From 0ca5b2b73da26b9ceb5112df0100c370c5cdf7e5 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 24 Mar 2026 13:46:48 -0700 Subject: [PATCH] Migrate credentials to 1Password: 58 items across 4 vaults - Created 4 new vaults: Infrastructure (16), Clients (27), Projects (10), MSP Tools (5) - Replaced credentials.md with op:// reference version (no plaintext secrets) - Updated CLAUDE.md with 1Password access instructions for all workstations - Service account (Agentic_Cli) for non-interactive CLI access Co-Authored-By: Claude Opus 4.6 (1M context) --- .claude/CLAUDE.md | 22 +- credentials.md | 1263 ++++++---------------------- session-logs/2026-03-24-session.md | 54 ++ 3 files changed, 315 insertions(+), 1024 deletions(-) diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index c5b123e..78e79cb 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -39,9 +39,9 @@ You are NOT an executor. You coordinate specialized agents and preserve your con ## Key Rules - **NO EMOJIS** - Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]` -- **No hardcoded credentials** - Use encrypted storage +- **No hardcoded credentials** - Use 1Password (`op read "op://Vault/Item/field"`) or encrypted storage - **SSH:** Use system OpenSSH (on Windows: `C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH) -- **Data integrity:** Never use placeholder/fake data. Check credentials.md or ask user. +- **Data integrity:** Never use placeholder/fake data. Check credentials.md (op:// refs) or 1Password or ask user. - **Full coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session) --- @@ -57,10 +57,23 @@ You are NOT an executor. You coordinate specialized agents and preserve your con ## Context Recovery When user references previous work, use `/context` command. Never ask user for info in: -- `credentials.md` - All infrastructure credentials (UNREDACTED) +- `credentials.md` - Infrastructure reference with `op://` paths (secrets in 1Password) - `session-logs/` - Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`) - `SESSION_STATE.md` - Project history +### 1Password Credential Access + +Credentials are stored in 1Password across 4 vaults: **Infrastructure**, **Clients**, **Projects**, **MSP Tools**. + +**To read a secret:** `op read "op://VaultName/ItemTitle/field_name"` + +**Service account (non-interactive):** Set `OP_SERVICE_ACCOUNT_TOKEN` env var. Token stored in `op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential`. The service account has Read & Write on all 4 vaults (except Projects which is read-only -- use desktop app auth for Projects writes). + +**Setup on new machines:** +1. Install 1Password CLI: https://developer.1password.com/docs/cli/get-started/ +2. Sign in: `op signin` (or use desktop app integration) +3. For non-interactive use, add to shell config: `set -gx OP_SERVICE_ACCOUNT_TOKEN "token_value"` + --- ## Commands & Skills @@ -69,7 +82,8 @@ When user references previous work, use `/context` command. Never ask user for i |---------|---------| | `/checkpoint` | Dual checkpoint: git commit + database context | | `/save` | Comprehensive session log (credentials, decisions, changes) | -| `/context` | Search session logs and credentials.md | +| `/context` | Search session logs, credentials.md, and 1Password | +| `/1password` | 1Password secrets management integration | | `/sync` | Sync config from Gitea repository | | `/create-spec` | Create app specification for AutoCoder | | `/frontend-design` | Modern frontend design patterns (auto-invoke after UI changes) | diff --git a/credentials.md b/credentials.md index 4f4a20e..abcd154 100644 --- a/credentials.md +++ b/credentials.md @@ -1,8 +1,22 @@ # Credentials & Authorization Reference -**Last Updated:** 2026-01-26 +**Last Updated:** 2026-03-24 **Purpose:** Centralized credentials for Claude Code context recovery **Project:** ClaudeTools MSP Work Tracking System +**Backend:** 1Password (vaults: Infrastructure, Clients, Projects, MSP Tools) + +## How to Read Secrets + +```bash +# Single field +op read "op://VaultName/ItemTitle/field_name" + +# Full item +op item get "ItemTitle" --vault VaultName + +# With service account (no biometric) +export OP_SERVICE_ACCOUNT_TOKEN="op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential" +``` --- @@ -11,9 +25,9 @@ ### GuruRMM Server (172.16.3.30) - **Host:** 172.16.3.30 - **Hostname:** gururmm / gururmm-build -- **User:** guru -- **SSH Password:** Gptf*77ttb123!@#-rmm (note: special chars cause sudo issues, use heredoc) -- **Sudo Password:** Gptf*77ttb123!@#-rmm +- **User:** op://Infrastructure/GuruRMM Server/username +- **SSH Password:** op://Infrastructure/GuruRMM Server/password +- **Sudo Password:** op://Infrastructure/GuruRMM Server/password - **SSH Port:** 22 - **Role:** Production server hosting ClaudeTools database and API, GuruRMM system, cross-platform builds - **Services:** @@ -24,30 +38,28 @@ - Nginx reverse proxy (Port 80/443) - **ClaudeTools Database:** - Database: claudetools - - User: claudetools - - Password: CT_e8fcd5a3952030a79ed6debae6c954ed + - User: op://Infrastructure/GuruRMM Server/Databases.MariaDB User + - Password: op://Infrastructure/GuruRMM Server/Databases.MariaDB Password - **GuruRMM Database (PostgreSQL):** - Database: gururmm - - User: gururmm - - Password: 43617ebf7eb242e814ca9988cc4df5ad - - Connection: postgres://gururmm:43617ebf7eb242e814ca9988cc4df5ad@172.16.3.30:5432/gururmm + - User: op://Infrastructure/GuruRMM Server/Databases.PostgreSQL User + - Password: op://Infrastructure/GuruRMM Server/Databases.PostgreSQL Password + - Connection: postgres://[user]:[pass]@172.16.3.30:5432/gururmm - **GuruRMM API Access:** - Base URL: http://172.16.3.30:3001 - Production URL: https://rmm-api.azcomputerguru.com - - Admin Email: claude-api@azcomputerguru.com - - Admin Password: ClaudeAPI2026!@# - - Admin User ID: 4d754f36-0763-4f35-9aa2-0b98bbcdb309 - - JWT Secret: ZNzGxghru2XUdBVlaf2G2L1YUBVcl5xH0lr/Gpf/QmE= + - Admin Email: op://Infrastructure/GuruRMM Server/GuruRMM API.Admin Email + - Admin Password: op://Infrastructure/GuruRMM Server/GuruRMM API.Admin Password + - JWT Secret: op://Infrastructure/GuruRMM Server/GuruRMM API.JWT Secret - **OS:** Ubuntu 22.04 LTS - **SSH Keys:** guru@wsl, guru@gururmm-build (ed25519) -- **Notes:** Primary ClaudeTools infrastructure, systemd service auto-starts API. GuruRMM admin user created 2026-01-22 for API integration. Build server for cross-platform GuruRMM builds. ### Jupiter (Unraid Primary - 172.16.3.20) - **Host:** 172.16.3.20 -- **User:** root +- **User:** op://Infrastructure/Jupiter (Unraid Primary)/username - **SSH Port:** 22 -- **Password:** Th1nk3r^99## -- **WebUI Password:** Th1nk3r^99## +- **Password:** op://Infrastructure/Jupiter (Unraid Primary)/password +- **WebUI Password:** op://Infrastructure/Jupiter (Unraid Primary)/password - **Role:** Primary container host, Gitea server, NPM, GuruRMM, Seafile - **Services:** - Gitea (Port 3000, SSH 2222) @@ -57,22 +69,19 @@ - Seafile Pro (Port 8082) - **iDRAC (Dell Remote Management):** - IP: 172.16.1.73 (DHCP) - - User: root - - Password: Window123!@#-idrac - - IPMI Key: 0000000000000000000000000000000000000000 (all zeros) - - SSH: Enabled (port 22) - cipher compatibility issues + - User: op://Infrastructure/Jupiter (Unraid Primary)/iDRAC.iDRAC User + - Password: op://Infrastructure/Jupiter (Unraid Primary)/iDRAC.iDRAC Password + - IPMI Key: op://Infrastructure/Jupiter (Unraid Primary)/iDRAC.IPMI Key - Web UI: https://172.16.1.73/ - **SSH Keys:** claude-code@localadmin (ed25519), root@GuruSync (ed25519), guru@wsl (ed25519), guru@gururmm-build (ed25519) -- **Notes:** Used for code repository management and version control. Primary infrastructure server. ### IX Server (Hosting - 172.16.3.10) - **Host:** ix.azcomputerguru.com - **Internal IP:** 172.16.3.10 - **External IP:** 72.194.62.5 -- **User:** root +- **User:** op://Infrastructure/IX Server/username - **SSH Port:** 22 -- **Password:** Gptf*77ttb!@#!@# -- **SSH Key:** guru@wsl key added to authorized_keys +- **Password:** op://Infrastructure/IX Server/password - **OS:** Rocky Linux (WHM/cPanel) - **Role:** Primary cPanel hosting server for client websites (80+ accounts) - **Services:** @@ -87,45 +96,24 @@ - WHM: https://ix.azcomputerguru.com:2087 - cPanel: https://ix.azcomputerguru.com:2083 - **VPN Required:** Yes (for external SSH access) -- **Hosted Sites:** 40+ WordPress sites (arizonahatters.com, peacefulspirit.com, etc.) -- **Notes:** - - Critical performance issues documented 2026-01-13 - - Requires VPN for SSH access - - See clients/internal-infrastructure/ix-server-issues-2026-01-13.md for maintenance details - - 80+ cPanel accounts hosted -- **Critical Sites Maintained (2026-01-13):** - - acepickupparts.com (PHP 256MB, database cleaned) - - arizonahatters.com (PHP 256MB, Wordfence bloat cleaned) - - peacefulspirit.com (database bloat cleaned 310MB→0.67MB) +- **Hosted Sites:** 40+ WordPress sites ### WebSvr (Legacy Hosting - websvr.acghosting.com) - **Host:** websvr.acghosting.com - **External IP:** 162.248.93.81 -- **User:** root +- **User:** op://Infrastructure/WebSvr (Legacy Hosting)/username - **SSH Port:** 22 -- **Password:** r3tr0gradE99# +- **Password:** op://Infrastructure/WebSvr (Legacy Hosting)/password - **OS:** CentOS 7 (WHM/cPanel) - **Role:** Legacy cPanel hosting server, DNS management for ACG Hosting domains -- **Services:** - - WHM (Web Host Manager) - - cPanel - - Apache/LiteSpeed web server - - MariaDB - - DNS Zone Management -- **API Token:** 8ZPYVM6R0RGOHII7EFF533MX6EQ17M7O (Full access) -- **DNS Management:** Authoritative for ACG Hosting nameservers (grabbanddurando.com zone, etc.) +- **API Token:** op://Infrastructure/WebSvr (Legacy Hosting)/API.API Token - **Status:** Active - DNS management, some legacy sites -- **Notes:** - - Used for DNS zone editing for client domains - - Migration source to IX server - - See clients/grabb-durando/website-migration/README.md for DNS management examples ### pfSense Firewall (172.16.0.1) - **Host:** 172.16.0.1 - **SSH Port:** 2248 -- **User:** admin -- **Password:** r3tr0gradE99!! -- **SSH Key:** ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrv2u99Y/KecA4GtJ3xi/8ExzkjdPsCHLDdaFPBkGAg claude-code@localadmin +- **User:** op://Infrastructure/pfSense Firewall/username +- **Password:** op://Infrastructure/pfSense Firewall/password - **OS:** FreeBSD (pfSense 2.8.1) - **Role:** Primary network firewall, VPN gateway, Tailscale gateway - **Services:** @@ -135,8 +123,7 @@ - DHCP server - **Tailscale:** - Tailscale IP: 100.79.69.82 (pfsense-1) / 100.119.153.74 (pfsense-2) - - Subnet Routes: 172.16.0.0/22 (advertised to Tailscale network) - - Hostname: pfsense-1 / pfsense-2 + - Subnet Routes: 172.16.0.0/22 - **Web UI:** https://172.16.0.1 - **Status:** CRITICAL PRODUCTION - Network gateway - **Network:** @@ -144,61 +131,31 @@ - OpenVPN: 192.168.6.0/24 - WAN (Fiber): 98.181.90.163/31 - Public IPs: 72.194.62.2-10, 70.175.28.51-57 -- **Notes:** - - Primary network security appliance - - Routes traffic for entire 172.16.0.0/16 network - - Tailscale exit node for remote access - - Migrated to Intel N100 hardware 2025-12-25 ### Saturn (172.16.3.21) - DECOMMISSIONED - **Host:** 172.16.3.21 -- **User:** root -- **SSH Port:** 22 -- **Password:** r3tr0gradE99 +- **User:** op://Infrastructure/Saturn (DECOMMISSIONED)/username +- **Password:** op://Infrastructure/Saturn (DECOMMISSIONED)/password - **OS:** Unraid 6.x -- **Role:** Secondary Unraid server (decommissioned) - **Status:** DECOMMISSIONED - Migration to Jupiter complete (Seafile migrated 2025-12-27) -- **Notes:** - - All services migrated to Jupiter in 2025 - - May be powered off - - Documented for historical reference ### OwnCloud VM (172.16.3.22) - **Host:** 172.16.3.22 - **Hostname:** cloud.acghosting.com -- **User:** root -- **SSH Port:** 22 -- **Password:** Paper123!@#-unifi! +- **User:** op://Infrastructure/OwnCloud VM/username +- **Password:** op://Infrastructure/OwnCloud VM/password - **OS:** Rocky Linux 9.6 - **Role:** OwnCloud file synchronization server -- **Services:** - - Apache web server - - MariaDB - - PHP-FPM - - Redis - - OwnCloud application - - Datto RMM agents -- **Storage:** SMB mount from Jupiter (Unraid shares - /mnt/user/OwnCloud) -- **Status:** Active -- **Notes:** - - Jupiter has SSH key auth configured - - File sync service for team collaboration - - Data stored on Jupiter NAS backend ### VMware Workstation Pro (192.168.3.24) - **Host:** 192.168.3.24 -- **Role:** VMware Workstation Pro main interface (VM host) -- **User:** root -- **Password:** r3tr0gradE99# -- **Notes:** - - Main VMware interface for local VMs - - Bridge network for VM guests +- **User:** op://Infrastructure/VMware Workstation/username +- **Password:** op://Infrastructure/VMware Workstation/password ### HP iLO (172.16.9.125) - **Host:** 172.16.9.125 -- **Role:** HP Integrated Lights-Out management interface -- **User:** root -- **Password:** r3tr0gradE99# +- **User:** op://Infrastructure/HP iLO/username +- **Password:** op://Infrastructure/HP iLO/password --- @@ -206,47 +163,22 @@ ### GoDaddy VPS (208.109.235.224) - Grabb & Durando - **Host:** 208.109.235.224 -- **Hostname:** 224.235.109.208.host.secureserver.net - **User:** root -- **SSH Port:** 22 - **Auth:** SSH key (id_ed25519) - **OS:** CloudLinux 9.6 -- **cPanel:** v126.0 (build 11) -- **Role:** data.grabbanddurando.com hosting (MIGRATION COMPLETE - old server) -- **Status:** OFFLINE - 99% disk space used (1.6GB free) - migration complete -- **Client:** Grabb & Durando Law Firm -- **Application:** Custom PHP calendar/user management system -- **Database Credentials (on GoDaddy):** - - Database: grabblaw_gdapp - - User: grabblaw_gdapp - - Password: e8o8glFDZD - - cPanel User: grabbanddurando -- **Migration Target:** ix.azcomputerguru.com (COMPLETE) -- **Migration Status:** Complete - old server can be decommissioned -- **Notes:** - - MIGRATION COMPLETE - data sync performed 2025-12-12 - - SSH key authentication (passwordless) - - See clients/grabb-durando/website-migration/README.md for migration details - - Keep active for 1 week after successful migration (retention period expired) +- **Status:** OFFLINE - migration complete +- **Database Credentials:** op://Clients/GoDaddy VPS - Grabb & Durando (OFFLINE)/Database.* ### Neptune Exchange Server (67.206.163.124) - **Hostname:** neptune.acghosting.com - **Public IP:** 67.206.163.124 - **Internal IP:** 172.16.3.11 (requires Dataforth VPN) -- **Domain:** ACG -- **Admin User:** ACG\administrator -- **Admin Password:** Gptf*77ttb## +- **Admin User:** op://Clients/Neptune Exchange Server/username +- **Admin Password:** op://Clients/Neptune Exchange Server/password - **Exchange Version:** Exchange Server 2016 - **OWA URL:** https://neptune.acghosting.com/owa/ -- **PowerShell URL:** https://neptune.acghosting.com/PowerShell/ -- **Authentication:** Basic Auth -- **ActiveSync:** Enabled (BasicAuthEnabled: True) - **Status:** Active -- **Client:** heieck.org (migration to M365 complete 2026-01-14) -- **Notes:** - - Requires VPN access (OpenVPN to Dataforth network) - - UDM firewall rules required for OpenVPN→Dataforth access - - iptables rules on UDM: 192.168.6.0/24 ↔ 172.16.0.0/22 +- **Notes:** Requires VPN access (OpenVPN to Dataforth network) --- @@ -254,230 +186,74 @@ ### ESXi Host (192.168.0.122) - **Host:** 192.168.0.122 -- **Role:** VMware ESXi hypervisor -- **User:** root -- **Password:** Gptf*77ttb!@#!@# +- **User:** op://Clients/Dataforth ESXi 122/username +- **Password:** op://Clients/Dataforth ESXi 122/password - **Web UI:** https://192.168.0.122 -- **Network:** Dataforth LAN (192.168.0.0/24) -- **SSH User:** sysadmin / Paper123!@# +- **SSH User:** op://Clients/Dataforth ESXi 122/SSH.SSH User +- **SSH Password:** op://Clients/Dataforth ESXi 122/SSH.SSH Password - **VMs:** AD1, AD2, FILES-D1, PBX ### ESXi Host (192.168.0.124) - **Host:** 192.168.0.124 -- **Role:** VMware ESXi hypervisor -- **User:** root -- **Password:** Gptf*77ttb!@#!@# -- **Web UI:** https://192.168.0.124 -- **Network:** Dataforth LAN (192.168.0.0/24) +- **User:** op://Clients/Dataforth ESXi 124/username +- **Password:** op://Clients/Dataforth ESXi 124/password ### PBX (192.168.100.2) - **Host:** 192.168.100.2 - **Hostname:** pbx.intranet.dataforth.com -- **Role:** Sangoma FreePBX 17 / Asterisk (phone system) -- **OS:** Debian 12 (Sangoma FreePBX Distro) -- **SSH User:** sangoma -- **SSH Password:** Gptf*77ttb!@#!@# -- **Web UI:** https://192.168.100.2 +- **User:** op://Clients/Dataforth PBX/username +- **Password:** op://Clients/Dataforth PBX/password +- **OS:** Debian 12 (Sangoma FreePBX 17) - **Network:** VLAN100 (192.168.100.0/24) - **SIP Trunk:** FirstDigital (66.7.123.215, PJSIP) -- **SIP Network:** 10.208.107.116/30 (SIP_Group vSwitch) -- **ESXi Host:** 192.168.0.122 (VM ID 9, SAN-D1-15k datastore) - **Extensions:** 201-343 range (~35 endpoints) -- **DIDs:** 520-741-1404 (ring group 600), 520-917-0493 (ext 269), 520-917-0495 (ext 273), 520-917-2235+ ### AD2 (Production Server - 192.168.0.6) - **Host:** 192.168.0.6 - **Hostname:** AD2.intranet.dataforth.com - **Domain:** INTRANET -- **User:** INTRANET\sysadmin -- **Password:** Paper123!@# +- **User:** op://Clients/Dataforth AD2/username +- **Password:** op://Clients/Dataforth AD2/password - **OS:** Windows Server 2022 -- **Local Path:** C:\Shares\test -- **Share Access:** \\192.168.0.6\C$ (admin share, requires credentials) -- **Role:** Production server for Dataforth DOS machines, Secondary Domain Controller -- **Services:** - - Active Directory Domain Controller (Secondary) - - File Server (SMB3) - - Scheduled sync task (Sync-FromNAS.ps1 every 15 min) - - WinRM (PowerShell Remoting) on port 5985 - - OpenSSH Server on port 22 -- **Network:** 192.168.0.0/24 -- **Automation Access:** - - **Service Account:** INTRANET\ClaudeTools-ReadOnly - - **Service Password:** vG!UCAD>=#gIk}1A3=:{+DV3 - - **Service UPN:** ClaudeTools-ReadOnly@dataforth.local - - **Permissions:** Read-only AD access, Remote Management Users group - - **Scripts Location:** C:\ClaudeTools\Scripts\ - - **Logs Location:** C:\ClaudeTools\Logs\Transcripts\ -- **SSH Key (sysadmin account):** - - **Key Type:** ED25519 - - **Fingerprint:** SHA256:JsiEDAJ/fD19d6W7B5iuV78f8dLKZbLTrMor7b9CXSQ - - **Public Key:** ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHpk0bdronDasfx5RYjky4N4xIeUJF5xIJdX08rb3+Ui sysadmin@AD2-automation - - **Private Key Location:** C:\Users\sysadmin\.ssh\id_ed25519 -- **WinRM Configuration:** - - **TrustedHosts:** 172.16.*,192.168.*,10.* (LAN/VPN access) - - **Listener:** HTTP on port 5985 - - **Transcript Logging:** Enabled (all remote sessions logged) - - **Module Logging:** Enabled - - **Script Block Logging:** Enabled -- **Connection Method (SMB Share):** - ```powershell - $pass = ConvertTo-SecureString 'Paper123!@#' -AsPlainText -Force - $cred = New-Object System.Management.Automation.PSCredential('INTRANET\sysadmin', $pass) - New-PSDrive -Name Z -PSProvider FileSystem -Root '\\192.168.0.6\C$' -Credential $cred - # Access: Z:\Shares\test\ - ``` -- **Connection Method (WinRM - Admin):** - ```powershell - $password = ConvertTo-SecureString 'Paper123!@#' -AsPlainText -Force - $cred = New-Object System.Management.Automation.PSCredential('INTRANET\sysadmin', $password) - Enter-PSSession -ComputerName 192.168.0.6 -Credential $cred - ``` -- **Connection Method (WinRM - Read-Only):** - ```powershell - $password = ConvertTo-SecureString 'vG!UCAD>=#gIk}1A3=:{+DV3' -AsPlainText -Force - $cred = New-Object System.Management.Automation.PSCredential('INTRANET\ClaudeTools-ReadOnly', $password) - Enter-PSSession -ComputerName 192.168.0.6 -Credential $cred - ``` -- **Connection Method (SSH):** - ```bash - ssh INTRANET\\sysadmin@192.168.0.6 - # Password: Paper123!@# - # Or with key: ssh -i path/to/id_ed25519 INTRANET\\sysadmin@192.168.0.6 - ``` -- **Software Update Locations:** - - Common (all machines): C:\Shares\test\COMMON\ProdSW\ and C:\Shares\test\_COMMON\ProdSW\ - - Station-specific: C:\Shares\test\TS-XX\ProdSW\ - - System files: C:\Shares\test\COMMON\DOS\ -- **Notes:** - - SMB1 disabled for security (after crypto attack) - - Sync mechanism moved from NAS to AD2 due to WINS crashes - - Files sync to NAS within 15 minutes after placement - - DOS machines pull from NAS (not directly from AD2) +- **Role:** Production server, Secondary Domain Controller +- **Service Account:** + - User: op://Clients/Dataforth AD2/Service Account.Service User + - Password: op://Clients/Dataforth AD2/Service Account.Service Password + - UPN: ClaudeTools-ReadOnly@dataforth.local +- **Notes:** SMB1 disabled for security (after crypto attack). WinRM port 5985, SSH port 22. ### AD1 (Primary Domain Controller - 192.168.0.27) - **IP:** 192.168.0.27 - **Hostname:** AD1.intranet.dataforth.com -- **User:** INTRANET\sysadmin -- **Password:** Paper123!@# +- **User:** op://Clients/Dataforth AD1/username +- **Password:** op://Clients/Dataforth AD1/password - **Role:** Primary DC, NPS/RADIUS server - **NPS Ports:** 1812/1813 (auth/accounting) -- **Services:** - - Active Directory Domain Controller (Primary) - - NPS/RADIUS Server -- **Access Methods:** RDP, WinRM ### D2TESTNAS (SMB1 Proxy - 192.168.0.9) - **Host:** 192.168.0.9 -- **NetBIOS Name:** D2TESTNAS -- **MAC:** 28:C6:8E:34:4B:5E / 5F -- **HTTP:** http://192.168.0.9/ -- **User (Web):** admin -- **Password (Web):** Paper123!@#-nas -- **SSH User:** root -- **SSH Auth:** ed25519 key (passwordless) + password: Paper123!@#-nas -- **SSH Key:** ed25519 from ~/.ssh/id_ed25519 (WSL) +- **SSH User:** op://Clients/Dataforth D2TESTNAS/username +- **SSH Password:** op://Clients/Dataforth D2TESTNAS/password +- **Web User:** op://Clients/Dataforth D2TESTNAS/Web.Web User +- **Web Password:** op://Clients/Dataforth D2TESTNAS/Web.Web Password +- **Engineer Access:** op://Clients/Dataforth D2TESTNAS/SMB.Engineer User / op://Clients/Dataforth D2TESTNAS/SMB.Engineer Password - **Role:** SMB1 proxy/bridge for DOS 6.22 machines -- **OS:** Netgear ReadyNAS RN10400 (Linux NAS appliance) -- **Share:** \\D2TESTNAS\test (maps to /data/test) -- **Shares:** - - \\D2TESTNAS\test (guest writable, maps to T:) - - \\D2TESTNAS\datasheets (guest writable, maps to X:) -- **Services:** - - SMB1 server (for DOS machine compatibility - CORE protocol) - - SSH server (Port 22) - - WINS Server: Enabled (192.168.0.9) -- **SMB Configuration:** - - Protocol: CORE (oldest, for DOS compatibility) - - Workgroup: INTRANET - - WINS support: yes - - Null passwords: enabled - - Guest access: enabled -- **SMB Users:** ts-1 through ts-50 (NULL passwords - smbpasswd -n ts-XX) -- **Engineer Access:** engineer / Engineer1! -- **Notes:** - - Bridges DOS machines (SMB1) with AD2 (SMB3) - - Previous sync location (moved to AD2) - - Network path: /data/test/ - - Sync credentials in /root/.ad2creds +- **Shares:** \\D2TESTNAS\test (T:), \\D2TESTNAS\datasheets (X:) ### Dataforth DOS Machines (TS-XX) - **Network:** 192.168.0.0/24 - **OS:** MS-DOS 6.22 - **Count:** ~30 machines for QC testing -- **Naming:** TS-01 through TS-30 -- **Network Share:** T: drive (maps to \\D2TESTNAS\test) -- **Machine Variable:** %MACHINE% (set in AUTOEXEC.BAT from C:\NET\SYSTEM.INI) -- **Backup Location:** T:\%MACHINE%\BACKUP\ -- **Update Path:** T:\COMMON\ -- **Credentials:** None (local DOS machines) -- **Network Drives:** - - T: = \\D2TESTNAS\test - - X: = \\D2TESTNAS\datasheets -- **Boot Sequence:** - 1. C:\AUTOEXEC.BAT - 2. C:\STARTNET.BAT (mount drives) - 3. T:\TS-XX\NWTOC.BAT (download updates) - 4. C:\ATE\MENU.BAT (test menu) -- **Central Management:** T:\UPDATE.BAT (v2.0) - - Commands: STATUS, UPDATE, DOS - - Auto-detection from C:\NET\SYSTEM.INI -- **Machines Tested Working:** - - TS-27: Working, full config copied - - TS-8L: Working, 717 logs + 2966 reports moved - - TS-8R: Working, 821 logs + 3780 reports moved -- **Notes:** - - SMB1 protocol required - - DOS 6.22 limitations: no %COMPUTERNAME%, no IF /I - - Network stack: MS Client 3.0, Netware VLM client - - Update workflow: AD2 → D2TESTNAS → DOS machines - - Startup sequence: AUTOEXEC.BAT → STARTNET.BAT → MENUX.EXE - - MENUX menu provides test module selection interface - - Test Equipment: Keithley 2010, Fluke 8842A, HP 33220A, KEPCO DPS, BK Precision 1651A, Rigol MSO2102A +- **Credentials:** None (local DOS machines, NULL SMB passwords) +- **Network Drives:** T: = \\D2TESTNAS\test, X: = \\D2TESTNAS\datasheets ### UDM (UniFi Dream Machine - 192.168.0.254) -- **Service:** Gateway/firewall - **IP:** 192.168.0.254 -- **SSH User:** root -- **SSH Password:** Paper123!@#-unifi -- **SSH Key:** claude-code key added -- **Web User:** azcomputerguru -- **Web Password:** Paper123!@#-unifi -- **2FA:** Push notification enabled -- **Role:** Gateway/firewall, OpenVPN server -- **OpenVPN:** 192.168.6.0/24 network -- **Isolated Network:** 172.16.0.0/22 (Dataforth internal) -- **MongoDB:** 127.0.0.1:27117/ace (UniFi controller) -- **Access Methods:** SSH, Web (2FA) -- **Notes:** - - OpenVPN access requires iptables rules for Dataforth network access - - WINS configured in DHCP pointing to D2TESTNAS (192.168.0.9) - - DNS servers: 192.168.0.27, 192.168.0.6, 192.168.1.254 - -### AD2-NAS Sync System -- **Script:** C:\Shares\test\scripts\Sync-FromNAS.ps1 -- **Runs:** Every 15 minutes (Windows Scheduled Task) -- **User:** INTRANET\sysadmin -- **Direction:** Bidirectional -- **Tools:** PuTTY (plink.exe, pscp.exe) -- **Log:** C:\Shares\test\scripts\sync-from-nas.log -- **Status:** C:\Shares\test\_SYNC_STATUS.txt (monitored by DattoRMM) -- **Last Verified:** 2026-01-15 (running successfully) -- **PULL (NAS → AD2):** - - Test results: /data/test/TS-XX/LOGS/*.DAT → C:\Shares\test\TS-XX\LOGS\ - - Reports: /data/test/TS-XX/Reports/*.TXT → C:\Shares\test\TS-XX\Reports\ - - Files deleted from NAS after successful sync - - DAT files imported to database automatically -- **PUSH (AD2 → NAS):** - - Common updates: C:\Shares\test\COMMON\ProdSW\ → /data/test/COMMON/ProdSW/ - - Station updates: C:\Shares\test\TS-XX\ProdSW\ → /data/test/TS-XX/ProdSW/ - - Root utility: C:\Shares\test\UPDATE.BAT → /data/test/UPDATE.BAT - - One-shot tasks: C:\Shares\test\TS-XX\TODO.BAT → /data/test/TS-XX/TODO.BAT -- **Notes:** - - Moved from NAS to AD2 in January 2026 - - Reason: WINS crashes and SSH lockups on NAS - - NAS script (/root/sync-to-ad2.sh) is DEPRECATED - - UPDATE.BAT sync added 2026-01-15 +- **SSH User:** op://Clients/Dataforth UDM/username +- **SSH Password:** op://Clients/Dataforth UDM/password +- **Web User:** op://Clients/Dataforth UDM/Web.Web User +- **Web Password:** op://Clients/Dataforth UDM/Web.Web Password +- **Notes:** 2FA push enabled. OpenVPN 192.168.6.0/24. --- @@ -485,86 +261,52 @@ ### Gitea (Git Server) - **URL:** https://git.azcomputerguru.com/ -- **Web Port:** 3000 -- **HTTPS:** https://git.azcomputerguru.com (preferred) -- **SSH:** ssh://git@172.16.3.20:2222 OR ssh://git@git.azcomputerguru.com:2222 -- **Username:** azcomputerguru -- **Email:** mike@azcomputerguru.com -- **Password:** Gptf*77ttb123!@#-git OR Window123!@#-git -- **SSH Key:** claude-code (ed25519) - CONFIGURED AND WORKING -- **SSH Fingerprint:** SHA256:E+dhx8dYK+pWyqFUcAVAeJtaQEI3cOiIs7eac1w3Dnk -- **API Token:** 9b1da4b79a38ef782268341d25a4b6880572063f +- **SSH:** ssh://git@172.16.3.20:2222 +- **Username:** op://Infrastructure/Gitea/username +- **Password:** op://Infrastructure/Gitea/password +- **API Token:** op://Infrastructure/Gitea/API.API Token - **Repository:** azcomputerguru/ClaudeTools, azcomputerguru/claude-projects -- **Role:** Source code version control, project sync -- **Docker Container:** gitea (on Jupiter server) -- **Notes:** - - Web login: azcomputerguru / Gptf*77ttb123!@#-git - - SSH access: `ssh -T -p 2222 git@172.16.3.20` (verified working 2026-01-19) - - Git remote (HTTPS, preferred): `https://git.azcomputerguru.com/azcomputerguru/claudetools.git` - - Git remote (SSH, internal only): `ssh://git@172.16.3.20:2222/azcomputerguru/ClaudeTools.git` - - Password reset: `docker exec -u git gitea gitea admin user change-password --username azcomputerguru --password 'NEW_PASSWORD'` - - SSH key added: 2026-01-19 15:09 (claude-code) ### NPM (Nginx Proxy Manager) - **Admin URL:** http://172.16.3.20:7818 -- **HTTP Port:** 1880 -- **HTTPS Port:** 18443 -- **User:** mike@azcomputerguru.com OR admin@azcomputerguru.com -- **Password:** r3tr0gradE99! OR Window123!@# -- **Cloudflare API Token:** U1UTbBOWA4a69eWEBiqIbYh0etCGzrpTU4XaKp7w -- **Database:** SQLite at /mnt/user/appdata/npm/database.sqlite -- **Container:** npm on Jupiter +- **User:** op://Infrastructure/NPM (Nginx Proxy Manager)/username +- **Password:** op://Infrastructure/NPM (Nginx Proxy Manager)/password +- **Cloudflare API Token:** op://Infrastructure/NPM (Nginx Proxy Manager)/Cloudflare.Cloudflare API Token - **Proxy Hosts:** - - ID 1: emby.azcomputerguru.com → 172.16.2.99:8096 (SSL: npm-1) - - ID 2: git.azcomputerguru.com → 172.16.3.20:3000 (SSL: npm-2) - - ID 4: plexrequest.azcomputerguru.com → 172.16.3.31:5055 (SSL: npm-4) - - ID 5: rmm-api.azcomputerguru.com → 172.16.3.20:3001 (SSL: npm-6) - - unifi.azcomputerguru.com → 172.16.3.28:8443 (SSL: npm-5) - - ID 8: sync.azcomputerguru.com → 172.16.3.20:8082 (SSL: npm-8) + - emby.azcomputerguru.com -> 172.16.2.99:8096 + - git.azcomputerguru.com -> 172.16.3.20:3000 + - plexrequest.azcomputerguru.com -> 172.16.3.31:5055 + - rmm-api.azcomputerguru.com -> 172.16.3.20:3001 + - unifi.azcomputerguru.com -> 172.16.3.28:8443 + - sync.azcomputerguru.com -> 172.16.3.20:8082 ### ClaudeTools API (Production) - **URL:** http://172.16.3.30:8001 - **Docs:** http://172.16.3.30:8001/api/docs -- **Database:** 172.16.3.30:3306/claudetools +- **Database:** op://Projects/ClaudeTools Database/* - **Auth:** JWT tokens (POST /api/auth/token) -- **Test User:** - - Email: test@example.com - - Password: testpassword123 -- **Role:** Primary MSP work tracking API -- **Endpoints:** 95+ endpoints across 17 entities -- **Notes:** Systemd service, auto-starts on boot +- **JWT Secret:** op://Projects/ClaudeTools API Auth/credential +- **Test User:** op://Projects/ClaudeTools API Auth/Test Email / op://Projects/ClaudeTools API Auth/Test Password ### Seafile Pro (File Sync) - **URL:** https://sync.azcomputerguru.com -- **Internal:** 172.16.3.20:8082 -- **Admin Email:** mike@azcomputerguru.com -- **Admin Password:** r3tr0gradE99# -- **Database User:** seafile -- **Database Password:** 64f2db5e-6831-48ed-a243-d4066fe428f9 -- **Database Root:** db_dev -- **Databases:** ccnet_db, seafile_db, seahub_db -- **Containers:** seafile, seafile-mysql, seafile-memcached, seafile-elasticsearch -- **Docker Compose:** /mnt/user0/SeaFile/DockerCompose/docker-compose.yml -- **Data Path:** /mnt/user0/SeaFile/seafile-data/ +- **Username:** op://Infrastructure/Seafile Pro/username +- **Password:** op://Infrastructure/Seafile Pro/password +- **Database:** op://Infrastructure/Seafile Pro/Database.* +- **Microsoft Graph API:** op://Infrastructure/Seafile Pro/Microsoft Graph.* - **Storage:** 11.8TB -- **Location:** Jupiter (migrated from Saturn 2025-12-27) -- **Elasticsearch:** 7.17.26 (upgraded for kernel 6.12 compatibility) -- **Microsoft Graph API (Email):** - - Tenant ID: ce61461e-81a0-4c84-bb4a-7b354a9a356d - - Client ID: 15b0fafb-ab51-4cc9-adc7-f6334c805c22 - - Client Secret: rRN8Q~FPfSL8O24iZthi_LVJTjGOCZG.DnxGHaSk - - Sender Email: noreply@azcomputerguru.com - - Usage: Seafile email notifications via Graph API ### Cloudflare -- **Service:** DNS and CDN -- **API Token (Full DNS):** DRRGkHS33pxAUjQfRDzDeVPtt6wwUU6FwtXqOzNj -- **API Token (Legacy/Limited):** U1UTbBOWA4a69eWEBiqIbYh0etCGzrpTU4XaKp7w -- **Permissions:** Zone:Read, Zone:Edit, DNS:Read, DNS:Edit -- **Used for:** DNS management, WHM plugin, cf-dns CLI +- **API Token (Full DNS):** op://Infrastructure/Cloudflare/API Token Full DNS +- **API Token (Legacy):** op://Infrastructure/Cloudflare/API Token Legacy - **Domain:** azcomputerguru.com -- **Notes:** New full-access token added 2025-12-19 -- **Access Methods:** API + +### Matomo Analytics +- **URL:** https://analytics.azcomputerguru.com +- **Username:** op://Infrastructure/Matomo Analytics/username +- **Password:** op://Infrastructure/Matomo Analytics/password +- **Database:** op://Infrastructure/Matomo Analytics/Database.* +- **Site IDs:** 1=azcomputerguru.com, 2=community forum, 3=radio show --- @@ -574,109 +316,64 @@ - **Host:** 172.16.3.30 - **Port:** 3306 - **Database:** claudetools -- **User:** claudetools -- **Password:** CT_e8fcd5a3952030a79ed6debae6c954ed -- **Connection String:** - ``` - mysql+pymysql://claudetools:CT_e8fcd5a3952030a79ed6debae6c954ed@172.16.3.30:3306/claudetools?charset=utf8mb4 - ``` +- **User:** op://Projects/ClaudeTools Database/username +- **Password:** op://Projects/ClaudeTools Database/password +- **Connection String:** op://Projects/ClaudeTools Database/Connection String - **Tables:** 38 tables (fully migrated) - **Encryption:** AES-256-GCM for credentials table -- **Backup:** Daily automated backups ### Encryption Keys - **Method:** AES-256-GCM (Fernet) -- **Key:** 319134ddb79fa44a6751b383cb0a7940da0de0818bd6bbb1a9c20a6a87d2d30c -- **File Location:** C:\Users\MikeSwanson\claude-projects\shared-data\.encryption-key -- **Generated:** 2026-01-15 +- **Key:** op://Projects/ClaudeTools Encryption Key/credential - **Key Storage:** Environment variable ENCRYPTION_KEY -- **Usage:** Credentials table password encryption, AES-256-GCM encryption for credentials in database - **Warning:** DO NOT COMMIT TO GIT -- **Notes:** Never commit encryption key to git ### API Authentication - **Method:** JWT tokens -- **Password Hashing:** Argon2 +- **JWT Secret:** op://Projects/ClaudeTools API Auth/credential - **Token Endpoint:** POST /api/auth/token -- **Token Format:** Bearer token in Authorization header -- **JWT Secret:** NdwgH6jsGR1WfPdUwR3u9i1NwNx3QthhLHBsRCfFxcg= -- **Example:** - ```bash - curl -X POST http://172.16.3.30:8001/api/auth/token \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username=test@example.com&password=testpassword123" - ``` +- **Test User:** op://Projects/ClaudeTools API Auth/Test Email +- **Test Password:** op://Projects/ClaudeTools API Auth/Test Password --- ## Projects - GuruRMM ### Dashboard/API Login -- **Service:** GuruRMM dashboard login -- **Email:** admin@azcomputerguru.com -- **Password:** GuruRMM2025 -- **Role:** admin -- **Access Methods:** Web +- **URL:** https://rmm.azcomputerguru.com +- **Email:** op://Projects/GuruRMM Dashboard/username +- **Password:** op://Projects/GuruRMM Dashboard/password ### Database (PostgreSQL) -- **Service:** GuruRMM database -- **Host:** gururmm-db container (172.16.3.20) OR 172.16.3.30 (build server) -- **Port:** 5432 (default) +- **Host:** 172.16.3.30 +- **Port:** 5432 - **Database:** gururmm -- **User:** gururmm -- **Password:** 43617ebf7eb242e814ca9988cc4df5ad -- **Connection:** postgres://gururmm:43617ebf7eb242e814ca9988cc4df5ad@172.16.3.30:5432/gururmm -- **Access Methods:** PostgreSQL protocol +- **User:** op://Projects/GuruRMM Database/username +- **Password:** op://Projects/GuruRMM Database/password +- **Connection:** op://Projects/GuruRMM Database/Connection String ### API Server - **External URL:** https://rmm-api.azcomputerguru.com -- **Internal URL:** http://172.16.3.20:3001 OR http://172.16.3.30:3001 -- **JWT Secret:** ZNzGxghru2XUdBVlaf2G2L1YUBVcl5xH0lr/Gpf/QmE= -- **Access Methods:** HTTPS, HTTP (internal) +- **Internal URL:** http://172.16.3.30:3001 +- **JWT Secret:** op://Projects/GuruRMM API Server/credential ### Microsoft Entra ID (SSO) -- **Service:** GuruRMM SSO via Entra -- **App Name:** GuruRMM Dashboard -- **App ID (Client ID):** 18a15f5d-7ab8-46f4-8566-d7b5436b84b6 -- **Object ID:** 34c80aa8-385a-4bea-af85-f8bf67decc8f -- **Client Secret:** gOz8Q~J.oz7KnUIEpzmHOyJ6GEzYNecGRl-Pbc9w +- **App ID:** op://Projects/GuruRMM Entra SSO/App Registration.App ID +- **Client Secret:** op://Projects/GuruRMM Entra SSO/App Registration.Client Secret - **Secret Expires:** 2026-12-21 -- **Sign-in Audience:** Multi-tenant (any Azure AD org) - **Redirect URIs:** https://rmm.azcomputerguru.com/auth/callback, http://localhost:5173/auth/callback -- **API Permissions:** openid, email, profile -- **Created:** 2025-12-21 -- **Access Methods:** OAuth 2.0 ### CI/CD (Build Automation) - **Webhook URL:** http://172.16.3.30/webhook/build -- **Webhook Secret:** gururmm-build-secret +- **Webhook Secret:** op://Projects/GuruRMM CI-CD/credential - **Build Script:** /opt/gururmm/build-agents.sh -- **Build Log:** /var/log/gururmm-build.log -- **Gitea Webhook ID:** 1 -- **Trigger:** Push to main branch -- **Builds:** Linux (x86_64) and Windows (x86_64) agents - **Deploy Path:** /var/www/gururmm/downloads/ -- **GuruConnect Static Files:** /home/guru/guru-connect/server/static/ -- **GuruConnect Binary:** /home/guru/guru-connect/target/release/guruconnect-server -- **Access Methods:** Webhook - -### Build Server SSH Key (for Gitea) -- **Key Name:** gururmm-build-server -- **Key Type:** ssh-ed25519 -- **Public Key:** AAAAC3NzaC1lZDI1NTE5AAAAIKSqf2/phEXUK8vd5GhMIDTEGSk0LvYk92sRdNiRrjKi guru@gururmm-build -- **Added to:** Gitea (azcomputerguru account) -- **Access Methods:** SSH key authentication ### Clients & Sites #### Glaztech Industries (GLAZ) -- **Client ID:** d857708c-5713-4ee5-a314-679f86d2f9f9 -- **Site:** SLC - Salt Lake City -- **Site ID:** 290bd2ea-4af5-49c6-8863-c6d58c5a55de - **Site Code:** DARK-GROVE-7839 -- **API Key:** grmm_Qw64eawPBjnMdwN5UmDGWoPlqwvjM7lI -- **Created:** 2025-12-18 -- **Access Methods:** API +- **API Key:** op://Projects/GuruRMM Glaztech Site/credential #### AZ Computer Guru (Internal) - **Site Code:** SWIFT-CLOUD-6910 @@ -685,562 +382,179 @@ ## Projects - GuruConnect -### Database (PostgreSQL on build server) -- **Service:** GuruConnect database +### Database (PostgreSQL) - **Host:** localhost (172.16.3.30) - **Port:** 5432 - **Database:** guruconnect -- **User:** guruconnect -- **Password:** gc_a7f82d1e4b9c3f60 -- **DATABASE_URL:** postgres://guruconnect:gc_a7f82d1e4b9c3f60@localhost:5432/guruconnect -- **Created:** 2025-12-28 -- **Access Methods:** PostgreSQL protocol - ---- - -## Projects - Dataforth DOS - -### Update Workflow -- **Admin Deposits:** \\AD2\test\COMMON\ (on AD2) -- **Sync Mechanism:** AD2 scheduled task (C:\Shares\test\scripts\Sync-FromNAS.ps1) -- **DOS Pull:** T:\COMMON\ (from D2TESTNAS) -- **Backup Target:** T:\%MACHINE%\BACKUP\ - -### Key Files -- **UPDATE.BAT:** Machine backup utility (runs on DOS) - v2.0 on T:\UPDATE.BAT -- **NWTOC.BAT:** Network to Computer updates -- **CTONW.BAT:** Computer to Network uploads -- **STAGE.BAT:** System file staging for reboot -- **REBOOT.BAT:** Auto-generated, applies staged updates -- **AUTOEXEC.BAT:** DOS startup, sets %MACHINE% variable -- **CONFIG.SYS:** DOS system configuration -- **STARTNET.BAT:** Network stack initialization - -### Folder Structure -``` -\\AD2\test\ -├── COMMON\ # Shared updates for all machines -│ ├── DOS\ # System files (AUTOEXEC.NEW, CONFIG.NEW) -│ ├── ProdSW\ # Production software updates -│ └── NewSW\ # New software distributions -└── TS-XX\ # Individual machine folders - └── Backup\ # Machine-specific backups -``` +- **User:** op://Projects/GuruConnect Database/username +- **Password:** op://Projects/GuruConnect Database/password +- **DATABASE_URL:** op://Projects/GuruConnect Database/DATABASE_URL --- ## Client - MVAN Inc ### Microsoft 365 Tenant 1 -- **Service:** M365 tenant - **Tenant:** mvan.onmicrosoft.com -- **Admin User:** sysadmin@mvaninc.com -- **Password:** r3tr0gradE99# -- **Notes:** Global admin, project to merge/trust with T2 -- **Access Methods:** Web (M365 portal) +- **Admin User:** op://Clients/MVAN M365/username +- **Password:** op://Clients/MVAN M365/password --- ## Client - BG Builders LLC ### Microsoft 365 Tenant -- **Service:** M365 tenant -- **Tenant:** bgbuildersllc.com -- **CIPP Name:** sonorangreenllc.com - **Tenant ID:** ededa4fb-f6eb-4398-851d-5eb3e11fab27 - **onmicrosoft.com:** sonorangreenllc.onmicrosoft.com -- **Admin User:** sysadmin@bgbuildersllc.com -- **Password:** Window123!@#-bgb -- **Added:** 2025-12-19 -- **Licenses:** - - 8x Microsoft 365 Business Standard - - 4x Exchange Online Plan 1 - - 1x Microsoft 365 Basic -- **Security Gap:** No advanced security features (no conditional access, Intune, or Defender) -- **Recommendation:** Upgrade to Business Premium -- **Access Methods:** Web (M365 portal) +- **Admin User:** op://Clients/BG Builders M365/username +- **Password:** op://Clients/BG Builders M365/password +- **Cloudflare Zone ID:** op://Clients/BG Builders M365/Cloudflare Zone ID +- **Licenses:** 8x Business Standard, 4x Exchange Online Plan 1, 1x Basic ### Email Security (Configured 2025-12-19) | Record | Status | Details | |--------|--------|---------| -| SPF | ✅ | `v=spf1 include:spf.protection.outlook.com -all` | -| DMARC | ✅ | `v=DMARC1; p=reject; rua=mailto:sysadmin@bgbuildersllc.com` | -| DKIM selector1 | ✅ | CNAME to selector1-bgbuildersllc-com._domainkey.sonorangreenllc.onmicrosoft.com | -| DKIM selector2 | ✅ | CNAME to selector2-bgbuildersllc-com._domainkey.sonorangreenllc.onmicrosoft.com | -| MX | ✅ | bgbuildersllc-com.mail.protection.outlook.com | - -### Security Investigation (2025-12-22) - RESOLVED -- **Compromised User:** Shelly@bgbuildersllc.com (Shelly Dooley) -- **Symptoms:** Suspicious sent items reported by user -- **Findings:** - - Gmail OAuth app with EAS.AccessAsUser.All (REMOVED) - - "P2P Server" app registration backdoor (DELETED by admin) - - No malicious mailbox rules or forwarding - - Sign-in logs unavailable (no Entra P1 license) -- **Remediation:** - - Password reset: `5ecwyHv6&dP7` (must change on login) - - All sessions revoked - - Gmail OAuth consent removed - - P2P Server backdoor deleted -- **Status:** RESOLVED - -### Cloudflare -- **Zone ID:** 156b997e3f7113ddbd9145f04aadb2df -- **Nameservers:** amir.ns.cloudflare.com, mckinley.ns.cloudflare.com -- **A Records:** 3.33.130.190, 15.197.148.33 (proxied) - GoDaddy Website Builder - ---- - -## Client - Sonoran Green LLC - -### Status -**Active** - Related entity to BG Builders LLC (same M365 tenant) - -### Company Information -- **Domain:** sonorangreenllc.com -- **Primary Entity:** BG Builders LLC - -### Microsoft 365 -- **Tenant:** Shared with BG Builders LLC (ededa4fb-f6eb-4398-851d-5eb3e11fab27) -- **onmicrosoft.com:** sonorangreenllc.onmicrosoft.com - -### DNS Configuration - -#### Current Status -- **Nameservers:** Still on GoDaddy (not migrated to Cloudflare) -- **A Record:** 172.16.10.200 (private IP - problematic) -- **Email Records:** Properly configured for M365 - -#### Needed Records (Not Yet Applied) -- DMARC: `v=DMARC1; p=reject; rua=mailto:sysadmin@bgbuildersllc.com` -- DKIM selector1: CNAME to selector1-sonorangreenllc-com._domainkey.sonorangreenllc.onmicrosoft.com -- DKIM selector2: CNAME to selector2-sonorangreenllc-com._domainkey.sonorangreenllc.onmicrosoft.com +| SPF | OK | `v=spf1 include:spf.protection.outlook.com -all` | +| DMARC | OK | `v=DMARC1; p=reject; rua=mailto:sysadmin@bgbuildersllc.com` | +| DKIM | OK | selector1/selector2 CNAMEs configured | +| MX | OK | bgbuildersllc-com.mail.protection.outlook.com | --- ## Client - CW Concrete LLC ### Microsoft 365 Tenant -- **Service:** M365 tenant -- **Tenant:** cwconcretellc.com -- **CIPP Name:** cwconcretellc.com - **Tenant ID:** dfee2224-93cd-4291-9b09-6c6ce9bb8711 - **Default Domain:** NETORGFT11452752.onmicrosoft.com -- **Notes:** De-federated from GoDaddy 2025-12, domain needs re-verification -- **Licenses:** - - 2x Microsoft 365 Business Standard - - 2x Exchange Online Essentials -- **Security Gap:** No advanced security features -- **Recommendation:** Upgrade to Business Premium for Intune, conditional access, Defender -- **Access Methods:** Web (M365 portal) - -### Security Investigation (2025-12-22) - RESOLVED -- **Findings:** - - Graph Command Line Tools OAuth consent with high privileges (REMOVED) - - "test" backdoor app registration with multi-tenant access (DELETED) - - Apple Internet Accounts OAuth (left - likely iOS device) - - No malicious mailbox rules or forwarding -- **Remediation:** - - All sessions revoked for all 4 users - - Backdoor apps removed -- **Status:** RESOLVED +- **Notes:** De-federated from GoDaddy 2025-12 --- ## Client - Dataforth -### Network -- **Subnet:** 192.168.0.0/24 -- **Domain:** INTRANET (intranet.dataforth.com) - ### Microsoft 365 - -#### Tenant Information - **Tenant ID:** 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584 -- **Admin:** sysadmin@dataforth.com / Paper123!@# (synced with AD) - -#### Entra App Registration (Claude-Code-M365) -- **Purpose:** Silent Graph API access for automation -- **App ID:** 7a8c0b2e-57fb-4d79-9b5a-4b88d21b1f29 -- **Client Secret:** tXo8Q~ZNG9zoBpbK9HwJTkzx.YEigZ9AynoSrca3 -- **Created:** 2025-12-22 -- **Expires:** 2027-12-22 -- **Permissions:** Calendars.ReadWrite, Contacts.ReadWrite, User.ReadWrite.All, Mail.ReadWrite, Directory.ReadWrite.All, Group.ReadWrite.All, Sites.ReadWrite.All, Files.ReadWrite.All, Reports.Read.All, AuditLog.Read.All, Application.ReadWrite.All, Device.ReadWrite.All, SecurityEvents.Read.All, IdentityRiskEvent.Read.All, Policy.Read.All, RoleManagement.ReadWrite.Directory +- **Admin:** op://Clients/Dataforth M365/username / op://Clients/Dataforth M365/password +- **Entra App (Claude-Code-M365):** + - App ID: op://Clients/Dataforth M365/Entra App.App ID + - Client Secret: op://Clients/Dataforth M365/Entra App.Client Secret + - Expires: 2027-12-22 ### NPS RADIUS Configuration - **Server:** 192.168.0.27 (AD1) - **Port:** 1812/UDP (auth), 1813/UDP (accounting) -- **Shared Secret:** Gptf*77ttb!@#!@# +- **Shared Secret:** op://Clients/Dataforth M365/NPS RADIUS.Shared Secret - **RADIUS Client:** unifi (192.168.0.254) -- **Network Policy:** Unifi - allows Domain Users 24/7 -- **Auth Methods:** All (PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP) -- **AuthAttributeRequired:** False (required for UniFi OpenVPN) - -### OpenVPN Routes (Split Tunnel) -- 192.168.0.0/24 -- 192.168.1.0/24 -- 192.168.4.0/24 -- 192.168.100.0/24 -- 192.168.200.0/24 -- 192.168.201.0/24 --- ## Client - Valley Wide Plastering (VWP) -### Network -- **Subnet:** 172.16.9.0/24 - -### UDM (UniFi Dream Machine) +### UDM - **IP:** 172.16.9.1 -- **SSH User:** root -- **SSH Password:** Gptf*77ttb123!@#-vwp -- **Role:** Gateway/firewall, VPN server, RADIUS client -- **Access Methods:** SSH, Web +- **User:** op://Clients/VWP UDM/username +- **Password:** op://Clients/VWP UDM/password -### VWP-DC1 (Domain Controller) +### VWP-DC1 - **IP:** 172.16.9.2 - **Hostname:** VWP-DC1.VWP.US -- **Domain:** VWP.US (NetBIOS: VWP) -- **SSH:** sysadmin / r3tr0gradE99# -- **Role:** Primary DC, NPS/RADIUS server -- **Added:** 2025-12-22 -- **Access Methods:** RDP, WinRM +- **User:** op://Clients/VWP DC1/username +- **Password:** op://Clients/VWP DC1/password +- **NPS RADIUS Shared Secret:** op://Clients/VWP DC1/NPS.Shared Secret -### Citrix XenServer (PowerEdge R720) -- **Hypervisor:** XenServer 7.6.0 -- **Hostname:** valleywide -- **Management IP:** 192.168.0.104 (DHCP, eth0) -- **MAC:** ec:f4:bb:d0:69:f8 -- **Gateway:** 192.168.0.1 -- **SSH User:** root -- **SSH Password:** r3tr0gradE99! +### Citrix XenServer +- **Management IP:** 192.168.0.104 +- **User:** op://Clients/VWP XenServer/username +- **Password:** op://Clients/VWP XenServer/password - **iDRAC IP:** 192.168.3.30 -- **iDRAC MAC:** 78:45:C4:F1:CE:6E -- **User:** root -- **Password:** r3tr0gradE99# -- **Service Tag:** 52ZBVV1 -- **Express Service Code:** 11064185101 -- **BIOS:** 2.7.0 -- **iDRAC Firmware:** 2.60.60.60 (iDRAC 7) -- **Virtual Console:** Java-based (avctKVM), requires Java 8 + relaxed security -- **Notes:** Hostname "localhost" (not configured) +- **iDRAC User/Pass:** op://Clients/VWP XenServer/iDRAC.* -### QuickBooks Server - iDRAC (PowerEdge R640) -- **Hostname:** VWP-QBS.VWP.US -- **OS:** Windows Server 2022 (10.0) +### QuickBooks Server iDRAC - **iDRAC IP:** 192.168.3.189 -- **iDRAC MAC:** 54:48:10:F2:A0:2E -- **iDRAC Firmware:** 7.00.00.174 (iDRAC 9) -- **User:** root -- **Password:** r3tr0gradE99# -- **Service Tag:** C84TTQ2 -- **BIOS:** 2.22.2 -- **License:** Enterprise -- **Notes:** iDRAC 9 supports HTML5 virtual console (no Java needed) - -### NPS RADIUS Configuration -- **RADIUS Server:** 172.16.9.2 -- **RADIUS Ports:** 1812 (auth), 1813 (accounting) -- **Clients:** UDM (172.16.9.1), VWP-Subnet (172.16.9.0/24) -- **Shared Secret:** Gptf*77ttb123!@#-radius -- **Policy:** "VPN-Access" - allows all authenticated users (24/7) -- **Auth Methods:** All (PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP) -- **User Dial-in:** All VWP_Users set to Allow -- **AuthAttributeRequired:** Disabled on clients -- **Tested:** 2025-12-22, user cguerrero authenticated successfully -- **Access Methods:** RADIUS protocol -- **AD Structure:** - - Users OU: OU=VWP_Users,DC=VWP,DC=US - - Users with VPN Access (27 total): Darv, marreola, farias, smontigo, truiz, Tcapio, bgraffin, cguerrero, tsmith, tfetters, owner, cougar, Receptionist, Isacc, Traci, Payroll, Estimating, ARBilling, orders2, guru, sdooley, jguerrero, kshoemaker, rose, rguerrero, jrguerrero, Acctpay +- **User:** op://Clients/VWP QuickBooks Server iDRAC/username +- **Password:** op://Clients/VWP QuickBooks Server iDRAC/password --- ## Client - Khalsa -### Network -- **Subnet:** 172.16.50.0/24 - -### UCG (UniFi Cloud Gateway) +### UCG - **IP:** 172.16.50.1 -- **SSH User:** azcomputerguru -- **SSH Password:** Paper123!@#-camden (reset 2025-12-22) -- **Notes:** Gateway/firewall, VPN server, SSH key added but not working -- **Access Methods:** SSH, Web +- **User:** op://Clients/Khalsa UCG/username +- **Password:** op://Clients/Khalsa UCG/password ### Switch -- **User:** 8WfY8 -- **Password:** tI3evTNBZMlnngtBc -- **Access Methods:** Web +- **User:** op://Clients/Khalsa Switch/username +- **Password:** op://Clients/Khalsa Switch/password -### Accountant Machine -- **IP:** 172.16.50.168 -- **User:** accountant -- **Password:** Paper123!@#-accountant -- **Local Admin:** localadmin / r3tr0gradE99! -- **Added:** 2025-12-22 -- **Notes:** VPN routing issue, RDP enabled -- **Access Methods:** RDP +### Accountant Machine (172.16.50.168) +- **User:** op://Clients/Khalsa Accountant Machine/username +- **Password:** op://Clients/Khalsa Accountant Machine/password +- **Local Admin:** op://Clients/Khalsa Accountant Machine/Local Admin User / op://Clients/Khalsa Accountant Machine/Local Admin Password --- ## Client - Scileppi Law Firm -### DS214se (Source NAS - Migration Source - POWERED OFF) -- **Service:** Legacy NAS (source) -- **IP:** 172.16.1.54 -- **SSH User:** admin -- **Password:** Th1nk3r^99 -- **Storage:** 1.8TB (1.6TB used) -- **Data:** User home folders (admin, Andrew Ross, Chris Scileppi, Samantha Nunez, etc.) -- **Status:** Powered off after migration 2025-12-27 -- **Access Methods:** SSH, Web - -### Unraid (Source - Migration - POWERED OFF) -- **Service:** Legacy Unraid (source) -- **IP:** 172.16.1.21 -- **SSH User:** root -- **Password:** Th1nk3r^99 -- **Role:** Data source for migration to RS2212+ -- **Data:** /mnt/user/Scileppi (5.2TB) - - Active: 1.4TB - - Archived: 451GB - - Billing: 17MB - - Closed: 3.0TB -- **Status:** Powered off after migration 2025-12-27 -- **Access Methods:** SSH, Web - -### RS2212+ (Destination NAS) -- **Service:** Primary NAS (destination) +### RS2212+ (Primary NAS) - **IP:** 172.16.1.59 -- **Hostname:** SL-SERVER -- **SSH User:** sysadmin -- **Password:** Gptf*77ttb123!@#-sl-server -- **SSH Key:** claude-code@localadmin added to authorized_keys -- **Storage:** 25TB total, 6.9TB used (28%) -- **Data Share:** /volume1/Data (7.9TB - Active, Closed, Archived, Billing, MOTIONS BANK) -- **Notes:** Migration and consolidation complete 2025-12-29 -- **Access Methods:** SSH (key + password), Web, SMB +- **User:** op://Clients/Scileppi RS2212+/username +- **Password:** op://Clients/Scileppi RS2212+/password +- **Storage:** 25TB total, 6.9TB used +- **User Accounts:** op://Clients/Scileppi RS2212+/Users.* -### RS2212+ User Accounts (Created 2025-12-29) -| Username | Full Name | Password | Notes | -|----------|-----------|----------|-------| -| chris | Chris Scileppi | Scileppi2025! | Owner | -| andrew | Andrew Ross | Scileppi2025! | Staff | -| sylvia | Sylvia | Scileppi2025! | Staff | -| rose | Rose | Scileppi2025! | Staff | -| (TBD) | 5th user | - | Name pending | - -### Migration/Consolidation Status - COMPLETE -- **Completed:** 2025-12-29 -- **Final Structure:** - - Active: 2.5TB (merged Unraid + DS214se Open Cases) - - Closed: 4.9TB (merged Unraid + DS214se Closed Cases) - - Archived: 451GB - - MOTIONS BANK: 21MB - - Billing: 17MB -- **Recycle Bin:** Emptied (recovered 413GB) -- **Permissions:** Group "users" with 775 on /volume1/Data +### DS214se / Unraid (POWERED OFF) +- Credentials in op://Clients/Scileppi DS214se (POWERED OFF)/* and op://Clients/Scileppi Unraid (POWERED OFF)/* --- ## Client - heieck.org ### Microsoft 365 Migration -- **Microsoft 365 Tenant:** heieckorg.onmicrosoft.com -- **Admin User:** sysadmin@heieck.org -- **Mailboxes:** - - sheila@heieck.org (0.66 GB, 10,490 items) - - jjh@heieck.org (2.39 GB, 31,463 items) - - Passwords: Gptf*77ttb## (Exchange) - -### Azure Storage (PST Import) -- **Storage Account:** heieckimport -- **Resource Group:** heieckimport_group -- **Location:** East US -- **Container:** pstimport -- **SAS Token:** (expired 2026-01-22) -- **Uploaded Files:** sheila.pst, jjh.pst (3.05 GB total) - -### DNS Configuration (IX Server) -**heieck.org zone:** -- MX: 0 heieck-org.mail.protection.outlook.com -- TXT (SPF): v=spf1 include:spf.protection.outlook.com -all -- TXT (Verification): MS=ms31330906 -- CNAME (autodiscover): autodiscover.outlook.com - ---- - -## Client Sites - WHM/cPanel - -### IX Server (ix.azcomputerguru.com) -- **Service:** cPanel/WHM hosting server -- **SSH Host:** ix.azcomputerguru.com -- **Internal IP:** 172.16.3.10 (VPN required) -- **SSH User:** root -- **SSH Password:** Gptf*77ttb!@#!@# -- **SSH Key:** guru@wsl key added to authorized_keys -- **Role:** cPanel/WHM server hosting client sites -- **Access Methods:** SSH, cPanel/WHM web - -### data.grabbanddurando.com -- **Service:** Client website (Grabb & Durando Law) -- **Server:** IX (ix.azcomputerguru.com) -- **cPanel Account:** grabblaw -- **Site Path:** /home/grabblaw/public_html/data_grabbanddurando -- **Site Admin User:** admin -- **Site Admin Password:** GND-Paper123!@#-datasite -- **Database:** grabblaw_gdapp_data -- **DB User:** grabblaw_gddata -- **DB Password:** GrabbData2025 -- **Config File:** /home/grabblaw/public_html/data_grabbanddurando/connection.php -- **Backups:** /home/grabblaw/public_html/data_grabbanddurando/backups_mariadb_fix/ -- **Access Methods:** Web (admin), MySQL, SSH (via IX root) +- **Tenant:** heieckorg.onmicrosoft.com +- **Mailbox passwords:** op://Clients/heieck.org M365/* --- ## MSP Tools -### Syncro (PSA/RMM) - AZ Computer Guru -- **Service:** PSA/RMM platform -- **API Key:** T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3 -- **Subdomain:** computerguru +### Syncro (PSA/RMM) - **API Base URL:** https://computerguru.syncromsp.com/api/v1 -- **API Docs:** https://api-docs.syncromsp.com/ -- **Account:** AZ Computer Guru MSP -- **Added:** 2025-12-18 -- **Customers:** 5,064 (29 duplicates found) -- **Access Methods:** API +- **API Key:** op://MSP Tools/Syncro/credential -### Autotask (PSA) - AZ Computer Guru -- **Service:** PSA platform -- **API Username:** dguyqap2nucge6r@azcomputerguru.com -- **API Password:** z*6G4fT#oM~8@9Hxy$2Y7K$ma -- **API Integration Code:** HYTYYZ6LA5HB5XK7IGNA7OAHQLH -- **Integration Name:** ClaudeAPI +### Autotask (PSA) - **API Zone:** webservices5.autotask.net -- **API Docs:** https://autotask.net/help/developerhelp/Content/APIs/REST/REST_API_Home.htm -- **Account:** AZ Computer Guru MSP -- **Added:** 2025-12-18 -- **Notes:** New API user "Claude API" -- **Companies:** 5,499 (19 exact duplicates, 30+ near-duplicates) -- **Access Methods:** REST API +- **API Username:** op://MSP Tools/Autotask/API Username +- **API Password:** op://MSP Tools/Autotask/API Password +- **Integration Code:** op://MSP Tools/Autotask/credential -### CIPP (CyberDrain Improved Partner Portal) -- **Service:** M365 management portal +### CIPP (M365 Management) - **URL:** https://cippcanvb.azurewebsites.net - **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d -- **API Client Name:** ClaudeCipp2 (working) -- **App ID (Client ID):** 420cb849-542d-4374-9cb2-3d8ae0e1835b -- **Client Secret:** MOn8Q~otmxJPLvmL~_aCVTV8Va4t4~SrYrukGbJT -- **Scope:** api://420cb849-542d-4374-9cb2-3d8ae0e1835b/.default -- **CIPP-SAM App ID:** 91b9102d-bafd-43f8-b17a-f99479149b07 -- **IP Range:** 0.0.0.0/0 (all IPs allowed) -- **Auth Method:** OAuth 2.0 Client Credentials -- **Updated:** 2025-12-23 -- **Notes:** Working API client -- **Access Methods:** REST API (OAuth 2.0) - -#### CIPP API Usage (Bash) -```bash -# Get token -ACCESS_TOKEN=$(curl -s -X POST "https://login.microsoftonline.com/ce61461e-81a0-4c84-bb4a-7b354a9a356d/oauth2/v2.0/token" \ - -d "client_id=420cb849-542d-4374-9cb2-3d8ae0e1835b" \ - -d "client_secret=MOn8Q~otmxJPLvmL~_aCVTV8Va4t4~SrYrukGbJT" \ - -d "scope=api://420cb849-542d-4374-9cb2-3d8ae0e1835b/.default" \ - -d "grant_type=client_credentials" | python3 -c "import sys, json; print(json.load(sys.stdin).get('access_token', ''))") - -# Query endpoints (use tenant domain or tenant ID as TenantFilter) -curl -s "https://cippcanvb.azurewebsites.net/api/ListLicenses?TenantFilter=sonorangreenllc.com" \ - -H "Authorization: Bearer ${ACCESS_TOKEN}" -``` - -#### Old CIPP API Client (DO NOT USE) -- **App ID:** d545a836-7118-44f6-8852-d9dd64fb7bb9 -- **Status:** Authenticated but all endpoints returned 403 +- **App ID:** op://MSP Tools/CIPP/OAuth.App ID +- **Client Secret:** op://MSP Tools/CIPP/OAuth.Client Secret +- **Scope:** op://MSP Tools/CIPP/OAuth.Scope ### Claude-MSP-Access (Multi-Tenant Graph API) -- **Service:** Direct Graph API access for M365 investigations - **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d -- **App ID (Client ID):** fabb3421-8b34-484b-bc17-e46de9703418 -- **Client Secret:** ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO -- **Secret Expires:** 2026-12 (24 months) -- **Sign-in Audience:** Multi-tenant (any Entra ID org) -- **Purpose:** Direct Graph API access for M365 investigations and remediation -- **Admin Consent URL:** https://login.microsoftonline.com/common/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient -- **Permissions:** User.ReadWrite.All, Directory.ReadWrite.All, Mail.ReadWrite, MailboxSettings.ReadWrite, AuditLog.Read.All, Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, Group.ReadWrite.All, SecurityEvents.ReadWrite.All, AppRoleAssignment.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All -- **Created:** 2025-12-29 -- **Access Methods:** Graph API (OAuth 2.0) +- **App ID:** op://MSP Tools/Claude-MSP-Access (Graph API)/App ID +- **Client Secret:** op://MSP Tools/Claude-MSP-Access (Graph API)/credential -#### Usage (Python) -```python -import requests - -tenant_id = "CUSTOMER_TENANT_ID" # or use 'common' after consent -client_id = "fabb3421-8b34-484b-bc17-e46de9703418" -client_secret = "~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO" - -# Get token -token_resp = requests.post( - f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", - data={ - "client_id": client_id, - "client_secret": client_secret, - "scope": "https://graph.microsoft.com/.default", - "grant_type": "client_credentials" - } -) -access_token = token_resp.json()["access_token"] - -# Query Graph API -headers = {"Authorization": f"Bearer {access_token}"} -users = requests.get("https://graph.microsoft.com/v1.0/users", headers=headers) -``` +### ACG-MSP-Access (Google Workspace) +- **Service Account:** op://MSP Tools/ACG-MSP-Access (Google Workspace)/Service Account Email +- **Key File:** temp/acg-msp-access-8f72339997e5.json +- **Onboarded Tenants:** lonestarelectrical.net --- -### ACG-MSP-Access (Google Workspace - Multi-Tenant) -- **Service:** Google Workspace API access for investigations and remediation -- **Google Cloud Project:** acg-msp-access -- **Service Account Email:** acg-msp-access@acg-msp-access.iam.gserviceaccount.com -- **Client ID:** 102231607889615995452 -- **Key File:** `temp/acg-msp-access-8f72339997e5.json` -- **Private Key ID:** 8f72339997e510cb3bf3c01aa658a09a4bce97ba -- **Created:** 2026-03-10 -- **Purpose:** Domain-wide delegation for Google Workspace client investigations -- **Scopes:** - - `admin.directory.user` (user management) - - `admin.directory.user.security` (password reset, 2FA, revoke sessions) - - `admin.reports.audit.readonly` (audit/sign-in logs) - - `gmail.readonly` (mailbox investigation) - - `gmail.settings.basic` (forwarding rules) - - `drive.readonly` (drive audit) - - `admin.directory.domain.readonly` (domain info) -- **Onboarded Tenants:** - - lonestarelectrical.net (sysadmin@lonestarelectrical.net) - added 2026-03-10 +## VPN Access -#### Usage (Python) -```python -from google.oauth2 import service_account -from googleapiclient.discovery import build - -SCOPES = [ - 'https://www.googleapis.com/auth/admin.directory.user', - 'https://www.googleapis.com/auth/admin.directory.user.security', - 'https://www.googleapis.com/auth/admin.reports.audit.readonly', - 'https://www.googleapis.com/auth/gmail.readonly', - 'https://www.googleapis.com/auth/gmail.settings.basic', - 'https://www.googleapis.com/auth/drive.readonly', - 'https://www.googleapis.com/auth/admin.directory.domain.readonly', -] - -creds = service_account.Credentials.from_service_account_file( - 'temp/acg-msp-access-8f72339997e5.json', scopes=SCOPES -) -# Impersonate the admin user in the target tenant -delegated = creds.with_subject('sysadmin@lonestarelectrical.net') -service = build('admin', 'reports_v1', credentials=delegated) -``` +### Peaceful Spirit VPN (L2TP/IPSec) +- **Server IP:** 98.190.129.150 +- **Username:** op://Clients/Peaceful Spirit VPN/username +- **Password:** op://Clients/Peaceful Spirit VPN/password +- **Pre-Shared Key:** op://Clients/Peaceful Spirit VPN/VPN.Pre-Shared Key +- **Remote Network:** 192.168.0.0/24 --- @@ -1248,7 +562,7 @@ service = build('admin', 'reports_v1', credentials=delegated) | Tailscale IP | Hostname | Owner | OS | Notes | |--------------|----------|-------|-----|-------| -| 100.79.69.82 | pfsense-1 | mike@ | freebsd | Gateway (alternate: 100.119.153.74 pfsense-2) | +| 100.79.69.82 | pfsense-1 | mike@ | freebsd | Gateway | | 100.125.36.6 | acg-m-l5090 | mike@ | windows | Workstation | | 100.92.230.111 | acg-tech-01l | mike@ | windows | Tech laptop | | 100.96.135.117 | acg-tech-02l | mike@ | windows | Tech laptop | @@ -1264,18 +578,14 @@ service = build('admin', 'reports_v1', credentials=delegated) ## SSH Public Keys ### guru@wsl (Windows/WSL) -- **User:** guru -- **Sudo Password:** Window123!@#-wsl - **Key Type:** ssh-ed25519 - **Public Key:** AAAAC3NzaC1lZDI1NTE5AAAAIAWY+SdqMHJP5JOe3qpWENQZhXJA4tzI2d7ZVNAwA/1u guru@wsl -- **Usage:** WSL SSH authentication +- **Sudo Password:** op://Infrastructure/GuruRMM Server/password (same as SSH) - **Authorized on:** GuruRMM build server, IX server, Jupiter, Saturn ### azcomputerguru@local (Mac) -- **User:** azcomputerguru - **Key Type:** ssh-ed25519 - **Public Key:** ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDrGbr4EwvQ4P3ZtyZW3ZKkuDQOMbqyAQUul2+JE4K4S azcomputerguru@local -- **Usage:** Mac SSH authentication - **Authorized on:** GuruRMM build server, IX server, AD2, D2TESTNAS ### claude-code@localadmin (Windows) @@ -1285,117 +595,11 @@ service = build('admin', 'reports_v1', credentials=delegated) --- -## VPN Access +## 1Password Service Account -### Peaceful Spirit VPN (L2TP/IPSec) -- **Server IP:** 98.190.129.150 -- **Tunnel Type:** L2TP/IPSec -- **Pre-Shared Key (PSK):** z5zkNBds2V9eIkdey09Zm6Khil3DAZs8 -- **Username:** pst-admin -- **Password:** 24Hearts$ -- **Connection Name:** Peaceful Spirit VPN -- **Purpose:** Remote access to Peaceful Spirit Country Club network -- **Authentication:** MS-CHAPv2 with PSK -- **Split Tunneling:** Enabled (only CC traffic uses VPN) -- **Setup Script:** D:\ClaudeTools\Create-PeacefulSpiritVPN.ps1 -- **Quick Setup:** D:\ClaudeTools\VPN_QUICK_SETUP.md - -**Network Configuration (UniFi Router at CC):** -- **Remote Network:** 192.168.0.0/24 -- **DNS Server:** 192.168.0.2 -- **Gateway:** 192.168.0.10 - -**Complete Setup (Run as Administrator):** -```powershell -# Step 1: Create VPN connection with split tunneling -Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType L2tp -L2tpPsk "z5zkNBds2V9eIkdey09Zm6Khil3DAZs8" -AuthenticationMethod MsChapv2 -EncryptionLevel Required -AllUserConnection -RememberCredential -SplitTunneling $true - -# Step 2: Add route for CC network (192.168.0.0/24) -Add-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -DestinationPrefix "192.168.0.0/24" -AllUserConnection - -# Step 3: Configure DNS server -Set-DnsClientServerAddress -InterfaceAlias "Peaceful Spirit VPN" -ServerAddresses "192.168.0.2" - -# Step 4: Save credentials for pre-login access -rasdial "Peaceful Spirit VPN" "pst-admin" "24Hearts$" -rasdial "Peaceful Spirit VPN" /disconnect - -# Step 5: Enable pre-login VPN -Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "UseRasCredentials" -Value 1 -Type DWord -``` - -**Quick Connect:** -```powershell -rasdial "Peaceful Spirit VPN" -``` - -**Disconnect:** -```powershell -rasdial "Peaceful Spirit VPN" /disconnect -``` - ---- - -## Connection Testing - -### Test Database Connection -```bash -mysql -h 172.16.3.30 -u claudetools -p claudetools -# Password: CT_e8fcd5a3952030a79ed6debae6c954ed -``` - -### Test API Connectivity -```bash -curl http://172.16.3.30:8001/api/health -``` - -### Test Gitea SSH -```bash -ssh -p 2222 git@172.16.3.20 -# Should return: "Hi there! You've successfully authenticated..." -``` - -### Test AD2 Access (from Dataforth network) -```cmd -net use T: \\192.168.0.6\test /user:INTRANET\sysadmin Paper123!@# -``` - -### Test NAS Access (from Dataforth network) -```cmd -net use T: \\192.168.0.9\test -``` - ---- - -## Security Notes - -- **Never commit this file to public repositories** -- **Credentials are stored unredacted for context recovery** -- **ClaudeTools encrypts credentials in database with AES-256-GCM** -- **JWT tokens expire after configured duration** -- **SSH keys required for Gitea access (ed25519)** -- **Dataforth network is isolated (192.168.0.0/24)** -- **AD2 has SMB1 disabled for security (post crypto-attack)** -- **All production credentials should be rotated regularly** - -### Matomo Analytics (analytics.azcomputerguru.com) -- **Service:** Self-hosted web analytics (Matomo 5.8.0) -- **URL:** https://analytics.azcomputerguru.com -- **Server:** IX (172.16.3.10), cPanel account `azcomputerguru` -- **Document Root:** `/home/azcomputerguru/public_html/analytics/` -- **Admin User:** MikeSwanson -- **Admin Password:** Mat0mo2026!CGS -- **Admin Email:** mike@azcomputerguru.com -- **DB Host:** localhost (on IX server) -- **DB Name:** azcompu_matomo -- **DB User:** azcompu_matomo -- **DB Password:** Mat0mo2026!CGS -- **Site ID 1:** AZ Computer Guru (azcomputerguru.com) - tracked via WP mu-plugin -- **Site ID 2:** Community Forum (community.azcomputerguru.com) - tracked via Flarum custom_header -- **Site ID 3:** Radio Show (radio.azcomputerguru.com) - tracked via HTML injection -- **Cron:** Every 5 min, `azcomputerguru` user, archive reports -- **Cloudflare:** Proxied (orange cloud), DNS A record to 72.194.62.5 -- **Installed:** 2026-03-20 +- **Item:** op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential +- **Vaults Accessible:** Infrastructure, Clients, Projects, MSP Tools (Read & Write) +- **Usage:** Set OP_SERVICE_ACCOUNT_TOKEN env var for non-interactive CLI access --- @@ -1403,9 +607,28 @@ net use T: \\192.168.0.9\test When a new Claude session starts or context is lost: -1. **Read this file first** - Get all credentials and infrastructure details -2. **Check session-logs/** - Find recent work and decisions -3. **Read SESSION_STATE.md** - Get project status and phase -4. **Read .claude/claude.md** - Get project overview +1. **Read this file first** - Get all infrastructure details and op:// paths +2. **Use `op read`** to fetch actual credentials as needed +3. **Check session-logs/** - Find recent work and decisions +4. **Read SESSION_STATE.md** - Get project status and phase -This ensures full context recovery without asking user for information already documented. +**Quick credential fetch:** +```bash +# Set service account token first +export OP_SERVICE_ACCOUNT_TOKEN=$(op read "op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential") + +# Then read any credential +op read "op://Infrastructure/IX Server/password" +op read "op://Projects/ClaudeTools Database/password" +op read "op://Clients/Dataforth AD2/password" +``` + +--- + +## Security Notes + +- **Secrets are stored in 1Password** - op:// references are safe to commit to private repos +- **Never commit resolved .env files** - only .env.tpl with op:// references +- **ClaudeTools encrypts credentials in database with AES-256-GCM** +- **Service account token** should be set as environment variable, not committed +- **Rotate on exposure** - update in 1Password, re-inject everywhere diff --git a/session-logs/2026-03-24-session.md b/session-logs/2026-03-24-session.md index 1ac24d6..b6cbf2b 100644 --- a/session-logs/2026-03-24-session.md +++ b/session-logs/2026-03-24-session.md @@ -231,3 +231,57 @@ joser's phone immediately stopped prompting for MDM after re-adding the Lonestar - `/home/guru/ClaudeTools/.claude/commands/1password.md` -- NEW, 1Password slash command for Claude Code - `/home/guru/ClaudeTools/.claude/skills/1password/scripts/` -- NEW, extracted helper scripts (check_setup.sh, store_secret.sh, env_from_op.sh, store-mcp-credentials.sh, launch-in-terminal.sh) - `/home/guru/ClaudeTools/.claude/skills/1password/references/` -- NEW, extracted reference docs (secret_references.md, integrations.md, op_commands.md) + +--- + +## Update: 1Password Credentials Migration + +### Summary +Migrated all credentials from plaintext credentials.md into 1Password. Created 58 items across 4 new vaults. Replaced credentials.md with op:// reference version. + +### 1Password Vaults Created +| Vault | Items | Contents | +|-------|-------|----------| +| Infrastructure | 16 | Servers (GuruRMM, Jupiter, IX, pfSense, etc.), services (Gitea, NPM, Seafile, Cloudflare, Matomo), service account token | +| Clients | 27 | Neptune, Dataforth infra (ESXi, AD1/AD2, D2TESTNAS, UDM, PBX), M365 tenants (MVAN, BG Builders, CW Concrete, Dataforth, heieck), VWP, Khalsa, Scileppi, Lonestar, Peaceful Spirit VPN, Grabb & Durando | +| Projects | 10 | ClaudeTools (DB, encryption key, API auth), GuruRMM (dashboard, DB, API, Entra SSO, CI/CD, Glaztech), GuruConnect DB | +| MSP Tools | 5 | Syncro, Autotask, CIPP, Claude-MSP-Access (Graph API), ACG-MSP-Access (Google Workspace) | + +### Service Account +- **Name:** Agentic_Cli +- **Token stored:** op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential +- **Access:** Read & Write on Infrastructure, Clients, MSP Tools. **Read-only on Projects** (immutable after creation -- needs new SA to fix) +- **Usage:** `export OP_SERVICE_ACCOUNT_TOKEN="token"` then `op read "op://..."` without biometric +- **Note:** Service account permissions are immutable after creation. To change, must delete and recreate. + +### Key Decisions +- **Vault organization:** MSP-oriented (Infrastructure/Clients/Projects/MSP Tools) rather than per-client +- **credentials.md strategy:** Replaced with op:// references -- file stays as documentation, actual secrets only in 1Password +- **Service account:** Created for non-interactive CLI access, avoids biometric prompt on every op command +- **Backup:** Original credentials.md saved as credentials.md.bak (to be deleted after verification) + +### 1Password CLI Notes +- **Version:** 2.32.1 +- **Account:** mike@azcomputerguru.com (my.1password.com) +- **Desktop app integration:** Prompts for biometric auth every CLI call (10min timeout) +- **Service account:** Bypasses biometric entirely via OP_SERVICE_ACCOUNT_TOKEN env var +- **Service account limitations:** Cannot access Private vault, permissions immutable after creation +- **Fish config (CachyOS):** Add `set -gx OP_SERVICE_ACCOUNT_TOKEN "token"` to ~/.config/fish/config.fish + +### Credentials Referenced +- 1Password CLI: op (v2.32.1) +- Service Account Token: ops_eyJ... (stored in 1Password itself) +- All credentials from original credentials.md (58 items total) + +### Files Changed +- `credentials.md` -- Replaced with op:// reference version (no plaintext secrets) +- `credentials.md.bak` -- Backup of original plaintext version (DELETE after verification) +- `.claude/CLAUDE.md` -- Updated with 1Password access instructions, /1password skill reference +- `credentials.op.md` -- Intermediate draft (merged into credentials.md) + +### Pending/Incomplete +1. **Projects vault write access** -- Service account has read-only. Needs new SA with write perms to fix. +2. **Other machines setup** -- Install op CLI + set OP_SERVICE_ACCOUNT_TOKEN on Mac and Windows workstations +3. **Fish config** -- Add OP_SERVICE_ACCOUNT_TOKEN to ~/.config/fish/config.fish on CachyOS +4. **Delete credentials.md.bak** -- After verifying all op:// refs resolve correctly +5. **launch-in-terminal.sh** -- Needs Linux adaptation (currently macOS-only osascript)