Under the hood

Every tool that keeps the Workshop running, each with its job in a line. Open source where it counts, hardened at the edge, and watched by its own monitors. None of it is exotic, and that is the point: these are off-the-shelf parts, assembled with care.

The AI

Local models run on the machine in the room, so private work stays private. The leading frontier models sit one switch away through the same gateway, for when a task needs more horsepower.

Open WebUI

Chat front end for every model, local or frontier

Ollama

Runs the language models locally on the platform

LiteLLM

One private gateway in front of every model

Claude

Anthropic’s frontier models, reached through the gateway

ChatGPT

OpenAI’s models, on tap for heavier reasoning

Gemini

Google’s models, available through the same switch

Edge and access

How the Workshop reaches the world without leaving a door open.

Cloudflare

Edge security, Zero Trust Access, and the tunnel

Caddy

Reverse proxy and automatic HTTPS

CrowdSec

Detects attacks and bans IPs at the edge

Tailscale

Private mesh VPN back to the platform

Security

This is a security professional’s home lab, so the defenses are the work, not an afterthought. Protection is layered at the edge and on the host. The live internals, the counts of blocked attempts and banned addresses, stay private on purpose. What is shown here is the posture, not the playbook.

Zero Trust Access

Every service sits behind identity-aware login. No public passwords to guess.

Web app firewall

Managed rulesets inspect every request at the edge before it reaches the box.

Bot & AI defense

Automated bots and AI scrapers are challenged and blocked, not served.

Rate limiting

Floods of requests are throttled automatically before they ever land.

Geo blocking

Traffic from the highest-abuse regions is turned away at the edge.

CrowdSec threat intel

Known-malicious IPs are banned in real time, informed by a global community.

No open ports

Nothing is exposed to the internet directly. Traffic arrives through an outbound-only tunnel.

Hardened host

FileVault encryption, secure boot, firewall, and least-privilege accounts on the Mac itself.

Scheduled scanning

The public surface is probed on a schedule by automated external checks, so weak spots surface early.

Eyes on it

If something breaks, the Workshop is the first to know.

Uptime Kuma

Watches every service and alerts on downtime

Dozzle

Live container logs in the browser

Portainer

Visual control panel for the containers

Workshop Pulse

Custom power, cost, and utilization meter

The platform

The ground everything stands on.

Docker

Runs everything in isolated containers

Code Server

VS Code in the browser for remote work

Homepage

The private operations dashboard

Homebrew

Installs and updates the host tools

The platform

A compact, always-on Apple Silicon host that runs the entire workshop