# Session Log: 2026-03-20

## Session Summary

Continued work on azcomputerguru.com web properties. Three major accomplishments:

1. **Flarum community forum theme redesign** - Complete CSS rewrite for readability (v1 → v2)
2. **Matomo analytics setup** - Self-hosted analytics installed and tracking all 3 sites
3. **Cloudflare proxy re-enabled** - community, radio, and analytics subdomains back to orange cloud

## Work Completed

### 1. Flarum Forum Theme v2 (community.azcomputerguru.com)

**Problem:** The v1 theme had severe readability issues - dark text on dark backgrounds, discussion titles nearly invisible, overall muddy appearance.

**Root Cause:** Flarum's base CSS applies near-black heading colors (`rgb(17,17,17)`) and dark link colors meant for light themes. The v1 custom LESS used CSS variables (`var()`) and `!important` but Flarum's compiled CSS had higher specificity on key elements like `h2`, `.DiscussionListItem-main`.

**Solution:** Complete theme rewrite (v2) with:

- Replaced transparent navy overlays with **solid, layered gray surfaces** (GitHub Dark inspired)
- Color palette: `--g-base: #0d1117`, `--g-surface-1: #161b22`, `--g-surface-2: #1c2129`, etc.
- Text: `--g-text-primary: #e6edf3` (13.5:1 contrast ratio on surface-1)
- Added "Flarum Base Overrides" section targeting actual DOM elements (`h1-h6`, `.DiscussionListItem-main`, `.DiscussionListItem a`)
- Fixed sidebar spacing (reduced padding from 8px to 5px, separator margins from 8px to 5px)
- Added 10px left padding to sidebar nav items

- **Theme file:** `/home/guru/ClaudeTools/projects/community-forum/theme-v2.less`
- **Stored in:** Flarum DB `settings.custom_less`
- **Backup of v1:** `/tmp/theme-v1-backup.less` on IX server

**Key lesson:** Flarum's LESS compiler caches aggressively. To force recompile:

1. Delete `public/assets/forum.css` and `rev-manifest.json`
2. Clear `storage/cache/*`, `storage/less-cache/*`, `storage/framework/cache/*`
3. Run `php flarum cache:clear`
4. Hit the site from an external client to trigger lazy CSS compilation
5. Hard refresh browser (`Ctrl+Shift+R`)

### 2. Matomo Analytics (analytics.azcomputerguru.com)

**Installed:** Matomo 5.8.0 on IX server

**Setup steps:**

- DNS record for `analytics.azcomputerguru.com` was pointing to wrong IP (52.52.94.202) — updated to 72.194.62.5
- Matomo files extracted to `/home/azcomputerguru/public_html/analytics/`
- Had to create `.htaccess` file (not included in Matomo zip for hidden files)
- Had to fix directory permissions (`chmod 755` on analytics dir)
- Web installer completed: system check, database, tables, superuser, first website, tracking code

**Sites configured:**

| Site ID | Name | URL | Tracking Method |
|---------|------|-----|-----------------|
| 1 | AZ Computer Guru | https://azcomputerguru.com | WordPress mu-plugin (`wp-content/mu-plugins/matomo-tracking.php`) |
| 2 | Community Forum | https://community.azcomputerguru.com | Flarum `custom_header` DB setting (appended) |
| 3 | Radio Show | https://radio.azcomputerguru.com | PHP script injected tracking into 204 HTML files before `` |

**Cron job:** Added to `azcomputerguru` crontab:

```
*/5 * * * * /usr/local/bin/php /home/azcomputerguru/public_html/analytics/console core:archive --url=https://analytics.azcomputerguru.com > /dev/null 2>&1
```

### 3. Cloudflare Changes

**Re-enabled proxy (orange cloud) on:**

- `community.azcomputerguru.com` (record ID: `a1d406f701d30957784fdb1cb1662748`)
- `radio.azcomputerguru.com` (record ID: `a7b1605203f9a72e146d7b290e840c45`)
- `analytics.azcomputerguru.com` (record ID: `a3e71224ef035b97160de99a8fff9980`) — also fixed IP from 52.52.94.202 → 72.194.62.5

**API used:** DNS token `DRRGkHS33pxAUjQfRDzDeVPtt6wwUU6FwtXqOzNj`

- Token has DNS read/write only — cannot check/change SSL/TLS mode or WAF rules

### 4. Research Completed

**Google Analytics:** No GA tracking on any of the 3 sites. WordPress has Site Kit installed with Search Console connected but no GA4. Deferred to future session.

**AI Crawler Rules:** Cloudflare has "AI Crawl Control" feature (free plan). Requires:

1. Proxy enabled (done)
2. Dashboard: AI Crawl Control > Crawlers tab
3. Allow: ChatGPT-User, Claude-Web, Perplexity-User (referral traffic)
4. Optional: GPTBot, ClaudeBot, Google-Extended (training)
5. Our API token lacks WAF permissions — must do via dashboard

**Self-hosted analytics comparison:** Evaluated Umami vs Matomo. Chose Matomo because it's pure PHP+MySQL (runs natively on cPanel) vs Umami requiring Node.js + reverse proxy.

## Credentials

### Matomo Analytics (analytics.azcomputerguru.com)

- **Admin User:** MikeSwanson / Mat0mo2026!CGS
- **Admin Email:** mike@azcomputerguru.com
- **DB Host:** localhost (on IX server 172.16.3.10)
- **DB Name:** azcompu_matomo
- **DB User:** azcompu_matomo
- **DB Password:** Mat0mo2026!CGS

### Flarum Forum (community.azcomputerguru.com) — unchanged

- **DB:** azcompu_flarum / azcompu_flarum / Fl@rum2026!CGS
- **API Key:** 581b6c8c162a383ba87757f41b4381e9bf8db61d71bd578ee97fe32b7aeac046

### IX Server SSH (from CachyOS workstation)

- **Must use:** `sshpass -p $'Gptf*77ttb!@#!@#' ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no root@172.16.3.10`
- **Note:** `$'...'` quoting required for special chars in password — regular single quotes fail (exit code 5)

### Cloudflare

- **Zone ID:** 1beb9917c22b54be32e5215df2c227ce
- **DNS Token:** DRRGkHS33pxAUjQfRDzDeVPtt6wwUU6FwtXqOzNj (DNS read/write only)
- **NPM Token:** U1UTbBOWA4a69eWEBiqIbYh0etCGzrpTU4XaKp7w (broader, from Nginx Proxy Manager)

## Files Created/Modified

- `/home/guru/ClaudeTools/projects/community-forum/theme-v2.less` — new Flarum theme (created)
- IX: Flarum DB `settings.custom_less` — updated with theme v2
- IX: Flarum DB `settings.custom_header` — appended Matomo tracking (site ID 2)
- IX: `/home/azcomputerguru/public_html/analytics/` — Matomo installation (created)
- IX: `/home/azcomputerguru/public_html/analytics/.htaccess` — created for Apache
- IX: `/home/azcomputerguru/public_html/wp-content/mu-plugins/matomo-tracking.php` — WP tracking (created)
- IX: 204 HTML files in `/home/azcomputerguru/public_html/radio/` — Matomo tracking injected
- IX: `azcomputerguru` crontab — Matomo archive cron added
- `/home/guru/.claude/projects/-home-guru-ClaudeTools/memory/reference_matomo_analytics.md` — memory (created)
- `/home/guru/.claude/projects/-home-guru-ClaudeTools/memory/MEMORY.md` — updated index
- `/home/guru/ClaudeTools/credentials.md` — added Matomo section

## Pending/Incomplete Tasks

1. **Cloudflare SSL/TLS mode** — Verify it's "Full" or "Full (Strict)" in dashboard. Our API tokens can't check this.
2. **Cloudflare AI Crawl Control** — Configure in dashboard: allow ChatGPT-User, Claude-Web, Perplexity-User bots
3. **Google Analytics (GA4)** — Still needs setup. User deferred to future session. Need GA4 Measurement ID.
4. **WordPress Site Kit GA4** — Site Kit is installed on azcomputerguru.com with Search Console only. Can complete GA4 connection through Site Kit admin.
5. **Matomo API token** — Token came back empty during setup. May need to regenerate via Matomo admin panel.
6. **Radio site tracking durability** — HTML injection will be lost on next Astro rebuild/deploy. Should add to Astro layout component source instead.
7. **SSH key auth for IX** — Still using sshpass from CachyOS workstation. Should add ed25519 key.
8. **Broader Cloudflare API token** — Create one with WAF/Bot Management permissions for API-based AI crawler management.

---

## Update: 09:30 — VWP Infrastructure, Dataforth PBX, XenServer Migration Planning

### Session Summary

Major multi-client session: VWP infrastructure documentation, iDRAC console access, XenServer VM inventory, Dataforth phone system triage, and XenServer migration planning.

### 8. VWP Infrastructure Documentation

Updated credentials.md with VWP server details:

#### Citrix XenServer (PowerEdge R720)

- **Hypervisor:** XenServer 7.6.0
- **Hostname:** valleywide
- **Management IP:** 192.168.0.104 (DHCP, eth0)
- **MAC:** ec:f4:bb:d0:69:f8
- **Gateway:** 192.168.0.1
- **SSH:** root / r3tr0gradE99!
- **iDRAC IP:** 192.168.3.30
- **iDRAC MAC:** 78:45:C4:F1:CE:6E
- **iDRAC:** root / r3tr0gradE99#
- **Service Tag:** 52ZBVV1
- **iDRAC Firmware:** 2.60.60.60 (iDRAC 7)

#### QuickBooks Server (PowerEdge R640)

- **Hostname:** VWP-QBS.VWP.US
- **OS:** Windows Server 2022
- **iDRAC IP:** 192.168.3.189
- **iDRAC MAC:** 54:48:10:F2:A0:2E
- **iDRAC:** root / r3tr0gradE99#
- **Service Tag:** C84TTQ2
- **iDRAC Firmware:** 7.00.00.174 (iDRAC 9, HTML5 console works)

#### Hyper-V Server (PowerEdge R740)

- **Hostname:** VWP-HYPERV1
- **OS:** Windows Server 2025 Standard
- **IP:** 172.16.9.184
- **Domain:** VWP\VWP-HYPERV1
- **Specs:** 64 vCPUs (Xeon Platinum 8180M), 256GB RAM
- **Serial:** BN82FX2

### 9. iDRAC 7 Virtual Console Fix (192.168.3.30)

**Problem:** iDRAC 7 Java virtual console fails on modern systems, HTML5 console also fails.

**Steps taken via racadm over SSH:**

- Set `PluginType` from 1 (Java) to 2 (HTML5): `racadm set iDRAC.VirtualConsole.PluginType 2`
- Set TLS to 1.2 Only (was TLS 1.1+): `racadm set iDRAC.Webserver.TLSProtocol 2`
- Disabled console encryption: `racadm set iDRAC.VirtualConsole.EncryptEnable 0`
- Reset iDRAC: `racadm racreset soft`

**SSH command for iDRAC 7:**

```
sshpass -p 'r3tr0gradE99#' ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no -o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-rsa -o Ciphers=+aes128-cbc,aes256-cbc root@192.168.3.30
```

**Java 8 setup for legacy iDRAC (if needed):**

- Installed `jre8-openjdk`, `jre8-openjdk-headless`, `icedtea-web`
- Set as default: `sudo archlinux-java set java-8-openjdk/jre`
- Relaxed security in `/usr/lib/jvm/java-8-openjdk/jre/lib/security/java.security`:
  - `jdk.certpath.disabledAlgorithms=MD2`
  - `jdk.tls.disabledAlgorithms=SSLv3, NULL, anon`
  - Backup at `java.security.bak`

**Status:** HTML5 console still not working in Chrome (TLS cipher mismatch even with 1.2). Firefox with relaxed TLS profile also had issues. May need iDRAC firmware update to 2.65.65.65.

### 10. OpenVPN Setup for VWP

- **OVPN file:** `~/Downloads/OpenVPN-Server.ovpn`
- **Auth file:** `/etc/openvpn/vwp-auth.txt` (sysadmin / r3tr0gradE99#)
- **Connect command:** `sudo openvpn --config ~/Downloads/OpenVPN-Server.ovpn --auth-user-pass /etc/openvpn/vwp-auth.txt --group nobody --daemon vwp-vpn --log /tmp/vwp-vpn.log`
- **VPN IP:** 192.168.4.3
- **Routes:** 172.16.9.0/24, 192.168.0.0/24, 192.168.3.0/24
- **Remote:** 4.18.160.106:1194 TCP

**IMPORTANT: Tailscale and VWP VPN conflict** — Tailscale's policy routing (table 52) for `192.168.0.0/24` (Dataforth subnet via D2TESTNAS) overrides VPN routes to VWP's `192.168.0.0/24`. Must `sudo tailscale down` before using VWP VPN for `192.168.0.x` access.

### 11. XenServer SSH Access

**Problem:** SSH to `192.168.0.104` returned "Connection refused" even though sshd was running.

**Root causes (two):**

1. Tailscale routing `192.168.0.0/24` to Dataforth instead of VWP VPN
2. XenServer iptables `RH-Firewall-1-INPUT` chain blocking non-local SSH

**Fixes:**

1. `sudo tailscale down` (or `sudo ip rule add to 192.168.0.104/32 lookup main priority 100`)
2. On XenServer console: `iptables -I RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT`

**SSH command for XenServer:**

```
sshpass -p $'r3tr0gradE99!' ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no root@192.168.0.104
```

Note: Must use `$'...'` quoting for the `!` in the password.

### 12. XenServer VM Inventory

| VM | OS | IP | State | vCPUs | RAM | Disk | Notes |
|----|----|----|-------|-------|-----|------|-------|
| BACKUP-SRV | Server 2019 Datacenter | 192.168.0.22 | running | 2 | 15GB | 240GB (140+100) | Installed 2024-01-17 |
| server 2012 R2 | Server 2012 R2 Standard | 192.168.0.19 | running | 4 | 16GB | 200GB | Installed 2019-04-14 |
| server 2003 | Server 2003 Enterprise SP2 | 192.168.0.20 | running | 4 | 3GB | 130GB (30+100) | **G: drive - document storage - PRIORITY** |
| XP | Windows XP | (no IP reported) | running | 2 | 3GB | 40GB | No PV tools? |
| Windows 7 (32-bit) | Windows 7 | 192.168.0.40 | halted | 2 | 4GB | 80GB | Intentionally off |

**Storage:** Local LVM — 1.47TB used of 2.24TB (~820GB free)

**Server 2003 disk detail:**

- xvda: 30GB (OS/C: drive) — VDI `4c99e07d-72ad-46f2-bb54-8c1154dc6eb1`
- xvdb: 100GB (**G: drive documents**) — VDI `828ea0ff-04c7-4f7c-9e4d-baa9e15d72bd`

### 13. Server 2003 Snapshot (Document Protection)

**Snapshot created:** `server2003-backup-20260320`

- **UUID:** `866638f5-9c9c-bf24-8c05-393d904fcead`
- **Type:** Live snapshot (no downtime)
- **Covers:** Both disks (30GB OS + 100GB G: drive)
- **Purpose:** Protect document storage before weekend migration

### 14. Dataforth PBX Triage

**Issue:** Phones reported down again.

**Diagnosis:**

- Asterisk running, 30+ extensions registered
- FirstDigital SIP trunk showing "Unavailable" — but this is **normal** for their setup
- SIP is inbound-only, forwarded via UDM port forward to PBX on VLAN100
- PBX doesn't register outbound with FirstDigital
- The `ens224` interface (10.208.107.118/30) has no working gateway — `10.208.107.117` unreachable
- Test call to 520-741-1404 **worked** — transient FirstDigital issue

**PBX network:**

- Management: `192.168.100.196` (DHCP, was .2 before)
- SIP interface: `10.208.107.118/30` on ens224 (dead gateway)
- SIP transport: `0.0.0.0:5060` UDP

### 15. Matomo Tracking Issue (Cloudflare)

**Problem:** Matomo tracking code on community/radio sites returning 503 for `matomo.js`.

**Root cause:** Cloudflare proxy on `analytics.azcomputerguru.com` was blocking/challenging cross-origin requests. The origin SSL cert is expired (Apr 2025) causing Cloudflare-to-origin connection failures.

**Current state:** Analytics subdomain switched back to proxied. SSL/TLS mode needs to be set to "Full" (not "Full Strict") in Cloudflare dashboard — our API tokens lack permission.

**Workaround needed:** Either fix SSL cert via AutoSSL or set Cloudflare SSL mode via dashboard.

### Credentials (this session)

#### VWP OpenVPN

- **User:** sysadmin
- **Password:** r3tr0gradE99#
- **Auth file:** /etc/openvpn/vwp-auth.txt

#### VWP XenServer (192.168.0.104)

- **SSH:** root / r3tr0gradE99!
- **Note:** `$'...'` quoting required for `!`

#### VWP iDRAC - Citrix R720 (192.168.3.30)

- **SSH/Web:** root / r3tr0gradE99#
- **racadm SSH:** requires `-o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-rsa -o Ciphers=+aes128-cbc,aes256-cbc`

#### VWP iDRAC - QB R640 (192.168.3.189)

- **Web:** root / r3tr0gradE99#

#### Dataforth PBX (192.168.100.2)

- **SSH:** sangoma / Gptf*77ttb!@#!@#
- **sudo:** same password via `echo 'Gptf*77ttb!@#!@#' | sudo -S`

### Files Modified

- `/home/guru/ClaudeTools/credentials.md` — added VWP XenServer, QB server, Hyper-V details
- `/etc/openvpn/vwp-auth.txt` — VWP VPN credentials (created)
- `/usr/lib/jvm/java-8-openjdk/jre/lib/security/java.security` — relaxed TLS for iDRAC
- `/tmp/firefox-idrac/user.js` — Firefox profile with relaxed TLS

### Packages Installed

- `jre8-openjdk` + `jre8-openjdk-headless` — Java 8 for iDRAC
- `icedtea-web` — Java Web Start (javaws)

### Pending/Incomplete Tasks

1. **XenServer → Hyper-V migration** — Planned for weekend. All 5 VMs need to migrate to VWP-HYPERV1 (172.16.9.184). Server 2003 (G: drive) is priority. Snapshot taken as protection.
2. **Xen Orchestra** — Install web-based XenServer management (alternative to XenCenter for Linux)
3. **iDRAC 7 virtual console** — HTML5 not working despite config changes. May need firmware update to 2.65.65.65. Java fallback works but cumbersome.
4. **Cloudflare SSL/TLS mode** — Set to "Full" in dashboard for analytics.azcomputerguru.com
5. **Cloudflare AI Crawl Control** — Configure in dashboard
6. **Google Analytics (GA4)** — Deferred
7. **Matomo analytics tracking** — Working on main site, community needs Flarum cache clear + Cloudflare fix, radio needs SSL fix
8. **XenServer iptables persistence** — The SSH firewall rule added is not persistent across reboots
9. **PBX management IP changed** — Was 192.168.100.2, now .196 via DHCP. Should set static.
10. **Java 8 is now default JRE** — May need to switch back to Java 25 for other tasks: `sudo archlinux-java set java-25-openjdk`
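
The Tailscale/VWP VPN routing conflict from sections 10 and 11, modelled as an added example that is not part of the original log: it walks Linux policy-routing rules in priority order to show why table 52 wins for `192.168.0.104` and what the `priority 100` rule changes. The interface names (`tailscale0`, `tun0`, `eth0`), the table contents and the rule priorities 5270 and 32766 are assumptions constructed for the sketch.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    to: str = "0.0.0.0/0"  # "to" selector; the default matches every destination

# Constructed routing tables modelling the workstation (assumed interface names).
TABLES = {
    "52": {"192.168.0.0/24": "tailscale0"},  # Dataforth subnet route via D2TESTNAS
    "main": {"192.168.0.0/24": "tun0", "192.168.3.0/24": "tun0",
             "172.16.9.0/24": "tun0", "0.0.0.0/0": "eth0"},  # VWP VPN routes
}

# Assumed priorities: Tailscale's table-52 rule sorts ahead of the main-table rule.
BASE_RULES = [Rule(5270, "52"), Rule(32766, "main")]

def lookup(table, dst):
    """Longest-prefix match inside one table; None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in TABLES[table].items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def resolve(rules, dst):
    """Walk rules by ascending priority; the first table with a route wins."""
    addr = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr not in ipaddress.ip_network(rule.to):
            continue
        dev = lookup(rule.table, dst)
        if dev is not None:
            return rule.table, dev
    return None

def with_host_rule(rules, host, priority=100):
    """Model `ip rule add to <host>/32 lookup main priority <priority>`."""
    return rules + [Rule(priority, "main", f"{host}/32")]

if __name__ == "__main__":
    fixed = with_host_rule(BASE_RULES, "192.168.0.104")
    for dst in ("192.168.0.104", "192.168.0.20", "192.168.3.30"):
        print(dst, "before:", resolve(BASE_RULES, dst), "after:", resolve(fixed, dst))
```

The `/32` rule repairs only the XenServer host: other VWP addresses in `192.168.0.0/24`, such as the Server 2003 VM at `192.168.0.20`, still resolve through table 52 unless Tailscale is brought down.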