I build operations tooling for containerized infrastructure, networking, and DNS, designed to run anywhere from a homelab to production.
Monitors container images across one or many hosts and drives controlled, health-aware updates: semver-aware classification, one-click upgrades with live console output, and notifications via Slack, Discord, Telegram, SMTP, and webhooks. The middle ground between risky auto-updates and manual patching.
Brings encrypted DNS (DNSCrypt, DoH, Oblivious DoH, Anonymized DNS) to pfSense firewalls with a full management GUI. Signature-verified builds with SLSA provenance for supply-chain assurance.
Backs up, restores, and migrates Portainer stacks as plain, version-controllable Docker Compose files. Supports GitOps workflows, disaster recovery, and environment migration without all-or-nothing database snapshots.
I treat the pipeline as part of the product. Practices I apply across my projects and contributions:
- Default-deny GitHub Actions permissions (`permissions: {}` at the workflow level), with each job opting back into the least scope it needs.
- Third-party actions pinned to commit SHAs rather than mutable tags, so a retagged or compromised upstream action cannot silently change what runs in the pipeline.
- Layered scanning: secret detection (gitleaks), workflow auditing (actionlint, zizmor), dependency review, Dockerfile and image scanning (hadolint, Trivy), and CodeQL static analysis.
- Signed, attested release artifacts (SLSA provenance) so downstream users can verify that what they install was built from the published source by the project's own pipeline, not substituted somewhere in between.
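The first two practices are easy to state and easy to let slip, so the check worth having is a linter that fails the build when either regresses. The script below is an added example written for this page, not code from any of the projects above or from actionlint/zizmor: it audits a workflow for a top-level `permissions: {}` and for `uses:` references pinned to a 40-hex commit SHA (or a `sha256:` digest for container actions). The two embedded workflows are constructed samples, the all-zero SHA in the hardened one is a placeholder standing in for a real commit, and the parser is deliberately line-based (no PyYAML dependency) under the assumption of conventional 2-space indentation, which is what actionlint-clean workflows use.

```python
import re

# Constructed sample: the "before" workflow. Inherits the repository's default
# token scopes and floats on mutable tags that the upstream can move at any time.
WEAK_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/build-push-action@v5
"""

# Constructed sample: the "after" workflow. Default-deny at the top, the job
# opts back into read-only contents, and every third-party action is SHA-pinned.
# The all-zero SHA is a placeholder; a real pin is the commit the tag resolves to,
# kept beside a comment naming the tag so reviewers can read it.
HARDENED_WORKFLOW = """\
name: ci
on: [push]
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x (placeholder SHA)
      - uses: ./.github/actions/local-step
"""

TOP_PERMS = re.compile(r"^permissions:\s*(.*?)\s*$")
JOB_NAME = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")
JOB_PERMS = re.compile(r"^    permissions:\s*(.*?)\s*$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s]+)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")


def check_uses(lineno: int, ref: str) -> list[str]:
    """Findings for one `uses:` reference; empty list means it is acceptably pinned."""
    if ref.startswith("./"):
        return []  # local action, versioned with the repository itself
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return []
        return [f"line {lineno}: container action '{ref}' not pinned by digest"]
    if "@" not in ref:
        return [f"line {lineno}: '{ref}' has no ref at all (floats to the default branch)"]
    name, version = ref.rsplit("@", 1)
    if SHA40.match(version):
        return []
    return [f"line {lineno}: '{name}' pinned to mutable ref '{version}', not a commit SHA"]


def audit_workflow(text: str) -> list[str]:
    """Return a list of findings for the workflow text; an empty list means it passes."""
    findings: list[str] = []
    top_perms = None
    in_jobs = False
    current_job = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments such as "# v4.x"
        if not line.strip():
            continue
        if line == "jobs:":
            in_jobs = True
            continue
        if not line.startswith(" "):  # any other top-level key
            in_jobs = False
            m = TOP_PERMS.match(line)
            if m:
                top_perms = m.group(1)
            continue
        if in_jobs:
            m = JOB_NAME.match(line)
            if m:
                current_job = m.group(1)
                continue
            m = JOB_PERMS.match(line)
            if m and "write-all" in m.group(1):
                findings.append(f"line {lineno}: job '{current_job}' grants write-all")
        m = USES.match(line)
        if m:
            findings.extend(check_uses(lineno, m.group(1)))
    if top_perms != "{}":
        findings.insert(0, "workflow: top-level 'permissions: {}' (default-deny) is not set")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{label}]")
        for f in audit_workflow(wf) or ["OK: default-deny permissions, all actions pinned"]:
            print("  " + f)
```

Run as a pre-commit hook or an early CI step it turns the two list items into a gate: the weak sample produces three findings (missing default-deny, two mutable tags) and the hardened one produces none. actionlint and zizmor cover far more than this (expression injection, cache poisoning, template injection), so treat this as the minimal check that encodes the policy, not a replacement for them.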
Container operations · Encrypted DNS · Network security · Backup & migration · CI/CD supply-chain security