I work on the infrastructure and security side of things, and I like keeping those two connected instead of treating security like something you bolt on afterward. Day to day that looks like hypervisors, Kubernetes, IaC pipelines, identity, and the compliance work that ties it together.
Multi-arch k3s cluster running on several Raspberry Pi 4s and a Lenovo ThinkCentre. Everything is managed through FluxCD from MrGuato/pi-cluster, so I rarely touch the cluster directly. Secrets are encrypted with SOPS and age and committed straight into the repo. Traefik handles routing, Cloudflare Tunnel brings traffic in without opening any inbound ports, Longhorn provides block storage, and Velero backs everything up to a MinIO bucket on a separate node. The dashboard above is pulling from kube-prometheus-stack.
A rough map of where I spend my time and the tools I tend to reach for.
| Area | Notes |
|---|---|
| Kubernetes | k3s, Helm, FluxCD, Kustomize, Longhorn, Velero. Currently looking at Talos and Omni. |
| IaC | Terraform, Ansible, and Packer. I usually build golden images with Packer, spin them up with Terraform, and let Ansible handle the config drift. |
| CI/CD | GitLab CI and GitHub Actions, with Flux for GitOps. I like keeping scanning (SAST, SBOM, container, IaC) as actual gates in the pipeline so things fail fast. |
| Virtualization | vSphere and Proxmox. Hardened base images and automated patching. |
| Network | FortiGate, Palo Alto, Ubiquiti, Cisco. |
| Identity | Entra ID and Conditional Access. |
| Compliance | Leading a CMMC Level 2 program. Also comfortable with CIS v8, NIST CSF 2.0, and Zero Trust work. |
| Security ops | Sentinel, SentinelOne, Rapid7, Defender XDR, and Tines for SOAR. Good telemetry usually makes detection a lot easier. |
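As an added illustration of the "scans as actual gates" point in the CI/CD row (this is example code written for this page, not a workflow from any of the repos listed here), a GitHub Actions workflow where each scanner is configured to return a non-zero exit code on findings, so a failing scan blocks the merge instead of just annotating it. The image name `ghcr.io/example/app`, the job names and the action versions are placeholders; pin the actions to commit SHAs in a real pipeline.

```yaml
# Added example workflow, not from MrGuato/pi-cluster or any other project on this page.
# Every scanner below is set to fail the job on findings, so the gate is the exit code,
# not a report someone has to read.
name: security-gates
on:
  pull_request:
  push:
    branches: [main]

jobs:
  sast:
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # --error makes semgrep exit non-zero when any rule matches.
      - run: semgrep scan --config auto --error

  iac-and-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    steps:
      - uses: actions/checkout@v4

      # IaC gate: misconfigurations in Terraform/Kubernetes manifests fail the job.
      - name: IaC scan
        uses: aquasecurity/trivy-action@0.28.0   # placeholder version; pin to a SHA
        with:
          scan-type: config
          scan-ref: .
          exit-code: '1'
          severity: HIGH,CRITICAL

      - name: Build image
        run: docker build -t ghcr.io/example/app:${{ github.sha }} .   # placeholder image name

      # Container gate: HIGH/CRITICAL CVEs that have a fix block the merge.
      # ignore-unfixed keeps the gate from failing on findings nobody can act on yet.
      - name: Container scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: ghcr.io/example/app:${{ github.sha }}
          exit-code: '1'
          ignore-unfixed: true
          severity: HIGH,CRITICAL

      # SBOM: generated only after the scans pass and kept with the build as an artifact.
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: ghcr.io/example/app:${{ github.sha }}
          format: spdx-json
          artifact-name: sbom.spdx.json
```

The two jobs run in parallel; if either one fails, branch protection on `main` (required status checks) is what actually stops the merge, so the workflow is only half of the gate.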
My homelab cluster, fully declarative. Flux reconciles apps and infrastructure from Git, SOPS-encrypted secrets live in the public repo, and Renovate keeps image tags fresh with automated PRs. Velero does restic backups out to MinIO on a separate node, and Longhorn handles distributed block storage across the ARM and x86 nodes. The live dashboard at the top of this README runs on it.
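The SOPS-with-age-in-a-public-repo pattern described here and in the cluster summary above is worth seeing end to end. The following is an added example, not the actual contents of MrGuato/pi-cluster: a `.sops.yaml` creation rule, what an encrypted Secret manifest looks like after `sops --encrypt --in-place`, and the Flux Kustomization that decrypts it in-cluster. The age public key, the secret names and namespaces are placeholders, and the ciphertext values are elided.

```yaml
# Added example, not from MrGuato/pi-cluster. Placeholders: the age recipient key,
# secret and namespace names; ciphertext is elided.

# .sops.yaml at the repo root. Only data/stringData values are encrypted, so
# apiVersion, kind and metadata stay readable in Git diffs and reviews.
creation_rules:
  - path_regex: .*\.sops\.ya?ml$
    encrypted_regex: ^(data|stringData)$
    age: age1REPLACE_WITH_PUBLIC_KEY   # placeholder; output of `age-keygen`
---
# apps/demo/secret.sops.yaml after `sops --encrypt --in-place apps/demo/secret.sops.yaml`.
# The sops block carries the data key wrapped to the age recipient and a MAC over
# the encrypted content, so tampering with the file in Git is detected on decrypt.
apiVersion: v1
kind: Secret
metadata:
  name: demo-credentials
  namespace: demo
type: Opaque
stringData:
  password: ENC[AES256_GCM,data:<elided>,iv:<elided>,tag:<elided>,type:str]
sops:
  age:
    - recipient: age1REPLACE_WITH_PUBLIC_KEY
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        <elided>
        -----END AGE ENCRYPTED FILE-----
  encrypted_regex: ^(data|stringData)$
  mac: ENC[AES256_GCM,data:<elided>,type:str]
  version: 3.9.0
---
# Flux Kustomization that reconciles ./apps. The age private key never enters Git;
# it is created in the cluster out-of-band, e.g.
#   age-keygen -o age.agekey
#   kubectl -n flux-system create secret generic sops-age --from-file=age.agekey
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```

The security property to keep in mind: the public repo leaks only the recipient key and ciphertext, and anyone with write access to the repo can still change which recipient future secrets are encrypted to by editing `.sops.yaml`, so that file deserves the same review attention as the cluster manifests.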
Security research demonstrating zero-trust C2 architecture for autonomous drones in contested RF environments. Built on RHEL 10 with ArduPilot SITL for realistic flight simulation and a WireGuard dual-interface mesh enforcing per-identity tunnel segmentation. Implements a structured threat model (T-01 through T-03) covering RF jamming, link hijacking, and GCS compromise scenarios. GCS stack runs on k3s with Traefik mTLS, FluxCD GitOps, and Prometheus/Loki for full observability. Companion site at vertex-c2.vercel.app documents architecture and threat findings.
Self-hosted Windrose dedicated server for Linux, packaged as a Docker container running SteamCMD and Wine with Xvfb for a headless runtime. A single ./windrose CLI handles setup, lifecycle, status, and updates, with all configuration driven from a .env file so there is no manual JSON editing. Anonymous SteamCMD validates the install on every container start, saves and config persist through bind-mounted volumes, and a healthcheck watches the server process. Backup and restore scripts handle retention, automated builds publish signed images to GHCR, and players join via in-game invite code so there is no port forwarding to deal with. Documentation site is published with Just the Docs.
Containerized game server for Enshrouded, built from scratch on ubuntu:22.04 with WineHQ and SteamCMD. Runs as non-root with semantic versioning and a GitHub Actions pipeline that publishes signed images to GHCR. Getting SteamCMD symlinks and Xvfb lock files to behave in a clean container was more fun than I expected.
A small reusable GitHub Action I wrote for syncing build artifacts to Azure Blob Storage. Published publicly so other folks can use it.
A serverless site on S3, CloudFront, Lambda, API Gateway, and DynamoDB, all provisioned through CloudFormation with least-privilege IAM and a proper deploy pipeline.
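To make "least-privilege IAM" concrete, here is an added CloudFormation fragment (example code written for this page, not the project's own template) with a Lambda execution role that can do exactly one DynamoDB operation on exactly one table. Resource names, the table key and the handler are placeholders.

```yaml
# Added example, not the project's template. Names and the handler are placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CounterTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: pk
          AttributeType: S
      KeySchema:
        - AttributeName: pk
          KeyType: HASH

  CounterFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs write access only.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: counter-table-update
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # The handler only calls UpdateItem, so that is the only action granted,
              # scoped to this table's ARN: no dynamodb:*, no Resource: "*", no index ARNs.
              - Effect: Allow
                Action: dynamodb:UpdateItem
                Resource: !GetAtt CounterTable.Arn

  CounterFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt CounterFunctionRole.Arn
      Environment:
        Variables:
          TABLE_NAME: !Ref CounterTable
      Code:
        ZipFile: |
          import os
          import boto3

          table = boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])

          def handler(event, context):
              # Atomic increment; the role cannot read, delete or scan the table.
              r = table.update_item(
                  Key={"pk": "visits"},
                  UpdateExpression="ADD #c :one",
                  ExpressionAttributeNames={"#c": "count"},
                  ExpressionAttributeValues={":one": 1},
                  ReturnValues="UPDATED_NEW",
              )
              return {"statusCode": 200, "body": str(r["Attributes"]["count"])}
```

The same discipline applies on the invoke side: the `AWS::Lambda::Permission` that lets API Gateway call the function should carry a `SourceArn` restricted to the one API and route, rather than allowing any `apigateway.amazonaws.com` principal in the account.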