What I do

Three pillars — Managed IT & Security, Private AI, and Websites & Infrastructure — and the architecture patterns underneath them, with one identity surface and central logging tying it together.

Services

Three pillars, delivered end-to-end by one expert — from running cable and racking servers up to standing up private on-prem AI. Engagements are scoped individually or bundled into a longer-running retainer.

Managed IT & Security

Your whole IT stack — endpoints, email, network, identity, backups — managed and defended on one Canadian-hosted platform, by one person who answers the phone.

  • Endpoint threat detection & response (EDR), secure email gateway, patching, verified backups, and 24/7 monitoring with a live client console.
  • Infrastructure & networking: structured cabling, rack builds, hardware firewalls (pfSense, WatchGuard, SonicWall), VLAN segmentation, and wireless point-to-point bridges.
  • Security & access: VPN + MFA as the only inbound path, Tier-0 admin separation, hardened baselines (Intune/GPO), and central logging someone actually reads.
  • Identity: Microsoft 365 / Entra ID / Active Directory — hybrid sync, SSO, conditional access, cleanup.
  • Cloud & hybrid setup where it pays off — Azure/AWS sized to real load, with workload placement backed by cost math.
  • Private cloud storage and a zero-knowledge password manager included as retainer features.
  • Automation that sticks: Bash/PowerShell/Python ops scripting, git-versioned configs, onboarding/offboarding flows, Power Automate.
The retainer pillar
Managed IT & Security →

Private AI

On-prem private LLMs, agentic workflows, and retrieval assistants grounded in your own data — with the data and compute staying inside your network.

  • Private LLMs on dedicated GPU servers (Ollama, vLLM, llama.cpp) so sensitive data never leaves the network.
  • Cost angle that matters: one capable server hosting a private LLM is often cheaper than a stack of $200-per-seat AI subscriptions — with full data sovereignty as a bonus.
  • Agentic workflows — Claude Code, MCP servers, and custom orchestrators — wired into code, ops, and back-office tasks.
  • Retrieval-augmented assistants over your real data: SharePoint libraries, file shares, ticket histories, internal wikis.
  • Guardrails, audit logging, and IdP-backed access so AI use is traceable and policy-aligned.
  • Proof, not slides: I run this exact stack myself — see the LLM Chat demo and Tower.
The differentiator
Private AI →

Websites & Infrastructure

Fast, owned, no-lock-in websites — and the hardened servers, hosting, and plumbing behind them.

  • Hand-built sites with no page-builder bloat: fast loads, clean SEO, and full ownership — no monthly platform lock-in.
  • Live template demos you can click before you commit.
  • Hosting on hardened infrastructure: TLS, backups, monitoring, and a human who actually fixes things.
  • Custom internal tools — booking, client portals, dashboards — built on PHP/LAMP, Python, or Node and wired into the systems you already run.
  • Migrations off WordPress/cPanel messes, handled end-to-end.
  • Database design and ops (MySQL/MariaDB, PostgreSQL, MSSQL) with backups and recovery discipline.
Build & Host
See live demos →

Architecture

How environments are designed under the hood — from the patch panel to the private LLM. Six layers, each built on simple, hardened building blocks and configuration kept under version control.

Physical & Network

The layer most teams ignore until it bites: cabling, racks, firewalls, switching, and wireless P2P bridges done properly.

  • Structured cabling, rack builds, patch panels, UPS, and PDU layouts oversaw or executed personally.
  • Hardware firewalls (pfSense, WatchGuard, SonicWall) configured with sane ACLs, IDS/IPS, and reporting wired into central logging.
  • L2/L3 switching, VLAN segmentation, and inter-VLAN routing — separate networks for servers, users, IoT/cameras, and guests.
  • Wireless point-to-point bridges and backhauls (TP-Link CPE710-class radios) for branch links, warehouse extensions, and acquisition stand-ups.
  • Site-to-site VPN topologies (WireGuard, IPsec) with health monitoring and failover.
  • DNS, DHCP, NTP, and SNMP — boring, foundational, and built to be observable.

Compute & Storage

Clustered VMs, on-prem servers, and cloud workloads designed as one estate — with SMB, iSCSI, and S3-compatible storage where each fits.

  • Hypervisor stacks: Hyper-V, VMware, KVM/Proxmox — clustered with HA, live migration, and replication to a secondary site.
  • Windows Server roles (AD DS, DNS/DHCP, IIS, file/print, ADFS) and Linux servers (Ubuntu, RHEL/Fedora) running side-by-side.
  • Cloud compute — Azure VMs and AWS EC2 — sized for actual load, with autoscale only where the workload genuinely benefits.
  • Storage layouts: SMB shares, iSCSI targets, NFS, and S3-compatible object storage — chosen for the workload, not the vendor.
  • Dedicated backup servers (Veeam-class or scripted snapshot pipelines) with offline copies and tested restore drills.
  • Database tiers across MySQL/MariaDB, PostgreSQL, and MSSQL with backups, replication, and migration discipline.

Identity & Access

One identity surface across on-prem and cloud, with MFA, conditional access, and Tier-0 separation as the defaults.

  • Centralized identity via AD DS / Entra ID — policies, groups, and MFA flow through to servers, SaaS, and VPN endpoints from one place.
  • Conditional access and Tier-0 separation: admin accounts isolated from daily-driver accounts; PAW-style admin workstations where appropriate.
  • SSH key-only authentication for Linux servers, with role-based admin accounts and no password logins.
  • WireGuard / IPsec VPNs for remote desktop, SSH, and SMB traffic — services kept off the public internet by default.
  • Mandatory MFA for VPN, RDP, admin tooling, and cloud sign-ins (Microsoft Authenticator, Duo, hardware tokens).
  • Sign-in and admin-action logging fed into central monitoring so suspicious access patterns surface fast.

Data & Applications

Custom web apps, internal tools, and ERP / CRM integrations on top of databases that are backed up, encrypted, and operated like production.

  • Apache or nginx fronting PHP, Python, and Node services — front-controller / MVC layouts, no framework lock-in.
  • Hardened TLS, HSTS, CSP, and sane HTTP-header / cookie defaults baked into every site.
  • Application data stored in encrypted databases on-prem or in cloud, with backups and point-in-time recovery configured per workload.
  • ERP / CRM integration — Dynamics, Salesforce, SharePoint, Power Platform — wired together via REST APIs, queues, and Power Automate.
  • Internal tools and dashboards that replace spreadsheet-based processes for finance, ops, and HR.
  • Reverse-proxy designs (nginx, Cloudflare) for safe public exposure of internal services where needed.

Operations

Configuration as code, CI/CD pipelines, scripted ops, and monitoring that catches problems before users do.

  • Git-versioned configuration: nginx/Apache vhosts, firewall rules, IaC templates, and automation scripts live in source control.
  • CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) for build, test, deploy, and rollback paths on apps and infrastructure changes.
  • Bash, PowerShell, and Python automation for backups, health checks, log rotation, certificate renewal, and post-migration cleanup.
  • Power Automate for business workflows: approvals, notifications, document routing, and lifecycle tasks across M365.
  • Onboarding / offboarding flows that drive AD, Entra ID, Intune, Exchange Online, and SaaS provisioning from a single trigger.
  • Monitoring (Grafana / Prometheus / Zabbix / native cloud) with alerting tuned to actual workload behaviour, not just defaults.

AI Layer

On-prem private LLMs, agentic workflows, and AI assistants grounded in real company data — with the compute and prompts staying inside your network.

  • Private LLMs hosted on dedicated GPU servers (Ollama, vLLM, llama.cpp) behind a hardened reverse proxy and IdP-backed auth.
  • Cost angle: a single capable server can serve a 30+ person org for less than the equivalent stack of $200-per-seat AI subscriptions — with full data sovereignty.
  • Retrieval-augmented assistants pointed at SharePoint libraries, file shares, ticket history, code repos, and internal wikis.
  • Agentic workflows — Claude Code, MCP servers, custom orchestrators — wired into ops, code, and back-office tasks.
  • ERP / CRM integration so AI surfaces sit on top of existing systems, not in a side-quest portal nobody opens.
  • Audit logging, rate limits, and access policies aligned with the rest of the stack — AI usage is observable and reviewable.
Book a free audit →