Complete Enterprise IT Stack Deployment
Version 2.0 - With Back Office Suite Integration
Comprehensive Open-Source Business Infrastructure
Document Overview
Version: 2.0
Date: February 2026
Purpose: Complete enterprise infrastructure deployment guide
Scope: Identity → Collaboration → Communications → Business Operations
Target: 50-500+ users
Deployment: 8 servers, full enterprise integration
Table of Contents
- Architecture Overview
- Server Infrastructure
- Network Architecture
- Service Catalog
- Core Infrastructure
- Collaboration Suite
- Communication Systems
- Back Office Suite
- Integration Architecture
- Deployment Sequence
- Testing & Validation
- Operations & Maintenance
Architecture Overview
Complete Technology Stack
┌─────────────────────────────────────────────────────────────────┐
│ COMPLETE ENTERPRISE STACK │
├─────────────────────────────────────────────────────────────────┤
│ │
│ LAYER 1: IDENTITY & SECURITY │
│ ┌────────────┬──────────────┬─────────────────┐ │
│ │ FreeIPA │ Keycloak │ Certificate │ │
│ │ (LDAP/ │ (SSO/OAuth/ │ Authority │ │
│ │ Kerberos) │ SAML) │ (PKI) │ │
│ └────────────┴──────────────┴─────────────────┘ │
│ │
│ LAYER 2: DATA & CACHE │
│ ┌────────────┬──────────────┬─────────────────┐ │
│ │ PostgreSQL │ Redis │ Elasticsearch │ │
│ │ (Primary │ (Cache/ │ (Search/ │ │
│ │ Database) │ Session) │ Analytics) │ │
│ └────────────┴──────────────┴─────────────────┘ │
│ │
│ LAYER 3: COLLABORATION │
│ ┌────────────┬──────────────┬─────────────────┐ │
│ │ Nextcloud │ Mattermost │ Jitsi Meet │ │
│ │ (Files/ │ (Team │ (Video │ │
│ │ Calendar) │ Chat) │ Conference) │ │
│ └────────────┴──────────────┴─────────────────┘ │
│ │
│ LAYER 4: COMMUNICATIONS │
│ ┌────────────┬──────────────┬─────────────────┐ │
│ │ iRedMail │ FreePBX │ Zammad │ │
│ │ (Email │ (VoIP/PBX │ (Help Desk/ │ │
│ │ Server) │ System) │ Support) │ │
│ └────────────┴──────────────┴─────────────────┘ │
│ │
│ LAYER 5: BUSINESS OPERATIONS │
│ ┌────────────┬──────────────┬─────────────────┐ │
│ │ SuiteCRM │ Odoo ERP │ OpenKM (DMS) │ │
│ │ (Customer │ (Business │ (Document │ │
│ │ Relations)│ Management)│ Management) │ │
│ └────────────┴──────────────┴─────────────────┘ │
│ │
│ LAYER 6: IT & PROJECT MANAGEMENT │
│ ┌────────────┬──────────────┬─────────────────┐ │
│ │ Taiga │ Snipe-IT │ GLPI │ │
│ │ (Project │ (Asset │ (IT Service │ │
│ │ Mgmt) │ Tracking) │ Management) │ │
│ └────────────┴──────────────┴─────────────────┘ │
│ │
│ LAYER 7: INFRASTRUCTURE │
│ ┌────────────┬──────────────┬─────────────────┐ │
│ │ Traefik │ Zabbix │ Graylog │ │
│ │ (Reverse │ (Monitoring/│ (Log │ │
│ │ Proxy) │ Metrics) │ Aggregation) │ │
│ └────────────┴──────────────┴─────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
Value Proposition
Complete Business Suite:
- 🔐 Identity: Centralized authentication for 500+ users
- 💾 Data: Enterprise-grade database infrastructure
- 👥 Collaboration: Modern team productivity tools
- 📞 Communications: Professional email, voice, video
- 💼 Business: CRM, ERP, accounting, inventory
- 🎯 Projects: Agile project management
- 🏢 IT Operations: Asset tracking, ITSM, help desk
- 📊 Monitoring: Complete observability stack
Total Cost: $0 in software licensing (100% open-source)
Replaces: Salesforce + Microsoft 365 + Zoom + RingCentral + ServiceNow
Savings: $50,000-100,000+ per year for 100 users
Server Infrastructure
8-Server Production Deployment
Server 1: Identity & Directory (lab-id1)
Hostname: lab-id1.domain.com
IP: 10.0.50.11
OS: Ubuntu 24.04 Server LTS
CPU: 6 cores
RAM: 16 GB
Storage:
- OS: 50 GB (SSD)
- Data: 100 GB (SSD)
Network: 2x 1 Gbps (bonded)
Services:
├── FreeIPA 4.11+
│ ├── LDAP (389-ds)
│ ├── Kerberos (MIT)
│ ├── DNS (BIND)
│ ├── CA (Dogtag)
│ └── NTP (chrony)
├── Keycloak 24.0+
│ ├── SSO Provider
│ ├── OAuth2/OIDC
│ ├── SAML 2.0
│ └── User Federation
└── Monitoring Agent
├── Zabbix Agent
└── Log Forwarder
Ports:
53/UDP,TCP - DNS
80/TCP - HTTP
88/UDP,TCP - Kerberos
389/TCP - LDAP
443/TCP - HTTPS
464/UDP,TCP - Kerberos Password
636/TCP - LDAPS
8080/TCP - Keycloak
Server 2: Database & Cache (lab-db1)
Hostname: lab-db1.domain.com
IP: 10.0.50.12
OS: Ubuntu 24.04 Server LTS
CPU: 8 cores
RAM: 32 GB (64 GB for heavy workload)
Storage:
- OS: 50 GB (SSD)
- Database: 500 GB (NVMe SSD - high IOPS)
- Backups: 1 TB (SAS/SATA)
Network: 2x 10 Gbps (bonded) - critical for performance
Services:
├── PostgreSQL 16.x
│ ├── Databases:
│ │ ├── keycloak
│ │ ├── nextcloud
│ │ ├── mattermost
│ │ ├── zammad
│ │ ├── suitecrm
│ │ ├── odoo
│ │ ├── openkm
│ │ ├── taiga
│ │ ├── snipeit
│ │ └── glpi
│ ├── pgBouncer (connection pooling)
│ ├── pg_stat_statements
│ └── Automated backups (pg_dump)
├── Redis 7.x
│ ├── Cache layer
│ ├── Session storage
│ └── Message queue
├── Elasticsearch 8.x
│ ├── Zammad search
│ ├── GLPI search
│ ├── OpenKM indexing
│ └── Log aggregation
└── MongoDB 7.x (optional)
└── GLPI optional backend
Configuration:
shared_buffers = 8GB
effective_cache_size = 24GB
max_connections = 500
work_mem = 16MB
maintenance_work_mem = 2GB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 1.1
effective_io_concurrency = 200
Ports:
5432/TCP - PostgreSQL
6379/TCP - Redis
9200/TCP - Elasticsearch
27017/TCP - MongoDB
Server 3: Collaboration Apps (lab-app1)
Hostname: lab-app1.domain.com
IP: 10.0.50.13
OS: Ubuntu 24.04 Server LTS
CPU: 8 cores
RAM: 24 GB
Storage:
- OS: 50 GB (SSD)
- Nextcloud Data: 2 TB (SSD/SAS)
- App Data: 200 GB (SSD)
Network: 2x 1 Gbps (bonded)
Services:
├── Nextcloud 28.x
│ ├── Nginx 1.24+
│ ├── PHP 8.3-FPM
│ ├── Apps:
│ │ ├── Files
│ │ ├── Calendar (CalDAV)
│ │ ├── Contacts (CardDAV)
│ │ ├── Talk (WebRTC)
│ │ ├── Mail
│ │ ├── Deck (Kanban)
│ │ ├── Notes
│ │ └── OnlyOffice integration
│ └── External Storage
├── Mattermost 9.3+
│ ├── Team Edition
│ ├── Channels
│ ├── Integrations
│ ├── Mobile push
│ └── File uploads
└── Jitsi Meet (Latest)
├── Jitsi Videobridge
├── Jicofo
├── Prosody XMPP
└── Recording (optional)
Ports:
80/TCP - HTTP (Nextcloud)
443/TCP - HTTPS
8065/TCP - Mattermost
10000/UDP - Jitsi media
4443/TCP - Jitsi Harvester
Server 4: Communications (lab-comm1)
Hostname: lab-comm1.domain.com
IP: 10.0.50.14
OS: Ubuntu 24.04 Server LTS
CPU: 6 cores
RAM: 16 GB
Storage:
- OS: 50 GB (SSD)
- Mail: 500 GB (SSD)
- Attachments: 500 GB (SAS)
Network: 2x 1 Gbps (bonded)
Services:
├── iRedMail 1.6.8+
│ ├── Postfix (SMTP)
│ ├── Dovecot (IMAP/POP3)
│ ├── Roundcube (Webmail)
│ ├── SOGo (Groupware - optional)
│ ├── SpamAssassin (Anti-spam)
│ ├── ClamAV (Antivirus)
│ ├── Amavisd-new
│ ├── OpenDKIM
│ └── Fail2ban
├── Zammad 6.x
│ ├── Web interface
│ ├── Email integration
│ ├── Phone integration
│ ├── Knowledge base
│ └── Time tracking
└── Monitoring Stack
├── Zabbix Server
├── Grafana
└── Prometheus
Ports:
25/TCP - SMTP
80/TCP - HTTP
110/TCP - POP3
143/TCP - IMAP
443/TCP - HTTPS
465/TCP - SMTPS
587/TCP - Submission
993/TCP - IMAPS
995/TCP - POP3S
3000/TCP - Zammad
3001/TCP - Grafana
10050/TCP - Zabbix Agent
Server 5: VoIP/PBX (lab-voip1)
Hostname: lab-voip1.domain.com
IP: 10.0.50.15
OS: Ubuntu 24.04 or FreePBX Distro
CPU: 6 cores
RAM: 12 GB
Storage:
- OS: 50 GB (SSD)
- Recordings: 500 GB (SAS)
Network: 2x 1 Gbps (bonded)
QoS: Dedicated VLAN recommended
Services:
├── FreePBX 17+ / Asterisk 21+
│ ├── PBX Core
│ ├── IVR (Auto-attendant)
│ ├── Ring Groups
│ ├── Call Queues
│ ├── Voicemail
│ ├── Call Recording
│ ├── Conference Bridge
│ ├── Call Parking
│ ├── Paging/Intercom
│ └── Time Conditions
├── SIP Trunking
│ ├── Twilio integration
│ ├── Bandwidth.com
│ └── Local carrier
├── Softphone Server
│ └── WebRTC support
└── CTI Integration
├── CRM connector
└── Call logging
Extensions Plan:
100-199: Executives
200-299: Sales
300-399: Support/Customer Service
400-499: IT/Technical
500-599: Operations
600-699: Ring Groups
700-799: Queues
9000-9099: Conference Rooms
Ports:
80/TCP - HTTP (FreePBX GUI)
443/TCP - HTTPS
5060/UDP,TCP - SIP signaling
5061/TCP - SIP TLS
10000-20000/UDP - RTP media streams
Server 6: Business Operations (lab-biz1)
Hostname: lab-biz1.domain.com
IP: 10.0.50.16
OS: Ubuntu 24.04 Server LTS
CPU: 8 cores
RAM: 24 GB
Storage:
- OS: 50 GB (SSD)
- App Data: 300 GB (SSD)
- Documents: 1 TB (SAS)
Network: 2x 1 Gbps (bonded)
Services:
├── SuiteCRM 8.6+
│ ├── Sales automation
│ ├── Marketing
│ ├── Customer service
│ ├── Reporting
│ ├── Mobile app
│ └── API access
├── OpenKM Community 6.3+
│ ├── Document repository
│ ├── Version control
│ ├── Workflow engine
│ ├── OCR processing
│ ├── Email archiving
│ ├── Digital signatures
│ ├── Records management
│ └── Full-text search
└── Document Scanning
├── OCR engine (Tesseract)
└── PDF processing
Integration Points:
- LDAP: FreeIPA authentication
- SSO: Keycloak (SAML/OAuth)
- Email: iRedMail sync
- VoIP: FreePBX CTI
- Calendar: CalDAV (Nextcloud)
- Files: WebDAV bridge to Nextcloud
Ports:
80/TCP - HTTP
443/TCP - HTTPS
8090/TCP - OpenKM
Server 7: ERP System (lab-erp1)
Hostname: lab-erp1.domain.com
IP: 10.0.50.17
OS: Ubuntu 24.04 Server LTS
CPU: 10 cores
RAM: 32 GB (ERP is resource-intensive)
Storage:
- OS: 50 GB (SSD)
- App Data: 200 GB (SSD)
- Attachments: 500 GB (SAS)
Network: 2x 1 Gbps (bonded)
Services:
├── Odoo 17.0 Community
│ ├── Core Modules:
│ │ ├── CRM
│ │ ├── Sales
│ │ ├── Purchase
│ │ ├── Inventory
│ │ ├── Accounting
│ │ ├── Invoicing
│ │ ├── Manufacturing
│ │ ├── Human Resources
│ │ ├── Project Management
│ │ ├── Timesheets
│ │ ├── Expenses
│ │ ├── Point of Sale
│ │ ├── Website/eCommerce
│ │ ├── Email Marketing
│ │ ├── Documents
│ │ ├── Fleet Management
│ │ ├── Maintenance
│ │ └── Quality
│ ├── Multi-company support
│ ├── Multi-currency
│ ├── Multi-language
│ └── Mobile apps (iOS/Android)
└── Integration Layer
├── API gateway
├── Webhook handlers
└── ETL processes
Business Processes:
- Quote to Cash (Sales)
- Procure to Pay (Purchasing)
- Order to Delivery (Fulfillment)
- Hire to Retire (HR)
- Record to Report (Accounting)
Ports:
8069/TCP - Odoo HTTP
8072/TCP - Odoo longpolling
Server 8: IT Management (lab-it1)
Hostname: lab-it1.domain.com
IP: 10.0.50.18
OS: Ubuntu 24.04 Server LTS
CPU: 6 cores
RAM: 16 GB
Storage:
- OS: 50 GB (SSD)
- App Data: 200 GB (SSD)
Network: 2x 1 Gbps (bonded)
Services:
├── Taiga 6.7+
│ ├── Scrum/Kanban boards
│ ├── Backlog management
│ ├── Sprints
│ ├── Issues/bugs
│ ├── Wiki
│ ├── Epics
│ └── Custom workflows
├── Snipe-IT (Latest)
│ ├── Asset inventory
│ ├── License management
│ ├── Check-in/out
│ ├── Depreciation
│ ├── Maintenance scheduling
│ ├── Audit trails
│ ├── Barcode/QR codes
│ └── Mobile app
└── GLPI 10.x
│ ├── Help desk
│ ├── Asset management
│ ├── Change management
│ ├── Problem management
│ ├── Service catalog
│ ├── SLA management
│ ├── Knowledge base
│ ├── Auto-discovery
│ └── Inventory
Ports:
80/TCP - HTTP
443/TCP - HTTPS
8080/TCP - Taiga
8085/TCP - Snipe-IT
8084/TCP - GLPI
Infrastructure Server (lab-infra1)
Hostname: lab-infra1.domain.com
IP: 10.0.50.19
OS: Ubuntu 24.04 Server LTS
CPU: 4 cores
RAM: 12 GB
Storage:
- OS: 50 GB (SSD)
- Logs: 500 GB (SAS)
- Backups: 2 TB (SAS - external)
Network: 2x 10 Gbps (bonded) - critical path
Services:
├── Traefik 2.11+
│ ├── Reverse proxy
│ ├── Load balancer
│ ├── TLS termination
│ ├── Let's Encrypt integration
│ ├── Dynamic configuration
│ ├── Service discovery
│ └── HTTP/2, HTTP/3 support
├── Graylog 5.x
│ ├── Log aggregation
│ ├── Log parsing
│ ├── Search/analysis
│ ├── Alerting
│ ├── Dashboards
│ └── Archive
└── Backup System
├── Restic
├── BorgBackup
└── S3-compatible storage
Routing Table (Traefik):
*.domain.com → Backend routing
cloud.domain.com → lab-app1:80
chat.domain.com → lab-app1:8065
meet.domain.com → lab-app1:80 (Jitsi)
mail.domain.com → lab-comm1:443
desk.domain.com → lab-comm1:3000
voip.domain.com → lab-voip1:443
crm.domain.com → lab-biz1:80
docs.domain.com → lab-biz1:8090
erp.domain.com → lab-erp1:8069
projects.domain.com → lab-it1:8080
assets.domain.com → lab-it1:8085
itsm.domain.com → lab-it1:8084
monitor.domain.com → lab-comm1:3001
ipa.domain.com → lab-id1:443
sso.domain.com → lab-id1:8080
Ports:
80/TCP - HTTP (redirect to 443)
443/TCP - HTTPS
8080/TCP - Traefik dashboard
9000/TCP - Graylog web
9200/TCP - Graylog API
12201/UDP - GELF input
514/UDP - Syslog
Total Infrastructure Footprint
Physical Resources:
- Servers: 9 (8 application + 1 infrastructure)
- CPU Cores: 62 total
- RAM: 184 GB total
- Storage: ~8 TB total (apps + backups)
- Network: 1-10 Gbps per server
- Power: ~3-4 kW (UPS recommended)
Virtual/Cloud Alternative:
- VMs: 9 virtual machines
- Hypervisor: Proxmox, VMware, Hyper-V
- Cloud: AWS, Azure, GCP, DigitalOcean
- Estimated Cost: $2,000-4,000/month cloud hosting
User Capacity:
- Concurrent Users: 100-200
- Total Users: 500-1,000
- Storage per User: 10-20 GB average
- Email: Unlimited mailboxes
- VoIP: 100+ concurrent calls
Network Architecture
Production Network Design
Internet
│
├─── Firewall/Router (pfSense/OPNsense)
│ ├── WAN: Public IP
│ └── LAN: 10.0.50.1
│
├─── Core Switch (Layer 3)
│ └── VLANs configured
│
├─── VLAN 10: Management (10.0.10.0/24)
│ ├── SSH Access
│ ├── IPMI/iLO
│ └── Admin workstations
│
├─── VLAN 20: Infrastructure (10.0.50.0/24)
│ ├── 10.0.50.11 - Identity (FreeIPA, Keycloak)
│ ├── 10.0.50.12 - Database (PostgreSQL, Redis)
│ ├── 10.0.50.13 - Collaboration (Nextcloud, Mattermost, Jitsi)
│ ├── 10.0.50.14 - Communications (Mail, Zammad, Monitoring)
│ ├── 10.0.50.15 - VoIP (FreePBX)
│ ├── 10.0.50.16 - Business (CRM, DMS)
│ ├── 10.0.50.17 - ERP (Odoo)
│ ├── 10.0.50.18 - IT Management (Taiga, Snipe-IT, GLPI)
│ └── 10.0.50.19 - Infrastructure (Traefik, Graylog, Backup)
│
├─── VLAN 30: VoIP (10.0.30.0/24)
│ ├── QoS Priority
│ ├── SIP phones
│ └── Softphones
│
├─── VLAN 40: Database Backend (10.0.40.0/24)
│ ├── Isolated database traffic
│ └── High-speed interconnect
│
└─── VLAN 50: Users (10.0.100.0/22)
├── Workstations
├── Laptops
└── Mobile devices (WiFi)
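The VLAN layout above only isolates the database and VoIP segments if the inter-VLAN filter on the core switch or firewall enforces it. The following Python example is added here and is not part of the guide: it encodes a least-privilege flow policy for the guide's networks and hosts (users reach services only through Traefik on 10.0.50.19, only the infrastructure VLAN reaches PostgreSQL and Redis on 10.0.50.12, only the VoIP VLAN reaches SIP and RTP on 10.0.50.15), evaluates candidate flows against it, and renders it as an nftables forward chain. The rule list itself is an assumption derived from the port tables, not a configuration the guide provides.

```python
import ipaddress
from dataclasses import dataclass

# Networks and hosts from the guide's network design; the rules are assumed.
USERS = "10.0.100.0/22"     # VLAN 50: workstations, laptops, WiFi
MGMT = "10.0.10.0/24"       # VLAN 10: admin workstations
VOIP = "10.0.30.0/24"       # VLAN 30: SIP phones and softphones
INFRA = "10.0.50.0/24"      # VLAN 20: application servers
DB = "10.0.50.12/32"        # lab-db1
PBX = "10.0.50.15/32"       # lab-voip1
PROXY = "10.0.50.19/32"     # lab-infra1 (Traefik)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    ports: tuple        # (low, high), inclusive
    action: str = "accept"


POLICY = [
    Rule(MGMT, INFRA, "tcp", (22, 22)),          # admins: SSH to every server
    Rule(USERS, PROXY, "tcp", (443, 443)),       # users: HTTPS via Traefik only
    Rule(USERS, PROXY, "tcp", (80, 80)),         # users: HTTP (Traefik redirects to 443)
    Rule(INFRA, DB, "tcp", (5432, 5432)),        # app servers: PostgreSQL
    Rule(INFRA, DB, "tcp", (6379, 6379)),        # app servers: Redis
    Rule(VOIP, PBX, "udp", (5060, 5060)),        # phones: SIP signalling
    Rule(VOIP, PBX, "tcp", (5061, 5061)),        # phones: SIP over TLS
    Rule(VOIP, PBX, "udp", (10000, 20000)),      # phones: RTP media
]


def evaluate(policy, src_ip, dst_ip, proto, port, default="drop"):
    """First-match evaluation with an implicit default drop, mirroring the
    chain policy below. Returns the action string for the flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in policy:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.ports[0] <= port <= r.ports[1]):
            return r.action
    return default


def exposed_flows(policy, src_net, dst_host):
    """List the (proto, port-range) flows a whole source network may open to
    a host; an empty list for (USERS, lab-db1) is the isolation property."""
    net = ipaddress.ip_network(src_net)
    host = ipaddress.ip_address(dst_host)
    return [(r.proto, r.ports) for r in policy
            if r.action == "accept"
            and net.subnet_of(ipaddress.ip_network(r.src))
            and host in ipaddress.ip_network(r.dst)]


def to_nftables(policy, table="inter_vlan"):
    """Render the policy as an nftables forward chain with default drop and
    stateful return traffic, suitable for `nft -f`."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        ports = (str(r.ports[0]) if r.ports[0] == r.ports[1]
                 else f"{r.ports[0]}-{r.ports[1]}")
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {ports} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables(POLICY))
    print("users -> db:5432 =", evaluate(POLICY, "10.0.100.25", "10.0.50.12", "tcp", 5432))
```

Keep the policy as the single source of truth and regenerate the ruleset from it; then `exposed_flows` doubles as a regression check that a later rule did not quietly open the database or PBX to the user VLAN.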
DNS Configuration
Internal DNS (FreeIPA):
domain.local zone:
ipa.domain.local → 10.0.50.11
sso.domain.local → 10.0.50.11
db.domain.local → 10.0.50.12
cloud.domain.local → 10.0.50.19 (via Traefik)
chat.domain.local → 10.0.50.19 (via Traefik)
meet.domain.local → 10.0.50.19 (via Traefik)
mail.domain.local → 10.0.50.19 (via Traefik)
desk.domain.local → 10.0.50.19 (via Traefik)
voip.domain.local → 10.0.50.19 (via Traefik)
crm.domain.local → 10.0.50.19 (via Traefik)
docs.domain.local → 10.0.50.19 (via Traefik)
erp.domain.local → 10.0.50.19 (via Traefik)
projects.domain.local → 10.0.50.19 (via Traefik)
assets.domain.local → 10.0.50.19 (via Traefik)
itsm.domain.local → 10.0.50.19 (via Traefik)
monitor.domain.local → 10.0.50.19 (via Traefik)
External DNS (Public):
yourdomain.com zone (at registrar/DNS provider):
A yourdomain.com → Public IP
A *.yourdomain.com → Public IP (wildcard)
MX 10 mail.yourdomain.com → Public IP
TXT yourdomain.com → "v=spf1 mx ~all"
TXT _dmarc.yourdomain.com → DMARC policy
TXT default._domainkey... → DKIM public key
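The SPF, DMARC and DKIM records above are only as strong as their policy terms, and a typo in one of them silently weakens mail authentication. The following Python example is added here and is not part of the guide: it lints the three TXT strings the way a receiving MTA interprets them, flagging `+all`, a missing or `none` DMARC policy, a revoked DKIM key and the 10-lookup SPF limit. The sample records are constructed for yourdomain.com (the guide's `v=spf1 mx ~all` plus assumed DMARC and DKIM values); fetching live answers with `dig TXT` or a DNS library is not part of this example.

```python
import re

MAX_SPF_LOOKUPS = 10        # RFC 7208 section 4.6.4
SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
_TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:[:/].*)?$")


def lint_spf(record):
    """Return (severity, message) findings; an empty list means clean."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("error", "SPF record must start with v=spf1")]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        t = term.lower()
        if "=" in t:                          # modifier such as redirect= or exp=
            lookups += t.startswith("redirect=")
            continue
        m = _TERM.match(t)
        if not m:
            findings.append(("error", f"unparseable SPF term {term!r}"))
            continue
        qual, mech = m.group(1) or "+", m.group(2)
        lookups += mech in SPF_LOOKUP_MECHS
        if mech == "ptr":
            findings.append(("warn", "ptr is deprecated; receivers may ignore it"))
        if mech == "all":
            all_qualifier = qual
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(("error", f"{lookups} DNS-querying terms exceed the limit of "
                                  f"{MAX_SPF_LOOKUPS}; receivers return permerror"))
    if all_qualifier is None:
        findings.append(("warn", "no 'all' term: unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("critical", "+all authorises any host to send as this domain"))
    elif all_qualifier in ("~", "?"):
        findings.append(("info", f"{all_qualifier}all is lenient; tighten to -all once "
                                 "DMARC reports show every legitimate sender is listed"))
    return findings


def _tags(record):
    """Parse 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def lint_dmarc(record):
    if not record.strip().lower().startswith("v=dmarc1"):
        return [("error", "DMARC record must start with v=DMARC1")]
    tags, findings = _tags(record), []
    p = tags.get("p")
    if p is None:
        findings.append(("error", "missing required p= policy tag"))
    elif p == "none":
        findings.append(("warn", "p=none only monitors; spoofed mail is still delivered"))
    elif p not in ("quarantine", "reject"):
        findings.append(("error", f"unknown policy {p!r}"))
    if "rua" not in tags:
        findings.append(("warn", "no rua= address: no aggregate reports to tune SPF/DKIM with"))
    if tags.get("pct", "100") != "100":
        findings.append(("info", f"pct={tags['pct']}: policy applied to only part of the mail stream"))
    return findings


def lint_dkim(record):
    tags, findings = _tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        return [("error", "unknown DKIM record version")]
    p = tags.get("p")
    if p is None:
        findings.append(("error", "missing p= public key"))
    elif p == "":
        findings.append(("critical", "empty p= means the key is revoked; signed mail will fail"))
    if "y" in tags.get("t", "").split(":"):
        findings.append(("warn", "t=y testing flag set; verifiers treat failures leniently"))
    return findings


def lint_mail_auth(spf, dmarc, dkim):
    """Lint all three records at once, keyed by record type."""
    return {"spf": lint_spf(spf), "dmarc": lint_dmarc(dmarc), "dkim": lint_dkim(dkim)}


# Constructed sample records (the guide's SPF text plus assumed DMARC/DKIM values).
SAMPLE = {
    "spf": "v=spf1 mx ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}

if __name__ == "__main__":
    for kind, findings in lint_mail_auth(**SAMPLE).items():
        for severity, message in findings:
            print(f"{kind:5s} {severity:8s} {message}")
```

Run it against the records you intend to publish; the usual progression is `~all` with `p=none` while collecting `rua` reports, then `-all` with `p=quarantine` or `p=reject` once the reports show no legitimate sender failing.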
Service Catalog
Complete Service Roster
| Category | Service | URL | Server | Users | Purpose |
|---|---|---|---|---|---|
| Identity | FreeIPA | https://ipa.domain.com | lab-id1 | IT Admin | LDAP/DNS/Kerberos |
| Identity | Keycloak | https://sso.domain.com | lab-id1 | IT Admin | SSO/OAuth/SAML |
| Collaboration | Nextcloud | https://cloud.domain.com | lab-app1 | All Users | Files/Calendar/Contacts |
| Collaboration | Mattermost | https://chat.domain.com | lab-app1 | All Users | Team Chat/Collaboration |
| Collaboration | Jitsi Meet | https://meet.domain.com | lab-app1 | All Users | Video Conferencing |
| Communications | Webmail | https://mail.domain.com | lab-comm1 | All Users | Email Access |
| Communications | Zammad | https://desk.domain.com | lab-comm1 | Support Team | Help Desk/Ticketing |
| Communications | FreePBX | https://voip.domain.com | lab-voip1 | IT/Users | Phone System Admin |
| Business | SuiteCRM | https://crm.domain.com | lab-biz1 | Sales/Marketing | Customer Relationship Mgmt |
| Business | OpenKM | https://docs.domain.com | lab-biz1 | All Users | Document Management |
| ERP | Odoo | https://erp.domain.com | lab-erp1 | Business Users | Full ERP Suite |
| IT/Projects | Taiga | https://projects.domain.com | lab-it1 | Project Teams | Agile Project Management |
| IT/Projects | Snipe-IT | https://assets.domain.com | lab-it1 | IT Asset Mgmt | Asset/License Tracking |
| IT/Projects | GLPI | https://itsm.domain.com | lab-it1 | IT Staff | IT Service Management |
| Infrastructure | Traefik | https://proxy.domain.com | lab-infra1 | IT Admin | Reverse Proxy/Load Balancer |
| Infrastructure | Grafana | https://monitor.domain.com | lab-comm1 | IT Admin | Metrics/Dashboards |
| Infrastructure | Graylog | https://logs.domain.com | lab-infra1 | IT Admin | Log Aggregation/Analysis |
User Access Matrix
| Role | Cloud | Chat | Meet | Mail | CRM | ERP | Docs | Desk | Projects | Assets | ITSM | VoIP |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Executive | ✓ | ✓ | ✓ | ✓ | R | ✓ | ✓ | R | R | R | - | ✓ |
| Sales | ✓ | ✓ | ✓ | ✓ | ✓ | R | ✓ | R | R | - | - | ✓ |
| Support | ✓ | ✓ | ✓ | ✓ | R | - | ✓ | ✓ | - | - | R | ✓ |
| IT Staff | ✓ | ✓ | ✓ | ✓ | - | - | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Accounting | ✓ | ✓ | ✓ | ✓ | R | ✓ | ✓ | R | - | - | - | ✓ |
| HR | ✓ | ✓ | ✓ | ✓ | - | ✓ | ✓ | R | - | R | - | ✓ |
| Operations | ✓ | ✓ | ✓ | ✓ | - | ✓ | ✓ | R | R | - | - | ✓ |
| All Employees | ✓ | ✓ | ✓ | ✓ | - | - | ✓ | U | - | - | U | ✓ |
Legend: ✓ = Full Access, R = Read Only, U = Submit/Use Only, - = No Access
Integration Architecture
SSO Integration Flow
┌────────────────────────────────────────────────────────────┐
│ User Login Flow │
└────────────────────────────────────────────────────────────┘
1. User accesses: https://cloud.domain.com
└─→ Traefik receives request
2. Traefik forwards to Nextcloud
└─→ Nextcloud checks authentication
3. No active session → Redirect to Keycloak
└─→ https://sso.domain.com/realms/production/protocol/openid-connect/auth
4. Keycloak checks for session
└─→ No session → Show login form
5. User enters credentials
└─→ Keycloak validates against FreeIPA (LDAP)
6. FreeIPA authentication succeeds
└─→ Keycloak issues tokens (ID token, Access token, Refresh token)
7. Keycloak redirects back to Nextcloud with authorization code
└─→ https://cloud.domain.com/callback?code=ABC123
8. Nextcloud exchanges code for tokens
└─→ Validates tokens with Keycloak
9. Nextcloud creates session
└─→ User logged in to Nextcloud
10. User clicks link to Mattermost
└─→ https://chat.domain.com
11. Mattermost checks Keycloak session
└─→ Active session exists → Automatic login (no password prompt)
12. User accesses CRM
└─→ https://crm.domain.com
13. Same SSO session → Automatic login
└─→ No re-authentication needed
Result: One login, access everything!
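Steps 3, 7 and 8 of the flow above are where a relying party either gets OpenID Connect right or not: the redirect must carry a fresh `state` and `nonce`, the callback must be accepted only when `state` matches the browser session, and the ID token must be checked for signature, issuer, audience, expiry and `nonce` before a session is created. The following Python example is added here and is not code from the guide, Nextcloud or Keycloak; it uses the guide's realm URL and callback URL, assumes a client id of `nextcloud`, and signs the constructed test token with HS256 and a shared key purely so the check runs offline (Keycloak signs with RS256, and the public key is fetched from the realm's JWKS endpoint).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://sso.domain.com/realms/production"        # realm from step 3
AUTH_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"
CLIENT_ID = "nextcloud"                                    # assumed client id
REDIRECT_URI = "https://cloud.domain.com/callback"         # callback from step 7


def build_authorization_url(session):
    """Step 3: redirect to Keycloak. `state` ties the callback to this browser
    session (anti-CSRF); `nonce` ties the ID token to this login request."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def callback_code(session, callback_url):
    """Step 7: accept the authorization code only if `state` matches the value
    stored for this session. The stored value is consumed either way, so each
    state is usable once."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    expected = session.pop("oidc_state", "")
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback not started by this session")
    return query["code"][0]


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_id_token(id_token, key, session, now=None):
    """Step 8: verify signature and claims of the ID token from the code
    exchange. The algorithm is pinned rather than trusted from the token
    header. HS256 with a shared key is a stand-in for the RS256/JWKS check
    a real Keycloak client performs."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, sig = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    nonce = session.pop("oidc_nonce", None)
    if nonce is None or claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed or foreign token")
    return claims


def make_test_id_token(key, claims):
    """Constructed ID token for the demo; in production Keycloak mints it."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    key, session = b"constructed-test-key", {}
    print(build_authorization_url(session))
    code = callback_code(session, REDIRECT_URI + "?code=ABC123&state=" + session["oidc_state"])
    token = make_test_id_token(key, {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                                     "exp": int(time.time()) + 300, "nonce": session["oidc_nonce"]})
    print(code, validate_id_token(token, key, session)["sub"])
```

Note that the callback URL in step 7 (`/callback?code=ABC123`) shows only the code; in practice Keycloak echoes the `state` parameter back as well, and a client that does not compare it is open to login CSRF. Each of Nextcloud, Mattermost, SuiteCRM and the other clients in the SSO flow performs the same checks against its own client id.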
Data Flow Architecture
┌──────────────────────────────────────────────────────────────┐
│ Cross-System Data Integration │
└──────────────────────────────────────────────────────────────┘
NEW EMPLOYEE ONBOARDING:
1. HR creates employee in Odoo HR module
├─→ Name, email, department, position, start date
└─→ Triggers webhook
2. Webhook to FreeIPA API
├─→ Creates LDAP user account
├─→ Assigns to groups (based on department)
├─→ Sets password (temporary)
└─→ Generates employee ID
3. FreeIPA triggers secondary webhooks:
├─→ iRedMail: Create mailbox
│ └─→ Email: firstname.lastname@domain.com
├─→ FreePBX: Provision extension
│ └─→ Extension: Auto-assign from pool (e.g., 201)
├─→ Nextcloud: Auto-provision user
│ └─→ 10 GB default quota
└─→ Keycloak: Sync user (automatic)
4. IT receives notification in GLPI
├─→ Asset assignment task created
├─→ IT checks out laptop in Snipe-IT
└─→ Links asset to employee
5. Employee receives welcome email
├─→ Login credentials
├─→ Extension number
├─→ IT contact
└─→ Onboarding checklist
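The onboarding chain above hinges on step 2: the attributes the webhook hands to FreeIPA decide the username, mailbox, group memberships and extension every downstream system will inherit. The following Python example is added here and is not code from the guide, Odoo or FreeIPA. It builds that provisioning request, taking the `firstname.lastname` mailbox format, the 10 GB quota and the per-department extension ranges from the guide, while the department-to-group mapping and the `taken` sets are assumptions. It handles the cases the flow glosses over: duplicate names, accented names, an exhausted extension pool and an unknown department (refused rather than guessed, so nobody lands in a group by accident).

```python
import secrets
import unicodedata

EXTENSION_POOLS = {            # from the Extensions Plan on lab-voip1
    "Executives": (100, 199),
    "Sales": (200, 299),
    "Support": (300, 399),
    "IT": (400, 499),
    "Operations": (500, 599),
}
DEPARTMENT_GROUPS = {          # assumed FreeIPA group names, least privilege per department
    "Executives": ["employees", "executives"],
    "Sales": ["employees", "sales", "crm-users"],
    "Support": ["employees", "support", "helpdesk-agents"],
    "IT": ["employees", "it-staff"],
    "Operations": ["employees", "operations"],
}
DEFAULT_QUOTA_GB = 10          # Nextcloud default from step 3
MAIL_DOMAIN = "domain.com"


def _ascii_slug(name):
    """'José Müller' -> 'jose muller': strip accents, keep letters/digits, lowercase."""
    nfkd = unicodedata.normalize("NFKD", name)
    return "".join(c for c in nfkd if c.isalnum() or c.isspace()).lower().strip()


def unique_uid(first, last, taken):
    """firstname.lastname, with a numeric suffix when the name is already used."""
    base = f"{_ascii_slug(first)}.{_ascii_slug(last)}".replace(" ", "")
    uid, n = base, 1
    while uid in taken:
        n += 1
        uid = f"{base}{n}"
    return uid


def next_extension(department, taken):
    """Lowest free extension in the department's range; fail loudly if none."""
    low, high = EXTENSION_POOLS[department]
    for ext in range(low, high + 1):
        if ext not in taken:
            return ext
    raise RuntimeError(f"extension pool {low}-{high} for {department} is exhausted")


def provision_request(first, last, department, taken_uids, taken_extensions):
    """The record the webhook would send on to FreeIPA, iRedMail, FreePBX and
    Nextcloud. Unknown departments are rejected instead of mapped to defaults."""
    if department not in DEPARTMENT_GROUPS:
        raise ValueError(f"unknown department {department!r}; refusing to guess groups")
    uid = unique_uid(first, last, taken_uids)
    return {
        "uid": uid,
        "mail": f"{uid}@{MAIL_DOMAIN}",
        "groups": list(DEPARTMENT_GROUPS[department]),
        "extension": next_extension(department, taken_extensions),
        "nextcloud_quota_gb": DEFAULT_QUOTA_GB,
        # one-time secret; the IdP expires it so the user must change it at first login
        "temporary_password": secrets.token_urlsafe(16),
        "password_must_change": True,
    }


if __name__ == "__main__":
    # Constructed sample of what the directory already contains.
    req = provision_request("José", "Müller", "Sales", {"jose.muller"}, {200, 201})
    print({k: v for k, v in req.items() if k != "temporary_password"})
```

The temporary password should travel to the employee out of band (the welcome email in step 5 is not that channel) and never be logged by the webhook handler; the request dictionary is the only place it appears here.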
CUSTOMER LIFECYCLE (Lead to Cash):
1. Marketing campaign generates lead (web form)
└─→ Captured in SuiteCRM
2. Sales rep receives notification in Mattermost
└─→ Auto-assigned based on territory
3. Rep calls lead from CRM (click-to-call)
├─→ FreePBX dials via SIP
├─→ Call logged in CRM automatically
└─→ Recording saved (compliance)
4. Rep converts lead to opportunity
└─→ Creates quote in Odoo Sales
5. Quote approved by customer
├─→ Sales order created in Odoo
├─→ Contract document generated
└─→ Stored in OpenKM with e-signature
6. Fulfillment team notified
├─→ Inventory reserved in Odoo
├─→ Delivery scheduled
└─→ Tracking updated in CRM
7. Invoice generated in Odoo
├─→ Emailed via iRedMail
├─→ Payment link included
└─→ Payment recorded automatically
8. Customer support ticket opened
├─→ Zammad ticket from email
├─→ Linked to CRM account
├─→ SLA tracking starts
└─→ Assigned to support queue
IT SUPPORT WORKFLOW:
1. User calls help desk
├─→ FreePBX IVR routes to support queue
└─→ Call distributed to available agent
2. Agent answers via softphone
├─→ Screen pop in GLPI with caller info
├─→ Recent tickets displayed
└─→ Asset info from Snipe-IT shown
3. Agent creates ticket in GLPI
├─→ Also creates in Zammad (sync)
├─→ Categorizes issue
└─→ Links to asset
4. Ticket assigned to specialist
├─→ Notification in Mattermost
├─→ SMS alert (high priority)
└─→ Email notification
5. Specialist checks knowledge base
├─→ Finds solution article
└─→ Implements fix
6. Specialist updates ticket
├─→ Resolution documented
├─→ Customer notified
└─→ Satisfaction survey sent
7. Ticket closed
├─→ Metrics updated
├─→ If recurring → Problem record created
└─→ KB article created for future
PROJECT DELIVERY:
1. Contract signed (OpenKM)
└─→ Project created in Taiga
2. Project manager creates epic/user stories
├─→ Estimates story points
└─→ Assigns to sprint
3. Team collaboration
├─→ Daily standup via Jitsi
├─→ Chat in Mattermost project channel
├─→ Documents in Nextcloud folder
└─→ Wiki in Taiga
4. Developer works on tasks
├─→ Logs time in Taiga
├─→ Moves card in Kanban
└─→ Links commits (if using Git)
5. Time exported to Odoo
├─→ Timesheet approval workflow
├─→ Client invoicing
└─→ Project profitability tracking
6. Project completion
├─→ Deliverables in OpenKM
├─→ Final invoice in Odoo
├─→ Project archived
└─→ Lessons learned documented
API Integration Map
┌────────────────────────────────────────────────────────┐
│ API Integration Points │
└────────────────────────────────────────────────────────┘
FreeIPA (LDAP/Kerberos):
├─→ Keycloak: User federation
├─→ Nextcloud: LDAP authentication
├─→ Mattermost: LDAP authentication
├─→ Zammad: User sync
├─→ FreePBX: Directory integration
├─→ SuiteCRM: LDAP auth
├─→ Odoo: Employee sync
├─→ OpenKM: User authentication
├─→ Taiga: LDAP backend
├─→ Snipe-IT: User import
└─→ GLPI: LDAP sync
Keycloak (SSO/OAuth/SAML):
├─→ Nextcloud: OIDC provider
├─→ Mattermost: OAuth 2.0
├─→ Zammad: SAML authentication
├─→ SuiteCRM: SAML SP
├─→ Odoo: OAuth provider
├─→ Taiga: Social auth backend
├─→ GLPI: SAML integration
└─→ Custom apps: OAuth 2.0 clients
PostgreSQL (Database):
├─→ Keycloak: Identity data
├─→ Nextcloud: Files/metadata
├─→ Mattermost: Messages/channels
├─→ Zammad: Tickets/knowledge base
├─→ SuiteCRM: CRM data
├─→ Odoo: ERP data
├─→ OpenKM: Document metadata
├─→ Taiga: Projects/tasks
└─→ Snipe-IT: Asset inventory
FreePBX (VoIP):
├─→ SuiteCRM: Click-to-call, call logging (AMI)
├─→ Zammad: Phone integration
├─→ GLPI: Call logging
├─→ FreeIPA: Extension provisioning
└─→ Webhook: Call detail records
SuiteCRM (CRM):
├─→ Odoo: Customer sync (REST API)
├─→ FreePBX: CTI connector
├─→ iRedMail: Email sync (IMAP)
├─→ Nextcloud: Calendar sync (CalDAV)
├─→ OpenKM: Document linking
└─→ Mattermost: Notifications (webhooks)
Odoo (ERP):
├─→ SuiteCRM: Customer/opportunity sync
├─→ FreeIPA: Employee sync (LDAP)
├─→ Taiga: Time import (API)
├─→ Snipe-IT: Asset procurement
├─→ GLPI: Service catalog
├─→ iRedMail: Invoice delivery
└─→ OpenKM: Document storage
Nextcloud (Files):
├─→ Mattermost: File preview
├─→ Jitsi: Meeting integration
├─→ Odoo: Attachment storage
├─→ OpenKM: Folder sync
├─→ Taiga: File attachments
└─→ All: WebDAV access
Mattermost (Chat):
├─→ Jitsi: Video call plugin
├─→ Nextcloud: File sharing
├─→ Taiga: Project notifications
├─→ Zammad: Ticket updates
├─→ GLPI: Alert notifications
└─→ Custom: Webhooks/bots
Traefik (Reverse Proxy):
├─→ All services: HTTP routing
├─→ Let's Encrypt: SSL automation
├─→ Prometheus: Metrics export
└─→ Graylog: Access logs
Zabbix (Monitoring):
├─→ All servers: Zabbix agent
├─→ PostgreSQL: Database metrics
├─→ Services: HTTP checks
├─→ Grafana: Data source
└─→ Mattermost: Alert notifications
Graylog (Logging):
├─→ All servers: Syslog/GELF
├─→ Applications: Structured logs
├─→ Traefik: Access logs
└─→ Security: SIEM analysis
[Document continues with detailed deployment procedures, configurations, testing scenarios, and operational procedures... This would be approximately 15,000-20,000 more lines covering each service installation, integration steps, troubleshooting, and maintenance procedures]
Next sections to be included:
- Detailed installation procedures for each service
- Configuration file templates
- Integration setup guides
- Testing and validation procedures
- Backup and disaster recovery
- Monitoring and alerting setup
- Security hardening
- Performance tuning
- Troubleshooting guides
- Operational runbooks
- Upgrade procedures
- Scaling guidelines
Total document size: ~300-400 pages when complete