Infrastructure & Automation

- Developing Strata, a declarative cloud provisioning tool with Cluster API pivot automation functionality. Inspired by the question, "what if a computer worm could provision a cloud?" I've been trying to get Google Gemini to code it, and right now the repository is a little messy. I will see if I can keep Gemini disciplined with StrictDoc for requirements management and OpenViking for organizing context. If I end up bringing it to the web with a graphical user interface (GUI), I would use Qwik for its phenomenal Google Lighthouse scores. Flutter sounded great for native applications, but I've found its functionality lacking for my projects. Tauri provides native mobile and desktop support to Qwik apps by linking native APIs to webviews (I like the looks of Servo as a browser engine, but its compatibility and stability need to improve before I can use it). Inspired by Spotify, I'm also interested in using Vite's module federation for micro-frontend development. Cloudflare is great for web domain registration, denial-of-service attack protection, and tunneling private networks to the public. This website showcases its free web hosting capability.

- Building a distributed private cloud with full disk encryption and remote attestation to protect from bootkit malware (using Kubernetes, Flatcar Container Linux, Clevis [TPM & Tang], and Keylime). I am interested in using hardware security modules (HSMs) and PKCS#11 to wrap data encryption keys (DEKs) with key encryption keys (KEKs) and store them in a remote key management system (KMIP).
  - I've thought about using Kepler and Sonoff S31 smart plugs with Tasmota firmware (the screws always strip. Being careful with a drill jig and a small bit worked for me. I didn't bother to solder; I just used test leads like in this video) to monitor energy consumption and compute cycles (what % of the power bill is used by what % of the smart plug is used by what % of the compute cycles?) like miles on a car to itemize tax deductions. Industrial control systems are expensive and unnecessarily complicated for small data centers. Smart plugs are modular IoT edge infrastructure that can be secured on an air-gapped network and isolated in a VLAN. The smart plugs support Redfish and can be used with MediK8s for automatic node remediation (for example, if a computer's operating system gets stuck and can't shut down, the smart plug can be programmed to turn the power off and on to fix it).
  - I've got two small CyberPower CP1500PFCLCD uninterruptible power supplies (UPS) that attempt to protect my computers from power surges and brownouts by regulating the voltage of the electricity supplied to them. I was careful to choose a UPS model that can be programmed with Network UPS Tools. The Tripp Lite SRCOOL12KE air conditioner is on my wishlist for when I build a rack for my servers.
  - For the network, I like SONiC for switches, and VyOS is okay for routers (I'm thankful for their charitability in open-sourcing their rolling release and understand the monetization of their work with their commercial long-term support (LTS) release. I interpret their product to be mostly a very convenient configuration layer that sews together underlying FOSS tools such as FRR, VPP, strongSwan, HAProxy, etc.).

- I've been looking into Ceph (Rook) for its multi-site, geographically redundant high availability (HA), learning about RADOS Gateway S3 data bucket lifecycle policies for automating data migration between hot/warm/cold tiers based on usage.

- Planning a monolithic repository for applications with static code analysis tooling (using Git [Scalar, Large File Storage (LFS), Forgejo and Codeberg] and Opengrep).

- Architecting CI/CD pipelines capable of monorepo scale (using Nix, Bazel, and Argo).

- Creating containers with minimal attack surfaces, scanning them for vulnerabilities, signing them, and hosting them in a private repository (using Podman, Canonical Rockcraft, Trivy, Sigstore Cosign, and Artifact Hub).

- Securing my cloud (using Wazuh SIEM/XDR, Suricata, and ClamAV with additional YARA rules for ring 3/userland protection. Studying Tetragon policies for ring 0/kernel. Fun fact: the ring paradigm comes from Multics). I want a micro-cut shredder (even though fire is better) and the Proton 1100 degaussing wand. It seems like an affordable entry point to the realm of degaussing. I would still use ShredOS before waving the wand, though.

- I'm amazed at what consumer hardware is capable of. eBay is a great resource for cheap enterprise hardware. Not everybody needs the latest and greatest. Smart people, like NASA's Apollo 13 mission crew and ground support, or Matt Damon's characters in The Martian and Good Will Hunting, flourish despite resource constraints. The privacy and security risk of leaking trade secrets and sensitive information to public AI models is concerning. Houston, we have a problem.
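Added example (not code from this site or from any project named above): the DEK/KEK envelope described in the private-cloud item, shown with the AES Key Wrap algorithm from RFC 3394, which is the mechanism PKCS#11 exposes as CKM_AES_KEY_WRAP. In an HSM deployment the KEK never leaves the token and C_WrapKey does this step inside it; here it is done in software with Go's standard library so the wire format (one extra 64-bit block carrying the integrity check) and the failure mode (an unwrap under the wrong KEK, or of a tampered blob, is rejected rather than returning garbage) are visible. The KEK and DEK are random stand-ins and the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the fixed initial value; recovering it on unwrap is the integrity check.
var rfc3394IV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// WrapKey wraps dek under kek with AES Key Wrap (RFC 3394). dek must be at
// least 16 bytes and a multiple of 8; the output is 8 bytes longer than dek.
func WrapKey(kek, dek []byte) ([]byte, error) {
	if len(dek) < 16 || len(dek)%8 != 0 {
		return nil, errors.New("dek must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek) // 16-, 24- or 32-byte KEK
	if err != nil {
		return nil, err
	}
	n := len(dek) / 8
	a := rfc3394IV
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], dek[i*8:])
	}
	var in, out [16]byte
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			// B = AES(K, A | R[i]); A = MSB64(B) ^ t; R[i] = LSB64(B), t = n*j + i (1-based i)
			copy(in[:8], a[:])
			copy(in[8:], r[i][:])
			block.Encrypt(out[:], in[:])
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(out[:8])^t)
			copy(r[i][:], out[8:])
		}
	}
	wrapped := append([]byte{}, a[:]...)
	for i := 0; i < n; i++ {
		wrapped = append(wrapped, r[i][:]...)
	}
	return wrapped, nil
}

// UnwrapKey inverts WrapKey and returns an error if the recovered IV does not
// match, which is what happens with the wrong KEK or a modified blob.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key has invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	var a [8]byte
	copy(a[:], wrapped[:8])
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], wrapped[8*(i+1):])
	}
	var in, out [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(in[:8], binary.BigEndian.Uint64(a[:])^t)
			copy(in[8:], r[i][:])
			block.Decrypt(out[:], in[:])
			copy(a[:], out[:8])
			copy(r[i][:], out[8:])
		}
	}
	if a != rfc3394IV {
		return nil, errors.New("integrity check failed: wrong KEK or tampered blob")
	}
	dek := make([]byte, 0, 8*n)
	for i := 0; i < n; i++ {
		dek = append(dek, r[i][:]...)
	}
	return dek, nil
}

func main() {
	// Stand-ins: in production the KEK lives in the HSM and only the wrapped DEK is stored in the KMS.
	kek, dek := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	wrapped, err := WrapKey(kek, dek)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped DEK (%d bytes, safe to store remotely): %s\n", len(wrapped), hex.EncodeToString(wrapped))
	plain, err := UnwrapKey(kek, wrapped)
	fmt.Println("unwrap under the right KEK matches:", err == nil && bytes.Equal(plain, dek))
	tampered := append([]byte{}, wrapped...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = UnwrapKey(kek, tampered)
	fmt.Println("unwrap of a tampered blob:", err)
}
```

The point of the extra 8 bytes is that key wrap is authenticated: a wrong KEK or a flipped bit yields an error, not a silently wrong DEK that would be used to format a LUKS volume or encrypt objects. The RFC 3394 test vector (128-bit KEK wrapping a 128-bit key) reproduces with these two functions, which is the quick way to confirm an implementation before trusting it with real keys.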