Infrastructure

I run my own production infrastructure because I care about three things: data sovereignty, reliability, and systems that behave predictably under failure.

Everything is declarative. Everything is reproducible. If something breaks, rollback is a boot-menu option, not a weekend.

What I Run (High-Level)

• Hardware: Dedicated bare-metal host (details available on request).
• Dedicated NixOS host with reproducible configuration (flakes), atomic upgrades, and rollbacks.
• Multi-IP, multi-subnet design for redundancy and failure isolation.
• Authoritative DNS (BIND9) with recursion disabled, rate limiting, and tightly-scoped zone transfer policies.
• Automated wildcard TLS via DNS-01 using RFC2136 dynamic updates (TSIG-authenticated) so cert renewals are hands-off.
• Reverse proxy and HTTPS termination via Caddy, including HTTP/3.
• Rootless containers (Podman) managed declaratively through NixOS/systemd.
• Encrypted secrets (agenix) and automated backups with retention policies.

Post-Quantum Security (Pragmatic, Layered)

Post-quantum is a moving target, so the design is defense-in-depth:

• Post-quantum/hybrid SSH key exchange (OpenSSH sntrup761x25519-sha512@openssh.com).
• WireGuard VPN with a Rosenpass post-quantum key exchange overlay (PSK rotation on the order of minutes), designed to mitigate "store now, decrypt later."

DNS Redundancy (Why It's Not Just "I Run BIND")

The design goal is resilience when the most common failure modes happen:

• One IP is unreachable.
• One subnet is degraded.
• A full data center or provider has issues.

Services (Public Examples)

• definitelynot.ai - Unicode-security tooling and demos
• look.definitelynot.ai - WebGPU ML demo ("Observatory")

Why This Matters (Recruiter-Relevant)

• Production operations: monitoring, backups, rollback, incident-friendly design.
• Security posture: explicit threat modeling and layered controls, not checkbox security.
• Systems thinking: DNS, TLS automation, firewalling, and deployment all treated as one system.