Now

A living snapshot of work, homelab, and what I am shipping — deeper than a bio, lighter than a résumé.

Last updated · May 2026 Zürich, CH IT · Security · Platform habits
At a glance

Snapshot

Homelab and day-job snapshot below. The same threads appear on the home page as History and Certifications, as a stack list on Uses, with more room for narrative in the sections that follow.

5
Separate K3s clusters (own control planes & failure domains)
18
Pods on the primary x86 node · 11 namespaces
7.8k+
Threat events caught by CrowdSec (across clusters)
11
Uptime monitors · telegram and email notifications when something drifts

Certifications & education

Professional

Day job & focus

I operate as an IT Specialist & Support Engineer in enterprise environments: incidents, changes, documentation, and keeping production boring on purpose. In parallel I lean into threat-aware operations — structured logging, detection-minded troubleshooting, and tooling that makes anomalies visible instead of noisy.

Stack-wise I regularly touch what you see on Uses: Azure and hybrid identity, SIEM-style thinking (Splunk / ELK-class tools), EDR surfaces, network diagnostics (Wireshark, Nmap), and secure delivery patterns borrowed from the homelab (Git, containers, least privilege).

If you are hiring: I am strongest where support discipline meets security curiosity — reliable runbooks, honest postmortems, and infrastructure that can be rebuilt from declarative configs.

Infrastructure

The five-cluster journey

Most homelab stories start with a single Raspberry Pi. Mine did too — then it became a deliberate practice in isolated K3s clusters, each with its own control plane so failure and blast radius stay teachable.

  1. Cluster 1 — Raspberry Pi 4 (4 GB)

    First K3s: AdGuard Home, Pi-hole, and the rude introduction to namespaces and PodSecurity. Where I learned that a single ARM board can still run a real orchestrator.

  2. Cluster 2 — Raspberry Pi 4 (4 GB)

    Jellyfin and media workflows: persistent volumes, library hygiene, and why hardware acceleration matters (spoiler: a Pi cannot transcode its way out of a paper bag).

  3. Cluster 3 — Raspberry Pi 4 (8 GB)

    Backups & Git: Restic, Gitea, cron automation. The cluster that proved infrastructure without backups is just a countdown to regret.

  4. Cluster 4 — Raspberry Pi 4 (8 GB)

    The experiment box: new tools, broken configs, intentional rebuilds. Where I got fast at recovery because I caused most of the failures on purpose.

  5. Cluster 5 — MacBook Pro (i5, 8 GB, 1 TB SSD)

    The culmination: x86, QuickSync, and everything the Pis taught — applied to one machine that can actually pass /dev/dri into Jellyfin and behave like a serious edge server.

Why five clusters?

One cluster teaches basics; several teach patterns. Separate planes forced me to think about storage on ARM vs x86, ingress behavior under load (Traefik vs NGINX), exposure models (Cloudflare Tunnels vs direct publish), sharing CrowdSec signals across surfaces, and why everything must become YAML and Git — because you cannot click-ops five estates by hand.

Primary node — services & lessons carried forward

Service Role Lesson from earlier clusters
Jellyfin Media server GPU / QuickSync vs ARM software transcode
Immich Photo backup Storage growth and retention discipline
Gitea Git hosting Multi-cluster repo strategy
AdGuard Home DNS filtering Network-wide DNS from cluster 1
Filebrowser Lightweight files Prefer small tools over bloated suites
Portainer Cluster UI Visual ops for speed; Git for truth
Uptime-Kuma Monitoring 11 checks — email when reality diverges
Trilium Runbooks & notes Every fix documented for the next 2 a.m.
CrowdSec + Fail2ban Hardening Reuse rulesets across estates
Tailscale Remote access Zero open ports where possible
Watchtower Updates Automation beats “I will patch later”
279
Tracks in Jellyfin after fixing a scanner edge case (Unicode paths)
12 GB
Photos synced into Immich
54 °C
Idle CPU temp after taming default integrity scanners (was ~96 °C)
~1200
Fan RPM at idle vs ~6500 before fixing misbehaving jobs
Hard lessons

Six hard lessons

Patterns that survived contact with real hardware — expand any card for the story.

PodSecurity labels are universal — and easy to forget

Every new namespace still needs the right PodSecurity posture. I learned it on cluster 1, forgot it on 2–5, and burned the same twenty minutes each time until it became muscle memory.

kubectl label namespace <name> pod-security.kubernetes.io/enforce=privileged --overwrite
“Helpful” Ubuntu scanners vs small machines

AIDE, rkhunter, and friends are built for different scale. On a Pi they peg CPU; on the MacBook they drove ~96 °C and a screaming fan. Masking the timers and removing the daily cron entries brought thermals back to sensible idle.

sudo systemctl mask aidecheck.timer dailyaidecheck.timer
sudo rm -f /etc/cron.daily/aide-check /etc/cron.daily/rkhunter
ARM vs x86: acceleration changes the product

Jellyfin on Pi meant direct play and patience. Passing Intel QuickSync through to the container turned transcoding from “85% CPU meltdown” into a ~5% background task — the difference between toy and dependable.

volumes:
  - name: dri
    hostPath:
      path: /dev/dri
The fifteen-hour metadata mystery

After permissions, tags, NFO files, library rebuilds, and even spinning up an alternate player for A/B tests, the culprit was silent scanner behavior on folders with Arabic script in the path. Renaming the directory made 279 tracks appear instantly — a good reminder that “no errors” is not the same as “correct.”

Declarative infrastructure compounds

With multiple clusters, every fix becomes a manifest in Git. New cluster? Apply. Disaster? kubectl apply from backup. I can rebuild any of the five estates in well under an hour — homelab as rehearsal for production discipline.

Each cluster has a personality

One stays boring-stable; one is the media workhorse; one is paranoid about backups; one is chaos and monthly rebuilds; the last is the showpiece. You do not need five — but each taught something the previous could not, and mistakes from cluster 2 prevent disasters on cluster 5.

Shipping

What I am building

Software and sites where first-party hosting and clear threat models matter — aligned with the stack on Uses.

mocipher.com

This site: static HTML/CSS/JS on Cloudflare Pages, Workers + KV, strict CSP, no framework bloat. The admin panel and APIs are part of how I dogfood “small surface, high clarity.”

Homepage →

PSSM & Notey

Self-built password management and encrypted notes — AES-256, zero-knowledge angles, and sync on infrastructure I control. Practical security engineering, not slide decks.

Details on Uses →

Private family apps

I also maintain a small set of internal, family-facing applications — auth, backups, and UX polish without handing the data model to consumer SaaS. Names and screenshots stay private; the goal is durability and trust, not marketing.

Write-ups when they are sharable →

Away from keyboard

Life

Based in Zürich: gym, markets, trading charts when the market opens politely, and the occasional late-night kubectl anyway.

I still treat the homelab as a living résumé — if production Kubernetes is intimidating, practicing declarative recovery at home makes the enterprise version feel familiar instead of magical.

Want the full tool matrix, security stack, and hardware picture? That lives on one page on purpose.

Open Uses Contact

Inspired by the Now movement — a page you can refresh when the season changes.