Files
hermes-recovery/references/ops-portal-recommendations.md
T

550 lines
23 KiB
Markdown

# IT Pro Partner — Ops Portal Recommendations
> Generated: 2026-07-09
> Based on audit of current portal at `/var/www/ops/` and ops-status.json collection pipeline
---
## Table of Contents
1. [Current State Summary](#1-current-state-summary)
2. [Recommended Pages (New & Improved)](#2-recommended-pages)
3. [Actions Per Page — What Users Should Be Able to Do](#3-actions-per-page)
4. [Integrations Roadmap](#4-integrations-roadmap)
5. [Data Already Flowing](#5-data-already-flowing)
6. [RBAC Recommendations](#6-rbac-recommendations)
7. [Implementation Priorities](#7-implementation-priorities)
---
## 1. Current State Summary
### Existing Pages (all read-only, no action buttons)
| Page | URL | Status | What It Shows |
|------|-----|--------|---------------|
| Dashboard | `/` | ✅ Live | Health bar, cron jobs, services, S3 backups, API health, server inventory, versions |
| Servers | `/servers.html` | ✅ Live | netcup detail + Hetzner table (sortable), quick specs |
| Backups | `/backups.html` | ✅ Live | S3 bucket status grid, backup schedules, Wasabi info, manual actions (text only) |
| Network | `/network.html` | ✅ Live | DNS/Cloudflare zones, MikroTik (placeholder), Ubiquiti (placeholder) |
| Services | `/services.html` | ✅ Live | Systemd service status grid, API health, SyncroMSP integration summary |
| Cron Jobs | `/cron.html` | ✅ Live | Metrics overview, searchable job table with script viewer |
| Logs & Events | `/logs.html` | ✅ Live | API timeline, service events, cron errors, failure summary with filters |
| Config | `/config.html` | ✅ Live | Versions, config file viewer (Caddyfile, Hermes YAML), environment |
| Template | `/template.html` | ✅ Minimal | Empty page with nav injection |
### Key Gaps Identified
- **No action/control buttons anywhere** — everything is read-only
- **No customer management** — no client list, activations, lifecycle
- **No billing/finance** — Stripe, Xero, invoices, payments
- **No user/RBAC management** — no login, no roles
- **No audit log** — no record of who did what
- **No settings/integrations page** — API keys, integrations, branding
- **MikroTik routers** — placeholder only
- **Ubiquiti/UISP** — placeholder only
- **No backup restore buttons**
- **No service start/stop/restart**
- **No provisioning actions** — no way to spin up a server or create a customer
- **No DNS management actions** — cannot add/remove records
- **No support ticket creation**
---
## 2. Recommended Pages
### 2.1 Dashboard (Improve Existing)
**Current:** Health bar, cron jobs, S3 backups, API health, server inventory, versions.
**Improvements:**
- Add **role-aware widgets** — show different cards depending on who's logged in
- Add **quick-action toolbar** — "Provision new server", "New customer", "Create ticket"
- Add **alert/incident summary** — current failures, threshold breaches
- Add **recent activity feed** — last 10 actions taken in the portal
- Add **revenue/ billing snapshot** for owner role
- Add **weather/network status** at a glance
- Add **pinned services** — most-watched services at top
### 2.2 Server Management (Improve Existing)
**Current:** netcup detail, Hetzner table with sorting, quick specs.
**Improvements:**
- Add **provisioning actions** per server:
- Restart server (soft reboot via Hetzner API)
- Power on/off
- Create snapshot
- Open SSH console (WebSSH / terminal-in-browser)
- View resource graphs (CPU, RAM, disk over time)
- Add **threshold alerts per server** — show warning if disk/mem/CPU exceeds thresholds
- Add **server tags/groups** — tag servers by role (web, db, ai, monitoring)
- Add **migration status** — track Hetzner→netcup migration progress per server
- Show **backup status per server** (last Hetzner snapshot date)
- Show **Hudu link** for each server's documentation page
- Add **network interface stats** — bandwidth per interface
### 2.3 Customer Management (NEW)
**Purpose:** One place to see all ITPP customers and their lifecycle.
**Data sources:** SyncroMSP, Stripe, Hudu, DRE CRM
**Display:**
- Customer list/search table with: name, email, phone, plan/service tier, status (active/pending/suspended), billing status, last ticket date
- Customer detail page with:
- Contact info
- Active services/subscriptions
- Ticket history (from SyncroMSP)
- Billing history (from Stripe)
- Device inventory (from SyncroMSP)
- Notes / tags
- Linked documentation (Hudu link)
**Actions:**
- Create new customer
- Suspend/reactivate customer
- Assign service tier
- Create ticket on behalf of customer
- View full billing history
- Link to SyncroMSP, Hudu, Stripe
### 2.4 Network (Improve Existing)
**Current:** Cloudflare zones + placeholders for MikroTik and Ubiquiti.
**Improvements:**
**A) MikroTik Routers (unlock placeholder):**
- Router list with: hostname, model, RouterOS version, uptime, CPU/load, memory, interfaces
- Interface table: name, status (up/down), traffic (tx/rx), errors
- Connected clients / DHCP leases
- Firewall rules overview (count, active)
- Backup status (link to MikroTik backup on Wasabi)
**Actions:**
- Reboot router
- Run configuration backup
- View interface traffic graphs
- Enable/disable interface
- View log tail
**B) Ubiquiti / UISP (unlock placeholder):**
- UISP device list: towers, access points, CPEs
- Client counts per tower
- Bandwidth utilization graphs
- Device health (online/offline, signal strength)
- UniFi controller status, access point health
**Actions:**
- Provision new CPE
- Block/stick client
- View real-time RF metrics
- Trigger site survey
**C) DNS & Domains (add actions):**
Currently 13 Cloudflare zones already tracked:
boxpilotlogistics.com, broadbandtx.com, debtrecoveryexperts.com, fleettracker360.com, forefrontisp.com, germainebrown.com, iamgmb.com, itpropartner.com, katiewattsdesign.com, localisp.com, texasinternetaccess.com, vigilanttac.com, voipsimplicity.com
**Actions to add:**
- Add/edit/delete DNS records (A, CNAME, MX, TXT, etc.)
- Enable/disable proxy (Cloudflare orange cloud)
- View DNS record count per zone
- Trigger Cloudflare cache purge
- Show SSL/TLS status per domain
- Domain expiry dates (if registrar API connected)
### 2.5 Backups (Improve Existing)
**Current:** S3 bucket status grid, schedules, Wasabi info, text-only manual actions.
**Improvements:**
- Add **one-click restore** button per bucket (list snapshots, pick restore point)
- Add **trigger backup now** button per bucket
- Show **backup size** per bucket (not just status)
- Add **restore logs** — history of recent restores
- Add **backup retention policy** display (how long each bucket keeps data)
- Add **integrity check results** — last verification timestamp and status
- Add **restore to staging** — restore to a temp directory for verification
**Actions:**
- **Trigger backup** → runs the relevant cron script immediately
- **Restore from backup** → pick a date/snapshot and restore
- **Verify integrity** → run checksum verification
- **Download archive** link to Wasabi console URL
- **Set retention policy** input
### 2.6 Services (Improve Existing)
**Current:** Systemd service grid, API health cards, SyncroMSP summary.
**Improvements:**
- Add **start / stop / restart** buttons per service
- Show **service logs** (journalctl tail)
- Show **resource usage** per service (memory, CPU, uptime)
- Add **dependencies** — what depends on this service being up
- Add **enable/disable at boot** toggle
- Add **service health history** — uptime %, last restart reason
**Actions:**
- Start service
- Stop service
- Restart service
- View live logs (journalctl -u)
- Enable/disable at boot
- Reload configuration (for services that support it)
### 2.7 Billing & Finance (NEW)
**Purpose:** Business owner's view of revenue, invoices, and accounting sync.
**Data sources:** Stripe, Xero
**Display:**
- **Revenue overview** — MTD, YTD, monthly breakdown (chart)
- **Pending invoices** — outstanding, overdue
- **Payment history** — recent transactions
- **Customer billing summary** — per customer: plan, last payment, balance
- **Subscription health** — active, past-due, canceled counts
- **Accounting sync status** — last Xero sync, any errors
**Actions:**
- View invoice detail
- Send invoice reminder
- Mark invoice as paid (manual override)
- Sync with Stripe
- Sync with Xero
- Export billing report (CSV)
### 2.8 DNS & Domains (NEW dedicated page — or merge into Network)
If kept as separate page:
- All Cloudflare zones with DNS record counts
- Domain registrar details (expiry, auto-renew)
- Quick-add DNS record form
- SSL/TLS settings per domain
- Page Rules / redirect rules
### 2.9 Users & RBAC (NEW)
**Purpose:** Who can access the portal and what they can see/do.
**Display:**
- User list table: name, email, role, last login, status (active/disabled)
- Role/permission matrix view
- Audit log of user actions
**Actions:**
- Create user
- Edit user role
- Disable/delete user
- View user activity log
- Reset password / send invite
### 2.10 Audit Log (NEW)
**Purpose:** Record every action taken in the portal.
**Display:**
- Searchable, filterable timeline of events
- Columns: timestamp, user, action, resource, details, IP
- Exportable to CSV
**Data captures:**
- Who restarted a service
- Who triggered a backup
- Who created a customer
- Who changed a DNS record
- Login/logout events
- Failed permission attempts
### 2.11 Settings (NEW)
**Purpose:** Configure the portal itself and connected integrations.
**Sections:**
- **Integrations** — enable/disable and configure API keys for:
- SyncroMSP
- Cloudflare
- Hetzner
- Stripe
- Xero
- Wasabi
- UniFi
- UISP
- MikroTik
- Hudu
- RingLogix
- RunCloud
- **API Keys** — generate/manage API keys for programmatic portal access
- **Branding** — logo, company name, colors, support phone/email
- **Notifications** — configure alert email/Telegram destinations
- **Backup retention** — set retention policies per bucket
- **Data retention** — how long to keep logs, audit trail, events
### 2.12 Support Tickets (NEW)
**Purpose:** ITPP internal support ticket management.
**Data source:** SyncroMSP
**Display:**
- Ticket queue: ID, customer, subject, status, priority, assignee, last update
- Ticket detail: full conversation, attachments, time tracking
- Ticket metrics: open/closed counts, average response time
**Actions:**
- Create ticket
- Assign ticket
- Update status
- Add note/internal note
- Close/resolve ticket
- Link to customer profile
### 2.13 DRE Claims Dashboard (NEW or link to internal DRE portal)
The DRE portal already exists at `internal.debtrecoveryexperts.com`. On the Ops portal, add a **widget/card** on the dashboard showing:
- Pending approvals count
- Recent claims
- Inbox message count (from dre-mail-poller)
- Link through to the full DRE portal
---
## 3. Actions Per Page
| Page | Read-Only Information | Actions Available |
|------|----------------------|-------------------|
| **Dashboard** | Health summary, recent failures, quick stats | Quick action toolbar, drill into alerts |
| **Servers** | Server specs, status, IP, provider, type | **Restart**, power on/off, create snapshot, WebSSH, view resource graphs |
| **Customers** | Contact info, services, tickets, bills | **Create**, suspend, reactivate, create ticket, view billing |
| **Network** | Router status, interfaces, clients, DNS zones, device health | **Reboot router**, run backup, add DNS record, purge cache, enable/disable interface |
| **Backups** | Bucket status, last upload, age, schedule | **Trigger backup**, **restore from snapshot**, verify integrity, set retention |
| **Services** | Systemd status, API health, SyncroMSP stats | **Start / stop / restart**, view logs, enable/disable boot |
| **Billing** | Revenue, invoices, payments, subscriptions | Sync Stripe, sync Xero, send invoice reminder, export CSV |
| **DNS** | Zone list, record count, SSL status | **Add/Edit/Delete record**, toggle proxy, purge cache |
| **Users/RBAC** | User list, roles, last login | **Create user**, edit role, disable, view audit log |
| **Audit Log** | Full action timeline with user, action, resource | Search, filter, export |
| **Settings** | Integration status, versions, env | **Add/rotate API keys**, enable/disable integrations, set branding |
| **Support Tickets** | Queue, details, metrics | **Create**, assign, update status, add note, resolve |
| **DRE** | Pending approvals, claims, inbox count | Link to full DRE portal |
---
## 4. Integrations Roadmap
### Already Connected & Working
| Integration | Status | Data Flow | Page(s) Using It |
|-------------|--------|-----------|------------------|
| **SyncroMSP** | ✅ Live | 26 customers, tickets, devices via API | Dashboard, Services |
| **Cloudflare** | ✅ Live | 13 zones, DNS record status via API | Network, Dashboard |
| **Hetzner** | ✅ Live | 10 servers, status, type, IP via API | Servers, Dashboard |
| **netcup** | ✅ Live | Server detail (template, IP, id) via API/config | Servers |
| **Wasabi** | ✅ Live | 6 backup buckets, last upload, age via AWS CLI | Backups, Dashboard |
| **Admin-AI** | ✅ Live | API health check | Dashboard, Services |
### In Progress — API Keys Saved, Need Portal UI
| Integration | Status | What to Build |
|-------------|--------|---------------|
| **UniFi** | 🔶 Saved | Add UniFi client count, access point health, client list to Network page |
| **UISP (UNMS)** | 🔶 Saved | Add tower/CPE status, bandwidth to Network page |
### Planned — Need Connection & UI
| Integration | Priority | What to Build |
|-------------|----------|---------------|
| **Stripe** | 🔴 High | Billing page: invoice list, revenue, subscription management |
| **Xero** | 🔴 High | Billing page: accounting sync, P&L snapshot |
| **MikroTik** | 🟡 Medium | Network page: RouterOS API for interface stats, DHCP, firewall |
| **RingLogix** | 🟡 Medium | VoIP status, call metrics, DID inventory, phone management |
| **Hudu** | 🟡 Medium | Link servers/customers to documentation, inline wiki viewer |
| **RunCloud** | 🟢 Low | WordPress server management, site health, SSL |
### Future / Nice-to-Have
| Integration | Use Case |
|-------------|----------|
| **Porkbun / Namecheap** | Domain registration details, expiry dates, auto-renew |
| **GitHub** | Deploy status, latest commits, CI pipeline status |
| **Grafana** | Embed resource graphs, historical metrics |
| **Uptime Kuma / Better Uptime** | External monitoring status, incident history |
| **OpenAI / AI credits** | Usage tracking (Firecrawl already done, can add AI model usage) |
---
## 5. Data Already Flowing
The ops-data-collector (Python, runs every 5 min) already collects:
```json
{
"timestamp": "ISO-8601",
"collection_duration_ms": 10363,
"overall": {
"total_jobs": 21,
"passing": 19,
"failing": 2,
"disk_used_pct": 6,
"memory_used_pct": 41
},
"cron_jobs": [ /* 21 jobs with name, schedule, lastRun, status, script */ ],
"services": { /* 8 systemd services: active/inactive */ },
"disk_memory": { "disk_used_pct", "memory_used_pct" },
"s3_backups": { /* 6 buckets: status, last_upload, age_hours */ },
"api_checks": { /* admin-ai, caddy-config, port checks, cloudflare */ },
"cloudflare_zones": [ /* 13 zone names + status */ ],
"versions": { /* hermes, caddy, python, os */ },
"routers": [ /* currently empty placeholder */ ],
"netcup_server": { /* id, template, ip */ },
"hetzner_servers": [ /* 10 servers with name, status, type, ip, id */ ],
"syncromsp": { /* customers: 26, tickets, devices, customer_list */ }
}
```
**What the collector CANNOT currently collect:**
- MikroTik RouterOS data (API key needed + collect every 1-5 min)
- Ubiquiti/UISP data (API key saved, but collector not extended yet)
- Stripe billing data (no API key in collector)
- Xero accounting data (no API key in collector)
- Per-server resource usage beyond disk/memory (needs SSH or agent)
- Historical metrics (needs time-series DB like Prometheus or simple log file)
---
## 6. RBAC Recommendations
### 6.1 Roles
| Role | Description |
|------|-------------|
| **Owner** | Full access — see everything, do everything. Germaine. |
| **Admin** | Full access minus billing configuration and system settings. Tony. |
| **Tech / Support** | Servers, services, network, logs, tickets, customers (read). No billing, provisioning, settings. |
| **Sales / Onboarding** | Customer activation flow, order forms, provisioning status. No server internals, no billing. |
| **Viewer / Auditor** | Read-only across limited scope. No actions, no billing, no settings. |
| **DRE Agent** | DRE-specific pages only — claims, inbox, pending approvals. No infrastructure. Anita. |
### 6.2 Page Access Matrix
| Page / Feature | Owner | Admin | Tech/Support | Sales/Onboarding | Viewer | DRE Agent |
|----------------|-------|-------|-------------|-----------------|--------|-----------|
| Dashboard (full) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Dashboard (tech view) | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Dashboard (sales view) | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Dashboard (DRE view) | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Servers — view | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Servers — restart/power | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Servers — snapshot/provision | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Customers — view | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Customers — create/edit/suspend | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| Customers — billing detail | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Network — view | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Network — reboot router/interface | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Network — DNS edit | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Backups — view | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Backups — trigger/restore | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Services — view | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
| Services — start/stop/restart | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Billing — view | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Billing — modify/sync | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Users/RBAC — manage | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Users/RBAC — view | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Audit Log — view | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Settings — all | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Settings — notification prefs | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Tickets — view all | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Tickets — create/assign | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| DRE Claims | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Provisioning (new servers/customers) | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
### 6.3 Person-to-Role Mapping
| Person | Role | Notes |
|--------|------|-------|
| **Germaine** (email@redacted) | **Owner** | Sees everything, can do everything. Needs billing, provisioning, and audit. |
| **Tony** (email@redacted) | **Admin** | Full access minus billing config and user management. Handles server operations, backups, customer management. |
| **Anita** | **DRE Agent** | DRE-focused view. Claims, pending approvals, inbox. No infrastructure. |
| **Future Tech Hire** | **Tech/Support** | Servers, services, network, tickets. No billing, provisioning, settings. |
| **Future Sales Hire** | **Sales/Onboarding** | Customer activation, provisioning status, order forms. No server internals. |
| **Future Auditor** | **Viewer** | Read-only, limited scope. Good for compliance or investor review. |
### 6.4 RBAC Implementation Notes
- **Start simple** — use JWT or session tokens with role stored in the token
- **No auth initially** — phase 1: keep open but label sections as "Owner Only" / "Tech Only"
- **Phase 2**: add login with email/password or OAuth (Google/GitHub)
- **Phase 3**: full RBAC enforcement at API/backend level
- Consider using **Hudu's SSO** or **SyncroMSP's user model** as identity source to avoid yet another password
- Store role assignments in a simple JSON config file or small SQLite DB
---
## 7. Implementation Priorities
### Phase 1: Add Actions to Existing Pages (Weeks 1-3)
1. **Backups** — add "Trigger Backup" and "Restore" buttons (calls existing scripts via SSH)
2. **Services** — add Start/Stop/Restart buttons (calls systemctl over SSH)
3. **Servers** — add Reboot + Snapshot buttons (calls Hetzner API)
4. **Network** — add DNS record management (calls Cloudflare API)
### Phase 2: Unlock Placeholders (Weeks 3-5)
5. **MikroTik** — RouterOS API integration, live interface/uptime/leases data
6. **Ubiquiti/UISP** — Connect API, show tower status and client counts
7. **Dashboard improvements** — alert summary, recent activity, quick actions
### Phase 3: New Pages — Foundation (Weeks 5-8)
8. **Customer Management** — list/search/create customers, linked to SyncroMSP
9. **Audit Log** — capture and display every action
10. **Support Tickets** — SyncroMSP ticket queue integration
11. **DRE Dashboard widget** — pending approvals, inbox count
### Phase 4: New Pages — Business & Admin (Weeks 8-12)
12. **Users & RBAC** — login, role assignment, permission enforcement
13. **Billing & Finance** — Stripe revenue, invoice list, Xero sync
14. **Settings** — integration management, API keys, branding
15. **Full RBAC enforcement** — every API endpoint checks permissions
### Phase 5: Polish & Optimization (Ongoing)
16. Add resource graphs (historical CPU/RAM/disk)
17. Add notification preferences per user (email/Telegram for specific alerts)
18. Add dark mode toggle (already dark theme, but add theme options)
19. Mobile-responsive improvements
20. Performance optimization (lazy load, paginate large tables, caching)
---
## Architecture Notes for the Build Team
**Current architecture:**
- Static HTML pages served by Caddy (`ops.itpropartner.com`)
- All data from `ops-status.json` (generated every 5 min by Python collector)
- Vanilla JS fetches JSON and renders DOM
- Shared nav partial (`nav.html`) injected via `fetch()`
- Shared CSS (`ops.css`) and JS (`utils.js`)
- **No backend API** — purely static frontend reading JSON
**Recommended evolution:**
1. Keep static frontend for Phase 1 (quick action buttons can call API endpoints)
2. Add a lightweight backend (FastAPI or Node.js) for:
- Authentication/sessions
- Action endpoints (POST /api/restart-service, POST /api/trigger-backup, etc.)
- Audit logging middleware
- Role/permission checks
3. Options for backend:
- **FastAPI** (Python) — matches existing ecosystem, easy to add SSH/cron exec
- **Express/PocketBase** — simple, built-in auth
- **Remote game** — use Caddy's `reverse_proxy` to a backend running on port 8084
**Data pipeline options for actions:**
- **Direct API call** from backend (best for Hetzner, Cloudflare, Stripe — they have HTTP APIs)
- **SSH execute** (for systemctl on Core and remote servers)
- **Hermes cron trigger** (for backup jobs — trigger the cron script directly)
- **Webhook** (for 3rd party services that support incoming webhooks)