Living Infrastructure-as-Code
VDB Manor — AI-Powered Homelab
What happens when a non-developer wants to treat their home like an enterprise data center?
By leveraging Claude Code as a real-time infrastructure partner, I built and now maintain a production-grade network and a comprehensive smart home stack, all without writing a single line of code alone.
Here is the blueprint for my self-taught, AI-powered homelab.
🔒
Local-First / Privacy
All video and automations stay local. No cloud subscriptions. No third-party access to cameras.
$
Zero Monthly Fees
No recurring costs. Reolink NVR records 24/7 locally. HA runs on owned hardware. WireGuard VPN for remote access.
🔩
Reliability Over Cleverness
Wired PoE over Wi-Fi. Hardware watchdog for auto-recovery. Proven solutions over bleeding edge.
🛡
VLAN Segmentation
802.1Q isolation across 4 VLANs. IoT devices can't reach the other local networks. HA reaches in via dual-home.
⚡
Value Engineering
Best-in-class prosumer gear. Netgear multi-gig core, Grandstream tri-band APs, Reolink AI cameras.
🏠
WAF Certified
Family-friendly UX. Clean installs. No visible wires. Usable by spouse and kids without a manual.
🌐
XMission Fiber
2 Gbps Symmetric
🛡
Firewalla Gold Plus
192.168.5.1
Router • Firewall • DHCP • WireGuard VPN
⚙
Core Switch — Netgear MS108EUP
192.168.5.11
8-Port 2.5G PoE++ • Network Backbone
VLAN 1
📡
3× Grandstream APs
GWN7674 Master + 2× GWN7665
Tri-band Wi-Fi 6E
VLANs 10 / 20 / 30 / 99
📷
Security Switch GS316EPP
192.168.5.14
16-port PoE • SFP uplink
12 cameras + NVR
VLAN 30
🤖
Home Assistant
Dual-Home Interface
192.168.5.20
192.168.99.20
Proxmox VM • HP Elite Mini
DUAL
💻
Office / Work / Gaming
Unmanaged Switch • 2.5G
VLAN 10 access only
🔌
Panel POE Trunk GS308EP
192.168.5.15
Room Distribution • Firewalla P3 direct
🏠
Living Room Switch
VLANs 10 / 30 / 99
🛏
Master Bedroom Switch
VLANs 10 / 99
📱
HA Dashboard Tablet
Galaxy Tab A9+ • PoE
VLAN 1 — Management
192.168.5.x
- Infrastructure only: switches, APs, Proxmox, HA
- No client devices ever
- Emergency admin access via Core Port 4
VLAN 10 — Main
192.168.10.x
- Family devices, work laptops, gaming
- Inter-VLAN management access for admins
- WPA3-SAE (VDB_Manor SSID)
VLAN 30 — Cameras
192.168.30.x
- 12 Reolink cameras + NVR — fully isolated
- No outbound internet (except push alerts)
- Only HA and admin devices can reach in
VLAN 99 — IoT
192.168.99.x
- Smart plugs, TVs, feeders, garage doors
- Blocked from ALL local networks
- HA reaches in via dual-home interface
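The isolation rules in the four VLAN cards above can be written down as a checkable policy. The following is an added example, not part of the original page or the author's configuration: it audits a list of flows against those rules, assuming /24 subnets, a hypothetical admin laptop at 192.168.10.50, and constructed client addresses.

```python
import ipaddress

# Subnets as listed on the page; the /24 masks are an assumption.
VLANS = {
    "mgmt": ipaddress.ip_network("192.168.5.0/24"),      # VLAN 1
    "main": ipaddress.ip_network("192.168.10.0/24"),     # VLAN 10
    "cameras": ipaddress.ip_network("192.168.30.0/24"),  # VLAN 30
    "iot": ipaddress.ip_network("192.168.99.0/24"),      # VLAN 99
}
HA = {ipaddress.ip_address(a) for a in ("192.168.5.20", "192.168.99.20")}
ADMINS = {ipaddress.ip_address("192.168.10.50")}  # hypothetical admin laptop

def vlan_of(addr):
    """Name of the local VLAN containing addr, or None if it is not local."""
    return next((n for n, net in VLANS.items() if addr in net), None)

def evaluate(src, dst):
    """Return (verdict, reason) for a new connection from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sv, dv = vlan_of(s), vlan_of(d)
    if sv is None or dv is None:
        return ("out-of-scope", "only local inter-VLAN flows are modelled")
    if sv == dv:
        return ("allow", "same VLAN, never crosses the firewall")
    if sv == "iot":
        return ("deny", "IoT is blocked from all local networks")
    if sv == "cameras":
        return ("deny", "camera VLAN is fully isolated")
    if dv == "cameras":
        if s in HA or s in ADMINS:
            return ("allow", "HA and admin devices may reach cameras")
        return ("deny", "only HA and admin devices may reach cameras")
    if dv == "mgmt" and s in ADMINS:
        return ("allow", "inter-VLAN management access for admins")
    return ("review", "flow is not covered by the documented rules")

def audit(flows):
    """Return the (src, dst) pairs that the documented policy denies."""
    return [(s, d) for s, d in flows if evaluate(s, d)[0] == "deny"]

# Constructed sample flows; only .5.20, .5.11 and .30.182 come from the page.
SAMPLE_FLOWS = [
    ("192.168.99.20", "192.168.99.41"),  # HA IoT-side interface -> smart plug
    ("192.168.99.41", "192.168.5.20"),   # smart plug -> HA management address
    ("192.168.5.20", "192.168.30.182"),  # HA -> NVR
    ("192.168.10.7", "192.168.30.182"),  # family laptop -> NVR
    ("192.168.10.50", "192.168.5.11"),   # admin laptop -> core switch
]
```

The first flow shows why the dual-home interface needs no firewall exception: HA talks to IoT devices from inside VLAN 99, so the "blocked from all local networks" rule can stay absolute.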
Proxmox VE 9.1.6
- Intel i5-13500 (14C/20T) + 32GB DDR5
- Hardware watchdog — auto-reboot on hang
- NIC offload fix for e1000e stability
- Daily VM snapshots, keep-last=5
Home Assistant OS 17.1 — VM 100
- 705 entities across all integrations
- Dual-home: VLAN 1 + VLAN 99 simultaneously
- Zigbee (ZBT-2) + Z-Wave (ZWA-2) + Google Coral
- Reolink, ESPHome, Samsung, Tuya, Sonos
Services VM (VM 102) — Docker Stack
- Frigate NVR — 12 cameras, Coral TPU, semantic search + face recognition
- Immich — local Google Photos replacement, 192.168.5.23:2283
- Mosquitto — MQTT broker for Frigate → Home Assistant events
- AdGuard Home — LXC CT 101, network-wide DNS filtering
- 4TB WD SN7100 NVMe at /mnt/data — Frigate clips + Immich library
Resilience Stack
- Proxmox + all VMs auto-start on power cycle
- HA native backups + Google Drive offsite
- Firewalla offline alerts on all critical devices
- lm-sensors CPU/NVMe temp monitoring
Automation
CCTV Workday Schedule
WoL wakes basement TV at 8:30 AM, turns off at 5:30 PM. Checks Google Calendar for PTO/holidays and skips those days.
Automation
House Secure LED
Visual green-light confirmation when all sensors are secure. Automated "Night Mode" routine that locks down the home and pushes a detailed list of any security exceptions to my phone.
Automation
Package Detection
AI-triggered notification when a package is spotted at the front door. Same snapshot + deep-link flow as visitor alert.
Automation
Auto Cat Feeder
Triggers the smart pet feeder at 7:30 AM and 7:30 PM daily. No conditions — fires every day regardless of presence.
The hard part is already done. VLAN segmentation, a hypervisor, dual-home networking, local AI hardware, and a living documentation system
mean every future project plugs into an existing foundation instead of starting from scratch.
Local AI-Powered Surveillance LIVE
Frigate NVR is deployed and running on the Services VM — 12 cameras at native resolution, Google Coral TPU processing at ~10ms per frame, zero cloud dependency.
- Real-time person, vehicle, and animal detection on all 12 cameras
- Semantic search (CLIP) and face recognition (FaceNet/ArcFace) enabled
- Zones + motion masks on 7 cameras; bird tracking on garden cameras
- HA integration via MQTT — Frigate events trigger automations directly
Room-Level Presence Awareness
The incoming Bluetooth proxy (OLIMEX ESP32-POE) + existing Zigbee mesh + phone tracking create the foundation for room-aware automations that know where the family actually is.
- Lights, climate, and music that follow you room to room
- "Nobody's home" mode — arm cameras, cut standby power, adjust thermostat
- Kid-specific bedtime automations tied to their room presence
- Eliminate "is anyone downstairs?" — HA just knows
One Box, Many Services
Proxmox on a 14-core i5 with two empty expansion bays means new services are a VM away — no new hardware, no new network config, no new power draw.
- Jellyfin / Plex — local media server for the family, streamed to every TV
- Local file cloud — Nextcloud or Syncthing replacing Google Drive / iCloud
- Ad blocking — Pi-hole or AdGuard Home as a Proxmox LXC, network-wide
- Game servers — Minecraft or Valheim for the kids, isolated on their own VLAN
Energy Visibility & Control
8+ Zigbee smart plugs already report power draw to HA. Adding a whole-home energy monitor turns the house into a real-time energy dashboard.
- Per-device and per-room energy consumption tracking
- Automated standby power kill — TVs, gaming consoles, office equipment
- Monthly cost-per-device breakdowns on the HA dashboard
- Alerts when something pulls unexpected wattage (appliance failure early warning)
Infinite IoT Without Risk
The VLAN 99 "zero trust" model + HA dual-home means every new device is isolated by default. The architecture scales without compounding security risk.
- Add 50 more devices — none can see each other or the home network
- New smart locks, sensors, or appliances just land on VLAN 99 and work
- ESPHome custom devices (air quality, water leak, soil moisture) with zero cloud
- Matter/Thread devices via the ZBT-2 — future-proof protocol support
Complexity That Doesn't Compound
Most homelabs hit a wall where the owner is the only one who knows how it works. This one has a living knowledge base that any Claude Code session can pick up instantly.
- Onboard a friend or family member to manage the system if needed
- Disaster recovery with full context — rebuild from docs, not memory
- Every future project starts with Claude already knowing the full picture
- The more you build, the smarter the system gets — not harder to maintain
Every physical or configuration change follows this loop. Scott describes what happened — Claude handles all
the edits, presents exactly what changed and where, and Scott reviews before anything is committed.
1
Describe a confirmed change in plain English
Scott
2
Surgical edits to all affected docs — only the specific changed items
Claude Code
3
Writes dated CHANGELOG entry listing every file and line touched
Claude Code
4
Reviews the summary — checks every file and line reference
Scott
5
Commits & pushes to GitHub — infrastructure state locked in
Scott
Brainstorming ≠ Committing
Docs never update during planning or exploration sessions. Claude only makes changes when a real-world action is explicitly confirmed — "cable moved", "config saved", "rule applied". Speculation stays in chat.
Surgical by Protocol
Entire sections are never rewritten. Claude edits only the specific lines that changed, preserving history and avoiding drift. Every edit is listed with file name and line number so the review is fast and exact.
Git Is the Audit Trail
Every infrastructure change produces a commit. The git history is the timeline of the homelab — every AP move, every firewall rule, every new device, timestamped and attributable.
For major projects — migrations, new service deployments, multi-step infrastructure changes —
a single-model session isn't enough. The answer: spec-driven configuration.
Two Opus sessions design and adversarially validate the plan before a single command runs.
Ⅰ
Brainstorm the next logical project — scope, sequencing, long-term fit with the stack
Scott + Claude
Ⅱ
Opus writes the full spec — hardware, config order, dependencies, rollback
Claude Opus
Ⅲ
Second Opus reads the spec cold — finds new risks, gaps, and contradictions
Claude Opus
Ⅳ
Scott walks the spec phase-by-phase — terminal commands, UI config, system changes
Scott
Ⅴ
Sonnet co-pilots each step — validates state, answers questions, catches unexpected output
Claude Sonnet
Proof Case: Proxmox Migration
The bare-metal HAOS → Proxmox VM migration was the first project run through this workflow.
Too many moving parts — BIOS settings, bridge networking, VM provisioning order, HA restore sequence —
to improvise in a single session.
- Opus 1 produced the full spec: hardware setup, network bridge config, VM provisioning, HA restore procedure, rollback decision tree
- Opus 2 pressure-checked it cold — caught missing VLAN bridge config that would have severed HA’s IoT interface
- Merged spec handed off — Scott ran each phase at the terminal with Sonnet co-piloting, validating state and fielding questions at every checkpoint
- Result: zero downtime, all VMs online, HA fully operational within 2 hours
Why Two Models?
A single model anchors to its own plan. A second Opus instance has no attachment to the first draft
— it reads it with genuinely fresh eyes and is prompted to find failure modes, not validate the plan.
- Model 1 optimizes for completeness — every step, every dependency, every config value
- Model 2 optimizes for failure — what breaks, what’s out of order, what’s missing
- The merge is the spec — adversarially validated before any config is touched
- Same discipline as spec-driven software development, applied to infrastructure
CLAUDE.md
Project Brain: Context, personas, protocols, domain knowledge routing table
CHANGELOG
Change Log: Every change, dated, with affected files — the single intake point
network
Network Topology: Physical hierarchy, switch ports, QoS, emergency recovery
vlans
VLANs & SSIDs: VLAN IDs, subnets, SSIDs, isolation rules, dual-home config
firewall
Firewall Rules: DNS blocks, inter-VLAN policy, Firewalla L3 rules
devices
Device Registry: Every device: IP, VLAN, group, VPN clients, static reservations
smarthome
Smart Home & HA: Server specs, peripherals, cameras, Frigate strategy, expansions
automations
HA Automations: Every automation & script with YAML + plain-English descriptions
entities
705 HA Entities: Sanitized live API export — re-exportable anytime via curl + jq
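One way to build the sanitizing step of the entity export, as an added example that is not the author's pipeline: it is written in Python rather than jq, keeps only an allow-list of attributes (the list is an assumption), and then scans the result for values that still look like secrets. The sample input is constructed to resemble a Home Assistant `GET /api/states` response.

```python
import json
import re

# Assumption: the only attributes worth keeping in a committed entity reference.
KEEP_ATTRS = ("friendly_name", "device_class", "unit_of_measurement")
# Patterns that should never survive into a file that gets committed.
SECRET_PATTERNS = [
    re.compile(r"token=", re.I),                              # signed URLs
    re.compile(r"\b[0-9a-f]{32,}\b", re.I),                   # long hex tokens
    re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I),  # MAC addresses
]

def sanitize(states):
    """Reduce state objects to entity_id, domain and allow-listed attributes."""
    out = []
    for st in states:
        attrs = st.get("attributes", {})
        row = {"entity_id": st["entity_id"],
               "domain": st["entity_id"].split(".", 1)[0]}
        row.update({k: attrs[k] for k in KEEP_ATTRS if k in attrs})
        out.append(row)
    return sorted(out, key=lambda r: r["entity_id"])

def leaks(rows):
    """Return entity_ids whose row still matches a secret pattern."""
    return [r["entity_id"] for r in rows
            if any(p.search(json.dumps(r)) for p in SECRET_PATTERNS)]

# Constructed sample; every value here is made up.
SAMPLE_STATES = [
    {"entity_id": "camera.front_door", "state": "idle",
     "attributes": {"friendly_name": "Front Door",
                    "access_token": "0123456789abcdef0123456789abcdef01234567",
                    "entity_picture": "/api/camera_proxy/camera.front_door?token=0123abcd"}},
    {"entity_id": "device_tracker.phone", "state": "home",
     "attributes": {"friendly_name": "Phone", "latitude": 0.0,
                    "longitude": 0.0, "mac": "aa:bb:cc:dd:ee:ff"}},
    {"entity_id": "sensor.plug_power", "state": "42.1",
     "attributes": {"friendly_name": "Plug aa:bb:cc:dd:ee:ff",
                    "device_class": "power", "unit_of_measurement": "W"}},
]
```

The third sample entity carries a MAC address inside its friendly name, which an allow-list alone lets through; running `leaks()` on the sanitized rows before committing catches that case.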
Phase 1 — Foundation
- Migrated all docs from Gemini gems into structured markdown
- Created CLAUDE.md with personas, protocols, domain routing
- Built the changelog-driven update workflow
- Audited topology, resolved doc inconsistencies
Phase 2 — Enrichment
- Populated full device inventory from Firewalla export
- Built HA automation docs with YAML + plain English
- Created entity reference workflow (API export + jq sanitizer)
- Caught and purged sensitive data from git history
Phase 3 — Hardening
- Full network security audit (12 findings resolved)
- Cross-document consistency validation
- Added second garage door controller & documented both
- Scoped Proxmox migration using dual-Opus planning workflow
Phase 4 — Migration & Resilience
- Bare-metal HAOS → Proxmox VM (zero downtime restore)
- Diagnosed & fixed Intel NIC hardware hang
- Enabled hardware watchdog for auto-reboot on kernel hang
- Added Proxmox VE integration, scheduled backups, monitoring
Phase 5 — Services & Storage
- Services VM (VM 102) stood up with full Docker stack
- AdGuard Home deployed on LXC CT 101 — network-wide DNS filtering
- Mosquitto MQTT broker wired to Home Assistant
- 4TB WD SN7100 NVMe installed, formatted, mounted at /mnt/data
- Immich deployed — local photo management library live
Phase 6 — AI Surveillance
- Frigate NVR 0.17.1 deployed — all 12 cameras at native resolution
- Google Coral TPU configured — ~10ms inference per frame
- Zones + motion masks on 7 cameras; bird tracking enabled
- Semantic search (CLIP) and face recognition (FaceNet) live
- Full HA integration via MQTT + HACS; detection triggers automations
CLAUDE.md Is Everything
The project instruction file gives Claude Code deep context on every conversation start:
- Who I am: tech-savvy product leader, not a coder — explain as you go
- Safety rails: warn before touching management ports, never rewrite whole sections
- Domain routing: "IP question? Check devices.md. Camera question? smarthome.md."
- Change protocol: only update docs on confirmed changes, never during brainstorming
- File index: Claude knows exactly where every piece of information lives
The Multiplier Effect
What makes an AI-assisted homelab fundamentally different:
- Instant recall: "What's on Core Port 6?" — answered in seconds from docs
- Cross-domain reasoning: VLAN change? Claude checks firewall, devices, HA impact
- Incident response: NIC hang at midnight → root cause + fix + docs in one session
- Security auditor: found sensitive data in git, purged history, built safe export pipeline
- Migration partner: planned, executed, and documented Proxmox migration end-to-end
The Killer Feature
Ask Anything. Get the Right Answer Instantly.
Every Claude Code session opens with complete knowledge of the entire infrastructure —
every device IP, every VLAN rule, every switch port, every automation, every camera.
No searching forums. No digging through old notes. No "I think it was on port 6?"
Ask a question in plain English and get an answer that accounts for your specific network topology,
your specific firewall rules, and your specific devices — with the exact next step to take.
homelab-docs — claude code
"Which switch port is my NVR on?"
Security Switch Port 1, VLAN 30, IP 192.168.30.182. Firewall blocks all internet except pushx.reolink.com for push alerts.
"I want to add a smart lock to the front door."
Put it on VDB_IoT (VLAN 99). Internet-blocked by default. HA reaches it via the dual-home interface at 192.168.99.20. Use Zigbee via ZBT-2 for local-only control.
"My Proxmox host went down — what do I check?"
Check journalctl for e1000e NIC hangs first — that's the known failure mode. Watchdog auto-reboots within 45s. If not, power cycle. HA VM auto-starts. Verify at 192.168.5.21:8006.
The Non-Developer's Superpower
I'm a Senior Director of Product — not a sysadmin, not a developer. I built and maintain a segmented VLAN network,
Proxmox hypervisor, 12-camera AI surveillance stack, local photo management platform, network-wide ad blocking,
and a full smart home system — version-controlled, fully documented, and continuously extended.
Every major project starts with an adversarially-validated spec. Every change gets committed.
Every future Claude Code session opens with complete context.
This is what AI-assisted infrastructure looks like.
Proxmox
Home Assistant
802.1Q VLANs
Firewalla
Frigate NVR
Immich
Docker
AdGuard Home
Coral TPU
Reolink
ESPHome
Claude Code
Git