https://wintermutecore.com/tags/devops/Recent content in Devops on Project WintermuteHugoen-usThu, 05 Mar 2026 14:00:00 +0200https://wintermutecore.com/posts/k3s-hetzner-production-notes/Thu, 05 Mar 2026 14:00:00 +0200https://wintermutecore.com/posts/k3s-hetzner-production-notes/<p><strong>TL;DR.</strong> k3s on Hetzner is a strong cost-control move when you are willing to operate the cluster. Mind the Flannel MTU on Hetzner private networks, separate stateless and stateful workloads at the storage layer, keep observability minimal but real, and treat backups as a tested practice rather than a config setting.</p> <p>A managed Kubernetes service is the right answer for most teams. When it is not the right answer (cost, control, locality of data), self-hosted k3s on a low-cost provider like Hetzner is one of the better options. We have run several clusters of this shape in production for over a year. This post is the set of decisions that have held up.</p>https://wintermutecore.com/posts/go-ci-lint-pipeline-optimisation/Thu, 12 Feb 2026 10:00:00 +0200https://wintermutecore.com/posts/go-ci-lint-pipeline-optimisation/<p><strong>TL;DR.</strong> Lint on a large Go monorepo went from 63 seconds to about 25 seconds on warm cache, with macOS skipped on branches. Five changes: concurrency group, conditional OS matrix, combined cache restore and save, explicit <code>go mod download</code>, and incremental <code>golangci-lint --new-from-rev</code>. None require a self-hosted runner.</p> <p>A large Go codebase makes the CI lint stage the part developers feel most: every push, on every branch. Lint feedback that takes a minute and a half kills iteration speed and quietly trains people to push less often, which is the opposite of what you want.</p>https://wintermutecore.com/posts/kubernetes-ingress-outage-postmortem/Mon, 09 Feb 2026 12:00:00 +0200https://wintermutecore.com/posts/kubernetes-ingress-outage-postmortem/<p><strong>TL;DR.</strong> A backend deployment lost all healthy pods. nginx active health checks marked the upstream pool empty. That pool was the <code>default_server</code> for ports 80 and 443, so every unmatched hostname returned 502 for 6 hours and 38 minutes. The trigger was Kubernetes-side. The blast radius was a configuration choice we made years ago. The post-incident fixes were almost all on the nginx side.</p> <p>We had a P0 outage on a public ingress tier. Two redundant nginx instances, both showing the same symptoms, both serving production traffic to dozens of hostnames. This is the writeup, sanitised and reduced to the parts that generalise.</p>https://wintermutecore.com/services/Sun, 13 Feb 2022 11:11:11 -0100https://wintermutecore.com/services/<p><p style="text-align:center;"> <img src="https://wintermutecore.com/services.jpg" alt="Services" /> </p> </p> <p>Below is what we actually do day to day. We try to keep the list short and the descriptions honest. If something here matches what you need, get in touch.</p> <h2 id="software-engineering" class="anchor-link"><a href="#software-engineering">Software engineering<span class="pilcrow">&nbsp;¶</span></a></h2> <p>We write backend services in Java, Kotlin, Go, and Groovy. Most of the work falls into a few buckets: REST and gRPC APIs, distributed systems handling high request volumes, and the occasional batch job that has to be reliable more than fast.</p>