Sebastian Malieni

sevakunjadas.bms@gmail.com | Buenos Aires, Argentina | GitHub | LinkedIn

Summary

Junior DevOps Engineer with hands-on experience building reproducible Fedora-based environments using Ansible, QEMU/KVM, and cloud-init. Currently developing a Hardened Edge-Gateway & Containerized (Docker/K3s) Infrastructure under the mentorship of a Senior Cybersecurity Architect, with a core emphasis on security, infrastructure observability (GLP stack / Uptime Kuma), and Zero-Trust principles. Leverages AI-assisted development (LLMs) to bridge technical gaps and accelerate the delivery of complex automation workflows.

Skills

Infrastructure & Virtualization: Fedora Server (RHEL ecosystem), QEMU/KVM, Libvirt, Cloud-init, AWS (Solutions Architect path).

Networking & Security (DevSecOps): MikroTik RouterOS, WireGuard VPN (Hub & Spoke), VLAN Segmentation (802.1Q), Firewall/NAT hardening, Zero-Trust network isolation, Pi-hole (DNS Security).

Orchestration & Containers: K3s (Kubernetes), Docker & Docker-Compose, Nginx Reverse Proxy, Ingress Management.

Automation & Methods: Ansible (Playbook development), GitHub Actions (CI/CD pipelines), Terraform, AI-Assisted DevOps (LLM Prompt Engineering), Git, Shell Scripting (Bash/Fish).

Observability & Monitoring: Grafana, Loki, Prometheus (GLP Stack), Uptime Kuma, Alloy (Log shipping), Node Exporter.

Project Experience

Guided by a Senior Cybersecurity Architect.

  • Secure networking: Engineered a Hub-and-Spoke VPN architecture using MikroTik and WireGuard to securely integrate remote appliances (IoT, smart TVs, admin clients) into a private, VLAN-segmented environment.
  • Host virtualization: Deployed and managed a Fedora-based KVM/QEMU virtualization host, utilizing bridge networking and custom systemd sequencing to ensure high availability of core services.
  • Container orchestration: Orchestrated a K3s (Kubernetes) cluster to host self-healing microservices, managing persistent storage (PVCs) and traffic routing via Nginx Ingress.
  • Security & isolation: Implemented a Zero-Trust model by enforcing strict inter-VLAN firewall rules on RouterOS and centralizing network-wide DNS security via Pi-hole.
  • Automation as code: Developed Ansible playbooks for automated VM provisioning and environment consistency, leveraging AI-assisted development to rapidly iterate on complex automation logic.
  • Infrastructure observability: Designed and deployed a centralized monitoring platform using a GLP stack (Grafana, Loki, Prometheus) and Uptime Kuma. Implemented proactive alerting and real-time dashboarding to track host metrics, container health, and network uptime across the hybrid environment.
  • Management isolation: Architected the observability stack within a dedicated QEMU VM to ensure monitoring persistence during cluster-wide maintenance or failures.

Production infrastructure delivered to and actively running at Fundación Huésped — a Buenos Aires HIV/AIDS research NGO that tracks biological samples across freezers and liquid nitrogen storage.

  • Container packaging: Containerized a legacy PHP/Apache biobank application using Docker Compose, enabling reproducible, single-command deployment on any Linux machine — replacing a fragmented manual setup process the foundation adopted immediately into production.
  • Service orchestration: Designed a multi-service Docker Compose stack (web, database, backup) with strict network isolation, placing the MariaDB instance on an internal-only Docker network unreachable from outside the container stack.
  • Security & isolation: Applied least-privilege DB credentials, enforced a no-secrets-in-repo policy via .env templating, and architected network segmentation to minimize the attack surface of an NGO production system.
  • Data resilience: Implemented an automated daily mysqldump backup service with 7-day rotating retention, ensuring operational continuity without exposing credentials in the process list.
  • Cloud architecture design: Proposed a cost-optimized AWS migration (EC2 + Nginx + Terraform) tailored to NGO budget constraints, delivering infrastructure-as-code for the proposed cloud environment.
  • CI pipeline: Integrated GitHub Actions to validate Docker builds and Terraform configurations on every push, ensuring infrastructure changes are tested before reaching the production server.
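The backup service described in the Data resilience bullet above, as an added example that is not the candidate's or the foundation's own code: a POSIX shell script that takes a daily mysqldump, prunes dumps older than the retention window, and passes the database password through a mode-0600 option file (`--defaults-extra-file`) rather than on the command line, so it never shows up in `ps` output. Every name in it (`BACKUP_DIR`, `write_defaults_file`, `run_backup`, `rotate_backups`, the `MYSQL_*` variables, the host `db` and the database `biobank`) is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not the project's own code): daily mysqldump with 7-day
# rotating retention, keeping the DB password out of the process list.
# All paths, names and variables below are assumptions for illustration.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/backups}"        # assumed mount point of the backup volume
RETENTION_DAYS="${RETENTION_DAYS:-7}"
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"          # overridable so the script can be exercised with a stub

# Write a MySQL/MariaDB option file readable only by the current user.
# mysqldump reads the password from it via --defaults-extra-file, so the
# secret is never a command-line argument visible to other users via `ps`.
write_defaults_file() {
  path="$1"; user="$2"; password="$3"; host="${4:-db}"
  rm -f -- "$path"
  ( umask 077; printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "$host" "$user" "$password" > "$path" )
  printf '%s\n' "$path"
}

# Dump one database to a timestamped, gzipped file and print its path.
# --single-transaction gives a consistent InnoDB snapshot without locking tables.
run_backup() {
  defaults_file="$1"; database="$2"; outdir="$3"
  mkdir -p "$outdir"
  out="$outdir/${database}-$(date -u +%Y%m%dT%H%M%SZ).sql.gz"
  "$MYSQLDUMP" --defaults-extra-file="$defaults_file" --single-transaction "$database" | gzip > "$out"
  printf '%s\n' "$out"
}

# Delete dumps whose mtime is $2 days or older and print how many were removed.
# (-mtime +N matches files older than N whole days, hence days - 1.)
rotate_backups() {
  outdir="$1"; days="$2"
  find "$outdir" -maxdepth 1 -type f -name '*.sql.gz' -mtime +"$((days - 1))" -print -exec rm -f {} \; \
    | wc -l | tr -d ' '
}

# Entry point for the cron/Compose backup service. The password comes from
# the environment (e.g. injected by Docker Compose from an untracked .env
# file), never from argv. Guarded so that sourcing the file runs nothing.
if [ "${RUN_BACKUP_MAIN:-0}" = "1" ]; then
  cnf=$(write_defaults_file "$BACKUP_DIR/.backup.cnf" "${MYSQL_USER:?}" "${MYSQL_PASSWORD:?}" "${MYSQL_HOST:-db}")
  run_backup "$cnf" "${MYSQL_DATABASE:?}" "$BACKUP_DIR"
  rotate_backups "$BACKUP_DIR" "$RETENTION_DAYS" >/dev/null
fi
```

In a Compose stack like the one described above, this would run as the backup service attached to the same internal-only network as MariaDB, with `MYSQL_PASSWORD` supplied from the untracked `.env` file; the option file lives on the backup volume with owner-only permissions, so neither the repository nor the process list ever carries the credential.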

GitHub Actions CI/CD pipeline deploying a SvelteKit site to GitHub Pages via a two-repo GitOps pattern.

  • Pipeline design: Implemented a GitHub Actions workflow triggered on every push to main, running a sequential quality gate (type-check → build) before deploying, ensuring broken output never ships.
  • Two-repo GitOps: Source code stays in a private repository; only the compiled artifact is pushed to a separate public repository served via GitHub Pages at a custom domain.
  • Reproducible builds: Replaced npm install with npm ci to guarantee lockfile-exact installs across all runs, eliminating dependency drift between local and CI environments.
  • Least-privilege deployment: Scoped the Personal Access Token to the public Pages repository only, limiting the blast radius of a potential credential leak.
  • Dependency caching: Enabled npm cache on the Node.js setup step to reduce install time on successive runs.
  • Pinned action versions: All third-party actions locked to major version tags to prevent silent upstream changes and supply chain risk.

  • Built local high-availability lab scenarios using Fedora and QEMU/KVM virtualization.
  • Configured NGINX load balancing and cloud-init based instance bootstrapping for repeatable tests.
  • Validated fault tolerance and service distribution behaviors under controlled conditions.

  • Provisioned a RHEL 9.5 virtual lab environment with multiple disks and automated initialization via cloud-init.
  • Scripted QEMU VM lifecycle commands to streamline administration and lab repeatability.
  • Applied SSH hardening controls to improve secure remote access practices.

Certifications

  • AWS Certified Solutions Architect - Associate (in progress) — study notes.
  • HashiCorp Certified: Terraform Associate (planned).