
IT-Security · Cloud · Network Engineer

Arthur Vogel

Datacenter, Zero-Trust & Cloud-Native · 20+ years of IT infrastructure


Experience

  1. Current Position

    IT Security & Network Engineer

    • Member of the steering committee for Zero Trust and SD-WAN infrastructure
    • Designing distributed WAN connectivity with MPLS and Zero Trust optimisation of the enterprise network
    • Several proof-of-concepts with open-source solutions, including a NAC system based on PacketFence
    • Vulnerability management with OpenVAS – regular scans and analysis
    • Firewall administration with Barracuda – policies, segmentation, VPN
    • NAC architecture with Aruba ClearPass and PacketFence
    • Switching with Aruba and H3C, WLAN operations with Aruba controllers
    • Logging and monitoring with Graylog, Grafana and PostgreSQL
    • AI strategy: evaluating different AI vendors, multi-agent orchestration with a declarative approach via Skills and MCP interfaces
    • Automation of infrastructure-adjacent processes with AI-assisted vibe coding and local LLMs
    • Administration of the central GitLab platform
    • Containerisation and workload operations with Docker Swarm
    • Application development for documentation and self-service provisioning
  2. TeleData GmbH

    Datacenter Manager

    • Direct line management of the datacenter team
    • Member of the leadership team and technical advisor to executive management
    • Multisite datacenter concept and IT strategy planning
    • Leading the DevOps environment with GitLab, Puppet, Ansible and Terraform
    • Building a highly available container platform with Docker Swarm
    • Pre-sales, consulting and partner management
    • Project leadership across multiple parallel infrastructure projects
    • Recruiting, onboarding, performance reviews and team development
  3. TeleData GmbH

    Senior Cloud Architect / Linux Specialist

    • Cloud computing and DevOps in datacenter network environments
    • Design and operations of CloudStack and OpenNebula
    • KVM virtualisation in clustered operations
    • Backup and storage architecture for compute and data
    • Linux administration and infrastructure automation
    • Version control and IaC with GitLab, Puppet, Ansible, Terraform
  4. Stadler Anlagenbau GmbH

    Head of IT

    • Built up the in-house IT department including datacenter (IT service insourcing)
    • Planning, project leadership and construction of a datacenter
    • Operating the datacenter to deliver software and services worldwide
    • Commercial and personnel management of IT departments across all sites
    • Training and development of IT specialists
    • Endpoint security with Sophos EDR – policies, detection, incident response
    • Planning and administration of IT security software, telephony solutions, switches and routers
    • Concepts for data backup and high availability
    • Ensuring cost-effectiveness and optimising digital processes
    • Ensuring IT compliance
    • Linux administration, backups with Veeam, migration of services into Docker environments
  5. ics it-systems GmbH

    Managing Director / Consultant

    • Company leadership with personnel responsibility
    • Planning and administration of IT security solutions
    • Planning and administration of network and telephony solutions for enterprise customers
    • Linux administration
  6. Wehrle & Johnson IT-Systemhaus

    Consultant Network Engineering / IT Security

    • IT project leadership with personnel responsibility
    • Building and leading the service department
    • Planning and administration of IT security software, telephony solutions, switches and routers
    • Employee training in network engineering and IT security
    • Consulting and pre-sales support
    • Linux administration
  7. Bechtle IT-Systemhaus Friedrichshafen

    Systems Engineer

    • Planning and administration of network and security infrastructure for enterprise customers
    • Implementation of switching, routing and firewall solutions
    • Service and support activities in enterprise environments

Skills

Security & NAC

Endpoint, network and perimeter security with a focus on Network Access Control, EDR/XDR and Zero Trust architectures. Designing and operating security policies and detection solutions in enterprise environments.

  • Sophos EDR
  • Aruba ClearPass
  • PacketFence
  • Macmon
  • Barracuda
  • Sophos Firewall
  • IDS/IPS
  • EDR/XDR
  • NAC
  • Security policies
  • Zero Trust architecture


Where I apply this

NAC with Aruba ClearPass and PacketFence rolled out in production at the current employer — 802.1X authentication on wired ports and WLAN clients, captive portal for guests, MAC Authentication Bypass for printers. Sophos EDR rolled out across multiple sites at Stadler — policies, detection tuning, incident response workflows. Firewall policies in Barracuda with site-to-site VPN and per-site segmentation.

Architectural approach

As a steering committee member at the enterprise level, I am designing the staged transition from the classic perimeter model to a Zero Trust architecture — identity-first, microsegmentation, continuous verification. Explored in depth in my own CloudManager project: mTLS mesh between all components, dynamic trust-score-based access decisions.

Vulnerability Management

Vulnerability scanning, CVE triage and supply-chain security including SBOM management. Custom trust-score engine in CloudManager (agent-based, posture reports).

  • OpenVAS
  • Trivy
  • Vulnerability scanning
  • CVE triage
  • SBOM
  • Supply-chain security


Where I apply this

OpenVAS for regular authenticated and unauthenticated scans on the enterprise network, including analysis and prioritisation by CVSS and exploitability. Trivy for container image scans and SBOM generation in the CloudManager CI pipelines.

Custom trust-score engine

Inside CloudManager I built an agent-based posture-reporting engine: local agents on every host capture CVE status, Cosign signature verification, configuration drift and mesh connectivity. From this a dynamic trust score per host is calculated and used for routing and access decisions. Supply-chain security is enforced through end-to-end image signing (Cosign), SBOM tracking and reproducible builds.

Network & WAN

Switching, routing and WLAN in enterprise environments along with WAN concepts using MPLS and SD-WAN. Network segmentation as the foundation for Zero Trust architectures.

  • HPE/Aruba
  • Cisco
  • H3C
  • Ruckus
  • Switching
  • Routing
  • WLAN controllers
  • MPLS
  • SD-WAN
  • Segmentation


Where I apply this

HPE/Aruba switching with AOS-CX at the current site. Cisco Catalyst and H3C in earlier environments (Bechtle, ics, Stadler) — switching, routing, VLAN design. Aruba controllers for campus-wide WLAN including VLAN pooling, rogue-AP detection and captive portal.

WAN design

Designing distributed WAN connectivity with MPLS and Zero Trust optimisation of the enterprise network — staged migration from a fully meshed MPLS topology to an SD-WAN model with identity-based path decisions. Segmentation through VRFs at the provider layer, microsegmentation through NAC policies at the endpoint layer.

Virtualization

Multi-hypervisor environments with both open-source and enterprise solutions. Design, operations and migration between platforms.

  • Proxmox
  • KVM
  • CloudStack
  • OpenNebula
  • VMware


Where I apply this

Multi-hypervisor experience across all roles: Proxmox in my own lab and CloudManager, KVM in clustered operations at TeleData, CloudStack and OpenNebula in TeleData datacenter environments, VMware vSphere during the Stadler datacenter build-out.

Cluster architecture

Cluster setups with live migration, HA concepts and shared storage via Ceph or NetApp — failover within seconds. Inside CloudManager I use Proxmox as a hypervisor adapter: the platform abstracts cluster operations across all providers behind a unified API. Backup integration via Veeam and Restic.

Container & Cloud-Native

CNCF ecosystem as a learning track and certification path. Docker Swarm running in production, Kubernetes with a GitOps toolchain in build-out.

  • Docker
  • Docker Swarm (production)
  • Kubernetes (in progress)
  • GitOps
  • ArgoCD
  • Helm
  • Traefik


Where I apply this

Docker Swarm running in production at TeleData as a highly available container platform — 50+ services across multiple worker nodes with automatic reconciliation. Still in active use at the current employer for workload hosting.

Kubernetes learning path

In parallel, an intensive Kubernetes learning path with K3s (CloudManager) and Rancher — currently preparing for CKA → CKAD → CKS. GitOps workflows with ArgoCD as an architectural principle, Helm for deployments, Traefik as ingress with automated Let’s Encrypt. The CNCF tool stack guides adapter selection in CloudManager — Prometheus, Loki, Cosign and Trivy all belong to the same family.

Automation & IaC

Infrastructure as Code, CI/CD pipelines and configuration management. Secrets management with OpenBao plus image signing and supply-chain hardening with Cosign.

  • GitLab CI/CD
  • Puppet
  • Ansible
  • Terraform
  • OpenTofu
  • Cosign
  • OpenBao


Where I apply this

GitLab CI/CD for build pipelines with multi-stage templates, administered as the central solution at the current employer. Puppet at TeleData for traditional configuration management, Ansible for ad-hoc provisioning and rollouts, Terraform/OpenTofu for cloud-provider IaC inside CloudManager.

Secrets management

OpenBao (a HashiCorp Vault fork) as a self-hosted secrets backend — all platform secrets are stored encrypted with auto-unsealing via Shamir split. Cosign signs every container image I build — runtime verifies before start, and no image without a valid signature gets to run. End-to-end IaC-driven workflow: every infrastructure change is a pull request.

AI & Agents

Vendor-agnostic, declarative multi-agent approach with Skills and MCP interfaces. Local LLMs and vibe coding for process automation.

  • Multi-agent orchestration
  • Declarative approach with Skills and MCP interfaces
  • Local LLMs
  • Vibe coding for process automation


Where I apply this

Multi-agent orchestration across different AI vendors — Anthropic Claude, Mistral, OpenAI and local Ollama models. Declarative approach via the Claude Agent SDK with Skills and MCP interfaces: specialised agents (frontend, backend, security, tests, review) are orchestrated on demand rather than hard-coded.

Vibe coding with reviewer-in-the-loop

AI-assisted vibe coding for infrastructure automation — agents read architecture docs, generate code, validate it against schemas, and I review and curate. CloudManager and this CV site were both built this way. Local LLMs for sensitive context, cloud LLMs for complex reasoning tasks — a GDPR-aware routing decision per use case.

SIEM & Observability

Centralised log management, metrics and dashboards. AI-assisted log analysis for faster triage and correlation.

  • Graylog (log management)
  • Grafana
  • Prometheus
  • Loki
  • AI-assisted log analysis


Where I apply this

Graylog as the log aggregator at the current employer with index-based full-text search, pipeline rules for structuring and alert routing to Pushover and email. Grafana dashboards for network and application metrics, Prometheus as the time-series backend, Loki for structured log storage in CloudManager.

AI-assisted log analysis

Anomaly detection and pattern recognition across sources — typical use cases: brute-force patterns in auth logs, unusual egress connections, container restart spikes. The AI pre-classifies, the ops team makes the final call. Significantly reduces false positives compared to rule-based SIEMs.

Datacenter & Storage

Building and operating datacenter infrastructure with multisite designs and high availability. Storage, backup and IPAM/DCIM solutions for enterprise environments.

  • NetApp
  • Ceph
  • MinIO
  • SAN/NAS architectures
  • Backup with Veeam
  • NetBox (IPAM/DCIM)


Where I apply this

Full-scale datacenter build-out at Stadler Anlagenbau (IT service insourcing) including 24/7 availability for the global delivery of software and services — design, project leadership, commissioning. Multisite datacenter concept as a technical advisor at TeleData.

Storage architectures

NetApp for enterprise block/file storage, Ceph as a distributed storage cluster in CloudManager, MinIO as an S3-compatible self-hosted solution. SAN/NAS architectures with Fibre Channel and 10/25 GbE fabrics. Veeam for backups with application-aware snapshots, Restic for container backups. NetBox as the source of truth for IPAM and DCIM.

Operations & Methodology

Operating NOC structures with 24/7 monitoring, alerting and incident response. Structured project leadership, IT strategy and GitOps practices in day-to-day work.

  • NOC structures
  • 24/7 monitoring
  • Alerting
  • Incident response
  • Change management
  • ITSM
  • Proof-of-concepts
  • IT strategy
  • Project leadership
  • GitOps practices


Where I apply this

Building and leading NOC structures with 24/7 monitoring and incident response workflows — at TeleData as datacenter manager, at Stadler during the insourcing build-out, currently as a technical advisor. Change management following ITIL processes with clearly defined approval gates for production.

Methodology

Proof-of-concept methodology for strategic tool selection — for example NAC (PacketFence vs. ClearPass vs. Macmon), EDR (Sophos vs. CrowdStrike), container platform (Swarm vs. Kubernetes). Multi-project leadership in the datacenter role with parallel infrastructure projects. GitOps as an operational paradigm — everything versioned, everything reviewable, everything rollback-capable.

Compliance

Applying common security and process standards in infrastructure and operations environments. Focus on information security, data protection and service management.

  • ISO 27001
  • BSI IT-Grundschutz
  • GDPR
  • ITIL


Where I apply this

ISO 27001 awareness in datacenter leadership at TeleData — controls, documentation, internal audits. BSI IT-Grundschutz-Praktiker certification, applying the BSI building blocks in the current enterprise environment — modelling the IT scope, risk analysis, control catalogue.

Compliance as an architectural driver

GDPR compliance in tool selection and architecture — for example the EU-provider-first strategy in CloudManager with structured compliance metadata per integration (data location, DPA, certifications). A UI filter hides non-compliant integrations. ITIL for service management processes. For me, compliance is an architectural driver, not an afterthought.

Certifications

Completed

  • BSI IT-Grundschutz-Praktiker · BSI
  • AEVO / Certified Vocational Trainer · IHK
  • CCNA – Cisco Certified Network Associate · Cisco
  • LPIC – Linux Professional Institute Certification · Linux Professional Institute
  • Kubernetes Training (Training provider) · 2024

In preparation

  • CKA – Certified Kubernetes Administrator · CNCF / Linux Foundation
  • CKAD – Certified Kubernetes Application Developer · CNCF / Linux Foundation
  • CKS – Certified Kubernetes Security Specialist · CNCF / Linux Foundation

Education

  • State-certified Technician in Information Technology · Elektronikschule Tettnang
  • Prior vocational training: Mechatronics technician

Personal Project

CloudManager

Personal learning project on modern infrastructure and secure networking in the age of AI. Multi-cloud management platform with a declarative product manifest, an mTLS mesh and a trust-score engine — built entirely with open source and AI-assisted vibe coding.


What is CloudManager?

CloudManager is a self-hosted cloud management platform for European SaaS providers — multi-cloud, GDPR-compliant, with no vendor lock-in. Products are defined as declarative manifests (cloudmanager.yml) inside the repository; the release process is reduced to git push.

Architecturally it follows a three-layer principle: Layer 0 (Core) is always available — local backup, DNS, firewall, SSL, monitoring. Layer 1 consists of modular adapters (Storage, Backup, AI, …). Layer 2 is products composed from adapters (“Backup as a Service”, “AI as a Service”). Core rule: Layer 0 keeps working even if every adapter fails.

Multi-cloud across 9 providers

A unified API for Hetzner, IONOS, Netcup, Exoscale, OVHcloud, Proxmox, DigitalOcean, Vultr and bare metal — create, delete and scale servers, snapshots, volumes and floating IPs independently of the provider. EU-first strategy for GDPR compliance, US providers as an option with explicit consent.

13 integration categories

Modular adapters for every infrastructure domain: VPN (Tailscale, Headscale) · DNS (Hetzner, Cloudflare, Route 53) · Firewall (Hetzner, OPNsense, pfSense, UFW) · Storage (S3, MinIO, Wasabi, NetApp, B2, GCS, Azure) · Backup (Restic) · Monitoring (Prometheus, Uptime Kuma) · Logging (Loki, Elasticsearch) · Email (SMTP, Mailgun, SendGrid) · Certificates (Let’s Encrypt, ZeroSSL) · CI/CD (GitLab CI) · Git (Forgejo, Gitea, Codeberg, GitLab) · Notifications (Pushover, Slack, Discord, Telegram, ntfy) · AI/LLM (Mistral, OpenAI, Aleph Alpha, Ollama, vLLM).

A universal OpenAiCompatibleAdapter talks to any OpenAI-compatible endpoint — cloud API or self-hosted GPU server, no difference.

Zero Trust security stack

  • mTLS mesh on every host via the CloudManager agent — no plaintext traffic on the internal network
  • OpenBao as a self-hosted secrets backend (HashiCorp Vault fork) with auto-unsealing
  • Trust-score engine — agent-based posture reports capture CVE status, Cosign signature verification and configuration drift, combining them into a dynamic trust score per host
  • Cosign signs every container image we build, the runtime verifies before start
  • Trivy scans images in CI for vulnerabilities, SBOM generation as a build artefact
  • Headscale for the mesh VPN spanning all sites and cloud providers
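The trust-score engine is described twice on this page (in the Vulnerability Management skill and in the list above) but without showing how posture findings become an access decision. The following is an added illustration, not CloudManager's own code: the report fields, the penalty weights, the staleness cap and the allow/restrict/deny thresholds are all assumptions chosen for the example, and the CVE identifiers in the sample reports are constructed placeholders.

```typescript
// Added illustration (not CloudManager's own code): a per-host agent posture
// report reduced to a trust score that gates routing and access decisions.

// One posture report as a host agent would deliver it. Field names and all
// weights below are assumptions for this example.
interface PostureReport {
  host: string;
  reportedAtMs: number;                     // when the agent produced the report
  openCves: { id: string; cvss: number }[]; // open findings from the host/image scan
  imageSignatureValid: boolean;             // Cosign verification of the running image
  driftedFiles: number;                     // files differing from the declared config
  meshReachable: boolean;                   // host answers over the mTLS mesh
}

type Decision = "allow" | "restrict" | "deny";

interface TrustResult {
  host: string;
  score: number;     // 0..100
  decision: Decision;
  reasons: string[]; // every deduction, for the operator and the audit log
}

const MAX_REPORT_AGE_MS = 15 * 60 * 1000; // older than this counts as stale
const STALE_SCORE_CAP = 60;               // a stale posture never earns full trust

// Weight an open CVE by its CVSS base score (illustrative numbers).
function cvePenalty(cvss: number): number {
  if (cvss >= 9.0) return 25;
  if (cvss >= 7.0) return 10;
  if (cvss >= 4.0) return 3;
  return 1;
}

function scoreToDecision(score: number): Decision {
  if (score >= 80) return "allow";
  if (score >= 50) return "restrict"; // e.g. reachable only from the admin segment
  return "deny";
}

function evaluatePosture(report: PostureReport, nowMs: number): TrustResult {
  const reasons: string[] = [];

  // Hard gate: an image that fails Cosign verification is never trusted,
  // however clean the rest of the report looks.
  if (!report.imageSignatureValid) {
    reasons.push("image signature verification failed");
    return { host: report.host, score: 0, decision: "deny", reasons };
  }

  let score = 100;

  for (const cve of report.openCves) {
    const penalty = cvePenalty(cve.cvss);
    score -= penalty;
    reasons.push(`${cve.id} (CVSS ${cve.cvss}): -${penalty}`);
  }

  if (report.driftedFiles > 0) {
    // 5 points per drifted file, capped so drift alone cannot zero the score
    const penalty = Math.min(5 * report.driftedFiles, 20);
    score -= penalty;
    reasons.push(`${report.driftedFiles} drifted file(s): -${penalty}`);
  }

  if (!report.meshReachable) {
    score -= 30;
    reasons.push("host not reachable over the mTLS mesh: -30");
  }

  score = Math.max(0, Math.min(100, score));

  // A stale report is capped rather than ignored: the host may have changed
  // since the agent last reported, so it cannot be granted full trust.
  if (nowMs - report.reportedAtMs > MAX_REPORT_AGE_MS && score > STALE_SCORE_CAP) {
    reasons.push(`report older than ${MAX_REPORT_AGE_MS / 60000} min: capped at ${STALE_SCORE_CAP}`);
    score = STALE_SCORE_CAP;
  }

  return { host: report.host, score, decision: scoreToDecision(score), reasons };
}

function evaluateAll(reports: PostureReport[], nowMs: number): TrustResult[] {
  return reports.map((r) => evaluatePosture(r, nowMs));
}

// Constructed sample reports (placeholder CVE ids) for a stand-alone run.
const NOW = Date.parse("2026-01-15T08:00:00Z");
const SAMPLE_REPORTS: PostureReport[] = [
  { host: "web-1", reportedAtMs: NOW - 60_000, openCves: [{ id: "CVE-EXAMPLE-0001", cvss: 5.3 }],
    imageSignatureValid: true, driftedFiles: 0, meshReachable: true },
  { host: "db-1", reportedAtMs: NOW - 60_000,
    openCves: [{ id: "CVE-EXAMPLE-0002", cvss: 9.8 }, { id: "CVE-EXAMPLE-0003", cvss: 7.5 }],
    imageSignatureValid: true, driftedFiles: 2, meshReachable: true },
  { host: "batch-1", reportedAtMs: NOW - 60_000, openCves: [],
    imageSignatureValid: false, driftedFiles: 0, meshReachable: true },
  { host: "edge-1", reportedAtMs: NOW - 30 * 60_000, openCves: [],
    imageSignatureValid: true, driftedFiles: 0, meshReachable: true },
];

for (const r of evaluateAll(SAMPLE_REPORTS, NOW)) {
  console.log(`${r.host}: ${r.score} -> ${r.decision} [${r.reasons.join("; ")}]`);
}
```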

GDPR compliance built in

Each of the ~50 integration types carries structured compliance metadata: GDPR-compliant (yes/no), data locations, company headquarters, EU datacenter, DPA availability, certifications (ISO 27001, SOC 2, BSI C5, HDS). The UI shows compliance badges on every integration card; a toggle filter hides non-compliant ones.

Tech stack

Backend: TypeScript · Express.js · PostgreSQL 16 · pg-boss (job queue, crash-safe via PostgreSQL). Frontend: React 18 · Vite · Tailwind · TanStack Query · Lucide Icons. Infra: Docker · Traefik · OpenTofu · Cloud-Init · GitLab CI/CD.

Numbers (as of v5.20.0)

334+ REST endpoints · 21 frontend pages · 129 integration types · 50 database migrations · 530+ backend tests · 0 TypeScript errors.

Why I use this as a job-search reference

CloudManager is my hands-on learning track for the topics I am designing in my current role — Zero Trust architecture, multi-cloud, GitOps, container orchestration, vulnerability management. It was built with AI-assisted vibe coding: declarative Skill/MCP definitions, multi-agent orchestration and a human reviewer in the loop. The platform also runs this CV site, among other things.

[Figure: Zero-trust onion model. Layered diagram of the zero-trust security model in CloudManager.]
[Figure: Technology stack. Overview of the CloudManager technology stack with CNCF components.]
[Figure: Mesh network. Topology of the Headscale mesh VPN across multiple cloud providers.]

Other Projects

DevForge

Self-learning multi-vendor AI orchestrator as a CloudManager module with a Zero Trust security model.

In development
  • TypeScript strict
  • Express
  • React 18
  • PostgreSQL 16
  • TimescaleDB
  • pg-boss
  • OpenBao
  • Headscale
  • Socket.IO
  • Keycloak (Phase 2)


Purpose

DevForge is my multi-vendor AI orchestrator, integrated as a module inside CloudManager. Tasks can be delegated to AI agents (Anthropic Claude, Google Gemini, OpenAI Codex, Mammoth, local Ollama) through a unified chat UI, a CLI or directly from GitLab issues. The orchestrator routes tasks intelligently to the best-fit provider, learns from results (success rate, cost, latency) and tracks costs in real time.

Security model

A Zero Trust security model with four independent enforcement layers:

  1. Identity & Auth — Keycloak SSO with OIDC (Phase 2), service-to-service via mTLS over the Headscale mesh
  2. Network — no direct internet access for agents; all outbound calls route through an egress proxy with an allowlist
  3. Process isolation — every task runs in its own ephemeral container with resource-limited cgroups
  4. Audit & anomaly detection — every provider call is logged in TimescaleDB with provenance; anomalies trigger automatic isolation

Technical highlights

  • Cost tracker in TimescaleDB as a hypertable — sub-second queries across millions of token-usage events
  • pg-boss job queue (PostgreSQL-based, crash-safe) for asynchronous task distribution with retry and dead-letter handling
  • OpenBao for API-key storage of every provider — keys are never logged in plaintext or sent to the frontend
  • Real-time updates via Socket.IO behind a Traefik reverse proxy
  • Reactive UI stack with React 18 and TanStack Query

Why this matters for the role

DevForge demonstrates layered security architecture combined with modern cloud-native practice. It is my answer to “How do I integrate AI into an enterprise environment without compromising the compliance posture?” — and at the same time it is the tool I use to evolve CloudManager and this CV site itself.

TrustCompass

Self-hosted Zero Trust and compliance assessment platform delivered as multi-tenant SaaS.

In development
  • TypeScript strict
  • Express API
  • React + Vite (PWA)
  • PostgreSQL
  • Redis
  • Docker Compose
  • Mailpit (dev)


Purpose

TrustCompass is a self-hosted platform for Zero Trust and compliance assessments. Multi-tenant SaaS, shipped as a Docker Compose stack — one instance, many tenants, clean data separation. It directly addresses the question: “How far along is my organisation on the road to a Zero Trust architecture, and where does it stand against the obligations from GDPR, BSI IT-Grundschutz and ISO 27001?”

Features

  • Assessment engine — structured questionnaires (modular per framework) with weighted scoring
  • Maturity scoring — quantitative classification per domain (Identity, Network, Endpoint, Data, Application, Visibility, Automation)
  • Gap analysis — automated identification of control gaps with prioritisation by risk and effort
  • Multi-tenant isolation — data separation at the database level, auth via JWT plus tenant claim, no tenant crossing possible

Technical highlights

  • PWA for offline assessments in audit situations without stable connectivity
  • Docker Compose stack as an all-in-one deployment — Postgres, Redis, API, frontend and Mailpit (dev) come up with a single command
  • Port-offset strategy in the dev environment so the stack runs alongside other projects on the same host
  • Strictly typed API layer with shared types between backend and frontend

Why this matters for the role

TrustCompass is the direct link between my BSI IT-Grundschutz-Praktiker certification and my current steering-committee work on Zero Trust migration. It translates theoretical frameworks into measurable, periodically repeatable assessments — with the explicit goal of producing honest feedback rather than checkbox compliance.

Levit (formerly Gemeinde-Manager)

Self-hosted church management system as a free alternative to ChurchTools — running in production for CG Ravensburg.

Production
  • React 18
  • TypeScript
  • Tailwind CSS
  • Node.js + Express
  • PostgreSQL 16
  • Traefik v3.6
  • Hetzner Cloud DNS API
  • GitLab CI/CD
  • web-push (VAPID)
  • Let's Encrypt (acme-client)


Purpose

Levit is my production-running church management system for the Christliche Gemeinde Ravensburg — started as a personal contribution to my church and grown into a free, self-hosted alternative to ChurchTools. Currently on version 11.x with continuous releases.

Features (excerpt)

Member and family management · service rota planning with conflict detection · event management with sign-up · sermon and media archive · finance and donation tracking · communication via email (SMTP smarthost) and web push (VAPID) · GDPR-compliant subject access and erasure functions · role-based access control with fine-grained permissions.

Technical highlights

  • Reverse proxy with wildcard TLS — Traefik v3.6 with *.levit-cloud.de via Let’s Encrypt, automated certificate rotation
  • DNS automation — direct integration with the Hetzner Cloud DNS API for automatic A-record management per tenant
  • GitLab CI/CD on a self-hosted instance (gitlab.levit-cloud.de) — build, test, image build, automated deploys to staging and production
  • Web push notifications with VAPID — no third-party services like OneSignal, everything inside our own stack
  • PostgreSQL 16 with domain-driven migrations and a schema that has stayed backward-compatible across three major versions

Why this matters for the role

Levit is my end-to-end production proof across the full spectrum: frontend, backend, database, DevOps, CI/CD, DNS automation, TLS management, notifications, GDPR. It has been running stably under real load for years — and it keeps me sharp on exactly the topics I design professionally.

InfoBoard

Personal Progressive Web App in the Miro style — an infinite-canvas pinboard with news aggregation, AI briefing and spaced-repetition flashcards.

Production
  • Node.js 22 + TypeScript strict
  • Express
  • React 18 + Vite + Tailwind
  • PostgreSQL 16
  • IndexedDB (idb)
  • Service Worker / Workbox
  • pg-boss
  • Anthropic Claude · OpenAI TTS + Whisper
  • Restic (backup sidecar)
  • Docker Compose


Purpose

InfoBoard is my personal PWA for knowledge organisation — an infinite Miro-style pinboard combined with news aggregation, an AI-assisted morning briefing (text + audio) and spaced-repetition flashcards. Single-user, offline-first, installable on macOS, iPad and iPhone. Live at infoboard.levit-cloud.de.

Features

  • Infinite canvas with notes, images, web clippings and flashcards — all on an endlessly pannable surface
  • News aggregation through RSS/JSON feeds, scheduled via pg-boss jobs
  • AI morning briefing — Claude condenses news, calendar events and pinboard updates into a text briefing, OpenAI TTS produces the audio version for my walks
  • Spaced-repetition flashcards with the FSRS algorithm for personal study
  • Whisper transcription for voice notes pinned directly to the board

Technical highlights

  • Offline-first with IndexedDB persistence and service-worker caching — the board works fully without connectivity, syncing once back online
  • Workbox for cache strategies and background sync
  • Restic sidecar container for encrypted backups into my own S3 bucket
  • Deployed as a CloudManager tenant — the platform runs the InfoBoard stack as a product, proving the multi-tenant capability of CloudManager under real-world conditions

Why this matters for the role

InfoBoard validates the CloudManager tenant model in real operation — a non-trivial product with database, API, PWA and backup sidecar that is fully described and deployed via the CloudManager manifest. It also showcases offline-first architecture, a discipline that many traditional web stacks neglect.

Lernwerk

Self-hosted PWA for several parallel learning paths — pentesting, Kubernetes certifications, languages — reachable only over a Headscale mesh.

In development
  • React 18 + Vite + Tailwind v3
  • shadcn/ui
  • Node.js 22 LTS + Fastify
  • Drizzle ORM
  • PostgreSQL 17
  • Redis 7 + BullMQ
  • pnpm Workspaces + Turborepo
  • Lucia Auth
  • Caddy (internal CA)
  • Headscale-only (no public DNS)
  • GitLab CI/CD


Purpose

Lernwerk is my self-hosted PWA for lifelong learning — structured learning paths for pentesting, Kubernetes certifications (CKA/CKAD/CKS) and languages. Markdown-first content, spaced repetition with FSRS for reviews, a Pomodoro timer for sessions, a wiki for cross-references, and a lab inventory to track hands-on exercises.

Features

  • Learning paths as a Markdown hierarchy with linked modules, exercises and notes
  • FSRS spaced repetition for flashcards — a modern algorithm noticeably more precise than classic SM-2
  • Pomodoro timer with session tracking per learning path
  • Wiki mode for cross-references and personal glossaries
  • Lab inventory — tracking hands-on pentesting exercises (HackTheBox, TryHackMe) and Kubernetes clusters used to prepare for certification

Technical highlights

  • Headscale-only deployment — Lernwerk is not reachable on the public internet, only through my private mesh VPN. Caddy with an internal certificate authority, no Let’s Encrypt needed
  • pnpm Workspaces + Turborepo — monorepo with separate packages for API, web and shared types
  • Drizzle ORM for type-safe database access without code generation
  • Self-hosted GitLab Runner inside the mesh — the entire CI/CD loop stays on the private network
  • Lucia Auth for secure session handling with Argon2id hashing

Why this matters for the role

Lernwerk demonstrates my Headscale-only deployment pattern — a complete stack that intentionally has no public attack surface. The architecture is a direct answer to the question “How do I host internal tools securely without relying on VPN concentrators or DMZ reverse proxies?”. It is also the practical study loop for my ongoing CKA/CKAD/CKS preparation.

civolt

Local energy operating system for distributed energy communities — § 42c-EnWG-compliant energy sharing, AI-driven, fully self-hosted.

In development
  • Node.js + TypeScript
  • Docker Compose
  • n8n (workflow engine)
  • Anthropic Claude API
  • Fronius (PV)
  • Tesla Powerwall (pypowerwall)
  • Loxone (smart home)
  • PostgreSQL


Purpose

civolt is my local energy operating system for distributed energy communities. It connects PV systems, battery storage and smart-home systems into a § 42c-EnWG-compliant energy sharing community — AI-driven and fully self-hosted. The direct use case is my own PV installation and Powerwall, plus the option of integrating neighbouring systems into the same sharing model.

Integrations

  • Fronius — direct pull of inverter data (generation, feed-in, self-consumption)
  • Tesla Powerwall via pypowerwall — state of energy, charge/discharge control, event subscriptions
  • Loxone Miniserver — smart-home control of consumers (heat pump, EV wallbox, pool pump)
  • Anthropic Claude API — AI-assisted load forecasting and optimisation of the self-consumption ratio based on weather, tariff and comfort constraints

Technical highlights

  • n8n as a workflow engine — visually editable automation pipelines for sensor-to-actuator logic, with versioning and rollback
  • § 42c-EnWG compliance — metering and billing logic for energy sharing between multiple participants, with statutory data handling
  • Docker Compose stack as a single-host deployment on a low-power mini-PC backed by a UPS
  • Self-hosted architecture — no data sent to vendor clouds; all control logic stays on the local network

Why this matters for the role

civolt combines IoT integration, regulatory compliance and AI-assisted optimisation — all in a self-hosted stack. It shows that I can think and build outside the classic enterprise infrastructure context, with a clear regulatory framework and real physical consequence (every wrong decision shows up on the next electricity bill).

Finanzportal

React SPA for personal financial planning with AI-assisted market analysis through the Anthropic Claude API.

In development
  • React 18 + Vite
  • TypeScript
  • Tailwind CSS
  • shadcn/ui
  • Anthropic Claude API
  • CSV import (Trade Republic)


Purpose

The Finanzportal is my personal React SPA for financial planning with AI-assisted market analysis. Portfolio management across multiple asset classes (precious metals, ETFs, crypto), CSV import from Trade Republic, market sentiment and recommendations via the Anthropic Claude API.

Features

  • Portfolio management — positions across precious metals, ETFs, equities and crypto assets
  • Trade Republic CSV import — automated ingestion of brokerage exports with mapping to the internal schema
  • AI-assisted market analysis — Anthropic Claude provides data-grounded recommendations, sentiment analyses and market forecasts, always with transparent reasoning
  • Visualisation — portfolio composition, performance over time, asset-class diversification

Technical highlights

  • shadcn/ui for the component library — no external CDN, every component built locally on top of Tailwind
  • Strict TypeScript across the entire project
  • Anthropic Claude API integration with prompt caching for cost control
  • Pure client-side app — no personal data leaves the device except for the explicitly requested AI analysis

Why this matters for the role

Finanzportal is my smallest, most focused AI use case: practical integration of the Anthropic API into an everyday workflow, with privacy awareness around what gets shipped to the LLM provider. Small in scope, clear in execution — and useful enough that I run it daily.

Contact

E-Mail

Earliest start date
October 1, 2026