[{"content":"🎓 Education Technological Specialization in Network and System Administration CINEL – Center of Education in Electronics, Energy, Telecommunications and IT Nov 2018 – Aug 2020\nFinal Grade: 17/20 Qualification Level: EQF Level 5 (74.5 ECTS Credits) Core Competencies: Heterogeneous environments (Windows/Unix), server virtualization, network device management (switching, routing, VPN), security hardening, monitoring systems Capstone: Enterprise High-Availability Network — dual-vendor WAN edge with VRRP failover, multi-area OSPF, Windows AD/Exchange and Samba AD domains, ZFS/iSCSI storage, Bareos backups, Zabbix monitoring Bachelor\u0026rsquo;s Degree in Musicology NOVA FCSH (Universidade Nova de Lisboa) 2013 – 2017\n📜 Certifications ITIL 4 Foundation — PeopleCert, Jan 2024 Microsoft Certified: Azure Fundamentals (AZ-900) — Microsoft, Oct 2022 EXIN Agile Scrum Foundation — EXIN, May 2022 Oracle Cloud Infrastructure Foundations Certified Associate — Oracle, 2021 Neural Networks and Deep Learning — DeepLearning.AI (Coursera), Oct 2025 Advanced Training Microsoft Azure Security Technologies (AZ-500) — 28h, Olisipo, Apr 2022 DASA DevOps Fundamentals — Olisipo, Oct 2022 Advanced Linux: The Linux Kernel — LinkedIn Learning, Apr 2023 🌍 Languages Portuguese — Native English — Fluent (professional working language) ","permalink":"http://hugoqs.pt/education/","summary":"\u003ch2 id=\"-education\"\u003e🎓 Education\u003c/h2\u003e\n\u003ch3 id=\"technological-specialization-in-network-and-system-administration\"\u003eTechnological Specialization in Network and System Administration\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eCINEL – Center of Education in Electronics, Energy, Telecommunications and IT\u003c/strong\u003e\n\u003cem\u003eNov 2018 – Aug 2020\u003c/em\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eFinal Grade:\u003c/strong\u003e 17/20\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQualification Level:\u003c/strong\u003e EQF Level 5 (74.5 ECTS Credits)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCore Competencies:\u003c/strong\u003e Heterogeneous environments (Windows/Unix), server virtualization, network device management (switching, routing, VPN), security hardening, monitoring systems\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCapstone:\u003c/strong\u003e \u003ca href=\"/projects/capstone/\"\u003eEnterprise High-Availability Network\u003c/a\u003e — dual-vendor WAN edge with VRRP failover, multi-area OSPF, Windows AD/Exchange and Samba AD domains, ZFS/iSCSI storage, Bareos backups, Zabbix monitoring\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"bachelors-degree-in-musicology\"\u003eBachelor\u0026rsquo;s Degree in Musicology\u003c/h3\u003e\n\u003cp\u003e\u003cstrong\u003eNOVA FCSH (Universidade Nova de Lisboa)\u003c/strong\u003e\n\u003cem\u003e2013 – 2017\u003c/em\u003e\u003c/p\u003e","title":"Education \u0026 Certifications"},{"content":"Contact Email: me@hugoqs.pt LinkedIn: linkedin.com/in/hugoqueirozsantos GitHub: github.com/vicktorhugoqs Location: Lisbon, Portugal ","permalink":"http://hugoqs.pt/contact/","summary":"\u003ch3 id=\"contact\"\u003eContact\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eEmail:\u003c/strong\u003e \u003ca href=\"mailto:me@hugoqs.pt\"\u003eme@hugoqs.pt\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLinkedIn:\u003c/strong\u003e \u003ca href=\"https://www.linkedin.com/in/hugoqueirozsantos\"\u003elinkedin.com/in/hugoqueirozsantos\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGitHub:\u003c/strong\u003e \u003ca href=\"https://github.com/vicktorhugoqs\"\u003egithub.com/vicktorhugoqs\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLocation:\u003c/strong\u003e Lisbon, Portugal\u003c/li\u003e\n\u003c/ul\u003e","title":"Get in Touch"},{"content":"Platform Engineer / DevOps Engineer Siemens | Jan 2022 – Present | Lisbon, Portugal (Remote)\nPlatform \u0026amp; VM Lifecycle Automation Built VM image pipelines on Tekton with KubeVirt — ISO-based installation driven by cloud-init, plus cloud-image customization with libvirt/guestfs to meet internal partitioning requirements — for Ubuntu, Debian, and RHEL Developed a self-service VM provisioning workflow: requests arrive as GitHub Issues, and GitHub Actions deploys through a custom Helm chart that templates the VM and its disks on OpenShift Virtualization, registers the IP via the phpIPAM API, and hands off to Ansible for post-deployment configuration Manage the full lifecycle of hundreds of Linux servers across multiple international datacenters — provisioning, patching, compliance, credential rotation, and decommissioning Log Management Platform Built and operate the team\u0026rsquo;s centralized logging for its managed servers: Beats agents ship to Logstash nodes, which route streams to OpenSearch — and selected log types also to a company-wide Kafka platform Developed the Ansible role for automated OpenSearch/Logstash/Dashboards deployment with TLS, OIDC authentication, and ISM retention policies Onboarded logs from 10+ services the team runs — monitoring, backup, DHCP, IPAM, file servers, antivirus mirrors, terminal servers, Ansible Automation Platform — into the central platform Security \u0026amp; Compliance Automation Maintain CIS-derived hardening roles for Ubuntu, Debian, and RHEL — translating company-wide measure plans (built on CIS, NIST, and other published standards) into Ansible, with per-measure tagging for selective execution Built automated compliance checking: an Ansible role that emails compliance reports and raises Icinga2 alarms for non-compliant hosts, with remediation coordinated with the teams owning each VM Implemented credential rotation automation with HashiCorp Vault Manage fleet-wide antivirus infrastructure — mirror server, Ansible deployment role, monitoring, and exception handling Ansible Automation Platform (AAP) Administer AAP across 60+ inventory groups — execution nodes, OIDC authentication, and Grafana monitoring dashboards Author and maintain, with my team, 10+ Ansible roles on GitHub Enterprise with CI/CD linting pipelines and automated release drafting Infrastructure Operations Deliver and run the VMs behind the team\u0026rsquo;s internal services — ALM tooling, artifact repositories, build agents, load balancers, monitoring — handling incidents and service requests across access management, storage, networking, patching, and service recovery Key Technologies: Ansible, AAP, OpenShift Virtualization (KubeVirt), Tekton, Helm, GitHub Actions, HashiCorp Vault, OpenSearch, Logstash, Grafana, Icinga2, VMware ESXi, Python, Bash\nJunior System Administrator PDMFC | Apr 2021 – Sep 2021 | Lisbon, Portugal\nManaged virtualization infrastructure across VMware ESXi, Proxmox, and Hyper-V for Dev, QA, and Production environments Installed and maintained GitLab CI runners and helped development teams troubleshoot application deployments Configured Zabbix monitoring with custom metrics and alarm thresholds for proactive incident detection Assisted with maintenance of firewall policies and VPN configurations supporting network segmentation Key Technologies: VMware ESXi, Proxmox, Hyper-V, GitLab CI, Zabbix, BIND DNS, pfSense, OpenVPN, Active Directory\nOperational Support Systems Trainee Claranet Portugal | Jun 2020 – Aug 2020 | Lisbon, Portugal\nWorked on the fleet-wide migration from SNMPv2 to SNMPv3 with new proxy infrastructure — a multi-hundred-asset effort, carried out with a fellow trainee and still in progress when the traineeship ended Built a custom Zabbix template to monitor UPS units via SNMP Key Technologies: Zabbix, SNMP, ITIL\nSkills Overview Automation \u0026amp; IaC: Ansible (roles, AAP), Tekton, Helm, GitHub Actions, CI/CD pipelines\nContainers \u0026amp; Orchestration: OpenShift 4.x, OpenShift Virtualization (KubeVirt), Kubernetes, Helm, container image pipelines\nObservability \u0026amp; Logging: OpenSearch, Logstash, Filebeat, Grafana, Icinga2, Zabbix\nSecurity \u0026amp; Compliance: CIS benchmarks, credential rotation, SSH hardening, fleet antivirus management\nSecrets \u0026amp; Identity: HashiCorp Vault, Active Directory/SSSD, OIDC (Microsoft Entra ID), Kerberos, LDAP\nInfrastructure: VMware ESXi, Proxmox, Hyper-V, QEMU/KVM, Pure Storage (FC), Portworx, Multus CNI\nNetworking: phpIPAM, day-to-day TCP/IP troubleshooting; foundational training in OSPF, VRRP, IPSec, OpenVPN, OPNsense, VyOS\nCore Services: Nginx, HAProxy, Bind (DNS), DHCP\nLanguages \u0026amp; Tools: Bash, Python, Jinja2, YAML, Git, GitHub Enterprise, GitLab, MkDocs\n","permalink":"http://hugoqs.pt/experience/","summary":"\u003ch2 id=\"platform-engineer--devops-engineer\"\u003ePlatform Engineer / DevOps Engineer\u003c/h2\u003e\n\u003cp\u003e\u003cstrong\u003eSiemens\u003c/strong\u003e | Jan 2022 – Present | Lisbon, Portugal (Remote)\u003c/p\u003e\n\u003ch3 id=\"platform--vm-lifecycle-automation\"\u003ePlatform \u0026amp; VM Lifecycle Automation\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eBuilt VM image pipelines on \u003cstrong\u003eTekton with KubeVirt\u003c/strong\u003e — ISO-based installation driven by cloud-init, plus cloud-image customization with libvirt/guestfs to meet internal partitioning requirements — for Ubuntu, Debian, and RHEL\u003c/li\u003e\n\u003cli\u003eDeveloped a \u003cstrong\u003eself-service VM provisioning workflow\u003c/strong\u003e: requests arrive as GitHub Issues, and GitHub Actions deploys through a custom \u003cstrong\u003eHelm chart\u003c/strong\u003e that templates the VM and its disks on OpenShift Virtualization, registers the IP via the phpIPAM API, and hands off to \u003cstrong\u003eAnsible\u003c/strong\u003e for post-deployment configuration\u003c/li\u003e\n\u003cli\u003eManage the full lifecycle of hundreds of Linux servers across multiple international datacenters — provisioning, patching, compliance, credential rotation, and decommissioning\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"log-management-platform\"\u003eLog Management Platform\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eBuilt and operate the team\u0026rsquo;s centralized logging for its managed servers: \u003cstrong\u003eBeats\u003c/strong\u003e agents ship to \u003cstrong\u003eLogstash\u003c/strong\u003e nodes, which route streams to \u003cstrong\u003eOpenSearch\u003c/strong\u003e — and selected log types also to a company-wide \u003cstrong\u003eKafka\u003c/strong\u003e platform\u003c/li\u003e\n\u003cli\u003eDeveloped the Ansible role for automated OpenSearch/Logstash/Dashboards deployment with TLS, OIDC authentication, and ISM retention policies\u003c/li\u003e\n\u003cli\u003eOnboarded logs from 10+ services the team runs — monitoring, backup, DHCP, IPAM, file servers, antivirus mirrors, terminal servers, Ansible Automation Platform — into the central platform\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"security--compliance-automation\"\u003eSecurity \u0026amp; Compliance Automation\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eMaintain \u003cstrong\u003eCIS-derived hardening roles\u003c/strong\u003e for Ubuntu, Debian, and RHEL — translating company-wide measure plans (built on CIS, NIST, and other published standards) into Ansible, with per-measure tagging for selective execution\u003c/li\u003e\n\u003cli\u003eBuilt automated compliance checking: an Ansible role that emails compliance reports and raises \u003cstrong\u003eIcinga2\u003c/strong\u003e alarms for non-compliant hosts, with remediation coordinated with the teams owning each VM\u003c/li\u003e\n\u003cli\u003eImplemented \u003cstrong\u003ecredential rotation automation with HashiCorp Vault\u003c/strong\u003e\u003c/li\u003e\n\u003cli\u003eManage fleet-wide antivirus infrastructure — mirror server, Ansible deployment role, monitoring, and exception handling\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"ansible-automation-platform-aap\"\u003eAnsible Automation Platform (AAP)\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAdminister AAP across 60+ inventory groups — execution nodes, OIDC authentication, and Grafana monitoring dashboards\u003c/li\u003e\n\u003cli\u003eAuthor and maintain, with my team, 10+ Ansible roles on GitHub Enterprise with CI/CD linting pipelines and automated release drafting\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"infrastructure-operations\"\u003eInfrastructure Operations\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eDeliver and run the VMs behind the team\u0026rsquo;s internal services — ALM tooling, artifact repositories, build agents, load balancers, monitoring — handling incidents and service requests across access management, storage, networking, patching, and service recovery\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eKey Technologies:\u003c/strong\u003e Ansible, AAP, OpenShift Virtualization (KubeVirt), Tekton, Helm, GitHub Actions, HashiCorp Vault, OpenSearch, Logstash, Grafana, Icinga2, VMware ESXi, Python, Bash\u003c/p\u003e","title":"Professional Experience"},{"content":"Project Overview Institution: CINEL — Centro de Formação Profissional da Indústria Electrónica, Energia, Telecomunicações e Tecnologias da Informação (Lisbon) Program: CET — Técnico Especialista de Gestão de Redes e Sistemas Informáticos (EQF Level 5) Date: January 2020 · Two-person team The Assignment Build a complete, working two-site corporate network: 8 servers, 5 firewalls and 6 virtual routers, virtualized to run on a single classroom PC, connected to physical Cisco and Huawei routers shared with 15 other teams over a common training-center WAN.\nThere was no partial credit for slideware: 15 of the 20 points came from live functionality, verified in a 1–1.5 hour defense where every requirement was exercised against the running VMs — no time to rebuild anything that didn\u0026rsquo;t work.\nArchitecture Training-center WAN (10.2.0.0/16) │ ┌──────────────┴──────────────┐ │ Cisco (IOS) Huawei (VRP)│ Physical edge routers in │ └── VRRP virtual IP ──│ active/backup failover └──────────────┬──────────────┘ │ OSPF backbone ── Kronix (project-wide ┌──────────────┴──────────────┐ DNS + NTP) West OSPF area East OSPF area 3 × VyOS routers 3 × VyOS routers │ │ Firewalls Tijolo · Calhau Firewalls Brick · Brack · Stone ├─ Green: Samba 4 AD DC, ├─ Green: Windows Server PDC │ Windows Server Core RODC │ (AD DS/DNS/DHCP/Exchange), ├─ Orange DMZ: Nginx/Apache │ FreeNAS iSCSI storage │ web tier + Moodle └─ Green: Bareos backups + └─ Blue: VoIP server Zabbix monitoring Network \u0026amp; Routing Dual-vendor WAN edge: a physical Cisco router (IOS) and Huawei router (VRP) configured as a single virtual gateway via VRRP — on master failure, the backup takes over existing connections between the internal network and the center\u0026rsquo;s WAN Six VyOS routers (Debian-based) forming two internal areas, with OSPF across 3 areas spanning both the virtual and physical routers Egress policy enforced at the edge: only a defined subset of host addresses in the team\u0026rsquo;s range could reach the center network and Internet Security \u0026amp; Segmentation Five open-source firewall appliances segmenting each site into Green (trusted), Orange (DMZ) and Blue (VoIP) zones, with SSH administration restricted to public-key authentication only Enforced DNS resolution chains — clients could only resolve through the Windows DC, which forwarded through the firewalls to the project DNS and out to the WAN; direct resolution was blocked Identity-, group- and time-based content policies: social media limited to specific departments and time windows, remote-access tools allowed only for IT during working hours, webmail blocked for selected groups, category and TLD blocking on the DMZ firewall VPN mesh: IPsec site-to-site links between the firewalls, plus OpenVPN road-warrior access from the WAN authenticated against Active Directory through RADIUS — restricted to the IT group within defined hours, with all client traffic forced through the firewall\u0026rsquo;s egress rules Windows Infrastructure (East site) Windows Server 2012/2016 Primary Domain Controller running AD DS, primary DNS, DHCP and Exchange 2013/2016, with webmail (OWA) reachable over HTTPS from outside Country- and department-based OU structure with ~25 Group Policy Objects: folder redirection to network storage, mapped drives with per-user quotas, printer deployment at logon, assigned software installation, per-department enforced wallpapers, command-line lockdown with IT exemptions, and browser policies Read-Only Domain Controller on Windows Server Core simulating a branch office in the other site: slave DNS, DHCP, NTP sync, authentication scoped to a single OU, and nightly AD schema/SYSVOL backups FreeNAS storage server: ZFS RAID 5 pool exposed over iSCSI and mounted by the domain controller to host Exchange mail stores and redirected home folders Linux Infrastructure (West site) Samba 4 Active Directory domain controller (Windows 2008 R2 forest level) managing Windows clients with GPOs — drive mappings, hidden shares with group ACLs, per-department policies and software deployment Samba shares on Linux software RAID 5 with per-user quotas and usage warnings; CUPS print services for domain clients Postfix/Dovecot mail hosting multiple domains with cross-domain and external routing, RoundCube webmail reachable from the WAN, and Rspamd + ClamAV spam/antivirus filtering SSH hardened to key-pair authentication and restricted to defined time windows DMZ Web Tier Nginx reverse proxy in round-robin over two Apache virtual hosts — plain HTTP in on one port, SSL/TLS out on another Additional basic-auth and TLS-protected sites served by both Apache and Nginx, and a Moodle CMS behind TLS All services published through the project\u0026rsquo;s \u0026ldquo;external\u0026rdquo; DNS and validated from a test client on the WAN Backup, Monitoring \u0026amp; Core Services Bareos backup server on RAID 6 with a hot spare, running per-system full/incremental/differential schedules: AD database and SYSVOL, Exchange stores and home folders, Samba/Postfix/Dovecot configuration and logs, web server logs and virtual hosts, VoIP call records Zabbix monitoring of every server, firewall and router — physical and virtual — via agents and SNMP: CPU, memory and swap paging, interface bandwidth, OSPF LSA exchange between neighbors, VRRP state transitions, and hardware temperature on the physical routers Central project DNS/NTP server providing name resolution and time sync for the entire network VoIP server in the Blue zone supporting softphone calls between users in different zones — including calls to another team\u0026rsquo;s network across the shared WAN Why It Still Matters This was my first end-to-end build of an enterprise-shaped environment: routing, segmentation, identity, mail, storage, backup and monitoring all had to interoperate — and survive a live demonstration. What carried into my professional work wasn\u0026rsquo;t the specific stack — outside of Zabbix in my first roles, I haven\u0026rsquo;t worked with network equipment or open-source firewalls professionally — but the foundations underneath it: understanding how these systems fit together, and the troubleshooting discipline the project demanded: reading documentation, hunting error messages in logs, forming hypotheses, gathering evidence, and thinking critically about failure modes.\nBuilt as a two-person team from a brief authored by CINEL\u0026rsquo;s instructors; every specification above was validated during the final defense.\n","permalink":"http://hugoqs.pt/projects/capstone/","summary":"Final project of my CET in Network \u0026amp; Systems Management at CINEL: a fully working multi-site corporate network — dual-vendor VRRP WAN edge, 3-area OSPF, Windows AD + Exchange, Samba AD, segmented firewalls with a VPN mesh, Bareos backups and Zabbix monitoring — defended live.","title":"Enterprise High-Availability Network (Capstone)"}]