
Roman Mednitzer

Vienna, AT · Senior Linux & Platform Engineer

I run production Linux, virtualization, and Kubernetes infrastructure in regulated, business-critical environments, and build open-source tools and platforms for the same problems. Mostly self-taught. Open source by default.

Focus: Linux · virtualization · Kubernetes/GitOps · observability · backup/DR
Experience: 10+ years in regulated & business-critical environments · ISO 27001
Approach: open source by default · mostly self-taught

About

Ten-plus years operating production infrastructure in regulated, business-critical environments, from manufacturing to enterprise hybrid estates. Day to day, that means Linux (Ubuntu, Red Hat), virtualization (KVM, VMware), Kubernetes and GitOps, observability (Zabbix, Grafana, Prometheus, OpenTelemetry), and backup/DR with verified restores, all under change control and audit.

Open-source projects

A few projects I maintain, built to understand real operating problems properly.

relay-shell · Apache-2.0 · v0.1.0

A governed MCP server for shell and SSH work. It adds four authority modes (open, guarded, read-only, and deny), append-only auditing with SHA-256 output hashes instead of raw output storage, automatic secret redaction, and bounded execution through timeouts, output caps, and idle-session reaping. One interface covers local shell, SSH, SFTP, port forwarding, and parallel fleet commands.

agents · Apache-2.0 · pre-1.0

An execution substrate that sits between model output and real system capabilities. It enforces behavioral contracts (pre, invariant, post), action budgets (steps, tokens, wall-clock, per-tool), a single guard gate that can approve, reject, or ask first, and namespace-isolated encrypted memory across SQLite, Redis, S3, and DynamoDB.

core-graph · Apache-2.0 · alpha

A converged graph-vector knowledge platform on PostgreSQL with Apache AGE and pgvector. It pulls heterogeneous security and infrastructure data (threat intelligence, security events, OSINT, audit evidence, forensic timelines) into one store across eight ontology layers aligned to STIX 2.1, MITRE ATT&CK, OCSF, and OSCAL, exposed over MCP, REST, and TAXII 2.1.

sentinel · Apache-2.0

Continuous failure-mode classification of a running agent fleet. Twice a day it samples the most recent window of scheduled-agent activity, classifies the behavior against a Human-Autonomy Teaming taxonomy, and commits the result to the repository. It is deliberately honest about its limits: a single-operator setup, model-derived classifications, and observation rather than controlled evaluation.

platform-blueprint · Apache-2.0 · docs

An engineering blueprint for designing, operating, and assuring platform systems: design patterns, reference architectures, and EU regulatory mapping (NIS2, CRA, DORA, GDPR, AI Act) with the ISO 27001 and 42001 families as references. Documentation rather than deployable code, written as specifications to implement.

My other repos are at github.com/rmednitzer.

Homelab

A self-run, all-open-source fleet, mostly Ubuntu. Local LLM inference runs on NVIDIA (llama.cpp, llama-swap) and AMD ROCm (Ollama), feeding PydanticAI agents through a self-built MCP gateway on Hetzner. Underneath is a single-node Talos Kubernetes cluster running VictoriaMetrics, OpenTelemetry, and Wazuh, plus ZFS with Sanoid snapshots and a Tailscale/WireGuard mesh.

Skills

Linux & Virtualization: Linux, Ubuntu, Red Hat, SLES, KVM, VMware, ZFS
Containers / GitOps: Kubernetes, OpenShift, Talos, Docker, Helm, Argo CD, GitOps
Automation / IaC: Ansible, Terraform, OpenTofu, GitLab CI/CD
Observability: Prometheus, Grafana, Zabbix, OpenTelemetry, VictoriaMetrics, Checkmk
Resilience / Security: Backup/DR, Veeam, Wazuh, ISO 27001, ISMS/BCM, NIS2
Homelab / Learning: Local LLMs, llama.cpp, Ollama, MCP, PydanticAI, LLMOps