job@merux.dev: ~/projects
+
cat centric_sovereign.md

Centric: Public Sector Azure & Sovereign Cloud

Role: Infrastructure Specialist

[Context] Design, implementation, and management of secure cloud foundations for the Dutch government and municipalities. Currently, the strategic focus lies on developing "digital sovereignty" in response to global geopolitical developments and the reliance on Big Tech.

[Architecture & Operations]

  • Government Cloud Infrastructure: Design and deployment of secure Azure landing zones for the public sector. The infrastructure is fully deployed 'as-code' via Bicep. Compliance-by-design is central, strictly architected according to the Microsoft Cloud Adoption Framework (CAF) and national government guidelines.
  • Proof of Concept: Sovereign Digital Workplace: Development of a strategic, sovereign alternative to standard Big Tech workspaces (such as Microsoft 365). This initiative facilitates an independent work environment where the government retains 100% ownership and control over its own data.
  • Nextcloud on Kubernetes (Ongoing): Leading architectural role in the technical realization of this PoC. By deploying Nextcloud in a highly available setup on a robust Kubernetes foundation, the scalability of modern cloud-native systems is combined with the strict data-residency requirements of the EU.
cat prorail_aks.md

ProRail: Enterprise AKS & Cloud Automation

Role: Cloud Automation Engineer

[Context] Responsible for the operational continuity, scalability, and modernization of mission-critical Azure Kubernetes Service (AKS) clusters. These clusters form the foundation for essential Java applications supporting the national railway infrastructure.

[Architecture & Operations]

  • Platform Engineering & CI/CD: Automated management of core cluster components, including Keycloak (IAM) and RabbitMQ (messaging). By optimizing pipelines in Jenkins and Bitbucket, patch management was standardized, enabling monthly component updates to be rolled out with zero downtime.
  • Observability & Ingress Migration: Successful execution of a complex architectural transition to improve cluster performance. NGINX was migrated to Traefik as a modern cloud-native API gateway. Additionally, the legacy ELK stack was replaced by the more efficient LGTM stack (Grafana, Loki, Tempo, Mimir). This resulted in faster query times, integrated distributed tracing for the Java applications, and a drastically reduced resource footprint.
  • IaC & Security Hardening: Transformation to a strict Infrastructure as Code model using Terraform. Special focus on reducing the attack surface by applying the Cloud Adoption Framework (CAF): permanent 'Global Owner/Contributor' rights were eliminated and replaced with a fine-grained 'Least Privilege' Role-Based Access Control (RBAC) architecture.
mermaid render prorail_architecture.mmd
flowchart TD Client(["Internet Traffic"]) subgraph Automation ["Platform Engineering"] Bitbucket["Bitbucket"] Jenkins["Jenkins CI/CD"] Terraform["Terraform IaC"] end subgraph AKS ["Azure Kubernetes Service"] Traefik{"Traefik API Gateway"} JavaApps["Mission Critical Java Apps"] Keycloak["Keycloak IAM"] RabbitMQ[("RabbitMQ")] subgraph LGTM ["LGTM Observability Stack"] Grafana["Grafana Dashboard"] Loki["Loki"] Tempo["Tempo"] Mimir["Mimir"] end end Client -->|HTTPS| Traefik Traefik -->|Route| JavaApps Traefik -->|Admin/Auth| Keycloak JavaApps -->|Message Queue| RabbitMQ RabbitMQ -->|Reply| JavaApps JavaApps -->|Auth Tokens| Keycloak Keycloak -->|Verify| JavaApps JavaApps -->|Logs| Loki JavaApps -->|Traces| Tempo JavaApps -->|Metrics| Mimir Grafana --> Loki Grafana --> Tempo Grafana --> Mimir Bitbucket -->|Trigger| Jenkins Jenkins -.->|Deploy| JavaApps Jenkins -.->|Updates| Keycloak Terraform -.->|Provision and RBAC| AKS classDef default fill:#0d1117,stroke:#21262d,stroke-width:1px,color:#c9d1d9; classDef highlight fill:#161b22,stroke:#00ff66,stroke-width:2px,color:#00ff66; classDef db fill:#0d1117,stroke:#58a6ff,stroke-width:2px; class Traefik,Grafana,Terraform highlight; class RabbitMQ db;