Welcome to my portfolio

Hi, I'm Marcus Holtz

DevOps Engineer & Cloud Architect

Senior Systems Engineer with 11+ years of experience across web development, systems administration, networking, and DevOps — from architecture through production deployment.

Get to know me

About Me

I'm a Senior Systems Engineer and Web Developer with over 11 years of experience delivering technical solutions for a wide range of clients and industries. I work across the full stack — systems and network design, infrastructure, virtualization, CI/CD pipelines, application development, and security compliance — adapting to the specific performance, usability, and scalability requirements each engagement demands. I've partnered with IT, communications, and operations teams to meet cross-functional goals: accessibility standards, security policies, and performance benchmarks. If you're looking for a seasoned technical collaborator, I'd welcome the opportunity to connect.


Role

Senior System Administrator & Web Developer

Location

Denver, Colorado

Experience

11+ Years of Experience

Education

BS Finance, Southern Illinois University Carbondale

Volunteer

Board Member, Software Freedom School · 2022–2024

What I do

Expertise

System Administrator

Technical troubleshooter and server magician who maintains operations and keeps infrastructure running at peak performance.

Web Development

High-quality development of really neato sites at the professional level — from architecture through deployment.

Client Support

Professional development of custom systems tailored precisely to the needs of my clients, delivered on time.

Leadership

Inspire, guide, and empower others towards shared goals and success — from solo teams to cross-functional groups.

My work

Featured Projects

DevOps Infrastructure

Self-Hosted GitLab with CI Runners & TLS

Full GitLab Omnibus deployment with registered CI runners and automated TLS certificate management. Provides a private, Git-controlled CI/CD platform. Full-featured GitLab install, ready with a demonstration project.

GitLab · CI/CD · TLS · Traefik · Docker

Personal Project

Auto-Updating Resume Pipeline

CI/CD pipeline that rebuilds and publishes a polished resume every single day via GitHub Actions. Containerized LaTeX rendering produces a versioned PDF artifact — the pipeline itself is the portfolio piece.

GitHub Actions · Docker · CI/CD · LaTeX · Pandoc

Security Infrastructure

Authentik SSO with Traefik ForwardAuth

Full SSO layer using Authentik on a Docker MacVLAN bridge, enabling Traefik to delegate auth via ForwardAuth without network collisions. Supports OAuth token exchange across isolated container networks.

Authentik · Traefik · OAuth · Docker · MacVLAN

Home Lab / Automation

After-Hours Network Lockdown — WiFi, Firewall & SSO on a Schedule

Automated network curfew: OpenWRT kills the WiFi radio, OPNsense firewall rules lock down VLANs, and Authentik policies block app logins, all on a schedule. Includes daily SSID rotation with the password hidden in a math puzzle.

OpenWRT · OPNsense · Authentik · Cron · Network Automation

Personal Project

Astro Portfolio Theme

This website. Built on Astro and Tailwind CSS. Content lives in JSON files, with multi-stage Docker CI and automatic one-command deploy to GitHub Pages, GitLab, Cloudflare, or a self-hosted VPS.

Astro · TypeScript · Tailwind CSS · Docker · Static Site

Monitoring Infrastructure

Docker MacVLAN Traefik Analytics

Docker MacVLAN network that gives Traefik direct physical interface access with real source IPs. Feeds un-NAT'd access logs through Promtail → Loki → Grafana for full visitor analytics without exposing the host network.

MacVLAN · Traefik · Grafana · Loki · Docker

Privacy Infrastructure

Cloudflare Email Routing & Aliasing

Privacy-first email alias system using Cloudflare Email Routing. Infinite unique inbound aliases route to a single private mailbox — no third-party dependency, no data leakage, fully automated.

Cloudflare · Email · Privacy · DNS · Automation

Storage Engineering

ZFS Storage & Snapshot Architecture

Optimal ZFS datastore design for Proxmox — pool layout, compression, deduplication, snapshot scheduling, and cluster-friendly dataset naming conventions that survive live migrations without I/O storms.

ZFS · Proxmox · Storage · Snapshots · Linux

Security / DevOps

WAF Smoke Test Script

Lightweight shell script that tests Web Application Firewall effectiveness and fingerprinting by firing a battery of attack patterns — SQLi, XSS, path traversal, and more — to verify blocking rules are actually working.

WAF · Security Testing · Bash · OWASP · DevOps

Network Engineering

HAProxy Proxy Protocol to Traefik

Configures HAProxy on OPNsense to forward real client IPs through multiple proxy layers to Traefik using Proxy Protocol v2 — domain-based routing with full client metadata preserved end-to-end.

HAProxy · Traefik · OPNsense · Proxy Protocol · Docker

Client Project

Clearwave — Technology Company Site

Professional web presence for a technology sector client. Clean architecture, fast load times, conversion-focused layout — designed to communicate technical credibility and drive enterprise inquiries.

Web Design · HTML/CSS · Performance · Corporate · Client Work

Public Talk — SFS, Littleton CO

Enterprise Security Across All Devices

Five-part deep dive into open-source home network security: auditing Android traffic (TrackerControl, PCAPdroid, cert-pinning bypass), per-app outbound firewalls on every OS (OpenSnitch, Little Snitch, WFC), router-level visibility with ntopng and Suricata IDS/IPS, anonymous exit strategies (Tor, I2P, XRAY), and a hardened home network stack built on OpenWRT and OPNsense.

Network Security · OPNsense · OpenWRT · Suricata · Monitoring

Personal Project

Unique Password Hash Script

Generates repeatable, unique passwords for every service or website from a single master secret — no password manager required. Deterministic hashing means you can always reproduce the same password without storing it.

Bash · Cryptography · Privacy · Security · Scripting

Home Lab / Infrastructure

Proxmox Disaster Recovery System

Enterprise-grade automated backup and disaster recovery for Proxmox clusters. ZFS snapshots managed by Sanoid, VM-level backups via cv4pve, and off-site replication to Proxmox Backup Server 2 — fully hands-off.

Proxmox · ZFS · Sanoid · PBS2 · Backup Automation

DevOps / Security

Docker Secrets & Vault Management

Secure secrets injection pipeline using Docker Secrets integrated with GitLab CI. Eliminates plaintext credentials from pipelines and repositories — secrets never touch disk unencrypted.

Docker · Secrets Management · GitLab CI · Security · DevOps

Monitoring Infrastructure

Grafana + Alloy + Loki Observability Stack

Containerized full-stack observability: Grafana for dashboards, Loki for log aggregation, and Grafana Alloy as the OpenTelemetry-compatible collector — Docker Compose deployed with persistent storage and alerting rules.

Grafana · Loki · Alloy · Docker · Observability

Client Project

Carterville — Municipal Government Site

Full municipal website for the City of Carterville. Resident-facing services portal, parks and recreation sections with aquatics and adult programming, ADA-compliant and mobile-first.

Web Design · Government · Accessibility · Responsive · Client Work

Personal Project

VPN over Port 53

WireGuard VPN tunneled through port 53, iodine DNS tunnel as fallback, and CrowdSec as a behavioral DNS firewall. Bypasses carrier-level VPN blocking — nftables routes traffic, CrowdSec bans probers at the kernel level.

WireGuard · iodine · CrowdSec · nftables · DNS Tunnel

Public Talk — BLUG, Boulder CO · May 2024

Web Confidentiality, Privacy & Security

Presentation at Boulder Linux User Group on safeguarding browsing experiences — covering fingerprinting vectors, tracker evasion, DNS-over-HTTPS, compartmentalization strategies, and hardened browser profiles for everyday use.

Privacy · Security · Browser · DNS · Tracking Defense

Public Talk — SFS, Littleton CO · August 2023

Automate Custom Deployments with Cloud-init

Demonstrated reusable Cloud-init templates for automating fleet system deployments — provisioning users, packages, SSH keys, and services from a single declarative config at first boot.

Cloud-init · Automation · Linux · DevOps · Infrastructure

Personal Project

Animated Boot Screen Creator for Linux

Converts any MP4 video to a PNG sequence and packages it as a custom Plymouth boot theme for Linux. Automates frame extraction, theme config, and initramfs integration.

Bash · Plymouth · FFmpeg · Linux · Automation

Personal Project

Hidden VPN That Looks Like a Website

Docker setup that deploys an HTTPS proxy disguised as a legitimate tech-company landing page. XRAY VLESS over WebSocket/TLS routes traffic through a convincing decoy site — six industry presets, browser-based terminal via ttyd, zero-SSH management.

XRAY · Nginx · Docker · TLS · Privacy

Security Infrastructure

Geofiltered IP Blocklist Aggregator

Aggregates multiple public IP blocklists into a single optimized firewall-ready list with VLSM compression and country-level geolocation filtering. Runs twice daily via GitHub Actions, compatible with OPNsense, pfSense, iptables, and OpenWRT.

Python · GeoIP · GitHub Actions · OPNsense · Firewall

Privacy / Security

Piping Server — Ephemeral Secure Sharing

Self-hosted Piping Server that creates one-time-use encrypted data channels over plain HTTP. Used for secure file transfers, encrypted chat, and remote command execution — no special client software needed.

Docker · OpenSSL · Privacy · Bash · Self-Hosted

Privacy / Security

Tor Hidden Service with Vanity .onion

Automated Docker setup to host services on the Tor network with a custom vanity .onion address — no open ports required. Uses mkp224o for address generation and X25519 client auth for private access control.

Tor · Docker · Privacy · Cryptography · Self-Hosted

Security Infrastructure

Transparent Nginx WAF on OPNsense

Transparent Web Application Firewall using Nginx on OPNsense with Caddy and Traefik failover — layer-7 inspection and active threat blocking for self-hosted services, with zero changes required at the application layer.

Nginx · WAF · OPNsense · Caddy · Traefik

Personal AI Project

Automated Job Search AI Assistant

AI-powered agent that autonomously scrapes job listings, scores relevance against a target profile using an LLM, and delivers prioritized alerts. Removes the noise from job hunting entirely.

Python · LLM / AI · n8n · Automation · Alerts

Personal Project

Chrome/Firefox Browser Extension - Zammad Time Tracker

Chrome and Firefox browser extensions for tracking and submitting time directly to Zammad helpdesk tickets — eliminates context-switching, lets you log time without leaving the page you're working on.

JavaScript · Browser Extension · Chrome · Firefox · Zammad

Systems Administration

Zammad Knowledge Base Automated Backup to Static Site

Self-contained Docker tool that exports a Zammad Knowledge Base entirely to a directory tree of Markdown files. Scheduled exports, compression, and off-site transfer — zero manual intervention.

Zammad · Docker · Markdown · Backup · Automation

Personal Project

Reticulum Mesh Network Demo

Self-contained Docker demo for Reticulum — a cryptographic mesh networking stack where your address is the hash of your public key. Runs encrypted shells, file transfers, and LoRa mesh radio demos from a browser terminal.

Reticulum · Docker · Mesh Networking · LoRa · Encryption

DevOps / Automation

Traefik Docker Cron Scheduler

Toggles Traefik reverse proxy services on and off based on a configurable cron schedule. Useful for shutting down non-critical services during off-hours without removing their configuration.

Traefik · Docker · Cron · Automation · Scheduling

Security Infrastructure

nzyme Wireless Security Monitoring

Deploys nzyme — a Java-based WiFi threat detection system using libpcap packet capture — to identify and physically locate rogue devices and attacks on wireless networks, with PostgreSQL backend and web dashboards.

nzyme · WiFi · Packet Capture · Security · Monitoring

Systems Administration

Proxmox 8→9 Upgrade Script

Safe, automated upgrade script for Proxmox VE 8 to 9 with pre-flight safety checks, cluster awareness, and Proxmox Backup Server compatibility — no manual steps, no surprises.

Proxmox · Bash · Automation · Upgrade · Cluster

Network Engineering

OPNsense Multi-Site HAProxy + Unbound

Visual guide to routing multiple domains through a single OPNsense box using HAProxy for layer-7 traffic splitting, Unbound for split-DNS, DNSCrypt for encrypted upstream, and WireGuard for secure remote access.

OPNsense · HAProxy · Unbound · DNSCrypt · WireGuard

Network Engineering

OPNsense WireGuard Site-to-Site VPN

Full WireGuard VPN deployment on OPNsense for site-to-site tunnels and remote access — cryptographic key routing, firewall rules, DNSCrypt for encrypted resolution, and multi-site subnet routing.

WireGuard · OPNsense · VPN · DNSCrypt · Unbound

Network Engineering

PowerDNS + Unbound DNS Infrastructure

Authoritative and recursive DNS infrastructure using PowerDNS with a web GUI for internal zones, and Unbound for DNSSEC-validating recursive resolution — fully self-hosted, no upstream provider dependency.

PowerDNS · Unbound · DNS · DNSSEC · Self-Hosted

Home Lab / Infrastructure

Immich Self-Hosted Photo Platform

Complete Immich deployment on UnRAID with Docker — self-hosted Google Photos replacement with ML-powered photo analysis, duplicate detection, multi-user support, video compression, and NetBird VPN for remote access.

Immich · Docker · UnRAID · Machine Learning · Self-Hosted

Personal Project

DNS Image Transfer

Converts an image to Base64, splits it across multiple DNS TXT records, and stores the retrieval script in DNS itself. Download and reconstruct the image anywhere with just `dig` — no server, no HTTP.

DNS · Base64 · Bash · Cloudflare · Networking

Client Project

Eclipse — Interactive Tourism Event Map

Custom web application for a tourism client featuring an interactive JavaScript-powered event map with filterable overlays, responsive layout, and client-branded design delivered to production.

JavaScript · Web Design · Interactive Maps · Responsive · Client Work

Client Project

Chef Clash — Non-Profit Donor Platform

Full fundraising platform for a live charitable event — distinct donor and recipient user flows, event management, real-time updates, and custom branding. Designed and deployed end-to-end.

Web Development · Non-Profit · JavaScript · UX Design · Client Work

Personal Project

WheelSpin — Self-Hosted Random Selector

Self-hosted spinning wheel web application for randomly selecting outcomes. Fully configurable with custom entries, deployed via Docker for easy self-hosting.

JavaScript · Docker · Self-Hosted · Web App · Fun

Personal Project

Self-Hosted Interactive Map

Self-hosted web application for drawing and labeling geographic areas with persistent storage. Used for network maps, infrastructure diagrams, and geographic planning — no cloud dependency.

JavaScript · Docker · Self-Hosted · Mapping · Visualization

Public Talk — SFS, Littleton CO

OpenWRT Network Infrastructure

Public presentation on custom router firmware ecosystems — comparing OpenWRT, DD-WRT, Tomato, and Gargoyle across 1,500+ supported devices. Covers build systems, package management, and network hardening.

OpenWRT · Networking · Routing · Linux · Firmware

Public Talk — SFS, Littleton CO · December 2022

Self-Hosted Social Networking Services

Presented software solutions for running connected social networking services — Mastodon, ActivityPub federation, and self-hosted alternatives to corporate social platforms on private infrastructure.

Mastodon · ActivityPub · Self-Hosted · Privacy · Decentralization

Public Talk — SFS, Littleton CO

Homelab: Introduction to Self-Hosting

Beginner-to-intermediate guide on running personal infrastructure you own and control. Covers motivations (privacy, learning, custom solutions), a 4-step framework for getting started, hardware choices from Raspberry Pi to rack servers, and real-world use cases: home automation, media streaming, file storage, and password management.

Self-Hosting · Homelab · Raspberry Pi · Docker · Infrastructure

Security / DevOps

Docker Service Phone-Home Audit

Network audit tool that captures every outbound connection made by a Docker service, geolocates each IP, and delivers a PASS/FAIL verdict for phone-home behavior. Tests popular self-hosted services (Seafile, Syncthing, Jellyfin, Gitea, Portainer) in sealed Docker-in-Docker environments with Wireshark-compatible PCAP output.

Docker · tcpdump · GeoIP · Security · Network Audit

Personal Project

Astro Marketing Theme

Astro 6 + Tailwind CSS 4 marketing site template with persistent sidebar navigation, nested dropdowns, RSS blog importer, portfolio slider, Web3Forms contact, and a simulated chat widget. Multi-stage Docker CI, one-command deploy to GitHub Pages, GitLab, Cloudflare, or self-hosted VPS. All content lives in JSON files.

Astro · Tailwind CSS · TypeScript · Docker · Static Site

Personal Project

Symlink Curator - MusicLink

Browser-based tool for managing collections spread across network shares. Browse shares from a web UI, select files and folders, and it places symlinks into a single output folder — no file duplication. Compatible with Navidrome, Plex, and Jellyfin. Runs on UnRAID, TrueNAS, and OpenMediaVault via Docker.

Bash · Docker · Self-Hosted · Media · Symlinks

My portfolio

Portfolio

Projects across different fields and clients.

Clearwave

Technology company website with a full frontend redesign and custom backend development.

3 screens
Technology

Roberts Law

Law firm website with SEO optimization and a professional redesign that increased organic traffic.

2 screens
Legal

Eclipse Tourism

Interactive tourism event map and homepage for a regional eclipse event, built for high traffic and real-time updates.

3 screens
Tourism

Giant City Lodge

Lodge and restaurant website with a full menu integration and responsive design for tourism visitors.

2 screens
Tourism

City of Carterville

Municipal government website rebuilt for accessibility, ADA compliance, and ease of content management.

2 screens
Municipalities

Carterville Parks & Rec

Parks and recreation department site with program listings, aquatics schedules, and adult recreation pages.

3 screens
Municipalities

Warpath Industries

Manufacturing company website showcasing capabilities, product lines, and company identity.

3 screens
Manufacturing

Level 7 Motorsports

Motorsports lifestyle brand with a dynamic homepage, editorial content, and single post templates.

3 screens
Manufacturing

Images Framing

Custom framing shop website with a services showcase and clean product-focused layout.

2 screens
Retail

Chef Clash

Non-profit donor platform for a charity cooking competition, with online donations and recipient profiles.

2 screens
Non-Profits

Boys & Girls Club

Boys & Girls Club chapter website with membership signup, program pages, and community-focused design.

2 screens
Non-Profits

SEO Performance Report

Comprehensive SEO audit and reporting dashboard delivered as part of a full website overhaul engagement.

SEO

Cedar Court Imaging

State-of-the-art medical imaging center website with a professional design highlighting advanced scanning technology and patient services.

2 screens
Healthcare

IESO Medical Cannabis

Illinois medical cannabis provider website converted from PSD to HTML with a clean, compliant design for patient registration and education.

3 screens
Healthcare

Milano Metal Recycling

Metal recycling company website showcasing accepted materials, pricing, and facility information for commercial and residential clients.

3 screens
Manufacturing

The Vape Shop

Vape and e-juice retail website with a dynamic product showcase, animated e-juice feature demo, and a bold storefront design.

3 screens
Retail

My Services

The Whole Package

We handle the tech and the hosting — two services that work together for you.

IT & Web

Holtzweb.com

Full-service IT support and web development for small businesses and teams. Networking, servers, WordPress, custom builds — all in one place.

  • IT Support & Helpdesk
  • Network & Server Setup
  • Web Design & Development

Visit Holtzweb.com

Hosting

Holtzhost.com

Privacy-first web and app hosting. Self-hosted infrastructure, no big-tech middlemen. Fast, reliable, and managed by people you can actually reach.

  • Web & App Hosting
  • Self-Hosted Applications
  • Privacy-Focused Infrastructure

Visit Holtzhost.com

Contact me

Let's talk.

Location

Denver, Colorado