I build operations tooling for containerized infrastructure, networking, and DNS, designed to run anywhere from a homelab to production.
Monitors container images across one or many hosts and drives controlled, health-aware updates: semver-aware classification, one-click upgrades with live console output, and notifications via Slack, Discord, Telegram, SMTP, and webhooks. On-demand AI analysis summarizes what changed between your current and target version and flags breaking changes before you upgrade.
Brings encrypted DNS (DNSCrypt, DoH, Oblivious DoH, Anonymized DNS) to pfSense firewalls with a full management GUI. Signature-verified builds with SLSA provenance for supply-chain assurance.
Backs up, restores, and migrates Portainer stacks as plain, version-controllable Docker Compose files. Supports GitOps workflows, disaster recovery, and environment migration without all-or-nothing database snapshots.
I treat the pipeline as part of the product. Practices I apply across my projects and contributions:
- Default-deny GitHub Actions permissions (permissions: {}), with each job opting back into the least scope it needs.
- Third-party actions pinned to commit SHAs rather than mutable tags, to close supply-chain gaps.
- Layered scanning: secret detection (gitleaks), workflow auditing (actionlint, zizmor), dependency review, Dockerfile and image scanning (hadolint, Trivy), and CodeQL static analysis.
- Signed, attested release artifacts (SLSA provenance) so downstream users can verify what they install.
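As an added illustration (not code from any of the projects above), a small Python audit that checks a workflow file for the first two practices: a top-level default-deny permissions block and third-party actions pinned to a full commit SHA. The embedded workflow, its action names and the zero-filled SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (placeholder content, not a real project file):
# one step is pinned to a (placeholder) commit SHA, one uses a mutable tag,
# and the top-level default-deny permissions block is missing.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
DEFAULT_DENY_RE = re.compile(r"^permissions:\s*\{\}\s*$")


def audit_workflow(text):
    """Return a list of findings for a GitHub Actions workflow.

    Finding 1: no top-level 'permissions: {}' (token keeps default scope).
    Finding 2+: a 'uses:' reference whose version is not a 40-hex commit SHA,
    i.e. a mutable tag or branch that an upstream compromise could move.
    """
    findings = []
    lines = text.splitlines()
    # Top-level keys start at column 0; the default-deny block must be one.
    top_level = [ln for ln in lines if ln and not ln[0].isspace()]
    if not any(DEFAULT_DENY_RE.match(ln) for ln in top_level):
        findings.append("missing top-level 'permissions: {}' (default-deny)")
    for number, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action inside this repository, nothing to pin
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version.strip()):
            findings.append(f"line {number}: {action} uses mutable ref '{version}'")
    return findings
```

Running audit_workflow(SAMPLE_WORKFLOW) reports the missing default-deny block and the setup-node step pinned only to v4; the SHA-pinned checkout and the local action pass.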
Container operations · Encrypted DNS · Network security · Backup & migration · CI/CD supply-chain security