claudetools/session-logs/2026-04-06-session.md
2026-04-06 14:44:48 -07:00

# Session Log: 2026-04-06
## Session Summary
Mixed infrastructure session covering ScreenConnect redirect page, UniFi OS Server migration, and related networking changes.
### Work Completed
1. **ScreenConnect redirect page at azcomputerguru.com/sc**
   - Created PHP redirect at `/home/azcomputerguru/public_html/sc/index.php` on IX server
   - Initially tried .htaccess RewriteRule but Apache mangled `%2B` encoding in the RSA key
   - Switched to PHP `header()` redirect which preserves URL encoding exactly
   - Correct SC download URL: `https://computerguru.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&c=&c=&c=&c=&c=&c=&c=&c=DirectDownload`
   - Original attempt used wrong binary name (`ConnectWiseControl.ClientSetup.exe`) and included h/p/k params -- the correct URL from SC admin is simpler
2. **UniFi OS Server - Docker troubleshooting on Jupiter (abandoned)**
   - `unifi-os-server` Docker container on Jupiter (172.16.3.20) had "no internet" error on setup screen
   - Container actually had full internet -- all Ubiquiti endpoints reachable
   - Likely an application-level self-check issue
   - `unifi-controller-reborn` Docker was crash-looping due to missing symlink targets:
     - `logs` -> `/var/log/unifi` -> `/unifi/log` (didn't exist)
     - `run` -> `/var/run/unifi` -> `/unifi/run` (didn't exist)
     - Only `/unifi/var` was volume-mounted, not `/unifi/log` or `/unifi/run`
   - Created missing directories, MongoDB started, container went healthy
   - User ultimately removed Docker approach in favor of a dedicated VM
3. **UniFi OS Server - VM installation (172.16.3.29)**
   - New Rocky Linux 9.1 VM set up by user at 172.16.3.29
   - Hostname: `unifi.azcomputerguru.com`
   - Installed `podman` (5.6.0) and `slirp4netns` (1.3.3) via dnf
   - Downloaded UOS Server 5.0.6 installer (803MB) from Ubiquiti
   - Ran installer with `echo y | ./installer` (requires interactive confirmation)
   - Installer uses Podman internally to run a container as user `uosserver` (UID 1000)
   - Service: `uosserver.service` (systemd)
   - Web UI: https://172.16.3.29:11443/
4. **Firewall - Rocky Linux VM**
   - Opened all required UniFi ports in firewalld:
     - TCP: 11443, 8443, 8080, 8880, 8881, 8882, 8444, 6789, 5671, 5005, 9543, 11084
     - UDP: 3478, 10001, 1900, 5514, 10003
5. **pfSense NAT updates**
   - Checked existing NAT rules on pfSense (172.16.0.1:2248)
   - `Unifi_Server` alias was pointing to `172.16.3.28` (old Docker container IP)
   - User manually updated alias to `172.16.3.29` (new VM)
   - Existing port forwards on public IP 72.194.62.10: 8443/tcp, 3478/tcp+udp
   - NPM (172.16.3.20) handles HTTPS on 72.194.62.10:443 -> port 18443
6. **UniFi inform URL configuration**
   - Set `system_ip=unifi.azcomputerguru.com` in system.properties inside Podman container
   - Path: `/usr/lib/unifi/data/system.properties` (inside container)
   - Restarted uosserver service to apply
   - Devices will inform to: `http://unifi.azcomputerguru.com:8080/inform`
7. **NPM proxy host update**
   - User updated `unifi.azcomputerguru.com` proxy host in NPM to point to new VM
   - Port changed from 443 to 11443, scheme HTTPS
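The crash loop in item 2 came from symlink chains (`logs` -> `/var/log/unifi` -> `/unifi/log`) whose final directory was never mounted. The following is an added example, not code from the session or from the container image: it follows each chain to its end and creates the missing directory, so the same class of failure can be checked for and fixed before the container is started. Paths other than the ones listed above are constructed for the test.

```shell
# resolve_chain LINK
# Follow a symlink chain (absolute or relative targets) and print the final
# path, which may or may not exist. Capped at 16 hops to avoid loops.
resolve_chain() {
    p="$1"
    n=0
    while [ -L "$p" ] && [ "$n" -lt 16 ]; do
        t=$(readlink "$p")
        case "$t" in
            /*) p="$t" ;;                       # absolute target
            *)  p="$(dirname "$p")/$t" ;;       # relative to the link's directory
        esac
        n=$((n + 1))
    done
    printf '%s\n' "$p"
}

# fix_dangling_dir_links LINK...
# For each link, make sure the end of its chain exists as a directory
# (this is what /unifi/log and /unifi/run needed in the crash-looping container).
# Prints "created <path>" or "ok <path>" per link; returns 1 if a final target
# exists but is not a directory or cannot be created.
fix_dangling_dir_links() {
    rc=0
    for link in "$@"; do
        target=$(resolve_chain "$link")
        if [ -d "$target" ]; then
            echo "ok $target"
        elif [ -e "$target" ]; then
            echo "not a directory: $target" >&2
            rc=1
        else
            mkdir -p "$target" && echo "created $target" || rc=1
        fi
    done
    return "$rc"
}

# Inside the container the call would be:
#   fix_dangling_dir_links /usr/lib/unifi/logs /usr/lib/unifi/run
```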
### Key Decisions
- Abandoned Docker approach for UniFi OS on Jupiter -- too many symlink/volume issues
- Dedicated Rocky Linux 9.1 VM is cleaner for UOS Server
- UOS Server 5.0.6 uses Podman internally (not Docker) even on bare metal install
- Recommended bumping VM RAM from 8GB to 16GB before migrating ~300 devices
---
### Credentials
#### UniFi VM (172.16.3.29)
- SSH: root / Gptf*77ttb123!@#-unifi
- OS: Rocky Linux 9.1
- Hostname: unifi.azcomputerguru.com
#### IX Server (172.16.3.10)
- SSH: root / Gptf*77ttb!@#!@# (port 22)
- Requires sshpass or paramiko (no SSH key auth from this workstation)
#### pfSense (172.16.0.1)
- SSH: admin / r3tr0gradE99!! (port 2248)
- See vault: infrastructure/pfsense-firewall.sops.yaml
#### NPM (Nginx Proxy Manager)
- Host: 172.16.3.20:7818
- See vault/1Password for credentials
---
### Infrastructure & Servers
| Server | IP | Role | Notes |
|--------|-----|------|-------|
| IX Server | 172.16.3.10 | Web hosting (cPanel) | azcomputerguru.com WordPress |
| Jupiter | 172.16.3.20 | Unraid, NPM, Gitea | NPM on port 7818/18443 |
| UniFi VM | 172.16.3.29 | UniFi OS Server 5.0.6 | Rocky Linux 9.1, 8 vCPU, 7.4GB RAM |
| pfSense | 172.16.0.1 | Firewall/router | SSH port 2248 |
### DNS / Proxy
- `unifi.azcomputerguru.com` -> 72.194.62.10 (public) -> NPM -> 172.16.3.29:11443
- `azcomputerguru.com/sc/` -> PHP redirect to ScreenConnect installer
### Files Created/Modified
- `/home/azcomputerguru/public_html/sc/index.php` (IX server) -- SC redirect
- `/usr/lib/unifi/data/system.properties` (inside UOS Podman container) -- inform URL
- Firewalld rules on 172.16.3.29 -- all UniFi ports opened
- pfSense `Unifi_Server` alias updated from 172.16.3.28 to 172.16.3.29
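The `system.properties` edit for the inform hostname was done by hand inside the container. As an added example (not the project's or the session's own code), the function below sets a key in a Java-style properties file idempotently, replacing an existing or commented-out line rather than appending a duplicate, and the trailing comment shows how it would be applied inside the `uosserver` Podman container. Keys other than `system_ip` and the `set_property.sh` file name are assumptions for illustration.

```shell
# set_property FILE KEY VALUE
# Rewrite KEY=VALUE in place if a line for KEY exists (active or commented
# out), dropping further duplicates; otherwise append it. Creates FILE if absent.
set_property() {
    file="$1" key="$2" value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^[#[:space:]]*$key=" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[#[:space:]]*" k "=" { if (!done) { print k "=" v; done = 1 }; next }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY
# Print the value of the first active (uncommented) line for KEY.
get_property() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# On the VM, with this file saved as set_property.sh (assumed name), the edit
# recorded in the session log is applied as the uosserver user and then the
# service is restarted so the container picks up the new inform hostname:
#   su - uosserver -c "podman cp set_property.sh uosserver:/tmp/ && \
#     podman exec uosserver sh -c '. /tmp/set_property.sh; \
#     set_property /usr/lib/unifi/data/system.properties system_ip unifi.azcomputerguru.com'"
#   sudo systemctl restart uosserver
```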
---
### Pending/Incomplete Tasks
- [ ] Bump UniFi VM RAM from 8GB to 16GB (recommended for ~300 devices)
- [ ] Migrate from old UniFi Network controller to new UOS Server (backup + restore)
- [ ] Verify all pfSense port forwards are working correctly after alias change
- [ ] Consider adding port 11443 NAT rule on pfSense for external UOS web UI access
- [ ] Set up SSH key auth on IX server and UniFi VM for this workstation
- [ ] Note: captive portal port changed from 8843 (legacy) to 8444 (UOS Server)
### Port Reference - UniFi OS Server
| Port | Protocol | Purpose |
|------|----------|---------|
| 11443 | TCP | UOS Web UI (maps to 443 inside container) |
| 8443 | TCP | UniFi Application HTTPS |
| 8080 | TCP | Device inform |
| 8444 | TCP | Captive portal HTTPS (was 8843 on legacy) |
| 8880 | TCP | HTTP portal redirect |
| 3478 | UDP | STUN |
| 10001 | UDP | Device discovery |
| 1900 | UDP | L2 discovery |
| 5514 | UDP | Remote syslog |
### UOS Server Management Commands
```bash
sudo systemctl stop uosserver
sudo systemctl start uosserver
sudo systemctl restart uosserver
sudo systemctl status uosserver
# Container runs as user 'uosserver' via podman
su - uosserver -c "podman exec uosserver <command>"
```