Welcome on Andrei Vasiliu

From Docker Image to Running Pod: Completing the GitOps Loop with App-of-Apps and Multi-Source Argo CD

Thu, 16 Apr 2026 00:00:00 +0000

The image is built, scanned, and pushed. The version tag is v0.1.0-alpha.7.

Stop Shipping Blind: Security Gates and Iterative Hardening with GitHub Actions

Fri, 03 Apr 2026 00:00:00 +0000

The artifact is already hardened. From FinTech to Homelab: Writing an Enterprise-Ready Dockerfile for Hugo was about building the container correctly. This post is about everything that has to happen after that.

From FinTech to Homelab: Writing an Enterprise-Ready Dockerfile for Hugo

Wed, 25 Mar 2026 00:00:00 +0000

In the previous post, I laid out my plan: treat this blog as a production application and host it using the same standards I apply when architecting platforms for private banking and fintech.

Stop Rebuilding Your Images: The "Build Once, Promote Everywhere" Manifesto

Tue, 17 Mar 2026 00:00:00 +0000

The Enterprise Traceability Problem
#

Guessing whether v1.3.0 in production actually includes yesterday’s critical security patch is a dangerous game. Knowing exactly which version of an artifact is running in any given environment isn’t just a nice-to-have dashboard feature… it’s the foundation of a reliable release process. You can never afford to wonder if the build candidate QA just signed off on is truly the exact same binary you are deploying to users.

From Hashnode to Kubernetes: Why I'm Self-Hosting My Blog Like a Bank Website

Tue, 10 Mar 2026 00:00:00 +0000

The Question That Changed Everything
#

Over the past months, I’ve received a variation of the same question more than any other:

GitOps Your Identity: Integrating Keycloak with Argo CD

Mon, 02 Mar 2026 00:00:00 +0000

More Than Just a Login Screen
#

In our last post, we deployed a production-ready Keycloak cluster. But an Identity Provider (IdP) in isolation is just a database of users. Its true power lies in being the architectural enforcement point for your entire platform.

Stop Outsourcing Identity: A Production Guide to Keycloak on K8s

Wed, 25 Feb 2026 00:00:00 +0000

Take Back Control of Your Identity
#

Over the last few months, we’ve built a platform that rivals small enterprise setups. We have established a resilient networking layer with automated TLS, deployed distributed block storage with Longhorn, and mastered PostgreSQL on Kubernetes with CloudNativePG.

The Database Dilemma - Mastering PostgreSQL on Kubernetes with CloudNativePG

Tue, 24 Feb 2026 00:00:00 +0000

The “Stateful” Reality Check
#

In our last post, we solved the persistence layer by deploying Longhorn on Talos Linux. We finally have a place to put data. But a raw block device isn’t a database.

The State of Persistence - Deploying Longhorn on Talos Linux

Sat, 14 Feb 2026 00:00:00 +0000

The Paradox of Statelessness
#

Kubernetes is designed to be ephemeral. Pods die, nodes are replaced, and the cluster heals itself. This “stateless” philosophy is efficient for application logic, but it hits a hard wall when you need to store data. Databases, message queues, and media servers all need a place to live that persists beyond a pod restart.

The Path to Automated TLS - Part 3 Automated Certificates with Cert-Manager

Fri, 06 Feb 2026 00:00:00 +0000

Locking it Down - From HTTP to HTTPS
#

In the preceding chapters, we established the networking foundation for a production-grade bare-metal Kubernetes platform.

The Path to Automated TLS - Part 2 The Gateway to the Cluster - Traefik and Technitium

Wed, 04 Feb 2026 00:00:00 +0000

From IP Address to Intelligent Gateway
#

In Chapter 1, we laid the foundational pillar by solving the bare-metal IP address problem with MetalLB. Our test NGINX service successfully acquired the IP 10.20.0.90, proving our cluster can now serve traffic like its cloud-native counterparts.

The Path to Automated TLS - Part 1 Bridging the Gap - Networking with MetalLB

Mon, 02 Feb 2026 00:00:00 +0000

The Path to Automated TLS: A Three-Part Guide
#

The path to achieving fully automated, production-grade TLS on a bare-metal Kubernetes homelab is a rewarding but detailed journey. To do it justice, I’ve structured this guide as a three-part series… a continuous story where each post builds on the last. Frankly, cramming everything into a single, monolithic article would be an overwhelming read.

From Vault to Pod: Automating Kubernetes Secrets with 1Password and External Secrets

Fri, 23 Jan 2026 00:00:00 +0000

After building a Kubernetes cluster and setting up Argo CD to manage its configuration, what’s the very next thing you should install? For me, both in production and in my homelab, the answer is always the same: External Secrets Operator. This post explains why and shows you how I integrate it with 1Password to bring enterprise-grade secret management to my home setup.

Stop Drifting: How to Lock Down Your Cilium CNI with Argo CD

Sun, 18 Jan 2026 00:00:00 +0000

In my last post, Stop Using the Wrong CNI: Why Your Homelab Deserves Cilium in 2026, we established a production-grade networking foundation for our Talos Kubernetes cluster. But a powerful CNI is only half the story. To truly manage our cluster like a professional, we must automate and declare everything.

Stop Using the Wrong CNI: Why Your Homelab Deserves Cilium in 2026

Sun, 11 Jan 2026 00:00:00 +0000

In my last post, The Four-Repo GitOps Structure for My Homelab Platform, I laid out the architectural blueprint for managing my homelab like a production environment. Building on the automation I detailed in my popular post, Need for Speed: Automating Proxmox K8s Clusters with Talos Omni, we now have a cluster ready for a production-grade CNI. Now that we have a solid GitOps foundation and a running Talos Kubernetes cluster, it’s time to address a critical component: networking.

The Four-Repo GitOps Structure for My Homelab Platform

Sat, 03 Jan 2026 00:00:00 +0000

The Journey So Far
#

In this series, we’ve built a powerful foundation for a homelab Kubernetes platform. We started by installing Talos Omni to get a centralized management plane. Then, we walked the “scenic route” by manually provisioning a cluster to understand the nuts and bolts. Finally, we achieved true velocity by automating cluster creation, turning our Kubernetes infrastructure into a disposable, on-demand resource.

Need for Speed: Automating Proxmox K8s Clusters with Talos Omni

Mon, 29 Dec 2025 00:00:00 +0000

In my previous posts, I walked through installing Talos Omni and then manually provisioning a Talos Kubernetes cluster on Proxmox. Both were essential learning experiences. Getting Talos Omni running was a huge win, and understanding the manual provisioning process… from downloading the ISO, creating VMs, configuring static IPs in the console, and patching nodes… built a strong foundation. But the real game-changer wasn’t just running Kubernetes… it was discovering how quickly I could create it.

From ISO to kubectl: A Guide to Manually Provisioning a Talos Kubernetes Cluster

Wed, 24 Dec 2025 00:00:00 +0000

In the world of platform engineering, our goal is always to automate everything. But before we can appreciate the elegance of a fully automated workflow, it’s incredibly valuable to walk through the manual process at least once. It builds a deep understanding of what’s happening under the hood.

Enterprise Kubernetes at Home - A Guide to Installing Talos Omni

Sun, 14 Dec 2025 00:00:00 +0000

In the world of enterprise cloud, managing Kubernetes clusters with services like GKE, EKS, or AKS is standard practice. These platforms offer incredible power but come with a learning curve and, more importantly, a cost that’s hard to justify for a homelab. As a platform engineer, I’m used to building and managing production-grade infrastructure, but as I explained in my first post, Why not a homelab?, I wanted a solution for my homelab that offered a similar centralized management experience without the overhead.

How I Chose My Homelab Hardware (Part 1): From Cloud Sizing to Requirements

Mon, 17 Nov 2025 00:00:00 +0000

When you architect a Kubernetes cluster, you don’t think about heat dissipation or power consumption. You think in abstractions: N2 instances, vCPUs, memory tiers. Click, deploy, bill. The infrastructure vanishes behind APIs and Terraform declarations. But the moment you decide to build that same cluster in your homelab, those abstractions collapse into very real decisions: which CPU, how much RAM, what kind of storage, and critically, how much will this cost me in electricity every month?

How I Chose My Homelab Hardware (Part 2): From Design Principles to Physical Build

Mon, 17 Nov 2025 00:00:00 +0000

This is Part 2. If you need the cloud-to-homelab translation and requirement framing, read Part 1: From Cloud Sizing to Requirements first.

From Blueprint to Bare Metal: Building a Segmented Homelab Network

Sun, 02 Nov 2025 00:00:00 +0000

I love diagrams, but diagrams don’t wire cables for me. In this post I will show the physical mapping, the Proxmox bridge pattern I used, the OPNsense management model, and the first firewall policy I used to protect the lab. The network was already in place; below I explain what I did to build and secure it.

From Enterprise to Homelab: Transforming My Home Network

Sun, 19 Oct 2025 00:00:00 +0000

Hey there! In my last post, I shared why I’m starting this homelab journey. Today I’m taking it a step further: I’m rebuilding my home network from a simple, flat LAN into a segmented, security‑first setup … very similar to how Google Cloud designs hub‑and‑spoke networks. If you’re new here, you might want to start with my introduction: Why not a homelab?

Why not a homelab?

Sat, 11 Oct 2025 00:00:00 +0000

Hey there! If you’re reading this, you’re about to embark on an adventure with me that I never thought I’d start.

About

Mon, 01 Jan 0001 00:00:00 +0000

Hi, I’m Andrei Vasiliu, currently the Platform & ISMS Director at Alpian Technologies in Rome, Italy, and a self-admitted homelab addict. I’m originally from Romania, and yes, I somehow made the jump from Civil Engineering (keeping actual physical buildings from falling down) to DevOps and Platform Engineering (keeping virtual pods from mysteriously crash-looping).

Page Not Found