At a minimum, I would mandate:
- wired backhaul to every floor, and ideally to every AP
- roaming, via same SSID at every AP
- Something like OpenWISP to make your admin life easier. Avoid SSH.
- PoE is asking for problems - avoid if possible
- go with dumb APs that just bridge to wired backhaul: (almost) same config on every device
- have a simple (docker capable) Synology NAS running docker, which runs grafana+prometheus
- install the prometheus* plugins on each AP
You need to figure out how many APs per m2 floor area. By the looks of things, at least 3-4 per floor.
If user login to WiFi via captive portal is a must, run a RADIUS (docker) image, and assign each user a unique VLAN. Lock network access to RADIUS approval for each AP MAC, to stop anyone sneaking in, or sneaky devices getting connected. APs which have a single port should minimize attack surface from such problems.
Don't track history - you're asking for GDPR hurt, or local privacy laws.
Devices or device types don't matter - OpenWISP will abstract to whatever hardware you have. Recommend the best AX devices available, where possible, to be future proof, and bandwidth distribution where possible.
1GB bandwidth to 120 rooms when they have full house is painful if everyone opens netflix....
Get a pro or sub-contractor to wire the APs and backhaul, unless you know what you're doing. They'll help you avoid RF interference, cross-talk from power cables, and you'll avoid problems with fire standards. They'll also provide clearly marked infra, and some nice cable diagrams.
Buy a few extra APs, because a few devices will likely die, and require replacing.