Senior Platform Engineer | Kubernetes & GitOps | CISSP, SSCP
Updated on 24.04.2026
Profile
Freelancer / Self-employed
Remote work
Available from: 01.05.2026
Availability: 100%
of which on-site: 0%
Kubernetes
DevOps
IT-Security
Docker
CI/CD
ArgoCD
Ansible
Jenkins
Helm
Linux
Prometheus
Grafana
HashiCorp Vault
Python
Bash
GitOps
Infrastructure as Code
CISSP
Network Security
Monitoring
Cloud Security
Container Security
RBAC
German: native language
English: fluent in reading and writing (B2/C1), conversational speaking

Work locations

Germany, Switzerland, Austria: possible

Projects

9 years 8 months
2016-09 - now

Running my own small on-premise data center in Tyrol, Austria

Founder & Managing Director, DevSecOps Engineer

  • Running my own small on-premise data center in Tyrol, Austria. I built the entire infrastructure from scratch (bare-metal servers, Kubernetes clusters, CI/CD pipelines) to provide fully automated web services for regional customers. As Geschäftsführer I handle everything from strategy, finances, and customer relations to compliance and IT security governance. Everything I know isn't just theory; it's running in production on my own infrastructure, built, funded, and fully documented entirely by myself.
  • Origin and pivot (2019-2020): the GmbH's first major engagement was ilumina-circle com, a spirituality/wellness community and marketplace platform commissioned by an external client. I led development with two freelancers and one employee, delivered the platform end-to-end, and sold the first event tickets; then COVID arrived, the shareholders stopped funding, and the contract collapsed. I had to let the team go and independently rebuilt the business model around an automation-driven SaaS approach. Rather than walk away, I chose to finish what I had started: I kept the code I had written, rebuilt the business around automation instead of manpower, and turned the same plugin stack into two productized offerings: Tagfalter (single-tenant, fully managed WordPress per customer) and Community Sites (a community marketplace platform built on BuddyPress + WooCommerce, the direct descendant of ilumina-circle com). Both products now run on the Kubernetes + Ansible substrate (Anduril) I subsequently designed from scratch. The near-bankruptcy is why the platform is engineered the way it is: every manual step is an operator cost I cannot afford, so every manual step became code.
    • DevSecOps & CI/CD Pipeline Engineering:
      • Jenkins Shared Library: Groovy Functions for CI/CD Automation, Semantic Versioning, Docker Lifecycle, ArgoCD Integration
      • GitLab CI Components: reusable, versioned DevSecOps pipeline library (gitleaks secret scanning, Semgrep SAST, PHPStan with SARIF, Trivy container scanning, OWASP ZAP baseline DAST, DefectDojo vulnerability management, WordPress plugin test/release/site-trigger components)
      • GitOps Architecture: ArgoCD App-of-Apps Pattern, Kustomize Overlays, Automated ApplicationSet Generation
      • Security Integration: Shift-Left pipelines (secret scanning, SAST, container image scanning, DAST against live ArgoCD-deployed URLs, centralised vulnerability tracking in DefectDojo)
    • Infrastructure-as-Code & Automation:
      • Ansible Framework: Production-Grade Custom Roles for Cluster Lifecycle, Database, Network, IAM, Mail
      • Configuration Management: Ansible reconciliation driven by Jenkins pipelines on self-hosted GitLab merge events (migrated from a Puppet-based stack in 2025); 5-Layer Governance Structure
      • Terraform: modular repository architecture with per-project state isolation (separate state files for AWS infrastructure and Jenkins credential management), shared module library split into modules/aws, modules/common, modules/security, environment overlays (environments/dev|staging|prod), and cross-project data sharing via terraform_remote_state. AWS scope covers VPC/subnets/compute/EKS; Jenkins scope manages credentials via the Terraform provider.
    • Kubernetes Cluster from Scratch:
      • Bare-Metal 8-node setup: 3-node HA control plane (Keepalived VIP failover) + 5 worker nodes; Rook-Ceph storage, MetalLB load balancing
      • Security: RBAC, NetworkPolicies, Pod Security Standards, TLS/mTLS, Secrets Management (Vault)
      • Lifecycle Management: In-place cluster version upgrades (currently running Kubernetes v1.32); Weave Net to Calico CNI migration (March 2026) executed on the live production cluster within a planned 15-minute maintenance window: no unplanned outages, no data loss, full post-migration audit of iptables state
      • Production Services: Hosting platforms (insa.tirol, tagfalter.rothirsch tech), Multi-Tenant Customer Deployments
    • Linux & Network Administration:
      • System Security: Linux Hardening (15+ years), Kernel Tuning, Patch Management
      • Network Infrastructure: nftables/iptables, Nginx/Apache, Strongswan VPN, Bind9 DNS
    • Identity & Access Management:
      • OpenLDAP Multi-Master Replication, Keycloak SSO, PKI & Certificate Management, MFA
    • Database & High-Availability:
      • MariaDB Galera Multi-Master Clustering, MaxScale Database Proxy
      • Automated Backup/Restore Workflows, Zero-Downtime Maintenance
    • Container Architecture:
      • Custom Containerized Services: WordPress, Mail (Postfix/Dovecot/Amavis), IAM (OpenLDAP/Keycloak), Monitoring (Icinga2/Prometheus/Grafana)
      • Multi-Stage Builds, Security Hardening, Multi-Architecture Support (AMD64, ARM, ARM64)
    • Monitoring & Observability:
      • Prometheus, Grafana, ELK Stack (Filebeat, Metricbeat), Icinga2
      • Custom Health Check Endpoints, Security Event Detection
    • API-Driven & Event-Driven Automation:
      • n8n Workflow Automation, GitLab API, ArgoCD API, Kubernetes API, Webhooks
    • In-house Jenkins Pipeline Shared Library (eldamar):
      • Groovy pipeline library with ~15 reusable modules powering CI/CD across the Rothirsch Tech. GmbH platform: Docker build/tag/push orchestration, semantic versioning with automatic git tagging, ArgoCD sync via CLI and webhooks, and Helm chart version bumps against remote chart repositories
      • Designed and written in-house to fit the Rothirsch substrate: every pipeline step on the platform is backed by a function in this library
    • In-house GitLab CI Components (DevSecOps pipeline library):
      • Versioned, re-usable CI components hosted on self-hosted GitLab, the GitLab-native counterpart of the Jenkins Shared Library. Consumer projects include each component at a pinned git tag (component: ?/gitleaks@1.0.0) so upgrades are opt-in per consumer.
      • Security-scanning components implementing Shift-Left: gitleaks (secret scanning: full history on push, diff-only on MRs), semgrep (SAST with PHP security rules), phpstan (static analysis, SARIF output), trivy-image-scan (container image vulnerability scan), zap-baseline-scan (OWASP ZAP passive DAST that waits for the ArgoCD rollout to finish before scanning the live URL).
      • defectdojo-import component uploads every scan report to a central DefectDojo instance (endpoint and token injected as protected CI/CD variables at GitLab group level), giving one consolidated vulnerability view across the whole plugin and container portfolio.
      • WordPress delivery components: wordpress-plugin-tests (PHPUnit + PHPCS + composer), wordpress-plugin-release (patch-bump plugin header version, commit, tag, push to main), wordpress-site-trigger (bump the plugin tag in each downstream site's Dockerfile; one include per downstream repo).
    • In-house WordPress Plugin & Theme Portfolio:
      • First-party plugin library carrying both product lines (Tagfalter and Community Sites)
      • Notable plugins beyond Woo-Merchants and the Tagfalter Data Porter: post_to_wordpress (multi-target post-syndication), woo-merchants-odoo (Odoo ERP integration for the marketplace product line), wp_secure_login (first-party authentication/authorization, replaces generic third-party login plugins)
      • Custom themes (rtcs-theme, rtsb-theme) round out the product UX
    • End-to-End Test Automation Suite:
      • TypeScript/Playwright test suite covering the same product surface as the in-house plugin portfolio above
      • Helper modules for WP-CLI, IMAP (mail-flow assertions), and Stripe (payment-flow assertions)
      • Coverage includes Woo-Merchants registration, post syndication, secure-login flows (login, password reset, password strength), BuddyPress profile flows, double opt-in, and legal modal acceptance; compliance-relevant paths get the same automated coverage as the happy path

Kubernetes (bare-metal), Docker, Helm, Kustomize, Jenkins (Custom Shared Library), ArgoCD, GitLab CI (Custom Components Library), n8n, Ansible, Terraform (modular per-project state isolation), Bash, Python, Groovy, gitleaks (secret scanning), Semgrep (SAST), PHPStan, Trivy (image scan), OWASP ZAP (baseline DAST), DefectDojo (vuln management), nftables, Strongswan VPN, HashiCorp Vault + External Secrets Operator (K8s Secrets), Prometheus, Grafana, ELK Stack (Filebeat, Metricbeat), Icinga2, MariaDB Galera, MaxScale, Rook-Ceph, Calico, MetalLB, Nginx, Bind9 DNS, OpenLDAP, Keycloak, cert-manager, Postfix, Dovecot, Amavis, SpamAssassin, ClamAV, OpenDMARC, OpenDKIM, Debian, Ubuntu, TLS/mTLS PKI
gladly upon request
Remote
3 years 8 months
2022-09 - 2026-04

Security-First Kubernetes Cluster for critical business applications

DevSecOps & Kubernetes Engineer (Freelance)

  • Identity & Access Management (shared team IAM solution, a platform for internal developers):
    • Lead developer for the OpenLDAP Docker project
    • Introduced Keycloak as the central SSO / identity provider component
    • Integration into Kubernetes RBAC and service accounts
  • DevSecOps & CI/CD Security:
    • Co-developing Jenkins CI/CD pipelines within the DevOps team (Groovy)
    • Integration of security checks in CI/CD pipeline (Shift-Left Approach)
    • Automated Vulnerability Scanning and Remediation Workflows
    • GitOps-based deployments with ArgoCD
    • Semantic Versioning Automation with Git integration
    • Container Lifecycle Management (Build/Scan/Tag/Push)
    • ArgoCD Webhook Integration for Event-Driven Deployments
  • Infrastructure-as-Code & Automation:
    • Complete cluster automation with Ansible
    • Bare-Metal Kubernetes Installation from Scratch
    • High-Availability Control Plane Setup
    • Unified Deployment System for Multi-Application Orchestration
  • Kubernetes Security Implementation:
    • Comprehensive Security Hardening at all levels:
      • Host Security: Linux Hardening, SELinux/AppArmor
      • Network Security: NetworkPolicies, Micro-Segmentation
      • Application Security: RBAC, Pod Security Standards
      • Data Security: Encryption at Rest & in Transit
    • Defense-in-Depth principles
    • Certificate Management with cert-manager
    • Secrets Management with External Secrets Operator (ESO) connected to a dedicated Vault system
  • Monitoring & Observability:
    • Checkmk for infrastructure monitoring
    • Prometheus/Grafana Monitoring Stack
    • Security Event Detection & Logging
    • Automated Health Checks
    • Incident Response Procedures
  • Network & Storage:
    • MetalLB Load Balancing for Bare-Metal
    • Nginx Ingress Controller with SSL Passthrough
    • NetworkPolicies for Security Zones
    • Rook-Ceph Distributed Storage, CNI Configuration (Calico)

Kubernetes (bare-metal), Docker, Helm, Jenkins, ArgoCD, Groovy, Ansible, Bash, Python, nftables, cert-manager, Vault, Sealed Secrets, OpenLDAP, Keycloak, Checkmk, Prometheus, Grafana, Rook-Ceph, MetalLB, Nginx Ingress, Calico, Jira, Confluence, Debian, Ubuntu, RBAC, NetworkPolicies
mgm technology partners GmbH
Remote

Education and training


Certificates and further training:

All certifications detailed on LinkedIn

  • Active Security Certifications
  • CISSP: Certified Information Systems Security Professional, ISC²
  • SSCP: Systems Security Certified Practitioner, ISC²
  • CKA: Certified Kubernetes Administrator (in preparation)
  • AWS Certification: currently in preparation
  • Terraform: active use with modular per-project state architecture (AWS VPC/subnets/compute/EKS, Jenkins credential management, shared modules for AWS/common/security, environment overlays)
  • GitLab CI/CD Components: self-hosted DevSecOps pipeline library (gitleaks, Semgrep, PHPStan, Trivy, OWASP ZAP, DefectDojo) used across WordPress plugin and container repositories


Training & Courses:

  • GitLab CI/CD ? From Zero To Hero, TechWorld with Nana
  • Kubernetes Administrator (CKA), TechWorld with Nana
  • Flutter: Part 01 Introduction, LinkedIn Learning
  • Getting Started with WordPress, LinkedIn Learning
  • Getting Started as an Agile Project Manager, LinkedIn Learning
  • Getting Started with DevOps, LinkedIn Learning
  • ISC² CISSP Certification Exam Preparation, LinkedIn Learning
  • Linux: Email Services, LinkedIn Learning
  • Linux System Engineer: Network Filesystems (NFS/Samba), LinkedIn Learning
  • GDPR for Security Professionals, ISC²

Position

  • DevSecOps Engineer
  • Kubernetes & Security Specialist
  • CISSP
  • Senior Platform Engineer

Skills

Top skills

Kubernetes, DevOps, IT-Security, Docker, CI/CD, ArgoCD, Ansible, Jenkins, Helm, Linux, Prometheus, Grafana, HashiCorp Vault, Python, Bash, GitOps, Infrastructure as Code, CISSP, Network Security, Monitoring, Cloud Security, Container Security, RBAC

Focus areas

On-Premise Infrastructure, Automation & CI/CD: Jenkins, GitLab CI, ArgoCD
Infrastructure-as-Code: Ansible, Python, Bash
Container Orchestration: Kubernetes, Docker
Security-First Architecture
CISSP
IT Security
DevSecOps
Cloud-Native Security
Kubernetes
Monitoring


Products / Standards / Experience / Methods

Linux: >10 years
Python: >10 years
Bash: >10 years
IT-Security: 5-10 years
Network Security: 5-10 years
Monitoring (Icinga2): 5-10 years
Kubernetes (bare-metal): 4 years
DevOps: 5 years
Ansible: 3-5 years
Docker: 5 years
Helm: 3-5 years
CI/CD: 3-5 years
Jenkins: 3-5 years
ArgoCD: 3-5 years
GitOps: 3-5 years
Infrastructure as Code: 3-5 years
ELK Stack: 3-5 years
Platform Engineering: 3-5 years
Bare-Metal: 5-10 years
Calico: 1-2 years
Rook-Ceph: 3-5 years
cert-manager: 1-2 years
External Secrets Operator: 1-2 years
HashiCorp Vault: 1-2 years
Prometheus: 1 year
Grafana: 1 year
AWS: currently preparing certification
GitLab CI/CD: 1 year
DevSecOps: 1 year
SAST (Semgrep): 1 year
Secret Scanning (gitleaks): 1 year
Container Security (Trivy): 1 year
DAST (OWASP ZAP): 1 year
DefectDojo: 1 year
PHPStan: 1 year
Shift-Left Security: 1 year

Profil:

  • Senior platform engineer and Kubernetes architect with 15+ years in IT, CISSP- and SSCP-certified, operating as founder and Geschäftsführer of Rothirsch Tech. GmbH (incorporated October 2020; sole proprietor since September 2016). I help DACH organizations, preferably in regulated or compliance-sensitive sectors, to design, build, and harden the platforms their business runs on, most often bare-metal Kubernetes, CI/CD automation, and the security controls around them
  • The engagement shape I deliver best is end-to-end ownership of a platform, DevSecOps, or trusted-DevOps initiative, from conceptualization and architectural decisions through hands-on implementation into operated production, either leading the scope solo or embedded in an existing DevOps team and working with architecture, security, and process owners to land security and compliance requirements in automated processes. Recent work at mgm technology partners GmbH (2022-2026) is a lived example: a from-scratch, on-premise, high-availability Kubernetes cluster for a critical business application (initially built solo, then grown within the DevOps team), with ArgoCD GitOps, External Secrets Operator + Vault, co-developed Jenkins CI/CD pipelines with shift-left security scanning, and a shared-team IAM platform (OpenLDAP + Keycloak) integrated with Kubernetes RBAC and service accounts, a developer-facing self-service capability consumed across the internal development teams. I maintain an independent reference proof-point by running my own production platform: a self-built small on-premise data center in Tyrol that hosts Rothirsch Tech. GmbH's own SaaS products on the same bare-metal Kubernetes substrate I bring to client work, built around a declarative site controller (Anduril) that provides self-service provisioning at the infrastructure layer the Kubernetes API does not reach, including a production CNI migration from Weave Net to Calico (March 2026) with a planned 15-minute maintenance window, end-to-end owned and documented. I communicate technical decisions directly to engineering, architecture, and security stakeholders, without a translation layer
  • I work remotely in CET; project language German or English, async-first on written channels (tickets, code review, documentation, Slack). CISSP and SSCP certification combined with hands-on GDPR/DSGVO experience and hands-on platform engineering are the differentiators I bring to regulated-industry clients


Focus areas:

  • Bare-metal Kubernetes platform engineering
  • Security hardening and GDPR/DSGVO compliance (CISSP, SSCP)
  • CI/CD and GitOps (Jenkins Shared Library, GitLab CI Components, ArgoCD)
  • Shift-left DevSecOps pipelines (gitleaks, Semgrep, PHPStan, Trivy, OWASP ZAP, DefectDojo)
  • Infrastructure-as-Code (Ansible, Terraform modular architecture, Python, Bash) driven by merge events on self-hosted GitLab
  • Observability and incident response


Engagement shape:

  • End-to-end ownership (solo lead or embedded in an existing DevOps team)
  • Remote, CET
  • Async-first collaboration
  • Project language German or English
  • Rothirsch Tech. GmbH contracting vehicle
  • From €120/hr, project-dependent; negotiable for projects aligned with the ISC² Code of Ethics


ENGAGEMENT FOCUS:
  • I take on one well-scoped platform, security, or infrastructure problem at a time and own it end-to-end, from architecture through implementation to documented handover
  • The engagement shape I deliver best is a specific problem with clear success criteria, owned by a single senior engineer accountable for the outcome, rather than embedded into large platform teams

TECHNICAL SPECIALIZATION:
  • Bare-metal Kubernetes platform engineering from scratch
  • Security-hardened cluster design
  • CI/CD automation and GitOps (Jenkins Shared Library, GitLab CI Components, ArgoCD)
  • Shift-left DevSecOps pipelines: gitleaks (secrets), Semgrep (SAST), PHPStan, Trivy (container scan), OWASP ZAP (baseline DAST), DefectDojo (centralised vuln management)
  • Infrastructure-as-Code: Ansible and modular Terraform (per-project state isolation, shared modules for AWS/common/security), driven by merge events on self-hosted GitLab
  • Observability and incident response

PROVEN PRODUCTION EXPERIENCE:
  • Recent work at mgm technology partners GmbH (2022-2026): Security-First Kubernetes cluster for critical business applications, with custom Jenkins Shared Library, ArgoCD GitOps, External Secrets Operator + Vault
  • In parallel I operate my own production platform, a self-built small on-premise data center in Tyrol running the Rothirsch Tech. GmbH SaaS products (Tagfalter, Community Sites) on the same bare-metal Kubernetes substrate I bring to client work. Production CNI migration from Weave Net to Calico (March 2026) executed on the live cluster within a planned 15-minute maintenance window

WORKING STYLE:
  • Remote-first (CET), project language German, asynchronous English via tickets / code review / documentation
  • Currently preparing AWS certification alongside CKA
  • Rothirsch Tech. GmbH contracting vehicle (Innsbruck)
  • I take on one well-scoped platform, security, or compliance problem at a time and own it end-to-end, from architecture through implementation to documented handover
  • Remote from Tyrol, CET, via Rothirsch Tech. GmbH (Innsbruck)


Availability & Conditions:

  • Availability: Immediately
  • Hourly rate: from €120, project-dependent
  • Billing entity: Rothirsch Tech. GmbH, FN 542991t, Innsbruck
  • Contract signatory: René Zingerle, Geschäftsführer
  • Remote: Yes, preferred
  • On-site: By arrangement
  • Ethical Principles: Committed to ISC² Code of Ethics


Professional background:
2020 - today:
Customer: Rothirsch Tech. GmbH


Tasks:

Designing, building, and operating a multi-tenant SaaS platform on bare-metal Kubernetes (Tagfalter) 

  • First-party production workload, listed here as engineering experience, not as a third-party reference
    • What this engagement demonstrates for a client: I designed, built, and have continuously operated a multi-tenant WordPress/Nextcloud SaaS on bare-metal Kubernetes as a single engineer, covering the full stack a regulated client would also need me to cover: IAM, secrets, gateway, TLS, GitOps, automation controller, release pipeline, data isolation, lifecycle management, GDPR erasure/portability, and in-house mail. Every design decision and every production incident listed below is real load on a live platform, not a portfolio artifact.
    • Why WordPress: as a solo operator, building and running the platform substrate (automation, security, release pipeline, mail, storage, IAM) is already more than one person's scope; layering a bespoke CMS on top would be irresponsible. WordPress is open source, has an enormous community, receives constant third-party security scrutiny, and ships patches on a predictable cadence. That transparency is a deliberate security choice, not a convenience one. A WooCommerce purchase (handled by my own Woo-Merchants plugin) fires a webhook that triggers a Jenkins pipeline, which runs Anduril, a declarative site controller I wrote as a ~9,000-line Ansible role composed of 75+ modular tasks. Sites are declared as YAML records (type × status × group) and Anduril reconciles the live infrastructure against that declaration; similar in spirit to a Kubernetes controller, but operating at the provisioning layer where a controller cannot reach (DNS, gateway TLS, MariaDB users, ArgoCD git repo, Vault).
    • What Anduril does on an active WordPress deployment: creates an isolated Kubernetes namespace, provisions a per-site database on MaxScale with a dedicated 32-character MariaDB user stored in HashiCorp Vault (blast-radius isolation: one compromised site cannot reach another's data), installs per-site TLS / WordPress salt / Docker registry secrets, updates the nginx gateway and copies TLS material to it, writes a Kustomize overlay into the ArgoCD config repository, and hands off to ArgoCD for the Helm rollout and WordPress initialization. The same role also handles grace-period soft deletes (data preserved, deployment torn down), hard removes (database + Vault credentials + namespace), domain migrations (export / import / wp-cli search-replace / DNS cut-over / source cleanup), TLS-only refreshes, and dry-run validation.
    • Operational maturity: fully idempotent (Vault is checked before credential generation; ArgoCD reconciliation makes partial runs safe); compensating logic and error handling for DNS propagation, Let's Encrypt rate limits, and production-observed timing scenarios; per-site blast-radius containment across namespaces, Vault credentials, MariaDB users, and NetworkPolicies; temp files can be preserved (anduril_cleanup_temp=false) for post-mortem; documented runbooks for every named failure mode.
    • Platform architecture (deliberately managed, not a constraint): Tagfalter customers do not have WordPress admin access, by design. The automation is the product: updates, security patches, and plugin rollouts are handled centrally, so customers never have to. Customer interaction happens only through the native WordPress Customizer (theme/layout adjustments) and a set of self-written frontend plugins that provide curated content editing; the WordPress backend is never exposed. Plugin and feature changes ride a three-stage release train: a test branch where new work lands and validation runs (test automation in progress), an integration branch that is an opt-in early-access tier for customers who have explicitly committed to receive features first-hand (a voluntary beta channel with a real customer role), and a production branch that is the stable default for all end users. This keeps the blast radius of any change bounded and gives beta-consenting customers a named place in the release process.
    • Privacy & data handling: all customer data is resident in the EU (self-operated small Tyrolean data center, no US sub-processors in the hosting path); per-site database credentials are generated on demand, stored in HashiCorp Vault, and rotatable; sites are isolated at the Kubernetes namespace and NetworkPolicy layer with dedicated MariaDB users per site; CDN77 is the single named sub-processor for content delivery and is disclosed in the Tagfalter AGB. Transactional and newsletter email is delivered by my own in-house mail stack (Postfix / Dovecot / Amavis / OpenDKIM / OpenDMARC, operated by Rothirsch Tech. GmbH on the same Kubernetes substrate), so transactional email is delivered entirely via our own EU-resident infrastructure. Mail stays inside EU-resident infrastructure at every hop, which removes an entire class of trans-Atlantic sub-processor exposure that competing managed-WordPress hosts carry. GDPR Article 20 (portability) is handled by a self-written frontend plugin, Tagfalter Data Porter, that lets customers export posts, Customizer settings, WooCommerce products, merchants, events, and media as a WXR bundle importable into any other WordPress instance: no admin involvement, no ticket, no fee. Article 17 (erasure) is driven by declarative inventory state: cancellation moves a site to grace (pods removed, data preserved, 30-day window); expiry moves it to removed, at which point a daily cron job reaps the Kubernetes namespace, MariaDB database and user, Vault credentials, ArgoCD configuration, and DNS records; fully idempotent, fully auditable


2020 - today:
Customer: Rothirsch Tech. GmbH


Tasks:
Scalable Mail Infrastructure on Kubernetes

  • A fully containerized, horizontally-scalable mail stack running on my own Kubernetes cluster: Postfix (MSA/MTA), Dovecot (IMAP + LMTP), Amavis (policy orchestration), SpamAssassin, ClamAV, OpenDMARC, OpenDKIM, with central authentication against OpenLDAP. Built as a microservices architecture so each component scales and updates independently; deployed and reconciled via the same GitOps pipeline as every other workload on the substrate
  • Why this matters as a compliance differentiator: this stack is not just a back-office service: it is the mail path for every product Rothirsch Tech. GmbH operates. Tagfalter transactional mail, Community Sites member signups and marketplace order confirmations, newsletter campaigns, password resets, event notifications, and standalone business mailboxes all flow through this infrastructure. No third-party Email Service Provider is involved at any hop. Mail stays inside EU-resident infrastructure from origin to recipient handoff, which removes an entire class of trans-Atlantic sub-processor exposure that virtually all competing managed-WordPress and community-platform vendors carry. For GDPR Article 28 / Article 30 / DPIA purposes, the sub-processor list for lifecycle mail is simply: Rothirsch Tech. GmbH itself. That is rare in the managed-hosting market and is documented as a named compliance advantage in the Tagfalter and Community Sites product documentation


2019 - today:

Customer: Rothirsch Tech. GmbH

Tasks:
Extending the platform to a second product line: BuddyPress + WooCommerce community marketplace (Community Sites) 

  • First-party production workload, listed here as engineering experience, not as a third-party reference
    • What this engagement demonstrates for a client: given an existing platform substrate, I extended it to carry a second, structurally different product line without rewriting the substrate, the exact shape of work a client needs when a successful internal platform has to stretch to cover a new use case.
    • The platform: a productized WordPress + BuddyPress + WooCommerce platform for community marketplaces with multi-vendor storefronts, member profiles, activity feeds, event calendars, and local business directories. The product grew out of the 2019 agency build of ilumina-circle com (see the founder section above): after the pandemic collapsed that engagement, I kept the plugin stack I had written, moved it onto my own Kubernetes substrate, and turned it into a repeatable product line. Two deployments currently run on the platform (both operated by Rothirsch Tech. GmbH), exercising the same substrate in two very different domains: a regional community and marketplace for Tyrol (members: Tiroler, blog: G'schichtn, marketplace: Mårkt, directory: Locals) and a community platform with extended governance rules (deployment stack identical to insa.tirol).
    • Technical shape: single-site WordPress with BuddyPress for member profiles and activity streams; WooCommerce + a self-written Woo-Merchants plugin driving Stripe Connect Express payouts (10% platform fee, min €1.00, Stripe processing included); a self-written event plugin; and a shared custom theme. Users can author posts, events, and WooCommerce products on the shared site; users who want to sell register a merchant entity via Woo-Merchants and appear in the directory. Marketplace payouts are merchant-direct via Stripe; the platform is not a party to the sale contract. All plugins come from the same in-house portfolio: the investment made for ilumina-circle in 2019 is still earning returns in production in 2026.
    • Substrate reuse: the platform rides the exact same Anduril + ArgoCD + Helm + Vault + MariaDB/MaxScale + CephFS + Kubernetes stack as Tagfalter. Same declarative inventory (type: community_site, status: active|grace|removed), same grace-period lifecycle (30 days), same daily reconciliation cron, same blast-radius-contained per-site credentials. I did not rewrite the platform for the second product; I extended the controller's type dimension and reused everything else. That reuse is the actual deliverable: one solo operator maintaining two productized web-services lines on one substrate, with one release pipeline and one operational surface.
    • Privacy & data handling: EU-resident self-operated small data center; Stripe Connect Express (EU-resident) is the single payments sub-processor; CDN77 (EU-headquartered) handles content delivery; spam defence is handled by registration- and MFA-gated comments rather than a third-party content filter. Transactional email, password resets, event notifications, marketplace order confirmations, and newsletter campaigns are all delivered by my own in-house mail stack, the same Postfix/Dovecot/Amavis/OpenDKIM/OpenDMARC substrate referenced in the Tagfalter block above. No third-party ESP touches any Community Sites lifecycle mail. GDPR Article 17 is handled at two scopes (per-member and per-deployment) with named Anduril code paths.


2022 - 2026:
Customer: mgm technology partners GmbH


Tasks:
Secure Kubernetes Cluster 

  • Security-First Kubernetes Cluster Design from Scratch
  • Comprehensive security hardening across all layers. Security automation in CI/CD
  • Successful production deployment for critical business applications

      • GitOps Architecture: ArgoCD App-of-Apps Pattern, Kustomize Overlays, Automated ApplicationSet Generation
      • Security Integration: Shift-Left pipelines – secret scanning, SAST, container image scanning, DAST against live ArgoCD-deployed URLs, centralised vulnerability tracking in DefectDojo
    • Infrastructure-as-Code & Automation:
      • Ansible Framework: Production-Grade Custom Roles for Cluster Lifecycle, Database, Network, IAM, Mail
      • Configuration Management: Ansible reconciliation driven by Jenkins pipelines on self-hosted GitLab merge events (migrated from a Puppet-based stack in 2025); 5-Layer Governance Structure
      • Terraform: modular repository architecture with per-project state isolation (separate state files for AWS infrastructure and Jenkins credential management), shared module library split into modules/aws, modules/common, modules/security, environment overlays (environments/dev|staging|prod), and cross-project data sharing via terraform_remote_state. AWS scope covers VPC/subnets/compute/EKS; Jenkins scope manages credentials via the Terraform provider.
    • Kubernetes Cluster from Scratch:
      • Bare-Metal 8-node setup: 3-node HA control plane (Keepalived VIP failover) + 5 worker nodes; Rook-Ceph storage, MetalLB load balancing
      • Security: RBAC, NetworkPolicies, Pod Security Standards, TLS/mTLS, Secrets Management (Vault)
      • Lifecycle Management: In-place cluster version upgrades (currently running Kubernetes v1.32); Weave Net → Calico CNI migration (March 2026) executed on the live production cluster with a planned 15-minute maintenance window – no unplanned outages, no data loss, full post-migration audit of iptables state
      • Production Services: Hosting platforms (insa.tirol, tagfalter.rothirsch tech), Multi-Tenant Customer Deployments
    • Linux & Network Administration:
      • System Security: Linux Hardening (15+ years), Kernel Tuning, Patch Management
      • Network Infrastructure: nftables/iptables, Nginx/Apache, Strongswan VPN, Bind9 DNS
    • Identity & Access Management:
      • OpenLDAP Multi-Master Replication, Keycloak SSO, PKI & Certificate Management, MFA
    • Database & High-Availability:
      • MariaDB Galera Multi-Master Clustering, MaxScale Database Proxy
      • Automated Backup/Restore Workflows, Zero-Downtime Maintenance
    • Container Architecture:
      • Custom Containerized Services: WordPress, Mail (Postfix/Dovecot/Amavis), IAM (OpenLDAP/Keycloak), Monitoring (Icinga2/Prometheus/Grafana)
      • Multi-Stage Builds, Security Hardening, Multi-Architecture Support (AMD64, ARM, ARM64)
    • Monitoring & Observability:
      • Prometheus, Grafana, ELK Stack (Filebeat, Metricbeat), Icinga2
      • Custom Health Check Endpoints, Security Event Detection
    • API-Driven & Event-Driven Automation:
      • n8n Workflow Automation, GitLab API, ArgoCD API, Kubernetes API, Webhooks
    • In-house Jenkins Pipeline Shared Library (eldamar):
      • Groovy pipeline library with ~15 reusable modules powering CI/CD across the Rothirsch Tech. GmbH platform: Docker build/tag/push orchestration, semantic versioning with automatic git tagging, ArgoCD sync via CLI and webhooks, and Helm chart version bumps against remote chart repositories
      • Designed and written in-house to fit the Rothirsch substrate – every pipeline step on the platform is backed by a function in this library
    • In-house GitLab CI Components ? DevSecOps pipeline library:
      • Versioned, re-usable CI components hosted on self-hosted GitLab, the GitLab-native counterpart of the Jenkins Shared Library. Consumer projects include each component at a pinned git tag (component: …/gitleaks@1.0.0) so upgrades are opt-in per consumer.
      • Security-scanning components implementing Shift-Left: gitleaks (secret scanning – full history on push, diff-only on MRs), semgrep (SAST with PHP security rules), phpstan (static analysis, SARIF output), trivy-image-scan (container image vulnerability scan), zap-baseline-scan (OWASP ZAP passive DAST that waits for the ArgoCD rollout to finish before scanning the live URL).
      • defectdojo-import component uploads every scan report to a central DefectDojo instance (endpoint and token injected as protected CI/CD variables at GitLab group level), giving one consolidated vulnerability view across the whole plugin and container portfolio.
      • WordPress delivery components: wordpress-plugin-tests (PHPUnit + PHPCS + composer), wordpress-plugin-release (patch-bump plugin header version, commit, tag, push to main), wordpress-site-trigger (bump the plugin tag in each downstream site's Dockerfile – one include per downstream repo).
    • In-house WordPress Plugin & Theme Portfolio:
      • First-party plugin library carrying both product lines (Tagfalter and Community Sites)
      • Notable plugins beyond Woo-Merchants and the Tagfalter Data Porter: post_to_wordpress (multi-target post-syndication), woo-merchants-odoo (Odoo ERP integration for the marketplace product line), wp_secure_login (first-party authentication/authorization, replaces generic third-party login plugins)
      • Custom themes (rtcs-theme, rtsb-theme) round out the product UX
    • End-to-End Test Automation Suite:
      • TypeScript/Playwright test suite covering the same product surface as the in-house plugin portfolio above
      • Helper modules for WP-CLI, IMAP (mail-flow assertions), and Stripe (payment-flow assertions)
      • Coverage includes Woo-Merchants registration, post syndication, secure-login flows (login, password reset, password strength), BuddyPress profile flows, double opt-in, and legal modal acceptance – compliance-relevant paths get the same automated coverage as the happy path
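The zap-baseline-scan component listed above is described as waiting for the ArgoCD rollout to finish before it scans the live URL. What follows is an added example of that gate, written for this page and not the component's own code: it reads the fields ArgoCD exposes on an Application (status.sync.status, status.health.status, status.sync.revision, status.operationState.phase), injects the HTTP fetch, clock and sleep so it runs offline against constructed responses, and adds one check the text does not mention, that the synced revision is the one the pipeline expects. The sample responses, the revision values and the ZAP invocation flags are assumptions.

```python
"""Gate a DAST run on a finished ArgoCD rollout.  Added illustration, not the
zap-baseline-scan component's own code.  Field names follow the ArgoCD
Application status object; the responses below are constructed, and the
HTTP fetch, clock and sleep are injectable so the example runs offline."""
import time


def rollout_complete(app, expected_revision=None):
    """True only when no sync operation is still running, the app is Synced and
    Healthy, and (if given) the synced revision matches what this pipeline built.
    Without the revision check a fast pipeline can scan the previous release."""
    status = app.get("status") or {}
    phase = (status.get("operationState") or {}).get("phase")
    if phase in ("Running", "Terminating"):
        return False
    sync = status.get("sync") or {}
    health = status.get("health") or {}
    if sync.get("status") != "Synced" or health.get("status") != "Healthy":
        return False
    if expected_revision is not None and sync.get("revision") != expected_revision:
        return False
    return True


def wait_for_rollout(fetch, expected_revision=None, timeout=600, interval=10,
                     clock=time.monotonic, sleep=time.sleep):
    """Poll fetch() (in CI: GET /api/v1/applications/<name> on the ArgoCD API)
    until rollout_complete(); return the number of polls.  Raises TimeoutError
    so the job fails instead of scanning a half-rolled deployment."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if rollout_complete(fetch(), expected_revision):
            return polls
        if clock() >= deadline:
            raise TimeoutError(f"rollout not complete after {timeout}s ({polls} polls)")
        sleep(interval)


def zap_baseline_argv(target_url, report="zap-report.json", spider_minutes=2):
    """Command to run once the gate opens (zap-baseline.py ships in the ZAP image)."""
    return ["zap-baseline.py", "-t", target_url, "-J", report, "-m", str(spider_minutes)]


# Constructed sequence of Application states as a polling job would see them:
# previous release still Synced/Healthy, then the new sync running, then the new
# revision Synced but pods still Progressing, then Synced and Healthy.
SAMPLE_RESPONSES = [
    {"status": {"sync": {"status": "Synced", "revision": "old111"},
                "health": {"status": "Healthy"}, "operationState": {"phase": "Succeeded"}}},
    {"status": {"sync": {"status": "OutOfSync", "revision": "old111"},
                "health": {"status": "Healthy"}, "operationState": {"phase": "Running"}}},
    {"status": {"sync": {"status": "Synced", "revision": "new222"},
                "health": {"status": "Progressing"}, "operationState": {"phase": "Succeeded"}}},
    {"status": {"sync": {"status": "Synced", "revision": "new222"},
                "health": {"status": "Healthy"}, "operationState": {"phase": "Succeeded"}}},
]


def simulate(responses, expected_revision=None, timeout=600, interval=10):
    """Drive wait_for_rollout with a fake clock over a constructed response
    sequence, repeating the last response once the sequence is exhausted."""
    state = {"now": 0.0, "calls": 0}

    def fetch():
        app = responses[min(state["calls"], len(responses) - 1)]
        state["calls"] += 1
        return app

    def sleep(seconds):
        state["now"] += seconds

    return wait_for_rollout(fetch, expected_revision, timeout, interval,
                            clock=lambda: state["now"], sleep=sleep)


if __name__ == "__main__":
    print("polls with revision check:", simulate(SAMPLE_RESPONSES, "new222"))  # 4
    print("polls without revision check:", simulate(SAMPLE_RESPONSES))         # 1, the old release
    print(" ".join(zap_baseline_argv("https://site.example")))
```

The second print is the point of the revision check: Synced plus Healthy is true for the previous release until the new sync actually starts, so a job that polls immediately after the site-trigger commit would scan the old deployment and report it as the new one. In a real pipeline the expected revision is the commit of the ArgoCD config repository that the trigger produced; the timeout turns a stuck rollout into a failed scan job rather than a silent pass.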

Kubernetes (bare-metal) Docker Helm Kustomize Jenkins (Custom Shared Library) ArgoCD GitLab CI (Custom Components Library) n8n Ansible Terraform (modular per-project state isolation) Bash Python Groovy gitleaks (secret scanning) Semgrep (SAST) PHPStan Trivy (image scan) OWASP ZAP (baseline DAST) DefectDojo (vuln management) nftables Strongswan VPN HashiCorp Vault + External Secrets Operator (K8s Secrets) Prometheus Grafana ELK Stack (Filebeat Metricbeat) Icinga2 MariaDB Galera MaxScale Rook-Ceph Calico MetalLB Nginx Bind9 DNS OpenLDAP Keycloak cert-manager Postfix Dovecot Amavis SpamAssassin ClamAV OpenDMARC OpenDKIM Debian Ubuntu
TLS/mTLS PKI
gladly upon request
Remote
3 years 8 months
2022-09 - 2026-04

Security-First Kubernetes Cluster for critical business applications

DevSecOps & Kubernetes Engineer (Freelance)  RBAC NetworkPolicies

  • Identity & Access Management (shared team IAM solution ? platform for internal developers):
    • Lead developer for the OpenLDAP Docker project
    • Introduced Keycloak as the central SSO / identity provider component
    • Integration into Kubernetes RBAC and service accounts
  • DevSecOps & CI/CD Security:
    • Co-developing Jenkins CI/CD pipelines within the DevOps team (Groovy)
    • Integration of security checks in CI/CD pipeline (Shift-Left Approach)
    • Automated Vulnerability Scanning and Remediation Workflows
    • GitOps-based deployments with ArgoCD
    • Semantic Versioning Automation with Git integration
    • Container Lifecycle Management (Build/Scan/Tag/Push)
    • ArgoCD Webhook Integration for Event-Driven Deployments
  • Infrastructure-as-Code & Automation:
    • Complete cluster automation with Ansible
    • Bare-Metal Kubernetes Installation from Scratch
    • High-Availability Control Plane Setup
    • Unified Deployment System for Multi-Application Orchestration
  • Kubernetes Security Implementation:
    • Comprehensive Security Hardening at all levels:
      • Host Security: Linux Hardening, SELinux/AppArmor
      • Network Security: NetworkPolicies, Micro-Segmentation
      • Application Security: RBAC, Pod Security Standards
      • Data Security: Encryption at Rest & in Transit
    • Defense-in-Depth principles
    • Certificate Management with cert-manager
    • Secrets Management with External Secrets Operator (ESO) connected to a dedicated Vault system
  • Monitoring & Observability:
    • Checkmk for infrastructure monitoring
    • Prometheus/Grafana Monitoring Stack
    • Security Event Detection & Logging
    • Automated Health Checks
    • Incident Response Procedures
  • Network & Storage:
    • MetalLB Load Balancing for Bare-Metal
    • Nginx Ingress Controller with SSL Passthrough
    • NetworkPolicies for Security Zones
    • Rook-Ceph Distributed Storage, CNI Configuration (Calico)

Kubernetes (bare-metal) Docker Helm Jenkins ArgoCD Groovy Ansible Bash Python nftables cert-manager Vault Sealed Secrets OpenLDAP Keycloak Checkmk Prometheus Grafana Rook-Ceph MetalLB Nginx Ingress Calico Jira Confluence Debian Ubuntu
RBAC NetworkPolicies
mgm technology partners GmbH
Remote

Education and further training


Certificates and further training:

All certifications detailed on LinkedIn

  • Active Security Certifications
  • CISSP – Certified Information Systems Security Professional, ISC²
  • SSCP – Systems Security Certified Practitioner, ISC²
  • CKA – Certified Kubernetes Administrator (in preparation)
  • AWS Certification – currently in preparation
  • Terraform – active use with modular per-project state architecture (AWS VPC/subnets/compute/EKS, Jenkins credential management, shared modules for AWS/common/security, environment overlays)
  • GitLab CI/CD Components – self-hosted DevSecOps pipeline library (gitleaks, Semgrep, PHPStan, Trivy, OWASP ZAP, DefectDojo) used across WordPress plugin and container repositories


Training & Courses:

  • GitLab CI/CD – From Zero To Hero, TechWorld with Nana
  • Kubernetes Administrator (CKA), TechWorld with Nana
  • Flutter: Part 01 Introduction, LinkedIn Learning
  • Getting Started with WordPress, LinkedIn Learning
  • Getting Started as an Agile Project Manager, LinkedIn Learning
  • Getting Started with DevOps, LinkedIn Learning
  • ISC² CISSP Certification Exam Preparation, LinkedIn Learning
  • Linux: Email Services, LinkedIn Learning
  • Linux System Engineer: Network Filesystems (NFS/Samba), LinkedIn Learning
  • GDPR for Security Professionals, ISC²

Position

  • DevSecOps Engineer
  • Kubernetes & Security Specialist
  • CISSP
  • Senior Platform Engineer

Competencies

Top skills

Kubernetes DevOps IT-Security Docker CI/CD ArgoCD Ansible Jenkins Helm Linux Prometheus Grafana HashiCorp Vault Python Bash GitOps Infrastructure as Code CISSP Network Security Monitoring Cloud Security Container Security RBAC

Focus areas

On-Premise Infrastructure, Automation & CI/CD
Jenkins, GitLab CI, ArgoCD
Infrastructure-as-Code
Ansible, Python, Bash
Container Orchestration
Kubernetes, Docker
Security-First Architecture
CISSP
IT Security
DevSecOps
Cloud-Native Security
Kubernetes
Monitoring


Products / Standards / Experience / Methods

Linux: >10 years
Python: >10 years
Bash: >10 years
IT-Security: 5-10 years
Network Security: 5-10 years
Monitoring (Icinga2): 5-10 years
Kubernetes (bare-metal): 4 years
DevOps: 5 years
Ansible: 3-5 years
Docker: 5 years
Helm: 3-5 years
CI/CD: 3-5 years
Jenkins: 3-5 years
ArgoCD: 3-5 years
GitOps: 3-5 years
Infrastructure as Code: 3-5 years
ELK Stack: 3-5 years
Platform Engineering: 3-5 years
Bare-Metal: 5-10 years
Calico: 1-2 years
Rook-Ceph: 3-5 years
cert-manager: 1-2 years
External Secrets Operator: 1-2 years
HashiCorp Vault: 1-2 years
Prometheus: 1 year
Grafana: 1 year
AWS: currently preparing certification
GitLab CI/CD: 1 year
DevSecOps: 1 year
SAST (Semgrep): 1 year
Secret Scanning (gitleaks): 1 year
Container Security (Trivy): 1 year
DAST (OWASP ZAP): 1 year
DefectDojo: 1 year
PHPStan: 1 year
Shift-Left Security: 1 year

Profile:

  • Senior platform engineer and Kubernetes architect with 15+ years in IT, CISSP- and SSCP-certified, operating as founder and Geschäftsführer of Rothirsch Tech. GmbH (incorporated October 2020; sole proprietor since September 2016). I help DACH organizations – preferably in regulated or compliance-sensitive sectors – to design, build, and harden the platforms their business runs on, most often bare-metal Kubernetes, CI/CD automation, and the security controls around them
  • The engagement shape I deliver best is end-to-end ownership of a platform, DevSecOps, or trusted-DevOps initiative – from conceptualization and architectural decisions through hands-on implementation into operated production – either leading the scope solo or embedded in an existing DevOps team and working with architecture, security, and process owners to land security and compliance requirements in automated processes. Recent work at mgm technology partners GmbH (2022–2026) is a lived example: a from-scratch, on-premise, high-availability Kubernetes cluster for a critical business application (initially built solo, then grown within the DevOps team), with ArgoCD GitOps, External Secrets Operator + Vault, co-developed Jenkins CI/CD pipelines with shift-left security scanning, and a shared-team IAM platform (OpenLDAP + Keycloak) integrated with Kubernetes RBAC and service accounts – a developer-facing self-service capability consumed across the internal development teams. I maintain an independent reference proof-point by running my own production platform – a self-built small on-premise data center in Tyrol that hosts Rothirsch Tech. GmbH's own SaaS products on the same bare-metal Kubernetes substrate I bring to client work, built around a declarative site controller (Anduril) that provides self-service provisioning at the infrastructure layer the Kubernetes API does not reach – including a production CNI migration from Weave Net to Calico (March 2026) with a planned 15-minute maintenance window, end-to-end owned and documented. I communicate technical decisions directly to engineering, architecture, and security stakeholders – without a translation layer
  • I work remotely in CET – project language German or English, async-first on written channels (tickets, code review, documentation, Slack). CISSP and SSCP certification combined with hands-on GDPR/DSGVO experience and hands-on platform engineering are the differentiators I bring to regulated-industry clients


Focus areas:

  • Bare-metal Kubernetes platform engineering
  • Security hardening and GDPR/DSGVO compliance (CISSP, SSCP)
  • CI/CD and GitOps (Jenkins Shared Library, GitLab CI Components, ArgoCD)
  • Shift-left DevSecOps pipelines (gitleaks, Semgrep, PHPStan, Trivy, OWASP ZAP, DefectDojo)
  • Infrastructure-as-Code (Ansible, Terraform modular architecture, Python, Bash) driven by merge events on self-hosted GitLab
  • Observability and incident response


Engagement shape:

  • End-to-end ownership (solo lead or embedded in an existing DevOps team)
  • Remote, CET
  • Async-first collaboration
  • Project language German or English
  • Rothirsch Tech. GmbH contracting vehicle
  • From €120/hr, project-dependent; negotiable for projects aligned with the ISC² Code of Ethics


ENGAGEMENT FOCUS:
  • I take on one well-scoped platform, security, or infrastructure problem at a time and own it end-to-end – from architecture through implementation to documented handover
  • The engagement shape I deliver best is a specific problem with clear success criteria, owned by a single senior engineer accountable for the outcome, rather than embedded into large platform teams

TECHNICAL SPECIALIZATION:
  • Bare-metal Kubernetes platform engineering from scratch
  • Security-hardened cluster design
  • CI/CD automation and GitOps (Jenkins Shared Library, GitLab CI Components, ArgoCD)
  • Shift-left DevSecOps pipelines: gitleaks (secrets), Semgrep (SAST), PHPStan, Trivy (container scan), OWASP ZAP (baseline DAST), DefectDojo (centralised vuln management)
  • Infrastructure-as-Code: Ansible and modular Terraform (per-project state isolation, shared modules for AWS/common/security), driven by merge events on self-hosted GitLab
  • Observability and incident response

PROVEN PRODUCTION EXPERIENCE:
  • Recent work at mgm technology partners GmbH (2022–2026): Security-First Kubernetes cluster for critical business applications, with custom Jenkins Shared Library, ArgoCD GitOps, External Secrets Operator + Vault
  • In parallel I operate my own production platform – a self-built small on-premise data center in Tyrol running the Rothirsch Tech. GmbH SaaS products (Tagfalter, Community Sites) on the same bare-metal Kubernetes substrate I bring to client work. Production CNI migration Weave Net → Calico (March 2026) executed on the live cluster with a planned 15-minute maintenance window

WORKING STYLE:
  • Remote-first (CET), project language German, asynchronous English via tickets / code review / documentation
  • Currently preparing AWS certification alongside CKA
  • Rothirsch Tech. GmbH contracting vehicle (Innsbruck)
  • I take on one well-scoped platform, security, or compliance problem at a time and own it end-to-end – from architecture through implementation to documented handover
  • Remote from Tyrol, CET, via Rothirsch Tech. GmbH (Innsbruck)


Availability & Conditions:

  • Availability: Immediately
  • Hourly rate: from €120, project-dependent
  • Billing entity: Rothirsch Tech. GmbH, FN 542991t, Innsbruck
  • Contract signatory: René Zingerle, Geschäftsführer
  • Remote: Yes, preferred
  • On-site: By arrangement
  • Ethical Principles: Committed to ISC² Code of Ethics


Professional background:
2020 – today:
Customer: Rothirsch Tech. GmbH


Tasks:

Designing, building, and operating a multi-tenant SaaS platform on bare-metal Kubernetes (Tagfalter) 

  • First-party production workload ? listed here as engineering experience, not as a third-party reference
    • What this engagement demonstrates for a client: I designed, built, and have continuously operated a multi-tenant WordPress/Nextcloud SaaS on bare-metal Kubernetes as a single engineer – covering the full stack a regulated client would also need me to cover: IAM, secrets, gateway, TLS, GitOps, automation controller, release pipeline, data isolation, lifecycle management, GDPR erasure/portability, and in-house mail. Every design decision and every production incident listed below is real load on a live platform, not a portfolio artifact.
    • Why WordPress: as a solo operator, building and running the platform substrate – automation, security, release pipeline, mail, storage, IAM – is already more than one person's scope; layering a bespoke CMS on top would be irresponsible. WordPress is open source, has an enormous community, receives constant third-party security scrutiny, and ships patches on a predictable cadence. That transparency is a deliberate security choice, not a convenience one. A WooCommerce purchase (handled by my own Woo-Merchants plugin) fires a webhook that triggers a Jenkins pipeline, which runs Anduril – a declarative site controller I wrote as a ~9,000-line Ansible role composed of 75+ modular tasks. Sites are declared as YAML records (type × status × group) and Anduril reconciles the live infrastructure against that declaration – similar in spirit to a Kubernetes controller, but operating at the provisioning layer where a controller cannot reach (DNS, gateway TLS, MariaDB users, ArgoCD git repo, Vault).
    • What Anduril does on an active WordPress deployment: creates an isolated Kubernetes namespace, provisions a per-site database on MaxScale with a dedicated 32-character MariaDB user stored in HashiCorp Vault (blast-radius isolation – one compromised site cannot reach another's data), installs per-site TLS / WordPress salt / Docker registry secrets, updates the nginx gateway and copies TLS material to it, writes a Kustomize overlay into the ArgoCD config repository, and hands off to ArgoCD for the Helm rollout and WordPress initialization. The same role also handles grace-period soft deletes (data preserved, deployment torn down), hard removes (database + Vault credentials + namespace), domain migrations (export / import / wp-cli search-replace / DNS cut-over / source cleanup), TLS-only refreshes, and dry-run validation.
    • Operational maturity: fully idempotent (Vault is checked before credential generation; ArgoCD reconciliation makes partial runs safe); compensating logic for DNS propagation, Let's Encrypt rate limits, and production-observed timing scenarios with compensating error handling; per-site blast-radius containment across namespaces, Vault credentials, MariaDB users, and NetworkPolicies; temp files can be preserved (anduril_cleanup_temp=false) for post-mortem; documented runbooks for every named failure mode.
    • Platform architecture – deliberately managed, not a constraint: Tagfalter customers do not have WordPress admin access, by design. The automation is the product: updates, security patches, and plugin rollouts are handled centrally, so customers never have to. Customer interaction happens only through the native WordPress Customizer (theme/layout adjustments) and a set of self-written frontend plugins that provide curated content editing – the WordPress backend is never exposed. Plugin and feature changes ride a three-stage release train: a test branch where new work lands and validation runs (test automation in progress), an integration branch that is an opt-in early-access tier for customers who have explicitly committed to receive features first-hand (a voluntary beta channel with a real customer role), and a production branch that is the stable default for all end users. This keeps the blast radius of any change bounded and gives beta-consenting customers a named place in the release process.
    • Privacy & data handling: all customer data is resident in the EU (self-operated small Tyrolean data center, no US sub-processors in the hosting path); per-site database credentials are generated on demand, stored in HashiCorp Vault, and rotatable; sites are isolated at the Kubernetes namespace and NetworkPolicy layer with dedicated MariaDB users per site; CDN77 is the single named sub-processor for content delivery and is disclosed in the Tagfalter terms and conditions (AGB). Transactional and newsletter email is delivered by my own in-house mail stack (Postfix / Dovecot / Amavis / OpenDKIM / OpenDMARC, operated by Rothirsch Tech. GmbH on the same Kubernetes substrate) – transactional email is delivered entirely via our own EU-resident infrastructure. Mail stays inside EU-resident infrastructure at every hop, which removes an entire class of trans-Atlantic sub-processor exposure that competing managed-WordPress hosts carry. GDPR Article 20 (portability) is handled by a self-written frontend plugin, Tagfalter Data Porter, that lets customers export posts, Customizer settings, WooCommerce products, merchants, events, and media as a WXR bundle importable into any other WordPress instance – no admin involvement, no ticket, no fee. Article 17 (erasure) is driven by declarative inventory state: cancellation moves a site to grace (pods removed, data preserved, 30-day window); expiry moves it to removed, at which point a daily cron job reaps the Kubernetes namespace, MariaDB database and user, Vault credentials, ArgoCD configuration, and DNS records – fully idempotent, fully auditable


2020 – today:
Customer: Rothirsch Tech. GmbH


Tasks:
Scalable Mail Infrastructure on Kubernetes

  • A fully containerized, horizontally-scalable mail stack running on my own Kubernetes cluster: Postfix (MSA/MTA), Dovecot (IMAP + LMTP), Amavis (policy orchestration), SpamAssassin, ClamAV, OpenDMARC, OpenDKIM, with central authentication against OpenLDAP. Built as a microservices architecture so each component scales and updates independently; deployed and reconciled via the same GitOps pipeline as every other workload on the substrate
  • Why this matters as a compliance differentiator: this stack is not just a back-office service – it is the mail path for every product Rothirsch Tech. GmbH operates. Tagfalter transactional mail, Community Sites member signups and marketplace order confirmations, newsletter campaigns, password resets, event notifications, and standalone business mailboxes all flow through this infrastructure. No third-party Email Service Provider is involved at any hop. Mail stays inside EU-resident infrastructure from origin to recipient handoff, which removes an entire class of trans-Atlantic sub-processor exposure that virtually all competing managed-WordPress and community-platform vendors carry. For GDPR Article 28 / Article 30 / DPIA purposes, the sub-processor list for lifecycle mail is simply: Rothirsch Tech. GmbH itself. That is rare in the managed-hosting market and is documented as a named compliance advantage in the Tagfalter and Community Sites product documentation


2019 – today:

Customer: Rothirsch Tech. GmbH

Tasks:
Extending the platform to a second product line: BuddyPress + WooCommerce community marketplace (Community Sites) 

  • First-party production workload ? listed here as engineering experience, not as a third-party reference
    • What this engagement demonstrates for a client: given an existing platform substrate, I extended it to carry a second, structurally different product line without rewriting the substrate ? the exact shape of work a client needs when a successful internal platform has to stretch to cover a new use case.
    • The platform: a productized WordPress + BuddyPress + WooCommerce platform for community marketplaces with multi-vendor storefronts, member profiles, activity feeds, event calendars, and local business directories. The product grew out of the 2019 agency build of ilumina-circle com (see the founder section above): after the pandemic collapsed that engagement, I kept the plugin stack I had written, moved it onto my own Kubernetes substrate, and turned it into a repeatable product line. Two deployments currently run on the platform – both operated by Rothirsch Tech. GmbH – exercising the same substrate in two very different domains: a regional community and marketplace for Tyrol (members: Tiroler, blog: G'schichtn, marketplace: Mårkt, directory: Locals) and a community platform with extended governance rules (deployment stack identical to insa.tirol).
    • Technical shape: single-site WordPress with BuddyPress for member profiles and activity streams; WooCommerce + a self-written Woo-Merchants plugin driving Stripe Connect Express payouts (10% platform fee, min €1.00, Stripe processing included); a self-written event plugin; and a shared custom theme. Users can author posts, events, and WooCommerce products on the shared site; users who want to sell register a merchant entity via Woo-Merchants and appear in the directory. Marketplace payouts are merchant-direct via Stripe; the platform is not a party to the sale contract. All plugins come from the same in-house portfolio – the investment made for ilumina-circle in 2019 is still earning returns in production in 2026.
    • Substrate reuse: the platform rides the exact same Anduril + ArgoCD + Helm + Vault + MariaDB/MaxScale + CephFS + Kubernetes stack as Tagfalter. Same declarative inventory (type: community_site, status: active|grace|removed), same grace-period lifecycle (30 days), same daily reconciliation cron, same blast-radius-contained per-site credentials. I did not rewrite the platform for the second product – I extended the controller's type dimension and reused everything else. That reuse is the actual deliverable: one solo operator maintaining two productized web-services lines on one substrate, with one release pipeline and one operational surface.
    • Privacy & data handling: EU-resident self-operated small data center; Stripe Connect Express (EU-resident) is the single payments sub-processor; CDN77 (EU-headquartered) handles content delivery; spam defence is handled by registration- and MFA-gated comments rather than a third-party content filter. Transactional email, password resets, event notifications, marketplace order confirmations, and newsletter campaigns are all delivered by my own in-house mail stack – same Postfix/Dovecot/Amavis/OpenDKIM/OpenDMARC substrate referenced in the Tagfalter block above. No third-party ESP touches any Community Sites lifecycle mail. GDPR Article 17 is handled at two scopes (per-member and per-deployment) with named Anduril code paths.
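The site lifecycle described in the Tagfalter block (per-site namespace, dedicated MariaDB user kept in Vault, credential generation that is checked against Vault before it runs, grace period, daily reaping cron) and reused here for Community Sites through the controller's type dimension, as an added example in Python. This is written for this page and is not Anduril's own code: Vault is an in-memory stand-in so the example runs offline, and the secret paths, action names, the namespace names in the NetworkPolicy and the sample inventory records are assumptions.

```python
"""Declarative site reconciliation in the shape the profile describes for Anduril:
inventory records of type x status, a 30-day grace window, per-site MariaDB
credentials generated once and kept in Vault, and a daily run that reaps removed
sites.  Added illustration, not Anduril's own code; Vault is an in-memory stand-in
so the example runs offline, and the secret paths, action names and the sample
inventory are assumptions."""
import secrets
import string
from datetime import date, timedelta

GRACE_DAYS = 30
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 32
TODAY = date(2026, 4, 24)  # fixed "today" so runs are reproducible

ACTIONS = {  # what a run must ensure for each effective status (names assumed)
    "active": ["ensure_namespace", "ensure_database", "ensure_secrets",
               "ensure_gateway_tls", "write_overlay"],
    "grace": ["delete_deployment", "keep_database", "keep_vault_credential"],
    "removed": ["delete_namespace", "drop_database", "drop_vault_credential",
                "remove_overlay", "remove_dns"],
}


class FakeVault:
    """Stand-in for a KV secrets engine; only the read/write/delete shape matters."""
    def __init__(self):
        self.kv = {}

    def read(self, path):
        return self.kv.get(path)

    def write(self, path, data):
        self.kv[path] = dict(data)

    def delete(self, path):
        self.kv.pop(path, None)


def credential_path(site):
    return f"sites/{site['type']}/{site['name']}/mariadb"


def ensure_db_credential(vault, site):
    """Idempotent: generate the site's dedicated MariaDB user only when Vault holds
    none, so a re-run never rotates a password the live deployment still uses.
    Returns (credential, created)."""
    path = credential_path(site)
    existing = vault.read(path)
    if existing is not None:
        return existing, False
    cred = {"user": f"wp_{site['name']}",
            "password": "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(PASSWORD_LENGTH))}
    vault.write(path, cred)
    return cred, True


def effective_status(site, today):
    """Promote an expired grace record to removed; everything else is taken as declared."""
    status = site["status"]
    if status == "grace":
        cancelled = date.fromisoformat(site["cancelled_on"])
        if today - cancelled >= timedelta(days=GRACE_DAYS):
            return "removed"
    if status not in ACTIONS:
        raise ValueError(f"unknown status {status!r} for site {site['name']}")
    return status


def network_policy(site, gateway_ns="gateway", db_ns="database"):
    """Per-site blast-radius containment: default deny, ingress only from the gateway
    namespace, egress only to MariaDB/MaxScale and cluster DNS (namespace names assumed)."""
    def from_namespace(name):
        return {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": name}}}
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "site-isolation", "namespace": site["name"]},
        "spec": {
            "podSelector": {}, "policyTypes": ["Ingress", "Egress"],
            "ingress": [{"from": [from_namespace(gateway_ns)]}],
            "egress": [
                {"to": [from_namespace(db_ns)], "ports": [{"protocol": "TCP", "port": 3306}]},
                {"to": [{"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                 "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
            ],
        },
    }


def reconcile(inventory, vault, today=TODAY):
    """One reconciliation run (the daily cron).  Vault is the only state mutated here;
    the other actions are returned as a plan so a dry run can be inspected."""
    report = {}
    for site in inventory:
        status = effective_status(site, today)
        if status == "active":
            ensure_db_credential(vault, site)
        elif status == "removed":
            vault.delete(credential_path(site))  # reaping is idempotent: a missing path is fine
        report[site["name"]] = {"type": site["type"], "status": status, "actions": ACTIONS[status]}
    return report


INVENTORY = [  # constructed sample records
    {"name": "alpha", "type": "wordpress", "status": "active"},
    {"name": "beta", "type": "community_site", "status": "grace", "cancelled_on": "2026-03-01"},
    {"name": "gamma", "type": "wordpress", "status": "grace", "cancelled_on": "2026-04-20"},
]

if __name__ == "__main__":
    vault = FakeVault()
    vault.write(credential_path(INVENTORY[1]), {"user": "wp_beta", "password": "x" * 32})
    for name, entry in reconcile(INVENTORY, vault).items():
        print(name, entry["status"], entry["actions"])
    print(sorted(vault.kv))  # alpha's new credential present, beta's reaped
```

Two properties carry the security weight. Credential generation reads Vault first, so running the reconciler twice (or after a half-finished run) never rotates a password out from under a live site; and the grace-to-removed promotion is computed from the declared cancellation date rather than stored, so the erasure deadline is reproducible from the inventory alone, which is what makes the reap auditable. The NetworkPolicy rendered per namespace is the containment the text refers to: a compromised site can reach the gateway and the database proxy (with its own user only) and nothing else in the cluster.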


2022 – 2026:
Customer: mgm technology partners GmbH


Tasks:
Secure Kubernetes Cluster 

  • Security-First Kubernetes Cluster Design from Scratch
  • Comprehensive security hardening across all layers. Security automation in CI/CD
  • Successful production deployment for critical business applications
