Three pillars — Managed IT & Security, Private AI, and Websites &
Infrastructure — and the architecture patterns underneath them, with one
identity surface and central logging tying it together.
Services
Three pillars, delivered end-to-end by one expert — from running cable and
racking servers up to standing up private on-prem AI. Engagements are
scoped individually or bundled into a longer-running retainer.
Managed IT & Security
Your whole IT stack — endpoints, email, network, identity, backups —
managed and defended on one Canadian-hosted platform, by one person
who answers the phone.
Endpoint threat detection & response (EDR), secure email gateway, patching, verified backups, and 24/7 monitoring with a live client console.
Security & access: VPN + MFA as the only inbound path, Tier-0 admin separation, hardened baselines (Intune/GPO), and central logging someone actually reads.
Identity: Microsoft 365 / Entra ID / Active Directory — hybrid sync, SSO, conditional access, cleanup.
Cloud & hybrid setup where it pays off — Azure/AWS sized to real load, with workload placement backed by cost math.
Private cloud storage and a zero-knowledge password manager included as retainer features.
Automation that sticks: Bash/PowerShell/Python ops scripting, git-versioned configs, onboarding/offboarding flows, Power Automate.
On-prem private LLMs, agentic workflows, and retrieval assistants
grounded in your own data — with the data and compute staying inside
your network.
Private LLMs on dedicated GPU servers (Ollama, vLLM, llama.cpp) so sensitive data never leaves the network.
Cost angle that matters: one capable server hosting a private LLM is often cheaper than a stack of $200-per-seat AI subscriptions — with full data sovereignty as a bonus.
Agentic workflows — Claude Code, MCP servers, and custom orchestrators — wired into code, ops, and back-office tasks.
Retrieval-augmented assistants over your real data: SharePoint libraries, file shares, ticket histories, internal wikis.
Guardrails, audit logging, and IdP-backed access so AI use is traceable and policy-aligned.
Proof, not slides: I run this exact stack myself — see the LLM Chat demo and Tower.
How environments are designed under the hood — from the patch panel to the
private LLM. Six layers, each built on simple, hardened building blocks and
configuration kept under version control.
Physical & Network
The layer most teams ignore until it bites: cabling, racks, firewalls,
switching, and wireless P2P bridges done properly.
Structured cabling, rack builds, patch panels, UPS, and PDU layouts oversaw or executed personally.
Hardware firewalls (pfSense, WatchGuard, SonicWall) configured with sane ACLs, IDS/IPS, and reporting wired into central logging.
L2/L3 switching, VLAN segmentation, and inter-VLAN routing — separate networks for servers, users, IoT/cameras, and guests.
Wireless point-to-point bridges and backhauls (TP-Link CPE710-class radios) for branch links, warehouse extensions, and acquisition stand-ups.
Site-to-site VPN topologies (WireGuard, IPsec) with health monitoring and failover.
DNS, DHCP, NTP, and SNMP — boring, foundational, and built to be observable.
Compute & Storage
Clustered VMs, on-prem servers, and cloud workloads designed as one
estate — with SMB, iSCSI, and S3-compatible storage where each fits.
Hypervisor stacks: Hyper-V, VMware, KVM/Proxmox — clustered with HA, live migration, and replication to a secondary site.
Windows Server roles (AD DS, DNS/DHCP, IIS, file/print, ADFS) and Linux servers (Ubuntu, RHEL/Fedora) running side-by-side.
Cloud compute — Azure VMs and AWS EC2 — sized for actual load, with autoscale only where the workload genuinely benefits.
Storage layouts: SMB shares, iSCSI targets, NFS, and S3-compatible object storage — chosen for the workload, not the vendor.
Dedicated backup servers (Veeam-class or scripted snapshot pipelines) with offline copies and tested restore drills.
Database tiers across MySQL/MariaDB, PostgreSQL, and MSSQL with backups, replication, and migration discipline.
Identity & Access
One identity surface across on-prem and cloud, with MFA, conditional
access, and Tier-0 separation as the defaults.
Centralized identity via AD DS / Entra ID — policies, groups, and MFA flow through to servers, SaaS, and VPN endpoints from one place.
Conditional access and Tier-0 separation: admin accounts isolated from daily-driver accounts; PAW-style admin workstations where appropriate.
SSH key-only authentication for Linux servers, with role-based admin accounts and no password logins.
WireGuard / IPsec VPNs for remote desktop, SSH, and SMB traffic — services kept off the public internet by default.
Mandatory MFA for VPN, RDP, admin tooling, and cloud sign-ins (Microsoft Authenticator, Duo, hardware tokens).
Sign-in and admin-action logging fed into central monitoring so suspicious access patterns surface fast.
Data & Applications
Custom web apps, internal tools, and ERP / CRM integrations on top of
databases that are backed up, encrypted, and operated like production.
Apache or nginx fronting PHP, Python, and Node services — front-controller / MVC layouts, no framework lock-in.
Hardened TLS, HSTS, CSP, and sane HTTP-header / cookie defaults baked into every site.
Application data stored in encrypted databases on-prem or in cloud, with backups and point-in-time recovery configured per workload.
ERP / CRM integration — Dynamics, Salesforce, SharePoint, Power Platform — wired together via REST APIs, queues, and Power Automate.
Internal tools and dashboards that replace spreadsheet-based processes for finance, ops, and HR.
Reverse-proxy designs (nginx, Cloudflare) for safe public exposure of internal services where needed.
Operations
Configuration as code, CI/CD pipelines, scripted ops, and monitoring
that catches problems before users do.
Git-versioned configuration: nginx/Apache vhosts, firewall rules, IaC templates, and automation scripts live in source control.
CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) for build, test, deploy, and rollback paths on apps and infrastructure changes.
Bash, PowerShell, and Python automation for backups, health checks, log rotation, certificate renewal, and post-migration cleanup.
Power Automate for business workflows: approvals, notifications, document routing, and lifecycle tasks across M365.
Onboarding / offboarding flows that drive AD, Entra ID, Intune, Exchange Online, and SaaS provisioning from a single trigger.
Monitoring (Grafana / Prometheus / Zabbix / native cloud) with alerting tuned to actual workload behaviour, not just defaults.
AI Layer
On-prem private LLMs, agentic workflows, and AI assistants grounded in
real company data — with the compute and prompts staying inside your
network.
Private LLMs hosted on dedicated GPU servers (Ollama, vLLM, llama.cpp) behind a hardened reverse proxy and IdP-backed auth.
Cost angle: a single capable server can serve a 30+ person org for less than the equivalent stack of $200-per-seat AI subscriptions — with full data sovereignty.
Retrieval-augmented assistants pointed at SharePoint libraries, file shares, ticket history, code repos, and internal wikis.
Agentic workflows — Claude Code, MCP servers, custom orchestrators — wired into ops, code, and back-office tasks.
ERP / CRM integration so AI surfaces sit on top of existing systems, not in a side-quest portal nobody opens.
Audit logging, rate limits, and access policies aligned with the rest of the stack — AI usage is observable and reviewable.