Hadi Cherkaoui
I write Rust. Building Anvil — a Kubernetes-native Minecraft panel — on the k0s cluster I operate myself. OSS advocate, AI/ML enthusiast, homelab operator, and competing in ICT Championships Switzerland.
I build Kubernetes-native in Rust.
Anvil
Existing panels (Crafty, Pterodactyl) treat Kubernetes as an afterthought — they assume Docker on a single host. Anvil flips it: the cluster is the runtime, and a Minecraft server is just a shape of StatefulSet + PVC + Service. Scale-to-zero is replicas: 0; per-server PVCs are free.
One Axum binary drives it via kube-rs typed APIs — no CRDs, no controller, no reconciliation loop. The Next.js frontend ships as a static export embedded with rust-embed: one distroless image, ~30 MB, no Node runtime in production. Runs on the k0s cluster I operate myself. AGPL, v1.0.0.
I build tools I actually use.
Lockbox
Lockbox is my first Rust project — an open-source E2EE secrets manager built for k8s and automation. Ed25519 keypair auth (no master password, SSH-style), AES-256-GCM encryption, and a delta-sync API designed for controllers.
The companion Go controller watches your cluster, pulls changed secrets from Lockbox, decrypts them, and injects them as native k8s Secrets tagged lockbox.io/managed. No secrets in git. No manual kubectl apply.
I run my own infrastructure.
Network
Custom OPNsense router with a 10Gig NIC between the ISP and my network. Managed switch: 10Gig uplink, 8×2.5Gig downstream. VLAN segmentation between home and lab environments. WiFi 7 via UniFi U7 Lite.
Cluster & GitOps
AMD Ryzen 5 7600X, 64GB DDR5 RAM, k0s on Ubuntu Server. Deployments go through FluxCD, pulling manifests from a self-hosted GitLab instance. I wrote the CI pipelines. Everything is GitOps — no manual kubectl apply in production.
Identity & Privacy
I don't extend trust by convention. Every self-hosted service authenticates through Authentik — my self-hosted SSO. For cloud I use Proton: Swiss jurisdiction, open-source, E2EE by default. Proton Pass for passwords. Proton Drive for offsite backups. Nothing sensitive touches a vendor I can't audit.
I use my tools on purpose.
Operating System
I daily-drive Artix Linux — not for the aesthetic, but because I want every layer of my system to match what I mean. dinit instead of systemd, doas instead of sudo, Catppuccin Macchiato across the entire stack. Rolling releases, deliberate choices.
Languages & AI
I write Go when Rust is overkill: tooling, scripts, things that need to compile fast and get out of the way. I know TypeScript and React — but I reach for Leptos when the project shares a codebase with the server. I'm also exploring AI/ML tooling and building with LLM APIs.
Dev Environment
Alacritty terminal running Zsh with Powerlevel10k, Tmux for session management, JetBrains Mono everywhere code is displayed. Every tool is chosen, nothing is default.
I compete.
ICT Championships Switzerland
I compete in the ICT Championships Switzerland — Skill 53 (Cloud Computing). I recently won the regional championship with a perfect score of 120/120. The competition covers infrastructure, cloud platforms, and problem-solving under pressure.
I learn offense.
I'm working through TryHackMe's ethical hacking path — hands-on labs covering penetration testing, network exploitation, and security tooling. You don't really understand how to defend a system until you've tried to break one.
TryHackMe profile
Get in Touch
If you want to work together, talk about Rust, or ask about the homelab — reach out.