There’s a particular kind of dread that comes with SSH-ing into a machine you set up two years ago. You don’t remember what’s running. You’re not sure which config file is authoritative. The service you need is up, but you couldn’t tell anyone why, and you’re afraid to touch anything in case you break it.

That’s not infrastructure. That’s debt with a power cord.

My personal stuff ran exactly like that for years. Every new project meant another server config done by hand, another package installed with a vague plan to document it later, another thing that would stop working on the next rebuild. Automations I’d forgotten were still running. Critical services with no idea how they got configured.

The breaking point was a threat intelligence setup I needed for some security research. I had the tools, I knew how to use them, and standing up a clean environment took longer than the actual research. Next time I needed it I’d be starting from scratch again. That’s not a workflow. That’s a punishment.

The business framing

Something shifts when you start treating home infrastructure the way a small business would treat production systems. Not in budget or complexity — in discipline.

A three-person dev shop doesn’t wing it the way I was winging mine. They have version-controlled config so they know what changed when something breaks. They have reproducible environments so a new person isn’t starting from tribal knowledge. They have centralized access control instead of a spreadsheet of passwords. They know when something stops working before a user does.

None of that requires money. It requires taking it seriously.

The decision to go all-in on Ansible

I looked at the options. NixOS is genuinely elegant but it’s a full mental model shift and I wasn’t ready to commit. Kubernetes is the right answer to a different question. Chef and Puppet are more operational overhead than I wanted for a one-person shop.

Ansible fit because it maps to how I already think. Tasks run on hosts, in order, with predictable outcomes. I could write useful automation in an afternoon. The ceiling is high enough that I still haven’t hit it.

The harder call was committing to test-driven development for the roles. Writing a failing test before writing the task felt like friction. It’s not. Every single time I’ve skipped that discipline I’ve paid for it in debugging time. Without exception.

What “business-grade” actually means here

Not PCI compliance in a spare bedroom. It means:

  • Every host is built from Ansible. Not “mostly Ansible.” If it’s not in a role, it doesn’t run on my network.
  • Environments are disposable. Any host can be rebuilt from scratch in one playbook run. Packer images give me a clean starting point every time.
  • Identity is centralized. Keycloak handles auth for everything. One set of credentials, OIDC across every service.
  • The lab documents itself. This blog exists because decisions made and then forgotten are the same as decisions never made.

What’s coming

The rest of this series covers the specific choices: why Keycloak has to come before everything else, how TDD changes the way I write roles, what a self-hosted AI development environment actually looks like in practice, and how to run a home security research capability without a SOC budget.

The archaeology phase is over.