☁️ Niufin Cloud Infrastructure Documentation

Version: 1.0
Server OS: Windows Server 2025 (Standard/Datacenter)
Architecture: Native Windows (No Docker/Hyper-V)
Public IP: 152.53.253.74
Internal Gateway: 10.253.0.1 (VPN DNS)

---

📚 Table of Contents

1. Core Infrastructure
   • Active Directory & DNS
   • WireGuard VPN (Remote Access)
   • IIS Reverse Proxy & SSL
2. Hosted Services
   • Cloud Office (RDS)
   • Cloud Drive (FileCloud)
   • Email Server (SmarterMail)
   • Code Hosting (Gitea)
   • Password Vault (Pleasant)
   • Project Management (Kanboard)
   • Monitoring (Uptime Kuma)
3. Maintenance & Disaster Recovery

---

1. Core Infrastructure

1.1 Active Directory & DNS

• Domain Name: int.niufin.de
• Role: Primary Domain Controller.
• User Strategy: "One Identity." All users are created in AD first. All other apps sync from here.

Critical Configuration:

• Privacy Fix (Hide User Folders):
  • By default, users can list C:\Users.
  • Fix: Right-click C:\Users > Properties > Security > Advanced.
  • Disable Inheritance.
  • Edit Users group: Uncheck "List folder / read data". Check "Traverse folder / execute file".
  • Result: Users can access their own folder but cannot see a list of other employees.

1.2 WireGuard VPN

• Software: WS4W (WireGuard Server for Windows)
• Public Port: UDP 51820
• Tunnel Network: 10.253.0.0/24
• Server IP: 10.253.0.1

Client Configuration (Laptop Join): To join a remote laptop to the domain, the client config MUST include the DNS setting:

[Interface]
PrivateKey = <Client_Private_Key>
Address = 10.253.0.2/32
DNS = 10.253.0.1  ; <--- CRITICAL: Points to DC DNS

[Peer]
PublicKey = <Server_Public_Key>
Endpoint = 152.53.253.74:51820
AllowedIPs = 0.0.0.0/0

1.3 IIS Reverse Proxy & SSL (win-acme)

• Role: Central Gateway. All apps run on hidden localhost ports. IIS proxies public HTTPS traffic to them.
• Modules: URL Rewrite 2.1, Application Request Routing (ARR) 3.0.
• SSL Tool: win-acme (wacs.exe).
  • Usage: Run as Admin > N (New) > Select Site ID.
  • Renewal: Automatic via Task Scheduler.

---

2. Hosted Services

2.1 Cloud Office (Remote Desktop)

• URL: https://apps.niufin.cloud
• Tech: RDS Web Client (HTML5).
• Port: 443 (HTTPS).

Troubleshooting "Unexpected Server Authentication Certificate": If users get certificate errors launching apps, the RDS Broker is presenting the wrong cert. Fix: Run this in PowerShell (Admin):

# 1. Find your valid certificate thumbprint
Get-ChildItem Cert:\LocalMachine\My

# 2. Bind it to the RDP Listener
$Thumbprint = "<PASTE_YOUR_THUMBPRINT_HERE>"
$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
Set-WmiInstance -Path $path -Argument @{SSLCertificateSHA1Hash="$Thumbprint"}

# 3. Fix the published name
Set-RDClientAccessName -ConnectionBroker "WIN-SERVER-NAME.int.niufin.de" -ClientAccessName "apps.niufin.cloud"

# 4. Restart
Restart-Service TermService -Force

2.2 Cloud Drive (FileCloud)

• URL: https://files.niufin.cloud
• Internal: http://127.0.0.1:8888
• Config Path: C:\xampp\htdocs\config\cloudconfig.php

Critical Config Block: Add this to cloudconfig.php to fix login loops and AD errors:

define("TONIDOCLOUD_SECURE_COOKIE", "1"); // Fixes "Secure Cookie" error behind IIS
define("TONIDOCLOUD_TRUSTED_HOSTS", "localhost,127.0.0.1,127.0.0.1:8888,files.niufin.cloud");
if (!defined("LDAP_OPT_REFERRALS")) { define("LDAP_OPT_REFERRALS", 0); } // Fixes AD "Operations Error"

AD Integration Settings:

• Host: int.niufin.de
• Port: 3268 (Global Catalog - Required to avoid referral errors).
• Encryption: None (Internal network).
• Admin DN: INT\Sultan (or Service Account).

2.3 Email Server (SmarterMail)

• URL: https://mail.niufin.de
• Internal: http://localhost:9998
• Firewall Ports: 25, 110, 143, 465, 587, 993.

Deliverability (Anti-Spam) Setup:

Record	Type	Value
SPF	TXT	v=spf1 ip4:152.53.253.74 -all
DKIM	TXT	selector._domainKey (Generated in SmarterMail settings)
DMARC	TXT	v=DMARC1; p=none; rua=mailto:admin@niufin.de
rDNS	PTR	Set in VPS Panel: 152.53.253.74 -> mail.niufin.de

2.4 Code Hosting (Gitea)

• URL: https://git.niufin.cloud
• Internal: http://localhost:3000
• Binary Path: C:\gitea\gitea.exe

Service Installation: Run in CMD (Admin) to ensure it starts on boot:

sc create gitea start= auto binPath= "\"C:\gitea\gitea.exe\" web --config \"C:\gitea\custom\conf\app.ini\""
net start gitea

2.5 Password Vault (Pleasant Password Server)

• URL: https://auth.niufin.cloud
• Internal: https://localhost:10001 (Note HTTPS).
• Database: MS SQL Express (.\SQLEXPRESS01).

Fixing 502.3 Bad Gateway: IIS rejects the self-signed cert from Pleasant.

1. Open mmc.exe > Certificates > Computer Account.
2. Find PasswordServer_Temporary_Placeholder_Certificate.
3. Copy it from Personal -> Paste into Trusted Root Certification Authorities.
4. IIS Proxy Rule: Rewrite URL must be https://127.0.0.1:10001/{R:1} (Use IP, not localhost).

2.6 Project Management (Kanboard)

• URL: https://projects.niufin.cloud
• Path: C:\inetpub\wwwroot\kanboard
• Tech: PHP FastCGI.

Installation Fixes:

• Permissions: IUSR and IIS_IUSRS must have Modify rights on the data folder.
• PHP Config: Edit php.ini and uncomment extension=pdo_sqlite.

2.7 Monitoring (Uptime Kuma)

• URL: https://status.niufin.cloud
• Internal: http://localhost:3001
• Tech: Node.js + PM2.

Service Commands:

# If Kuma stops, run this to revive it:
& "$env:APPDATA\npm\pm2.cmd" resurrect

# To save current state as the boot config:
& "$env:APPDATA\npm\pm2.cmd" save

• Proxy Config: Disable "Reverse Rewrite Host" in IIS ARR settings to support WebSockets.

---

3. Maintenance & Disaster Recovery

Backups

The server relies on Veeam Agent for Windows (Free).

• Backup Mode: Volume Level (Entire C: Drive).
• Target: External Drive or Network Share.
• Frequency: Daily (Midnight).

Critical Paths for Manual Backup

• FileCloud Data: C:\FileCloudData
• SmarterMail: C:\SmarterMail
• Gitea: C:\gitea\data
• Databases: C:\Program Files\Microsoft SQL Server\...\MSSQL\DATA

Common Issues & Fixes

1. "502 Bad Gateway" on a site:
   • The backend service crashed.
   • Fix: Check services.msc (for Gitea/FileCloud) or pm2 status (for Kuma).
2. VPN won't connect:
   • Check if the WireGuard Tunnel service is running.
   • Ensure Port UDP 51820 is allowed in Windows Firewall.
3. Certificate Expired:
   • Run wacs.exe (win-acme) and select "Manage Renewals" to force a check.