IT/IS Manager & Infrastructure Architect

Nabil Nacef

I manage everything IT — infrastructure, security, cloud, automation, and AI. When a solution doesn't exist, I build it. When a process is manual, I automate it. From bare-metal servers to AI agents, I own the full stack and ship real systems.

Building real systems, not demos

I'm an IT/IS Manager who handles everything — cloud infrastructure, security operations, endpoint management, identity governance, and vendor integrations. I lead security strategy, steer monthly security meetings, and own the full security posture across Google Workspace, GCP, and endpoint fleets. When there's no tool for a problem, I build one.

I'm also a professional AI power user. I build with Claude Code daily — custom skills, MCP agents, agentic workflows, and AI-assisted development. I've used Claude and Vertex AI to help stakeholders across the company ship tools they couldn't build otherwise: RFP generators, legal document automation, invoicing systems, and enterprise knowledge platforms. Outside work, I operate a 9-node homelab with production-grade security.

Technical Toolkit

  • Google Cloud Platform
  • Cloud Run / Compute Engine
  • GCP IAM / DwD / PAM
  • Terraform / OpenTofu
  • Atlantis GitOps
  • Google SecOps (Chronicle)
  • Wazuh SIEM/XDR
  • Suricata IDS/IPS
  • OpenVAS / Greenbone / Trivy
  • Kandji MDM + CVE scanning
  • Authelia SSO/2FA
  • Google PAM (JIT access)
  • Claude API / Claude Code
  • Google Vertex AI
  • Custom Claude Code Skills
  • MCP servers & agents
  • Neo4j knowledge graphs
  • RAG pipelines / pgvector
  • Google Workspace Admin
  • GAM (Domain-Wide Delegation)
  • Kandji MDM (macOS fleet)
  • Snipe-IT asset management
  • ClickUp / Slack / Sentry
  • Bitwarden / Vaultwarden
  • Proxmox VE (KVM/LXC)
  • Docker / Docker Compose
  • NAS (Synology, OMV)
  • PBS backup orchestration
  • nginx reverse proxy
  • Cloudflare / Tailscale
  • Zabbix (27+ hosts)
  • Grafana / Prometheus
  • Sentry error tracking
  • NetBox IPAM/DCIM
  • Discord/Slack alerting
  • Bash / Python / Node.js
  • Slack bots (Bolt SDK)
  • Systemd timers & cron
  • API orchestration (15+ SaaS)
  • SOPS + age encryption
  • Cloudflare DNS/CDN
  • Let's Encrypt TLS
  • Tailscale VPN
  • 30+ subdomain management
  • GeoIP access control

Enterprise — AI & Automation

Enterprise AI Knowledge Platform
Company-wide AI knowledge graph with daily multi-source sync, agentic retrieval, and MCP-powered AI workspace for every employee.
Production
  • Designed the backend architecture and led implementation of a Neo4j knowledge graph with daily ingestion from Google Drive, Slack, HubSpot, ClickUp, Google Sheets, GitBook, and contracts — built to enterprise security and data classification standards
  • LLM-powered extraction converts documents into atomic verified claims with human-in-the-loop review and drift detection
  • Hybrid BM25+vector search across 18 retrieval strategies with agentic query pipeline and entity resolution
  • Deployed 4 custom MCP servers (24 tools) into a self-hosted LibreChat instance — unified AI workspace for the whole company
  • MCP integrations: knowledge base queries, ClickUp project management, GitBook documentation, and web search
  • Slack bot for quick lookups via Socket Mode — accessible to every employee from any channel or DM
  • Automated daily sync pipelines, claim verification workflows, priority scoring, and weekly quality digests
  • ACL-based access control with domain ownership, department-scoped data, and restricted content tiers
Neo4j / FastAPI / Claude / LibreChat / MCP / Vertex AI / Slack / HubSpot / ClickUp / GitBook
AI-Powered Stakeholder Solutions
Partnered with Sales, Legal, Finance, and Operations to design and ship AI-powered tools from problem to production.
Production
  • RFP/SOW response automation with specialized tools, pricing validation, and knowledge graph queries
  • Legal document automation with contract templates, redline review, split-LLM annotation, and deal desk analysis
  • Accounts receivable automation with CRM and accounting integrations, multi-stage dunning, and bilingual support
  • Each project went from stakeholder problem to production tool, built end-to-end with AI-assisted development
Claude / Vertex AI / FastAPI / Google Docs API / HubSpot / QuickBooks
Employee Onboarding/Offboarding Automation
Slack bot automating full employee lifecycle — account provisioning, SaaS access, and task generation across departments.
Production
  • Slack bot handles full onboarding and offboarding across 9 departments via interactive modals
  • Creates Google Workspace accounts and provisions access to Sentry, Bitwarden, ClickUp, and other SaaS platforms
  • Auto-generates ClickUp task checklists tailored per department and role
  • Migrated from PM2 to Cloud Run with HMAC-verified webhooks and GCP Secret Manager
Node.js / Cloud Run / Slack Bolt / Google Admin SDK / ClickUp API
Claude Code Skills & MCP Development Platform
11 custom Claude Code skills and MCP servers that automate daily IT operations and cross-team workflows.
Production
  • 6 Google Workspace skills: onboarding, offboarding, Drive transfers, group management, security audits, incident response
  • Terraform skills for GitHub org access management and DNS record automation via ClickUp-tracked PRs
  • Infrastructure backup sync with automated secret scanning before every push
  • Executive document generation skill for polished HTML+PDF presentations
  • Integrated MCP servers for ClickUp, GitBook, and web search into the company's LibreChat AI platform
Claude Code / MCP / GAM / Terraform / Node.js / Python

Enterprise — Infrastructure & Security

GCP Security & Cloud Operations
Full GCP ownership — Cloud Run, IAM, Vertex AI, Google PAM for JIT access, and Chronicle SIEM.
Ongoing
  • Manage Cloud Run deployments, Compute Engine VMs, IAM policies, and service accounts with Domain-Wide Delegation
  • Deployed Google PAM for just-in-time privileged access to GCP projects — eliminates standing admin access
  • Set up Google SecOps (Chronicle) SIEM with workforce identity federation for centralized log analysis
  • Manage Claude API and Google Vertex AI access, usage, and billing across the organization
GCP / Cloud Run / Google PAM / Chronicle SIEM / IAM / Vertex AI
Terraform GitHub & DNS Governance
All GitHub org access and DNS records managed as code via Terraform with Atlantis GitOps and approval workflows.
Production
  • GitHub organization access and DNS records managed entirely through Terraform with Atlantis GitOps
  • ClickUp ticket → PR → DevOps approval workflow for all changes
  • Pre-commit enforcement with Checkov security scanning, tflint, and terraform-docs generation
  • 50+ org members and 35+ customer collaborator access managed through code
Terraform / OpenTofu / Atlantis / GitHub / Checkov
Google Workspace & Endpoint Security
Full security ownership of Google Workspace and macOS endpoint fleet with Kandji MDM and automated CVE scanning.
Ongoing
  • Own all security aspects of Google Workspace: 2FA enforcement, OAuth token audits, login anomaly detection, compromised account response
  • Manage Kandji MDM fleet with automated CVE scanning across macOS endpoints and compliance policies
  • Device-to-asset sync automation between Kandji and Snipe-IT for inventory tracking
  • Steer monthly security meetings and drive security posture improvements across the organization
Google Workspace / Kandji MDM / Snipe-IT / CVE Scanning / Python
Fleet Security Hardening & SIEM
Wazuh SIEM across all infrastructure, SSH CA with SSO, fleet hardening, and three-phase secret scanning.
Production
  • Deployed Wazuh SIEM across all company infrastructure with custom alerting rules and Slack notifications
  • SSH hardened entire fleet: key-only auth, fail2ban, kernel hardening across all servers
  • Deployed Smallstep SSH CA with Google Workspace SSO for certificate-based SSH access
  • Three-phase secret scanner (pre-commit, CI, scheduled) blocks credentials from ever reaching git
Wazuh / Smallstep CA / fail2ban / gitleaks / UFW

Personal Infrastructure

Multi-Node Hypervisor Cluster
Production-grade Proxmox cluster with automated provisioning, backup orchestration, and credential management.
Live
  • Multi-node Proxmox VE cluster running dozens of VMs, LXC containers, and Docker services
  • Automated deployment scripts handle provisioning, SSH hardening, monitoring registration, and credential storage
  • Full backup orchestration with Proxmox Backup Server and multi-tier storage
  • Centralized credential management via self-hosted Vaultwarden
Proxmox VE / Docker / LXC / PBS
Enterprise-Grade Security Stack
Layered security with SIEM, IDS/IPS, vulnerability scanning, SSO with 2FA, and container CVE remediation.
Live
  • SIEM with tuned alerting, noise suppression, and active response auto-blocking
  • Network IDS/IPS for real-time traffic analysis and threat detection
  • Vulnerability scanning and container CVE remediation across all Docker hosts
  • MITRE ATT&CK-aligned audit rules for detection coverage
  • All external services behind SSO with 2FA, GeoIP blocking, and automated TLS
Wazuh / Suricata / Authelia / Trivy / Cloudflare
Self-Hosted AI & Home Automation
AI chat platform with RAG and memory, AI-powered video surveillance, home automation, and custom pentest framework.
Live
  • Self-hosted AI chat platform with RAG document Q&A and knowledge graph memory
  • AI-powered video surveillance with real-time object detection and remote access via VPN
  • Home automation with smart device integrations and cloud storage access via MCP servers
  • Custom penetration testing framework with modular scanners and report generation
LibreChat / Frigate / Home Assistant / Neo4j / MCP

Professional Background

2024 — Present
IT/IS Manager
Optable (AdTech / Data Privacy SaaS)
  • Own all IT infrastructure, security, cloud operations, and endpoint management for 94+ employees
  • Lead security strategy: Google SecOps Chronicle, Google PAM JIT access, monthly security meetings
  • Built AI agent platform (Ask Optable) and helped stakeholders ship AI-powered business tools
  • Automated employee lifecycle across 15+ SaaS platforms via Slack bot on Cloud Run
  • Built 11 Claude Code skills and MCP agents for daily IT operations and cross-team automation
  • Manage GCP (Cloud Run, IAM, Vertex AI), Terraform GitOps, Kandji MDM fleet with CVE scanning
  • Develop IT and automation solutions where none exist — if there's no tool, I build one

Personal Infrastructure

2024 — Present
Homelab — Full-Stack Infrastructure
9-Node Proxmox Cluster / nabz.ca
  • Multi-node hypervisor cluster with automated provisioning, backup orchestration, and credential management
  • Enterprise-grade security: SIEM, IDS/IPS, vulnerability scanning, SSO with 2FA, and container CVE remediation
  • Self-hosted AI platform, video surveillance with object detection, and home automation
  • Full domain management with reverse proxy, automated TLS, and self-hosted documentation

If it doesn't exist, build it

Most of my best work started because there was no tool for the job. I identify gaps, prototype fast, and ship solutions that stakeholders actually use.

Security is not optional

Every system gets hardened before it goes live. SIEM monitoring, secret scanning, CVE remediation, and JIT access are part of the baseline, not afterthoughts.

AI as a force multiplier

I use Claude Code, MCP agents, and custom skills to move at 10x. AI doesn't replace technical judgment — it amplifies it. I build the tools that make the tools.

Own the full stack

From bare-metal BIOS to AI inference. Understanding every layer means faster debugging, better architecture, and the ability to solve problems nobody else can.