Administration

Admin & Server Manual

This handbook is restricted. Enter the admin password to continue.

Incorrect password. Please try again.
For administrators only. If you have lost access, contact the system owner.
SOiLAdmin & Server Manual
Operations & Systems Handbook
Last updated: 18 June 2026 · v1.0

Start here

About this manual

Everything needed to run SOiL's internal systems — the staff portal, the dashboards, the domain, email, and remote access to Sage Evolution — written so that someone new could pick it up and keep things running.

It is in two parts. Part A (Admin User) is for the person who manages the portal day to day — staff access, the dashboards, HR records. Part B (Server Administrator) is for whoever maintains the underlying infrastructure — the domain, Cloudflare, deployments, and the Sage server.

Passwords are not written into this document. Where a real secret is needed it shows 🔒 in Bitwarden — meaning the value lives in Bitwarden, SOiL's password vault (see the Credential register). Keep that rule: this page is gated, but documents get copied and shared, so secrets stay in Bitwarden.

Keep this current
Whenever a password, link, or process changes, update this manual the same day. A handbook that is wrong is worse than none. The source file is soiloils-hub/admin-manual.html; redeploy the hub after editing (see Dashboards & deploys).

Start here

System overview

SOiL runs four things you need to understand. They are independent — a problem in one rarely affects the others.

SystemWhat it isWhere it lives
The portal (hub)The staff landing page. A login screen, then tiles linking to each dashboard and resource.Cloudflare Pages → hub.soiloils.com
The dashboardsPeople (HR), Performance, and Pricing/Incentive. Self-contained web pages.Cloudflare Pages → people / performance subdomains
Domain & emailThe soiloils.com domain and all company email.DNS managed in Cloudflare; mailboxes hosted at xneelo
Sage remote accessA secure way to reach the Sage Evolution accounting PC from any browser.Cloudflare Tunnel + the soil-server PC on-site
The one rule that matters
Cloudflare is the control centre for everything except the mailboxes themselves and Sage. The domain registrar is xneelo, but DNS is delegated to Cloudflare. Login to Cloudflare = login to almost everything.

Quick links

WhatLinkWho needs it
Staff portalhub.soiloils.comEveryone
People (HR) dashboardpeople.soiloils.comAdmin / HR
Performance dashboardperformance.soiloils.comAdmin / management
Sage remote accesssage.soiloils.com (via App Launcher)Authorised finance staff
Cloudflare dashboarddash.cloudflare.comServer admin
Cloudflare Zero Trust (Sage gate)one.dash.cloudflare.comServer admin
Sage App Launcherbold-frost-4f30.cloudflareaccess.comAuthorised finance staff
Domain registrar / mail hostkonsoleH (xneelo)Server admin

Part A — Admin User Guide

The portal & login

The portal is the front door for staff. It lives at hub.soiloils.com and branded as Veld Botanicals — Elements of Wellness.

How staff log in

Each person signs in with a personal username and a shared password. The username controls their name, role label, and which dashboards they see; the password is currently the same for all staff (the general portal PIN — 🔒 in Bitwarden).

Adding, removing, or editing a portal user

Users are defined in a list near the top of the hub's code. To change them you edit the hub file and redeploy.

  1. Open soiloils-hub/index.html in a text editor.
  2. Find the block of lines that look like: 
    { username: "natalie", password: "••••••", name: "Natalie",
  role: "Admin", access: ["people","performance","production"] },
  3. Copy a line, change username, name, role, and access. To remove someone, delete their line (or put // at the start to disable it).
  4. access is the list of dashboards that person can open — use any of people, performance, production.
  5. Save, then redeploy the hub (see Dashboards & deploys).
Note on security
This login is a convenience gate, not bank-grade security — the check happens in the browser. It keeps casual visitors out and personalises the view. Do not store anything truly sensitive behind it alone. The genuinely sensitive system (Sage) has a separate, stronger gate (see Part B).

Part A — Admin User Guide

The dashboards

Three dashboards hang off the portal. Each is a self-contained page; staff reach them through the tiles on the hub once logged in.

DashboardAddressPurpose
People (HR)people.soiloils.comStaff records, leave, sick days, and the employee records register (see below).
Performanceperformance.soiloils.comSales and operational performance views.
Pricing / Incentivesoiloils-pricing.pages.devIncentive and pricing analysis, fed by monthly Sage inventory exports.
Why an edit sometimes "doesn't show"
The live sites are served by Cloudflare. If you change a dashboard file on your computer, the live site does not update until you deploy it (Part B). Opening the local file shows your change; the public URL shows the last deployed version.

Part A — Admin User Guide

HR employee records

The People dashboard has an Employee Records tab holding each employee's statutory details:

  • V number — the internal employee number (e.g. V002).
  • ID number — the SA ID; the first six digits are the date of birth, which the dashboard works out and displays automatically.
  • Tax number — SARS income-tax reference.
  • UIF reference — the company UIF reference.

The fields are locked by default

To prevent accidental edits, these fields are read-only until an admin unlocks them. There is a separate HR admin password for this (🔒 in Bitwarden — distinct from the portal login).

  1. Open the Employee Records tab.
  2. Click Unlock and enter the HR admin password.
  3. Fields become editable, and the Add employee button appears.
  4. Make your changes — they save automatically. The lock re-engages when you reload.
Privacy
ID and tax numbers are sensitive personal information. Only unlock on a trusted device, never on a shared screen, and lock again when done.

Part A — Admin User Guide

Sage remote access (for staff)

Finance staff who are authorised can open the Sage Evolution desktop in a browser tab — no software to install. From the portal's Systems & Access section, click Sage Evolution — Remote Access (or go to the App Launcher at bold-frost-4f30.cloudflareaccess.com).

They will be asked to sign in twice:

  1. Cloudflare gate — enter your authorised work email; a one-time PIN is emailed to you; enter it.
  2. Windows login — username .\sageuser and the Sage Windows password (🔒 in Bitwarden).

Only emails on the approved list can pass the first gate. To add or remove someone, the server admin edits the policy (Part B). The full technical setup is in Part B and in the file sage-browser-rdp-setup.md.

Part B — Server Administrator Guide

Accounts & credentials

Before touching anything, know where the keys are. SOiL's systems rest on a small number of accounts:

AccountUsername / identifierControls
Cloudflaresoilorganicoils@gmail.comDNS, all dashboards (Pages), the Sage tunnel & gate
xneelo / konsoleHAccount holder loginDomain registration, mailboxes
Sage server (Windows).\sageuser (+ Administrator)The Sage Evolution PC desktop
This manualAdmin passwordAccess to this handbook

All passwords for these live in Bitwarden, not in this file (see the Credential register). If you are taking over and do not have access to the Bitwarden vault, that is the first thing to obtain from the outgoing owner.

Part B — Server Administrator Guide

Cloudflare account

Cloudflare is the hub of everything. One free-tier account holds the domain's DNS, every dashboard (as "Pages" projects), and the Sage remote-access setup (under "Zero Trust").

Logindash.cloudflare.com · soilorganicoils@gmail.com · 🔒 in Bitwarden
Account ID85548a513420cad9dff92c4702d907a9
PlanFree (covers DNS, Pages, Zero Trust under 50 users, and the Tunnel)
Recurring costR0 — nothing is billed for the current setup
Protect this login
If the Cloudflare account is lost, the websites, the gate, and Sage access all go dark. Enable two-factor authentication on it, keep recovery codes in the vault, and make sure at least two trusted people can reach the Gmail inbox it uses.

Part B — Server Administrator Guide

Domain & DNS

The domain soiloils.com is registered at xneelo, but its DNS is delegated to Cloudflare. That means: domain renewal and mailboxes are managed at xneelo; everything else (which address points where) is managed in Cloudflare → DNS → Records.

SettingValue
Registrar / mail hostxneelo — konsoleH
Nameservers (set at xneelo)alex.ns.cloudflare.com · alina.ns.cloudflare.com
DNS managed inCloudflare → soiloils.com → DNS → Records

What points where

NameTypeTargetProxy
hubCNAMEsoiloils-hub.pages.devProxied
peopleCNAMEsoiloils-people.pages.devProxied
performanceCNAMEsoiloils-performance.pages.devProxied
sageCNAMEbc4070df-…cfargotunnel.comProxied
@ / www / mailA197.221.10.81DNS-only
Adding a new dashboard subdomain
The clean way: in the Pages project, add the custom domain (Pages → project → Custom domains). Cloudflare creates the record for you. If you ever migrate the zone again, note that Pages domains attached before a migration need their CNAME re-added by hand.

Part B — Server Administrator Guide

Email — the thing you must not break

Company email is hosted at xneelo; Cloudflare only carries the DNS records that route mail. If those records are wrong, email stops. Treat them as sacred.

RecordNameValue
MX@mail.soiloils.com (priority 10)
Amail197.221.10.81DNS-only
TXT (SPF)@v=spf1 mx a include:spf.host-h.net ?all
TXT (DKIM)xneelo._domainkeylong DKIM key — leave exactly as is
CNAMEsmtp / imap / pop / relaymail.soiloils.com — DNS-only
Rules for email records
1) Mail records must be DNS-only (grey cloud), never proxied (orange). 2) Never delete the MX, SPF, or DKIM records. 3) After any DNS change, send a test email in and out of a @soiloils.com address to confirm mail still flows. The full record map is saved in soiloils-cloudflare-import.txt.

Part B — Server Administrator Guide

Dashboards & how to deploy them

Each website is a Cloudflare Pages project. The source is a folder of files on the work computer; "deploying" means uploading that folder so the live site updates.

Live sitePages projectSource folder
hub.soiloils.comsoiloils-hubArtifacts/SOiL/soiloils-hub/
people.soiloils.comsoiloils-peopleArtifacts/SOiL/soiloils-people/
performance.soiloils.comsoiloils-performanceArtifacts/SOiL/…/
(pricing)soiloils-pricingArtifacts/SOiL/…/

Deploy by drag-and-drop (the reliable method, ~30 seconds)

  1. Go to dash.cloudflare.comWorkers & Pages → open the project (e.g. soiloils-hub).
  2. Click Create new deployment.
  3. Drag the whole project folder onto the upload area and confirm.
  4. Wait for "Success". The live site updates within a minute.
This manual is part of the hub
This page is the file soiloils-hub/admin-manual.html. To publish an edit to it, redeploy the soiloils-hub project the same way. It is then reachable at hub.soiloils.com/admin-manual.html.

Part B — Server Administrator Guide

Sage remote access — how it works

Goal: let authorised staff use the Sage Evolution desktop from any browser, securely, with no software install. The pieces:

  • The server — a PC on-site called soil-server running Sage Evolution and Windows Remote Desktop.
  • Cloudflare Tunnel — a small program (cloudflared) on that PC that makes a secure outbound connection to Cloudflare. No router ports are opened. Tunnel name sage-evolution-pc.
  • Browser-based RDP — Cloudflare's Access-for-Infrastructure feature renders the Windows desktop in the browser. Free under 50 users.
  • The gate — a Cloudflare Access policy that emails a one-time PIN, restricted to an approved email list.
ItemValue
Public addresssage.soiloils.com (reached via the App Launcher)
App Launcher / team domainbold-frost-4f30.cloudflareaccess.com
Tunnel name / IDsage-evolution-pc · bc4070df-cf49-4194-9700-44923c3c494a
Target (the PC)sage-pc192.168.2.100 port 3389
Access policySage Authorized Staff — currently grant@soil.co.za, natalie@soil.co.za
Windows login.\sageuser + password (🔒 in Bitwarden)

To authorise a new person for Sage

  1. Cloudflare → Zero TrustAccess → Applications → open the Sage app → its policy Sage Authorized Staff.
  2. Add their work email to the Include → Emails list. Save.
  3. Give them the Windows login (.\sageuser + password) separately and securely.
Where the full build is written down
Every Cloudflare setting, the route, the Target, the Gateway policy, and the history of how it was built are in sage-browser-rdp-setup.md in the SOiL folder. Read it before changing anything on the Cloudflare side.

Part B — Server Administrator Guide

The Sage server (soil-server)

DetailValue
Device namesoil-server
OSWindows 10 Pro 22H2
LAN IP192.168.2.100
RDP port3389
HardwareIntel i5-10400, 16 GB RAM
RunsSage Evolution, plus cloudflared as a service
Windows accountsAdministrator, Soil Server (both admins), and sageuser (for remote login)

The Sage remote login account

Staff log into the Sage desktop with a dedicated account, sageuser, created so the main admin account stays separate. If you ever need to recreate it, open PowerShell as Administrator on the server and run:

net user sageuser <STRONG_PASSWORD> /add
net localgroup "Remote Desktop Users" sageuser /add
wmic useraccount where "name='sageuser'" set PasswordExpires=false

Then record the password in the vault. The Sage tile login is .\sageuser + that password.

"Access is denied" running these?
The PowerShell window is not elevated. Close it, then Start menu → right-click Windows PowerShellRun as administrator, and run them again.

If Sage remote access stops working

Almost always the server, not Cloudflare. The most common cause is the PC being off, asleep, or the Remote Desktop listener not running after an update. Check, on the server:

Test-NetConnection 192.168.2.100 -Port 3389

If TcpTestSucceeded is False, Remote Desktop is not listening — reboot the server (after hours; it is the live Sage box). After reboot the same command should return True, and the Sage tile will work again. Keep the PC set to never sleep.

Part B — Server Administrator Guide

Routine maintenance

How oftenTask
MonthlySend a test email in & out of a @soiloils.com address — confirm mail flows.
MonthlyOpen each dashboard URL and the Sage tile to confirm all are up.
QuarterlyConfirm cloudflared service on soil-server is running and set to start automatically; update it if a new version is out, then restart the service.
QuarterlyReview the Sage authorised-email list — remove anyone who has left.
AnnuallyConfirm the soiloils.com domain renewal at xneelo is paid and not lapsing.
On staff changeUpdate portal users (hub) and the Sage policy as needed.
On any changeUpdate this manual and redeploy the hub.

Reference

Credential register

Passwords are deliberately not printed here. This table lists every credential, who/what it is for, and where the actual value is kept. All real values live in Bitwarden, SOiL's password vault (free, set up as described below).

CredentialUsername / identifierValue
Cloudflare accountsoilorganicoils@gmail.com🔒 in Bitwarden
Cloudflare API token (deploys)🔒 in Bitwarden
xneelo / konsoleHAccount holder🔒 in Bitwarden
Sage Windows login.\sageuser🔒 in Bitwarden
Sage server adminAdministrator / Soil Server🔒 in Bitwarden
Portal staff login (shared PIN)personal usernames🔒 in Bitwarden
HR records admin unlock🔒 in Bitwarden
This manual's admin password🔒 in Bitwarden (change instructions below)

Setting up the vault (Bitwarden)

SOiL uses Bitwarden — a free, open-source password manager — as the single home for every secret in this manual.

  1. Create the account. Sign up at bitwarden.com with a strong master password that is not reused anywhere else. This master password is the one thing never written down digitally — memorise it.
  2. Turn on two-factor authentication (Settings → Security → Two-step login).
  3. Add every credential from the register above as a Bitwarden item: Cloudflare login + recovery codes, the Cloudflare API token, xneelo/konsoleH, .\sageuser, the server admin accounts, the portal PIN, the HR unlock, and this manual's password.
  4. Share with one trusted colleague. Bitwarden's free plan includes a 2-person Organisation — create one, put the SOiL credentials in a shared collection, and invite a second trusted person (e.g. a manager). This ensures the company is never locked out if one person is unavailable.
  5. Make a break-glass backup. Print the credential list once, seal it in an envelope, and store it in a locked drawer or safe at the office — for the rare case nobody can reach Bitwarden itself.
Master password
The Bitwarden master password unlocks everything. Keep it only in your head and on the sealed paper backup — never in a file, email, or note.

Changing this manual's password

Open soiloils-hub/admin-manual.html, find the line near the bottom that reads const ADMIN_PW = "…";, change the value, save, and redeploy the hub. Record the new value in the vault.

Vault hygiene
Use real, unique, strong passwords everywhere. Enable two-factor on Bitwarden, Cloudflare, xneelo, and the Gmail account. Ensure at least two trusted people can reach the Bitwarden vault and the Gmail inbox, so a single absence never locks the company out.

Reference

Troubleshooting

SymptomMost likely cause & fix
A dashboard edit "won't show" on the live URLNot deployed. Redeploy the project (drag-drop). The live site only changes on deploy.
A site shows "NXDOMAIN" / won't resolveMissing DNS record. In Cloudflare → DNS, confirm the CNAME exists and is proxied; or re-add the custom domain in the Pages project.
Email stops sending/receivingCheck the MX, SPF, DKIM records in Cloudflare are present, correct, and DNS-only. Compare against soiloils-cloudflare-import.txt.
Sage tile: "no route to host" / won't connectServer-side. Run Test-NetConnection 192.168.2.100 -Port 3389 on soil-server; if False, reboot the server after hours.
Sage gate won't let someone inTheir email isn't on the Sage Authorized Staff policy. Add it in Zero Trust → Access.
"Access is denied" on a server commandPowerShell isn't elevated. Reopen it as Administrator.
Can't log into CloudflareUse the Gmail account's recovery; this is why two people must hold access. Without it, nothing can be changed.

Reference

Glossary

DNSThe internet's address book — translates names like people.soiloils.com into the right destination.
NameserversThe servers that hold a domain's DNS. Ours are delegated to Cloudflare.
Cloudflare PagesFree website hosting. Each dashboard is one "Pages project".
DeployUploading the website files so the live site updates.
Proxied (orange) vs DNS-only (grey)Whether traffic passes through Cloudflare. Websites = proxied; email = DNS-only.
Cloudflare Tunnel / cloudflaredA secure outbound connection from the Sage PC to Cloudflare, so no firewall ports are opened.
RDPRemote Desktop — viewing/controlling the Sage PC's screen remotely.
Zero Trust / AccessCloudflare's security layer that gates Sage behind an email PIN.
MX / SPF / DKIMDNS records that route and authenticate email. Do not delete.