claudetools/credentials.md
Howard Enos 02e690c6bb Add Sombra Residential LLC client + Server2013 docs
- New clients/sombra-residential/CONTEXT.md (server stub, GuruRMM agent, EOL flag)
- credentials.md: pointer to vault for Administrator password
2026-04-30 14:27:30 -07:00


# Credentials & Authorization Reference
**Last Updated:** 2026-03-24
**Purpose:** Centralized credentials for Claude Code context recovery
**Project:** ClaudeTools MSP Work Tracking System
**Backend:** 1Password (vaults: Infrastructure, Clients, Projects, MSP Tools)
## How to Read Secrets
```bash
# Single field
op read "op://VaultName/ItemTitle/field_name"
# Full item
op item get "ItemTitle" --vault VaultName
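# With service account (no biometric): the variable must hold the token itself,
# not the op:// reference, so resolve it with op read
export OP_SERVICE_ACCOUNT_TOKEN="$(op read "op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential")"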
```
---
## Infrastructure - SSH Access
### GuruRMM Server (172.16.3.30)
- **Host:** 172.16.3.30
- **Hostname:** gururmm / gururmm-build
- **User:** op://Infrastructure/GuruRMM Server/username
- **SSH Password:** op://Infrastructure/GuruRMM Server/password
- **Sudo Password:** op://Infrastructure/GuruRMM Server/password
- **SSH Port:** 22
- **Role:** Production server hosting ClaudeTools database and API, GuruRMM system, cross-platform builds
- **Services:**
  - MariaDB 10.6.22 (Port 3306)
  - PostgreSQL 14 (Port 5432)
  - ClaudeTools API (Port 8001)
  - GuruRMM API (Port 3001)
  - Nginx reverse proxy (Port 80/443)
- **ClaudeTools Database:**
  - Database: claudetools
  - User: op://Infrastructure/GuruRMM Server/Databases.MariaDB User
  - Password: op://Infrastructure/GuruRMM Server/Databases.MariaDB Password
- **GuruRMM Database (PostgreSQL):**
  - Database: gururmm
  - User: op://Infrastructure/GuruRMM Server/Databases.PostgreSQL User
  - Password: op://Infrastructure/GuruRMM Server/Databases.PostgreSQL Password
  - Connection: postgres://[user]:[pass]@172.16.3.30:5432/gururmm
- **GuruRMM API Access:**
  - Base URL: http://172.16.3.30:3001
  - Production URL: https://rmm-api.azcomputerguru.com
  - Admin Email: op://Infrastructure/GuruRMM Server/GuruRMM API.Admin Email
  - Admin Password: op://Infrastructure/GuruRMM Server/GuruRMM API.Admin Password
  - JWT Secret: op://Infrastructure/GuruRMM Server/GuruRMM API.JWT Secret
- **OS:** Ubuntu 22.04 LTS
- **SSH Keys:** guru@wsl, guru@gururmm-build (ed25519)
### Jupiter (Unraid Primary - 172.16.3.20)
- **Host:** 172.16.3.20
- **User:** op://Infrastructure/Jupiter (Unraid Primary)/username
- **SSH Port:** 22
- **Password:** op://Infrastructure/Jupiter (Unraid Primary)/password
- **WebUI Password:** op://Infrastructure/Jupiter (Unraid Primary)/password
- **Role:** Primary container host, Gitea server, NPM, GuruRMM, Seafile
- **Services:**
  - Gitea (Port 3000, SSH 2222)
  - Docker containers
  - NPM (Nginx Proxy Manager) - Ports 1880 (HTTP), 18443 (HTTPS), 7818 (admin)
  - GuruRMM API (Port 3001)
  - Seafile Pro (Port 8082)
- **iDRAC (Dell Remote Management):**
  - IP: 172.16.1.73 (DHCP)
  - User: op://Infrastructure/Jupiter (Unraid Primary)/iDRAC.iDRAC User
  - Password: op://Infrastructure/Jupiter (Unraid Primary)/iDRAC.iDRAC Password
  - IPMI Key: op://Infrastructure/Jupiter (Unraid Primary)/iDRAC.IPMI Key
  - Web UI: https://172.16.1.73/
- **SSH Keys:** claude-code@localadmin (ed25519), root@GuruSync (ed25519), guru@wsl (ed25519), guru@gururmm-build (ed25519)
### IX Server (Hosting - 172.16.3.10)
- **Host:** ix.azcomputerguru.com
- **Internal IP:** 172.16.3.10
- **External IP:** 72.194.62.5
- **User:** op://Infrastructure/IX Server/username
- **SSH Port:** 22
- **Password:** op://Infrastructure/IX Server/password
- **OS:** Rocky Linux (WHM/cPanel)
- **Role:** Primary cPanel hosting server for client websites (80+ accounts)
- **Services:**
  - WHM (Web Host Manager) - Port 2087
  - cPanel - Port 2083
  - Apache/LiteSpeed web server
  - MariaDB (multiple client databases)
  - PHP-FPM
- **Access Methods:**
  - SSH (external): ssh root@ix.azcomputerguru.com
  - SSH (internal): ssh root@172.16.3.10
  - WHM: https://ix.azcomputerguru.com:2087
  - cPanel: https://ix.azcomputerguru.com:2083
- **VPN Required:** Yes (for external SSH access)
- **Hosted Sites:** 40+ WordPress sites
### WebSvr (Legacy Hosting - websvr.acghosting.com)
- **Host:** websvr.acghosting.com
- **External IP:** 162.248.93.81
- **User:** op://Infrastructure/WebSvr (Legacy Hosting)/username
- **SSH Port:** 22
- **Password:** op://Infrastructure/WebSvr (Legacy Hosting)/password
- **OS:** CentOS 7 (WHM/cPanel)
- **Role:** Legacy cPanel hosting server, DNS management for ACG Hosting domains
- **API Token:** op://Infrastructure/WebSvr (Legacy Hosting)/API.API Token
- **Status:** Active - DNS management, some legacy sites
### pfSense Firewall (172.16.0.1)
- **Host:** 172.16.0.1
- **SSH Port:** 2248
- **User:** op://Infrastructure/pfSense Firewall/username
- **Password:** op://Infrastructure/pfSense Firewall/password
- **OS:** FreeBSD (pfSense 2.8.1)
- **Role:** Primary network firewall, VPN gateway, Tailscale gateway
- **Services:**
  - Firewall rules
  - VPN server
  - Tailscale subnet router
  - DHCP server
- **Tailscale:**
  - Tailscale IP: 100.79.69.82 (pfsense-1) / 100.119.153.74 (pfsense-2)
  - Subnet Routes: 172.16.0.0/22
- **Web UI:** https://172.16.0.1
- **Status:** CRITICAL PRODUCTION - Network gateway
- **Network:**
  - LAN Subnet: 172.16.0.0/16
  - OpenVPN: 192.168.6.0/24
  - WAN (Fiber): 98.181.90.163/31
  - Public IPs: 72.194.62.2-10, 70.175.28.51-57
### Saturn - DECOMMISSIONED
- **Host:** formerly 172.16.3.21 (IP reused by Uranus 2026-04)
- **User:** op://Infrastructure/Saturn (DECOMMISSIONED)/username
- **Password:** op://Infrastructure/Saturn (DECOMMISSIONED)/password
- **OS:** Unraid 6.x
- **Status:** DECOMMISSIONED - Migration to Jupiter complete (Seafile migrated 2025-12-27)
### Uranus (Unraid Secondary - 172.16.3.21)
- **Host:** 172.16.3.21
- **Hostname:** Uranus
- **User:** root
- **Password:** `bash D:/vault/scripts/vault.sh get-field infrastructure/uranus-unraid.sops.yaml credentials.password`
- **OS:** Unraid 7.2.4 (kernel 6.12.54)
- **Hardware:** Dell PowerEdge R730xd
- **CPU:** Intel Xeon E5-2630 v3 @ 2.40GHz, 32 threads
- **RAM:** 7.7 GiB (LOW — upgrade planned before Windows build VM deploys)
- **Array:** 6+ x 12 TB + 16 TB drives (~75 TB raw)
- **Role:** Additional storage, Pavon Archive (SMB share `Storage`), future Windows build VM
- **History:** Formerly 'Pavon' server at 172.16.1.33 (client-side). Renamed and re-IP'd April 2026 when moved into ACG infrastructure.
- **OwnCloud integration:** external storage mount ID 6 on `cloud.acghosting.com` — SMB `Storage` share mounted as `/Archive` for user `pavon`.
### OwnCloud VM (172.16.3.22)
- **Host:** 172.16.3.22
- **Hostname:** cloud.acghosting.com
- **User:** op://Infrastructure/OwnCloud VM/username
- **Password:** op://Infrastructure/OwnCloud VM/password
- **OS:** Rocky Linux 9.6
- **Role:** OwnCloud file synchronization server
### VMware Workstation Pro (192.168.3.24)
- **Host:** 192.168.3.24
- **User:** op://Infrastructure/VMware Workstation/username
- **Password:** op://Infrastructure/VMware Workstation/password
### HP iLO (172.16.9.125)
- **Host:** 172.16.9.125
- **User:** op://Infrastructure/HP iLO/username
- **Password:** op://Infrastructure/HP iLO/password
---
## External/Client Servers
### GoDaddy VPS (208.109.235.224) - Grabb & Durando
- **Host:** 208.109.235.224
- **User:** root
- **Auth:** SSH key (id_ed25519)
- **OS:** CloudLinux 9.6
- **Status:** OFFLINE - migration complete
- **Database Credentials:** op://Clients/GoDaddy VPS - Grabb & Durando (OFFLINE)/Database.*
### Neptune Exchange Server (67.206.163.124)
- **Hostname:** neptune.acghosting.com
- **Public IP:** 67.206.163.124
- **Internal IP:** 172.16.3.11 (requires Dataforth VPN)
- **Admin User:** op://Clients/Neptune Exchange Server/username
- **Admin Password:** op://Clients/Neptune Exchange Server/password
- **Exchange Version:** Exchange Server 2016
- **OWA URL:** https://neptune.acghosting.com/owa/
- **Status:** Active
- **Notes:** Requires VPN access (OpenVPN to Dataforth network)
---
## Dataforth Infrastructure
### ESXi Host (192.168.0.122)
- **Host:** 192.168.0.122
- **User:** op://Clients/Dataforth ESXi 122/username
- **Password:** op://Clients/Dataforth ESXi 122/password
- **Web UI:** https://192.168.0.122
- **SSH User:** op://Clients/Dataforth ESXi 122/SSH.SSH User
- **SSH Password:** op://Clients/Dataforth ESXi 122/SSH.SSH Password
- **VMs:** AD1, AD2, FILES-D1, PBX
### ESXi Host (192.168.0.124)
- **Host:** 192.168.0.124
- **User:** op://Clients/Dataforth ESXi 124/username
- **Password:** op://Clients/Dataforth ESXi 124/password
### PBX (192.168.100.2)
- **Host:** 192.168.100.2
- **Hostname:** pbx.intranet.dataforth.com
- **User:** op://Clients/Dataforth PBX/username
- **Password:** op://Clients/Dataforth PBX/password
- **OS:** Debian 12 (Sangoma FreePBX 17)
- **Network:** VLAN100 (192.168.100.0/24)
- **SIP Trunk:** FirstDigital (66.7.123.215, PJSIP)
- **Extensions:** 201-343 range (~35 endpoints)
### AD2 (Production Server - 192.168.0.6)
- **Host:** 192.168.0.6
- **Hostname:** AD2.intranet.dataforth.com
- **Domain:** INTRANET
- **User:** op://Clients/Dataforth AD2/username
- **Password:** op://Clients/Dataforth AD2/password
- **OS:** Windows Server 2022
- **Role:** Production server, Secondary Domain Controller
- **Service Account:**
  - User: op://Clients/Dataforth AD2/Service Account.Service User
  - Password: op://Clients/Dataforth AD2/Service Account.Service Password
  - UPN: ClaudeTools-ReadOnly@dataforth.local
- **Notes:** SMB1 disabled for security (after crypto attack). WinRM port 5985, SSH port 22.
### AD1 (Primary Domain Controller - 192.168.0.27)
- **IP:** 192.168.0.27
- **Hostname:** AD1.intranet.dataforth.com
- **User:** op://Clients/Dataforth AD1/username
- **Password:** op://Clients/Dataforth AD1/password
- **Role:** Primary DC, NPS/RADIUS server
- **NPS Ports:** 1812/1813 (auth/accounting)
### D2TESTNAS (SMB1 Proxy - 192.168.0.9)
- **Host:** 192.168.0.9
- **SSH User:** op://Clients/Dataforth D2TESTNAS/username
- **SSH Password:** op://Clients/Dataforth D2TESTNAS/password
- **Web User:** op://Clients/Dataforth D2TESTNAS/Web.Web User
- **Web Password:** op://Clients/Dataforth D2TESTNAS/Web.Web Password
- **Engineer Access:** op://Clients/Dataforth D2TESTNAS/SMB.Engineer User / op://Clients/Dataforth D2TESTNAS/SMB.Engineer Password
- **Role:** SMB1 proxy/bridge for DOS 6.22 machines
- **Shares:** \\D2TESTNAS\test (T:), \\D2TESTNAS\datasheets (X:)
### Dataforth DOS Machines (TS-XX)
- **Network:** 192.168.0.0/24
- **OS:** MS-DOS 6.22
- **Count:** ~30 machines for QC testing
- **Credentials:** None (local DOS machines, NULL SMB passwords)
- **Network Drives:** T: = \\D2TESTNAS\test, X: = \\D2TESTNAS\datasheets
### UDM (UniFi Dream Machine - 192.168.0.254)
- **IP:** 192.168.0.254
- **SSH User:** op://Clients/Dataforth UDM/username
- **SSH Password:** op://Clients/Dataforth UDM/password
- **Web User:** op://Clients/Dataforth UDM/Web.Web User
- **Web Password:** op://Clients/Dataforth UDM/Web.Web Password
- **Notes:** 2FA push enabled. OpenVPN 192.168.6.0/24.
---
## Services - Web Applications
### Gitea (Git Server)
- **URL:** https://git.azcomputerguru.com/
- **SSH:** ssh://git@172.16.3.20:2222
- **Username:** op://Infrastructure/Gitea/username
- **Password:** op://Infrastructure/Gitea/password
- **API Token:** op://Infrastructure/Gitea/API.API Token
- **Repository:** azcomputerguru/ClaudeTools, azcomputerguru/claude-projects
### NPM (Nginx Proxy Manager)
- **Admin URL:** http://172.16.3.20:7818
- **User:** op://Infrastructure/NPM (Nginx Proxy Manager)/username
- **Password:** op://Infrastructure/NPM (Nginx Proxy Manager)/password
- **Cloudflare API Token:** op://Infrastructure/NPM (Nginx Proxy Manager)/Cloudflare.Cloudflare API Token
- **Proxy Hosts:**
  - emby.azcomputerguru.com -> 172.16.2.99:8096
  - git.azcomputerguru.com -> 172.16.3.20:3000
  - plexrequest.azcomputerguru.com -> 172.16.3.31:5055
  - rmm-api.azcomputerguru.com -> 172.16.3.20:3001
  - unifi.azcomputerguru.com -> 172.16.3.28:8443
  - sync.azcomputerguru.com -> 172.16.3.20:8082
### ClaudeTools API (Production)
- **URL:** http://172.16.3.30:8001
- **Docs:** http://172.16.3.30:8001/api/docs
- **Database:** op://Projects/ClaudeTools Database/*
- **Auth:** JWT tokens (POST /api/auth/token)
- **JWT Secret:** op://Projects/ClaudeTools API Auth/credential
- **Test User:** op://Projects/ClaudeTools API Auth/Test Email / op://Projects/ClaudeTools API Auth/Test Password
### Seafile Pro (File Sync)
- **URL:** https://sync.azcomputerguru.com
- **Username:** op://Infrastructure/Seafile Pro/username
- **Password:** op://Infrastructure/Seafile Pro/password
- **Database:** op://Infrastructure/Seafile Pro/Database.*
- **Microsoft Graph API:** op://Infrastructure/Seafile Pro/Microsoft Graph.*
- **Storage:** 11.8TB
### Cloudflare
- **API Token (Full DNS):** op://Infrastructure/Cloudflare/API Token Full DNS
- **API Token (Legacy):** op://Infrastructure/Cloudflare/API Token Legacy
- **Domain:** azcomputerguru.com
### Matomo Analytics
- **URL:** https://analytics.azcomputerguru.com
- **Username:** op://Infrastructure/Matomo Analytics/username
- **Password:** op://Infrastructure/Matomo Analytics/password
- **Database:** op://Infrastructure/Matomo Analytics/Database.*
- **Site IDs:** 1=azcomputerguru.com, 2=community forum, 3=radio show
---
## Projects - ClaudeTools
### Database (MariaDB)
- **Host:** 172.16.3.30
- **Port:** 3306
- **Database:** claudetools
- **User:** op://Projects/ClaudeTools Database/username
- **Password:** op://Projects/ClaudeTools Database/password
- **Connection String:** op://Projects/ClaudeTools Database/Connection String
- **Tables:** 38 tables (fully migrated)
- **Encryption:** AES-256-GCM for credentials table
### Encryption Keys
- **Method:** AES-256-GCM (Fernet)
- **Key:** op://Projects/ClaudeTools Encryption Key/credential
- **Key Storage:** Environment variable ENCRYPTION_KEY
- **Warning:** DO NOT COMMIT TO GIT
### API Authentication
- **Method:** JWT tokens
- **JWT Secret:** op://Projects/ClaudeTools API Auth/credential
- **Token Endpoint:** POST /api/auth/token
- **Test User:** op://Projects/ClaudeTools API Auth/Test Email
- **Test Password:** op://Projects/ClaudeTools API Auth/Test Password
---
## Projects - GuruRMM
### Dashboard/API Login
- **URL:** https://rmm.azcomputerguru.com
- **Email:** op://Projects/GuruRMM Dashboard/username
- **Password:** op://Projects/GuruRMM Dashboard/password
### Database (PostgreSQL)
- **Host:** 172.16.3.30
- **Port:** 5432
- **Database:** gururmm
- **User:** op://Projects/GuruRMM Database/username
- **Password:** op://Projects/GuruRMM Database/password
- **Connection:** op://Projects/GuruRMM Database/Connection String
### API Server
- **External URL:** https://rmm-api.azcomputerguru.com
- **Internal URL:** http://172.16.3.30:3001
- **JWT Secret:** op://Projects/GuruRMM API Server/credential
### Microsoft Entra ID (SSO)
- **App ID:** op://Projects/GuruRMM Entra SSO/App Registration.App ID
- **Client Secret:** op://Projects/GuruRMM Entra SSO/App Registration.Client Secret
- **Secret Expires:** 2026-12-21
- **Redirect URIs:** https://rmm.azcomputerguru.com/auth/callback, http://localhost:5173/auth/callback
### CI/CD (Build Automation)
- **Webhook URL:** http://172.16.3.30/webhook/build
- **Webhook Secret:** op://Projects/GuruRMM CI-CD/credential
- **Build Script:** /opt/gururmm/build-agents.sh
- **Deploy Path:** /var/www/gururmm/downloads/
### Clients & Sites
#### Glaztech Industries (GLAZ)
- **Site Code:** DARK-GROVE-7839
- **API Key:** op://Projects/GuruRMM Glaztech Site/credential
#### AZ Computer Guru (Internal)
- **Site Code:** SWIFT-CLOUD-6910
---
## Projects - GuruConnect
### Database (PostgreSQL)
- **Host:** localhost (172.16.3.30)
- **Port:** 5432
- **Database:** guruconnect
- **User:** op://Projects/GuruConnect Database/username
- **Password:** op://Projects/GuruConnect Database/password
- **DATABASE_URL:** op://Projects/GuruConnect Database/DATABASE_URL
---
## Client - MVAN Inc
### Microsoft 365 Tenant 1
- **Tenant:** mvan.onmicrosoft.com
- **Admin User:** op://Clients/MVAN M365/username
- **Password:** op://Clients/MVAN M365/password
---
## Client - BG Builders LLC
### Microsoft 365 Tenant
- **Tenant ID:** ededa4fb-f6eb-4398-851d-5eb3e11fab27
- **onmicrosoft.com:** sonorangreenllc.onmicrosoft.com
- **Admin User:** op://Clients/BG Builders M365/username
- **Password:** op://Clients/BG Builders M365/password
- **Cloudflare Zone ID:** op://Clients/BG Builders M365/Cloudflare Zone ID
- **Licenses:** 8x Business Standard, 4x Exchange Online Plan 1, 1x Basic
### Email Security (Configured 2025-12-19)
| Record | Status | Details |
|--------|--------|---------|
| SPF | OK | `v=spf1 include:spf.protection.outlook.com -all` |
| DMARC | OK | `v=DMARC1; p=reject; rua=mailto:sysadmin@bgbuildersllc.com` |
| DKIM | OK | selector1/selector2 CNAMEs configured |
| MX | OK | bgbuildersllc-com.mail.protection.outlook.com |
---
## Client - CW Concrete LLC
### Microsoft 365 Tenant
- **Tenant ID:** dfee2224-93cd-4291-9b09-6c6ce9bb8711
- **Default Domain:** NETORGFT11452752.onmicrosoft.com
- **Notes:** De-federated from GoDaddy 2025-12
---
## Client - Dataforth
### Microsoft 365
- **Tenant ID:** 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
- **Admin:** op://Clients/Dataforth M365/username / op://Clients/Dataforth M365/password
- **Entra App (Claude-Code-M365):**
  - App ID: op://Clients/Dataforth M365/Entra App.App ID
  - Client Secret: op://Clients/Dataforth M365/Entra App.Client Secret
  - Expires: 2027-12-22
### NPS RADIUS Configuration
- **Server:** 192.168.0.27 (AD1)
- **Port:** 1812/UDP (auth), 1813/UDP (accounting)
- **Shared Secret:** op://Clients/Dataforth M365/NPS RADIUS.Shared Secret
- **RADIUS Client:** unifi (192.168.0.254)
---
## Client - Valley Wide Plastering (VWP)
### UDM
- **IP:** 172.16.9.1
- **User:** op://Clients/VWP UDM/username
- **Password:** op://Clients/VWP UDM/password
### VWP-DC1
- **IP:** 172.16.9.2
- **Hostname:** VWP-DC1.VWP.US
- **User:** op://Clients/VWP DC1/username
- **Password:** op://Clients/VWP DC1/password
- **NPS RADIUS Shared Secret:** op://Clients/VWP DC1/NPS.Shared Secret
### Citrix XenServer
- **Management IP:** 192.168.0.104
- **User:** op://Clients/VWP XenServer/username
- **Password:** op://Clients/VWP XenServer/password
- **iDRAC IP:** 192.168.3.30
- **iDRAC User/Pass:** op://Clients/VWP XenServer/iDRAC.*
### QuickBooks Server iDRAC
- **iDRAC IP:** 192.168.3.189
- **User:** op://Clients/VWP QuickBooks Server iDRAC/username
- **Password:** op://Clients/VWP QuickBooks Server iDRAC/password
---
## Client - Khalsa
### UCG
- **IP:** 172.16.50.1
- **User:** op://Clients/Khalsa UCG/username
- **Password:** op://Clients/Khalsa UCG/password
### Switch
- **User:** op://Clients/Khalsa Switch/username
- **Password:** op://Clients/Khalsa Switch/password
### Accountant Machine (172.16.50.168)
- **User:** op://Clients/Khalsa Accountant Machine/username
- **Password:** op://Clients/Khalsa Accountant Machine/password
- **Local Admin:** op://Clients/Khalsa Accountant Machine/Local Admin User / op://Clients/Khalsa Accountant Machine/Local Admin Password
---
## Client - Scileppi Law Firm
### RS2212+ (Primary NAS)
- **IP:** 172.16.1.59
- **User:** op://Clients/Scileppi RS2212+/username
- **Password:** op://Clients/Scileppi RS2212+/password
- **Storage:** 25TB total, 6.9TB used
- **User Accounts:** op://Clients/Scileppi RS2212+/Users.*
### DS214se / Unraid (POWERED OFF)
- Credentials in op://Clients/Scileppi DS214se (POWERED OFF)/* and op://Clients/Scileppi Unraid (POWERED OFF)/*
---
## Client - heieck.org
### Microsoft 365 Migration
- **Tenant:** heieckorg.onmicrosoft.com
- **Mailbox passwords:** op://Clients/heieck.org M365/*
---
## Client - Sombra Residential LLC
### Server2013 (primary server)
- **Hostname:** Server2013
- **OS:** Windows Server 2012 (build 9200) — name is just a label; **EOL 2023-10-10**
- **Remote access:** ScreenConnect (ACG SC instance)
- **Administrator password:** SOPS `clients/sombra-residential/server2013.sops.yaml` (field `credentials.password`)
- **sysadmin password:** TBD — pending capture
- **GuruRMM:** Sombra Residential LLC / main office, agent `5383e9c1-56e1-4389-9c89-1991a77bbc3a`
- **Full context:** `clients/sombra-residential/CONTEXT.md`
---
## MSP Tools
### Syncro (PSA/RMM)
- **API Base URL:** https://computerguru.syncromsp.com/api/v1
- **API Key:** op://MSP Tools/Syncro/credential
### Autotask (PSA)
- **API Zone:** webservices5.autotask.net
- **API Username:** op://MSP Tools/Autotask/API Username
- **API Password:** op://MSP Tools/Autotask/API Password
- **Integration Code:** op://MSP Tools/Autotask/credential
### CIPP (M365 Management)
- **URL:** https://cippcanvb.azurewebsites.net
- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d
- **App ID:** op://MSP Tools/CIPP/OAuth.App ID
- **Client Secret:** op://MSP Tools/CIPP/OAuth.Client Secret
- **Scope:** op://MSP Tools/CIPP/OAuth.Scope
### Claude-MSP-Access (Multi-Tenant Graph API)
- **Tenant ID:** ce61461e-81a0-4c84-bb4a-7b354a9a356d
- **App ID:** op://MSP Tools/Claude-MSP-Access (Graph API)/App ID
- **Client Secret:** op://MSP Tools/Claude-MSP-Access (Graph API)/credential
### ACG-MSP-Access (Google Workspace)
- **Service Account:** op://MSP Tools/ACG-MSP-Access (Google Workspace)/Service Account Email
- **Key File:** temp/acg-msp-access-8f72339997e5.json
- **Onboarded Tenants:** lonestarelectrical.net
---
## VPN Access
### Peaceful Spirit VPN (L2TP/IPSec)
- **Server IP:** 98.190.129.150
- **Username:** op://Clients/Peaceful Spirit VPN/username
- **Password:** op://Clients/Peaceful Spirit VPN/password
- **Pre-Shared Key:** op://Clients/Peaceful Spirit VPN/VPN.Pre-Shared Key
- **Remote Network:** 192.168.0.0/24
---
## Tailscale Network
| Tailscale IP | Hostname | Owner | OS | Notes |
|--------------|----------|-------|-----|-------|
| 100.79.69.82 | pfsense-1 | mike@ | freebsd | Gateway |
| 100.125.36.6 | acg-m-l5090 | mike@ | windows | Workstation |
| 100.92.230.111 | acg-tech-01l | mike@ | windows | Tech laptop |
| 100.96.135.117 | acg-tech-02l | mike@ | windows | Tech laptop |
| 100.113.45.7 | acg-tech03l | howard@ | windows | Tech laptop |
| 100.77.166.22 | desktop-hjfjtep | mike@ | windows | Desktop |
| 100.101.145.100 | guru-legion9 | mike@ | windows | Laptop |
| 100.119.194.51 | guru-surface8 | howard@ | windows | Surface |
| 100.66.103.110 | magus-desktop | rob@ | windows | Desktop |
| 100.66.167.120 | magus-pc | rob@ | windows | Workstation |
---
## SSH Public Keys
### guru@wsl (Windows/WSL)
- **Key Type:** ssh-ed25519
- **Public Key:** AAAAC3NzaC1lZDI1NTE5AAAAIAWY+SdqMHJP5JOe3qpWENQZhXJA4tzI2d7ZVNAwA/1u guru@wsl
- **Sudo Password:** op://Infrastructure/GuruRMM Server/password (same as SSH)
- **Authorized on:** GuruRMM build server, IX server, Jupiter, Saturn
### azcomputerguru@local (Mac)
- **Key Type:** ssh-ed25519
- **Public Key:** ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDrGbr4EwvQ4P3ZtyZW3ZKkuDQOMbqyAQUul2+JE4K4S azcomputerguru@local
- **Authorized on:** GuruRMM build server, IX server, AD2, D2TESTNAS
### claude-code@localadmin (Windows)
- **Key Type:** ssh-ed25519
- **Public Key:** ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABnQjolTxDtfqOwdDjamK1oyFPiQnaNT/tAgsIHH1Zo
- **Authorized on:** pfSense
---
## 1Password Service Account
- **Item:** op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential
- **Vaults Accessible:** Infrastructure, Clients, Projects, MSP Tools (Read & Write)
- **Usage:** Set OP_SERVICE_ACCOUNT_TOKEN env var for non-interactive CLI access
---
## Context Recovery Usage
When a new Claude session starts or context is lost:
1. **Read this file first** - Get all infrastructure details and op:// paths
2. **Use `op read`** to fetch actual credentials as needed
3. **Check session-logs/** - Find recent work and decisions
4. **Read SESSION_STATE.md** - Get project status and phase

**Quick credential fetch:**
```bash
# Set service account token first
export OP_SERVICE_ACCOUNT_TOKEN=$(op read "op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential")
# Then read any credential
op read "op://Infrastructure/IX Server/password"
op read "op://Projects/ClaudeTools Database/password"
op read "op://Clients/Dataforth AD2/password"
```
---
## Security Notes
- **Secrets are stored in 1Password** - op:// references are safe to commit to private repos
- **Never commit resolved .env files** - only .env.tpl with op:// references
- **ClaudeTools encrypts credentials in database with AES-256-GCM**
- **Service account token** should be set as environment variable, not committed
- **Rotate on exposure** - update in 1Password, re-inject everywhere
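
The rule "only .env.tpl with op:// references" can be checked mechanically before a commit. The script below is an added example, not part of the ClaudeTools repository; the function names, the list of sensitive key-name patterns and the sample file contents are assumptions made for illustration.

```bash
#!/bin/sh
# Added example, not part of the ClaudeTools repository.
# Enforces the rule above: commit .env.tpl files whose secrets are op://
# references, never a resolved .env file.
# Assumption: a key is sensitive if its name contains one of the words below.

# check_env_template FILE
# Prints "FILE:LINE:KEY" (never the value) for each sensitive key whose value
# is not an op://vault/item/field reference.
# Returns 0 if clean, 1 on findings, 2 if FILE is unreadable.
check_env_template() {
    file=$1; lineno=0; bad=0
    [ -r "$file" ] || { printf '%s: unreadable\n' "$file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line#export }
        case $line in
            ''|'#'*) continue ;;   # blank line or comment
            *=*) ;;                # KEY=VALUE assignment
            *) continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        # Drop one pair of surrounding double or single quotes.
        value=${value#\"}; value=${value%\"}
        value=${value#\'}; value=${value%\'}
        case $key in
            *PASSWORD*|*SECRET*|*TOKEN*|*KEY*|*DATABASE_URL*) ;;
            *) continue ;;         # non-sensitive keys may hold literals
        esac
        case $value in
            ''|op://?*/?*/?*) ;;   # empty, or a 1Password secret reference
            *) printf '%s:%d:%s\n' "$file" "$lineno" "$key"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# check_commit_candidates PATH...
# Rejects resolved env files by name and lints every *.env.tpl template.
# Returns 0 only if every path passes.
check_commit_candidates() {
    rc=0
    for path in "$@"; do
        case ${path##*/} in
            *.env)
                printf '%s: resolved env file, commit a .env.tpl instead\n' "$path"
                rc=1 ;;
            *.env.tpl)
                check_env_template "$path" || rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample input: one proper reference, one literal secret.
demo_dir=$(mktemp -d)
cat > "$demo_dir/app.env.tpl" <<'EOF'
DB_HOST=172.16.3.30
ENCRYPTION_KEY="op://Projects/ClaudeTools Encryption Key/credential"
export JWT_SECRET=constructed-literal-value
EOF
check_commit_candidates "$demo_dir/app.env.tpl" "$demo_dir/.env" ||
    echo "commit blocked"
rm -rf "$demo_dir"
```

In a pre-commit hook, the path list would come from `git diff --cached --name-only --diff-filter=ACM`, and a non-zero return aborts the commit.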