# Mission: A Rock-Solid Homelab — and the Skills to Run Real Infrastructure

## Why
Thomas runs a 13-guest Proxmox homelab (media stack, Home Assistant, self-hosted
services) that the household depends on. He wants it to be genuinely resilient and
secure — survive a disk failure, a bad update, or an intrusion attempt without losing
data or weekends. Crucially, he wants the *transferable* version of each skill: the same
concept as it appears in a professional IT / infrastructure role (DR plans, change
management, network segmentation, vulnerability management), so the homelab doubles as a
career on-ramp.

## Success looks like
- He can recover any guest from backup within a known RTO, and state his RPO out loud.
- The host runs default-deny at the firewall; he can read and justify every open port.
- SSH/identity is least-privilege (no root password login); he can explain why in interview terms.
- He can name his blast-radius risks (privileged container, single-disk, exposed services) and has reduced them.
- Patching is routine and unattended where safe; he tracks security CVEs rather than just running "apt upgrade."
- He can map each homelab practice to its enterprise equivalent (3-2-1 → DR/BCP, firewall → segmentation, etc.).

## Constraints
- Learns best from short, interactive lessons with one tangible win each (see [[NOTES.md]]).
- Single physical host, 4 cores / 16 GB, SSD + NVMe, no second machine *yet* — off-site/second-copy advice must account for this.
- Real production system in daily use — changes must be safe and reversible; no risky live experiments without a rollback.
- Already competent: built the whole stack (Docker, VPN, Cloudflare Tunnel, Tailscale, LVM-thin, cron monitoring). Teach at intermediate→advanced level. Do **not** re-explain fundamentals he clearly knows.

## Out of scope (for now)
- Kubernetes / clustering / HA Proxmox (single host; revisit if a second node appears).
- Rewriting the media-stack app configs — this is about the platform's resilience & security, not the apps.
- Cloud migration. The point is to run *his own* infra well.
