP 192.168.10.158
Server-ID 192.168.10.1
Hostname: VINAYAK-PC

Observed client A Windows endpoint on the VLAN successfully negotiated a lease through the Pi-managed path.

Verification style tcpdump was used as a direct truth source instead of relying only on UI dashboards or assumptions.

Validation Packet capture shows the configured DHCP path working on the VLAN-backed segment.

04 • Active Directory join on ARM64 Linux Identity bridge

Identity integration brought the Pi into a Windows-centred environment.

It links Linux infrastructure work to the Windows Server and Active Directory experience shown elsewhere on the site.

Join sequence

DEBIAN_FRONTEND=noninteractive apt-get install -y chrony realmd sssd-ad sssd-tools adcli samba-common-bin
sed -i "s/^#?pool .*/pool 192.168.0.22 iburst/" /etc/chrony/chrony.conf
realm discover Vik.Server
realm join --verbose --user=Administrator Vik.Server
pam-auth-update --enable mkhomedir
realm permit --all
kinit -V [email protected]
id "MOU-WLAN\Administrator"

Cross-platform depth Linux administration is being tied back into Active Directory rather than shown as a separate hobby lane.

Kerberos-aware setup Time sync and DNS were explicitly handled before joining, which is the detail that usually breaks rushed AD integrations.

Site context It ties Linux infrastructure work back to the Windows Server and support work shown elsewhere on the site.

Technical backend

Backend systems and service checks

This section covers the Pi, Cloudflare edge, Home Assistant, Scrypted, Homebridge, and related self-hosted services. It shows service checks, configurations, and validation notes.

Evidence Automations, bridge configs, edge checks, and hardening scripts

Style Sanitized snippets, live pulse, and operator-readable summaries

Scope Running services, checks, and selected internal details

Backend modules

Service modules

01 active surface of 05

Ops pulse Checking live posture...

Public services Awaiting snapshot

Protected route Awaiting snapshot

DNS posture Awaiting snapshot

Last check Standby

01 • Ops Pulse Live service and edge posture

Edge checks

I configured checks for Pages, R2 media, protected Access routes, DNS answers, and certificate posture. The values shown here come from the live production stack.

Live check snapshot

service=vikonkeys-pages status=healthy latency_ms=138
service=media.vikonkeys.com status=healthy cache=hit
tunnel=vikontls.cloudflareaccess.com status=protected route=up
dns=www.vikonkeys.com status=correct provider=cloudflare
tls=vikonkeys.com mode=edge-managed posture=clean

Source These values are drawn from the live production stack.

Scope The output is limited to the edge layer and excludes private service detail.

Checks The module shows site health and access posture in one place.

Access setup The Pi-side Cloudflared service runs as a daemon with a token file under /etc/cloudflared and restricted permissions.

Fetching current service checks...

Pages health R2 delivery Access protection DNS answers

Use environment demo Inspect Cloudflare Access

02 • Service Topology Pi-hosted stack and public edge

Topology

I mapped Cloudflare Pages and R2 at the edge, Access for protected routes, and a Pi-hosted service layer running Home Assistant, Homebridge, Scrypted, Mosquitto, Matter server, Portainer, Homer, and another containerised service. Internal bridge certificates support private service paths, while internal hostnames stay private.

Route notes

[public] www.vikonkeys.com -> Cloudflare Pages
[public] media.vikonkeys.com -> R2 custom domain
[protected] vikontls.cloudflareaccess.com -> Access boundary
[private] Pi stack -> homeassistant / homebridge / scrypted / mosquitto / matter-server / homer
[sanitized] internal hostnames and management paths stay private

Boundary The map separates public routes, protected routes, and private services.

Services The observed service inventory shows Cloudflared, Home Assistant, Homebridge, Scrypted, Mosquitto, Matter server, Portainer, Homer, and another web service on the same node.

Validation The topology is based on the current service inventory and route notes.

Certificates A private bridge certificate is in place for internal service use with a multi-year validity window.

Select a node to inspect the sanitized route notes.

Public Pages R2 media Home Assistant Scrypted Homebridge Portainer

Inspect Cloudflare Access

03 • DNS Lockdown Hardening and blast-radius control

DNS lockdown

I wrote a shell script that disables local DNS daemons, removes proxy-DNS settings from cloudflared, rewrites resolv.conf, and inserts iptables and ip6tables drops on port 53. Validation comes from saved rules and a final socket check on port 53.

Hardening script

apk add --no-cache iptables ip6tables busybox-extras
for svc in dnsmasq unbound bind knot-resolver stubby smartdns; do
  rc-service "$svc" stop || true
  rc-update del "$svc" default || true
done
sed -i '/^\s*proxy-dns.*$/d' /etc/cloudflared/config.yml
printf 'nameserver %s
' "$ROUTER_IP" > /etc/resolv.conf
lock_chain iptables
lock_chain ip6tables
iptables-save > /etc/iptables/rules-save
ip6tables-save > /etc/ip6tables/rules-save
ss -tulpn | grep ':53' || log 'none (expected)'

Goal The script keeps DNS resolution on a known path.

Enforcement The rules are enforced at the host boundary with iptables and ip6tables.

Validation The script saves the rules and checks for listeners on port 53 at the end of the run.

iptables ip6tables cloudflared Resolver control

Review service topology

04 • Automation Webhook, snapshot, and stateful logic

Automation

I configured a Pushcut camera preview sequence and a two-hour heating boost automation with timers, restart mode, HVAC capability checks, fallbacks, and reset behaviour. Validation comes from the package logic, service calls, and timer state handling shown here.

Package flow

automation:
  - id: pushcut_garden_view_dynamic_preview
    trigger: binary_sensor.garden_view_motion -> on
    action: camera.snapshot -> /config/www/garden_view_latest.jpg
    delay: 00:00:01
    action: rest_command.pushcut_garden_view_preview
  - id: heating_boost_2h_finish
    trigger: timer.finished entity_id=timer.heating_boost_2h
    action: climate.turn_off
    fallback: set_hvac_mode off | heat + eco_temp
    reset: input_boolean.heating_boost_2h -> off

Triggers Each example starts from a clear event or entity change, including a call_service trigger path for the heating boost start.

Fallbacks The heating automation includes fallback logic and reset behaviour.

Validation The configuration shows the trigger path, service calls, timer handling, and reset path.

Pushcut preview Camera snapshot timer.finished HVAC fallbacks

Jump to webhook project

05 • Camera Bridge HomeKit, Scrypted, and stream validation

Camera bridge

I configured a HomeKit bridge for the TC82 stream, reviewed Homebridge and Scrypted extraction output, and wrote a Python validator that probes RTSP or stream URLs while redacting credentials in its output. Validation comes from ffprobe results, error classification, and saved output.

Bridge notes

def redact_url(url):
  # hide credentials before writing results
if url.startswith('rtsp://'):
  args += ['-rtsp_transport', 'tcp', '-stimeout', '5000000']
result = subprocess.run(args, timeout=8, check=False)
reason = classify_error(stderr_text, timeout=False)
json.dump({'results': results}, out_path, indent=2)
operator_recommendation = 'Try ONVIF first, then RTSP if needed'

Bridge settings The bridge configuration covers codec, frame rate, resolution, and audio handling.

Redaction The validator redacts sensitive stream credentials before writing results.

Validation The validator records ffprobe results and classifies failure types.

Certificate An internal bridge certificate is in place with a validity window from November 2025 through February 2028.

Failure classes The validator explicitly classifies dns, auth, timeout, network, codec, and not found errors instead of treating ffprobe failures as one opaque bucket.

HomeKit bridge Scrypted Homebridge ffprobe validation

Ask for walkthrough

tvOS Browser Deployment Surface

Built and deployed browser capability into a tvOS environment as a practical test of platform limits, packaging decisions, and reliable delivery on a device that was not designed for that workflow.

Home Assistant Webhook Automations

Built Home Assistant packages around Pushcut and REST commands so camera motion can snapshot, notify, deep-link into live views, and hand control back cleanly. The useful part is the flow design, state handling, and guardrails around each action.

Cloudflare One Access Surface

Used Cloudflare One to place identity-aware access boundaries in front of personal subdomains so private services remain reachable without being left open to the public internet.

Open Cloudflare Access

Support and Infrastructure Delivery

Hands-on work supporting Windows environments, Windows Server, device fleets, monitoring stacks, and end-user issues within an MSP setting.

Live Environment Lookup

This Cloudflare-backed diagnostics tool checks your public IP, browser, device, timezone, language, and available network metadata on demand, then shows the raw payload for anyone who wants to inspect the response.