I work on the infrastructure and security side of things, and I like keeping those two connected instead of treating security like something you bolt on afterward. Day to day that looks like hypervisors, Kubernetes, IaC pipelines, identity, and the compliance work that ties it together.
Multi-arch k3s cluster running on a Raspberry Pi 4 and a Lenovo ThinkCentre I picked up secondhand. Everything is managed through FluxCD from MrGuato/pi-cluster so I never really touch the cluster directly. Secrets are encrypted with SOPS and age and committed right into the repo. Traefik handles routing, Cloudflare Tunnel gets traffic in without exposing anything, Longhorn does the block storage, and Velero backs everything up to a MinIO bucket on a separate node. The dashboard above is pulling from kube-prometheus-stack.
A rough map of where I spend my time and the tools I tend to reach for.
| Area | Notes |
|---|---|
| Kubernetes | k3s, Helm, FluxCD, Kustomize, Longhorn, Velero. Currently looking at Talos and Omni. |
| IaC | Terraform, Ansible, and Packer. I usually build golden images with Packer, spin them up with Terraform, and let Ansible handle the config drift. |
| CI/CD | GitLab CI and GitHub Actions, with Flux for GitOps. I like keeping scanning (SAST, SBOM, container, IaC) as actual gates in the pipeline so things fail fast. |
| Virtualization | vSphere and ProxMox. Hardened base images and automated patching. |
| Network | FortiGate, Palo Alto, Ubiquiti, Cisco. |
| Identity | Entra ID and Conditional Access. |
| Compliance | Leading a CMMC Level 2 program. Also comfortable with CIS v8, NIST CSF 2.0, and Zero Trust work. |
| Security ops | Sentinel, SentinelOne, Rapid7, Defender XDR, and Tines for SOAR. Good telemetry usually makes detection a lot easier. |
My homelab cluster, fully declarative. Flux reconciles apps and infrastructure from Git, SOPS-encrypted secrets live in the public repo, and Renovate keeps image tags fresh with automated PRs. Velero does restic backups out to MinIO on a separate node, and Longhorn handles distributed block storage across the ARM and x86 nodes. The live dashboard at the top of this README runs on it.
Containerized game server for Enshrouded, built from scratch on ubuntu:22.04 with WineHQ and SteamCMD. Runs as non-root with semantic versioning and a GitHub Actions pipeline that publishes signed images to GHCR. Getting SteamCMD symlinks and Xvfb lock files to behave in a clean container was more fun than I expected.
A small reusable GitHub Action I wrote for syncing build artifacts to Azure Blob Storage. Published publicly so other folks can use it.
A serverless site on S3, CloudFront, Lambda, API Gateway, and DynamoDB, all provisioned through CloudFormation with least-privilege IAM and a proper deploy pipeline.
