Complete company setup

I was unsure where to post this as it covers several categories but I figured this would be the “broadest” section :slight_smile:

I apologize for the wall of text, but I’m curious how others would design the best solution in terms of ease of management and ease of use balanced with economics.

Next year, during approximately Q2, we will start a new company that we are expecting to scale to around 100 employees, where about 40 of them will need a PC to work at, and about half of them (roughly 20) will be entirely web-based interfaces that we have developed in-house. This leaves 20 PCs with standard office worker tools (browser, word processor, spreadsheet, mail+calendar) and 20 PCs that only have to run a Chrome- or Firefox-based browser, spread out over 3 buildings that are interconnected with fiber.

Besides the PCs I have to design the network and wifi - I already have some equipment that I got for free, so in each network rack there is a Ubiquiti EdgeMax 48 Lite with 48 Gbit ports and 10Gbit fiber backhaul. The internet is two different 1 Gigabit connections with static IP and flatrate data. I also have 2x Ubiquiti EdgeRouter Pro (8 port) and 2x Unifi Security Gateway Pro (4 port), but my personal preference is pfSense / OPNsense. For WiFi I have 8 Ubiquiti nanoHD APs and UniFi Cloud Key Gen2 Plus that also has a bunch of UniFi G3 Flex Cameras. There are about 10 networked HP laser printers.

I have a SuperMicro X10SRW-F based 1U machine with an Intel E5-2620 v3, 32GB ECC RAM and dual 500GB SATA3 SSDs, another SuperMicro server but in 3U with 12x 3.5" drive bays holding 8x 4TB HDDs and 4x 500GB SSDs, dual CPU and 128GB ECC RAM. There is also one older 8-drive Synology box with Intel CPU and various older servers I’d rather not spin up if I don’t have to.

My question is: what is the optimal business solution when there is almost zero legacy and I get to plan for the future? I know the approximate number of workers we will grow to and I know the users’ software requirements, but what should I go for on the OS side, do the savings in licenses outweigh the additional cost of educating the users, and how does it affect the ease of management? What is the “right” combination of free and paid software when you want to do identity/access management, network storage, backup, configuration management, security, patch management, monitoring, ticketing, workgroup mail and calendar, documentation, wiki etc.?

I used to be a UNIX systems engineer so I’m not afraid of a shell, but I have yet to dip my toes in Ansible/Puppet/Chef etc., and I think I need NetBox for ease of documentation, but I haven’t looked into that properly yet. I love TrueNAS Core and Scale, I like Proxmox but I’m open to XCP-ng and so on.

My thought is that this is an interesting open question with no “right” answer, but I’m very much interested in whether we could reach some sort of consensus on what combination offers the best balance between cost and usage. Sorry if this isn’t interesting at all and you made it all the way to the end :slight_smile:

4 Likes

Welcome :slight_smile:

Given your pedigree in Unix, consider using as much FOSS as you can. You probably can’t go w/o at least one Win-OS machine, but that doesn’t need to be on bare metal :wink: And the rest of your use case screams, to me at least, about this:

Having a central server will earn you “eternal gratitude” of your sys-admins as it simplifies their life by some margin over having to update/upgrade each work station for every security patch. It also means you can use older, thus cheaper, workstations as thin clients, as well as ensuring any remote workers don’t need company secrets transmitted over the web, encrypted or not.

HTH!

I’ve been thinking about thin clients also, and I will be the sysadmin until there is enough work for a dedicated person; that is why I’m trying to come up with what to pick all the way around.

On the office PC side I’m not sure Linux + LibreOffice is the way to go compared to Windows + 365 with local installation of the office apps. The issue here is that people know the Microsoft programs, and LibreOffice doesn’t have Outlook. I’ve yet to find a properly integrated mail+calendar solution that is FOSS and can understand and send out meeting invitations from other companies that use Outlook-based solutions.

One of the things I was considering was that the 20 or so web-only workstations would boot Linux into a kiosk mode; LTSP is perfect for this :slight_smile:

But that leaves a lot of other questions: how to integrate that into user access management that is unified across PCs, Wi-Fi etc. Also, the client OS is just a small part of the puzzle, with identity/access management, network storage, backup, configuration management, security, patch management, monitoring, ticketing, workgroup mail and calendar, documentation, wiki etc. :smiley:

Just go with Windows + Office365, it’s not worth the churn and I would recommend OWA over a local Outlook install just for simplicity and less pain if you need to replace a workstation etc.

Given that you have a lot of Windows clients I would expect that you will end up with AD/Azure AD and RADIUS/LDAP for user management.

For configuration and patch management just use Microsoft’s tools, that will likely be the less painful way in the long run.

As for networking you might want to look at FreeBSD (pf etc.) and jails + SELKS (GitHub: StamusNetworks/SELKS, a Suricata-based IDS/IPS/NSM distro).

FreshDesk looks like a pretty nice ticket system, if you hate people I’d suggest Jira :wink:

For storage and backup either TrueNAS Core/Enterprise or FreeBSD with ZFS might be an option.

As for documentation it depends on your needs, there are many capable easy systems such as geekdocs.de unless you need it to be very advanced and complicated.

Just a few ideas…

1 Like

Great input, and don’t worry, if it runs on FreeBSD it runs on FreeBSD, have been on the Beastie train since 3.X :slight_smile:

Again excellent input :slight_smile:

Look into chromebox / chromebooks for your kiosks and web workers.

There’s quite a bit of overhead setting things up for only 50-ish devices, but I think it’s still worth getting into even at such a small population of machines.

They’re generally super duper easy to keep locked down and secure, both in hardware and in software, in either scenario, and you can source the hardware from your typical Lenovo/HP or whoever you’d normally buy stuff from, and they don’t need pre-configuration before being shipped to your workers or whoever will install them into your kiosks. Once devices are enrolled into your organization, they’re generally unstealable … or of very little value if taken out, similar to modern iPhones/iPads once properly locked down.

For your web workers you can set policies to disable android apps or VMs or browser extensions.

It’s also implied you’d use client-side certs in your auth setup, so while you can run VPNs you generally wouldn’t bother, and your ingress/auth/… whatever solution you use for your web stuff would check the certs and the SSO before allowing access to anything of value.
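The ingress check described above, as an added example that is not part of the original post and not any vendor's shipped config: an nginx server block in front of the in-house web app that refuses the TLS handshake unless the client presents a certificate issued by the company's device CA, and then hands the verified identity to the app for the SSO step. The hostname, certificate paths and upstream address are assumed placeholders.

```nginx
# Added example (not from the original post): nginx ingress that requires a
# valid client certificate before any request reaches the internal web app.
# Hostname, certificate paths and the upstream address are placeholders.

server {
    listen 443 ssl;
    server_name app.example.internal;            # placeholder hostname

    # Server-side TLS material (placeholder paths).
    ssl_certificate     /etc/ssl/ingress/server.crt;
    ssl_certificate_key /etc/ssl/ingress/server.key;

    # Only certificates chaining to the company device CA are accepted.
    ssl_client_certificate /etc/ssl/ingress/device-ca.crt;   # placeholder
    ssl_verify_client      on;      # handshake fails without a valid cert
    ssl_verify_depth       2;       # allow one intermediate CA
    ssl_crl                /etc/ssl/ingress/device-ca.crl;   # revoked devices (placeholder)

    location / {
        # Belt and braces: with "ssl_verify_client on" a failed verification
        # never reaches this block, but this keeps the intent explicit if the
        # directive is later relaxed to "optional".
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass http://127.0.0.1:8080;       # placeholder upstream (in-house web app)

        # Pass the verified identity to the app for its SSO/authorisation
        # decision. proxy_set_header replaces any same-named header the client
        # sent, so the app can trust these values came from the ingress.
        proxy_set_header X-Client-Cert-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Cert-Serial $ssl_client_serial;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
    }
}
```

The certificate proves possession of an enrolled device; the SSO login behind it still identifies the person, so the app should require both before serving anything of value. Keeping the CRL current is what lets you cut off a lost or retired device without rotating the CA.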