DevOps & Edge Security Engineer

Samuel Monteiro

Curitiba, Brazil

Professional summary

Software Engineer with over 4 years of experience specializing in infrastructure automation, Linux systems administration, and network security.

Extensive track record in server provisioning (Docker/Docker Compose), configuring secure mesh networks (Tailscale VPN/WireGuard), and developing APIs in Python (FastAPI) and Node.js.

Focus on Site Reliability Engineering (SRE), operational security (hardening), and elimination of repetitive manual tasks through code and telemetry.

01

Infrastructure as Code

Real configuration of my stack: reverse proxy with automated TLS, hardened containers, edge bot-firewall, and CI/CD with supply chain scanning.

Caddyfile
api.monteirotf.com {
  encode zstd gzip
  tls samuel@monteirotf.com        # ACME — Automated TLS, no renewal cron

  # hardening: security headers on every response
  header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Content-Security-Policy   "default-src 'none'; frame-ancestors 'none'"
    X-Frame-Options           "DENY"
    X-Content-Type-Options    "nosniff"
    Referrer-Policy           "strict-origin-when-cross-origin"
    Permissions-Policy        "geolocation=(), camera=(), microphone=()"
    -Server
  }

  # reverse proxy to container, with active health-check
  reverse_proxy api:8080 {
    health_uri      /healthz
    health_interval 10s
    health_timeout  3s
    lb_policy       round_robin
  }
}

02

Core Competencies

End-to-end platform stack: from provisioning to operation and reliability.

DevOps & Infrastructure

  • Docker
  • Docker Compose
  • Linux/Unix SysAdmin: Debian, Arch Linux, macOS
  • Caddy Server: Reverse Proxy, Automated SSL
  • VPN Mesh: Tailscale, WireGuard
  • Networks & Firewalls: IPTables
  • SSH Hardening
  • Git

Development & Automation

  • Python: FastAPI, CLI Scripts, Web Scraping
  • Node.js: REST APIs, WebSockets, BullMQ
  • n8n Automation Workflows
  • Shell/Bash Scripting
  • Lua: Neovim configuration

Edge & Serverless

  • Cloudflare Workers
  • Durable Objects
  • KV Store
  • D1 Database
  • DNS-over-HTTPS
  • Edge Security Heuristics

Databases & Queues

  • PostgreSQL
  • SQL Server
  • Redis Pub/Sub
  • SQLite
  • LUKS Full Disk Encryption
  • mTLS Authentication

03

Production Projects

Real cases with the problem, technical approach, and measured impact. Each solved a concrete platform bottleneck.

Firewall & Edge Security

Sentinel (Edge Bot-Firewall)

Repository
Problem
Bot attacks and data scrapers consumed excessive bandwidth and requests, inflating infrastructure costs without a viable mitigation tool on the free tier.
Approach
Developed Sentinel, an edge-executed bot-firewall using Cloudflare Workers and Durable Objects. It scores each request using TLS, HTTP version, and browser header signatures, drastically reducing the connection budget for suspicious agents.
Harmful traffic mitigated: -94%
Added latency: 0ms (waitUntil)
Security API cost: $0 (Free tier)
  • Cloudflare Workers
  • Durable Objects
  • JavaScript
  • Vitest

Automated Security Posture

RealScan (External Security Auditor)

Repository
Problem
HTTP security header misconfigurations, DNS record (SPF/DMARC) flaws, and client-side credential leaks were difficult to audit continuously from the outside.
Approach
Created RealScan, a serverless scanner on Cloudflare Workers that audits domains in seconds for compliance and exposed secrets. It guards against SSRF by blocking private (RFC1918) and reserved IP ranges.
Full scan duration: Seconds
Client-side secrets: Detected + redacted
SSRF guard: RFC1918 blocked
  • Cloudflare Workers
  • JavaScript
  • DNS-over-HTTPS
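
A sketch of the kind of SSRF guard described for RealScan, as an added example and not the project's own code. The names (`checkTarget`, `BLOCKED_V4`, `isBlockedV4`, `isBlockedV6`) and the exact list of reserved ranges are assumptions; the caller is assumed to resolve the hostname (for instance over DNS-over-HTTPS) and pass in every answer.

```javascript
// Non-public IPv4 space (constructed list). RFC 1918 is only three of these rows.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.0.0.0", 24],
  ["192.168.0.0", 16], ["198.18.0.0", 15], ["224.0.0.0", 3],
];

// Strict dotted-quad parser; returns an unsigned 32-bit integer or null.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedV4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // fail closed on anything unparseable
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Expects lowercase compressed IPv6 text, as the URL parser serializes it.
function isBlockedV6(addr) {
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(addr);
  if (mapped) { // IPv4-mapped: judge the embedded IPv4 address
    const [hi, lo] = [parseInt(mapped[1], 16), parseInt(mapped[2], 16)];
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
  }
  // unspecified, loopback, unique-local fc00::/7, link-local fe80::/10
  return addr === "::" || addr === "::1" ||
    /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// resolvedAddrs: every A/AAAA answer for the hostname (resolver is the caller's).
function checkTarget(rawUrl, resolvedAddrs = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return "reject:unparseable"; }
  if (!["http:", "https:"].includes(url.protocol)) return "reject:scheme";
  const host = url.hostname; // WHATWG parsing canonicalizes 0x7f.1, 2130706433
  const blocked = (a) => (a.includes(":") ? isBlockedV6(a.toLowerCase()) : isBlockedV4(a));
  if (host.startsWith("[")) return blocked(host.slice(1, -1)) ? "reject:ip" : "allow";
  if (ipv4ToInt(host) !== null) return blocked(host) ? "reject:ip" : "allow";
  if (resolvedAddrs.length === 0) return "reject:unresolved";
  return resolvedAddrs.some(blocked) ? "reject:dns" : "allow";
}
```

Redirect targets need the same check before they are followed, since a public URL can redirect to an internal address.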

High Performance & Synchronization System

Cortex-Vault (Knowledge Infrastructure)

Problem
Inconsistencies in local knowledge bases caused operational friction and sluggishness during data ingestion and local search across different hosts.
Approach
Built a high-performance system for data ingestion, automatically synchronized over a private Tailscale VPN mesh network with mTLS between Arch Linux and macOS, featuring utilities developed in Shell and Python.
Secure synchronization: Active mTLS
Local search time: < 50ms
Access limit: Only via tailnet
  • Linux
  • Shell Script
  • Python
  • Tailscale
  • WireGuard

Cybersecurity & Cryptography

6ID (Digital Identity Management)

Problem
Issuance and management of digital identities suffered from weak security and poor compliance in the handling of sensitive personal data.
Approach
Developed a secure end-to-end solution for digital identity issuance and control. Scalable backend in FastAPI featuring end-to-end encryption for handling sensitive data and cybersecurity compliance.
Sensitive data: Encrypted
Compliance: LGPD/GDPR by design
Core technology: FastAPI / Python
  • FastAPI
  • React
  • Python
  • PostgreSQL

Linux Systems Administration

dotfiles-bspwm (Configuration-as-Code)

Repository
Problem
Keeping Unix environments consistent, reproducible, and free from exposed sensitive data (such as API keys, credentials, and history) when publishing configurations publicly.
Approach
Developed a self-contained dotfiles repository under the Crimson aesthetic (bspwm, sxhkd, picom, polybar, dunst, and rofi) featuring an automated and idempotent Shell installer (setup.sh) that supports GNU Stow, automated timestamped backups, fault isolation, and data leak auditing.
Installation process: Fully idempotent
Deployment compatibility: Direct Link / GNU Stow
Privacy: Secrets auditing
  • Linux
  • Shell Script
  • BSPWM
  • sxhkd
  • GNU Stow
  • Polybar

04

Control Room

My edge-security infrastructure topology, from the edge to the origin.

Sentinel · Cloudflare Worker · edge

Edge bot-firewall. Scores each request (User-Agent · Accept-Language · HTTP version · TLS · ASN) and decides before hitting the origin: blocks (≥80), challenges (≥60) or allows. Durable Objects: RateLimiter per IP + Stats. Logged via ctx.waitUntil, outside the critical path.

−94% malicious · 0ms latency · $0 free tier · Durable Objects
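
The score-then-decide flow described above, as an added example and not Sentinel's own code. The thresholds (80 and 60) are the page's; the weights, the `TOOL_UA` pattern, the ASN set, the linear budget rule and all names are constructed assumptions, and the in-memory `RateLimiter` only stands in for the per-IP Durable Object. The input shape mirrors the `httpProtocol`, `tlsVersion` and `asn` fields Workers expose on `request.cf`.

```javascript
// Constructed weights: the page names the signals and thresholds, not the values.
const WEIGHTS = { noUserAgent: 45, toolUserAgent: 35, noAcceptLanguage: 20,
                  oldHttp: 15, oldTls: 25, flaggedAsn: 20 };
const TOOL_UA = /\b(curl|wget|python-requests|scrapy|go-http-client)\b/i;

// req: { headers: { lowercased-name: value }, cf: { httpProtocol, tlsVersion, asn } }
function scoreRequest(req, flaggedAsns = new Set()) {
  const ua = req.headers["user-agent"] || "";
  let score = 0;
  if (!ua) score += WEIGHTS.noUserAgent;
  else if (TOOL_UA.test(ua)) score += WEIGHTS.toolUserAgent;
  if (!req.headers["accept-language"]) score += WEIGHTS.noAcceptLanguage;
  if (/^HTTP\/1\./.test(req.cf.httpProtocol)) score += WEIGHTS.oldHttp;
  if (/^TLSv1(\.1)?$/.test(req.cf.tlsVersion)) score += WEIGHTS.oldTls;
  if (flaggedAsns.has(req.cf.asn)) score += WEIGHTS.flaggedAsn;
  return Math.min(score, 100);
}

// Thresholds as stated on the page: block at >= 80, challenge at >= 60.
function decide(score) {
  return score >= 80 ? "block" : score >= 60 ? "challenge" : "allow";
}

// Fixed-window per-IP counter standing in for the RateLimiter Durable Object.
class RateLimiter {
  constructor(baseBudget = 60, windowMs = 60000) {
    this.baseBudget = baseBudget;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> { start, count }
  }
  // Budget shrinks linearly with the score, so suspicious clients run out sooner.
  budgetFor(score) {
    return Math.max(1, Math.floor((this.baseBudget * (100 - score)) / 100));
  }
  allow(ip, score, now = Date.now()) {
    const w = this.hits.get(ip);
    const cur = w && now - w.start < this.windowMs ? w : { start: now, count: 0 };
    cur.count += 1;
    this.hits.set(ip, cur);
    return cur.count <= this.budgetFor(score);
  }
}
```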

05

Trajectory & Certifications

8 years evolving from infrastructure operations to platform and reliability engineering.

Certifications

  • CS50: Introduction to Computer Science

    Harvard University

  • Degree in Systems Analysis and Development

    PUCPR | Ongoing

  • Bachelor of Laws (LL.B.)

    UNISEPE (2017 - 2021)

06

Contact

Available to discuss infrastructure architecture, platform reliability, and delivery automation. Direct response through the channels below.