
Break things. Fix them. Learn.

This site runs on an Intel NUC hosted at home, behind a standard fiber connection. Its main purpose is to serve as an experimentation ground for testing server configurations, automation scripts, and open source security tools.

Not a professional website — a homelab: we break things, fix them, and learn.

Migration in progress
The site is gradually migrating from Grav CMS to Hugo. Old URLs are preserved, but the visual rendering is evolving. If you spot a bug, report it.

🛠️ Tech stack

| Tool | Role | Link |
| --- | --- | --- |
| 🔒 CrowdSec | Community IDS/IPS | Dashboard |
| ☁️ Cloudflare | CDN · WAF · DNS · DDoS | Dashboard |
| 📊 BetterStack | Monitoring · Alerts · Logs | Status page |
| 🌐 Hugo | Static site generator | gohugo.io |
| 🛡️ ModSecurity | Local WAF · OWASP CRS 4.x | OWASP CRS |
| nginx | Reverse proxy · TLS 1.3 | nginx.org |

🌟 Don’t miss

Three articles that capture the spirit of this homelab:

📚 Full documentation is in Documentation and automation scripts in Scripts.

🐛 Found a vulnerability?

If you discover a bug, misconfiguration, or security vulnerability on this server, please report it. This homelab is public and I learn from my mistakes.

📨 Responsible disclosure: www.arleo.eu/security.txt

Any contribution to improving security is welcome.

Postmortem: TypeIt broken by Mermaid in LoveIt theme

TL;DR

The LoveIt theme’s typewriter animation (TypeIt) stopped working on the home page after Mermaid diagrams were added to posts. Cause: a #id-1 DOM selector shared between both libraries. When Mermaid finds an orphan block in a home page summary, its initialization crashes, and the JS init chain stops before reaching TypeIt. Fix: add `

hugo-mcp Cloudflare plugin: smart cache purge

TL;DR

The Cloudflare plugin in hugo-mcp v2.0 implements 3 cache purge modes (full, partial, smart). The partial mode computes the linked URLs to invalidate (canonical + sitemap + RSS + listing + home) to preserve 95% of the CDN cache on every modification. Concretely: 6 URLs purged instead of wiping everything. This post details the computation, the pitfalls, and why smart became the default.

NUC Security Audit: ModSecurity Removed, 500 MB Recovered

⚡ TL;DR

A security stack audit on the homelab NUC reveals redundant double WAF inspection: ModSecurity + OWASP CRS load 11,872 rules into memory despite SecRuleEngine Off, running in parallel with CrowdSec AppSec which already covers the same surface. After removing the ModSecurity nginx module and five other targeted fixes, nginx drops from ~520 MB to ~27 MB PSS. Same security, memory footprint divided by 20.


🏗️ Architecture Before the Audit

The security stack had six stacked layers:

hugo-mcp v2.0: a Python plugin-system in 200 lines

TL;DR

hugo-mcp v2.0.0 introduces a Python plugin-system that lets anyone add hooks after each create_page / update_page / delete_page operation. 200 lines of code for the core, 3 production plugins shipped (IndexNow, Google Indexing, Cloudflare). This post explains the design, the trade-offs, the security posture, and shows how to write your own plugin in 5 minutes.

Grav → Hugo migration: 2 years of blog flipped in one day

TL;DR

On May 9, 2026, I switched arleo.eu from Grav (PHP CMS) to Hugo (Go static site generator) in a single session. Atomic flip (≈ 0 second downtime), 22 legacy articles migrated under /posts/ with SEO aliases to preserve Google-indexed URLs, BetterStack /ping monitoring intact throughout the operation.

The code and migration script are open source: github.com/jmrGrav/grav-to-hugo-migration.
