# Credentials & Authorization Reference

**Last Updated:** 2026-01-19
**Purpose:** Centralized credentials for Claude Code context recovery
**Project:** ClaudeTools MSP Work Tracking System

---

## Infrastructure - SSH Access

### GuruRMM Server (172.16.3.30)

- **Host:** 172.16.3.30
- **User:** guru
- **SSH Port:** 22
- **Role:** Production server hosting ClaudeTools database and API
- **Services:**
  - MariaDB 10.6.22 (Port 3306)
  - ClaudeTools API (Port 8001)
  - Nginx reverse proxy (Port 80/443)
- **Database:**
  - Database: claudetools
  - User: claudetools
  - Password: CT_e8fcd5a3952030a79ed6debae6c954ed
- **Notes:** Primary ClaudeTools infrastructure, systemd service auto-starts API

### Jupiter (Unraid Primary - 172.16.3.20)

- **Host:** 172.16.3.20
- **User:** root
- **SSH Port:** 22
- **Password:** Th1nk3r^99##
- **Role:** Primary container host, Gitea server
- **Services:**
  - Gitea (Port 3000, SSH 2222)
  - Docker containers
- **Notes:** Used for code repository management and version control

---

## Dataforth Infrastructure

### AD2 (Production Server - 192.168.0.6)

- **Host:** 192.168.0.6
- **Domain:** INTRANET
- **User:** INTRANET\sysadmin
- **Password:** Paper123!@#
- **OS:** Windows Server 2022
- **Local Path:** C:\Shares\test
- **Share Access:** \\192.168.0.6\C$ (admin share, requires credentials)
- **Role:** Production server for Dataforth DOS machines
- **Services:**
  - Active Directory Domain Controller
  - File Server (SMB3)
  - Scheduled sync task (Sync-FromNAS.ps1 every 15 min)
  - WinRM (PowerShell Remoting) on port 5985
  - OpenSSH Server on port 22
- **Network:** 192.168.0.0/24
- **Automation Access:**
  - **Service Account:** INTRANET\ClaudeTools-ReadOnly
  - **Service Password:** vG!UCAD>=#gIk}1A3=:{+DV3
  - **Service UPN:** ClaudeTools-ReadOnly@dataforth.local
  - **Permissions:** Read-only AD access, Remote Management Users group
  - **Scripts Location:** C:\ClaudeTools\Scripts\
  - **Logs Location:** C:\ClaudeTools\Logs\Transcripts\
- **SSH Key (sysadmin account):**
  - **Key Type:** ED25519
  - **Fingerprint:** SHA256:JsiEDAJ/fD19d6W7B5iuV78f8dLKZbLTrMor7b9CXSQ
  - **Public Key:** ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHpk0bdronDasfx5RYjky4N4xIeUJF5xIJdX08rb3+Ui sysadmin@AD2-automation
  - **Private Key Location:** C:\Users\sysadmin\.ssh\id_ed25519
- **WinRM Configuration:**
  - **TrustedHosts:** 172.16.*,192.168.*,10.* (LAN/VPN access)
  - **Listener:** HTTP on port 5985
  - **Transcript Logging:** Enabled (all remote sessions logged)
  - **Module Logging:** Enabled
  - **Script Block Logging:** Enabled
- **Connection Method (SMB Share):**
  ```powershell
  $pass = ConvertTo-SecureString 'Paper123!@#' -AsPlainText -Force
  $cred = New-Object System.Management.Automation.PSCredential('INTRANET\sysadmin', $pass)
  New-PSDrive -Name Z -PSProvider FileSystem -Root '\\192.168.0.6\C$' -Credential $cred
  # Access: Z:\Shares\test\
  ```
- **Connection Method (WinRM - Admin):**
  ```powershell
  $password = ConvertTo-SecureString 'Paper123!@#' -AsPlainText -Force
  $cred = New-Object System.Management.Automation.PSCredential('INTRANET\sysadmin', $password)
  Enter-PSSession -ComputerName 192.168.0.6 -Credential $cred
  ```
- **Connection Method (WinRM - Read-Only):**
  ```powershell
  $password = ConvertTo-SecureString 'vG!UCAD>=#gIk}1A3=:{+DV3' -AsPlainText -Force
  $cred = New-Object System.Management.Automation.PSCredential('INTRANET\ClaudeTools-ReadOnly', $password)
  Enter-PSSession -ComputerName 192.168.0.6 -Credential $cred
  ```
- **Connection Method (SSH):**
  ```bash
  ssh INTRANET\\sysadmin@192.168.0.6
  # Password: Paper123!@#
  # Or with key:
  ssh -i path/to/id_ed25519 INTRANET\\sysadmin@192.168.0.6
  ```
- **Software Update Locations:**
  - Common (all machines): C:\Shares\test\COMMON\ProdSW\ and C:\Shares\test\_COMMON\ProdSW\
  - Station-specific: C:\Shares\test\TS-XX\ProdSW\
  - System files: C:\Shares\test\COMMON\DOS\
- **Notes:**
  - SMB1 disabled for security (after crypto attack)
  - Sync mechanism moved from NAS to AD2 due to WINS crashes
  - Files sync to NAS within 15 minutes after placement
  - DOS machines pull from NAS (not directly from AD2)

### D2TESTNAS (SMB1 Proxy - 192.168.0.9)

- **Host:** 192.168.0.9
- **HTTP:** http://192.168.0.9/
- **User (Web):** admin
- **Password (Web):** Paper123!@#-nas
- **SSH User:** root
- **SSH Auth:** ed25519 key (passwordless)
- **Role:** SMB1 proxy/bridge for DOS 6.22 machines
- **OS:** Linux (NAS appliance)
- **Share:** \\D2TESTNAS\test (maps to /data/test)
- **Services:**
  - SMB1 server (for DOS machine compatibility)
  - SSH server (Port 22)
- **Notes:**
  - Bridges DOS machines (SMB1) with AD2 (SMB3)
  - Previous sync location (moved to AD2)
  - Network path: /data/test/

### Dataforth DOS Machines (TS-XX)

- **Network:** 192.168.0.0/24
- **OS:** MS-DOS 6.22
- **Count:** ~30 machines for QC testing
- **Naming:** TS-01 through TS-30
- **Network Share:** T: drive (maps to \\D2TESTNAS\test)
- **Machine Variable:** %MACHINE% (set in AUTOEXEC.BAT)
- **Backup Location:** T:\%MACHINE%\BACKUP\
- **Update Path:** T:\COMMON\
- **Credentials:** None (local DOS machines)
- **Notes:**
  - SMB1 protocol required
  - DOS 6.22 limitations: no %COMPUTERNAME%, no IF /I
  - Network stack: MS Client 3.0, Netware VLM client
  - Update workflow: AD2 → D2TESTNAS → DOS machines
  - Startup sequence: AUTOEXEC.BAT → STARTNET.BAT → MENUX.EXE
  - MENUX menu provides test module selection interface

### AD2-NAS Sync System

- **Script:** C:\Shares\test\scripts\Sync-FromNAS.ps1
- **Runs:** Every 15 minutes (Windows Scheduled Task)
- **User:** INTRANET\sysadmin
- **Direction:** Bidirectional
- **Tools:** PuTTY (plink.exe, pscp.exe)
- **Log:** C:\Shares\test\scripts\sync-from-nas.log
- **Status:** C:\Shares\test\_SYNC_STATUS.txt (monitored by DattoRMM)
- **Last Verified:** 2026-01-19 12:09 PM (running successfully)
- **PULL (NAS → AD2):**
  - Test results: /data/test/TS-XX/LOGS/*.DAT → C:\Shares\test\TS-XX\LOGS\
  - Reports: /data/test/TS-XX/Reports/*.TXT → C:\Shares\test\TS-XX\Reports\
  - Files deleted from NAS after successful sync
  - DAT files imported to database automatically
- **PUSH (AD2 → NAS):**
  - Common updates: C:\Shares\test\COMMON\ProdSW\ → /data/test/COMMON/ProdSW/
  - Station updates: C:\Shares\test\TS-XX\ProdSW\ → /data/test/TS-XX/ProdSW/
  - Root utility: C:\Shares\test\UPDATE.BAT → /data/test/UPDATE.BAT
  - One-shot tasks: C:\Shares\test\TS-XX\TODO.BAT → /data/test/TS-XX/TODO.BAT
- **Notes:**
  - Moved from NAS to AD2 in January 2026
  - Reason: WINS crashes and SSH lockups on NAS
  - NAS script (/root/sync-to-ad2.sh) is DEPRECATED

---

## Services - Web Applications

### Gitea (Git Server)

- **URL:** https://git.azcomputerguru.com/
- **Web Port:** 3000
- **SSH:** ssh://git@172.16.3.20:2222
- **Username:** azcomputerguru
- **Email:** mike@azcomputerguru.com
- **Password:** Gptf*77ttb123!@#-git
- **SSH Key:** claude-code (ed25519) - CONFIGURED AND WORKING
- **SSH Fingerprint:** SHA256:E+dhx8dYK+pWyqFUcAVAeJtaQEI3cOiIs7eac1w3Dnk
- **API Token:** (Generate via web UI as needed)
- **Repository:** azcomputerguru/ClaudeTools
- **Role:** Source code version control, project sync
- **Docker Container:** gitea (on Jupiter server)
- **Notes:**
  - Web login: azcomputerguru / Gptf*77ttb123!@#-git
  - SSH access: `ssh -T -p 2222 git@172.16.3.20` (verified working 2026-01-19)
  - Git remote: `ssh://git@172.16.3.20:2222/azcomputerguru/ClaudeTools.git`
  - Password reset: `docker exec -u git gitea gitea admin user change-password --username azcomputerguru --password 'NEW_PASSWORD'`
  - SSH key added: 2026-01-19 15:09 (claude-code)

### ClaudeTools API (Production)

- **URL:** http://172.16.3.30:8001
- **Docs:** http://172.16.3.30:8001/api/docs
- **Database:** 172.16.3.30:3306/claudetools
- **Auth:** JWT tokens (POST /api/auth/token)
- **Test User:**
  - Email: test@example.com
  - Password: testpassword123
- **Role:** Primary MSP work tracking API
- **Endpoints:** 95+ endpoints across 17 entities
- **Notes:** Systemd service, auto-starts on boot

---

## Projects - ClaudeTools

### Database (MariaDB)

- **Host:** 172.16.3.30
- **Port:** 3306
- **Database:** claudetools
- **User:** claudetools
- **Password:** CT_e8fcd5a3952030a79ed6debae6c954ed
- **Connection String:**
  ```
  mysql+pymysql://claudetools:CT_e8fcd5a3952030a79ed6debae6c954ed@172.16.3.30:3306/claudetools?charset=utf8mb4
  ```
- **Tables:** 38 tables (fully migrated)
- **Encryption:** AES-256-GCM for credentials table
- **Backup:** Daily automated backups

### API Authentication

- **Method:** JWT tokens
- **Password Hashing:** Argon2
- **Token Endpoint:** POST /api/auth/token
- **Token Format:** Bearer token in Authorization header
- **Example:**
  ```bash
  curl -X POST http://172.16.3.30:8001/api/auth/token \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "username=test@example.com&password=testpassword123"
  ```

### Encryption Keys

- **Method:** AES-256-GCM (Fernet)
- **Key Storage:** Environment variable ENCRYPTION_KEY
- **Usage:** Credentials table password encryption
- **Notes:** Never commit encryption key to git

---

## Projects - Dataforth DOS

### Update Workflow

- **Admin Deposits:** \\AD2\test\COMMON\ (on AD2)
- **Sync Mechanism:** AD2 scheduled task (location TBD)
- **DOS Pull:** T:\COMMON\ (from D2TESTNAS)
- **Backup Target:** T:\%MACHINE%\BACKUP\

### Key Files

- **UPDATE.BAT:** Machine backup utility (runs on DOS)
- **NWTOC.BAT:** Network to Computer updates
- **CTONW.BAT:** Computer to Network uploads
- **STAGE.BAT:** System file staging for reboot
- **REBOOT.BAT:** Auto-generated, applies staged updates
- **AUTOEXEC.BAT:** DOS startup, sets %MACHINE% variable
- **CONFIG.SYS:** DOS system configuration
- **STARTNET.BAT:** Network stack initialization

### Folder Structure

```
\\AD2\test\
├── COMMON\          # Shared updates for all machines
│   ├── DOS\         # System files (AUTOEXEC.NEW, CONFIG.NEW)
│   ├── ProdSW\      # Production software updates
│   └── NewSW\       # New software distributions
└── TS-XX\           # Individual machine folders
    └── Backup\      # Machine-specific backups
```

---

## Connection Testing

### Test Database Connection

```bash
mysql -h 172.16.3.30 -u claudetools -p claudetools
# Password: CT_e8fcd5a3952030a79ed6debae6c954ed
```

### Test API Connectivity

```bash
curl http://172.16.3.30:8001/api/health
```

### Test Gitea SSH

```bash
ssh -p 2222 git@172.16.3.20
# Should return: "Hi there! You've successfully authenticated..."
```

### Test AD2 Access (from Dataforth network)

```cmd
net use T: \\192.168.0.6\test /user:INTRANET\sysadmin Paper123!@#
```

### Test NAS Access (from Dataforth network)

```cmd
net use T: \\192.168.0.9\test
```

---

## Security Notes

- **Never commit this file to public repositories**
- **Credentials are stored unredacted for context recovery**
- **ClaudeTools encrypts credentials in database with AES-256-GCM**
- **JWT tokens expire after configured duration**
- **SSH keys required for Gitea access (ed25519)**
- **Dataforth network is isolated (192.168.0.0/24)**
- **AD2 has SMB1 disabled for security (post crypto-attack)**
- **All production credentials should be rotated regularly**

---

## VPN Access

### Peaceful Spirit VPN (L2TP/IPSec)

- **Server IP:** 98.190.129.150
- **Tunnel Type:** L2TP/IPSec
- **Pre-Shared Key (PSK):** z5zkNBds2V9eIkdey09Zm6Khil3DAZs8
- **Username:** pst-admin
- **Password:** 24Hearts$
- **Connection Name:** Peaceful Spirit VPN
- **Purpose:** Remote access to Peaceful Spirit Country Club network
- **Authentication:** MS-CHAPv2 with PSK
- **Split Tunneling:** Enabled (only CC traffic uses VPN)
- **Setup Script:** D:\ClaudeTools\Create-PeacefulSpiritVPN.ps1
- **Quick Setup:** D:\ClaudeTools\VPN_QUICK_SETUP.md

**Network Configuration (UniFi Router at CC):**

- **Remote Network:** 192.168.0.0/24
- **DNS Server:** 192.168.0.2
- **Gateway:** 192.168.0.10

**Complete Setup (Run as Administrator):**

```powershell
# Step 1: Create VPN connection with split tunneling
Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType L2tp -L2tpPsk "z5zkNBds2V9eIkdey09Zm6Khil3DAZs8" -AuthenticationMethod MsChapv2 -EncryptionLevel Required -AllUserConnection -RememberCredential -SplitTunneling $true

# Step 2: Add route for CC network (192.168.0.0/24)
Add-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -DestinationPrefix "192.168.0.0/24" -AllUserConnection

# Step 3: Configure DNS server
Set-DnsClientServerAddress -InterfaceAlias "Peaceful Spirit VPN" -ServerAddresses "192.168.0.2"

# Step 4: Save credentials for pre-login access
rasdial "Peaceful Spirit VPN" "pst-admin" "24Hearts$"
rasdial "Peaceful Spirit VPN" /disconnect

# Step 5: Enable pre-login VPN
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "UseRasCredentials" -Value 1 -Type DWord
```

**Quick Connect:**

```powershell
rasdial "Peaceful Spirit VPN"
```

**Disconnect:**

```powershell
rasdial "Peaceful Spirit VPN" /disconnect
```

---

## Context Recovery Usage

When a new Claude session starts or context is lost:

1. **Read this file first** - Get all credentials and infrastructure details
2. **Check session-logs/** - Find recent work and decisions
3. **Read SESSION_STATE.md** - Get project status and phase
4. **Read .claude/claude.md** - Get project overview

This ensures full context recovery without asking user for information already documented.