Customer-facing systems, internal tooling, and infrastructure running on owned hardware.
Conduit BSS
development Operations & billing platform for ISPs
Custom OSS/BSS for the muni-broadband space. Fastify + TypeScript API, React + Vite admin UI, Temporal workers handling billing cycle, dunning, and provisioning, Postgres + PostGIS for coverage areas. Production-ready across 19 development phases: accounts, billing, dunning, ticketing, technician dispatch, customer portal, integrations (API keys plus HMAC-signed webhooks), and a knowledge base with full-text search backed by Postgres tsvector. Deployed behind Caddy and Cloudflare Tunnel on a self-hosted LXC.
TypeScript, Fastify, React 19, Vite, Postgres 18, PostGIS, Temporal, Python, Docker
FiberFlow
production Fiber-optic inventory & job management
Web app for fiber-optic contractors to track splice cases, OTDR test results, materials, crews, and customer jobs from intake through closeout. Node + Express backend with MongoDB, React + Vite frontend, hardened systemd deployment. In production for an active fiber crew. Migrated cleanly off a third-party VPS into a self-hosted LXC with zero downtime.
Node.js, Express, MongoDB, Vite, React, Systemd
LightCraft Certifications
production Certification & CEU tracking for fiber technicians
Python (FastAPI) + SQLite app that tracks fiber-optic certifications, renewal dates, and CEU credits for field technicians under the Lightcraft umbrella. Issues digital certificates, sends pre-expiry reminders, and produces audit-ready compliance reports. Replaced a spreadsheet workflow that had outgrown the team's needs. Migrated email delivery from Resend to Amazon SES for higher deliverability.
Python, FastAPI, SQLAlchemy, Alembic, SQLite, Amazon SES
Lightcraft Operations Platform
development Internal tooling for Mac Mountain field ops
The umbrella of internal tools, dashboards, and automations I build and run under Lightcraft / Mac Mountain, the shared-services platform serving GWI, SanfordNet, Islesboro Broadband, Lyme NH Fiber, DV Fiber VT, and NWFX. Coverage maps, technician schedules, crew compliance, and cross-tenant reporting all live here.
TypeScript, Python, PostGIS, Internal SaaS
Taskboard
production Self-hosted Kanban for small teams
Lightweight task board running for myself, family, and friends. Docker-deployed Python backend, secret key bootstrapped on first run, SQLite persistence. Replaced Trello when the free tier's limits no longer fit the workflow, and the data lives on owned hardware rather than a third-party service.
Python, Docker, SQLite
Homelab Cluster
infra Five-node Proxmox cluster, fully self-hosted
Proxmox 9.x cluster across five nodes (pve1 through pve5) with a Raspberry Pi 5 quorum witness and a Pi-NFS backup target. Hosts everything on this page plus Plex, Obsidian sync (CouchDB), Homarr dashboards, n8n workflow automation, monitoring, and dev VMs. Corosync runs on a dedicated VLAN with a /28 backbone for low-latency cluster traffic. UniFi network segmentation and firewall policy keep service VLANs isolated from the rest of the LAN. Cluster tolerates loss of up to four nodes with the qdevice witness active.
Proxmox VE, LXC, KVM, Corosync, UniFi, Cloudflare Tunnel
Segmented Network Architecture
infra Eight VLANs, 10G fabric, DNS filtering, and remote-access mesh
UniFi UDM Pro Max routing eight isolated VLANs: trusted LAN, 10G storage fabric, UniFi Protect cameras, IoT, kids, management, VoIP, and Proxmox cluster. A dedicated 10 Gbps SFP+ aggregation layer carries Plex traffic and NFS to the UNAS Pro and UGREEN DXP4800. AdGuard Home runs as a redundant pair (primary + secondary) for network-wide DNS filtering and ad blocking. Twingate provides remote LAN access through four high-availability connector nodes, eliminating the need for inbound port forwards. Cloudflare Tunnel fronts every public service so the firewall stays sealed.
UniFi, VLAN 802.1Q, AdGuard Home, Twingate, Cloudflare Tunnel, 10 Gbps SFP+
Self-Hosted Media Pipeline
production VPN-gated download automation with hardlink imports into Plex
Docker stack running qBittorrent, Sonarr, Radarr, Prowlarr, SABnzbd, and NZBGet inside a single LXC, all sharing one Mullvad WireGuard tunnel via gluetun. The kill switch is enforced at the network namespace level, so any VPN drop cuts all traffic instantly. Sonarr and Radarr import via hardlink directly into the existing Plex library on an SMB-mounted Mac Mini server, avoiding duplicate storage. Category routing in qBittorrent keeps TV and movie staging separate, and a no-seeding policy (ratio cap of zero plus post-import torrent removal) limits disk wear.
Docker Compose, Gluetun, Mullvad WireGuard, qBittorrent, Sonarr, Radarr, Prowlarr, Plex, SMB
Self-Hosted Obsidian Sync
infra End-to-end-encrypted vault sync on owned hardware
Replaced iCloud Drive as my Obsidian vault sync with a self-hosted CouchDB on the cluster, fronted by a Cloudflare Tunnel. Vault stays end-to-end encrypted client-side, all chunks live on hardware I own, and there is no third-party storage cap. Currently around 30k docs / 300 MB synced across Mac and iOS clients.
CouchDB, Docker, Cloudflare Tunnel, LXC
Self-Hosted SIEM
production Wazuh fleet across every host in the network
Wazuh 4.14 manager deployed as a Proxmox VM with twelve agents across the full infrastructure: five Proxmox hosts, two Raspberry Pi services, the UGREEN DXP4800 NAS, and four macOS endpoints (Plex server, primary workstation, and two family laptops). UniFi gateway, switches, and access points ship syslog directly to the manager on UDP 514 for unified visibility across hardware that cannot run an agent. File integrity monitoring, vulnerability scanning, CIS configuration assessment, and rule-based alerting run continuously. Authd is configured with force-insert enrollment so agents reconcile cleanly after host rebuilds.
Wazuh 4.14, OpenSearch, Filebeat, syslog, Proxmox VE, OSSEC
CZD-Tools
research Personal security tool launcher
Python-based menu launcher tying together my OSINT and offensive-security toolkit (XSS detection, email OSINT, intelligence DB CLI, UDP scanning, file brute-forcing). Used in authorized testing engagements and CTF practice, not a public release.
Python, OSINT, Pen Testing
OSINT Aggregator
development Multi-source intelligence correlation
Python project that aggregates and cross-references OSINT data from multiple feeds. Built for authorized investigations: domain pivots, email enrichment, and footprint mapping into a single report.
Python, OSINT