IT-Stack — Master TODO & Implementation Checklist

Project: `it-stack` | GitHub Org: `it-stack-dev`

Created: February 27, 2026
Status: Phases 0–7 Complete · ALL 120 Labs Scripted · Azure Testing: All Phases ✅ (118/118) · Ansible Integrations ✅ (INT-03–23) · Production Monitoring ✅ · Security CI ✅ · DR Tested ✅ · On-Call Policy ✅ · Thunderbird Integration: INT-24 ✅ · INT-25–29 In Progress

This is the living task list for implementing the IT-Stack project using the framework defined in PROJECT-FRAMEWORK-TEMPLATE.md.
Check items off as you complete them. Each section maps to a Phase or infrastructure domain.

Phase 0: Planning & Setup — ✅ Complete
Phase 1: GitHub Organization Bootstrap
Phase 2: Local Development Environment
Phase 3: Documentation Migration
Phase 4: Module Scaffolding — Phase 1 (Foundation)
Phase 5: Module Scaffolding — Phase 2 (Collaboration)
Phase 6: Module Scaffolding — Phase 3 (Back Office)
Phase 7: Module Scaffolding — Phase 4 (IT Management)
CI/CD & Automation Setup
Lab Testing Milestones
Integration Milestones
Production Readiness

Legend

Symbol	Meaning
`[ ]`	Not started
`[x]`	Complete
`[-]`	In progress
`[!]`	Blocked / needs decision
`[~]`	Optional / nice-to-have

Phase 0: Planning & Setup

Status: ✅ COMPLETE
GitHub org it-stack-dev created and empty. Documentation set complete (14 docs).

Define project name: it-stack
Create GitHub organization: it-stack-dev
Define 7 categories (identity, database, collaboration, communications, business, it-management, infrastructure)
List and number 20 modules (01–20)
Map all modules to categories
Define 4 deployment phases (Foundation → Collaboration → Back Office → IT Management)
Define 4 deployment tiers (lab → school → department → enterprise)
Complete documentation set assembled (~600 pages, 14 documents in C:\IT-Stack\docs\)
PROJECT-FRAMEWORK-TEMPLATE.md revised for IT-Stack

Phase 1: GitHub Organization Bootstrap

Status: ✅ COMPLETE — 26 repos · 5 projects · 39 labels · 4 milestones · 120 issues

1.1 Organization-Level `.github` Repository

Create repository: github.com/it-stack-dev/.github
Create profile/README.md — org homepage
Create CONTRIBUTING.md — contribution guidelines
Create CODE_OF_CONDUCT.md — Contributor Covenant
Create SECURITY.md — vulnerability reporting policy
Create workflows/ci.yml — reusable CI workflow
Create workflows/release.yml — reusable release workflow
Create workflows/security-scan.yml — Trivy security scanning
Create workflows/docker-build.yml — Docker image build & push to GHCR

1.2 Meta Repositories (6)

Create it-stack-docs — MkDocs site live at https://it-stack-dev.github.io/it-stack-docs/
- Initialize git in C:\IT-Stack\
- git remote add origin https://github.com/it-stack-dev/it-stack-docs.git
- Push main branch + GitHub Pages enabled
Create it-stack-installer — bootstrap & automation scripts
Create it-stack-testing — integration & e2e testing suite
Create it-stack-ansible — Full Ansible roles: all 21 services, 20 playbooks, group_vars+host_vars, full site.yml (161 files)
Create it-stack-terraform — Terraform modules (VM provisioning)
Create it-stack-helm — Helm charts for all services

1.3 GitHub Projects (5)

Create Project #6 — "Phase 1: Foundation" (Kanban + Table + Roadmap views)
Create Project #7 — "Phase 2: Collaboration"
Create Project #8 — "Phase 3: Back Office"
Create Project #9 — "Phase 4: IT Management"
Create Project #10 — "Master Dashboard" (all modules)

1.4 Organization-Level Labels

39 labels × 20+ repos — lab, module-01…20, phase-1…4, category tags, priority, status

1.5 Milestones

Create milestone: "Phase 1: Foundation" (target: Week 4)
Create milestone: "Phase 2: Collaboration" (target: Week 8)
Create milestone: "Phase 3: Back Office" (target: Week 14)
Create milestone: "Phase 4: IT Management" (target: Week 20)

Phase 2: Local Development Environment

Status: ✅ COMPLETE — C:\IT-Stack\it-stack-dev\ · 35 subdirs · all 6 meta repos cloned

Created C:\IT-Stack\it-stack-dev\ with 35 subdirectories
- repos\meta\, repos\01-identity\ through repos\07-infrastructure\
- workspaces\, deployments\, lab-environments\, configs\, scripts\, logs\
All 6 meta repos cloned into repos\meta\
claude.md — AI assistant context file
README.md — Dev environment quick start
configs\global\it-stack.yaml — Global config (all 8 servers, subdomains, ports, versions)
it-stack.code-workspace — VS Code multi-root workspace
[~] PowerShell profile aliases — optional, not yet done
Tools verified: Git · GitHub CLI · Docker Desktop

Phase 3: Documentation Migration

Status: ✅ COMPLETE — 21 docs total · 14 migrated · 7 category specs written · MkDocs site live · numbered structure committed

3.1 Create Standard Docs Folder Structure

docs/01-core/ — category specs
docs/02-implementation/ — deployment and integration guides
docs/03-labs/ — lab manuals (parts 1–5)
docs/04-github/ — org structure and setup guides
docs/05-guides/ — master index, AI instructions
docs/06-technical-reference/ — deep technical docs
docs/07-architecture/ — ADRs and diagrams

3.2 Migrate & Number Existing Documents

New Path	Source Document
`docs/05-guides/01-master-index.md`	`MASTER-INDEX.md`
`docs/05-guides/02-lab-manual-structure.md`	`LAB_MANUAL_STRUCTURE.md`
`docs/02-implementation/03-lab-deployment-plan.md`	`lab-deployment-plan.md`
`docs/02-implementation/04-lab-deployment-plan-v2.md`	`lab-deployment-plan(1).md`
`docs/06-technical-reference/05-stack-deployment.md`	`enterprise-it-stack-deployment.md`
`docs/02-implementation/06-stack-complete-v2.md`	`enterprise-stack-complete-v2.md`
`docs/03-labs/07-lab-manual-part1.md`	`enterprise-it-lab-manual.md`
`docs/03-labs/08-lab-manual-part2.md`	`enterprise-it-lab-manual-part2.md`
`docs/03-labs/09-lab-manual-part3.md`	`enterprise-it-lab-manual-part3.md`
`docs/03-labs/10-lab-manual-part4.md`	`enterprise-it-lab-manual-part4.md`
`docs/03-labs/11-lab-manual-part5.md`	`enterprise-lab-manual-part5.md`
`docs/02-implementation/12-integration-guide.md`	`integration-guide-complete.md`
`docs/04-github/13-github-guide.md`	`IT-STACK-GITHUB-GUIDE.md` (new)
`docs/05-guides/14-project-framework.md`	`PROJECT-FRAMEWORK-TEMPLATE.md`

All 14 documents migrated to numbered paths
MASTER-INDEX.md updated with new paths
docs/README.md created
[~] Front-matter on individual docs — optional, not yet added

3.3 Create Missing Category Spec Documents (7)

docs/01-core/01-identity.md — FreeIPA + Keycloak architecture
docs/01-core/02-database.md — PostgreSQL + Redis + Elasticsearch
docs/01-core/03-collaboration.md — Nextcloud + Mattermost + Jitsi
docs/01-core/04-communications.md — iRedMail + FreePBX + Zammad
docs/01-core/05-business.md — SuiteCRM + Odoo + OpenKM
docs/01-core/06-it-management.md — Taiga + Snipe-IT + GLPI
docs/01-core/07-infrastructure.md — Traefik + Zabbix + Graylog

Phase 4: Module Scaffolding — Deployment Phase 1 (Foundation)

Status: ✅ COMPLETE — 5 repos scaffolded · 30 issues filed · CI passing · Labs 01–05 real content done (25/120 labs)

it-stack-freeipa — Labs 01–03 + docker-compose.sso.yml + test-lab-01-04.sh (LDAP federation) + docker-compose.integration.yml + test-lab-01-05.sh (FreeIPA+KC+PG+Redis ecosystem) + CI ✅
it-stack-keycloak — Labs 01–03 + docker-compose.sso.yml + test-lab-02-04.sh (OIDC/SAML hub) + docker-compose.integration.yml + test-lab-02-05.sh (OpenLDAP federation+MailHog+multi-app) + CI ✅
it-stack-postgresql — Labs 01–03 + docker-compose.sso.yml + test-lab-03-04.sh (pgAdmin+oauth2-proxy) + docker-compose.integration.yml + test-lab-03-05.sh (PG multi-DB+Redis+KC+Traefik+Prometheus) + CI ✅
it-stack-redis — Labs 01–03 + docker-compose.sso.yml + test-lab-04-04.sh (redis-commander+oauth2-proxy) + docker-compose.integration.yml + test-lab-04-05.sh (cache+session+LRU+keyspace+KC+Traefik) + CI ✅
it-stack-traefik — Labs 01–03 + docker-compose.sso.yml + test-lab-18-04.sh (ForwardAuth) + docker-compose.integration.yml + test-lab-18-05.sh (ForwardAuth+KC+oauth2-proxy+Prometheus) + CI ✅

All 5 repos have:

Full directory structure, manifest YAML, Makefile, Dockerfile
6 Docker Compose files (standalone + lan + advanced + sso + integration + production real)
6 lab test scripts (Labs 01–06 all real and complete)
3 GitHub Actions workflows: ci.yml, release.yml, security.yml
lab-01 through lab-06-smoke CI jobs (all 5 modules)
CI/ShellCheck passing (all 5 green)

4.2 Lab Issues (30 total)

30 issues created (6 labs × 5 repos), all labeled and milestoned
All added to GitHub Project #6 (Phase 1: Foundation) and #10 (Master Dashboard)

4.3 Ansible (it-stack-ansible)

Phase 5: Module Scaffolding — Deployment Phase 2 (Collaboration)

Status: ✅ COMPLETE — All 6 labs done · 5 modules · 30 labs · Phase 2 COMPLETE 🎉

Phase 6: Module Scaffolding — Deployment Phase 3 (Back Office)

Status: ✅ COMPLETE — All 6 labs done · 4 modules · 24 labs · Phase 3 COMPLETE 🎉

Phase 7: Module Scaffolding — Deployment Phase 4 (IT Management)

Status: ✅ COMPLETE — All 6 labs done for all 6 modules · 36/36 labs · Phase 4 COMPLETE 🎉

CI/CD & Automation Setup

Status: ✅ WORKFLOWS COMPLETE — 3 workflows × 20 repos = 60 workflow files pushed and passing

Per-Repository CI/CD

.github/workflows/ci.yml — ShellCheck · Compose validate · Trivy config scan · Lab 01 smoke test
.github/workflows/release.yml — Docker build + GHCR push + GitHub Release on semver tags
.github/workflows/security.yml — Weekly Trivy filesystem + config scan, SARIF → GitHub Security tab
All Phase 1 repos: CI passing ✅ (3 rounds of debugging required — see session notes)

Automation Scripts (in `it-stack-installer`)

Azure Lab Testing

Track actual hardware validation of lab scripts on Azure VMs. These are distinct from lab script completion (all 120 done) — this tracks verifying scripts run correctly on target hardware.

Azure VM: `lab-single` (Phase 1 — Standard_D4s_v4, Ubuntu 24.04, Docker 29.3)

Module	Lab 01 (Azure)	Notes
01 · FreeIPA	[x] ✅	patched image (`it-stack-freeipa-patched:almalinux-9`), 390s install
02 · Keycloak	[x] ✅	HTTP 302, OIDC token, /health/ready
03 · PostgreSQL	[x] ✅	pg_isready, CRUD, multi-db
04 · Redis	[x] ✅	PING, SET/GET, LPUSH/LLEN, AOF
18 · Traefik	[x] ✅	file provider (Docker 29.x API incompatibility), /ping, dashboard, reverse proxy

Azure Phase 1 result: 18/18 PASS (2026-03-07, commit e3ddab0)

Azure VM Phase 2 — `lab-phase2.sh` ✅

Module	Result	Notes
06 · Nextcloud	[x] ✅	HTTP 200, WebDAV, OCS API
07 · Mattermost	[x] ✅	API ping, team/channel/post created
08 · Jitsi	[x] ✅	4-container stack, TLS/BOSH/config.js
09 · iRedMail	[x] ✅	SMTP:25, IMAP:143, webmail
11 · Zammad	[x] ✅	Rails server, ES index, API token

Azure Phase 2 result: 20/20 PASS (lab-phase2.sh)

Azure VM Phase 3 — `lab-phase3.sh` ✅

Module	Result	Notes
10 · FreePBX	[x] ✅	Admin HTTP, Asterisk CLI, dashboard content
12 · SuiteCRM	[x] ✅	Apache, login page, config.php, DB
13 · Odoo	[x] ✅	Web client, XML-RPC, database list
14 · OpenKM	[x] ✅	Tomcat :8080, REST API (port check via /proc/net/tcp)

Azure Phase 3 result: 20/20 PASS (2026-03-09, commit 7751fcc)

Azure VM SSO Integrations — `lab-sso-integrations.sh` ✅

Azure SSO result: 35/35 PASS (lab-sso-integrations.sh)

Azure VM Phase 4 — `lab-phase4.sh` ✅

Module	Result	Notes
05 · Elasticsearch	✅	single-node, xpack disabled, vm.max_map_count, index CRUD
15 · Taiga	✅	PostgreSQL + Django back API + nginx front, wait_http polling
16 · Snipe-IT	✅	MariaDB healthcheck, HTTP 200, branding
17 · GLPI	✅	MariaDB + wait_http (no Docker healthcheck in image)
19 · Zabbix	✅	PostgreSQL + web-nginx-pgsql, API jsonrpc v7.2.15
20 · Graylog	✅	MongoDB + ES 7.17, journal size 512mb, lbstatus ALIVE

Azure Phase 4 result: 25/25 PASS (2026-03-10, commit 22fac0f)

Key fixes: Taiga direct HTTP poll (Django migrations 8–10 min), Graylog journal size cap (GRAYLOG_MESSAGE_JOURNAL_MAX_SIZE=512mb) for disk-constrained labs, correct SHA256 hash for Graylog root password.

Lab Testing Milestones

Track lab completion status here as you work through the 6-lab progression for each module. Format: [x] = lab passed, [ ] = not started, [-] = in progress

Category 01: Identity & Authentication

Module	Lab 01	Lab 02	Lab 03	Lab 04	Lab 05	Lab 06
01 · FreeIPA	[x]	[x]	[x]	[x]	[x]	[x]
02 · Keycloak	[x]	[x]	[x]	[x]	[x]	[x]

Category 02: Database & Cache

Module	Lab 01	Lab 02	Lab 03	Lab 04	Lab 05	Lab 06
03 · PostgreSQL	[x]	[x]	[x]	[x]	[x]	[x]
04 · Redis	[x]	[x]	[x]	[x]	[x]	[x]
05 · Elasticsearch	[x]	[x]	[x]	[x]	[x]	[x]

Category 03: Collaboration

Module	Lab 01	Lab 02	Lab 03	Lab 04	Lab 05	Lab 06
06 · Nextcloud	[x]	[x]	[x]	[x]	[x]	[x]
07 · Mattermost	[x]	[x]	[x]	[x]	[x]	[x]
08 · Jitsi	[x]	[x]	[x]	[x]	[x]	[x]

Category 04: Communications

Module	Lab 01	Lab 02	Lab 03	Lab 04	Lab 05	Lab 06
09 · iRedMail	[x]	[x]	[x]	[x]	[x]	[x]
10 · FreePBX	[x]	[x]	[x]	[x]	[x]	[x]
11 · Zammad	[x]	[x]	[x]	[x]	[x]	[x]

Category 05: Business Systems

Module	Lab 01	Lab 02	Lab 03	Lab 04	Lab 05	Lab 06
12 · SuiteCRM	[x]	[x]	[x]	[x]	[x]	[x]
13 · Odoo	[x]	[x]	[x]	[x]	[x]	[x]
14 · OpenKM	[x]	[x]	[x]	[x]	[x]	[x]

Category 06: IT & Project Management

Module	Lab 01	Lab 02	Lab 03	Lab 04	Lab 05	Lab 06
15 · Taiga	[x]	[x]	[x]	[x]	[x]	[x]
16 · Snipe-IT	[x]	[x]	[x]	[x]	[x]	[x]
17 · GLPI	[x]	[x]	[x]	[x]	[x]	[x]

Category 07: Infrastructure

Module	Lab 01	Lab 02	Lab 03	Lab 04	Lab 05	Lab 06
18 · Traefik	[x]	[x]	[x]	[x]	[x]	[x]
19 · Zabbix	[x]	[x]	[x]	[x]	[x]	[x]
20 · Graylog	[x]	[x]	[x]	[x]	[x]	[x]

Lab Progress: 120/120 (100.0%) — Phase 1 complete (30/120) ✅ · Phase 2 complete (30/120) ✅ · Phase 3 COMPLETE (24/120) ✅🎉 · Phase 4 COMPLETE (36/120) ✅🎉 — ALL 120 LABS DONE!

Integration Milestones

From integration-guide-complete.md — cross-service integrations
GitHub Issues created via create-integration-issues.ps1 (Sprint 29) — checkboxes below track implementation status.

SSO Integrations (via Keycloak)

FreeIPA ↔ Keycloak LDAP Federation ← INT-01 DONE (Sprint 30: Ansible tasks + integration test)
Nextcloud ↔ Keycloak OIDC ← INT-02 DONE (Sprint 31: Ansible tasks + integration test)
Mattermost ↔ Keycloak OIDC ← INT-03 DONE (roles/mattermost/tasks/keycloak-oidc.yml, 172 lines; it-stack-ansible #1 closed)
SuiteCRM ↔ Keycloak SAML ← INT-04 DONE (roles/suitecrm/tasks/keycloak-saml.yml, 98 lines; it-stack-ansible #2 closed)
Odoo ↔ Keycloak OIDC ← INT-05 DONE (roles/odoo/tasks/keycloak-oidc.yml, 364 lines; it-stack-ansible #3 closed)
Zammad ↔ Keycloak OIDC ← INT-06 DONE (roles/zammad/tasks/keycloak-oidc.yml, 241 lines; it-stack-ansible #4 closed)
GLPI ↔ Keycloak SAML ← INT-07 DONE (roles/glpi/tasks/keycloak-saml.yml, 177 lines; it-stack-ansible #5 closed)
Taiga ↔ Keycloak OIDC ← INT-08 DONE (roles/taiga/tasks/keycloak-oidc.yml, 142 lines; it-stack-ansible #6 closed)

Business Workflow Integrations

Thunderbird Client Integration (INT-24–29)

Status: INT-24 DONE ✅ — docker-mailserver deployed on Azure VM (port 143/587, no SSL), 3 accounts created, Nextcloud Mail webmail enabled. Guide updated 2026-03-11 in docs/05-guides/23-thunderbird-integration.md

Production Readiness

Security Hardening

TLS on all services (via Traefik internal CA) ← playbooks/tls-setup.yml + make tls
All secrets managed via Ansible Vault (no plaintext credentials in repos)
Firewall rules documented and applied ← roles/common/tasks/firewall.yml + UFW per-host
SSH key-only authentication on all servers ← playbooks/harden.yml + vault_ssh_authorized_keys
FreeIPA Kerberos tickets for internal service auth ← DONE (roles/freeipa/tasks/kerberos-service-principals.yml, 109 lines: 12 principals, keytabs, krb5.conf.j2; it-stack-ansible #14 closed)
Regular security scan (Trivy) on all Docker images in CI ← DONE (.github/workflows/trivy.yml: 5-job pipeline — Gitleaks, ansible-lint, Trivy image scan all 20 images, Trivy FS scan; SARIF → GitHub Security; make scan/make scan-images; commit ef3de9a)

Monitoring & Alerting

Zabbix monitoring all 8-9 servers (CPU, RAM, disk, network) ← DONE (roles/zabbix/tasks/register-hosts.yml, 262 lines: auto-registers all 8 hosts via API, Linux template applied; it-stack-ansible #11 closed)
Zabbix service checks for all 20 services ← DONE (IT-Stack Service Checks template with 23 TCP port checks; created by register-hosts.yml)
Graylog collecting logs from all services (Syslog / Filebeat) ← DONE (roles/graylog/tasks/configure-inputs.yml, 195 lines: Syslog UDP :1514, GELF UDP :12201, GELF HTTP :12202 + 8 streams + rsyslog-graylog.conf.j2; it-stack-ansible #12 closed)
Alerting to Mattermost channel #ops-alerts ← INT-22/23 DONE (roles/zabbix/tasks/mattermost-alerts.yml 135 lines + roles/graylog/tasks/zabbix-alerts.yml 126 lines; it-stack-ansible #13 closed)
On-call escalation policy documented ← DONE (docs/05-guides/18-on-call-policy.md: P1–P4 severity levels, 15-min P1 response target, escalation path Mattermost→primary→secondary→manager, per-issue runbooks, RTO/RPO table, incident report template, maintenance window schedule)

Backup & Recovery

PostgreSQL automated daily backup (all 10+ databases) ← playbooks/backup.yml Play 1 + cron 02:00 UTC
Nextcloud file backup scheduled ← playbooks/backup.yml Play 2 + cron 03:00 UTC
Configuration backups (Ansible playbook: playbooks/backup.yml) ← Play 3 + optional GPG encrypt
Backup restoration tested (RPO/RTO documented) ← DONE (playbooks/test-restore.yml: pg_restore each DB to staging + object-count verify, Nextcloud rsync dry-run, config archive decrypt/list, RPO ≤24h / RTO targets table; make test-restore; commit ef3de9a)
Disaster recovery runbook written ← docs/05-guides/17-admin-runbook.md

Capacity Planning

Hardware/VM inventory documented ← docs/02-implementation/15-capacity-planning.md
Resource utilization baselines captured ← service RAM/CPU table in capacity-planning.md
Growth projections (user count × service resource needs) ← 50/100/200/500/1000-user tables
Scale-out plan per service documented ← scale-out plan table in capacity-planning.md

Documentation & Handover

All docs/ content pushed to it-stack-docs repo ← DONE (55/55 docs files verified tracked in git, confirmed 2026-03-10)
Runbooks for each service written or linked ← docs/05-guides/17-admin-runbook.md + docs/05-guides/18-on-call-policy.md
Network diagram (with IP addresses) in docs/07-architecture/
User onboarding guide (how to get SSO account, access each service) ← docs/05-guides/16-user-onboarding.md
Admin handover guide (passwords in vault, backup procedures) ← docs/05-guides/17-admin-runbook.md

Quick Reference: Module → Repo Mapping

#	Service	Repo	Category	Phase
01	FreeIPA	`it-stack-freeipa`	identity	1
02	Keycloak	`it-stack-keycloak`	identity	1
03	PostgreSQL	`it-stack-postgresql`	database	1
04	Redis	`it-stack-redis`	database	1
05	Elasticsearch	`it-stack-elasticsearch`	database	4
06	Nextcloud	`it-stack-nextcloud`	collaboration	2
07	Mattermost	`it-stack-mattermost`	collaboration	2
08	Jitsi	`it-stack-jitsi`	collaboration	2
09	iRedMail	`it-stack-iredmail`	communications	2
10	FreePBX	`it-stack-freepbx`	communications	3
11	Zammad	`it-stack-zammad`	communications	2
12	SuiteCRM	`it-stack-suitecrm`	business	3
13	Odoo	`it-stack-odoo`	business	3
14	OpenKM	`it-stack-openkm`	business	3
15	Taiga	`it-stack-taiga`	it-management	4
16	Snipe-IT	`it-stack-snipeit`	it-management	4
17	GLPI	`it-stack-glpi`	it-management	4
18	Traefik	`it-stack-traefik`	infrastructure	1
19	Zabbix	`it-stack-zabbix`	infrastructure	4
20	Graylog	`it-stack-graylog`	infrastructure	4

Direction Decision

Chosen path: Go deep on Phase 1 — complete Labs 01→06 for all 5 Phase 1 modules before writing Lab 01 for Phase 2.

Rationale:

Phase 2 services (Nextcloud, Mattermost) depend on Phase 1 (PostgreSQL, Keycloak) — Phase 1 must be solid first
Lab 04 for Phase 1 is the SSO integration test — proves Keycloak and FreeIPA are production-ready
Lab 06 for PostgreSQL proves the database tier that everything else builds on
Completing Labs 01–06 for 5 small/well-understood services proves the lab methodology before applying it to 15 more complex services

Sequence:

Sprint	Goal	Labs
~~Sprint 2~~	~~Phase 1 Lab 02 (external deps)~~	~~freeipa·keycloak·postgresql·redis·traefik Lab 02~~ ✅
~~Sprint 3~~	~~Phase 1 Lab 03 (advanced features)~~	~~freeipa·keycloak·postgresql·redis·traefik Lab 03~~ ✅
~~Sprint 4~~	~~Phase 1 Lab 04 (SSO integration)~~	~~freeipa·keycloak·postgresql·redis·traefik Lab 04~~ ✅
~~Sprint 5~~	~~Phase 1 Lab 05 (integrations)~~	~~All 5 Lab 05~~ ✅
~~Sprint 6~~	~~Phase 1 Lab 06 (production)~~	~~All 5 Lab 06 → Phase 1 complete~~ ✅
~~Sprint 7~~	~~Phase 2 Lab 01 (standalone)~~	~~nextcloud·mattermost·jitsi·iredmail·zammad Lab 01~~ ✅
~~Sprint 8~~	~~Phase 2 Lab 02 (external deps)~~	~~nextcloud·mattermost·jitsi·iredmail·zammad Lab 02~~ ✅
~~Sprint 9~~	~~Phase 2 Lab 03 (advanced features)~~	~~nextcloud·mattermost·jitsi·iredmail·zammad Lab 03~~ ✅
~~Sprint 10~~	~~Phase 2 Lab 04 (SSO integration)~~	~~nextcloud·mattermost·jitsi·iredmail·zammad Lab 04~~ ✅
~~Sprint 11~~	~~Phase 2 Lab 05 (integrations)~~	~~nextcloud·mattermost·jitsi·iredmail·zammad Lab 05~~ ✅
~~Sprint 12~~	~~Phase 2 Lab 06 (production deployment)~~	~~nextcloud·mattermost·jitsi·iredmail·zammad Lab 06~~ ✅ · Phase 2 COMPLETE 🎉
Sprint 13 ✅	Phase 3 Lab 01 (standalone)	freepbx·suitecrm·odoo·openkm Lab 01 done
Sprint 15 ✅	Phase 3 Lab 03 (advanced features)	freepbx·suitecrm·odoo·openkm Lab 03 done
Sprint 16 ✅	Phase 3 Lab 04 (SSO integration)	freepbx·suitecrm·odoo·openkm Lab 04 done
Sprint 17 ✅	Phase 3 Lab 05 (advanced integration)	freepbx·suitecrm·odoo·openkm Lab 05 done
Sprint 18 ✅	Phase 3 Lab 06 (production deployment)	freepbx·suitecrm·odoo·openkm Lab 06 done — Phase 3 COMPLETE 🎉
Sprint 19 ✅	Phase 4 Lab 01 (standalone)	taiga·snipeit·glpi·elasticsearch·zabbix·graylog Lab 01 done
Sprint 20 ✅	Phase 4 Lab 02 (external deps)	taiga·snipeit·glpi·elasticsearch·zabbix·graylog Lab 02 done
Sprint 21 ✅	Phase 4 Lab 03 (advanced features)	taiga·snipeit·glpi·elasticsearch·zabbix·graylog Lab 03 done
Sprint 22 ✅	Phase 4 Lab 04 (SSO integration)	taiga·snipeit·glpi·elasticsearch·zabbix·graylog Lab 04 done
Sprint 23 ✅	Phase 4 Lab 05 (advanced integration)	taiga·snipeit·glpi·elasticsearch·zabbix·graylog Lab 05 done
Sprint 24 ✅	Phase 4 Lab 06 (production deployment)	taiga·snipeit·glpi·elasticsearch·zabbix·graylog Lab 06 done — PHASE 4 COMPLETE 🎉
Sprint 14 ✅	Phase 3 Lab 02 (external deps)	freepbx·suitecrm·odoo·openkm Lab 02 done

Phase 5: Kubernetes / Helm Production Deployment

Goal: Migrate the full IT-Stack from Docker Compose to production-grade Kubernetes,
enabling HA, auto-scaling, rolling updates, and GitOps for the 8-server topology.

Infrastructure Layer

it-stack-helm repo — initialize chart structure (umbrella chart + 20 sub-charts)
k3s single-node install playbook (playbooks/k3s-single.yml)
k3s multi-node HA install playbook (playbooks/k3s-ha.yml — 3 control-plane nodes)
StorageClass definitions (local-path for labs, Longhorn for production)
MetalLB load-balancer config (IP pool 10.0.50.100–.150)
cert-manager install + ClusterIssuer (Let's Encrypt + internal CA)
Traefik CRD IngressRoute replacing standalone Traefik container

Identity Layer

Helm chart: FreeIPA StatefulSet + PVC (LDAP + Kerberos data)
Helm chart: Keycloak (Bitnami chart override, externalDatabase PostgreSQL)
NetworkPolicy: FreeIPA ↔ Keycloak LDAP federation (TCP 389/636)

Database Layer

Helm chart: PostgreSQL cluster (Bitnami HA, 1 primary + 2 replicas)
Helm chart: Redis Sentinel (3-node sentinel + 1 primary + 2 replicas)
Helm chart: Elasticsearch (2-node cluster, 512 MB heap each)
PersistentVolumeClaims: 50 GB PostgreSQL, 20 GB Redis AOF, 100 GB Elasticsearch

Collaboration Layer

Helm chart: Nextcloud (Apache, externalDatabase, externalRedis, PVC 200 GB)
Helm chart: Mattermost (externalDB, externalRedis, file store via Nextcloud S3)
Helm chart: Jitsi (videoBridge DaemonSet + web Deployment, UDP hostPort 10000)

Communications Layer

Helm chart: iRedMail (StatefulSet, hostNetwork for SMTP/IMAP port binding)
Helm chart: Zammad (6-container set: pg, es, redis, init, rails, nginx)
Helm chart: FreePBX (StatefulSet, hostNetwork for SIP/RTP port binding)

Business Layer

Helm chart: SuiteCRM (Apache + PVC for uploads)
Helm chart: Odoo (+ workers Deployment, externalDB)
Helm chart: OpenKM (Tomcat StatefulSet + PVC)

IT Management Layer

Helm chart: Taiga (back + front + celery + rabbitmq, externalDB)
Helm chart: Snipe-IT (Apache + externalDB MariaDB or PG)
Helm chart: GLPI (Apache + externalDB)
Helm chart: Zabbix (server + web, externalDB PG)
Helm chart: Graylog (+ MongoDB StatefulSet)

Operations

HorizontalPodAutoscaler for: Keycloak web, Mattermost, Jitsi web, Taiga-back
PodDisruptionBudgets for all StatefulSets
ArgoCD install + ApplicationSet for all 20 modules
Kubernetes-native secret management (Sealed Secrets or External Secrets Operator)
Helm umbrella chart it-stack — deploy full stack in one command
make k8s-install / make k8s-destroy convenience targets
GitHub Actions: helm lint + helm template + kubeval in CI for all charts

Phase: Cloud Lab Deployment (Azure Single-VM — March 2026)

This phase tracks the manual Docker-based deployment on a single Azure VM (lab-single, rg-it-stack-phase1).
Unlike previous phases which ran automated lab scripts, this was a live, hands-on provisioning session.

Azure Infrastructure

Azure VM provisioned: lab-single, Standard_D4s_v4 (4 vCPU / 16 GB RAM), West US 2
Static public IP assigned: 4.154.17.25
NSG rules opened: ports 8080, 8180, 8265, 8280, 8302–8305, 8307, 8880, 9001, 9002, 25, 143, 587
Private DNS zone: lab.it-stack.local
Auto-shutdown configured: 22:00 UTC daily (Azure DevTest Labs policy)
Expand OS disk from 30 GB → 64 GB (blocked by quota — pending resize via Azure Portal)
Delete 2 idle static IPs: vnet-westus2-IPv4, workspace-1-vnet-IPv4 (saves ~$7.44/month)
Bastion workspace-1-vnet-bastion deleted (was billing ~$140/month idle)
Bastion rg-stack-test1 deletion confirm (delete queued with --no-wait)

Services Deployed

Disk Management

Removed mailhog/mailhog:latest (freed 572 MB) — replaced by docker-mailserver
Removed elasticsearch:8.17.3 (freed 2 GB) — was orphaned (Graylog uses bundled ES)
Run docker image prune -f after Zammad deployment to recover additional space
Expand OS disk: Azure Portal → lab-single_OsDisk → Size + performance → 64 GB, then sudo growpart /dev/sda 1 && sudo resize2fs /dev/root

Post-Deployment Configuration

Documentation Updates (this session)

docs/05-guides/18-azure-lab-deployment.md — Added "Current Live Deployment (March 2026)" section with full service table, compose commands, fix procedures, cost summary
docs/07-architecture/network-topology.md — Added "Cloud Single-VM Topology" section with container diagram, port map table, and limitations comparison
README.md — Added Cloud Lab Deployment callout section; updated Project Status table with Cloud row; updated Getting Started
CHANGELOG.md — Added [2.1.0] — 2026-03-12 entry documenting all cloud lab work
docs/05-guides/22-gui-walkthrough.md — Updated entire document to reflect live services: corrected Service Directory table (real credentials, ✅ active vs ⏳ pending split), fixed NSG/SSH-tunnel commands to active ports only, added ✅ Already Running callout to each deployed module, added ⏳ Not yet deployed notice to Zammad and FreeIPA, removed stale MailHog reference
docs/05-guides/01-master-index.md — Added Path 0 (Cloud Lab live environment), updated Documentation Versioning to v2.1
docs/05-guides/17-admin-runbook.md — Added Deployment Context table (Cloud Lab vs On-Prem), added Cloud Lab VM operations section with health check and user management procedures
docs/05-guides/21-production-troubleshooting.md — Added deployment context note clarifying single-VM vs multi-server command differences

Document Version: 2.7
Project: IT-Stack | Org: it-stack-dev
Last Updated: 2026-03-12 — Added Phase: Cloud Lab Deployment (Azure Single-VM). 12/13 services live. Zammad pending disk expansion. Documentation updated to reflect live environment.

FilesExpand file tree

IT-STACK-TODO.md

Latest commit

History