# ☁️ Niufin Cloud Infrastructure Documentation

* **Version:** 1.0
* **Server OS:** Windows Server 2025 (Standard/Datacenter)
* **Architecture:** Native Windows (No Docker/Hyper-V)
* **Public IP:** `152.53.253.74`
* **Internal Gateway:** `10.253.0.1` (VPN DNS)

---

## 📚 Table of Contents

1. [Core Infrastructure](#1-core-infrastructure)
   - [Active Directory & DNS](#11-active-directory--dns)
   - [WireGuard VPN (Remote Access)](#12-wireguard-vpn)
   - [IIS Reverse Proxy & SSL](#13-iis-reverse-proxy--ssl-win-acme)
2. [Hosted Services](#2-hosted-services)
   - [Cloud Office (RDS)](#21-cloud-office-remote-desktop)
   - [Cloud Drive (FileCloud)](#22-cloud-drive-filecloud)
   - [Email Server (SmarterMail)](#23-email-server-smartermail)
   - [Code Hosting (Gitea)](#24-code-hosting-gitea)
   - [Password Vault (Pleasant)](#25-password-vault-pleasant-password-server)
   - [Project Management (Kanboard)](#26-project-management-kanboard)
   - [Monitoring (Uptime Kuma)](#27-monitoring-uptime-kuma)
3. [Maintenance & Disaster Recovery](#3-maintenance--disaster-recovery)

---

## 1. Core Infrastructure

### 1.1 Active Directory & DNS

* **Domain Name:** `int.niufin.de`
* **Role:** Primary Domain Controller.
* **User Strategy:** "One Identity." All users are created in AD first; all other apps sync from here.

**Critical Configuration:**

* **Privacy Fix (Hide User Folders):**
  * By default, users can list `C:\Users`.
  * **Fix:** Right-click `C:\Users` > Properties > Security > Advanced.
  * Disable Inheritance.
  * Edit the **Users** group: uncheck "List folder / read data"; check "Traverse folder / execute file".
  * *Result:* Users can access their own folder but cannot see a list of other employees.
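The same NTFS change as a script, so it can be re-applied after a rebuild and verified. This is an added example, not part of the original runbook; it assumes the default `C:\Users` ACL of Windows Server 2025, the well-known SID of BUILTIN\Users, and an elevated session.

```powershell
# Added PowerShell equivalent of the "Hide User Folders" steps above (not part of the original
# runbook). Assumes the default C:\Users ACL on Windows Server 2025 and an elevated session.
$UsersRoot = 'C:\Users'
$ListRight = [System.Security.AccessControl.FileSystemRights]::ListDirectory   # "List folder / read data"
$Traverse  = [System.Security.AccessControl.FileSystemRights]::Traverse        # "Traverse folder / execute file"

# Step 1: "Disable Inheritance", keeping the current entries as explicit ACEs. Persist this first so
# the next Get-Acl returns editable explicit rules instead of read-only inherited ones.
$acl = Get-Acl -Path $UsersRoot
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $UsersRoot -AclObject $acl

# Step 2: rewrite every BUILTIN\Users allow-entry without ListDirectory and with Traverse set,
# keeping its original "applies to" scope (inheritance/propagation flags).
$acl   = Get-Acl -Path $UsersRoot
$users = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'          # BUILTIN\Users, locale-independent
$rules = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $users.Value -and $_.AccessControlType -eq 'Allow' })
$acl.PurgeAccessRules($users)
foreach ($rule in $rules) {
    $rights = ($rule.FileSystemRights -band (-bnot $ListRight)) -bor $Traverse
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $users, $rights, $rule.InheritanceFlags, $rule.PropagationFlags, 'Allow'))
}
Set-Acl -Path $UsersRoot -AclObject $acl

# Verification: list every principal that can still enumerate C:\Users. Only SYSTEM and Administrators
# should remain; any other entry (for example a separate "Everyone" ACE) would undo the fix.
(Get-Acl -Path $UsersRoot).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $ListRight) -ne 0) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Run the verification part alone at any time to confirm the fix has not been reverted by a later permission change.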
### 1.2 WireGuard VPN

* **Software:** [WS4W (WireGuard Server for Windows)](https://github.com/micahmo/WgServerforWindows)
* **Public Port:** `UDP 51820`
* **Tunnel Network:** `10.253.0.0/24`
* **Server IP:** `10.253.0.1`

**Client Configuration (Laptop Join):**

To join a remote laptop to the domain, the client config **MUST** include the DNS setting:

```ini
[Interface]
PrivateKey =                          # the laptop's own private key
Address = 10.253.0.2/32
DNS = 10.253.0.1                      # <--- CRITICAL: points to the DC DNS

[Peer]
PublicKey =                           # the server's public key
Endpoint = 152.53.253.74:51820
AllowedIPs = 0.0.0.0/0                # full tunnel: all traffic goes through the server
```

### 1.3 IIS Reverse Proxy & SSL (win-acme)

* **Role:** Central Gateway. All apps run on hidden localhost ports; IIS proxies public HTTPS traffic to them.
* **Modules:** URL Rewrite 2.1, Application Request Routing (ARR) 3.0.
* **SSL Tool:** **win-acme** (`wacs.exe`).
  * *Usage:* Run as Admin > `N` (New) > Select Site ID.
  * *Renewal:* Automatic via Task Scheduler.

---

## 2. Hosted Services

### 2.1 Cloud Office (Remote Desktop)

* **URL:** `https://apps.niufin.cloud`
* **Tech:** RDS Web Client (HTML5).
* **Port:** 443 (HTTPS).

**Troubleshooting "Unexpected Server Authentication Certificate":**

If users get certificate errors launching apps, the RDS Broker is presenting the wrong cert.

**Fix:** Run this in PowerShell (Admin):

```powershell
# 1. Find the thumbprint of the valid certificate
Get-ChildItem Cert:\LocalMachine\My

# 2. Bind it to the RDP listener
$Thumbprint = ""   # <-- paste the thumbprint from step 1
$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
Set-WmiInstance -Path $path -Argument @{SSLCertificateSHA1Hash="$Thumbprint"}

# 3. Fix the published name
Set-RDClientAccessName -ConnectionBroker "WIN-SERVER-NAME.int.niufin.de" -ClientAccessName "apps.niufin.cloud"

# 4. Restart the Remote Desktop service
Restart-Service TermService -Force
```

### 2.2 Cloud Drive (FileCloud)

* **URL:** `https://files.niufin.cloud`
* **Internal:** `http://127.0.0.1:8888`
* **Config Path:** `C:\xampp\htdocs\config\cloudconfig.php`

**Critical Config Block:**

Add this to `cloudconfig.php` to fix login loops and AD errors:

```php
define("TONIDOCLOUD_SECURE_COOKIE", "1"); // Fixes "Secure Cookie" error behind IIS
define("TONIDOCLOUD_TRUSTED_HOSTS", "localhost,127.0.0.1,127.0.0.1:8888,files.niufin.cloud");
if (!defined("LDAP_OPT_REFERRALS")) { define("LDAP_OPT_REFERRALS", 0); } // Fixes AD "Operations Error"
```

**AD Integration Settings:**

* **Host:** `int.niufin.de`
* **Port:** `3268` (Global Catalog; **required** to avoid referral errors).
* **Encryption:** None (internal network).
* **Admin DN:** `INT\Sultan` (or a service account).

### 2.3 Email Server (SmarterMail)

* **URL:** `https://mail.niufin.de`
* **Internal:** `http://localhost:9998`
* **Firewall Ports:** `25, 110, 143, 465, 587, 993`.

**Deliverability (Anti-Spam) Setup:**

| Record | Type | Value |
| :--- | :--- | :--- |
| **SPF** | TXT | `v=spf1 ip4:152.53.253.74 -all` |
| **DKIM** | TXT | `selector._domainKey` (generated in SmarterMail settings) |
| **DMARC** | TXT | `v=DMARC1; p=none; rua=mailto:admin@niufin.de` |
| **rDNS** | PTR | Set in the VPS panel: `152.53.253.74` -> `mail.niufin.de` |

### 2.4 Code Hosting (Gitea)

* **URL:** `https://git.niufin.cloud`
* **Internal:** `http://localhost:3000`
* **Binary Path:** `C:\gitea\gitea.exe`

**Service Installation:**

Run in CMD (Admin) to ensure it starts on boot:

```cmd
sc create gitea start= auto binPath= "\"C:\gitea\gitea.exe\" web --config \"C:\gitea\custom\conf\app.ini\""
net start gitea
```

### 2.5 Password Vault (Pleasant Password Server)

* **URL:** `https://auth.niufin.cloud`
* **Internal:** `https://localhost:10001` (note HTTPS).
* **Database:** MS SQL Express (`.\SQLEXPRESS01`).

**Fixing 502.3 Bad Gateway:**

IIS rejects the self-signed cert from Pleasant.

1. Open `mmc.exe` > Certificates > Computer Account.
2. Find `PasswordServer_Temporary_Placeholder_Certificate`.
3. Copy it from **Personal** -> paste into **Trusted Root Certification Authorities**.
4. **IIS Proxy Rule:** The rewrite URL must be `https://127.0.0.1:10001/{R:1}` (use the IP, not localhost).

### 2.6 Project Management (Kanboard)

* **URL:** `https://projects.niufin.cloud`
* **Path:** `C:\inetpub\wwwroot\kanboard`
* **Tech:** PHP FastCGI.

**Installation Fixes:**

* **Permissions:** `IUSR` and `IIS_IUSRS` must have **Modify** rights on the `data` folder.
* **PHP Config:** Edit `php.ini` and uncomment `extension=pdo_sqlite`.

### 2.7 Monitoring (Uptime Kuma)

* **URL:** `https://status.niufin.cloud`
* **Internal:** `http://localhost:3001`
* **Tech:** Node.js + PM2.

**Service Commands:**

```powershell
# If Kuma stops, run this to revive it:
& "$env:APPDATA\npm\pm2.cmd" resurrect

# To save the current state as the boot config:
& "$env:APPDATA\npm\pm2.cmd" save
```

* **Proxy Config:** Disable "Reverse Rewrite Host" in the IIS ARR settings to support WebSockets.

---

## 3. Maintenance & Disaster Recovery

### Backups

The server relies on **Veeam Agent for Windows (Free)**.

* **Backup Mode:** Volume Level (entire C: drive).
* **Target:** External drive or network share.
* **Frequency:** Daily (midnight).

### Critical Paths for Manual Backup

* **FileCloud Data:** `C:\FileCloudData`
* **SmarterMail:** `C:\SmarterMail`
* **Gitea:** `C:\gitea\data`
* **Databases:** `C:\Program Files\Microsoft SQL Server\...\MSSQL\DATA`

### Common Issues & Fixes

1. **"502 Bad Gateway" on a site:**
   * The backend service crashed.
   * **Fix:** Check `services.msc` (for Gitea/FileCloud) or `pm2 status` (for Kuma).
2. **VPN won't connect:**
   * Check that the `WireGuard Tunnel` service is running.
   * Ensure port `UDP 51820` is allowed in Windows Firewall.
3. **Certificate Expired:**
   * Run `wacs.exe` (win-acme) and select "Manage Renewals" to force a check.
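A single health check that covers the three issues above plus the section 2.3 DNS records, so the cause of a 502, a failed VPN connection or an expiring certificate is visible before users report it. This is an added example, not part of the original runbook; it assumes the localhost ports and hostnames listed on this page, that `niufin.de` is the mail sending domain, that the tunnel service's display name starts with "WireGuard Tunnel", and an elevated PowerShell session on the server.

```powershell
# Added verification script for the "Common Issues & Fixes" list and the section 2.3 DNS records
# (not part of the original runbook). Assumes the ports, hostnames and service names on this page.

$Backends = @{                 # public host -> hidden localhost port (sections 2.2 - 2.7)
    'files.niufin.cloud'  = 8888
    'mail.niufin.de'      = 9998
    'git.niufin.cloud'    = 3000
    'auth.niufin.cloud'   = 10001
    'status.niufin.cloud' = 3001
}

function Result($Check, $Detail, $OK) { [pscustomobject]@{ Check = $Check; Detail = $Detail; OK = [bool]$OK } }

# 1. "502 Bad Gateway": a 502 from IIS usually means the backend is not listening on its port.
function Test-Backends {
    foreach ($site in $Backends.Keys) {
        $port = $Backends[$site]
        $tcp  = Test-NetConnection -ComputerName 127.0.0.1 -Port $port -WarningAction SilentlyContinue
        Result "backend $site" "127.0.0.1:$port" $tcp.TcpTestSucceeded
    }
}

# 2. "VPN won't connect": tunnel service running and UDP 51820 allowed inbound by the firewall.
function Test-Vpn {
    $svc  = Get-Service -DisplayName 'WireGuard Tunnel*' -ErrorAction SilentlyContinue   # assumed display name
    $rule = Get-NetFirewallPortFilter -Protocol UDP | Where-Object { $_.LocalPort -contains '51820' } |
            Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    Result 'WireGuard tunnel service' ($svc.Status -join ',') ($svc | Where-Object Status -eq 'Running')
    Result 'Firewall allow UDP 51820' ($rule.DisplayName -join ',') $rule
}

# 3. "Certificate Expired": flag certificates with private keys that expire within 14 days, by which
#    time win-acme's scheduled renewal should already have replaced them.
function Test-Certs {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
        Result "cert $($_.Subject)" $_.NotAfter ($_.NotAfter -gt (Get-Date).AddDays(14))
    }
}

# 4. Section 2.3 records, queried through a public resolver so the result matches what receiving MTAs see.
function Test-MailDns {
    $txt = { param($Name) (Resolve-DnsName $Name -Type TXT -Server 1.1.1.1 -ErrorAction SilentlyContinue).Strings -join ' ' }
    $spf = & $txt 'niufin.de'; $dmarc = & $txt '_dmarc.niufin.de'
    Result 'SPF'   $spf   ($spf   -match 'v=spf1\b.*\bip4:152\.53\.253\.74\b.*-all\b')
    Result 'DMARC' $dmarc ($dmarc -match 'v=DMARC1\b')
    $ptr = (Resolve-DnsName 152.53.253.74 -Type PTR -Server 1.1.1.1 -ErrorAction SilentlyContinue).NameHost
    Result 'rDNS'  $ptr   ($ptr -eq 'mail.niufin.de')
}

& { Test-Backends; Test-Vpn; Test-Certs; Test-MailDns } | Format-Table -AutoSize
```

Any row with `OK` set to `False` points at the fix in the matching numbered item above; DKIM is not checked because its selector name is only known from the SmarterMail settings.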