How it works

The architecture, end to end

ip·Solis is one repository, four containers and a Postgres. Most teams are in production within a working day.

A small, opinionated stack

The web app, the Celery worker, the PowerShell worker and Beat. Postgres for storage. Reverse proxy of choice.

  • Web app — FastAPI (Python 3.12), server-rendered admin and portal with HTMX + Jinja2 + Tailwind
  • Celery worker — orchestrates runbook execution and async jobs
  • PowerShell 7 worker — runs script steps natively, on Linux, with Kerberos / GSSAPI
  • Beat — schedules cron-driven runbooks and the daily cost-threshold check
  • Flower — for queue inspection in development and incident response

PowerShell 7 worker, on Linux

Native, not a wrapper. Use the modules and idioms you already know.

  • Kerberos / GSSAPI authentication for SCCM
  • PSGallery installs at build time, manual module upload at runtime
  • Per-step timeout, retry and log capture
  • Streaming output to the audit log as the step runs

Celery + Beat for scheduling

Standard cron expressions with timezone awareness. Overlap protection so the same runbook never runs twice concurrently against the same asset.

  • Cron schedules per runbook
  • Timezone-aware (defaults to Europe/Berlin for the threshold checks)
  • Per-asset overlap lock
  • Flower UI for live inspection

Leaver events: SCIM 2.0 and HR webhook

Two flows for the same outcome. Pick whichever your IdP or HRIS supports.

  1. Your IdP or HRIS marks a user as inactive.
  2. It calls /scim/v2/Users with active=false, or /hr/leaver with the user identifier.
  3. ip·Solis enumerates every asset the user holds.
  4. For each asset, the deprovision runbook is queued.
  5. The audit log records every step with full attribution.
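The five steps above, carried through in code as an added example (not ip·Solis code): detect the deactivation in a SCIM 2.0 PatchOp or an HR webhook body, enumerate the user's assets, queue one deprovision job per asset, and write an attributed audit line for each. The inventory, job queue and audit log are in-memory stand-ins constructed for the example; the `/hr/leaver` payload shape (`{"user": ...}`) and the dedupe of already-queued (user, asset) pairs are assumptions of this example, not documented behaviour.

```python
"""Leaver-event intake: SCIM 2.0 PATCH or HR webhook -> one deprovision job per asset."""
from dataclasses import dataclass, field

SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _is_false(value) -> bool:
    # Some IdPs send the boolean as the string "False"; accept both forms.
    return value is False or (isinstance(value, str) and value.lower() == "false")


def scim_marks_inactive(body: dict) -> bool:
    """True if a SCIM PatchOp sets active=false, in either RFC 7644 shape:
    {"op":"replace","path":"active","value":false} or
    {"op":"replace","value":{"active":false}}."""
    if SCIM_PATCH not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp")
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("replace", "add"):
            continue
        path = (op.get("path") or "").lower()
        value = op.get("value")
        if path == "active" and _is_false(value):
            return True
        if path == "" and isinstance(value, dict) and _is_false(value.get("active")):
            return True
    return False


@dataclass(frozen=True)
class Job:
    runbook: str
    user: str
    asset: str
    source: str          # "scim" or "hr", kept for attribution in the audit log


@dataclass
class LeaverPipeline:
    inventory: dict[str, list[str]]                 # user id -> assets held (constructed)
    queue: list[Job] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)
    pending: set[tuple[str, str]] = field(default_factory=set)

    def _fan_out(self, user: str, source: str) -> list[Job]:
        assets = self.inventory.get(user, [])
        self.audit.append(f"{source}: leaver event for {user}, {len(assets)} asset(s) held")
        # Dedupe: a SCIM retry and the HR webhook may both announce the same leaver.
        fresh = [a for a in assets if (user, a) not in self.pending]
        jobs = [Job("deprovision", user, a, source) for a in fresh]
        for job in jobs:
            self.pending.add((user, job.asset))
            self.queue.append(job)
            self.audit.append(f"{source}: queued deprovision of {job.asset} for {user}")
        return jobs

    def scim_patch(self, user_id: str, body: dict) -> list[Job]:
        """Handler for PATCH /scim/v2/Users/<id>; only active=false triggers deprovisioning."""
        if not scim_marks_inactive(body):
            return []
        return self._fan_out(user_id, "scim")

    def hr_leaver(self, body: dict) -> list[Job]:
        """Handler for the HR webhook; payload shape is an assumption of this example."""
        user = body.get("user")
        if not user:
            raise ValueError("leaver payload lacks a user identifier")
        return self._fan_out(user, "hr")
```

Both entry points sit behind authentication in any real deployment (the SCIM bearer token the IdP was issued, a signature or shared secret on the HR webhook); an unauthenticated deactivation endpoint is a one-request denial of service against every user. The example deliberately ignores every PatchOp that does not set `active=false`, so routine attribute updates from the IdP never reach the deprovision runbook.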

The order state machine

Every order moves through this machine. Failures and revocations are first-class — never silent.

  1. Pending Approval

    Awaiting manager approval.

  2. Scheduled

    Approved and queued for the worker.

  3. Processing

    Runbook steps executing.

  4. Provisioned

    The asset is live for the user.

  5. Failed

    A critical step failed. Review the log.

  6. Cancelled

    Cancelled before processing.

  7. Revoked

    Access revoked and the asset reclaimed.
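The machine above, as an added example that is not ip·Solis code. The seven states are the page's; the allowed transitions are inferred from their descriptions (Cancelled only before processing, Failed only from a running runbook, Revoked only from a live asset) and are an assumption of this example, as is treating Failed as terminal with no automatic retry. The point of an explicit table is that a worker or an API caller cannot skip approval: Pending Approval to Processing is simply not a legal edge, and every accepted transition is recorded with its actor.

```python
"""Order state machine with an explicit transition table (added example, not project code)."""
from enum import Enum


class State(str, Enum):
    PENDING_APPROVAL = "Pending Approval"
    SCHEDULED = "Scheduled"
    PROCESSING = "Processing"
    PROVISIONED = "Provisioned"
    FAILED = "Failed"
    CANCELLED = "Cancelled"
    REVOKED = "Revoked"


# Assumed edges, derived from the state descriptions; an empty set marks a terminal state.
TRANSITIONS: dict[State, set[State]] = {
    State.PENDING_APPROVAL: {State.SCHEDULED, State.CANCELLED},
    State.SCHEDULED: {State.PROCESSING, State.CANCELLED},
    State.PROCESSING: {State.PROVISIONED, State.FAILED},
    State.PROVISIONED: {State.REVOKED},
    State.FAILED: set(),
    State.CANCELLED: set(),
    State.REVOKED: set(),
}


class IllegalTransition(Exception):
    """Raised instead of silently ignoring a move the table does not allow."""


def is_terminal(state: State) -> bool:
    return not TRANSITIONS[state]


class Order:
    def __init__(self, order_id: str, asset: str, user: str) -> None:
        self.order_id = order_id
        self.asset = asset
        self.user = user
        self.state = State.PENDING_APPROVAL
        # (from, to, actor, reason): the attribution trail the audit log would persist
        self.history: list[tuple[State, State, str, str]] = []

    def transition(self, to: State, actor: str, reason: str = "") -> "Order":
        if to not in TRANSITIONS[self.state]:
            raise IllegalTransition(
                f"{self.order_id}: {self.state.value} -> {to.value} by {actor} is not allowed"
            )
        self.history.append((self.state, to, actor, reason))
        self.state = to
        return self
```

Keep the approval and the worker paths as separate callers of `transition`: the manager's approval moves Pending Approval to Scheduled, the worker moves Scheduled to Processing and onward, and neither can reach a state the table denies it, whatever the request body says.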
