From 940e4184a2357d7e10237493ef6dadebb605951d Mon Sep 17 00:00:00 2001 From: Sultan Mustafijul Hoque Date: Mon, 1 Dec 2025 14:51:50 +0530 Subject: [PATCH] Update README.md --- README.md | 224 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 222 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bd05190..817c70e 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,227 @@ -# documentation +# ☁️ Niufin Cloud Infrastructure Documentation **Version:** 1.0 **Server OS:** Windows Server 2025 (Standard/Datacenter) **Architecture:** Native Windows (No Docker/Hyper-V) **Public IP:** `152.53.253.74` -**Internal Gateway:** `10.253.0.1` (VPN DNS \ No newline at end of file +**Internal Gateway:** `10.253.0.1` (VPN DNS) + +--- + +## 📚 Table of Contents +1. [Core Infrastructure](#1-core-infrastructure) + - [Active Directory & DNS](#11-active-directory--dns) + - [WireGuard VPN (Remote Access)](#12-wireguard-vpn) + - [IIS Reverse Proxy & SSL](#13-iis-reverse-proxy--ssl-win-acme) +2. [Hosted Services](#2-hosted-services) + - [Cloud Office (RDS)](#21-cloud-office-remote-desktop) + - [Cloud Drive (FileCloud)](#22-cloud-drive-filecloud) + - [Email Server (SmarterMail)](#23-email-server-smartermail) + - [Code Hosting (Gitea)](#24-code-hosting-gitea) + - [Password Vault (Pleasant)](#25-password-vault-pleasant-password-server) + - [Project Management (Kanboard)](#26-project-management-kanboard) + - [Monitoring (Uptime Kuma)](#27-monitoring-uptime-kuma) +3. [Maintenance & Disaster Recovery](#3-maintenance--disaster-recovery) + +--- + +## 1. Core Infrastructure + +### 1.1 Active Directory & DNS +* **Domain Name:** `int.niufin.de` +* **Role:** Primary Domain Controller. +* **User Strategy:** "One Identity." All users are created in AD first. All other apps sync from here. + +**Critical Configuration:** +* **Privacy Fix (Hide User Folders):** + * By default, users can list `C:\Users`. + * **Fix:** Right-click `C:\Users` > Properties > Security > Advanced. + * Disable Inheritance. + * Edit **Users** group: Uncheck "List folder / read data". Check "Traverse folder / execute file". + * *Result:* Users can access their own folder but cannot see a list of other employees. 
+ +### 1.2 WireGuard VPN +* **Software:** [WS4W (WireGuard Server for Windows)](https://github.com/micahmo/WgServerforWindows) +* **Public Port:** `UDP 51820` +* **Tunnel Network:** `10.253.0.0/24` +* **Server IP:** `10.253.0.1` + +**Client Configuration (Laptop Join):** +To join a remote laptop to the domain, the client config **MUST** include the DNS setting: +```ini +[Interface] +PrivateKey = +Address = 10.253.0.2/32 +DNS = 10.253.0.1 ; <--- CRITICAL: Points to DC DNS + +[Peer] +PublicKey = +Endpoint = 152.53.253.74:51820 +AllowedIPs = 0.0.0.0/0 +```` + +### 1.3 IIS Reverse Proxy & SSL (win-acme) + + * **Role:** Central Gateway. All apps run on hidden localhost ports. IIS proxies public HTTPS traffic to them. + * **Modules:** URL Rewrite 2.1, Application Request Routing (ARR) 3.0. + * **SSL Tool:** **win-acme** (`wacs.exe`). + * *Usage:* Run as Admin \> `N` (New) \> Select Site ID. + * *Renewal:* Automatic via Task Scheduler. + +----- + +## 2\. Hosted Services + +### 2.1 Cloud Office (Remote Desktop) + + * **URL:** `https://apps.niufin.cloud` + * **Tech:** RDS Web Client (HTML5). + * **Port:** 443 (HTTPS). + +**Troubleshooting "Unexpected Server Authentication Certificate":** +If users get certificate errors launching apps, the RDS Broker is presenting the wrong cert. +**Fix:** Run this in PowerShell (Admin): + +```powershell +# 1. Find your valid certificate thumbprint +Get-ChildItem Cert:\LocalMachine\My + +# 2. Bind it to the RDP Listener +$Thumbprint = "" +$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH +Set-WmiInstance -Path $path -Argument @{SSLCertificateSHA1Hash="$Thumbprint"} + +# 3. Fix the published name +Set-RDClientAccessName -ConnectionBroker "WIN-SERVER-NAME.int.niufin.de" -ClientAccessName "apps.niufin.cloud" + +# 4. 
Restart +Restart-Service TermService -Force +``` + +### 2.2 Cloud Drive (FileCloud) + + * **URL:** `https://files.niufin.cloud` + * **Internal:** `http://127.0.0.1:8888` + * **Config Path:** `C:\xampp\htdocs\config\cloudconfig.php` + +**Critical Config Block:** +Add this to `cloudconfig.php` to fix login loops and AD errors: + +```php +define("TONIDOCLOUD_SECURE_COOKIE", "1"); // Fixes "Secure Cookie" error behind IIS +define("TONIDOCLOUD_TRUSTED_HOSTS", "localhost,127.0.0.1,127.0.0.1:8888,files.niufin.cloud"); +if (!defined("LDAP_OPT_REFERRALS")) { define("LDAP_OPT_REFERRALS", 0); } // Fixes AD "Operations Error" +``` + +**AD Integration Settings:** + + * **Host:** `int.niufin.de` + * **Port:** `3268` (Global Catalog - **Required** to avoid referral errors). + * **Encryption:** None (Internal network). + * **Admin DN:** `INT\Sultan` (or Service Account). + +### 2.3 Email Server (SmarterMail) + + * **URL:** `https://mail.niufin.de` + * **Internal:** `http://localhost:9998` + * **Firewall Ports:** `25, 110, 143, 465, 587, 993`. + +**Deliverability (Anti-Spam) Setup:** +| Record | Type | Value | +| :--- | :--- | :--- | +| **SPF** | TXT | `v=spf1 ip4:152.53.253.74 -all` | +| **DKIM** | TXT | `selector._domainKey` (Generated in SmarterMail settings) | +| **DMARC** | TXT | `v=DMARC1; p=none; rua=mailto:admin@niufin.de` | +| **rDNS** | PTR | Set in VPS Panel: `152.53.253.74` -\> `mail.niufin.de` | + +### 2.4 Code Hosting (Gitea) + + * **URL:** `https://git.niufin.cloud` + * **Internal:** `http://localhost:3000` + * **Binary Path:** `C:\gitea\gitea.exe` + +**Service Installation:** +Run in CMD (Admin) to ensure it starts on boot: + +```cmd +sc create gitea start= auto binPath= "\"C:\gitea\gitea.exe\" web --config \"C:\gitea\custom\conf\app.ini\"" +net start gitea +``` + +### 2.5 Password Vault (Pleasant Password Server) + + * **URL:** `https://auth.niufin.cloud` + * **Internal:** `https://localhost:10001` (Note HTTPS). + * **Database:** MS SQL Express (`.\SQLEXPRESS01`). 
+ +**Fixing 502.3 Bad Gateway:** +IIS rejects the self-signed cert from Pleasant. + +1. Open `mmc.exe` \> Certificates \> Computer Account. +2. Find `PasswordServer_Temporary_Placeholder_Certificate`. +3. Copy it from **Personal** -\> Paste into **Trusted Root Certification Authorities**. +4. **IIS Proxy Rule:** Rewrite URL must be `https://127.0.0.1:10001/{R:1}` (Use IP, not localhost). + +### 2.6 Project Management (Kanboard) + + * **URL:** `https://projects.niufin.cloud` + * **Path:** `C:\inetpub\wwwroot\kanboard` + * **Tech:** PHP FastCGI. + +**Installation Fixes:** + + * **Permissions:** `IUSR` and `IIS_IUSRS` must have **Modify** rights on the `data` folder. + * **PHP Config:** Edit `php.ini` and uncomment `extension=pdo_sqlite`. + +### 2.7 Monitoring (Uptime Kuma) + + * **URL:** `https://status.niufin.cloud` + * **Internal:** `http://localhost:3001` + * **Tech:** Node.js + PM2. + +**Service Commands:** + +```powershell +# If Kuma stops, run this to revive it: +& "$env:APPDATA\npm\pm2.cmd" resurrect + +# To save current state as the boot config: +& "$env:APPDATA\npm\pm2.cmd" save +``` + + * **Proxy Config:** Disable "Reverse Rewrite Host" in IIS ARR settings to support WebSockets. + +----- + +## 3\. Maintenance & Disaster Recovery + +### **Backups** + +The server relies on **Veeam Agent for Windows (Free)**. + + * **Backup Mode:** Volume Level (Entire C: Drive). + * **Target:** External Drive or Network Share. + * **Frequency:** Daily (Midnight). + +### **Critical Paths for Manual Backup** + + * **FileCloud Data:** `C:\FileCloudData` + * **SmarterMail:** `C:\SmarterMail` + * **Gitea:** `C:\gitea\data` + * **Databases:** `C:\Program Files\Microsoft SQL Server\...\MSSQL\DATA` + +### **Common Issues & Fixes** + +1. **"502 Bad Gateway" on a site:** + * The backend service crashed. + * **Fix:** Check `services.msc` (for Gitea/FileCloud) or `pm2 status` (for Kuma). +2. **VPN won't connect:** + * Check if the `WireGuard Tunnel` service is running. 
+ * Ensure Port `UDP 51820` is allowed in Windows Firewall. +3. **Certificate Expired:** + * Run `wacs.exe` (win-acme) and select "Manage Renewals" to force a check. + + + +``` +``` \ No newline at end of file
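Review bot: in section 2.5 (Pleasant Password Server), step 3 of "Fixing 502.3 Bad Gateway" has the reader copy `PasswordServer_Temporary_Placeholder_Certificate` from Personal into Trusted Root Certification Authorities, which turns a temporary self-signed certificate into a trust anchor for the whole IIS host; the README should instead describe replacing the placeholder with a certificate the server already trusts, and if the root-store workaround is kept, record the placeholder's expiry date so the 502.3 does not silently come back. Two related points in the same hunk: in 2.2 the FileCloud AD integration is documented as `Encryption: None` on port `3268` with `INT\Sultan` as the bind account, so the bind password is sent without transport encryption under a personal admin identity; prefer Global Catalog over LDAPS on `3269` and a dedicated read-only service account, and state that in the settings list rather than leaving it at "(or Service Account)". In 2.3 the DMARC record is `p=none`, which only reports and never rejects spoofed mail, and the firewall list opens `110` and `143`; the deliverability table should say `p=none` is a monitoring phase with a planned move to `quarantine`/`reject`, and note whether plaintext POP3/IMAP logins are disabled on those two ports. Minor style: the WireGuard client config block closes with four backticks instead of three, and the file ends with an empty pair of triple-backtick fences that renders as a stray code block; both should be removed.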