23 KiB
IT Pro Partner — Ops Portal Recommendations
Generated: 2026-07-09 Based on audit of current portal at
/var/www/ops/and ops-status.json collection pipeline
Table of Contents
- Current State Summary
- Recommended Pages (New & Improved)
- Actions Per Page — What Users Should Be Able to Do
- Integrations Roadmap
- Data Already Flowing
- RBAC Recommendations
- Implementation Priorities
1. Current State Summary
Existing Pages (all read-only, no action buttons)
| Page | URL | Status | What It Shows |
|---|---|---|---|
| Dashboard | / |
✅ Live | Health bar, cron jobs, services, S3 backups, API health, server inventory, versions |
| Servers | /servers.html |
✅ Live | netcup detail + Hetzner table (sortable), quick specs |
| Backups | /backups.html |
✅ Live | S3 bucket status grid, backup schedules, Wasabi info, manual actions (text only) |
| Network | /network.html |
✅ Live | DNS/Cloudflare zones, MikroTik (placeholder), Ubiquiti (placeholder) |
| Services | /services.html |
✅ Live | Systemd service status grid, API health, SyncroMSP integration summary |
| Cron Jobs | /cron.html |
✅ Live | Metrics overview, searchable job table with script viewer |
| Logs & Events | /logs.html |
✅ Live | API timeline, service events, cron errors, failure summary with filters |
| Config | /config.html |
✅ Live | Versions, config file viewer (Caddyfile, Hermes YAML), environment |
| Template | /template.html |
✅ Minimal | Empty page with nav injection |
Key Gaps Identified
- No action/control buttons anywhere — everything is read-only
- No customer management — no client list, activations, lifecycle
- No billing/finance — Stripe, Xero, invoices, payments
- No user/RBAC management — no login, no roles
- No audit log — no record of who did what
- No settings/integrations page — API keys, integrations, branding
- MikroTik routers — placeholder only
- Ubiquiti/UISP — placeholder only
- No backup restore buttons
- No service start/stop/restart
- No provisioning actions — no way to spin up a server or create a customer
- No DNS management actions — cannot add/remove records
- No support ticket creation
2. Recommended Pages
2.1 Dashboard (Improve Existing)
Current: Health bar, cron jobs, S3 backups, API health, server inventory, versions.
Improvements:
- Add role-aware widgets — show different cards depending on who's logged in
- Add quick-action toolbar — "Provision new server", "New customer", "Create ticket"
- Add alert/incident summary — current failures, threshold breaches
- Add recent activity feed — last 10 actions taken in the portal
- Add revenue/ billing snapshot for owner role
- Add weather/network status at a glance
- Add pinned services — most-watched services at top
2.2 Server Management (Improve Existing)
Current: netcup detail, Hetzner table with sorting, quick specs.
Improvements:
- Add provisioning actions per server:
- Restart server (soft reboot via Hetzner API)
- Power on/off
- Create snapshot
- Open SSH console (WebSSH / terminal-in-browser)
- View resource graphs (CPU, RAM, disk over time)
- Add threshold alerts per server — show warning if disk/mem/CPU exceeds thresholds
- Add server tags/groups — tag servers by role (web, db, ai, monitoring)
- Add migration status — track Hetzner→netcup migration progress per server
- Show backup status per server (last Hetzner snapshot date)
- Show Hudu link for each server's documentation page
- Add network interface stats — bandwidth per interface
2.3 Customer Management (NEW)
Purpose: One place to see all ITPP customers and their lifecycle.
Data sources: SyncroMSP, Stripe, Hudu, DRE CRM
Display:
- Customer list/search table with: name, email, phone, plan/service tier, status (active/pending/suspended), billing status, last ticket date
- Customer detail page with:
- Contact info
- Active services/subscriptions
- Ticket history (from SyncroMSP)
- Billing history (from Stripe)
- Device inventory (from SyncroMSP)
- Notes / tags
- Linked documentation (Hudu link)
Actions:
- Create new customer
- Suspend/reactivate customer
- Assign service tier
- Create ticket on behalf of customer
- View full billing history
- Link to SyncroMSP, Hudu, Stripe
2.4 Network (Improve Existing)
Current: Cloudflare zones + placeholders for MikroTik and Ubiquiti.
Improvements:
A) MikroTik Routers (unlock placeholder):
- Router list with: hostname, model, RouterOS version, uptime, CPU/load, memory, interfaces
- Interface table: name, status (up/down), traffic (tx/rx), errors
- Connected clients / DHCP leases
- Firewall rules overview (count, active)
- Backup status (link to MikroTik backup on Wasabi)
Actions:
- Reboot router
- Run configuration backup
- View interface traffic graphs
- Enable/disable interface
- View log tail
B) Ubiquiti / UISP (unlock placeholder):
- UISP device list: towers, access points, CPEs
- Client counts per tower
- Bandwidth utilization graphs
- Device health (online/offline, signal strength)
- UniFi controller status, access point health
Actions:
- Provision new CPE
- Block/stick client
- View real-time RF metrics
- Trigger site survey
C) DNS & Domains (add actions): Currently 13 Cloudflare zones already tracked: boxpilotlogistics.com, broadbandtx.com, debtrecoveryexperts.com, fleettracker360.com, forefrontisp.com, germainebrown.com, iamgmb.com, itpropartner.com, katiewattsdesign.com, localisp.com, texasinternetaccess.com, vigilanttac.com, voipsimplicity.com
Actions to add:
- Add/edit/delete DNS records (A, CNAME, MX, TXT, etc.)
- Enable/disable proxy (Cloudflare orange cloud)
- View DNS record count per zone
- Trigger Cloudflare cache purge
- Show SSL/TLS status per domain
- Domain expiry dates (if registrar API connected)
2.5 Backups (Improve Existing)
Current: S3 bucket status grid, schedules, Wasabi info, text-only manual actions.
Improvements:
- Add one-click restore button per bucket (list snapshots, pick restore point)
- Add trigger backup now button per bucket
- Show backup size per bucket (not just status)
- Add restore logs — history of recent restores
- Add backup retention policy display (how long each bucket keeps data)
- Add integrity check results — last verification timestamp and status
- Add restore to staging — restore to a temp directory for verification
Actions:
- Trigger backup → runs the relevant cron script immediately
- Restore from backup → pick a date/snapshot and restore
- Verify integrity → run checksum verification
- Download archive link to Wasabi console URL
- Set retention policy input
2.6 Services (Improve Existing)
Current: Systemd service grid, API health cards, SyncroMSP summary.
Improvements:
- Add start / stop / restart buttons per service
- Show service logs (journalctl tail)
- Show resource usage per service (memory, CPU, uptime)
- Add dependencies — what depends on this service being up
- Add enable/disable at boot toggle
- Add service health history — uptime %, last restart reason
Actions:
- Start service
- Stop service
- Restart service
- View live logs (journalctl -u)
- Enable/disable at boot
- Reload configuration (for services that support it)
2.7 Billing & Finance (NEW)
Purpose: Business owner's view of revenue, invoices, and accounting sync.
Data sources: Stripe, Xero
Display:
- Revenue overview — MTD, YTD, monthly breakdown (chart)
- Pending invoices — outstanding, overdue
- Payment history — recent transactions
- Customer billing summary — per customer: plan, last payment, balance
- Subscription health — active, past-due, canceled counts
- Accounting sync status — last Xero sync, any errors
Actions:
- View invoice detail
- Send invoice reminder
- Mark invoice as paid (manual override)
- Sync with Stripe
- Sync with Xero
- Export billing report (CSV)
2.8 DNS & Domains (NEW dedicated page — or merge into Network)
If kept as separate page:
- All Cloudflare zones with DNS record counts
- Domain registrar details (expiry, auto-renew)
- Quick-add DNS record form
- SSL/TLS settings per domain
- Page Rules / redirect rules
2.9 Users & RBAC (NEW)
Purpose: Who can access the portal and what they can see/do.
Display:
- User list table: name, email, role, last login, status (active/disabled)
- Role/permission matrix view
- Audit log of user actions
Actions:
- Create user
- Edit user role
- Disable/delete user
- View user activity log
- Reset password / send invite
2.10 Audit Log (NEW)
Purpose: Record every action taken in the portal.
Display:
- Searchable, filterable timeline of events
- Columns: timestamp, user, action, resource, details, IP
- Exportable to CSV
Data captures:
- Who restarted a service
- Who triggered a backup
- Who created a customer
- Who changed a DNS record
- Login/logout events
- Failed permission attempts
2.11 Settings (NEW)
Purpose: Configure the portal itself and connected integrations.
Sections:
- Integrations — enable/disable and configure API keys for:
- SyncroMSP
- Cloudflare
- Hetzner
- Stripe
- Xero
- Wasabi
- UniFi
- UISP
- MikroTik
- Hudu
- RingLogix
- RunCloud
- API Keys — generate/manage API keys for programmatic portal access
- Branding — logo, company name, colors, support phone/email
- Notifications — configure alert email/Telegram destinations
- Backup retention — set retention policies per bucket
- Data retention — how long to keep logs, audit trail, events
2.12 Support Tickets (NEW)
Purpose: ITPP internal support ticket management.
Data source: SyncroMSP
Display:
- Ticket queue: ID, customer, subject, status, priority, assignee, last update
- Ticket detail: full conversation, attachments, time tracking
- Ticket metrics: open/closed counts, average response time
Actions:
- Create ticket
- Assign ticket
- Update status
- Add note/internal note
- Close/resolve ticket
- Link to customer profile
2.13 DRE Claims Dashboard (NEW or link to internal DRE portal)
The DRE portal already exists at internal.debtrecoveryexperts.com. On the Ops portal, add a widget/card on the dashboard showing:
- Pending approvals count
- Recent claims
- Inbox message count (from dre-mail-poller)
- Link through to the full DRE portal
3. Actions Per Page
| Page | Read-Only Information | Actions Available |
|---|---|---|
| Dashboard | Health summary, recent failures, quick stats | Quick action toolbar, drill into alerts |
| Servers | Server specs, status, IP, provider, type | Restart, power on/off, create snapshot, WebSSH, view resource graphs |
| Customers | Contact info, services, tickets, bills | Create, suspend, reactivate, create ticket, view billing |
| Network | Router status, interfaces, clients, DNS zones, device health | Reboot router, run backup, add DNS record, purge cache, enable/disable interface |
| Backups | Bucket status, last upload, age, schedule | Trigger backup, restore from snapshot, verify integrity, set retention |
| Services | Systemd status, API health, SyncroMSP stats | Start / stop / restart, view logs, enable/disable boot |
| Billing | Revenue, invoices, payments, subscriptions | Sync Stripe, sync Xero, send invoice reminder, export CSV |
| DNS | Zone list, record count, SSL status | Add/Edit/Delete record, toggle proxy, purge cache |
| Users/RBAC | User list, roles, last login | Create user, edit role, disable, view audit log |
| Audit Log | Full action timeline with user, action, resource | Search, filter, export |
| Settings | Integration status, versions, env | Add/rotate API keys, enable/disable integrations, set branding |
| Support Tickets | Queue, details, metrics | Create, assign, update status, add note, resolve |
| DRE | Pending approvals, claims, inbox count | Link to full DRE portal |
4. Integrations Roadmap
Already Connected & Working
| Integration | Status | Data Flow | Page(s) Using It |
|---|---|---|---|
| SyncroMSP | ✅ Live | 26 customers, tickets, devices via API | Dashboard, Services |
| Cloudflare | ✅ Live | 13 zones, DNS record status via API | Network, Dashboard |
| Hetzner | ✅ Live | 10 servers, status, type, IP via API | Servers, Dashboard |
| netcup | ✅ Live | Server detail (template, IP, id) via API/config | Servers |
| Wasabi | ✅ Live | 6 backup buckets, last upload, age via AWS CLI | Backups, Dashboard |
| Admin-AI | ✅ Live | API health check | Dashboard, Services |
In Progress — API Keys Saved, Need Portal UI
| Integration | Status | What to Build |
|---|---|---|
| UniFi | 🔶 Saved | Add UniFi client count, access point health, client list to Network page |
| UISP (UNMS) | 🔶 Saved | Add tower/CPE status, bandwidth to Network page |
Planned — Need Connection & UI
| Integration | Priority | What to Build |
|---|---|---|
| Stripe | 🔴 High | Billing page: invoice list, revenue, subscription management |
| Xero | 🔴 High | Billing page: accounting sync, P&L snapshot |
| MikroTik | 🟡 Medium | Network page: RouterOS API for interface stats, DHCP, firewall |
| RingLogix | 🟡 Medium | VoIP status, call metrics, DID inventory, phone management |
| Hudu | 🟡 Medium | Link servers/customers to documentation, inline wiki viewer |
| RunCloud | 🟢 Low | WordPress server management, site health, SSL |
Future / Nice-to-Have
| Integration | Use Case |
|---|---|
| Porkbun / Namecheap | Domain registration details, expiry dates, auto-renew |
| GitHub | Deploy status, latest commits, CI pipeline status |
| Grafana | Embed resource graphs, historical metrics |
| Uptime Kuma / Better Uptime | External monitoring status, incident history |
| OpenAI / AI credits | Usage tracking (Firecrawl already done, can add AI model usage) |
5. Data Already Flowing
The ops-data-collector (Python, runs every 5 min) already collects:
{
"timestamp": "ISO-8601",
"collection_duration_ms": 10363,
"overall": {
"total_jobs": 21,
"passing": 19,
"failing": 2,
"disk_used_pct": 6,
"memory_used_pct": 41
},
"cron_jobs": [ /* 21 jobs with name, schedule, lastRun, status, script */ ],
"services": { /* 8 systemd services: active/inactive */ },
"disk_memory": { "disk_used_pct", "memory_used_pct" },
"s3_backups": { /* 6 buckets: status, last_upload, age_hours */ },
"api_checks": { /* admin-ai, caddy-config, port checks, cloudflare */ },
"cloudflare_zones": [ /* 13 zone names + status */ ],
"versions": { /* hermes, caddy, python, os */ },
"routers": [ /* currently empty — placeholder */ ],
"netcup_server": { /* id, template, ip */ },
"hetzner_servers": [ /* 10 servers with name, status, type, ip, id */ ],
"syncromsp": { /* customers: 26, tickets, devices, customer_list */ }
}
What the collector CANNOT currently collect:
- MikroTik RouterOS data (API key needed + collect every 1-5 min)
- Ubiquiti/UISP data (API key saved, but collector not extended yet)
- Stripe billing data (no API key in collector)
- Xero accounting data (no API key in collector)
- Per-server resource usage beyond disk/memory (needs SSH or agent)
- Historical metrics (needs time-series DB like Prometheus or simple log file)
6. RBAC Recommendations
6.1 Roles
| Role | Description |
|---|---|
| Owner | Full access — see everything, do everything. Germaine. |
| Admin | Full access minus billing configuration and system settings. Tony. |
| Tech / Support | Servers, services, network, logs, tickets, customers (read). No billing, provisioning, settings. |
| Sales / Onboarding | Customer activation flow, order forms, provisioning status. No server internals, no billing. |
| Viewer / Auditor | Read-only across limited scope. No actions, no billing, no settings. |
| DRE Agent | DRE-specific pages only — claims, inbox, pending approvals. No infrastructure. Anita. |
6.2 Page Access Matrix
| Page / Feature | Owner | Admin | Tech/Support | Sales/Onboarding | Viewer | DRE Agent |
|---|---|---|---|---|---|---|
| Dashboard (full) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Dashboard (tech view) | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Dashboard (sales view) | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Dashboard (DRE view) | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Servers — view | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Servers — restart/power | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Servers — snapshot/provision | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Customers — view | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Customers — create/edit/suspend | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Customers — billing detail | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Network — view | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Network — reboot router/interface | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Network — DNS edit | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Backups — view | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Backups — trigger/restore | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Services — view | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Services — start/stop/restart | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Billing — view | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Billing — modify/sync | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Users/RBAC — manage | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Users/RBAC — view | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Audit Log — view | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Settings — all | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Settings — notification prefs | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Tickets — view all | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Tickets — create/assign | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| DRE Claims | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Provisioning (new servers/customers) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
6.3 Person-to-Role Mapping
| Person | Role | Notes |
|---|---|---|
| Germaine (email@redacted) | Owner | Sees everything, can do everything. Needs billing, provisioning, and audit. |
| Tony (email@redacted) | Admin | Full access minus billing config and user management. Handles server operations, backups, customer management. |
| Anita | DRE Agent | DRE-focused view. Claims, pending approvals, inbox. No infrastructure. |
| Future Tech Hire | Tech/Support | Servers, services, network, tickets. No billing, provisioning, settings. |
| Future Sales Hire | Sales/Onboarding | Customer activation, provisioning status, order forms. No server internals. |
| Future Auditor | Viewer | Read-only, limited scope. Good for compliance or investor review. |
6.4 RBAC Implementation Notes
- Start simple — use JWT or session tokens with role stored in the token
- No auth initially — phase 1: keep open but label sections as "Owner Only" / "Tech Only"
- Phase 2: add login with email/password or OAuth (Google/GitHub)
- Phase 3: full RBAC enforcement at API/backend level
- Consider using Hudu's SSO or SyncroMSP's user model as identity source to avoid yet another password
- Store role assignments in a simple JSON config file or small SQLite DB
7. Implementation Priorities
Phase 1: Add Actions to Existing Pages (Weeks 1-3)
- Backups — add "Trigger Backup" and "Restore" buttons (calls existing scripts via SSH)
- Services — add Start/Stop/Restart buttons (calls systemctl over SSH)
- Servers — add Reboot + Snapshot buttons (calls Hetzner API)
- Network — add DNS record management (calls Cloudflare API)
Phase 2: Unlock Placeholders (Weeks 3-5)
- MikroTik — RouterOS API integration, live interface/uptime/leases data
- Ubiquiti/UISP — Connect API, show tower status and client counts
- Dashboard improvements — alert summary, recent activity, quick actions
Phase 3: New Pages — Foundation (Weeks 5-8)
- Customer Management — list/search/create customers, linked to SyncroMSP
- Audit Log — capture and display every action
- Support Tickets — SyncroMSP ticket queue integration
- DRE Dashboard widget — pending approvals, inbox count
Phase 4: New Pages — Business & Admin (Weeks 8-12)
- Users & RBAC — login, role assignment, permission enforcement
- Billing & Finance — Stripe revenue, invoice list, Xero sync
- Settings — integration management, API keys, branding
- Full RBAC enforcement — every API endpoint checks permissions
Phase 5: Polish & Optimization (Ongoing)
- Add resource graphs (historical CPU/RAM/disk)
- Add notification preferences per user (email/Telegram for specific alerts)
- Add dark mode toggle (already dark theme, but add theme options)
- Mobile-responsive improvements
- Performance optimization (lazy load, paginate large tables, caching)
Architecture Notes for the Build Team
Current architecture:
- Static HTML pages served by Caddy (
ops.itpropartner.com) - All data from
ops-status.json(generated every 5 min by Python collector) - Vanilla JS fetches JSON and renders DOM
- Shared nav partial (
nav.html) injected viafetch() - Shared CSS (
ops.css) and JS (utils.js) - No backend API — purely static frontend reading JSON
Recommended evolution:
- Keep static frontend for Phase 1 (quick action buttons can call API endpoints)
- Add a lightweight backend (FastAPI or Node.js) for:
- Authentication/sessions
- Action endpoints (POST /api/restart-service, POST /api/trigger-backup, etc.)
- Audit logging middleware
- Role/permission checks
- Options for backend:
- FastAPI (Python) — matches existing ecosystem, easy to add SSH/cron exec
- Express/PocketBase — simple, built-in auth
- Remote game — use Caddy's
reverse_proxyto a backend running on port 8084
Data pipeline options for actions:
- Direct API call from backend (best for Hetzner, Cloudflare, Stripe — they have HTTP APIs)
- SSH execute (for systemctl on Core and remote servers)
- Hermes cron trigger (for backup jobs — trigger the cron script directly)
- Webhook (for 3rd party services that support incoming webhooks)