Curriculum Vitae

This page is still under construction. Until then, you can view my CV as a PDF document.


FinTech

DevOps Engineer (March 2023 - April 2025)
  • Infrastructure as Code (IaC)

    Architecture and provisioning of Microsoft Azure infrastructure, Datadog, and PagerDuty using Terraform and OpenTofu, applying Infrastructure as Code (IaC) principles, automation, and monitoring for scalable infrastructure management.

  • Oracle

    • Implementation of Infrastructure as Code (IaC) principles for the standardization and administration of Oracle databases on Microsoft Azure virtual machines (Rocky Linux).
    • Automated installation, patching, and initialization were achieved using Ansible playbooks, ensuring reproducibility, compliance, and automation.
    • Database provisioning included password policies, user accounts, and permissions, integrated into continuous deployment workflows for secure and scalable infrastructure management.
    • Migration of preconfigured Oracle Linux database VMs to Rocky Linux (RHEL) VMs
    • Introduction of SchemaSpy for automated database schema analysis and documentation, improving transparency, maintainability, and knowledge transfer.
  • Automated Linux VM Baseline Configuration with Ansible

    • Creation, extension, and refactoring of Ansible playbooks for the baseline configuration of Linux virtual machines (Rocky Linux (RHEL), Oracle Enterprise Linux, Ubuntu).
    • This included automated installation of packages and repositories, deployment of ClamAV, patch management, user administration (consistent UIDs across systems, group management, distribution of SSH public keys, user deprovisioning, sudo permissions), and sshd hardening.
    • Additionally, Postfix was configured to use a smarthost for sending cron job emails. These tasks applied Infrastructure as Code (IaC) principles to ensure automation, reproducibility, and standardized infrastructure management.
  • Ansible‑Driven Microservice Deployment and Secrets Management

    • Deployment of in-house developed microservices using Ansible, including the extension of playbooks for automated provisioning of monitoring configurations (logs, metrics, service health) through installation and configuration of the Datadog Agent.
    • As deployments were integral parts of CI/CD pipelines for end-to-end testing, optimization of deployment speed became increasingly relevant with the growing number of services.
    • Playbooks were refactored to enable automated rollout of PKI-based certificates, integration of Azure Key Vault for secrets management, and intensive use of Ansible tags to selectively execute tasks.

    These activities applied Infrastructure as Code (IaC) principles to ensure automation, scalability, and standardized infrastructure management.

  • Apache Kafka

    • Within the project, Apache Kafka was introduced by building a proof-of-concept environment to support developers in adopting event streaming. Deployment was fully automated using Ansible, including the provisioning of users, permissions, and topics.
    • The entire process, from initial setup to productive usage, was standardized by applying Infrastructure as Code (IaC) principles.
    • For operating Kafka on Kubernetes, Helm charts were implemented to ensure scalable and reproducible deployments.
    • Later, Kafka was upgraded from version 3 to version 4, aligning the platform with current requirements and ensuring long-term stability and automation.
    • Developed and deployed a proof of concept for secure integration of Apache Kafka with Keycloak via OAuth2.
  • Kubernetes / AKS

    • I administered Kubernetes clusters on Azure (AKS) and carried out deployments of both in‑house developed microservices and external third‑party services using Helm.
    • For end‑to‑end testing within CI/CD pipelines, I implemented namespace separation to provide isolated environments and enable parallel deployments without conflicts.
    • I was responsible for upgrading the Traefik Ingress Controller from version 2 to version 3.
    • When issues arose, I performed debugging at both the cluster level and within individual deployments to quickly identify root causes and deliver sustainable solutions.
    • By leveraging autoscaling mechanisms such as the Cluster Autoscaler, I ensured dynamic adjustment of resources in response to varying workloads.
  • Container services

    • Provisioned Docker images for use in CI/CD pipelines, Kubernetes deployments, and production operations in Docker‑native environments.
    • Ensured security by conducting regular scans with Trivy and establishing a nightly automated rebuild of all images.
    • Evaluated identified CVEs and implemented mitigation measures to maintain a robust and trustworthy container infrastructure.
    • Operated container services on Podman and Docker, including Nginx, Sonatype Nexus, Squid, and a Gradle Build Cache.
    • Rolled out configurations and initiated container operations via Ansible, ensuring consistent and automated provisioning.
    • Performed regular application updates to guarantee security, stability, and up‑to‑date functionality.
  • Python & Automation

    • Developed a Python script to publish Markdown content directly into Confluence, integrating it into the reporting pipeline I built to provide a comprehensive overview of all systems running in Azure.
    • Automated the update of secrets in Azure Key Vaults, enabling password rotation with every deployment to enhance security and compliance.
    • Implemented notifications to Microsoft Teams, for example to alert on failed pipelines, ensuring rapid visibility and response.
    • Built a notification system for available software updates of third‑party applications (e.g., Datadog Agent, Ansible, Kafka), leveraging RSS feeds with filtering functions to distribute only relevant information to stakeholders.
  • Distributed Ledger (Corda / CENM)

    • Operation and administration of Corda 4 Nodes, both with Ansible and containerized using Kubernetes/Helm
    • Rollout, identity management, and updates for nodes and networks, including troubleshooting of complex issues
    • Support in debugging and build processes of CorDapps (Corda Distributed Applications)
    • Establishment of a private network with the Corda Enterprise Network Manager (CENM) after the shutdown of the R3‑operated network
    • Migration of data and identities from the R3 network into the newly established private network
    • Development of a pipeline for test cases and update validation, ensuring reproducible and secure rollouts and maintenance procedures
    • Infrastructure design optimization within the private network, with a focus on stability, security, and compliance
  • Implementation of Proxy Solutions

    • Packaging Dante as an RPM-based SOCKS proxy and deploying it with a dynamic rule set via Ansible.
    • Setting up a proxy solution based on Squid to restrict external access in test environments, aligned with the production setup.

Atlassian and CI/CD

DevOps Engineer (April 2016 - March 2022)
  • Migration from Bitbucket/Bamboo to GitLab PaaS as enterprise‑wide CI/CD platform

    • Setup of a Proof‑of‑Concept environment on AWS, with a strong focus on permission models to meet company security requirements
    • Deployment of local GitLab runners to evaluate pipeline functionalities
    • Integration with Azure AD via SAML for centralized identity management
    • Implementation of pipeline templates for common use cases (e.g. artifact publishing, container builds using Kaniko rootless and Docker)
    • Coordination with the PaaS provider (GitLabHost) for environment setup and troubleshooting
    • Support for project teams with diverse tech stacks (Maven/Gradle & Java, C++ with cross‑compiling, API gateways with special requirements, Python)
    • Collaboration with other migration team members to communicate effectively with project teams
    • Support and debugging of pipeline issues, including coordination of runner configuration adjustments when required
    • Migration of deployment processes and adaptation of deployment strategies to GitLab standards
    • Handling of project migrations with near‑zero downtime for developers, ensuring business continuity
  • Bitbucket / Bamboo

    • Integration of Bamboo into the company’s Atlassian platform
    • Setup of additional instances in different network segments
    • Operation and support of Bamboo agents, including container image updates and troubleshooting
    • Specialized support of Bamboo agents on macOS for iOS application builds
    • Support for build pipeline and deployment issues
    • Operation of multiple instances (E/K/P) and execution of cross‑instance updates
  • Crowd

    • Setup of Crowd as the central authentication and authorization platform for all Atlassian products
    • Operation of multiple instances (E/K/P) and execution of updates
    • Integration with LDAP queries, local users, and Azure AD
  • Jira / Confluence

    • Supported developers in plugin development
    • Provisioned platforms in different network areas with varying user groups
    • Operation of multiple instances (E/K/P), execution of updates, and coordination of plugin testing as well as test cases on the base application
    • Troubleshooting of incidents, stability issues, and performance problems
    • Partial support for user issues
    • Setup of a new infrastructure for migration to the Datacenter Edition
  • SonarQube

    • Provisioning and updating of the SonarQube platform
    • Incorporation of SonarQube into CI/CD pipelines to perform automated code analysis and enforce a quality gate.
  • Artifactory

    • Provisioning and updating of JFrog Artifactory
    • Setup of repositories and registries for storing build artifacts and caching public dependencies
  • Puppet / Ansible

    • Rollout and configuration of all applications and associated reverse proxies (Apache) using Puppet Enterprise.
    • Migration of rollout processes to Ansible, including complete redevelopment of playbooks to migrate the entire platform to new infrastructure and enable future deployments via Ansible
  • Other Responsibilities

    • Close collaboration with other infrastructure teams (DBA, Firewall, Linux, WebApp, Network, Load Balancer, AD)
    • Performed direct database debugging of application issues on production instances and updated database contents for migration and testing purposes, including regular support for test environments
    • Consulting on the feasibility of security policies
    • Validation and mitigation of CVEs, particularly Log4Shell
    • Assumed responsibility for complex or non‑standard tasks requiring tailored solutions
    • Training and certification in SAFe – DevOps

DNS Management

DevOps Engineer (December 2016 - May 2021)
  • DNS Administration (Unbound & Bind)

    • Administration of Unbound and Bind DNS systems, operating internet resolvers and managing zone files
    • Creation and maintenance of zone files, including setup of zone delegations
    • Management of all relevant DNS records: A, AAAA, CAA, CNAME, SPF, TXT
    • Deployment of DNS software, zones, and configurations using Ansible automation
    • Review and implementation of customer requests related to DNS configuration and records
    • Consultation for internal teams on DNS strategies and best practices
  • RPM Packaging & CI/CD Integration

    • Packaging and maintenance of RPM packages for DNS and related software components
    • Build and validation of RPMs through a CI/CD pipeline
    • Delivery of resulting artifacts to the Linux team for integration into the central repository

SMTP and Email Infrastructure

DevOps Engineer (December 2016 - May 2021)
  • SMTP Chain & Mail Infrastructure

    • Administration of the SMTP chain, covering communication between applications, the internet, and internal backend systems
    • Configuration and optimization of Postfix and Postfwd, maintaining routing rules and ensuring reliable mail delivery
    • Consultation with internal teams and customers on application mailing requirements in line with corporate policies
    • Review of submitted specifications for technical accuracy and policy compliance, translated into Postfwd rules
    • Seamless integration of mail infrastructure with internal and external systems to guarantee secure communication
  • Secure Mail Delivery

    • Operation and optimization of the Zertificon Z1 SecureMail Gateway for encrypted and policy-compliant email exchange
    • Review and implementation of requirements for secure mail delivery, including evaluation of certificate authorities and configuration of mandatory TLS
    • Implementation of PGP and S/MIME support, both for client-to-server communication and site-to-site encryption
    • Ensured confidential and compliant email delivery across all systems
  • Anti-Spam & Malware Protection

    • Management and fine-tuning of Expurgate and Postgrey for spam filtering and greylisting
    • Adjustment of rules and configurations to minimize false positives and improve detection accuracy
    • Analysis and troubleshooting of false positives in spam detection
    • Continuous optimization of anti-spam and malware protection to maintain reliable communication
  • Infrastructure Migration & Automation

    • Migration of the entire mail infrastructure to new systems in line with server operations team guidelines for SLES12
    • Server and network planning, design of merge strategies, and complete redesign of Ansible playbooks for application and configuration rollout
    • Rebuild and operation of all components (Postfix, Postfwd, Postgrey, custom scripts) in chroot environments
    • Independent packaging of applications as RPMs via GitLab CI/CD pipelines
    • Established a robust, testable, and policy-compliant mail infrastructure, eliminating issues from the previous operating model
  • OTRS Ticketing System

    • Introduction and implementation of the OTRS ticketing system as a mail-based support solution
    • Manual compilation of various CPAN modules and resolution of dependencies
    • Configuration of OTRS and mail routing, in close collaboration with the Exchange team
    • Setup and configuration of required mailboxes, establishment and maintenance of OTRS queues for structured ticket distribution
    • Migration of OTRS from Oracle DB to PostgreSQL (OFork) to ensure long-term support and stability
  • Open Source Contributions

    • Contributions to the Postfix project, including bug reporting, discussions, and minor fixes
    • Collaboration with maintainers Wietse Venema and Victor Duchovni
    • Several contributions documented in the official Postfix changelogs

Infrastructure & Automation

Infrastructure & Operations Engineer (March 2016 - January 2017)
  • Office and Client Management

    • Responsible for the entire office network and all clients, including workstation setup, system rollouts, and software license management
    • Administration of Office 365 in a hybrid environment with Active Directory and Azure AD Connect: users were created in the local AD and automatically synchronized to the cloud, providing Office licenses and mailboxes
    • Introduction of OCS Inventory as an asset management solution to ensure transparent and efficient tracking of hardware and software
    • Direct communication with customers and end users regarding technical issues, planned updates, and maintenance activities to ensure smooth operations
  • Collaboration & Atlassian Platform

    • Operation and administration of the Atlassian platform with Jira and Confluence
    • Creation of new projects, workflow customization, and support for teams in optimizing platform usage
  • Network & VPN

    • Design and operation of VPN connections between different offices and data center systems to ensure secure and stable site connectivity
    • Planning and implementation of routing and network segmentation using defined IP address ranges, achieving clear separation of systems and services
    • Introduction of OpenVPN for reliable home office connectivity, replacing insecure workarounds such as permanently running PCs with TeamViewer
    • Design and implementation of firewalls based on iptables, including granular rule sets to secure infrastructure and minimize attack surfaces
    • Continuous analysis and optimization of the network architecture to balance performance and security
  • Virtualization & Server Operations

    • Deployment and management of Windows and Linux VMs based on Hyper-V
    • Operation and maintenance of production applications on Windows servers using IIS for hosting .NET applications, as well as configuration of Apache web servers on Debian as reverse proxies, including setup and ongoing administration.
    • Operation of internal infrastructure and customer applications on Debian systems
    • Analysis and resolution of performance issues in production environments
  • Migrations & Integration

    • Migration of Redmine to a new environment with partial data migration
    • Transfer of complete email mailboxes from Google Mail to Office 365
    • Management of IT infrastructure for an additional office, including adjustments to networks and systems
  • Automation & DevOps

    • Introduction of Puppet to automate administrative tasks and standardize configurations
    • Creation and maintenance of build configurations in TeamCity for .NET/C# projects, including definition of build steps, dependencies, and environment variables
    • Provision of consistent build environments to give developers a stable foundation for compilation and testing
    • Introduction of GitLab to support code reviews and foster collaborative development processes
    • Support for developer teams in using TeamCity and GitLab, troubleshooting build issues, and improving development workflows
    • Assistance with the development and integration of customer-specific plugins for Jira and Confluence, including consulting and technical guidance
  • Databases

    • Setup, administration, and management of MSSQL databases for production applications, including performance optimization and backup strategies
    • Deployment, operation, and maintenance of PostgreSQL databases with a focus on stability and scalability for internal systems and customer projects
    • Design, deployment, and operation of MySQL databases and clusters, including high availability setups and replication to ensure resilience
    • Ongoing analysis and troubleshooting of performance issues, including query optimization and configuration tuning
    • Close collaboration with development teams to provide stable database environments for applications and customer-specific solutions

Net Mobile AG

Systems Engineer (September 2015 - February 2016)
  • Development of a Python module for managing Dell iDRACs
  • Deployment and operation of Java applications

Phoenix Contact GmbH & Co KG

System Administrator - Applications and Operations (December 2011 - April 2013)
  • Technical Platform Support for ERP Implementation (Baan ERP / BaanLN / Infor LN)

    • Supported the introduction of a new ERP platform (historically Baan ERP, project‑specific BaanLN, now Infor LN).
    • Provisioned and configured test instances to validate functionality and performance.
    • Performed sizing analyses and infrastructure planning to ensure optimal platform dimensioning.
    • Provided project support including troubleshooting and close collaboration with business units.
  • Operation of Java Applications and Web Infrastructure

    • Provisioning and administration of Apache Tomcat application servers for running business‑critical Java applications.
    • TLS termination and reverse proxy configuration on Apache to ensure secure delivery of web applications.
    • Troubleshooting deployment and runtime issues and implementing sustainable fixes to ensure high availability.
  • Migration and Operation of the Digital Asset Management Platform Canto Cumulus

    • Migrated the existing Cumulus platform to a new infrastructure and redesigned the system architecture.
    • Collaborated with the vendor to adapt database replication for proxy‑compatible operation.
    • Provisioned, configured, and operated the platform for centralized digital asset management.
    • Implemented monitoring and troubleshooting to ensure stability, scalability, and high availability.
  • Internet Proxy

    Responsible for secure operation of the corporate proxy infrastructure using McAfee Webwasher, including traffic analysis, risk management, and controlled release of blocked websites.

  • Implementation and Operation of the Multi‑Project Management Tool PlanView with SharePoint Integration

    • Supported the implementation of PlanView as a central multi‑project management system.
    • Planned and provisioned technical resources and infrastructure for platform operation.
    • Integrated with Microsoft SharePoint for centralized document management and workflow support.
    • Operated and administered the platform to support project portfolio management and resource coordination.
  • Architecture and Pilot Implementation of a Configuration Management Database (CMDB)

    • Designed and implemented a centralized CMDB for infrastructure and application data management.
    • Utilized Puppet for automated configuration and deployment.
    • Integrated Icinga2 for monitoring and alerting.
    • Integrated DNS information to replace manual documentation in MediaWiki.
    • Developed an Oracle APEX interface for centralized management and reporting.
    • Project goal: Ensure transparency, consistency, and operational efficiency through automation and integrated monitoring.
  • Implementation of Siemens Teamcenter (PLM System)

    • Set up and provisioned server infrastructure for a large project team.
    • Implemented technical requirements to support the Teamcenter rollout
  • Automated Installer Environment for SLES (Linux Operations)

    • Designed and implemented an unattended installation environment based on SUSE Linux Enterprise Server (SLES)
    • Utilized AutoYaST with manually maintained XML profiles to standardize and automate system deployments
    • Leveraged PXE boot and DHCP for automated system startup and provisioning
    • Ensured consistent and reproducible Linux installations to support operational stability
    • Contributed to improved efficiency and scalability in Linux operations

Telefónica Deutschland GmbH

Systems Engineer (January 2008 - November 2011)
  • Administration and Operation of Unix/Linux Servers (Debian, Red Hat, Solaris)

    • Installed and configured systems and services for reliable day‑to‑day operations.
    • Monitored performance and ensured availability through troubleshooting with Munin and Big Brother monitoring tools.
    • Provided on‑call support, frequently resolving unexpected issues on unfamiliar systems under time pressure.
    • Applied updates, security hardening, and patch management to maintain stability and safeguard infrastructure.
  • Migration and Modernization of the XMPP‑based Messaging Platform

    • Replaced the existing jabberd implementation, which used PostgreSQL and Perl scripts, with an ejabberd‑based solution using MySQL.
    • Developed automated roster creation using PHP, integrated with the OpenLDAP directory.
    • Improved maintainability and simplified administration through modern technologies and centralized user management.
    • Supported internal communication with a more stable and better integrated messaging platform.
  • Design and Operation of Mail Infrastructures for Internal and External Systems

    • Set up and maintained the internal mail platform based on Dovecot, Postfix, and Horde Webmail.
    • Configured load balancers to distribute traffic and ensure high availability of Dovecot instances.
    • Managed mailstores on NetApp storage systems to guarantee performance and reliability.
    • Operated and administered customer systems with up to 2 million mailboxes, using Postfix, Qmail, Sendmail, Courier, and Dovecot
  • Support in Implementing IDM Systems

    • Defined LDAP attributes and validation rules, collaborated on compliance testing, and identified a critical Dovecot bug that would have compromised the mail platform, ensuring stability and preventing disruption.
  • Development of a Web‑based Self‑Service Interface for LDAP Administration

    • Built an administration interface using PHP and Zend Framework.
    • Implemented LDAP authentication for secure login and centralized user management.
    • Applied form validation to ensure consistent and error‑free input.
    • Enabled management of groups and storage of SSH public keys in the LDAP directory.
    • Introduced self‑service features for group owners, delegating administrative tasks and reducing workload for the central IT team.
  • Migration of Samba Platform to High‑Availability Cluster Architecture

    • Migrated the legacy Samba platform to an active‑passive cluster using CTDB.
    • Transferred approximately 3 TB of data to the new infrastructure.
    • Adjusted directory structures to enable remote profiles.
    • Integrated the environment as a Windows domain for centralized authentication and access control.

Education & Certifications

IT Specialist for System Integration (January 2005 - December 2008)
  • Training as IT Specialist for System Integration at IKB Deutsche Industriebank AG
  • Business Administration Basics Seminar (Siemens Professional Education, Paderborn)
  • Database Administration
  • Internet Servers & Web Technologies
  • IT Management & IT Security
  • Network Architecture & TCP/IP System Administration
  • Project Management including MS-Project
  • UNIX System Administration / SOLARIS
  • Voice over IP & Wide Area Networks
  • Implementation of Documentation Platform (BIPo – BetriebsInformationsPortal)

    • Designed and implemented a central documentation platform for IKB Data based on PHP, IIS, and MSSQL.
    • Integrated Microsoft Indexing Server to enable full‑text search across documents and attachments.
    • Connected to the Oracle CMDB database to automatically detect server names in articles and link them to CMDB entries.
    • Provided a unified knowledge base improving accessibility and operational efficiency across the organization

Fernuniversität Hagen

Student (January 2010 - December 2010)
  • Knowledge-Based Systems
  • Internet Security
  • Management of Software Projects
