claudetools/.claude/memory/reference_resource_map.md
Mike Swanson 0c000109dc chore(memory): consolidate scattered feedback/project/reference files
Compressed memory store 104 -> 71 files via four passes:

- Syncro: 19 scattered feedback_syncro_* files merged into 3 rule files
  (api/billing/workflow) + an on-demand feedback_syncro_history.md for
  incident detail, quotes, and tech/product ID tables.
- Four near-duplicate merges: Howard paste-safety, Pluto build server,
  Howard backend deferral, IX server access (ssh+tailscale).
- Per-cluster rule/state/history split applied to GuruConnect (2->1),
  Dataforth (3->2), Cascades (7->3), GuruRMM (13->3).
- New reference_resource_map.md: single auto-loaded cheatsheet for
  "do I have access to X and how do I connect from this machine?"
- MEMORY.md rewritten to match the new layout.

Health: broken backlinks 8->7, overlap clusters 12->5, orphans 17->0.
2026-06-01 16:25:45 -07:00

---
name: ACG resource map — what I have access to and how to connect
description: Cheatsheet for every resource ACG has access to (servers, services, APIs, M365 tenants, MSP tools). For each: what it is, default access method, per-machine exceptions (if any), gotchas, and pointer to the existing detail file. Use this FIRST when a task says "connect to X" / "check Y" — don't search; look here.
type: reference
---
**Use this first.** When a task references a resource ("ssh into Jupiter", "check Syncro", "look at the Cascades tenant"), look here BEFORE searching for credentials or trying random connection methods. This is the lookup table; the detail lives in the linked `reference_*` / `project_*` files.
## First principles (apply to ~everything)
- **Vault wrapper** (NEVER hardcode the vault path):
```bash
VAULT="$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh"
bash "$VAULT" get-field <path> <field> # e.g. infrastructure/gururmm-server.sops.yaml credentials.password
bash "$VAULT" search <keyword> # search without decrypting
bash "$VAULT" list # full inventory
```
Reads `vault_path` from `.claude/identity.json` per-machine (Windows `c:/Users/guru/vault`, Mac `~/vault`, etc.).
- **Tailscale must be on** to reach anything on `172.16.x.x` from outside the office. Office LAN is `172.16.0.0/22`.
- **SSH on Windows:** always use **system OpenSSH** (`C:\Windows\System32\OpenSSH\ssh.exe`), **NEVER Git for Windows SSH**. Git for Windows ssh has subtle key handling differences that break auth silently.
- **Git Bash on Windows:** never redirect to Windows paths with backslashes (`echo X > D:\path`) — Git Bash strips backslashes and substitutes the colon with a Unicode PUA char, creating a garbled junk file. Use forward slashes (`/d/path`) or workspace-relative paths.
- **1Password fallback:** service-account token in vault at `infrastructure/1password-service-account.sops.yaml`. Set `OP_SERVICE_ACCOUNT_TOKEN`, then `op read "op://Vault/Item/field"`. Each workstation's age key backup lives at `op://Infrastructure/age Key - <HOSTNAME>`.
---
## Office servers & VMs (all on Tailscale + 172.16.0.0/22)
### Jupiter — Unraid primary (172.16.3.20)
- **What:** Unraid host. Runs ALL ACG VMs (GuruRMM server, OwnCloud, UniFi, Pluto, etc.) and the Docker stack (NPM, Gitea, Seafile).
- **Default:** `ssh root@172.16.3.20`. Password `infrastructure/jupiter-unraid-primary.sops.yaml` `credentials.password`. iDRAC out-of-band at 172.16.1.73.
- **Notes:** `guru@wsl` + `guru@gururmm-build` + Mac keys all authorized. Unraid web UI on port 80 — use VM console when a VM's SSH fails.
- Detail: [[infra_office_network]].
### gururmm-server (172.16.3.30, hostname `gururmm`)
- **What:** Linux VM on Jupiter. THE workhorse — runs MariaDB, PostgreSQL, ClaudeTools API (`:8001`), GuruRMM API (`:3001`), GuruConnect server (`:3002`), coord API, Gitea Actions runner, build pipeline, webhook.
- **Default:** `ssh guru@172.16.3.30`. Password `infrastructure/gururmm-server.sops.yaml` `credentials.password`. User is **`guru`** NOT `mike`. Home `/home/guru/`.
- **Gotcha:** for cargo/protoc/PATH, use a **login shell**: `ssh guru@172.16.3.30 'bash -lc "..."'`. Non-interactive shell doesn't source `~/.profile` and these look "missing".
- **Layout:** repo at `/home/guru/gururmm`, build pipeline at `/opt/gururmm/` (auto-synced from repo `deploy/build-pipeline/` by `build-shared.sh`).
- Detail: [[reference_gururmm]], [[project_gururmm]], [[project_guruconnect]].
### Pluto — Windows build VM (172.16.3.36, Unraid VM "Claude-Builder")
- **What:** Windows Server 2019 VM. Native MSVC builds — Rust, WiX MSI, Azure Trusted Signing.
- **Default:** `ssh -i ~/.ssh/id_ed25519 Administrator@172.16.3.36` (key auth, no password).
- **Per-machine:** Only `gururmm-build@gururmm-server` and `guru@gururmm-build` keys are authorized. From **GURU-5070** (Mike's main) the pubkey is NOT authorized → use `/rmm` (PLUTO agent) instead of trying SSH.
- **Gotcha:** if adding a key, `administrators_authorized_keys` MUST be ASCII. PowerShell `>` writes UTF-16 BOM and silently breaks SSH. Use `[System.IO.File]::WriteAllText(..., $key, [System.Text.Encoding]::ASCII)`.
- Detail: [[reference_pluto_build_server]].
### IX server (172.16.3.10 / ix.azcomputerguru.com)
- **What:** Rocky Linux cPanel/WHM. 40+ client WordPress sites + Matomo + Flarum forum + radio show site.
- **Default:** `ssh root@172.16.3.10`. Password `infrastructure/ix-server.sops.yaml` `credentials.password`. Tailscale-reachable directly (no separate VPN). WHM at `:2087`, cPanel at `:2083`.
- **Per-machine:** **GURU-5070's pubkey is NOT authorized** (was CachyOS, reinstalled to Win11, key never re-added) → use `sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no -o PubkeyAuthentication=no root@172.16.3.10`. Suppress warnings with `| grep -v WARNING`. Other machines: re-verify per machine.
- Detail: [[reference_ix_server_access]].
### Uranus — Unraid secondary (172.16.3.21)
- **What:** Unraid secondary. Pavon archive storage, planned future Windows build VM. Low RAM (7.7GB).
- **Default:** `ssh root@172.16.3.21`. Password `infrastructure/uranus-unraid.sops.yaml`.
- **Note:** NOT the Seafile proxy. Mounted as OwnCloud external storage (SMB → `/Archive`).
### OwnCloud VM (172.16.3.22 / cloud.acghosting.com)
- **What:** Rocky Linux 9.6 VM on Jupiter. OwnCloud file sync.
- **Default:** SSH per `infrastructure/owncloud-vm.sops.yaml`.
- **Note:** distinct from Seafile (`sync.azcomputerguru.com` is Seafile on Jupiter Docker).
### Neptune (67.206.163.124 / neptune.acghosting.com)
- **What:** Exchange Server 2016. **Physically at Dataforth's D2 facility**, NOT the ACG office (despite the `acghosting.com` name). Email for ACG-hosted clients.
- **Default:** RDP/admin via `clients/dataforth/neptune-exchange.sops.yaml`. OWA at `https://neptune.acghosting.com/owa/`.
- **Note:** to reach from the ACG office, route via D2TESTNAS (192.168.0.9) — Dataforth UDM subnet overlaps 172.16.x.x. **It is NOT Dataforth's mail system** — Dataforth uses M365 (see below).
### WebSvr (162.248.93.81 / websvr.acghosting.com)
- **What:** Legacy CentOS 7 cPanel. DNS for ACG Hosting domains + some legacy sites.
- **Default:** `ssh root@websvr.acghosting.com`. `infrastructure/websvr-legacy-hosting.sops.yaml`.
### pfSense firewall (172.16.0.1)
- **What:** FreeBSD pfSense 2.8.1. Firewall + OpenVPN + Tailscale subnet router for 172.16.0.0/22.
- **Default:** SSH on **port 2248** (not 22), user `admin`. Creds `infrastructure/pfsense-firewall.sops.yaml`. Web UI `https://172.16.0.1`.
- **Gotcha:** Tailscale gateway — losing pfSense = no remote access to anything in office. Don't drop SSH/Tailscale config without an alternative path verified.
---
## Office network services (Docker on Jupiter)
### Gitea — internal (`http://172.16.3.20:3000` / `https://git.azcomputerguru.com`)
- **What:** Self-hosted git. ALL ACG repos (`claudetools`, `gururmm`, `guru-connect`, `vault`, projects).
- **Default:** for API/automation use **internal** `http://172.16.3.20:3000` (bypasses NPM SSL-renewal blips). For Howard-attributed PR merges: `services/gitea-howard.sops.yaml` `credentials.password`. For admin API: `services/gitea.sops.yaml` `credentials.api.api-token`. Git over SSH: `ssh://git@172.16.3.20:2222`.
- **Gotcha:** public `git.azcomputerguru.com` is **NOT** behind Cloudflare — it's the office Cox IP NAT'd to NPM. Internal `:3000` is more reliable.
- Detail: [[reference_gitea_internal]], [[reference_gitea_api_credential]].
### NPM (Nginx Proxy Manager)
- **What:** openresty reverse proxy for all `*.azcomputerguru.com` services.
- **Default:** admin UI `http://172.16.3.20:7818`. `services/npm.sops.yaml`.
- **Note:** proxy configs at `/data/nginx/proxy_host/*.conf` on Jupiter. Cert renewals briefly drop external `:443`.
### Seafile Pro (`sync.azcomputerguru.com`)
- 11.8TB file sync. `services/seafile-pro.sops.yaml`.
### Cloudflare (DNS for `azcomputerguru.com`)
- API tokens in `services/cloudflare.sops.yaml`. Analytics record is proxied; git is NOT.
### GoDaddy API
- Domain registrar API. `services/godaddy-api.sops.yaml`.
---
## PSA / ticketing
### Syncro — primary (`computerguru.syncromsp.com`)
- **What:** Primary PSA / RMM (Kabuto agent). ACG's tickets, invoices, customers, time entries.
- **Default:** API key `msp-tools/syncro.sops.yaml` `credentials.api_key`; Howard's own key `msp-tools/syncro-howard.sops.yaml`. Base `https://computerguru.syncromsp.com/api/v1`. Skill: `/syncro`.
- **Gotchas:** **NO idempotency on any endpoint — ALWAYS GET before retrying any POST.** Content-Type header required. Comments need `subject`. `add_line_item` uses internal ticket ID, not ticket number. Timers no longer used for billing.
- Detail: [[feedback_syncro_api]], [[feedback_syncro_billing]], [[feedback_syncro_workflow]], [[feedback_syncro_history]].
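The "GET before retrying any POST" rule above, demonstrated against a constructed in-memory stand-in for a non-idempotent ticket endpoint. This is an added example, not the project's code and not Syncro's API; `FakePSA`, `post_ticket` and `get_tickets` are hypothetical names, and the stand-in models the failure mode the rule guards against: the server applies the POST but the client never sees the reply.

```python
"""Blind retry vs. GET-before-retry against a non-idempotent POST."""
from dataclasses import dataclass, field


class Timeout(Exception):
    """The server processed the request but the reply was lost in transit."""


@dataclass
class FakePSA:
    """Constructed stand-in for a PSA whose POSTs have no idempotency key.
    The first POST is applied server-side, then its response is dropped."""
    tickets: list = field(default_factory=list)
    drop_next_reply: bool = True

    def post_ticket(self, subject: str) -> dict:
        ticket = {"id": len(self.tickets) + 1, "subject": subject}
        self.tickets.append(ticket)  # side effect happens before the reply
        if self.drop_next_reply:
            self.drop_next_reply = False
            raise Timeout("reply lost after the server applied the POST")
        return ticket

    def get_tickets(self, subject: str) -> list:
        """Lookup by a client-chosen natural key (here: the subject)."""
        return [t for t in self.tickets if t["subject"] == subject]


def create_naive(api: FakePSA, subject: str, attempts: int = 2) -> dict:
    """Blind retry: every lost reply becomes a duplicate ticket."""
    for _ in range(attempts):
        try:
            return api.post_ticket(subject)
        except Timeout:
            continue
    raise RuntimeError("gave up after %d attempts" % attempts)


def create_safe(api: FakePSA, subject: str, attempts: int = 2) -> dict:
    """GET before every retry: if the earlier POST landed, reuse it."""
    for attempt in range(attempts):
        if attempt:  # never re-POST without checking first
            existing = api.get_tickets(subject)
            if existing:
                return existing[0]
        try:
            return api.post_ticket(subject)
        except Timeout:
            continue
    raise RuntimeError("gave up after %d attempts" % attempts)


def demo() -> tuple:
    """Ticket counts after one lost reply: (naive retry, safe retry)."""
    naive, safe = FakePSA(), FakePSA()
    create_naive(naive, "Printer offline")
    create_safe(safe, "Printer offline")
    return len(naive.tickets), len(safe.tickets)  # returns (2, 1)
```

The natural key used for the pre-retry GET must be something the client controls and sends in the POST (subject plus customer and a timestamp in practice), otherwise the lookup cannot tell its own half-finished request from an unrelated one.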
### Autotask — secondary
- **What:** Legacy/secondary PSA. **Default to Syncro** unless task explicitly says "Autotask".
- **Default:** `msp-tools/autotask.sops.yaml` (API username, password, integration code; zone `webservices5.autotask.net`).
- Detail: [[feedback_psa_default_syncro]].
---
## RMM / remote control
### GuruRMM — ACG's own (`rmm.azcomputerguru.com`)
- **What:** Rust/Axum server @ `172.16.3.30:3001`. Agents on all ACG-managed endpoints. Drives `/rmm` skill.
- **Default:** JWT login `POST /api/auth/login`. Creds `infrastructure/gururmm-server.sops.yaml` fields `credentials.gururmm-api.admin-email` / `admin-password`. External `https://rmm-api.azcomputerguru.com`. Dashboard `https://rmm.azcomputerguru.com`.
- **Gotchas:** use `context: "user_session"` for cmdlets that fail as SYSTEM with "NonInteractive mode" (see [[reference_gururmm]]). Linux agent runs in a **systemd sandbox** — `findmnt`/`/proc/mounts` from the agent lie (sandbox view, not host). SSH the host directly for ground truth.
- Detail: [[reference_gururmm]], [[project_gururmm]], [[feedback_gururmm]].
### ScreenConnect / CW Control
- Primary remote-access tool. `msp-tools/screenconnect.sops.yaml`.
- **Gotcha:** Toolbox scripts truncate lines >80 chars silently; no inline comments mid-script. See [[reference_msp_audit_scripts]].
### Splashtop (SOS / Streamer)
- Secondary remote-access in the stack. Portal — verify vault entry if needed.
### Datto RMM (CagService / Aemagent)
- Part of ACG stack on managed endpoints. **Expected, not a threat.** Portal creds — verify in vault.
### GuruConnect — ACG's own (`connect.azcomputerguru.com`)
- **What:** ACG's own remote-access product. v2 live since 2026-05-30. Native-first, full key fidelity, bidirectional file transfer.
- **Default:** server `172.16.3.30:3002` behind NPM. Portal creds `projects/guruconnect/portal.sops.yaml`. DB `projects/guruconnect/database.sops.yaml`.
- Detail: [[project_guruconnect]].
---
## Security / EDR / AV
### Bitdefender GravityZone (Cloud MSP partner tenant)
- **What:** ACG partner tenant. Endpoint AV/EDR.
- **Default:** API creds `msp-tools/gravityzone.sops.yaml`. Skill: `/bitdefender`.
- **Gotcha:** skill talks to **live production** partner tenant — destructive ops gated.
### Datto EDR / Datto AV
- **What:** Managed AV on ACG endpoints. When active, **Windows Defender real-time is OFF by design** — that's expected, not a gap.
- Detail: [[reference_acg_msp_stack]].
---
## Cloud storage
### Backblaze B2
- **What:** Per-client MSP360/CloudBerry backup destinations. Account ID `46f69bc61163`, region `us-west-001`.
- **Default:** API key `projects/claudetools/backblaze-b2.sops.yaml`. Skill: `/b2`.
### MSP360 API (backup orchestration)
- `msp-tools/msp360-api.sops.yaml`.
---
## M365 / Google Workspace tenants
ACG manages multiple M365 tenants via the **ComputerGuru tiered MSP app suite** (Security Investigator / Exchange Operator / User Manager / Tenant Admin / Defender Add-on / Intune Manager). Per-tenant tokens in `msp-tools/computerguru-*.sops.yaml`. Use the **`/remediation-tool`** skill — NOT CIPP (CIPP creds exist at `msp-tools/cipp.sops.yaml` but the ComputerGuru suite is the primary path).

| Tenant | Vault path |
|--------|------------|
| ACG own (computerguru) | `msp-tools/computerguru-*.sops.yaml` (partner tenant) |
| Dataforth | `clients/dataforth/m365.sops.yaml` |
| Cascades Tucson | `clients/cascades-tucson/m365-admin.sops.yaml`, `m365-sysadmin.sops.yaml` |
| QuantumWMS | `clients/quantumwms/m365-breakglass.sops.yaml` |
| BG Builders | `clients/bg-builders/m365.sops.yaml` |
| MVAN | `clients/mvan/m365.sops.yaml` |
| Heieck.org | `clients/heieck-org/m365.sops.yaml` |
| CW Concrete | `clients/cw-concrete/m365.sops.yaml` |
| Kittle (M. Sanchez) | `clients/kittle/m365-michael-sanchez.sops.yaml` |

Also: multi-tenant Graph API service principal at `msp-tools/claude-msp-access-graph-api.sops.yaml`.
**Google Workspace:** ACG service account `msp-tools/acg-msp-access-google-workspace.sops.yaml`. Client-specific: `clients/lonestar-electrical/google-workspace.sops.yaml`.
Detail: [[project_cascades]], [[project_dataforth]], [[project_quantum_godaddy_m365_tenant]].
---
## Internal APIs (all on `172.16.3.30`)
### ClaudeTools main API (`:8001`)
- 95+ endpoints, JWT auth, MariaDB. Docs `/api/docs`. Auth creds `projects/claudetools/api-auth.sops.yaml`.
### ClaudeTools coord API (`:8001/api/coord`)
- Inter-session coordination (locks, messages, todos, component state). **NO AUTH.** Direct curl. Spec in `CLAUDE.md` + [[reference_coord_messages_api_shape]].
### GuruRMM API (`:3001`) / GuruConnect API (`:3002`)
- See respective sections above.
---
## Other services
### Matomo Analytics (`analytics.azcomputerguru.com`)
- PHP analytics on IX server. Tracks 3 sites. Creds `services/matomo-analytics.sops.yaml` (verify; older docs hardcoded the password — should now be vault-only).
- Detail: [[reference_matomo_analytics]].
### Flarum forum (`community.azcomputerguru.com`)
- Flarum 1.8.14 on IX server cPanel `azcomputerguru`. Skill: `/forum-post`.
- **Gotcha:** **Cloudflare blocks external Flarum API calls.** Must SSH to IX and run PHP/DB script — the `/forum-post` skill handles this via paramiko SSH.
- Detail: [[reference_community_forum]].
### Radio show (`radio.azcomputerguru.com`)
- Astro static site, source at `projects/radio-show/website/`. Build `npm run build` → rsync `dist/` to IX server cPanel.
- Detail: [[reference_radio_website]].
### TickTick
- OAuth creds `services/ticktick.sops.yaml`. MCP server + token cache at `mcp-servers/ticktick/.tokens.json`. Detail: [[reference_ticktick_integration]].
### Ollama (local, per-machine)
- **Tier-0 LLM** (drafts, summaries, classification). Endpoint per-machine in `.claude/identity.json` `.ollama.endpoint`. Models: `qwen3:14b` / `qwen3.6` (structured) / `codestral:22b` (code). See `.claude/OLLAMA.md`.
### GrepAI (local watcher + MCP server)
- Semantic code search over `claudetools/` + `session-logs/`. MCP tools `grepai_search`, `grepai_trace_callers/callees`. CLI `$CLAUDETOOLS_ROOT/grepai search`. Watcher runs as scheduled task per machine.
### Discord bot
- `projects/discord-bot/anthropic-api.sops.yaml` + `bot-token.sops.yaml`. Runs as `.venv/Scripts/python.exe -m bot.main` from `projects/discord-bot/`.
### Azure Trusted Signing
- Windows code signing (Pluto `signtool`). `services/azure-trusted-signing.sops.yaml`.
### Apple Developer Program
- macOS code signing + MDM Push cert. `infrastructure/apple-developer-program.sops.yaml`. **MDM Push cert renews annually on the same Apple ID** or enrolled iOS devices break. See [[project_apple_mdm_certs]].
---
## Client systems (per-client vault pattern)
Every managed client has access entries at `clients/<slug>/<system>.sops.yaml`. Examples by frequency: **Cascades Tucson** (pfSense / Synology / CS-SERVER / accountant PC / multiple admin accounts), **Dataforth** (AD1, AD2, ESXi 122/124, D2TESTNAS, PBX, UDM, Neptune, M365, OAuth), **VWP** (UDM / DC1 / XenServer / iLO / etc.), **Peaceful Spirit** (server + L2TP VPN), plus: Anaise, BG Builders, Birth Biologic, CryoWeave, CW Concrete, Grabb & Durando, Heieck, IMC, Khalsa, Kittle, Lens Auto Brokerage, Lonestar Electrical, MVAN, QuantumWMS, Rednour, Scileppi, Sif-Oidak, Sombra Residential, Stamback Septic, Tucson Golden Corral, Key Paul, Glaztech (GuruRMM site key only). Sweep `bash $VAULT search <client>` first.
Doc layout (`overview/network/servers/cloud/security/rmm`) and wiki articles at `wiki/clients/<slug>.md`. Detail: [[reference_client_docs_structure]].
**Notable gotcha — D2TESTNAS:** `root@192.168.0.9` with `Paper123!@#` (NOT `sysadmin`). See [[feedback_d2testnas_ssh]].
---
## Per-machine access gotchas (consolidated)
| Machine | Gotchas |
|---------|---------|
| **GURU-5070** (Mike's Win11 primary) | IX pubkey not authorized → use `sshpass`. Pluto pubkey not authorized → use `/rmm` agent PLUTO instead. Has full local Rust toolchain (`cargo` + MSVC + `protoc`) — build GuruConnect locally; set `$env:PROTOC` to the winget path. See [[reference_guru5070_rust_toolchain]]. |
| **GURU-BEAST-ROG** (Win11 secondary) | Verify SSH key deployment per resource. See [[machine_windows_guru_setup_status]]. |
| **GURU-KALI** (Linux) | Subject to GuruRMM agent sandbox issue ([[reference_gururmm]] §sandbox) for Linux-agent dispatched commands. |
| **Mikes-MacBook-Air** | gururmm `install-hooks.sh` still pending — see [[project_gururmm]]. Vault path is `~/vault`. |
| **Howard-Home / ACG-TECH03L** | Vault path varies — read from `.claude/identity.json` `vault_path`. |
| **All Windows machines** | Use **system OpenSSH** (`C:\Windows\System32\OpenSSH\ssh.exe`) NEVER Git for Windows SSH. NEVER redirect to backslashed Windows paths from Git Bash (`echo X > D:\path` corrupts to junk file). |
| **All machines** | Tailscale must be on for any `172.16.x.x` from outside office. |