Infrastructure Automation at Scale.

DevOps Engineer & Architect specializing in GitOps, Kubernetes, and End-to-End Platform Engineering.

Integrating enterprise-grade reliability into autonomous systems. From bare-metal provisioning with Terraform to self-healing Kubernetes clusters managed via ArgoCD. I build platforms that are secure by design, idempotent by nature, and fully automated.

Engineering Philosophy

I treat infrastructure as a product. My expertise lies in architecting resilient, production-ready systems where manual intervention is an exception, not the norm.

Leveraging the GitOps maturity model, I design systems where the entire state—from the OS layer to application configuration—is declarative and version-controlled. My work bridges the gap between complex distributed systems and developer experience, ensuring that extensive automation translates to tangible stability and speed.

Featured Projects

Proxmox Infrastructure as Code

Terraform Ansible GitLab CI/CD Talos Linux GitOps

A comprehensive Infrastructure-as-Code (IaC) solution orchestrating the full lifecycle of heterogeneous compute resources (LXC, Linux VMs, Windows VMs) and a production-grade Talos Linux Kubernetes cluster.

Key Technical Highlights

  • Three-Phase Workflow: strict separation of concerns between Terraform (VM provisioning via the Proxmox API), Ansible (Talos cluster lifecycle via talosctl), and GitLab CI/CD (Docker service deployment).
  • Immutable Kubernetes OS (Talos Linux): API-only cluster management with no SSH access. All node configuration is declarative via machine config patches (common.yaml, controlplane.yaml, worker.yaml) applied through talosctl.
  • High Availability: 6-node cluster consisting of 3 control planes (2 vCPU, 4 GB RAM, 50 GB disk each) with a Layer 2 VIP at 10.40.0.40 backed by a 3-node etcd quorum, and 3 workers (4 vCPU, 6 GB RAM, 100 GB disk each) for workloads.
  • 13 Ansible Playbooks: Full Talos cluster lifecycle coverage — generate-configs, apply-configs, bootstrap, apply-rbac, configure-workload-tiers, verify, diagnostics, upgrade, reboot, shutdown, startup, health-check, and reset.
  • 9-Stage CI/CD Pipeline: Includes ShellCheck linting, pre-flight infrastructure checks, automated backups, and checksum-based idempotency to skip unchanged services.

Technologies

Terraform Ansible Proxmox Talos Linux Docker GitLab CI

Architecture Overview

```mermaid
flowchart LR
    A[Terraform<br/>Proxmox API] -->|Provisions VMs| B[Ansible<br/>talosctl]
    B -->|Bootstraps| C[GitLab CI/CD<br/>9-Stage Pipeline]
    A -->|Creates Infrastructure| A1["• LXC Containers<br/>• Linux / Windows VMs<br/>• Talos Linux VMs<br/>• Auto-generate inventory"]
    B -->|Talos Lifecycle| B1["• Generate & apply configs<br/>• Bootstrap etcd cluster<br/>• Apply RBAC + workload tiers<br/>• Upgrade / reboot / reset<br/>• Health-check & diagnostics"]
    C -->|Docker Services| C1["• Auto-detect changed services<br/>• Validate + pre-flight checks<br/>• Automated backup<br/>• Deploy with health verify<br/>• Idempotent (checksum-based)"]
```

Enterprise Kubernetes Homelab

Kubernetes ArgoCD Golang Keycloak OAuth2 GitLab CI/CD

A self-healing, production-grade Kubernetes platform running on Talos Linux, implementing the "App-of-Apps" GitOps pattern to manage the entire cluster state declaratively via ArgoCD.

Key Technical Highlights

  • Advanced GitOps Pattern: Utilizes ArgoCD ApplicationSets with Git directory generators for "zero-touch" onboarding of new applications.
  • Custom Tooling (kryptos): Developed a custom Go CLI to handle secret lifecycle management, generating SealedSecrets with strong encryption and validation.
  • Resiliency: Features fully automated monitoring, ingress management (Traefik), and distributed storage (Longhorn).
  • 100% Declarative: Every component, from the Talos OS machine config patches to the 13 deployed applications across 14 infrastructure components, is defined in Git and reconciled by ArgoCD.
  • Enterprise SSO: Implemented Keycloak-based identity management with OAuth2-Proxy middleware for centralized authentication across multiple applications via the OIDC protocol.
  • Integrated CI/CD: GitLab Runner with Kubernetes executor and Garage S3-compatible object storage for distributed cache, enabling scalable container builds.

Technologies

Talos Linux ArgoCD Kubernetes Helm Traefik Kustomize Sealed Secrets Go Keycloak OAuth2-Proxy GitLab Runner Valkey Garage S3

Architecture Overview

```mermaid
flowchart TB
    Git[Git Repository<br/>argo-apps] --> ArgoCD[ArgoCD<br/>GitOps Controller]
    ArgoCD --> AppSet[ApplicationSet<br/>Git Directory Generator]
    AppSet -->|Auto-discovers| Apps[Applications<br/>apps/*]
    Apps --> Infra[Infrastructure Layer]
    Apps --> Services[Application Layer]
    Infra --> Traefik[Traefik Ingress]
    Infra --> Cert[cert-manager]
    Infra --> Storage[Longhorn Storage]
    Services --> App1[Keycloak SSO]
    Services --> App2[GitLab Runner]
    Services --> App3[FreshRSS]
    Services --> App4[pgAdmin]
    Services --> App5[11 More...]
```

OCI Helm Chart Registry

Helm OCI Registry Python CI/CD Semantic Versioning

A production-ready OCI-compliant Helm chart registry designed for modularity, testing, and secure distribution.

Key Technical Highlights

  • Modern Distribution: Charts are packaged and published to an OCI registry, following modern Helm v3 standards.
  • Cluster-Free Testing: Innovative CI pipeline that renders charts with helm template and checks the rendered output with PyYAML, ensuring correctness without requiring a live K8s cluster.
  • Idempotent Publishing: Automated pipelines with smart version detection (Semantic Versioning) to prevent overwrite conflicts and ensure release integrity.
  • Catalog: Maintains 11+ custom-built production charts including complex stateful applications (PostgreSQL, generic microservices).

Technologies

Helm OCI Registry GitLab CI Renovate Python

CI/CD Pipeline

```mermaid
flowchart LR
    charts[charts/<br/>Chart.yaml<br/>values.yaml<br/>templates/]
    gitlab[GitLab CI<br/>5-stage<br/>pipeline]
    validate[Validate<br/>Package<br/>Publish<br/>helm template<br/>+ PyYAML]
    registry[OCI Registry<br/>homelab/<br/>helm-charts]
    charts --> gitlab --> validate --> registry
```

Enterprise Network Architecture

OPNsense VLANs Windows Server Active Directory WireGuard

A production-grade network infrastructure implementing enterprise security patterns with VLAN segmentation, dual-DC Active Directory, and secure remote access.

Key Technical Highlights

  • Network Segmentation: 6 VLANs isolating management, infrastructure, services, IoT, guest, and DMZ networks with strict firewall rules between zones.
  • High Availability: Dual-DC Windows Server 2016 deployment providing redundant DNS, DHCP, and Active Directory services across the entire infrastructure.
  • Security-First Design: OPNsense firewall with stateful packet filtering, CrowdSec IPS for collaborative threat intelligence, and comprehensive logging for all inter-VLAN traffic.
  • Remote Access: WireGuard VPN for secure, high-performance remote administration with automatic DNS resolution for all internal services.

Technologies

OPNsense Windows Server Active Directory WireGuard VLANs

Network Topology

```mermaid
flowchart TB
    Internet[Internet] --> OPNsense[OPNsense Firewall<br/>Stateful Firewall + IDS/IPS]
    OPNsense --> VLAN10[VLAN 10 - Management<br/>10.10.0.0/24]
    OPNsense --> VLAN20[VLAN 20 - Infrastructure<br/>10.20.0.0/24]
    OPNsense --> VLAN30[VLAN 30 - Storage<br/>10.30.0.0/24]
    OPNsense --> VLAN40[VLAN 40 - Services<br/>10.40.0.0/24]
    OPNsense --> VLAN50[VLAN 50 - IoT<br/>10.50.0.0/24]
    OPNsense --> VLAN60[VLAN 60 - Guest<br/>10.60.0.0/24]
    VLAN10 --> DC1[Windows Server DC1<br/>AD + DNS + DHCP]
    VLAN10 --> DC2[Windows Server DC2<br/>AD + DNS + DHCP]
    VLAN40 --> Talos[Talos Linux Cluster<br/>6 nodes · VIP 10.40.0.40]
    VLAN10 --> Admin[Admin Access]
    Admin -. VPN .- WG[WireGuard VPN]
```

Technical Skills

Cloud Platforms

AWS Azure GCP Proxmox VE

Infrastructure as Code

Terraform Ansible

Container Orchestration

Kubernetes Talos Linux Docker Podman

GitOps & CI/CD

ArgoCD Helm GitLab CI Azure DevOps Renovate

Networking & Security

Traefik OPNsense CrowdSec VLANs WireGuard Windows Server Keycloak OAuth2-Proxy

Storage & Databases

Longhorn PostgreSQL Valkey Garage S3

Security & Identity

Entra ID SSO/SAML/SCIM Multi-Cloud IAM Sealed Secrets TLS Keycloak OIDC

Enterprise Platforms

Atlassian Stack Bitwarden Docker Swarm

Monitoring

Prometheus Grafana

Languages & Scripting

Bash Python Go YAML

Version Control

Git GitLab GitHub

Certifications

Azure Administrator Associate

Issuer: Microsoft

Issued: August 2025

Credential ID: 86F88C248C92836B

Get in Touch

Interested in discussing infrastructure automation, GitOps, or DevOps best practices? Feel free to reach out!