~/xavifortes

Infrastructure is the product.

From enterprise cloud migrations to bare-metal homelab operations. Every environment is code, every secret is encrypted, every deployment is reproducible.

Azure to GCP — Full Migration

Executed a live migration of production workloads from Azure to GCP with zero downtime. The strategy involved a parallel-run phase where both clouds handled traffic simultaneously, giving us a rollback window with no user impact.


Key areas:

- IAM redesign: Mapped Azure AD roles to GCP IAM with least-privilege service accounts. Removed overly permissive legacy roles that had accumulated over the years.

- Networking: Re-architected the Azure VNet layout as a GCP VPC design. Set up VPC peering and Private Service Connect, and re-established BGP sessions with the on-prem network.

- Perimeter security: Replaced Azure Firewall with Cloud Armor. Wrote DDoS policies and WAF rules that matched the original ruleset while adding improvements.

- Data migration: BigQuery migrations via Datastream. Cloud SQL for PostgreSQL with minimal replication lag.

- CI/CD pivot: Migrated Azure DevOps pipelines to Cloud Build and GitHub Actions without disrupting release cadence.
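One defender-side check behind the IAM redesign above, as an added example that is not the migration's own tooling: it scans a project IAM policy in the JSON shape `gcloud projects get-iam-policy` returns and flags primitive roles and public principals. The sample policy, project and account names are constructed.

```python
"""Audit a GCP project IAM policy for overly-permissive bindings.

Assumes the policy is in the JSON shape returned by
`gcloud projects get-iam-policy PROJECT --format=json`.
The sample policy below is constructed, not from a real project.
"""
import json

# Basic (primitive) roles grant broad project-wide access; a least-privilege
# migration replaces them with predefined or custom roles.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that make a binding effectively public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy: dict) -> list:
    """Return one finding dict per risky (role, member) pair, in policy order."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({"severity": "high", "role": role, "member": member,
                                 "reason": "public principal"})
            elif role in PRIMITIVE_ROLES and member.startswith("serviceAccount:"):
                findings.append({"severity": "high", "role": role, "member": member,
                                 "reason": "service account holds primitive role"})
            elif role in PRIMITIVE_ROLES:
                findings.append({"severity": "medium", "role": role, "member": member,
                                 "reason": "primitive role"})
    return findings


# Constructed sample policy (hypothetical project "example-project").
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:legacy-app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reports@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['role']} -> {f['member']}: {f['reason']}")
```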

Tags: GCP, Azure, IAM, VPC, Cloud Armor, Terraform

k3s HA Cluster — OVH MAD1

Three-node etcd k3s cluster on OVH's Madrid LocalZone. Every node is provisioned by OpenTofu (ovh/ovh provider) and bootstrapped by Ansible.


Architecture decisions:

- etcd quorum: 3 masters, no dedicated worker nodes at this scale. All masters are schedulable. etcd data is backed up to Backblaze B2.

- Ingress: Traefik as the ingress controller. IngressRoute CRDs for precise routing control. TLS handled by cert-manager (Let's Encrypt ACME HTTP-01).

- Storage: Longhorn for distributed block storage. Volumes are replicated across 2 nodes for redundancy (the third node acts as a witness). Used by Matrix Synapse, Grafana, InfluxDB.

- Secrets: Kubernetes Secrets encrypted at the API server level. External secrets fed via SOPS-encrypted Ansible vars at bootstrap time.

- Monitoring: Grafana + InfluxDB + Mosquitto for MQTT telemetry from homelab sensors.

- GitOps: ArgoCD watches the shellnet-infrastructure and xavifortes.com repos. Sync is automated with self-heal enabled.

Tags: k3s, etcd, Traefik, cert-manager, Longhorn, ArgoCD, Ansible

Dual Proxmox + TrueNAS + Unifi

Full on-premises lab running production-grade workloads on consumer hardware. Two Proxmox 8.4 nodes, a TrueNAS SCALE NAS, and a Ubiquiti Unifi stack for networking.


Infrastructure:

- almond (Ryzen 7 5800X / 64GB): kubeadm k8s cluster (3 VMs), k3s-ha node, LXCs for cloudflared, WireGuard, PostgreSQL, Minecraft, coder-server, ttyd.

- peanut (Ryzen 5 3600 / 32GB): TrueNAS SCALE (ZFS with spinning + SSD pool), Home Assistant OS, nginx proxy manager, AdGuard Home, Homarr dashboard, PostgreSQL replica.

- Networking: Ubiquiti UDM-Pro as router. VLANs for homelab, IoT, trusted, and guest. A DMZ VLAN for anything externally accessible. Dedicated IP from ISP with custom BGP routing.

- Remote access: WireGuard VPN for LAN access. cloudflared for zero-trust tunnel to select services. All inbound ports blocked except the explicit allow-list.

- Backups: All VM/LXC configs backed up to B2 via Proxmox Backup Server. TrueNAS ZFS snapshots replicated offsite.

Tags: Proxmox, TrueNAS, Unifi, WireGuard, ZFS, Home Assistant

Minecraft, Project Zomboid & RimWorld

Running game servers at scale is real systems administration. Persistent state, latency SLAs, backup automation, mod pipeline management — the same skills, different workloads.


Minecraft:

- Platform: LXC container on almond (Proxmox), 8GB RAM allocated, dedicated virtual CPU cores.

- Automation: Custom scripts for mod update pipelines (HUGO datapack, Cobblemon, UHC modes). Automated backups on schedule to B2. Crash-loop detection with auto-restart.

- Networking: Routed through GRA8 HAProxy on :25565. Cloudflare Spectrum for DDoS protection on the Minecraft port.


Project Zomboid & RimWorld:

- Dedicated server instances with persistent world state managed as Proxmox VM snapshots.

- Network latency optimisation: dedicated NICs, CPU pinning, NUMA-aware scheduling for consistent tick rates.

- Player save file management automated with versioned backups.

Tags: Proxmox LXC, HAProxy, Bash automation, B2 backups