
weekend one: proxmox, a bastion, and three things i forgot

June 1, 2026 · 5 min read · homelab

A weekend ago I had a Lenovo ThinkCentre M70q in a box, two pieces of paper with passwords on them, and a vague plan. By Sunday night the box was a hypervisor running a hardened bastion VM — and I'd had to reconfigure Proxmox once because I forgot to plug in the ethernet cable.

The plan said: get a hypervisor up, build a bastion VM, take a snapshot, be done. The plan didn't say what would actually be hard. Three days in I knew.


the thinkcentre and the cheap decision

The hardware decision was made months ago — a Lenovo M70q Gen 5, 16GB DDR5, 256GB NVMe. A small mini-PC that pulls ~13W idle and fits behind a monitor. The rack-server aesthetic is fun but the M70q does the same work, quieter, on less power, and frees up rent on a closet I don't have.

Two small decisions inside that, both worth naming:

  • ext4 over ZFS. ZFS wants more RAM than I have to spare, and there's no redundancy benefit with a single disk anyway. The kind of person who tells you "ZFS or nothing" usually has a rack and a spare drive. I have neither.
  • Headless after first boot. The graphical installer is nicer for picking disks and typing in network settings, but the moment Proxmox boots into a stable state the monitor and keyboard come off. The box lives behind a router with one ethernet cable and one power cable. That's the whole point of a server.

That was Saturday morning, planned. Saturday afternoon is where it got interesting.


three things I got wrong on day one

1. The router admin page wouldn't load. I sat there refreshing http://192.168.0.1 for a minute thinking "did the router brick itself?" before noticing my laptop was still connected to the DITO modem's WiFi, not the TP-Link I'd just plugged in. Wrong SSID. When a network device is unreachable, first check what network you're on.

2. The Proxmox dashboard wouldn't load either. I'd configured Proxmox on 192.168.1.50/24 because that's what muscle memory said. The router was on 192.168.0.0/24. Even after I fixed the subnet, the dashboard still wouldn't come up. After ten minutes of paging through ip a and ss -tulpn I noticed the ethernet cable on the M70q wasn't plugged in. (Yes, really.) Physical layer before network layer. Always.

3. Both WiFi networks were broadcasting. The DITO modem and the TP-Link AX3000 were both blasting 2.4GHz + 5GHz from a meter apart. My phone auto-connected to whichever signal happened to be stronger when I picked it up, so devices ended up on different networks without anyone telling me. I turned off the modem's WiFi entirely (kept it as a wired uplink only) and the chaos settled.

None of these are exotic. All three are the kind of thing you'd find in any "common SRE mistakes" listicle. Doing them all in 90 minutes on your own homelab teaches you they're common for a reason — and that your fluency in someone else's environment doesn't transfer cleanly when you're alone with new cables.


the bastion was a deliberate detour

Once Proxmox was up I built a bastion VM before doing anything else. Ubuntu Server 24.04, 2 cores, 2GB RAM, static IP at 192.168.0.10, key-only SSH, root login disabled. Took a Proxmox snapshot called clean-bastion the moment it was hardened.
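
An added example, not from the original post: a small Python check for the two settings named above (key-only SSH, root login disabled). It reads sshd_config text or `sshd -T` output and applies sshd's first-value-wins rule, so a hardening line that sits below a conflicting earlier one is reported as not in effect. The function names and the sample config are constructed for illustration.

```python
# Added example: audit sshd settings for "key-only SSH, root login disabled".
# Assumption: global section only; Include files and Match blocks are skipped.

# OpenSSH defaults that apply when a keyword is never set.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# What the bastion described above should report.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
}


def effective(config_text):
    """Return effective global settings; sshd keeps the FIRST value it sees."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        # Keyword and value may be separated by whitespace or a single '='.
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # everything after this is conditional, not global
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen.add(key)
            settings[key] = parts[1].strip('"').lower()
    return settings


def audit(config_text):
    """Return {keyword: (effective, required)} for every failing setting."""
    eff = effective(config_text)
    return {k: (eff[k], v) for k, v in REQUIRED.items() if eff[k] != v}


# Constructed sample: the hardening line is shadowed by an earlier one.
SHADOWED = """\
PasswordAuthentication yes
PermitRootLogin no
KbdInteractiveAuthentication no
PasswordAuthentication no
"""
```

On the bastion itself, the output of `sudo sshd -T` is the safer input, since sshd has already resolved Include files by the time it prints the effective settings.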

The bastion is a legacy pattern. Modern remote-access design is mesh VPN — Tailscale, NetBird, Twingate — where each node has its own identity and the bastion isn't the security perimeter. So why build one first?

Because the pattern is still everywhere. VPN concentrators, regulated environments, the SSH ProxyJump setup you'll inherit at any older shop. It's worth doing once by hand so you know what mesh VPN is actually replacing. Eventually the bastion in my homelab gets demoted to "Tailscale subnet router + admin tooling host" — but the muscle memory of standing one up from scratch is something I want before I let the newer abstraction hide it.

That's the pattern-first principle the whole 60-month thing is built on. Build the older shape on purpose. Earn the right to use the newer abstraction.


what surprised me

The thing I expected to be hard — Proxmox install on unfamiliar hardware — was the easy part. The hard parts were the bits I'd taken for granted: which WiFi I was on, whether the cable was plugged in, whether the subnet I'd typed matched what the router was actually doing.

Working at scale at a big employer hides this. Someone else owns the cable, the subnet, the gateway, the DHCP scope. When you do it yourself in your apartment, every layer is suddenly load-bearing on your attention.

That's the whole point. The next sixty months are about deliberately walking down to each of those layers, one at a time, and looking at it on purpose. This weekend was layer zero.


stillness between commits.
