Briggs Bastian, Seattle, WA
Systems that hold
under pressure.
I'm a self-driven security analyst and engineer, happiest learning across computing, networking and infrastructure, wherever I'm needed. At work I run a security program. At home I run a NixOS homelab like it's production and build a souls-like game after hours.
- 4+ years in security
- 5 hosts, one flake
- 15 services on real certs
- desktop 412
- mgmt 188
- media 203
- playground 97
- hacktop 154
Now building
Selected work
Gesture
A deterministic 1v1 arena dueling prototype inspired by Dark Souls 3 combat. Godot 4, GDScript, fully data-driven, with the simulation built to go peer-to-peer later.
- Godot 4
- GDScript
- Data-driven
- Steam P2P (planned)
The Homelab
A UniFi network running a NixOS fleet from one flake: workstation, services host, media, a libvirt security lab, and a staging/CI box, all deployed with a single colmena apply. One Ubuntu NAS stays off NixOS on purpose.
- NixOS
- Colmena
- sops-nix
- Terraform
- libvirt
- UniFi
briggsbastian.com
This site, treated as a production system: Astro static build, Nix flake package, a gated CI pipeline on my own Forgejo, and a publish-on-green mirror feeding GitHub Pages.
- Astro
- Nix Flakes
- Forgejo Actions
- GitHub Pages
Operations
How I run things
Infrastructure as Code
Five NixOS hosts described in one Nix flake and deployed with a single colmena apply. Any host can be rebuilt from scratch.
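Here is what that one-flake, one-apply layout looks like in practice. This is an added example sketched for this page, not the author's repository: the host names are the five from the stats block, while the `./hosts/<name>` and `./modules/common.nix` paths, the `.lan` target addresses and the `deploy` user are assumptions.

```nix
{
  description = "Five NixOS hosts, one flake (illustrative example, not the author's repo)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    colmena.url = "github:zhaofengli/colmena";
    sops-nix.url = "github:Mic92/sops-nix";
  };

  outputs = { self, nixpkgs, colmena, sops-nix, ... }:
    let
      lib = nixpkgs.lib;
      # Host names come from the stats block; every path and address below is assumed.
      hosts = [ "desktop" "mgmt" "media" "playground" "hacktop" ];

      # One node definition per host: its own module directory plus colmena's
      # deployment metadata. Nothing host-specific lives anywhere else.
      mkNode = name: {
        imports = [ ./hosts/${name}/configuration.nix ];
        networking.hostName = name;
        deployment = {
          targetHost = "${name}.lan";   # assumed internal DNS
          targetUser = "deploy";        # non-root deploy identity
          tags = [ name ];
        };
      };
    in {
      # Recent colmena releases read colmenaHive; makeHive consumes the
      # plain colmena attribute below, which stays the readable source of truth.
      colmenaHive = colmena.lib.makeHive self.outputs.colmena;

      colmena = {
        meta = {
          # Every host is built from this single pinned nixpkgs.
          nixpkgs = import nixpkgs { system = "x86_64-linux"; };
        };
        # Applied to all five nodes before their own modules.
        defaults = {
          imports = [
            sops-nix.nixosModules.sops
            ./modules/common.nix   # assumed shared baseline (users, sshd, nftables, ...)
          ];
        };
      } // lib.genAttrs hosts mkNode;
    };
}
```

`colmena apply` builds every node and pushes each closure over SSH; `colmena apply --on hacktop` does one box; `colmena build` is the CI step that proves the whole fleet still evaluates and builds without touching a host. Because the hive is a single pinned input, "rebuilt from scratch" means exactly the store paths that CI built, not whatever the channel happens to serve that day.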
CI/CD & Release Engineering
A self-hosted Forgejo pipeline that builds every host, scans for secrets, and only mirrors to the public repo on green, including the site you are reading.
Cloud
The cloud leg is code: Terraform and nixos-anywhere stood up a Linode node in the same flake as the house, and tore it down just as cleanly; it is one apply from returning. Next is Azure at architect depth, AZ-104 under study now, AZ-305 behind it.
Secrets & Trust
sops-nix secrets keyed to each host’s own SSH identity, a private step-ca CA issuing real certs to internal services, and a deploy user that can ship a closure but never open a root shell.
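One way to wire those three pieces together in a shared module. This is an added example, not the author's configuration: the secrets file layout, the `deploy` user and its key, the sudo paths and the step-ca provisioner secret are all assumptions standing in for whatever the lab actually uses.

```nix
{ config, ... }:
{
  # sops-nix decrypts with the host's own SSH host key, converted to age.
  # Each secrets file is encrypted only to the hosts that need it, so one
  # compromised box cannot read another host's material.
  sops.defaultSopsFile = ../secrets/${config.networking.hostName}.yaml;  # assumed layout
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Example consumer: a step-ca provisioner password (name and owner assumed).
  sops.secrets."step-ca/provisioner-password" = {
    owner = "step-ca";
    mode = "0400";
  };

  # The identity colmena logs in as. Normal user, no extra groups, and no
  # root access beyond the two sudo entries below.
  users.users.deploy = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...placeholder ci@forgejo"   # placeholder key, not a real one
    ];
  };

  # `nix copy` over SSH needs the receiving user trusted by the daemon,
  # unless every pushed path is signed by a key in nix.settings.trusted-public-keys.
  nix.settings.trusted-users = [ "deploy" ];

  # Activation needs root for exactly two commands, which colmena runs as
  # `sudo -H -- <command>`. No shell, no NOPASSWD ALL.
  security.sudo.extraRules = [{
    users = [ "deploy" ];
    commands = [
      { command = "/run/current-system/sw/bin/nix-env"; options = [ "NOPASSWD" ]; }
      # In sudoers, `*` does not match '/', so this names one store path, not a subtree.
      { command = "/nix/store/*/bin/switch-to-configuration"; options = [ "NOPASSWD" ]; }
    ];
  }];
}
```

The honest caveat: anyone who can point the system profile at an arbitrary closure is root-equivalent in effect, because that closure can carry any authorized key or service it likes. The sudo rules stop an interactive root shell and limit what someone holding the deploy key can do by hand; the real control is that closures only come out of the gated pipeline, and that the deploy key lives nowhere else. Trusted-user status carries the same weight, so signing store paths in CI and dropping `trusted-users` is the stricter option when the pipeline can hold a signing key.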
Observability
A SIEM I tune at work; at home, a declarative Loki/Alloy stack that replaced Wazuh: every host ships its journal, and the alert rules live in the same flake as the hosts they watch.
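The journal-shipping half of that, as an added example and not the author's configuration. It assumes the `services.alloy` NixOS module (in nixpkgs since 24.05; it loads every `*.alloy` file under `/etc/alloy` and runs the service in the `systemd-journal` group), and the Loki endpoint name is made up.

```nix
{ config, ... }:
{
  services.alloy.enable = true;

  # One file under /etc/alloy turns the host into a journal shipper. It is
  # part of the host's closure, so changing the pipeline is a redeploy.
  environment.etc."alloy/journal.alloy".text = ''
    // Promote the systemd unit name to a real label so alert rules can
    // select on it (by default the __journal_* fields are dropped).
    loki.relabel "journal" {
      forward_to = []
      rule {
        source_labels = ["__journal__systemd_unit"]
        target_label  = "unit"
      }
    }

    // Tail the local journal; the NixOS service runs in the systemd-journal
    // group, which is what grants read access to other units' logs.
    loki.source.journal "host" {
      max_age       = "24h"
      relabel_rules = loki.relabel.journal.rules
      labels        = {
        job  = "systemd-journal",
        host = "${config.networking.hostName}",   // filled in by Nix at build time
      }
      forward_to    = [loki.write.central.receiver]
    }

    // Endpoint name and address are assumptions; in the lab this would be the
    // services host behind a step-ca certificate.
    loki.write "central" {
      endpoint {
        url = "https://loki.home.example/loki/api/v1/push"
      }
    }
  '';
}
```

Because `host` is rendered from `config.networking.hostName`, the label is right on every node without per-host edits, and an alert that keys on `{host="hacktop", unit="sshd.service"}` is testable by reading the same flake that defines the host.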
Security Engineering
Threat modeling, hardening baselines, and least-privilege design, plus a libvirt range to attack the lab and prove the detections fire.
Networking
A generalist on the network side: UniFi with VLAN segmentation across trusted, IoT and guest, plus nftables host firewalls. At work, the same on Cisco, Meraki, SonicWall, Fortinet and pfSense.
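The host-side counterpart to the VLAN split, as an added example rather than the author's rules: the interface name, the management subnet and the exposed ports are assumptions. The UniFi side decides which VLANs may reach which; the per-host ruleset is the second line, so a device on the IoT or guest segment that gets to a host anyway still meets a default-drop policy.

```nix
{ ... }:
{
  # Hand-written ruleset, so the NixOS firewall module is turned off rather
  # than producing a second ruleset alongside this one.
  networking.firewall.enable = false;

  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet filter {
        # Management VLAN addressing is assumed.
        set mgmt_nets {
          type ipv4_addr
          flags interval
          elements = { 10.10.20.0/24 }
        }

        chain input {
          type filter hook input priority 0; policy drop;

          ct state established,related accept
          ct state invalid drop
          iif "lo" accept
          ip protocol icmp accept
          ip6 nexthdr icmpv6 accept

          # SSH only from the management VLAN, rate-limited on new connections.
          tcp dport 22 ip saddr @mgmt_nets ct state new limit rate 10/minute accept

          # HTTPS for the step-ca-issued services, only via the trusted VLAN interface (name assumed).
          iifname "vlan10" tcp dport 443 accept

          # IoT and guest get nothing further; every drop is logged and counted
          # so the Loki alert rules have something to fire on.
          log prefix "nft-drop-input " counter drop
        }

        chain forward {
          type filter hook forward priority 0; policy drop;
        }

        chain output {
          type filter hook output priority 0; policy accept;
        }
      }
    '';
  };
}
```

`nft list ruleset` on the host shows what actually loaded, and the `nft-drop-input` prefix lands in the journal that Alloy ships, which is how "attack the lab and prove the detections fire" gets a concrete signal: a scan from the IoT VLAN should appear as a burst of these lines on the target host and nowhere else.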
Declarative Recovery
Every NixOS host is a generation you can roll back to, and a compromised box is rebuilt to known-good with one command. The caveat is that a generation covers the system closure only: mutable state outside the Nix store (home directories, /var, service data) has to be wiped or restored from a trusted backup as well, or an attacker who persisted there survives the rollback.
Thought garden
Recently tended
A SIEM that lives in the config?
I moved the homelab off Wazuh onto a declarative Loki/Alloy stack, and I honestly do not know yet whether it was the right call.
- nixos
- security
- observability
Does declarative config actually replace an RMM?
RMMs are necessary for managing a fleet, and I am not convinced the declarative-everything story really replaces one. Where Colmena ends and an RMM begins.
- nixos
- homelab
Kubernetes the hard way
Kubernetes is on every job posting in the space I am aiming at. The plan is to learn it from scratch rather than helm-install it. Notes once I actually start.
- kubernetes
- devops
- learning