Sultan
/
documentation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update README.md

This commit is contained in:
Sultan Mustafijul Hoque 2025-12-01 14:51:50 +05:30
parent 8892aacb78
commit 940e4184a2
1 changed files with 222 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

224
README.md
View File

@ -1,7 +1,227 @@
# documentation
# ☁️ Niufin Cloud Infrastructure Documentation
**Version:** 1.0
**Server OS:** Windows Server 2025 (Standard/Datacenter)
**Architecture:** Native Windows (No Docker/Hyper-V)
**Public IP:** `152.53.253.74`
**Internal Gateway:** `10.253.0.1` (VPN DNS
**Internal Gateway:** `10.253.0.1` (VPN DNS)
---
## 📚 Table of Contents
1. [Core Infrastructure](#1-core-infrastructure)
- [Active Directory & DNS](#11-active-directory--dns)
- [WireGuard VPN (Remote Access)](#12-wireguard-vpn)
- [IIS Reverse Proxy & SSL](#13-iis-reverse-proxy--ssl-win-acme)
2. [Hosted Services](#2-hosted-services)
- [Cloud Office (RDS)](#21-cloud-office-remote-desktop)
- [Cloud Drive (FileCloud)](#22-cloud-drive-filecloud)
- [Email Server (SmarterMail)](#23-email-server-smartermail)
- [Code Hosting (Gitea)](#24-code-hosting-gitea)
- [Password Vault (Pleasant)](#25-password-vault-pleasant-password-server)
- [Project Management (Kanboard)](#26-project-management-kanboard)
- [Monitoring (Uptime Kuma)](#27-monitoring-uptime-kuma)
3. [Maintenance & Disaster Recovery](#3-maintenance--disaster-recovery)
---
## 1. Core Infrastructure
### 1.1 Active Directory & DNS
* **Domain Name:** `int.niufin.de`
* **Role:** Primary Domain Controller.
* **User Strategy:** "One Identity." All users are created in AD first. All other apps sync from here.
**Critical Configuration:**
* **Privacy Fix (Hide User Folders):**
* By default, users can list `C:\Users`.
* **Fix:** Right-click `C:\Users` > Properties > Security > Advanced.
* Disable Inheritance.
* Edit **Users** group: Uncheck "List folder / read data". Check "Traverse folder / execute file".
* *Result:* Users can access their own folder but cannot see a list of other employees.
### 1.2 WireGuard VPN
* **Software:** [WS4W (WireGuard Server for Windows)](https://github.com/micahmo/WgServerforWindows)
* **Public Port:** `UDP 51820`
* **Tunnel Network:** `10.253.0.0/24`
* **Server IP:** `10.253.0.1`
**Client Configuration (Laptop Join):**
To join a remote laptop to the domain, the client config **MUST** include the DNS setting:
```ini
[Interface]
PrivateKey = <Client_Private_Key>
Address = 10.253.0.2/32
DNS = 10.253.0.1 ; <--- CRITICAL: Points to DC DNS
[Peer]
PublicKey = <Server_Public_Key>
Endpoint = 152.53.253.74:51820
AllowedIPs = 0.0.0.0/0
````
### 1.3 IIS Reverse Proxy & SSL (win-acme)
* **Role:** Central Gateway. All apps run on hidden localhost ports. IIS proxies public HTTPS traffic to them.
* **Modules:** URL Rewrite 2.1, Application Request Routing (ARR) 3.0.
* **SSL Tool:** **win-acme** (`wacs.exe`).
* *Usage:* Run as Admin \> `N` (New) \> Select Site ID.
* *Renewal:* Automatic via Task Scheduler.
-----
## 2\. Hosted Services
### 2.1 Cloud Office (Remote Desktop)
* **URL:** `https://apps.niufin.cloud`
* **Tech:** RDS Web Client (HTML5).
* **Port:** 443 (HTTPS).
**Troubleshooting "Unexpected Server Authentication Certificate":**
If users get certificate errors launching apps, the RDS Broker is presenting the wrong cert.
**Fix:** Run this in PowerShell (Admin):
```powershell
# 1. Find your valid certificate thumbprint
Get-ChildItem Cert:\LocalMachine\My
# 2. Bind it to the RDP Listener
$Thumbprint = "<PASTE_YOUR_THUMBPRINT_HERE>"
$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
Set-WmiInstance -Path $path -Argument @{SSLCertificateSHA1Hash="$Thumbprint"}
# 3. Fix the published name
Set-RDClientAccessName -ConnectionBroker "WIN-SERVER-NAME.int.niufin.de" -ClientAccessName "apps.niufin.cloud"
# 4. Restart
Restart-Service TermService -Force
```
### 2.2 Cloud Drive (FileCloud)
* **URL:** `https://files.niufin.cloud`
* **Internal:** `http://127.0.0.1:8888`
* **Config Path:** `C:\xampp\htdocs\config\cloudconfig.php`
**Critical Config Block:**
Add this to `cloudconfig.php` to fix login loops and AD errors:
```php
define("TONIDOCLOUD_SECURE_COOKIE", "1"); // Fixes "Secure Cookie" error behind IIS
define("TONIDOCLOUD_TRUSTED_HOSTS", "localhost,127.0.0.1,127.0.0.1:8888,files.niufin.cloud");
if (!defined("LDAP_OPT_REFERRALS")) { define("LDAP_OPT_REFERRALS", 0); } // Fixes AD "Operations Error"
```
**AD Integration Settings:**
* **Host:** `int.niufin.de`
* **Port:** `3268` (Global Catalog - **Required** to avoid referral errors).
* **Encryption:** None (Internal network).
* **Admin DN:** `INT\Sultan` (or Service Account).
### 2.3 Email Server (SmarterMail)
* **URL:** `https://mail.niufin.de`
* **Internal:** `http://localhost:9998`
* **Firewall Ports:** `25, 110, 143, 465, 587, 993`.
**Deliverability (Anti-Spam) Setup:**
| Record | Type | Value |
| :--- | :--- | :--- |
| **SPF** | TXT | `v=spf1 ip4:152.53.253.74 -all` |
| **DKIM** | TXT | `selector._domainKey` (Generated in SmarterMail settings) |
| **DMARC** | TXT | `v=DMARC1; p=none; rua=mailto:admin@niufin.de` |
| **rDNS** | PTR | Set in VPS Panel: `152.53.253.74` -\> `mail.niufin.de` |
### 2.4 Code Hosting (Gitea)
* **URL:** `https://git.niufin.cloud`
* **Internal:** `http://localhost:3000`
* **Binary Path:** `C:\gitea\gitea.exe`
**Service Installation:**
Run in CMD (Admin) to ensure it starts on boot:
```cmd
sc create gitea start= auto binPath= "\"C:\gitea\gitea.exe\" web --config \"C:\gitea\custom\conf\app.ini\""
net start gitea
```
### 2.5 Password Vault (Pleasant Password Server)
* **URL:** `https://auth.niufin.cloud`
* **Internal:** `https://localhost:10001` (Note HTTPS).
* **Database:** MS SQL Express (`.\SQLEXPRESS01`).
**Fixing 502.3 Bad Gateway:**
IIS rejects the self-signed cert from Pleasant.
1. Open `mmc.exe` \> Certificates \> Computer Account.
2. Find `PasswordServer_Temporary_Placeholder_Certificate`.
3. Copy it from **Personal** -\> Paste into **Trusted Root Certification Authorities**.
4. **IIS Proxy Rule:** Rewrite URL must be `https://127.0.0.1:10001/{R:1}` (Use IP, not localhost).
### 2.6 Project Management (Kanboard)
* **URL:** `https://projects.niufin.cloud`
* **Path:** `C:\inetpub\wwwroot\kanboard`
* **Tech:** PHP FastCGI.
**Installation Fixes:**
* **Permissions:** `IUSR` and `IIS_IUSRS` must have **Modify** rights on the `data` folder.
* **PHP Config:** Edit `php.ini` and uncomment `extension=pdo_sqlite`.
### 2.7 Monitoring (Uptime Kuma)
* **URL:** `https://status.niufin.cloud`
* **Internal:** `http://localhost:3001`
* **Tech:** Node.js + PM2.
**Service Commands:**
```powershell
# If Kuma stops, run this to revive it:
& "$env:APPDATA\npm\pm2.cmd" resurrect
# To save current state as the boot config:
& "$env:APPDATA\npm\pm2.cmd" save
```
* **Proxy Config:** Disable "Reverse Rewrite Host" in IIS ARR settings to support WebSockets.
-----
## 3\. Maintenance & Disaster Recovery
### **Backups**
The server relies on **Veeam Agent for Windows (Free)**.
* **Backup Mode:** Volume Level (Entire C: Drive).
* **Target:** External Drive or Network Share.
* **Frequency:** Daily (Midnight).
### **Critical Paths for Manual Backup**
* **FileCloud Data:** `C:\FileCloudData`
* **SmarterMail:** `C:\SmarterMail`
* **Gitea:** `C:\gitea\data`
* **Databases:** `C:\Program Files\Microsoft SQL Server\...\MSSQL\DATA`
### **Common Issues & Fixes**
1. **"502 Bad Gateway" on a site:**
* The backend service crashed.
* **Fix:** Check `services.msc` (for Gitea/FileCloud) or `pm2 status` (for Kuma).
2. **VPN won't connect:**
* Check if the `WireGuard Tunnel` service is running.
* Ensure Port `UDP 51820` is allowed in Windows Firewall.
3. **Certificate Expired:**
* Run `wacs.exe` (win-acme) and select "Manage Renewals" to force a check.
<!-- end list -->
```
```