From 6fcdaa9f84ead6bdcf3ae7c1007e0752e538f471 Mon Sep 17 00:00:00 2001 From: patrickbeane Date: Wed, 27 May 2026 10:27:14 -0400 Subject: [PATCH] docs(profile): refresh Gitea infrastructure profile --- README.md | 159 +++++++++++++++++++++++------------------------- README.template | 159 +++++++++++++++++++++++------------------------- 2 files changed, 152 insertions(+), 166 deletions(-) diff --git a/README.md b/README.md index 54f0c03..6c372c3 100644 --- a/README.md +++ b/README.md @@ -1,126 +1,119 @@ -# 🛡️ Patrick Beane +# Patrick Beane -**SRE | Security Engineer | Self-Hosted Infra & Detection** +**Infrastructure & Security Engineer | SRE | Cloud-Native Platforms** -I design and operate **security-first, self-hosted infrastructure** focused on detection, resilience, and sovereignty. -My lab functions as a live production environment where threat intelligence, automation, and reliability engineering intersect. +I design and operate a self-directed production infrastructure platform focused on security automation, reliability engineering, observability, vulnerability management, and recoverability. + +The environment spans Kubernetes, Linux, multi-cloud infrastructure, identity controls, threat detection, backup verification, and public operational dashboards. My goal is to build systems that are secure-by-default, observable in production, and recoverable under failure. --- -## 🛰 The Fleet (10 Nodes) +## Production Infrastructure Overview -> This environment blends production, research, and continuous experimentation. -> Availability and controls are intentionally tuned per node role. +This environment blends production operations, security research, and continuous infrastructure improvement. Services are distributed across cloud and self-hosted nodes, with each node scoped to a specific operational role to reduce blast radius and simplify ownership. -| Node | Role | Specs | Status | -| :--- | :--- | :--- | :--- | -| **Argus** | SIEM / Brain / node-health Failover | Xeon E5-2660v2 (1 core) | 🟢 Online | -| **Triton** | High Performance Compute | EPYC 9634 (8 cores) | 🟢 Online | -| **Ares** | Gitea / Kubernetes Management Node (MicroK8s) | Ryzen 9 9950X (8 cores) | 🟢 Online | -| **Zephyrus** | Container Host | Ryzen 9 7950X (4 cores) | 🟢 Online | -| **Iris** | NGINX / PHP Edge | Vultr | 🟢 Online | -| **Vault** | Secrets Management | GCP (Vaultwarden) | 🟢 Online | -| **Apollo** | Intel Dashboard (Flask) | AWS | 🟢 Online | -| **Hermes** | Public API (Frontend) | Oracle Cloud | 🟢 Online | -| **Hades** | Public API (Backend) | Oracle Cloud | 🟢 Online | -| **Zeus** | Monitoring / Metrics NOC | Xeon Gold 6150 (1 core) | 🟢 Online | +| Node | Primary Role | Function | +| :--- | :--- | :--- | +| **Argus** | Security telemetry and failover automation | Threat detection, event correlation, and node-health automation | +| **Triton** | Observability and internal tooling | Prometheus, Grafana, Authelia, code-server, CrowdSec bouncers | +| **Ares** | Kubernetes and source control | Gitea, PostgreSQL, Valkey, CI runners, Kubernetes control plane | +| **Zephyrus** | Container hosting | Docker workloads and service hosting | +| **Iris** | Edge services | NGINX/PHP ingress and public-facing services | +| **Vault** | Secrets and identity-adjacent services | Vaultwarden and protected internal services | +| **Apollo** | Threat intelligence dashboard | Flask-based analytics and reporting | +| **Hermes** | Public API frontend | Public API and frontend service layer | +| **Hades** | Public API backend | Backend service support for public APIs | +| **Zeus** | Monitoring and metrics | Centralized observability and service-health tracking | --- -## 🌐 Infrastructure Strategy +## Infrastructure Strategy -- **Compute Layer:** Zen 5 (9950X), Zen 4 (7950X), EPYC 9634 for sustained workloads. -- **Edge Layer:** Oracle Cloud & Vultr for low-latency public ingress. -- **Sentinel Layer:** **Argus SIEM** correlating telemetry and enforcing distributed decisions across nodes. -- **Observability:** Zeus as the centralized NOC and metrics authority. +- **Compute layer:** Heterogeneous self-hosted and cloud infrastructure scoped by workload type +- **Edge layer:** Cloud and VPS ingress for public services and low-latency routing +- **Security telemetry:** Multi-node detection and mitigation workflows using CrowdSec and custom automation +- **Observability:** Centralized monitoring with Prometheus, Grafana, Netdata, exporters, and public dashboards +- **Resilience:** Automated health checks, DNS failover, backup verification, and role-scoped service design --- -## 🛡️ Detection & Response Lifecycle +## Security Detection and Response -- **Triage:** Telemetry ingested from 7 active nodes into the Argus engine. -- **Escalation:** Post-exploitation indicators (e.g. webshells) trigger immediate `PERM_BAN`. -- **Retention:** - - 24 hours for lower confidence scenarios - - 14 days for high-confidence IOCs - - 7 days for offender watchlist -- **Notification:** High-severity events dynamically pushed to Discord. +Security controls are integrated directly into the platform rather than handled as one-off manual checks. + +Current detection and response patterns include: + +- Telemetry ingestion from 7 active nodes +- CrowdSec-based detection and mitigation +- MITRE ATT&CK mapping for selected security events +- Escalation logic for high-confidence indicators +- Watchlist and retention policies based on event confidence +- High-severity event notifications through Discord +- Runtime visibility through public and private dashboards --- -## 🛠 The Arsenal +## Technical Stack -**Languages:** Python (Flask, Gunicorn), Bash, JavaScript (React, Node.js) -**Infrastructure:** Kubernetes (K8s), Docker, Caddy, NGINX -**Security:** Argus (Custom SIEM), CrowdSec, Trivy, SQLite, Vaultwarden -**Observability:** Prometheus, Blackbox Exporter, Node Exporter -**Backups:** Borgmatic, Rsync.net (Encrypted Offsite) +**Languages:** Python, Bash, JavaScript, React, Node.js +**Infrastructure:** Kubernetes, Docker, Caddy, NGINX, Linux +**Security:** CrowdSec, Trivy, Authelia, OIDC, MFA, Fail2Ban, Vaultwarden +**Cloud and Networking:** AWS, GCP, Oracle Cloud, Vultr, Cloudflare, DNS automation +**Observability:** Prometheus, Grafana, Netdata, Blackbox Exporter, Node Exporter, cAdvisor +**Backups:** Borgmatic, encrypted offsite backups, restore verification +**CI/CD and Source Control:** Git, GitHub Actions, Gitea, container image scanning +**Infrastructure as Code:** Terraform --- -### 🧠 Supporting Tooling & Concepts +## Operational Metrics -Actively used across this environment or in adjacent projects: - -- **Security & Identity:** Fail2Ban, MITRE ATT&CK mapping, OIDC, Authelia, MFA, TLS hardening -- **Infrastructure & Cloud:** Linux (Debian/Ubuntu), Terraform, AWS, GCP, Oracle Cloud, Vultr -- **CI / Ops:** Git, GitHub Actions, container image scanning -- **Observability (Extended):** Grafana, Netdata +Current platform highlights: +- 10-node distributed infrastructure environment +- 7-node security telemetry and detection footprint +- `107096` lines of custom code across infrastructure, security, and automation projects +- `1366` commits since January 1 across active repositories +- Automated failover between AWS and peer infrastructure +- Public dashboards for uptime, vulnerabilities, backups, threat telemetry, and service health +- Multiple daily encrypted Borgmatic snapshots shipped offsite +- Recurring backup verification and restore-oriented operational workflows --- -## ⚡ Efficiency Metrics - -- **Codebase Growth:** `107096` lines of custom code across all our repositories -- **Commit Velocity:** `1366` commits since Jan 1 -- **Ares:** Ryzen 9 9950X sustaining ~0.06 load avg while running Gitea and a Kubernetes control plane -- **Resilience:** Automated failover between AWS and peer nodes - -## 📈 Activity +## Activity ![Commit heatmap](public/heatmap.svg) --- -### 🧩 Deployment Patterns -- **Reverse Proxy:** Caddy/NGINX (Cloudflare where applicable) -- **Observability:** Prometheus + Node Exporter + cAdvisor -- **Lifecycle:** Watchtower for controlled auto-updates -- **Access Control:** Authelia where exposed -- **Management:** Portainer (loopback-bound where possible) +## Deployment Patterns -> Nodes are intentionally heterogeneous. -> Each host is scoped to its role to reduce blast radius and cognitive load. +- **Reverse proxy:** Caddy and NGINX, with Cloudflare where applicable +- **Observability:** Prometheus, Grafana, Node Exporter, Blackbox Exporter, cAdvisor, Netdata +- **Access control:** Authelia, OIDC, MFA, TLS hardening, and protected reverse-proxy routes +- **Lifecycle management:** Controlled container updates and service monitoring +- **Service isolation:** Nodes scoped by role to reduce blast radius and simplify recovery +- **Backup strategy:** Encrypted offsite backups with recurring verification --- -#### 📍 Triton -Primary high-density services node running: -- Prometheus + Grafana -- Code-server -- Authelia -- Trilium -- CrowdSec bouncers +## Selected Public Projects -Optimized for sustained workloads and observability aggregation. - ---- - -### 🔗 Live Projects -- **Threat Decisions & Telemetry:** `threats.beane.me` -- **Threat Intelligence & Analytics:** `intel.beane.me` -- **Vulnerability Scanning (Trivy):** `vuln.beane.me` -- **Backups & Restore Verification:** `backups.beane.me` +- **Portfolio:** `beane.me` +- **Threat Decisions and Telemetry:** `threats.beane.me` +- **Threat Intelligence and Analytics:** `intel.beane.me` +- **Vulnerability Scanning and Trends:** `vuln.beane.me` +- **Backup and Restore Verification:** `backups.beane.me` - **Threat Decision Observability:** `observe.beane.me` -- **Source Control (Gitea + K8s):** `git.beane.me` +- **Health and Failover Dashboard:** `health.beane.me` +- **Source Control:** `git.beane.me` +- **Terraform Threat Modeling:** `tfstride.beane.me` --- -## 🚜 Resource Management +## Engineering Philosophy -- **Compute Density:** Kubernetes control plane with Postgres and CI workloads on Zen 5 hardware -- **Sovereignty:** All code, telemetry, and backups remain self-hosted -- **Backups:** Multiple daily encrypted Borgmatic snapshots shipped offsite +Production systems should be observable, automated, recoverable, and secure from the start. -> *"Production systems should be observable, automated, recoverable, and secure from the start."* +I focus on infrastructure that explains itself: clear telemetry, deterministic automation, evidence-backed security findings, documented recovery paths, and controls that improve reliability without slowing delivery. diff --git a/README.template b/README.template index cc5fddd..07aa5cc 100644 --- a/README.template +++ b/README.template @@ -1,126 +1,119 @@ -# 🛡️ Patrick Beane +# Patrick Beane -**SRE | Security Engineer | Self-Hosted Infra & Detection** +**Infrastructure & Security Engineer | SRE | Cloud-Native Platforms** -I design and operate **security-first, self-hosted infrastructure** focused on detection, resilience, and sovereignty. -My lab functions as a live production environment where threat intelligence, automation, and reliability engineering intersect. +I design and operate a self-directed production infrastructure platform focused on security automation, reliability engineering, observability, vulnerability management, and recoverability. + +The environment spans Kubernetes, Linux, multi-cloud infrastructure, identity controls, threat detection, backup verification, and public operational dashboards. My goal is to build systems that are secure-by-default, observable in production, and recoverable under failure. --- -## 🛰 The Fleet (10 Nodes) +## Production Infrastructure Overview -> This environment blends production, research, and continuous experimentation. -> Availability and controls are intentionally tuned per node role. +This environment blends production operations, security research, and continuous infrastructure improvement. Services are distributed across cloud and self-hosted nodes, with each node scoped to a specific operational role to reduce blast radius and simplify ownership. -| Node | Role | Specs | Status | -| :--- | :--- | :--- | :--- | -| **Argus** | SIEM / Brain / node-health Failover | Xeon E5-2660v2 (1 core) | 🟢 Online | -| **Triton** | High Performance Compute | EPYC 9634 (8 cores) | 🟢 Online | -| **Ares** | Gitea / Kubernetes Management Node (MicroK8s) | Ryzen 9 9950X (8 cores) | 🟢 Online | -| **Zephyrus** | Container Host | Ryzen 9 7950X (4 cores) | 🟢 Online | -| **Iris** | NGINX / PHP Edge | Vultr | 🟢 Online | -| **Vault** | Secrets Management | GCP (Vaultwarden) | 🟢 Online | -| **Apollo** | Intel Dashboard (Flask) | AWS | 🟢 Online | -| **Hermes** | Public API (Frontend) | Oracle Cloud | 🟢 Online | -| **Hades** | Public API (Backend) | Oracle Cloud | 🟢 Online | -| **Zeus** | Monitoring / Metrics NOC | Xeon Gold 6150 (1 core) | 🟢 Online | +| Node | Primary Role | Function | +| :--- | :--- | :--- | +| **Argus** | Security telemetry and failover automation | Threat detection, event correlation, and node-health automation | +| **Triton** | Observability and internal tooling | Prometheus, Grafana, Authelia, code-server, CrowdSec bouncers | +| **Ares** | Kubernetes and source control | Gitea, PostgreSQL, Valkey, CI runners, Kubernetes control plane | +| **Zephyrus** | Container hosting | Docker workloads and service hosting | +| **Iris** | Edge services | NGINX/PHP ingress and public-facing services | +| **Vault** | Secrets and identity-adjacent services | Vaultwarden and protected internal services | +| **Apollo** | Threat intelligence dashboard | Flask-based analytics and reporting | +| **Hermes** | Public API frontend | Public API and frontend service layer | +| **Hades** | Public API backend | Backend service support for public APIs | +| **Zeus** | Monitoring and metrics | Centralized observability and service-health tracking | --- -## 🌐 Infrastructure Strategy +## Infrastructure Strategy -- **Compute Layer:** Zen 5 (9950X), Zen 4 (7950X), EPYC 9634 for sustained workloads. -- **Edge Layer:** Oracle Cloud & Vultr for low-latency public ingress. -- **Sentinel Layer:** **Argus SIEM** correlating telemetry and enforcing distributed decisions across nodes. -- **Observability:** Zeus as the centralized NOC and metrics authority. +- **Compute layer:** Heterogeneous self-hosted and cloud infrastructure scoped by workload type +- **Edge layer:** Cloud and VPS ingress for public services and low-latency routing +- **Security telemetry:** Multi-node detection and mitigation workflows using CrowdSec and custom automation +- **Observability:** Centralized monitoring with Prometheus, Grafana, Netdata, exporters, and public dashboards +- **Resilience:** Automated health checks, DNS failover, backup verification, and role-scoped service design --- -## 🛡️ Detection & Response Lifecycle +## Security Detection and Response -- **Triage:** Telemetry ingested from 7 active nodes into the Argus engine. -- **Escalation:** Post-exploitation indicators (e.g. webshells) trigger immediate `PERM_BAN`. -- **Retention:** - - 24 hours for lower confidence scenarios - - 14 days for high-confidence IOCs - - 7 days for offender watchlist -- **Notification:** High-severity events dynamically pushed to Discord. +Security controls are integrated directly into the platform rather than handled as one-off manual checks. + +Current detection and response patterns include: + +- Telemetry ingestion from 7 active nodes +- CrowdSec-based detection and mitigation +- MITRE ATT&CK mapping for selected security events +- Escalation logic for high-confidence indicators +- Watchlist and retention policies based on event confidence +- High-severity event notifications through Discord +- Runtime visibility through public and private dashboards --- -## 🛠 The Arsenal +## Technical Stack -**Languages:** Python (Flask, Gunicorn), Bash, JavaScript (React, Node.js) -**Infrastructure:** Kubernetes (K8s), Docker, Caddy, NGINX -**Security:** Argus (Custom SIEM), CrowdSec, Trivy, SQLite, Vaultwarden -**Observability:** Prometheus, Blackbox Exporter, Node Exporter -**Backups:** Borgmatic, Rsync.net (Encrypted Offsite) +**Languages:** Python, Bash, JavaScript, React, Node.js +**Infrastructure:** Kubernetes, Docker, Caddy, NGINX, Linux +**Security:** CrowdSec, Trivy, Authelia, OIDC, MFA, Fail2Ban, Vaultwarden +**Cloud and Networking:** AWS, GCP, Oracle Cloud, Vultr, Cloudflare, DNS automation +**Observability:** Prometheus, Grafana, Netdata, Blackbox Exporter, Node Exporter, cAdvisor +**Backups:** Borgmatic, encrypted offsite backups, restore verification +**CI/CD and Source Control:** Git, GitHub Actions, Gitea, container image scanning +**Infrastructure as Code:** Terraform --- -### 🧠 Supporting Tooling & Concepts +## Operational Metrics -Actively used across this environment or in adjacent projects: - -- **Security & Identity:** Fail2Ban, MITRE ATT&CK mapping, OIDC, Authelia, MFA, TLS hardening -- **Infrastructure & Cloud:** Linux (Debian/Ubuntu), Terraform, AWS, GCP, Oracle Cloud, Vultr -- **CI / Ops:** Git, GitHub Actions, container image scanning -- **Observability (Extended):** Grafana, Netdata +Current platform highlights: +- 10-node distributed infrastructure environment +- 7-node security telemetry and detection footprint +- `REPLACE_ME_LOC` lines of custom code across infrastructure, security, and automation projects +- `REPLACE_ME_COMMITS` commits since January 1 across active repositories +- Automated failover between AWS and peer infrastructure +- Public dashboards for uptime, vulnerabilities, backups, threat telemetry, and service health +- Multiple daily encrypted Borgmatic snapshots shipped offsite +- Recurring backup verification and restore-oriented operational workflows --- -## ⚡ Efficiency Metrics - -- **Codebase Growth:** `REPLACE_ME_LOC` lines of custom code across all our repositories -- **Commit Velocity:** `REPLACE_ME_COMMITS` commits since Jan 1 -- **Ares:** Ryzen 9 9950X sustaining ~0.06 load avg while running Gitea and a Kubernetes control plane -- **Resilience:** Automated failover between AWS and peer nodes - -## 📈 Activity +## Activity ![Commit heatmap](public/heatmap.svg) --- -### 🧩 Deployment Patterns -- **Reverse Proxy:** Caddy/NGINX (Cloudflare where applicable) -- **Observability:** Prometheus + Node Exporter + cAdvisor -- **Lifecycle:** Watchtower for controlled auto-updates -- **Access Control:** Authelia where exposed -- **Management:** Portainer (loopback-bound where possible) +## Deployment Patterns -> Nodes are intentionally heterogeneous. -> Each host is scoped to its role to reduce blast radius and cognitive load. +- **Reverse proxy:** Caddy and NGINX, with Cloudflare where applicable +- **Observability:** Prometheus, Grafana, Node Exporter, Blackbox Exporter, cAdvisor, Netdata +- **Access control:** Authelia, OIDC, MFA, TLS hardening, and protected reverse-proxy routes +- **Lifecycle management:** Controlled container updates and service monitoring +- **Service isolation:** Nodes scoped by role to reduce blast radius and simplify recovery +- **Backup strategy:** Encrypted offsite backups with recurring verification --- -#### 📍 Triton -Primary high-density services node running: -- Prometheus + Grafana -- Code-server -- Authelia -- Trilium -- CrowdSec bouncers +## Selected Public Projects -Optimized for sustained workloads and observability aggregation. - ---- - -### 🔗 Live Projects -- **Threat Decisions & Telemetry:** `threats.beane.me` -- **Threat Intelligence & Analytics:** `intel.beane.me` -- **Vulnerability Scanning (Trivy):** `vuln.beane.me` -- **Backups & Restore Verification:** `backups.beane.me` +- **Portfolio:** `beane.me` +- **Threat Decisions and Telemetry:** `threats.beane.me` +- **Threat Intelligence and Analytics:** `intel.beane.me` +- **Vulnerability Scanning and Trends:** `vuln.beane.me` +- **Backup and Restore Verification:** `backups.beane.me` - **Threat Decision Observability:** `observe.beane.me` -- **Source Control (Gitea + K8s):** `git.beane.me` +- **Health and Failover Dashboard:** `health.beane.me` +- **Source Control:** `git.beane.me` +- **Terraform Threat Modeling:** `tfstride.beane.me` --- -## 🚜 Resource Management +## Engineering Philosophy -- **Compute Density:** Kubernetes control plane with Postgres and CI workloads on Zen 5 hardware -- **Sovereignty:** All code, telemetry, and backups remain self-hosted -- **Backups:** Multiple daily encrypted Borgmatic snapshots shipped offsite +Production systems should be observable, automated, recoverable, and secure from the start. -> *"Production systems should be observable, automated, recoverable, and secure from the start."* +I focus on infrastructure that explains itself: clear telemetry, deterministic automation, evidence-backed security findings, documented recovery paths, and controls that improve reliability without slowing delivery.