Public signal, private surfaces

The conventional advice for an engineer with public ambition is: open-source everything, write public READMEs, accept that your homelab is also your résumé. The conventional advice is well-meaning and, for most production environments, wrong. Showing technical signal does not require exposing the operational interior of the systems that produced it. The two can be separated, and separating them is usually the right call.

The asymmetry

A public surface is marketing. A private surface is operations. Different audiences, different incentives, different risk profiles. Mixing them looks transparent and is actually noise: a public dashboard that exposes service hostnames helps no recruiter and helps every opportunistic scanner. A repository that publishes your docker-compose.yml teaches nothing useful about your engineering and tells anyone who is curious the exact version of the database engine you forgot to update.

The asymmetry is sharper than it looks. The public surface is read by humans skimming for signal in seconds. The private surface is read by automated tooling, indexed forever, and cached even when you delete it. The "I'll publish and refactor later" assumption breaks in the second case, because there is no "later" that erases what was scraped on day one.

Show the shape, not the address

Most of what makes a project legible to a technical reader is the shape: what was solved, what stack carried the weight, where the agent helped, what stayed human-owned, what failed and got rebuilt. None of that requires a repository URL. A short case study with stack, agent role, and outcome — three paragraphs, no link — communicates everything a thoughtful reader actually needs.

The same logic applies one level up. Listing the services on a private cloud (TimescaleDB, MQTT, MinIO, central SSO, secrets manager, self-hosted CI runner) tells a reader something real about your engineering. Listing the hostnames does not, and it doubles as a target list. Pick the part that carries signal; drop the part that only carries risk.

Tailnet-private as a primitive

The technical move that makes this posture cheap is treating a WireGuard mesh — Tailscale, in my case — as a primitive private subnet for everything operational. Services run behind a reverse proxy, the reverse proxy listens on a tailnet address, no public port is exposed, and the DNS names resolve only on the mesh. The cost of admission to anything operational is "be authorised on the tailnet." There is no scanner-visible attack surface to harden, because there is no scanner-visible surface at all.
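One way to verify the "no public port is exposed" property on a host, as an added example and not the author's own tooling: a POSIX shell audit that reads `ss -ltnH`-style socket lines and flags any TCP listener not bound to loopback or to 100.64.0.0/10, the CGNAT range Tailscale assigns to tailnet nodes. The socket lines below are constructed for the example, not captured from the author's hosts, and the function names and the range check are my assumptions about how such a check would be written.

```shell
#!/bin/sh
# Added example (not the author's tooling): audit TCP listeners on a host that
# is meant to be reachable only over the tailnet. A listener counts as private
# if it is bound to loopback or to an address in 100.64.0.0/10, the CGNAT
# range Tailscale hands out to tailnet nodes. Anything else (0.0.0.0, [::],
# *, a LAN address or a public IP) is reported as exposed.

# is_private_bind ADDRESS -> returns 0 if loopback or tailnet-range, 1 otherwise
is_private_bind() {
  addr="$1"
  case "$addr" in
    127.*|'[::1]'|::1) return 0 ;;
    100.*)
      # 100.64.0.0/10 covers second octets 64..127 only
      second=$(printf '%s' "$addr" | cut -d. -f2)
      [ "$second" -ge 64 ] && [ "$second" -le 127 ] && return 0
      return 1 ;;
  esac
  return 1
}

# audit_listeners reads `ss -ltnH`-style lines on stdin
# (State Recv-Q Send-Q Local:Port Peer:Port ...), prints one line per
# exposed listener, and returns 1 if any were found, 0 if all are private.
audit_listeners() {
  found=0
  while read -r state recvq sendq local peer rest; do
    [ -z "$local" ] && continue
    addr="${local%:*}"     # strip the trailing :port (works for [::]:22 too)
    port="${local##*:}"
    if ! is_private_bind "$addr"; then
      printf 'EXPOSED %s port %s\n' "$addr" "$port"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample in the shape of `ss -ltnH` output; not from a real host.
# Live use on a tailnet node would be:  ss -ltnH | audit_listeners
SAMPLE='LISTEN 0 4096 100.101.102.103:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:1883 [::]:*
LISTEN 0 511 [::1]:9090 [::]:*'

if printf '%s\n' "$SAMPLE" | audit_listeners; then
  echo "all listeners are tailnet-private"
else
  echo "tailnet-only check failed"
fi
```

On the constructed sample the reverse proxy on the tailnet address and the two loopback-only services pass, while SSH on 0.0.0.0 and the MQTT broker on [::] are reported; that is exactly the residue a scanner would see, and the point of the posture is that this list stays empty.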

This is not novel architecture. What is worth noting is that it changes what "show your work" can mean. Once the operational layer is structurally private, the public layer becomes pure narrative — case studies, notes, a homepage. No one is missing anything, because there is nothing public to miss.

The public-link discipline

Once you commit to the split, the public link list is short, deliberate, and easy to defend. Mine is the homepage itself, a GitHub profile that hosts only what is intentionally public, a work email, and a LinkedIn entry. That is the entire reachable surface. Anything else lives on the tailnet or in a private channel.

The discipline is in the negative space. No public dashboards. No public Grafana. No public status page. No public inventory of services, hostnames, or stack versions. No "you can clone my homelab" repo. Each of those is a thing some engineers do, each is fine in moderation, and each is something I have decided is not worth the eventual cost.

What this costs

The honest cost of this stance is that you lose the cheap forms of public credibility — GitHub-stars-as-résumé, flashy homelab dashboards, public proof-of-skill for skimmers. Two deliberate exceptions exist: the [luxorliving-integration](https://github.com/Pauhe/luxorliving-integration) (production-grade HACS integration, 200+ tests, full CI) and [milestack](https://github.com/Pauhe/milestack) (Solidity auditing toolkit with Slither + Foundry CI). These are polished public artifacts that show *shape* without exposing operational surfaces or homelab internals. The audience that requires more noise is not the one that hires for serious work, so the cost remains bounded.

The compensating benefit is that everything you do publish carries more weight. A field note is read because there are only a few of them. A case study is taken seriously because nothing else is competing for attention on the same page. The signal-to-noise ratio of the public surface goes up, precisely because the surface is small.

The summary in one line

Public surface is sales; private surface is operations. Show shape, not addresses. Make the operational layer structurally private so the public layer can stay pure narrative. Defend the negative space — what you choose not to publish is part of the design.

The same boundary logic appears in agents-without-keys and what SCADA practice teaches about AI systems.