Compare commits
2 Commits
ff7025d912
...
d5020a6415
| Author | SHA1 | Date | |
|---|---|---|---|
| d5020a6415 | |||
| 0da31cbb65 |
@@ -153,6 +153,7 @@
|
||||
- [GuruConnect](project_guruconnect.md) — v2 direction (native-first full key fidelity Win+R/Ctrl+Alt+Del + bidirectional file cut/paste/drag; WebRTC fallback only; standalone-first + RMM contract; tenancy-ready schema; Mike willing to scrap v1). Manual deploy procedure to 172.16.3.30 (build-on-server in login shell; sqlx runtime queries; NPM `CONNECT_TRUSTED_PROXIES=172.16.3.20` gotcha). v2 live since 2026-05-30.
|
||||
- [Apple MDM + Developer certs (GuruRMM mobile)](project_apple_mdm_certs.md) — ACG holds Apple Developer+signing and Apple MDM Push certs (acquired 2026-05-29) for SPEC-017. MDM push cert RENEWS ANNUALLY on the same Apple ID or all enrolled iOS devices break.
|
||||
- [Only RMM & GC are versionable products](project_versionable_products.md) — GuruRMM + GuruConnect are the only products with own repos/submodules; everything else stays in the claudetools monorepo. Split only for independent pipeline OR versioned external consumer.
|
||||
- [GuruRMM legacy 1.77 build disabled](project_gururmm_legacy_disabled.md) — legacy (2008R2/Win7) Rust 1.77 variant DISABLED 2026-07-04 (`LEGACY_ENABLED=false`) after an edition2024 dep (chacha20/rand_core 0.10.1) broke the unpinned 1.77 re-resolve and fail-closed the whole Windows build; existing legacy artifacts preserved at 0.6.76. Do NOT re-enable blindly — 2008R2 support returns via a C++/.NET or clean-rewrite legacy agent (Mike, required).
|
||||
- [Quantum GoDaddy M365 tenant](project_quantum_godaddy_m365_tenant.md) — quantumwms.com parked in a GoDaddy-provisioned M365 tenant (id ddf3d2c9-b76c-40d9-a216-9f11a1a26f97, netorg18235235.onmicrosoft.com); blocks Pax8 migration until GoDaddy removed.
|
||||
- [Howard-Home LAN shadow (RESOLVED)](howard-home-lan-shadow.md) — Howard-Home renumbered 2026-06-16 to **10.137.42.0/24** (gw 10.137.42.1, UniFi — NOT pfSense), off the old 192.168.0.0/24 that shadowed Cascades pfSense .0.x over the VPN. Cascades .0.x should now route via the tunnel; this machine is 10.137.42.x now (not 192.168.0.x).
|
||||
- [Cascades CARF tech plan](project_cascades_carf_tech_plan.md) — Ashley's "technology plan" is a CARF accreditation deliverable (Aging Services Technology and System Plan standard); must use CARF action-plan structure (owner/cost/target+completion dates per area), persons-served assistive-tech lens, annual-review sign-off; it's Cascades' leadership-adopted plan, ACG supplies content.
|
||||
|
||||
27
.claude/memory/project_gururmm_legacy_disabled.md
Normal file
27
.claude/memory/project_gururmm_legacy_disabled.md
Normal file
@@ -0,0 +1,27 @@
|
||||
---
|
||||
name: project_gururmm_legacy_disabled
|
||||
description: GuruRMM's legacy Rust 1.77 (Server 2008R2 / Win7) build variant is DISABLED as of 2026-07-04 — do not just re-enable it; 2008R2 support returns via a separate legacy agent (C++/.NET or clean rewrite)
|
||||
metadata:
|
||||
type: project
|
||||
---
|
||||
|
||||
The GuruRMM Windows build's **legacy Rust 1.77 variant is disabled** (2026-07-04) via
|
||||
`LEGACY_ENABLED=false` in `deploy/build-pipeline/build-windows.sh`.
|
||||
|
||||
**Why:** the legacy build moves `Cargo.lock` aside and re-resolves deps unpinned; crates.io now
|
||||
serves edition2024 versions of transitive deps (`chacha20`/`rand_core` 0.10.1) that Rust 1.77
|
||||
cannot parse ("feature `edition2024` is required"). This fail-closed the ENTIRE Windows build and
|
||||
blocked modern (amd64/x86/tray) deploys. It is a **BUG-021 recurrence** and is NOT caused by any
|
||||
agent code change — it reproduces at any base commit right now. This is at least the 3rd edition2024
|
||||
break of the 1.77 build (the `agent/Cargo.toml` transitive-pin list is a monument to it).
|
||||
|
||||
**What the disable does:** skips the legacy wave/copy/deploy/symlink and EXCLUDES legacy from the
|
||||
artifact cleanup, so the last-built legacy binaries (**0.6.76**) are PRESERVED and existing Server
|
||||
2008R2 / Win7 endpoints stay supported *frozen at 0.6.76*. Modern agents advance normally.
|
||||
|
||||
**Mike's directive (2026-07-04):** "Kill the legacy version for now, but we will come back to it" —
|
||||
2008R2 support is REQUIRED (a number are still in the wild) and will return via a **different
|
||||
architecture (C++/.NET) or a clean rewrite for legacy**, NOT by flipping `LEGACY_ENABLED` back on
|
||||
without first solving the 1.77 edition2024 pin problem. Do NOT re-enable it blindly. Tracked in
|
||||
`projects/msp-tools/guru-rmm/docs/RMM_THOUGHTS.md`. Related: the policy-controlled tray feature that
|
||||
was shipping when this surfaced ([[project_guruconnect]] is a different project).
|
||||
Submodule projects/msp-tools/guru-rmm updated: a7ecb9f116...23a7bcca20
@@ -137,7 +137,7 @@ Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing
|
||||
| ESXi hosts | 192.168.0.122, 192.168.0.124 | VMware ESXi hypervisors | ESXi | — |
|
||||
| UDM Firewall | 192.168.0.254 | Perimeter firewall/router | UniFi OS 5.1.15 | MAC d0:21:f9:6c:11:02. Also responds on 192.168.0.1. SSH: `azcomputerguru@192.168.0.254`, root SSH key added 2026-06-08, 2FA push required. Vault: `clients/dataforth/udm.sops.yaml`. C2 IPs blocked via iptables (NOT permanent — need to add to UniFi UI). Boot scripts in `/data/on_boot.d/`: `10-neptune-snat.sh` (Neptune outbound SNAT), `30-freepbx-sip-forward.sh` (SIP DNAT, WAN UDP 5060 source-locked to 66.7.123.0/24 → 192.168.100.2; SIP-only — do NOT add RTP forward). **[WARNING] Confirmed 2026-06-23: the SIP DNAT rule can be silently flushed by a UniFi controller provision/update, not only a reboot** — the on_boot.d script only re-applies at boot, so a mid-uptime provision event leaves inbound calls dead until the script is manually re-run. Recommend adding a persistent UI port-forward rule as a belt-and-suspenders measure (still not done as of 2026-07-04). |
|
||||
| PBX (Sangoma FreePBX) | 192.168.100.2 | VoIP PBX — production phones on 192.168.100.0/24 | Sangoma FreePBX 17 / Asterisk 22.5.2, Debian 12 | FirstDigital PJSIP trunk; SBC 66.7.123.215:5060 (Sonus), match 66.7.123.0/24; IP-auth (no registration). `qualify_frequency=0` (FD SBC ignores OPTIONS — do NOT revert). TFTP provisioning for Cisco SPA502G phones. Extensions 201-343. SSH: `sangoma@192.168.100.2` (ACG SSH key also authenticates). Vault: `clients/dataforth/pbx.sops.yaml` — password corrected 2026-06-23 (prior entry had a backslash-escaping corruption in the stored value; re-verify the vault entry byte-for-byte before use rather than assuming it is stale). [WARNING] Re-apply `PJSip.class.php` line-504 patch after any `fwconsole ma updateall`. **NOTE:** `sangoma` user is in the `sudo` group but sudo authorization on this box appears not actually granted — verify before assuming privileged ops will work via sudo. |
|
||||
| **MYDATA TPSys SMT Controller** (`myserver`) | **192.168.1.1** (VLAN2, SSH-confirmed 2026-07-04) | MYDATA/Mycronic TPSys pick-and-place SMT production-line controller | Fedora Core 3 "Heidelberg" (Nov 2004), kernel 2.6.16.20, glibc ~2.3.5, bash 3.00, **LILO** bootloader, **SysV init** (no systemd) | **NEW, discovered 2026-07-04.** On VLAN 2 "mydata" (192.168.1.0/24). **[WARNING] The box's own IP 192.168.1.1 collides with the address recorded as the VLAN 2 gateway — reconcile: either this box IS the gateway/router for the SMT line, or there is an IP conflict with the UDM. Confirm before relying on either.** TPSys operator UI runs under X started from tpsys's autologin `.profile` -> `startx` on tty1 (default runlevel is **3**, not 5); local PostgreSQL backs TPSys. Accounts: `root`, `tpsys` (TPSys app user), `tpspool` (TPSys spool), `postgres`. **No credential existed prior to discovery** — root was RESET via physical-console LILO recovery, vaulted at `clients/dataforth/mydata-smt.sops.yaml` (initial entry had a password typo, corrected 2026-07-04 — re-read the vault value byte-for-byte). **[CRITICAL] root was intentionally PASSWORDLESS on this appliance** — TPSys's launcher `/home/tpsys/bin/go` escalates repeatedly via `su -c` with no tty, so *setting a root password broke every escalation* -> PostgreSQL/controller never start -> **X comes up empty (fvwm2 only, no TPSys UI).** **Resolved 2026-07-04:** `gpasswd -a tpsys wheel` + uncommented `auth sufficient .../pam_wheel.so trust use_uid` in `/etc/pam.d/su` (backup `su.bak-20260704`), restoring passwordless `su` while keeping a real root password; verified across a reboot (TPSys `mmi` came up). **Do NOT blank root, remove tpsys from wheel, or re-comment the trust line — the SMT line goes down.** Remote access: ACG RSA key `clients/dataforth/mydata-smt-ssh-key.sops.yaml` (FC3 OpenSSH 3.9 needs legacy `-o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o MACs=+hmac-sha1 -o Ciphers=+aes128-cbc`), or root pw. **GuruRMM agent CANNOT run on this box** — see Patterns below. |
|
||||
| **MYDATA TPSys SMT Controller** (`myserver`) | **192.168.1.1** (VLAN2, SSH-confirmed 2026-07-04) | MYDATA/Mycronic TPSys pick-and-place SMT production-line controller | Fedora Core 3 "Heidelberg" (Nov 2004), kernel 2.6.16.20, glibc ~2.3.5, bash 3.00, **LILO** bootloader, **SysV init** (no systemd) | **NEW, discovered 2026-07-04.** On VLAN 2 "mydata" (192.168.1.0/24). **[WARNING] The box's own IP 192.168.1.1 collides with the address recorded as the VLAN 2 gateway — reconcile: either this box IS the gateway/router for the SMT line, or there is an IP conflict with the UDM. Confirm before relying on either.** TPSys operator UI runs under X started from tpsys's autologin `.profile` -> `startx` on tty1 (default runlevel is **3**, not 5); local PostgreSQL backs TPSys. Accounts: `root`, `tpsys` (TPSys app user), `tpspool` (TPSys spool), `postgres`. **No credential existed prior to discovery** — root was RESET via physical-console LILO recovery, vaulted at `clients/dataforth/mydata-smt.sops.yaml` (initial entry had a password typo, corrected 2026-07-04 — re-read the vault value byte-for-byte). **[CRITICAL] root was intentionally PASSWORDLESS on this appliance** — TPSys's launcher `/home/tpsys/bin/go` escalates repeatedly via `su -c` with no tty, so *setting a root password broke every escalation* -> PostgreSQL/controller never start -> **X comes up empty (fvwm2 only, no TPSys UI).** **Resolved 2026-07-04:** `gpasswd -a tpsys wheel` + uncommented `auth sufficient .../pam_wheel.so trust use_uid` in `/etc/pam.d/su` (backup `su.bak-20260704`), restoring passwordless `su` while keeping a real root password; verified across a reboot (TPSys `mmi` came up). **Do NOT blank root, remove tpsys from wheel, or re-comment the trust line — the SMT line goes down.** Remote access: ACG RSA key `clients/dataforth/mydata-smt-ssh-key.sops.yaml` (FC3 OpenSSH 3.9 needs legacy `-o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o MACs=+hmac-sha1 -o Ciphers=+aes128-cbc`), or root pw. **DR backup (2026-07-04):** hybrid live image — partition table + MBR/LILO + raw `dd` of OS partitions (hda1/2/5/6) + `/home` tar + `pg_dumpall`, ~640 MB, SHA256-verified, with `README-RESTORE.md` runbook. Copies: **on-site** `D2TESTNAS:/root/dr-backups/mydata-tpsys/2026-07-04/`; **offsite** `AD1 C:\Shares\ITSvc\DR\mydata-tpsys\2026-07-04\` (inside AD1's MSP360 Files plan → B2 bucket `ACG-Dataforth`, nightly 2 AM). TODO: full offline 80 GB `dd`/Clonezilla image in a maintenance window; install a backup agent on D2TESTNAS so the on-site DR store self-protects to B2. **GuruRMM agent CANNOT run on this box** — see Patterns below. |
|
||||
|
||||
**Neptune Exchange (ACG infrastructure, physically at Dataforth D2):**
|
||||
- `neptune.acghosting.com` | internal `172.16.3.11` | external inbound `67.206.163.124` / outbound `67.206.163.122`
|
||||
|
||||
Reference in New Issue
Block a user