Principal DevOps Engineer · Platform Engineering · AI

Infrastructure should build itself.

I build platforms that manage themselves and write about what AI actually changes in DevOps.

  • Self-operating platforms with GitOps and automation
  • AI in DevOps, from pipeline generation to deployment triage
  • Platform engineering, cloud infra, and the tools I actually use
  • Everything built in public, homelab to production
Rico Twesten-Weber

Projects

K3s Homelab Cluster

live

Kubernetes on a Raspberry Pi 5 cluster, managed entirely through FluxCD. Automated TLS with cert-manager, network segmented via Ubiquiti VLANs.

  • Push to main, FluxCD reconciles within 60 seconds. No manual deploys.
  • TLS certificates rotate automatically through Let's Encrypt and cert-manager
  • Separate VLANs for IoT, lab, and management traffic
K3s · FluxCD · Helm · cert-manager · Ubiquiti · Raspberry Pi

GitOps Platform Engine

active

Every feature branch gets its own isolated environment via Azure DevOps Pipelines. Environments spin up on push and tear down on merge.

  • Branch-based environments with automatic provisioning and teardown
  • Azure Workload Identity federation, so zero credentials live in pipelines
  • Helm chart templating with per-environment value overlays
Azure DevOps · Docker · GitOps · Helm · Workload Identity

AI Pipeline Orchestrator

active

Claude Code generates pipeline configs, reviews Helm charts, and triages deployment failures. An automation layer for the repetitive parts of infrastructure work.

  • Pipeline YAML generated with org-specific conventions baked in
  • Helm chart review that catches misconfigs before they reach staging
  • Deployment failure triage with fix suggestions pulled from build logs
Claude Code · Azure Pipelines · Python · Helm · AI

Paperless Infrastructure Stack

live

Paperless-ngx running on Kubernetes, backed by Synology NAS storage. Documents get ingested automatically, and the whole config is GitOps-managed.

  • Documents go from network scanner to classified archive without manual steps
  • Persistent storage on Synology NAS with Samba-backed Kubernetes volumes
  • The entire infrastructure is recreatable from a single Git repo
Paperless-ngx · K3s · Synology · Docker Compose · Samba

Infrastructure Monitoring Stack

active

Prometheus, Grafana, and Loki running on the K3s cluster. Centralized metrics, dashboards, and log aggregation for every homelab service.

  • Unified dashboards for all services with auto-discovery via ServiceMonitor CRDs
  • Alert rules with Slack integration for disk, CPU, and pod restart thresholds
  • Log aggregation through Loki with 30-day retention and label-based queries
Prometheus · Grafana · Loki · K3s · Alerting

Automated Security Hardening

active

CrowdSec and Traefik Bouncer protecting the homelab cluster. Community-driven threat intelligence with automatic IP blocking at the ingress layer.

  • Community threat intelligence feeds block known malicious IPs before they hit services
  • Traefik Bouncer enforces ban decisions at the reverse proxy, zero app-level changes needed
  • Dashboard tracks blocked requests, attack patterns, and geographic distribution
CrowdSec · Traefik · Security · K3s

Multi-Env Helm Chart Library

live

A shared library of Helm charts with environment-specific value overlays. One chart interface across dev, staging, and production for every service.

  • Unified chart interface for all microservices with sane defaults and per-service overrides
  • Environment overlays for dev, staging, and prod without chart duplication
  • Automated chart testing with helm-unittest and schema validation in CI
Helm · Kubernetes · GitOps · Template Library

Restic Backup Orchestration

live

Automated, encrypted backups for every homelab service. Restic handles deduplication and encryption, CronJobs handle scheduling, Synology NAS handles storage.

  • Daily incremental backups with client-side encryption and deduplication
  • Retention policy: 7 daily, 4 weekly, 6 monthly snapshots pruned automatically
  • Restore tests run as a weekly CronJob in the cluster to catch silent failures
Restic · Backup · Synology · Automation · CronJob

OpenTofu Landing Zone

active

Azure Landing Zone provisioned entirely with OpenTofu. Hub-spoke networking, identity, policy assignments, and resource groups as code.

  • Hub-spoke network topology with peering, DNS forwarding, and NSG rules
  • Azure Policy-as-Code for compliance guardrails across all subscriptions
  • Modular structure with reusable child modules for networking, identity, and compute
OpenTofu · Azure · IaC · Landing Zone · Networking

Portfolio Website

live

This site. SvelteKit with static adapter, mdsvex for the blog, Tailwind v4 for styling. Fully prerendered, deployed to Cloudflare Pages.

  • Svelte 5 runes with mdsvex compiling Markdown posts to Svelte components
  • Tailwind v4 with semantic color tokens and automatic dark mode
  • Lighthouse 100/100 across all categories
SvelteKit · Tailwind · TypeScript · SSG · Cloudflare

Got a project in mind?

I'm always up for a good conversation about platforms, automation, or DevOps. Book a call.

© 2026 Rico Twesten-Weber