Systems Engineering  ·  CompTIA Security+

Securing Systems
Understanding Why They Work

I create security-first, documented, production-grade infrastructure, where every architectural decision has a record and every incident has a post-mortem. The work can be found in my repository.

Explore my Projects

Lab Architecture

Read the Operations Log

Core capabilities and design principles behind a production-grade homelab, each with the reasoning behind the decision.

Network Security

  • OPNsense Edge Routing & Firewalling
  • VLAN Segmentation across 20+ endpoints
  • B.A.T.M.A.N. Advanced L2 Mesh
  • Suricata IDS/IPS

Untrusted IoT devices have no lateral movement path to operational systems. The L2 mesh is structurally decoupled from L3 routing — DHCP and firewalling remain solely on OPNsense, not on the mesh nodes themselves.

Observability

  • Loki · Grafana · Alloy · Prometheus
  • Centralized Log Aggregation
  • Cross-Service Alerting Pipelines
  • Suricata & Docker Integration

The LGAP stack provides unified telemetry across all bare-metal hosts, VMs, Docker stacks, and the OPNsense firewall. Deployed as a prerequisite to Wazuh XDR — security visibility requires log correlation before it requires detection.

Containerization

  • Modular Docker Compose Stacks
  • Ansible-Driven Provisioning
  • SOPS + age Secrets Management
  • Cloudflare Zero-Trust Ingress

All services are deployed from version-controlled configuration — not from memory. No inbound ports are open; all external access routes through Cloudflare Tunnels. Secrets never appear in plaintext in version control.
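The "no plaintext secrets in version control" rule is only as strong as the check that enforces it. As an added example (not code from the author's repository), the script below is a pre-commit style guard for a SOPS + age workflow: it refuses any secrets document whose leaf values are not SOPS `ENC[...]` ciphertext, whose `sops` metadata lacks an encrypted MAC, or whose age recipients are not on an approved list (which is how a stale or foreign key shows up after a rotation). It assumes secrets are stored as SOPS JSON (with PyYAML installed, `yaml.safe_load` output works with the same `check_sops_document` function); the recipient strings and sample documents are constructed placeholders, not real keys.

```python
"""Guard for SOPS-encrypted secrets files: fail if anything is committed in plaintext.

Added example for a SOPS + age workflow; not the project's own tooling.
"""
import json
import re
import sys
from typing import Any, Iterator

# SOPS writes every encrypted scalar as ENC[AES256_GCM,data:..,iv:..,tag:..,type:..].
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:(str|int|float|bool|comment)\]$"
)

# Constructed placeholder recipients (age public keys are 'age1' + 58 bech32 chars).
APPROVED_RECIPIENT = "age1" + "q" * 58
ROGUE_RECIPIENT = "age1" + "z" * 58
ALLOWED_RECIPIENTS = {APPROVED_RECIPIENT}


def iter_leaves(node: Any, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, value) for every scalar in a nested mapping/list document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_leaves(value, path + (str(index),))
    else:
        yield path, node


def check_sops_document(doc: Any, allowed_recipients: set) -> list:
    """Return a list of problems; an empty list means the document is safe to commit."""
    if not isinstance(doc, dict):
        return ["document is not a mapping"]
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["no 'sops' metadata block: file is not SOPS-encrypted"]

    problems = []
    # Every value outside the metadata block must be ciphertext.
    body = {k: v for k, v in doc.items() if k != "sops"}
    for path, value in iter_leaves(body):
        if not (isinstance(value, str) and ENC_RE.match(value)):
            problems.append(f"plaintext value at {'.'.join(path)}")

    # The MAC covers the whole file; a missing or plaintext MAC means tampering or a bad write.
    mac = meta.get("mac")
    if not (isinstance(mac, str) and ENC_RE.match(mac)):
        problems.append("sops.mac missing or not encrypted")

    # Only approved age recipients may be able to decrypt the file.
    recipients = [r.get("recipient") for r in (meta.get("age") or []) if isinstance(r, dict)]
    if not recipients:
        problems.append("no age recipients in sops metadata")
    for recipient in recipients:
        if recipient not in allowed_recipients:
            problems.append(f"unexpected age recipient {recipient}")
    return problems


def check_sops_json_file(path: str, allowed_recipients: set = ALLOWED_RECIPIENTS) -> list:
    """Load a SOPS JSON file and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_sops_document(json.load(fh), allowed_recipients)


# Constructed sample: what a correctly encrypted secrets document looks like.
ENCRYPTED_EXAMPLE = {
    "db_password": "ENC[AES256_GCM,data:AbCd,iv:EfGh,tag:IjKl,type:str]",
    "smtp": {
        "user": "ENC[AES256_GCM,data:MnOp,iv:QrSt,tag:UvWx,type:str]",
        "port": "ENC[AES256_GCM,data:Yz12,iv:3456,tag:7890,type:int]",
    },
    "sops": {
        "age": [{"recipient": APPROVED_RECIPIENT, "enc": "AGE-ENCRYPTED-FILE-KEY-PLACEHOLDER"}],
        "lastmodified": "2026-03-01T00:00:00Z",
        "mac": "ENC[AES256_GCM,data:Mm,iv:Nn,tag:Oo,type:str]",
        "version": "3.9.0",
    },
}

# Constructed sample: one value left in plaintext and a recipient nobody approved.
LEAKED_EXAMPLE = {
    "db_password": "hunter2",
    "smtp": dict(ENCRYPTED_EXAMPLE["smtp"]),
    "sops": {
        "age": [
            {"recipient": APPROVED_RECIPIENT, "enc": "AGE-ENCRYPTED-FILE-KEY-PLACEHOLDER"},
            {"recipient": ROGUE_RECIPIENT, "enc": "AGE-ENCRYPTED-FILE-KEY-PLACEHOLDER"},
        ],
        "mac": "ENC[AES256_GCM,data:Mm,iv:Nn,tag:Oo,type:str]",
        "version": "3.9.0",
    },
}

# Constructed sample: a file someone forgot to encrypt at all.
PLAINTEXT_EXAMPLE = {"db_password": "hunter2"}

if __name__ == "__main__":
    # Usage: python sops_guard.py secrets/*.json   (non-zero exit blocks the commit)
    failed = False
    for file_path in sys.argv[1:]:
        for problem in check_sops_json_file(file_path):
            print(f"{file_path}: {problem}")
            failed = True
    sys.exit(1 if failed else 0)
```

Wire `check_sops_json_file` into a pre-commit hook over the paths that `.sops.yaml` says must be encrypted, and keep `ALLOWED_RECIPIENTS` in the same repository so a key rotation is a reviewed change rather than a silent one.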

Data Integrity

  • BTRFS with CoW Semantics
  • Native Bit-Rot Protection
  • Snapshot Management via btrbk

BTRFS was chosen over ZFS specifically for native kernel support. In a frequent-update Arch environment, DKMS-based ZFS would be a reliability liability — kernel updates and out-of-tree modules don't belong in the same upgrade window.

Pre-Boot Security

  • LUKS Full-Disk Encryption
  • Six-Month Key Rotation Schedule
  • tinyssh Pre-Boot Remote Access
  • systemd-boot Fallback Snapshots

LUKS is enforced across all bare-metal systems; no two systems share a key. tinyssh enables remote LUKS unlock before the main SSH daemon initializes — a critical capability during disaster recovery when physical access isn't available.

Availability

  • Automated 3-2-1 Strategy
  • btrbk + rClone + AWS Glacier
  • Warm Failback Hardware

Cross-host SSH replication uses btrbk's restricted helper to limit key exposure. A 6-month Glacier rotation keeps offsite storage costs contained. Warm failback hardware with a validated rollback path means recovery is a procedure, not a crisis.

Profile & Credentials


Knowing something is not the same as understanding it.

I've been running Linux since before I had a reason to. What started as teenage curiosity, Linux forums and breaking things to see what happened, became the foundation that I've spent the last year formalizing: first in the form of certifications and learning, and then the homelab infrastructure that began in March.

The distinction I care about isn't between knowing the answer and not knowing it, but between knowing the answer and understanding why it works. When something breaks, and breaks in a novel way, you want the foundation to know where to start looking instead of desperately grasping for the manual. That is why I'm looking for a team where I can learn to bridge the gap between what I've been engineering and what real production-scale calls for.

My homelab features production-grade tooling built on a purposefully unstable core and a stable edge: a VLAN-segmented network on OPNsense, full-disk encryption across all bare-metal systems, an automated 3-2-1 backup pipeline, and a centralized observability stack, running on the Unstable branch of Arch Linux to introduce the instability that you can't be exposed to without real scale. Every architectural decision is captured as an ADR before or during implementation. Every incident has a post-mortem. While you can't simulate the collaboration of an enterprise environment when you work alone, you can build the habits that make it second nature. If this curiosity and desire to grow fits your team:

Get in touch

CompTIA Security+

Validates my ability to assess target networks, implement secure protocols, and establish baseline security postures across enterprise environments.

Verify Credential

Google Cybersecurity

Focused on SIEM log analysis, packet inspection, and writing Python automation to parse and respond to live security events.

Verify Credential

Google Network Security

A deep dive into defensive architecture, hardening edge routers, establishing secure VPNs, and enforcing Zero-Trust models.

Verify Credential

Operations Log

View on GitHub

My homelab is broken down into two phases. Before March 2026: move fast, break things. After March 2026: documentation-first, where every decision has a record before or during deployment. The Architecture Overview, ADRs, post-mortems, and incident reports live below. This is everything I thought I knew, what I realized I didn't understand, and how I bridged that gap.

View full repository

Let's Connect

I'm always happy to talk shop, whether it's infrastructure engineering, homelab architecture, or anything in between.

Contact Me

Open to systems administration and engineering roles where security is paramount.
NYC-based or Remote.