A showcase of my journey building resilient infrastructure and automating workflows.

πŸ›‘οΈ Ez-Lab: Cloud-Native Edge Infrastructure

Infrastructure as Code / DevSecOps / GitOps

Architected and provisioned a resilient, bare-metal microservices environment on a Raspberry Pi 5. This project operates as a production edge cluster protected by Zero Trust principles and automated delivery pipelines.

  • Architecture & Orchestration: Docker Compose managing the *Arr Stack, internal APIs, and Pi-hole for network-wide DNS filtering.
  • CI/CD & GitOps: Automated a zero-downtime software delivery pipeline utilizing GitHub Actions and Watchtower to build, push to a private registry (GHCR), and deploy cross-platform containers.
  • Zero Trust Security: Secured internal network traffic and bypassed ISP CGNAT by deploying Cloudflare Tunnels and Tailscale mesh VPNs, successfully eliminating public-facing open ports.
  • Observability & Chaos Engineering: Deployed Prometheus and Grafana for real-time cluster telemetry and visualization, alongside custom Chaos Agents simulating container failures to validate auto-recovery policies.
  • Status: Production 🟢

📸 Live Infrastructure Status (Portainer)

Portainer Dashboard Production

Tech Stack: Docker, GitHub Actions, Cloudflare Zero Trust, Python, Linux, Bash, Prometheus, Grafana

🔗 View Repository


☁️ MyssTic Warden: Enterprise AWS Architecture

Infrastructure as Code / Event-Driven / Zero Trust

Designed and provisioned a highly available, event-driven AWS architecture from scratch using Terraform, focusing on immutable infrastructure, configuration management, and automated incident response.

  • IaC & Remote State: Fully managed via Terraform with state locked in DynamoDB and encrypted in S3 (AES-256).
  • Shift-Left Security & IAM: Enforced security compliance via Checkov and Trufflehog directly in the pipeline. Replaced all static deployment credentials with secure AWS OIDC (OpenID Connect) federation.
  • Configuration Management: Standardized base setups and system packages securely across AWS instances utilizing automated Ansible playbooks.
  • Zero Trust Networking: Custom VPC architecture isolating public DMZs from private database subnets, strictly controlled via Security Groups.
  • Database Isolation: Multi-AZ PostgreSQL deployment on Amazon RDS, integrated with AWS Secrets Manager for dynamic, zero-touch credential injection.
  • Serverless Chaos Response: Implemented an event-driven observability pipeline. CloudWatch monitors EC2 CPU anomalies, triggering an SNS topic that invokes a Python AWS Lambda function to push critical alerts directly to a Telegram Bot.
  • Status: Production 🟢
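As an added example (not the MyssTic Warden project's own code), a Python Lambda handler for the CloudWatch alarm -> SNS -> Lambda -> Telegram path described above. It assumes the bot token, chat id and the subscribed topic ARN are supplied through the hypothetical environment variables TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID and ALERT_TOPIC_ARN, and the SNS event at the bottom is constructed.

```python
import json, os, urllib.parse, urllib.request

def parse_alarm(sns_message: str) -> dict:
    """Pull the alert-worthy fields out of a CloudWatch alarm notification body (JSON string)."""
    alarm = json.loads(sns_message)
    trigger = alarm.get("Trigger", {})
    dims = {d.get("name"): d.get("value") for d in trigger.get("Dimensions", [])}
    return {"name": alarm["AlarmName"], "state": alarm["NewStateValue"],
            "reason": alarm.get("NewStateReason", ""), "metric": trigger.get("MetricName", ""),
            "instance": dims.get("InstanceId", "unknown")}

def format_message(alarm: dict) -> str:
    """Build the Telegram text; sent without parse_mode so alarm strings are never rendered as markup."""
    return (f"[{alarm['state']}] {alarm['name']}\n"
            f"Instance: {alarm['instance']}  Metric: {alarm['metric']}\n{alarm['reason']}")

def send_telegram(text: str) -> int:
    """POST to the Bot API sendMessage endpoint; returns the HTTP status code."""
    token, chat_id = os.environ["TELEGRAM_BOT_TOKEN"], os.environ["TELEGRAM_CHAT_ID"]
    data = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    req = urllib.request.Request(f"https://api.telegram.org/bot{token}/sendMessage", data=data)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

def handler(event, context=None, send=send_telegram, expected_topic=None) -> list:
    """Lambda entry point: forwards each alarm from the subscribed topic; returns the texts sent."""
    expected = expected_topic or os.environ.get("ALERT_TOPIC_ARN")  # assumed env var name
    sent = []
    for record in event.get("Records", []):
        sns = record.get("Sns", {})
        if expected and sns.get("TopicArn") != expected:
            continue  # a publisher on any other topic must not be able to inject alert text
        text = format_message(parse_alarm(sns["Message"]))
        send(text)
        sent.append(text)
    return sent

# Constructed sample SNS event carrying a CloudWatch CPU alarm (account and instance ids are fake).
SAMPLE_EVENT = {"Records": [{"Sns": {
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:ec2-cpu-alerts",
    "Message": json.dumps({
        "AlarmName": "ec2-cpu-high", "NewStateValue": "ALARM",
        "NewStateReason": "Threshold Crossed: 1 datapoint [91.2] was greater than the threshold (80.0).",
        "Trigger": {"MetricName": "CPUUtilization", "Namespace": "AWS/EC2",
                    "Dimensions": [{"name": "InstanceId", "value": "i-0123456789abcdef0"}]}})}}]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, send=lambda t: None))
```

Restricting the Lambda's SNS trigger to that one topic ARN in IAM is the real control; the TopicArn check in the handler is a second layer that makes a misconfigured subscription fail closed.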

Tech Stack: Terraform, AWS (EC2, VPC, RDS, IAM), Serverless (Lambda, SNS), Python, CloudWatch

🔗 View Infrastructure Repository


πŸ—ΊοΈ The SRE Roadmap (Engineering Log)

Continuous Learning / Documentation

I am publicly documenting my transition to Site Reliability Engineering through a structured 11-Phase Roadmap.

  • Phase 1-9.5 (Completed): Infrastructure Hardening, Zero-Trust Architecture, Shift-Left Security workflows, Ansible Automation, and Multi-Arch CI/CD pipelines.
  • Phase 10 (Current Focus): Advanced Cloud Security, Hardening, FinOps optimization, and Hybrid Edge SOC development.
  • Phase 11 (The Final Boss): Kubernetes Orchestration & GitOps with ArgoCD.

👉 View Full Roadmap & Progress


📄 Knowledge Base Modernization (Konecta)

Docs-as-Code / Process Optimization

Led an initiative to modernize internal technical documentation for Tier 2 Support agents.

  • Problem: Critical troubleshooting info was scattered across legacy static sites and PDFs.
  • Solution: Migrated content to a Docs-as-Code system using MkDocs, enabling version control and faster search.

Tech Stack: MkDocs, Markdown, Git


❌ Before: Legacy Static Site

Legacy Documentation

✅ After: Docs-as-Code (MkDocs)

Modern MkDocs System


🌐 SRE Portfolio & Live Telemetry

Hybrid Cloud / GitOps / Multi-Architecture CI/CD

More than just a static website, this portfolio is a live demonstration of Enterprise Cloud Architecture. The frontend fetches real-time telemetry from a Golang API, deployed across a dual-environment infrastructure: a local Raspberry Pi Edge cluster (Staging) and an AWS Graviton EC2 instance (Production), entirely managed through a Zero-Intervention GitOps pipeline.

  • Frontend: Hugo + Nginx (Alpine Slim)
  • Backend: Golang 1.26 REST API (Distroless Container)
  • Infrastructure: AWS (ECR, Route53, VPC) + Raspberry Pi (Edge)
  • Security & Routing: Traefik Ingress + Let’s Encrypt (Prod) / Cloudflare Zero-Trust (Staging)

πŸ—οΈ Live Architecture

graph TD
    classDef dev fill:#1a1b26,stroke:#7aa2f7,stroke-width:2px,color:#c0caf5
    classDef cicd fill:#24283b,stroke:#bb9af7,stroke-width:2px,color:#c0caf5
    classDef edge fill:#152515,stroke:#44aa44,stroke-width:2px,color:#fff
    classDef cloud fill:#221535,stroke:#ff9900,stroke-width:2px,color:#fff
    classDef net fill:#1f2335,stroke:#7aa2f7,stroke-width:1px,color:#a9b1d6

    %% CODE FLOW
    Developer((💻 Ezequiel)):::dev -->|git push| GitHub{🐙 GitHub Actions Engine}:::cicd

    subgraph "CI/CD DevSecOps Gates"
        GitHub -->|1. Audit| Trufflehog[🕵️‍♂️ Trufflehog Secrets]:::cicd
        GitHub -->|2. Lint| Hadolint[🐳 Hadolint Docker]:::cicd
        GitHub -->|3. Scan| Trivy[🛡️ Trivy Vulnerabilities]:::cicd
    end

    %% BRANCH ROUTING (PIPELINE LOGIC)
    Trivy -->|Branch: develop| GHCR[(📦 GitHub Registry)]:::cicd
    Trivy -->|Branch: main| ECR[(🐳 AWS ECR Private)]:::cloud

    %% STAGING ENVIRONMENT (RASPBERRY PI)
    subgraph "Ez-Lab Environment (Staging Edge)"
        GHCR -.->|Auto Pull| WatchtowerPi[🔄 Watchtower Agent]:::edge
        WatchtowerPi -->|Deploy :stage| WebStage["🖥️ Frontend (Hugo)"]:::edge
        WatchtowerPi -->|Deploy :stage| APIStage["⚙️ Telemetry (Go)"]:::edge
        WebStage -.->|CORS Fetch| APIStage
    end

    %% PRODUCTION ENVIRONMENT (AWS)
    subgraph "MyssTic Warden Environment (Production Cloud)"
        ECR -.->|IAM Auth Pull| WatchtowerAWS[🔄 Watchtower Agent]:::cloud
        WatchtowerAWS -->|Deploy :prod| WebProd["🖥️ Frontend (Nginx)"]:::cloud
        WatchtowerAWS -->|Deploy :prod| APIProd["⚙️ Telemetry (Go)"]:::cloud

        Route53((🌐 Route 53)):::cloud --> Traefik[🔀 Traefik Ingress]:::cloud
        Traefik -->|Path: /| WebProd
        Traefik -->|Path: /api/health| APIProd
        WebProd -.->|Internal VPC Fetch| APIProd
    end

Tech Stack: Golang, Hugo, Nginx, AWS ECR, GHCR, GitOps

🔗 View Portfolio Source Code