# Dataforth — AOI / XP Optical-Tester VLAN + Backup Runbook

**Todo:** `37543f7f` · **Requested by:** Mike (relayed via Howard) · **Started:** 2026-06-01

**Goal:** Isolate the XP machine (which holds the AOI optical-inspection data) on its own VLAN, and give it — and only it — access to a new backup share on D2TESTNAS over SMB1.

---

## >>> ACTUAL OUTCOME (2026-06-01) — this overrides the planned specifics below <<<

The plan below was drafted around a hypothetical new "VLAN 50". **What was actually done:**

- **VLAN:** XP placed on the **existing VLAN 2 "mydata"** (the SMT line, `192.168.1.0/24`), not a new VLAN. Moved **D2-Breakroom switch port 12** to mydata. XP static IP **192.168.1.175**, gw/DNS 192.168.1.1.
- **Share:** `\\192.168.0.9\aoibackup` on D2TESTNAS — `valid users = admin` (password matches XP login), `hosts allow = 192.168.1.175`, `browseable = no`. **DEPLOYED + verified** (XP maps Z: r/w).
- **NAS hardening:** `test`/`datasheets`/`snapshots` shares now `hosts deny = 192.168.1.175`; rsync (873) already excludes the XP. The XP can touch ONLY `aoibackup` on the NAS.
- **Credentials in vault:** `clients/dataforth/d2testnas.sops.yaml → credentials.smb.aoi-user` (=`admin`) / `.aoi-password` / `.aoi-share`.
- **Firewall (UDM):** Per **Mike** — *"it's part of SMT, so it can see anything in SMT"* — NO intra-SMT restriction. **Optional pending:** block XP (.175) → company LAN 192.168.0.0/24 (except NAS) + Internet.
- D2TESTNAS confirmed **Debian 13 / Samba 4.22.6** (repurposed Netgear ReadyNAS).

Read the section below as background/reference only; the specifics above are the source of truth.

---

## The setup (as understood)

- **AOI machine** = Automated Optical Inspection unit. Photographs circuit boards for production defects. Not a PC — it writes image data to an **external drive attached to an XP machine**.
- **XP machine** = the actual target. Holds the AOI external drive. Windows XP → cannot do SMB2/3, must use **SMB1**.
- **Backup target** = a new, locked-down share on **D2TESTNAS** (192.168.0.9). Only the XP may reach it.

## Why D2TESTNAS (not a server)

D2TESTNAS already runs **SMB1 globally** for the 64 DOS 6.22 test stations (`server min protocol = CORE`, `ntlm auth = ntlmv1-permitted`). Pointing the XP box at it adds **zero new SMB1 surface**. Enabling SMB1 on AD1/AD2 (Server 2016/2022) would create fresh EternalBlue-class exposure on a domain controller — rejected.

Security note in the todo: "minimize SMB1 exposure — scope it to just the required server/share."

## Verified remotely (2026-06-01, before onsite)

| Item | Finding |
|---|---|
| D2TESTNAS OS | **Debian 13 (trixie)**, kernel 6.12, Samba **4.22.6**. (Wiki said CachyOS, vault said Netgear ReadyNAS — both stale. Was a Netgear, repurposed. Corrected.) |
| SMB1 | Already enabled globally (CORE..SMB3, NTLMv1 permitted, WINS on, workgroup `D2TESTING`). |
| Existing shares | `test`, `datasheets`, `snapshots` — all **guest/public, wide open**. New AOI share will be the opposite: authenticated + host-locked. |
| SMB accounts | **None** (DOS shares are guest). Will create a dedicated `aoi` user. |
| Disk | `/data` = 512 G, **71 G free (87 % full)**. ⚠ Confirm AOI data size + retention before bulk copy. |
| NAS host firewall | None restrictive (only Tailscale nft). Isolation enforced at **UDM**; Samba `hosts allow` is defense-in-depth. |
| UDM SSH | Password auth rejected (publickey + keyboard-interactive only; 2FA push on). `id_ed25519_udm` key not on Howard-Home → **UDM work is onsite via UniFi UI**, or add this machine's key first. |

---

## ONSITE — collect these first

1. **XP hostname**, current IP, and **MAC address** (`ipconfig /all` on the XP).
2. **Which switch + port** the XP is patched into (for the VLAN port profile).
3. **XP login username** (local or domain? has a password?) — needed for the scheduled-task run-as.
4. **AOI external drive letter + data path** (e.g. `E:\AOI_Data\...`), rough **size** and **growth rate**.
5. **Existing VLANs** — UniFi → Settings → Networks. Confirm proposed **VLAN 50 / 192.168.50.0/24** is free (known in use: default 192.168.0.0/24, Voice VLAN 100 = 192.168.100.0/24, unused UDM voice 192.168.1.0/24, OpenVPN 192.168.6.0/24).

---

## Step 1 — UDM: create the isolation VLAN (UniFi UI)

Settings → Networks → **New Virtual Network**:

- Name: `AOI-Isolated`
- VLAN ID: **50** (or next free)
- Gateway/Subnet: `192.168.50.1/24`
- DHCP: enable, but give the XP a **fixed IP** — either DHCP reservation by MAC or set the XP static to **192.168.50.10** (fixed IP keeps the firewall rule simple). Proposed: **192.168.50.10**.
- DNS: not required for backup-by-IP. Leave gateway default.
- **Do NOT use the simple "Isolate Network" toggle** — it's all-or-nothing and would also block the one flow we need. Use explicit firewall rules (Step 3) instead.

## Step 2 — UDM: assign the XP's switch port to VLAN 50

UniFi → switch → the XP's port → set **Native/Access VLAN = AOI-Isolated (50)**, tagged VLANs none. (Effectively an access port on VLAN 50.)

Confirm the AOI machine itself does NOT share this port / run through the XP's NIC — if the AOI unit is daisy-chained behind the XP, flag it before changing the port.

## Step 3 — UDM: firewall rules (order matters — allow before block)

Zone-based firewall (new UniFi OS) or LAN IN (classic). Source = `AOI-Isolated (VLAN 50)`:

1. **ALLOW** → dest host `192.168.0.9` → **TCP 445, TCP 139** → Accept *(XP maps by IP; Windows tries 445 then 139. Add UDP 137 only if name resolution is needed.)*
2. **DROP** → dest `192.168.0.0/24` (rest of LAN) → Drop
3. **DROP** → dest `192.168.100.0/24` (voice) and any other internal VLANs → Drop
4. **DROP** → Internet/WAN (an XP box should not reach the internet) → Drop *(If the AOI/XP needs NTP or a license server, add a narrow allow above this.)*

- Return traffic (established/related) is handled automatically by UniFi.
## Step 4 — D2TESTNAS: create the locked-down share

Run remotely (Claude can apply once XP IP is known) or onsite via SSH `root@192.168.0.9`. Substitute the XP's VLAN IP for `192.168.50.10`:

```bash
# 1. backup dir
mkdir -p /data/aoi-backup
chown root:root /data/aoi-backup
chmod 0770 /data/aoi-backup

# 2. dedicated samba user (NOT a Linux login shell)
useradd -M -s /usr/sbin/nologin aoi 2>/dev/null || true
smbpasswd -a aoi   # set a strong password -> store in vault clients/dataforth/d2testnas.sops.yaml
smbpasswd -e aoi

# 3. append share stanza to /etc/samba/smb.conf
cat >> /etc/samba/smb.conf <<'EOF'
[aoibackup]
   path = /data/aoi-backup
   comment = AOI Optical Tester Backup (XP only)
   browseable = no
   writable = yes
   guest ok = no
   public = no
   valid users = aoi
   force user = root
   force group = root
   create mask = 0660
   directory mask = 0770
   hosts allow = 192.168.50.10
   hosts deny = 0.0.0.0/0
EOF

# 4. validate + reload (testparm exits non-zero on a syntax error; check before reloading)
testparm -s
systemctl reload smbd
```

Notes:

- `browseable = no` hides the share; `valid users = aoi` + `hosts allow` = two independent gates.
- Global `ntlm auth = ntlmv1-permitted` already lets XP authenticate over SMB1 — no global change.
- Store the `aoi` password in vault: `clients/dataforth/d2testnas.sops.yaml → credentials.smb.aoi`.

## Step 5 — XP: map the drive + scheduled backup

XP has no robocopy. Use `net use` + `xcopy` (incremental via `/D`). On the XP:

```bat
net use Z: \\192.168.0.9\aoibackup /user:aoi /persistent:yes
xcopy "E:\AOI_Data\*" "Z:\" /D /E /C /I /H /R /Y
```

*(Replace `E:\AOI_Data` with the real AOI external-drive path. `/D` copies only newer files = incremental.)*

Schedule it (XP Task Scheduler or `schtasks`), e.g. daily off-shift:

```bat
REM /RU takes the XP run-as account collected onsite (ONSITE item 3); schtasks prompts for its password
schtasks /Create /TN "AOI Backup" /TR "C:\Scripts\aoi-backup.bat" /SC DAILY /ST 23:00 /RU
```

Put the two commands above in `C:\Scripts\aoi-backup.bat`.

## Step 6 — Verify

- From the XP: `net use` shows Z: connected; create a test file on Z:, confirm it lands in `/data/aoi-backup` on the NAS.
- From a **different** LAN host: confirm `\\192.168.0.9\aoibackup` is **denied** (host-locked).
- Confirm the XP **cannot** ping/reach other LAN hosts (e.g. `ping 192.168.0.27` fails) and has no internet.
- Run the scheduled task once manually; confirm files copy.

## Step 7 — Document

- Update `wiki/clients/dataforth.md`: add XP/AOI to workstation inventory, new VLAN 50 row, the `aoibackup` share, firewall ACL, and correct D2TESTNAS OS (Debian 13). Add Active Work + History entries.
- Correct the vault `os:` field on `clients/dataforth/d2testnas.sops.yaml` (Netgear ReadyNAS → Debian 13).
- Close todo `37543f7f`; update coord component `clients/dataforth`.

---

## Open questions for Mike / to resolve onsite

- AOI data **size + growth** vs. 71 G free — full mirror or incremental+retention? Prune policy?
- Is the **AOI unit networked separately**, or only ever via the XP's external drive? (Affects whether anything else needs VLAN 50 access.)
- Does the XP need **any** other LAN/internet flow to function (license, time, AOI vendor)? Default: none.
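An audit helper for the Step 4 share and the NAS-hardening line of the ACTUAL OUTCOME, added here as an example and not part of the runbook or of Samba: it parses an `smb.conf`, checks that `[aoibackup]` carries the host lock, deny-all, no-guest and non-browseable settings, and that the three guest shares deny the XP IP. The parser and the check list are assumptions of this example; the share names, the XP IP 192.168.1.175 and the required values come from the page, and the sample config is constructed, not the real file.

```python
# Added example: verify /etc/samba/smb.conf against the runbook's hardening.
import re

XP_IP = "192.168.1.175"
PUBLIC_SHARES = ("test", "datasheets", "snapshots")   # guest shares on the NAS
# Keys [aoibackup] must set explicitly, with the value the runbook requires.
REQUIRED = {"hosts allow": XP_IP, "hosts deny": "0.0.0.0/0",
            "guest ok": "no", "browseable": "no"}

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}, lower-cased keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # strip comments
        if m := re.match(r"\[(.+)\]$", line):
            section = m.group(1).strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            k, v = line.split("=", 1)
            conf[section][k.strip().lower()] = v.strip()
    return conf

def audit(conf):
    """Return findings; an empty list means the config matches the runbook."""
    s = conf.get("aoibackup", {})          # missing share -> every key fails
    findings = []
    for key, want in REQUIRED.items():
        if s.get(key, "").lower() != want:
            findings.append(f"aoibackup: {key} must be '{want}'")
    if not s.get("valid users"):
        findings.append("aoibackup: valid users must name the account")
    for name in PUBLIC_SHARES:   # the wide-open DOS shares must deny the XP
        deny = conf.get(name, {}).get("hosts deny", "").replace(",", " ").split()
        if XP_IP not in deny:
            findings.append(f"{name}: hosts deny must include {XP_IP}")
    return findings

# Constructed sample in the deployed shape (not a copy of the real smb.conf).
SAMPLE = """[test]
   guest ok = yes
   hosts deny = 192.168.1.175
[datasheets]
   hosts deny = 192.168.1.175
[snapshots]
   hosts deny = 192.168.1.175
[aoibackup]
   browseable = no
   guest ok = no
   valid users = admin
   hosts allow = 192.168.1.175
   hosts deny = 0.0.0.0/0
"""
```

Feed it the output of `testparm -s` (which prints the effective config) rather than the raw file when the stanza is spread across includes.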