Infrastructure Engineer // Full Stack

Systems that scale,
security that holds.

I build what doesn't exist
and harden what does.

I design and build production infrastructure for organizations that can't afford downtime. Zero-trust networking, container orchestration, observability pipelines, and custom application development when nothing off the shelf fits.

If a good tool exists and it's mature enough for production, I'll use it. If it doesn't exist, I write it. Python, Rust, C, JavaScript, whatever the problem calls for. Custom PCB design, container orchestration, full stack web apps. I don't stay in one lane.

70+ Production Containers
99.9% Uptime Target
100TB+ Data Under Management
24/7 Automated Monitoring

Infrastructure that serves its operators

I build infrastructure that serves its owner

Most infrastructure ends up designed around the vendor's interests. I build it around yours.

Most infrastructure tends to serve the vendor first and the operator second. I build it the other way around.

Defense in depth is the starting point, not something bolted on later. Every layer assumes the one above it has been compromised. Least privilege everywhere: every process gets the minimum access it needs and nothing more. Edge nodes hold nothing of value. Sessions expire and tokens rotate. Secrets never touch disk without encryption.

Every layer assumes the one above it is already compromised. Edge nodes are intentionally stateless. If someone gets a subpoena to your VPS provider, they get nothing useful. Sessions expire and tokens rotate. Secrets don't hit disk unencrypted. Your data lives on hardware you physically control.

If a mature open source tool solves the problem, I use it. When the right tool doesn't exist, I build it. Database, API, UI, deployment pipeline. Everything ships with documentation the next person can actually follow.

I evaluate tools honestly. If something open source is mature and does the job, I deploy it. But quite often nothing on the shelf actually solves the problem. The memory system my AI agents use, the orchestration platform, the IoT controllers in my house. Those all exist because the gap was real and nobody had filled it. And they're documented well enough that someone else could maintain them.

The end result is infrastructure that stays up, stays secure, and actually belongs to you.

The end result is infrastructure you actually own and understand, top to bottom.

Zero-Trust First

No implicit trust between tiers. Access narrows at every layer.

Nothing gets trusted by default. Access narrows at every layer.

Observable

If it runs, it's monitored. If it fails, you know first.

If it's running, it's being monitored. If something breaks, I'll know before you do.

Full Stack

Build What's Missing

Custom applications when off-the-shelf doesn't cut it.

When the right tool doesn't exist, I write it. From hardware to UI.

Resilient

Designed to survive failures, not just avoid them.

Designed to keep running when things go wrong at 3am.

Production-tested technologies

What I actually use, daily

Tools I use daily to build and run production infrastructure. Nothing here is padding.

Everything listed here is something I've put into production, maintained, or built myself. I don't list tools I've only read the docs for.

Infrastructure

  • Linux Systems Administration
  • Docker & Container Orchestration
  • Traefik Reverse Proxy & TLS
  • Tailscale Mesh Networking
  • Virtualization & Sandboxing

Security

  • Zero-Trust Architecture
  • Defense in Depth
  • Network Isolation & Segmentation
  • LUKS Encryption & Hardware Tokens
  • CrowdSec & Authentik IdP

Observability

  • Prometheus Metrics
  • Grafana Dashboards
  • Loki Log Aggregation
  • Alertmanager
  • Incident Response & Post-Mortems

Full Stack Development

  • Python, Rust, C
  • JavaScript & TypeScript
  • Bash & Shell Scripting
  • REST API Design
  • Database Design & SQL

Custom Applications

  • Container-Native Development
  • FastAPI & Flask
  • Git & CI/CD Pipelines
  • Build-vs-Buy Evaluation

IoT & Hardware

  • Custom PCB Design & Fabrication
  • ESP8266/ESP32 & ESPHome
  • Firmware Development
  • Home Assistant Integration

Systems I've built and operate

Production systems running right now

Systems I designed, deployed, and still operate.

I built these, deployed them, and keep them running. They're in production right now.

02

Container Infrastructure

70+ containers across multiple Docker Compose stacks with health checks, auto-restart, automated updates, and custom images. Prometheus, Loki, and Grafana handle metrics, logs, and dashboards. Alertmanager handles notifications when something breaks. Every incident gets a post-mortem.

70+ containers across multiple Compose stacks. I build custom images, write health checks, handle automated updates, and run a full PLG observability stack. Prometheus for metrics, Loki for logs, Grafana for dashboards, Alertmanager for notifications. Every incident gets tracked and reviewed. Everything's monitored and aggregated.

Docker, Prometheus, Grafana, Loki

03

AI Agent Platform

Orchestration platform for AI coding agents. Git webhooks trigger isolated workspaces per task. Each agent has persistent memory with semantic search and can open PRs automatically. Written in Python, top to bottom.

I built this because nothing like it existed. Git webhooks trigger AI agents in isolated workspaces. Each agent has persistent memory with semantic search, a system I also wrote from the ground up. They open PRs, review code, and run automated patrols. The entire back office is custom software.

Python, FastAPI, SQLite, REST API

04

Identity & Access Management

SSO across 20+ services via OIDC/SAML. Hardware FIDO2 tokens for MFA. Automated provisioning and deprovisioning. One identity provider controls access to everything.

SSO across 20+ services via OIDC/SAML. Hardware FIDO2 tokens for MFA. No TOTP, no SMS, no phishing surface. One identity provider controls access to everything. Revoke an account and it's locked out everywhere instantly.

Authentik, OIDC, FIDO2, LDAP

05

Custom IoT Hardware

Custom-designed PCB with 5-channel MOSFET-driven voltage regulation, buck converter power supply, current sensing with analog comparator, and ESP8266 microcontroller. Fabricated via JLCPCB, running ESPHome firmware integrated with Home Assistant.

Designed the schematic, laid out the PCB, had it fabbed by JLCPCB. 12V input, buck converter to 5V, linear reg to 3.3V for the ESP8266. Five MOSFET-driven PWM outputs with smoothing, supports up to 30V DC. Built-in current sensing via comparator to the ESP's ADC. Runs ESPHome firmware, talks to Home Assistant over WiFi. Deployed throughout the house controlling LED strips.

PCB Design, ESP8266, ESPHome, C, Home Assistant
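As an added illustration (not the author's actual firmware), this is how an ESPHome configuration for a board like the one described above could look: five PWM channels exposed as dimmable lights and the comparator output read through the ESP8266's ADC. The board type, GPIO assignments, ADC scaling factor and secret names are assumptions.

```yaml
# Illustrative ESPHome config for a 5-channel ESP8266 LED controller.
# Not the page author's firmware; board, pins and calibration are assumed.
esphome:
  name: led-controller

esp8266:
  board: d1_mini            # assumed: any ESP8266 board with A0 broken out

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password   # credentials live in secrets.yaml, not in git

api:
  encryption:
    key: !secret api_key    # encrypted native-API link to Home Assistant

ota:
  - platform: esphome
    password: !secret ota_password  # firmware updates require this password

logger:

# One PWM output per MOSFET-driven channel (GPIO assignments assumed).
output:
  - {platform: esp8266_pwm, pin: D1, id: ch1, frequency: 1000 Hz}
  - {platform: esp8266_pwm, pin: D2, id: ch2, frequency: 1000 Hz}
  - {platform: esp8266_pwm, pin: D5, id: ch3, frequency: 1000 Hz}
  - {platform: esp8266_pwm, pin: D6, id: ch4, frequency: 1000 Hz}
  - {platform: esp8266_pwm, pin: D7, id: ch5, frequency: 1000 Hz}

# Each channel appears in Home Assistant as a dimmable light; the transition
# fades in software on top of the RC smoothing on the board itself.
light:
  - {platform: monochromatic, name: "Strip 1", output: ch1, default_transition_length: 500ms}
  - {platform: monochromatic, name: "Strip 2", output: ch2, default_transition_length: 500ms}
  - {platform: monochromatic, name: "Strip 3", output: ch3, default_transition_length: 500ms}
  - {platform: monochromatic, name: "Strip 4", output: ch4, default_transition_length: 500ms}
  - {platform: monochromatic, name: "Strip 5", output: ch5, default_transition_length: 500ms}

# Current sensing: the comparator stage feeds A0. The multiply filter is an
# assumed calibration (volts at the ADC pin -> amps through the load).
sensor:
  - platform: adc
    pin: A0
    name: "Load Current"
    unit_of_measurement: "A"
    accuracy_decimals: 2
    update_interval: 5s
    filters:
      - multiply: 3.0       # assumed: 1.0 V at A0 corresponds to 3 A
```

Keeping Wi-Fi, API and OTA secrets behind `!secret` means the config itself can be committed while the credentials stay out of the repository, which matches the "secrets never touch disk unencrypted" stance the page describes for its servers.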

Measured outcomes

The numbers behind the work

Problem, approach, result. From my own production infrastructure.

I run all of this myself. These aren't hypothetical architectures.

01

Sovereign Edge Migration

Cloud-hosted infrastructure with data on third-party servers, growing VPS costs, and vendor lock-in risk. Moved all data and compute on-premises. VPS nodes reduced to stateless L4 relays with WireGuard mesh for encrypted transit. VPS bill cut by over 50%. Zero plaintext on any external node. Can swap providers in hours, not weeks.

Was paying too much for VPS hosting and my data lived on someone else's hardware. Moved everything on-prem, turned the VPS nodes into dumb L4 relays. WireGuard encrypts everything in transit. Cut the VPS bill by over 50%. If a provider gets weird, I migrate in hours. They never had my data anyway.

Tailscale, WireGuard, Traefik

02

Identity Consolidation

Separate credentials for 20+ services with manual user management. Deployed Authentik as central identity provider with OIDC/SAML integration and hardware FIDO2 tokens for MFA. One account controls access to everything. Disable it once, locked out everywhere instantly. Zero phishable authentication surface.

Had 20+ services with separate logins. Rolled out Authentik as the single identity provider. OIDC and SAML for every service that supports it. Hardware FIDO2 keys for MFA. No TOTP, no SMS, nothing phishable. Kill one account and every door closes at once.

Authentik, OIDC, FIDO2

03

AI-Augmented Operations

Manual code review, no automated patrol, and repetitive ops tasks consuming hours. Built a custom agent platform with persistent memory, semantic search, webhook triggers, and isolated workspaces. Agents now open PRs, run security patrols, and generate daily briefings. One person manages 70+ containers with AI handling the routine work.

I was spending too many hours on routine ops. Built an agent platform from scratch: persistent memory with semantic search, webhook-triggered workspaces, automated PR creation. The agents run security patrols, review code, and produce daily briefings. I manage 70+ containers and the AI handles the repetitive grind.

Python, FastAPI, Claude

Have a project?

Interested?

I'm available for freelance infrastructure work and consulting. If you need systems that run reliably without constant attention, I'd like to hear about it.

Available for freelance work and consulting. If you need someone who can build things that work and explain why they work, send me an email.

You found the Konami code.

So you're the type who views source and tries things to see what happens. That tells me quite a bit about you.

The other side of this site is accurate. Nothing on it is made up. But it's wearing its interview clothes. This side is closer to how I actually think about the work.

I've been building and running my own infrastructure for years. A good chunk of it is off-the-shelf open source. Traefik, Docker, Prometheus, Authentik. When a mature tool exists and it does the job, I use it. I'm not going to rewrite Nginx for the sake of it. But quite often, nothing on the shelf actually solves the problem. The AI agent platform, the persistent memory system with semantic search, the custom IoT hardware throughout my house. Those all started as gaps nobody else had filled.

My security model is straightforward: every layer assumes the one above it is already compromised. Edge nodes are stateless on purpose. Data lives on hardware you physically possess. If a provider disappears tomorrow or triples their pricing, your infrastructure keeps running.

I'm honest about tradeoffs. I'd rather suggest a simpler approach upfront than let scope creep eat your budget. I build what's actually needed, document what matters, and stick around after deployment.

If any of that sounds useful, my email's right above this.