Infrastructure Automation at Scale.

Platform & DevOps Engineer — GitOps, Kubernetes, and end-to-end infrastructure automation.

From bare-metal provisioning with Terraform to self-healing Kubernetes clusters managed by ArgoCD. I build platforms that are declarative by design, secure by default, and automated end to end — this site runs on the very homelab it describes.

Engineering Philosophy

I treat infrastructure as a product. My focus is architecting resilient, production-ready systems where manual intervention is the exception, not the norm — from the OS layer up to application configuration, every piece is declarative and version-controlled.

Everything below runs in a single-operator homelab I built and operate as real infrastructure: bare-metal Proxmox hosts, an immutable Talos Kubernetes cluster, GitOps delivery via ArgoCD, a signed-and-attested CI supply chain, and custom tooling where off-the-shelf didn't fit. It's not a demo — it's the platform, and it's the proof.

23
Kubernetes apps
17
Helm charts
14
CI/CD components
18
Managed VMs / LXCs
6
GitOps repos

One Platform, Six Repos

The projects below aren't isolated demos — they're the moving parts of a single platform. Terraform, Ansible, and Komodo provision the physical layer: a dozen service hosts and the VMs of an immutable Talos Kubernetes cluster. On top of it, ArgoCD reconciles every workload from Git, pulling cosign-signed Helm charts from a private OCI registry and secrets sealed by a purpose-built Go CLI.

Two hub repos govern everything else: a CI/CD component catalog owns the pipeline logic every repo includes at a pinned version, and a central Renovate runner owns dependency policy for the whole estate. The same machinery publishes the proof — every repo passes through a sanitize-and-verify pipeline before being mirrored publicly to GitHub.

Diagram: how the six repos form one platform — provisioning, GitOps, delivery, and the two governance hubs
  • proxmox-infra — provisions every host — Terraform → Ansible → Komodo
  • argo-apps — runs the cluster — one ApplicationSet reconciles 23 apps from Git
  • helm-charts — delivers the workloads — 17 cosign-signed charts in an OCI registry
  • kryptos — seals the secrets — declarative YAML in, SealedSecrets out
  • ci-components — owns CI logic — 14 versioned components every pipeline includes
  • renovate — owns dependency policy — one runner updates the whole estate

Featured Projects

GitOps Kubernetes Platform

KubernetesArgoCDGitOpsTalosHelm

A self-healing, production-grade Kubernetes platform on immutable Talos Linux, managing the entire cluster state declaratively through ArgoCD with an app-of-apps pattern — 23 applications across four sync-wave tiers, all reconciled from Git.

  • One ApplicationSet, every app
  • Declarative from OS to app
  • Tiered rollout
KubernetesArgoCDHelmKustomizeTraefikLonghorncert-managerGo

Shared CI/CD Component Catalog

CI/CDGitLabSupply ChaincosignSBOM

A dedicated hub that publishes 14 versioned, typed-input GitLab CI/CD components — plus one shared toolchain image — consumed by every repo in the estate. Releases are cut automatically from Conventional Commits; every artifact is cosign-signed and ships a syft SBOM attestation.

  • One source of truth for CI
  • Automatic SemVer releases
  • Signed + attested by default
GitLab CIcosignsyfttrivygitleaksDockerRenovate

kryptos — Secret-Sealing CLI/TUI

GoKubernetesSecurityCLITUI

A from-scratch Go tool that turns declarative YAML secret configs into Kubernetes SealedSecrets. A cobra CLI plus a charm/huh TUI, with a two-pass derive engine, value generators, and a JSON schema for editor autocomplete — built to gate CI without cluster access.

  • Full-lifecycle CLI + TUI
  • Two-pass derive engine
  • Generators, not literals
Gocobracharm/huhSealedSecretsJSON Schemagoreleaser

Three-Phase Infrastructure as Code

TerraformAnsibleKomodoProxmoxIaC

Bare-metal to running services with a clean tool separation and live-state handoff: Terraform provisions, Ansible configures by reading Terraform state directly, and Komodo reconciles committed TOML to running Compose stacks on every push.

  • Strict phase separation
  • Live-state handoff
  • Push-to-reconcile services
TerraformTerragruntAnsibleKomodoProxmoxDocker Compose

OCI Helm Chart Registry

HelmOCICI/CDPython

17 custom Helm charts authored to a single consistent contract and published to an OCI registry, with a CI pipeline that validates every chart without a live cluster and signs each release with cosign.

  • One chart contract
  • Cluster-free validation
  • Idempotent, signed publishing
HelmOCI RegistryGitLab CIPythoncosignRenovate

Supply-Chain & Dependency Automation

RenovateAutomationSecurityPython

The estate's automation backbone: one centralized Renovate runner keeping every repo current, and a sanitized public-mirror pipeline that scrubs private repositories and force-pushes public GitHub mirrors behind a hard verification gate.

  • One runner for the estate
  • Low-risk auto-merge
  • Layered sanitization
RenovateGitLab CIPythongitleaks

What I Self-Host

A live catalog of services running on the cluster and the Proxmox hosts — all GitOps- or IaC-managed, TLS-terminated, and SSO-gated. (Hostnames are kept private.)

Platform & Infrastructure

  • ArgoCD — GitOps controller (self-managing)
  • Traefik — Ingress controller / edge router
  • cert-manager — Automatic wildcard TLS
  • MetalLB — L2 load balancer
  • Longhorn — Distributed block storage
  • Cloudflared — Cloudflare tunnel ingress
  • Harbor — OCI registry (images + charts)
  • Sealed Secrets — Secret encryption controller

Identity & Data

  • Pocket ID — OIDC identity provider
  • oauth2-proxy — ForwardAuth SSO gate
  • PostgreSQL — Shared relational database
  • Valkey — Cache / session store
  • Headlamp — Kubernetes dashboard
  • Bitwarden — Password manager

Productivity & Media

  • Joplin — Note-taking sync server
  • Memos — Lightweight notes
  • Actual — Budgeting & personal finance
  • DocuSeal — Document signing
  • Paperless-ngx — Document management
  • PrivateBin — Encrypted pastebin
  • SearXNG — Privacy metasearch engine

AI & Self-Hosted Tooling

  • Open WebUI — Multi-model AI chat front-end
  • LiteLLM — LLM proxy / gateway
  • Semaphore — Ansible / Terraform UI
  • Komodo — Compose deployment control plane
  • AdGuard Home — Network-wide DNS filtering (HA pair)
  • Technitium — Authoritative DNS (HA pair)

Technical Skills

Container Orchestration

KubernetesTalos LinuxDockerDocker Compose

GitOps & CI/CD

ArgoCDHelmKustomizeGitLab CI/CDCI/CD ComponentsRenovate

Infrastructure as Code

TerraformTerragruntAnsibleKomodoProxmox VE

Supply-Chain Security

cosignsyft / SBOMtrivygitleaksSealedSecrets

Networking & Ingress

TraefikMetalLBCloudflare Tunnelcert-managerLet's Encrypt TLS

Identity & Access

Pocket ID (OIDC)oauth2-proxyForwardAuth SSOAnsible Vault

Storage & Data

LonghornPostgreSQLValkey

Observability

Metrics ServerResource metrics

Languages & Scripting

GoPythonBashYAML

Cloud & Platforms

AzureCloudflareHarbor (OCI)GitLab

Version Control

GitGitLabGitHub

Certifications

Azure Administrator Associate

Microsoft

Issued: August 2025

Credential ID: 86F88C248C92836B

Get in Touch

Interested in discussing platform engineering, GitOps, or infrastructure automation? Let's talk.