
Services

Active Directory

Running on Windows Server.

  • Domain: ad.victorbush.com
  • DSRM password: in Proton Pass
  • NetBIOS domain name: VICTORBUSH

Azure AD Connect

  • Created an Azure AD tied to Microsoft account for victorbush@gmail.com.
  • Using Azure AD Connect to sync the server’s Active Directory with the cloud Azure AD.
  • Had to create a new Global Admin in the cloud AD first in order to install the AD Connect client on the server.
  • It wasn’t working. I left it for a few days and came back and it started working.

Notes

  • Domain password policy:
    • In the Group Policy Management, edit the default domain policy.
    • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password policy
    • Max password age: 0
    • Min password age: 0
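A check that makes the effect of those two zero values visible, as an added example written for this page in PowerShell (not a command from the original notes). It assumes the ActiveDirectory RSAT module is available on a domain-joined host and uses the ad.victorbush.com domain name from the Active Directory section above:

```powershell
# Added example, not part of the original notes. Reads the effective default
# domain password policy (the values set through the Default Domain Policy GPO
# above) and reports the settings a reviewer would look at first.
Import-Module ActiveDirectory

$domain = 'ad.victorbush.com'   # from the Active Directory notes above
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

$policy | Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount,
    MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration |
    Format-List

$findings = @()

# "Maximum password age: 0" in Group Policy means passwords never expire; the
# cmdlet reports it as a zero TimeSpan.
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    $findings += 'MaxPasswordAge is 0: domain passwords never expire'
}

# "Minimum password age: 0" lets a user change the password repeatedly in one
# sitting, which defeats PasswordHistoryCount by cycling back to the old value.
if ($policy.MinPasswordAge -eq [TimeSpan]::Zero -and $policy.PasswordHistoryCount -gt 0) {
    $findings += 'MinPasswordAge is 0: password history can be cycled through immediately'
}

if (-not $policy.ComplexityEnabled) {
    $findings += 'Password complexity is disabled'
}

if ($policy.LockoutThreshold -eq 0) {
    $findings += 'LockoutThreshold is 0: no account lockout after failed logons'
}

# Fine-grained password policies (PSOs) override the default for the users and
# groups they apply to, so list them rather than reviewing the default alone.
$psos = Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue
if ($psos) {
    $psos | Select-Object Name, Precedence, MaxPasswordAge, AppliesTo | Format-Table -AutoSize
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings for the default domain password policy.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell on the domain controller or any host with RSAT; it only reads, so it is safe to re-run after each Group Policy change to confirm what actually took effect.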

Archive Files Web Server

The archive files share contains a collection of saved games, applications, and other files available for download via a web browser.

Caddy is used as the web and file server. The application is secured via Cloudflare Zero Trust.

Notes

  • Download and extract Caddy into C:\Portable\caddy.
  • Edit the PATH system environment variable to include this directory.
  • Create a Windows service: sc.exe create caddy start=auto binPath="C:\Portable\caddy\caddy.exe run"
  • Create a Caddyfile (no extension): C:\Portable\caddy\Caddyfile.
:8189 {
    root * D:\Shares\archive
    file_server browse
}
  • Start the service: sc.exe start caddy
  • Do not expose the port in Windows Firewall. External access will only be via the Cloudflare tunnel.
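The same setup as a single PowerShell script, added here as an example and not the commands from the original notes. It writes a Caddyfile that listens on loopback only, registers and starts the service, and then verifies that the listener and the firewall match the rule above that external access comes only through the Cloudflare tunnel. The paths and the port are taken from the notes; the `hide` patterns are assumptions.

```powershell
# Added example, not the commands from the original notes. Installs Caddy as a
# service with a Caddyfile that listens on loopback only, then verifies that
# the listener and the firewall match the intent "external access only via
# the Cloudflare tunnel". Paths and port come from the notes above.
$caddyDir  = 'C:\Portable\caddy'
$caddyExe  = Join-Path $caddyDir 'caddy.exe'
$caddyfile = Join-Path $caddyDir 'Caddyfile'

# ':8189' in a Caddyfile binds every interface. cloudflared runs on the same
# host and connects to localhost, so binding 127.0.0.1 keeps the share off the
# LAN even if a firewall exception is added later by mistake. 'hide' keeps
# housekeeping files out of the directory listing (patterns are assumptions).
@'
127.0.0.1:8189 {
    root * D:\Shares\archive
    file_server browse {
        hide .git *.bak Thumbs.db
    }
}
'@ | Set-Content -Path $caddyfile -Encoding ASCII

# Validate the config before registering anything.
& $caddyExe validate --config $caddyfile
if ($LASTEXITCODE -ne 0) { throw 'Caddyfile failed validation' }

# Pass --config explicitly: a service starts with C:\Windows\System32 as its
# working directory, so a bare 'caddy run' would look for the Caddyfile there.
if (-not (Get-Service -Name caddy -ErrorAction SilentlyContinue)) {
    New-Service -Name caddy -DisplayName 'Caddy' -StartupType Automatic `
        -BinaryPathName "`"$caddyExe`" run --config `"$caddyfile`""
}
Start-Service -Name caddy
Start-Sleep -Seconds 3

# 1. The listener must be bound to 127.0.0.1 only.
$listen = Get-NetTCPConnection -LocalPort 8189 -State Listen -ErrorAction Stop
$listen | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
$wide = $listen | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' }
if ($wide) { Write-Warning 'Caddy is listening on all interfaces; expected 127.0.0.1 only.' }

# 2. No enabled inbound allow rule should open 8189. LocalPort on the port
#    filter is a string (or array of strings) and may hold ranges such as
#    '8000-9000', so an exact match is a first pass, not a full proof.
$open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '8189' }
if ($open) {
    Write-Warning ('Inbound firewall rule(s) open 8189: ' + ($open.DisplayName -join ', '))
}

# 3. The listing is reachable locally, which is all cloudflared needs.
(Invoke-WebRequest -Uri 'http://127.0.0.1:8189/' -UseBasicParsing).StatusCode
```

Binding to 127.0.0.1 is the design choice worth keeping even if the rest is done by hand: with it, the "do not expose the port" rule no longer depends on nobody ever adding a firewall exception, because there is no LAN-facing listener to expose.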

Cloudflare Setup

Create a private application to protect with Zero Trust.

  • Application name: Kremlin Archive
  • Internal hostname or IP: 10.10.0.10
  • Application protocol: HTTP
  • Application port: 8189
  • Public domain: archive.kremlin.dev
  • Assign the correct policy for access ("Allow Kremlin users" policy).

Need to create a Tunnel.

  • Create tunnel using Cloudflare dashboard.
  • Follow the instructions to connect the Tunnel.
  • When running the installer, I was getting "Access is denied." I had to use an admin command prompt and use msiexec /i name_of_installer.msi.
  • I had to navigate into the C:\Program Files (x86)\cloudflared directory, then run the cloudflared.exe service install xxx command that is provided by the Cloudflare dashboard.
  • The tunnel should then appear as "healthy" in the Cloudflare dashboard.
  • Open the tunnel in the Cloudflare dashboard. Go to Published application routes tab.
  • Create a new route that maps archive.kremlin.dev to http://localhost:8189. You will have to delete any existing DNS records for archive.kremlin.dev first.

DNS

DNS setup:

  • The router’s DHCP server provides server-02 as the DNS server.
  • Pihole is running on server-02 and acts as primary DNS for clients.
  • Pihole uses Cloudflare as the upstream DNS (1.1.1.3 and 1.0.0.3).
  • server has a DNS server running on Windows Server. I believe this was required for Active Directory stuff? It has forwarders set up to an outside DNS (currently Cloudflare).

Notes

  • Firewall rule required in router to allow access to DNS from Guest/IoT networks.

Emby

Emby media server. Runs on server.

  • Admin user:
    • Username: Victor
    • Password: in Proton Pass
    • Linked to Emby Connect user: victorbush@gmail.com
  • A firewall rule in the router is set to allow access to Emby from the IoT network. This allows direct access to the server from the Firestick.

Old notes (not used anymore):

  • Configured to run as a service.
    • Uses NSSM to run as a service.
    • Emby must be set to NOT “run server at startup” when running as a service. The service takes care of that.
  • Configured to use the TV tuner for live TV. The WinTV 10 software is required for this to work.

FTP

There is an FTP server configured on the Windows Server. I don’t always have it enabled, but it comes in handy sometimes.

Setup:

  • Create a self-signed certificate. The ones created through IIS don’t work for FTP over TLS. Use an admin PowerShell:
    • New-SelfSignedCertificate -FriendlyName "FTP Server" -CertStoreLocation cert:\localmachine\my -DnsName kremlin.victorbush.com
  • In IIS Manager, select the root server. Go to FTP Firewall Support.
    • Set the data channel ports to 41200-41300.
  • Create an FTP site in IIS and set desired settings.
    • Require SSL - choose the self-signed cert.
    • In FTP Firewall Support for this site, set the external WAN IP address.
  • Forward the following ports in the router:
    • 21 TCP (FTP)
    • 990 TCP (FTPS)
    • 41200-41300 (FTP Passive)
  • Verify server firewall rules (should already exist).
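A verification pass over that setup, added as an example in PowerShell (not from the original notes). It confirms that the IIS FTP site requires TLS on both the control and data channels, that the certificate it references is the self-signed one created above and not close to expiry, and that the server-wide passive port range matches the ports forwarded in the router. The site name `FTP Site` is an assumption; the element names follow the IIS applicationHost.config schema for FTP.

```powershell
# Added example, not part of the original notes. Confirms that the IIS FTP site
# actually requires TLS on both channels, that the certificate it references
# is the one created above and not about to expire, and that the passive
# port range matches the ports forwarded in the router. The site name is an
# assumption; change it to the name chosen in IIS Manager.
Import-Module WebAdministration

$siteName = 'FTP Site'                   # assumption
$dnsName  = 'kremlin.victorbush.com'     # from the notes
$range    = 41200..41300                 # passive ports from the notes

$sitePath = "system.applicationHost/sites/site[@name='$siteName']"
$ssl = Get-WebConfiguration -PSPath 'IIS:\' -Filter "$sitePath/ftpServer/security/ssl"
if (-not $ssl) { throw "FTP site '$siteName' not found" }

$findings = @()

# SslRequire refuses USER/PASS until AUTH TLS has succeeded; SslAllow would let
# a client log in over cleartext FTP on the same port 21.
if ($ssl.controlChannelPolicy -ne 'SslRequire') {
    $findings += "controlChannelPolicy is $($ssl.controlChannelPolicy); credentials can travel in cleartext"
}
if ($ssl.dataChannelPolicy -ne 'SslRequire') {
    $findings += "dataChannelPolicy is $($ssl.dataChannelPolicy); file contents can travel in cleartext"
}

# The site must point at the self-signed cert created above, by thumbprint.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $ssl.serverCertHash }
if (-not $cert) {
    $findings += 'Site references a certificate that is not in LocalMachine\My'
} else {
    if ($cert.DnsNameList.Unicode -notcontains $dnsName) {
        $findings += "Certificate SAN does not include $dnsName; clients will see a name mismatch"
    }
    # New-SelfSignedCertificate defaults to one year of validity.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Certificate expires $($cert.NotAfter); renew and rebind"
    }
}

# The server-wide passive range must equal the router forward, or passive
# transfers will hang after the control channel connects.
$fw = Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport'
if ($fw.lowDataChannelPort -ne $range[0] -or $fw.highDataChannelPort -ne $range[-1]) {
    $findings += "Data channel range is $($fw.lowDataChannelPort)-$($fw.highDataChannelPort), router forwards $($range[0])-$($range[-1])"
}

if ($findings.Count -eq 0) {
    Write-Output "FTPS configuration for '$siteName' looks consistent."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Because this FTP server is only enabled occasionally, the certificate check is the one most likely to fire: a self-signed certificate made a year ago will have expired while the site was switched off, and FileZilla will refuse it before the user prefix is ever sent.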

Connecting with client:

  • Use FileZilla. Make sure it’s up-to-date.
  • Protocol: FTP
  • Host: kremlin.victorbush.com
  • Port: leave blank
  • Encryption: Require explicit FTP over TLS
  • Logon: Normal or Ask for password
  • User: kremlin.victorbush.com|victor
    • The username must be prefixed with kremlin.victorbush.com|

Pi-hole

A DNS sinkhole for ad-blocking.

  • Runs on server-02 in a Docker container.
  • Admin password is stored in the docker compose file 🙈.
  • Ports
    • 53 (tcp/udp) - DNS.
    • 67 (udp) - Unknown.
    • 9001 (tcp) - Web interface.

The DNS server on Ubuntu Server must be disabled to free up port 53 for the Pi-hole container.

Plex

Running as a Windows application on the Windows Server. It is configured to start automatically upon login to the server. There did not appear to be a clean way to run it as a service, but this could use more investigation.

Ports

Notes

  • Was previously running in a Docker container, but moved to running natively to try and get the TV tuner working.
  • TV tuner:
  • Metadata/config directory on Windows:
    • Set the registry key:
      • HKEY_CURRENT_USER\Software\Plex, Inc.\Plex Media Server\LocalAppDataPath
      • REG_SZ
      • Value: D:\Shares\plex\config\Library\Application Support\

Portainer

Docker management Web app. Runs in a Docker container.

Tailscale

  • server - installed on Windows Server using standard installation instructions.
    • Enabled run unattended.
  • server-02 - installed on Linux server using the standard install script.
    • After install, configured as an exit node and subnet router.
      • Used the following:
        • echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
        • echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
        • sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
        • sudo tailscale up --advertise-exit-node --advertise-routes=10.10.0.0/24
      • I disabled key expiry for this server too, to prevent having to re-auth the box in 6 months. Not sure if that’s the best move.
      • The --advertise-routes option allows acting as a subnet router to allow access to the local network remotely.

Traefik

Used as a reverse proxy for services. See Kremlin repo for configuration details.

UniFi Controller

Unifi controller. Runs in a Docker container.

Ports

  • List of ports used by Unifi controller:
  • Web interface is on port 8443.
    • Note that you must use https explicitly, there is no redirect from http.
    • It is not required to expose the Unifi controller externally for remote access. Linking to a Unifi account will allow remote access via unifi.ubnt.com.

Notes

  • The UniFi controller container is now running on a Linux host. Previously, it was running on Docker for Windows. The UniFi configuration volume is mounted as a host-mounted share. This works when running Docker on Linux. When on Windows, MongoDB does not work in Docker using host-mounted shares. The solution in that case is to use a Docker volume instead of mounting the share directly from the host’s file system. Since moving to Linux, a Docker volume is no longer needed.
  • To adopt devices to the controller after the container is running, the easiest way is to do a layer 3 adoption:
    • SSH into the access point (or whatever device you are adopting).
      • ssh admin@10.10.0.3 (or whatever the AP’s IP is).
      • mca-cli
      • set-inform http://<controller_ip>:8080/inform

Veeam Backup and Replication

Installed a 256 GB SSD to hold Veeam B&R install.

Installed Veeam B&R directly to Windows Server. Updated install paths to point to the SSD.

Ports

  • Catalog service port: 9393
  • Veeam Backup service port: 9392
  • Secure connections port: 9401
  • REST API service port: 9419

(Retired) GitLab

2022-07-03 - GitLab currently not running.

Runs in Docker container on server-vm02. Managed with Portainer.

(Retired) OpenVPN

Update 2023-08-07 - Shut down the OpenVPN server. Using Tailscale instead now.

Old OpenVPN notes can be found in the old Kremlin documentation in Google Drive.

(Retired) PassCore

Update 2026-03-16 - I am trying to move away from using Active Directory accounts for other users and instead using Cloudflare One. Therefore, I am retiring this site. Historically this was needed to allow users to change their passwords without being on-premise. I have stopped the application in IIS, but have not completely removed it. I have removed the DNS records, ports, and Traefik configs.

A web-based password reset utility for Active Directory.

  • https://github.com/unosquare/passcore
  • Used since the free version of Azure AD does not have User Writeback or Web-based password reset. This provides a Web interface that allows the on-premise users to change their passwords without logging in to a domain PC.
  • Port: 8990
  • Make sure to update the appsettings.json accordingly.
  • Passcore is run and managed with IIS Manager.

  • Recaptcha managed at: https://www.google.com/recaptcha/admin

    • Keys are put in the appsettings.json for Passcore.

(Retired) SSLH

UPDATE (2023-08-07) - No longer used. Since we’re no longer using OpenVPN, this is no longer necessary. I was noticing some bad performance with proxied traffic. I wonder if this was because the OpenVPN server was shutdown and sslh was having problems dealing with that. Moving 443 traffic to go right to Traefik made the performance issues go away.

Used as a reverse proxy that splits OpenVPN traffic and HTTPS traffic.

  • OpenVPN traffic is routed to the OpenVPN access server.
  • HTTPS traffic is routed to the NGINX reverse proxy.

Ports

  • SSLH runs on port 443.
  • Nginx runs on ports 80 (HTTP) and 8400 (HTTPS).

(Retired) Teamspeak

Update (2026-03-16): This was removed a while back. We use Discord now.

Teamspeak server. Runs in a Docker container.

Ports

  • 9987 UDP (Voice) (Opened on router)
  • 10011 TCP (ServerQuery) (NOT opened on router)
  • 30033 TCP (Filetransfer) (Opened on router)

Notes

  • Server password: SplinterHoganFife2319
  • Server Query Admin
    • Login: serveradmin
    • Password: in Proton Pass
  • ServerAdmin privilege key:
    • in Proton Pass

(Retired) Xbox Control

Update (2026-03-16): This was removed a while back.

A Node.js web application to control an Xbox using the SmartGlass protocol.

Domain

Ports

  • Uses port 4000 internally in the Docker container.
  • Docker container exposes port 8999. This port must have a firewall exception on the server.

SSL

  • Uses the ‘generic-kremlin-cert’ certificate and private key. A copy of the certificate is used by the reverse proxy to handle SSL proxying.