7.6 KiB

Raw Blame History

☁️ Niufin Cloud Infrastructure Documentation

Version: 1.0
Server OS: Windows Server 2025 (Standard/Datacenter)
Architecture: Native Windows (No Docker/Hyper-V)
Public IP: 152.53.253.74
Internal Gateway: 10.253.0.1 (VPN DNS)

📚 Table of Contents

Core Infrastructure
Hosted Services
Maintenance & Disaster Recovery

1. Core Infrastructure

1.1 Active Directory & DNS

Domain Name: int.niufin.de
Role: Primary Domain Controller.
User Strategy: "One Identity." All users are created in AD first. All other apps sync from here.

Critical Configuration:

Privacy Fix (Hide User Folders):
- By default, users can list C:\Users.
- Fix: Right-click C:\Users > Properties > Security > Advanced.
- Disable Inheritance.
- Edit Users group: Uncheck "List folder / read data". Check "Traverse folder / execute file".
- Result: Users can access their own folder but cannot see a list of other employees.

1.2 WireGuard VPN

Software: WS4W (WireGuard Server for Windows)
Public Port: UDP 51820
Tunnel Network: 10.253.0.0/24
Server IP: 10.253.0.1

Client Configuration (Laptop Join): To join a remote laptop to the domain, the client config MUST include the DNS setting:

[Interface]
PrivateKey = <Client_Private_Key>
Address = 10.253.0.2/32
DNS = 10.253.0.1  ; <--- CRITICAL: Points to DC DNS

[Peer]
PublicKey = <Server_Public_Key>
Endpoint = 152.53.253.74:51820
AllowedIPs = 0.0.0.0/0

1.3 IIS Reverse Proxy & SSL (win-acme)

Role: Central Gateway. All apps run on hidden localhost ports. IIS proxies public HTTPS traffic to them.
Modules: URL Rewrite 2.1, Application Request Routing (ARR) 3.0.
SSL Tool: win-acme (wacs.exe).
- Usage: Run as Admin > N (New) > Select Site ID.
- Renewal: Automatic via Task Scheduler.

2. Hosted Services

2.1 Cloud Office (Remote Desktop)

URL: https://apps.niufin.cloud
Tech: RDS Web Client (HTML5).
Port: 443 (HTTPS).

Troubleshooting "Unexpected Server Authentication Certificate": If users get certificate errors launching apps, the RDS Broker is presenting the wrong cert. Fix: Run this in PowerShell (Admin):

# 1. Find your valid certificate thumbprint
Get-ChildItem Cert:\LocalMachine\My

# 2. Bind it to the RDP Listener
$Thumbprint = "<PASTE_YOUR_THUMBPRINT_HERE>"
$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
Set-WmiInstance -Path $path -Argument @{SSLCertificateSHA1Hash="$Thumbprint"}

# 3. Fix the published name
Set-RDClientAccessName -ConnectionBroker "WIN-SERVER-NAME.int.niufin.de" -ClientAccessName "apps.niufin.cloud"

# 4. Restart
Restart-Service TermService -Force

2.2 Cloud Drive (FileCloud)

URL: https://files.niufin.cloud
Internal: http://127.0.0.1:8888
Config Path: C:\xampp\htdocs\config\cloudconfig.php

Critical Config Block: Add this to cloudconfig.php to fix login loops and AD errors:

define("TONIDOCLOUD_SECURE_COOKIE", "1"); // Fixes "Secure Cookie" error behind IIS
define("TONIDOCLOUD_TRUSTED_HOSTS", "localhost,127.0.0.1,127.0.0.1:8888,files.niufin.cloud");
if (!defined("LDAP_OPT_REFERRALS")) { define("LDAP_OPT_REFERRALS", 0); } // Fixes AD "Operations Error"

AD Integration Settings:

Host: int.niufin.de
Port: 3268 (Global Catalog - Required to avoid referral errors).
Encryption: None (Internal network).
Admin DN: INT\Sultan (or Service Account).

2.3 Email Server (SmarterMail)

URL: https://mail.niufin.de
Internal: http://localhost:9998
Firewall Ports: 25, 110, 143, 465, 587, 993.

Deliverability (Anti-Spam) Setup:

Record	Type	Value
SPF	TXT	`v=spf1 ip4:152.53.253.74 -all`
DKIM	TXT	`selector._domainKey` (Generated in SmarterMail settings)
DMARC	TXT	`v=DMARC1; p=none; rua=mailto:admin@niufin.de`
rDNS	PTR	Set in VPS Panel: `152.53.253.74` -> `mail.niufin.de`

2.4 Code Hosting (Gitea)

URL: https://git.niufin.cloud
Internal: http://localhost:3000
Binary Path: C:\gitea\gitea.exe

Service Installation: Run in CMD (Admin) to ensure it starts on boot:

sc create gitea start= auto binPath= "\"C:\gitea\gitea.exe\" web --config \"C:\gitea\custom\conf\app.ini\""
net start gitea

2.5 Password Vault (Pleasant Password Server)

URL: https://auth.niufin.cloud
Internal: https://localhost:10001 (Note HTTPS).
Database: MS SQL Express (.\SQLEXPRESS01).

Fixing 502.3 Bad Gateway: IIS rejects the self-signed cert from Pleasant.

Open mmc.exe > Certificates > Computer Account.
Find PasswordServer_Temporary_Placeholder_Certificate.
Copy it from Personal -> Paste into Trusted Root Certification Authorities.
IIS Proxy Rule: Rewrite URL must be https://127.0.0.1:10001/{R:1} (Use IP, not localhost).

2.6 Project Management (Kanboard)

URL: https://projects.niufin.cloud
Path: C:\inetpub\wwwroot\kanboard
Tech: PHP FastCGI.

Installation Fixes:

Permissions: IUSR and IIS_IUSRS must have Modify rights on the data folder.
PHP Config: Edit php.ini and uncomment extension=pdo_sqlite.

2.7 Monitoring (Uptime Kuma)

URL: https://status.niufin.cloud
Internal: http://localhost:3001
Tech: Node.js + PM2.

Service Commands:

# If Kuma stops, run this to revive it:
& "$env:APPDATA\npm\pm2.cmd" resurrect

# To save current state as the boot config:
& "$env:APPDATA\npm\pm2.cmd" save

Proxy Config: Disable "Reverse Rewrite Host" in IIS ARR settings to support WebSockets.

3. Maintenance & Disaster Recovery

Backups

The server relies on Veeam Agent for Windows (Free).

Backup Mode: Volume Level (Entire C: Drive).
Target: External Drive or Network Share.
Frequency: Daily (Midnight).

Critical Paths for Manual Backup

FileCloud Data: C:\FileCloudData
SmarterMail: C:\SmarterMail
Gitea: C:\gitea\data
Databases: C:\Program Files\Microsoft SQL Server\...\MSSQL\DATA

Common Issues & Fixes

"502 Bad Gateway" on a site:
- The backend service crashed.
- Fix: Check services.msc (for Gitea/FileCloud) or pm2 status (for Kuma).
VPN won't connect:
- Check if the WireGuard Tunnel service is running.
- Ensure Port UDP 51820 is allowed in Windows Firewall.
Certificate Expired:
- Run wacs.exe (win-acme) and select "Manage Renewals" to force a check.

7.6 KiB Raw Blame History