CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new notes

Browse Source
This commit is contained in:
Petar Cubela
2025-03-18 14:23:17 +01:00
parent e6c2775f5f
commit 6c47451c60
58 changed files with 1648 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

216
.obsidian/workspace.json vendored
View File

@@ -1,19 +1,19 @@
{
"main": {
"id": "c3823584f4358411",
"id": "71dfa2440edaadbd",
"type": "split",
"children": [
{
"id": "960d55609bf2009e",
"id": "74039cad74999421",
"type": "tabs",
"children": [
{
"id": "7fced607c3398dbf",
"id": "b33c492fc56076a9",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "todo.md",
"file": "projects/sbx/sbx-lab-network.md",
"mode": "source",
"source": true,
"backlinks": true,
@@ -28,16 +28,16 @@
}
},
"icon": "lucide-file",
"title": "todo"
"title": "sbx-lab-network"
}
},
{
"id": "08af676996feb317",
"id": "b865e0663684cf60",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "diary/2025-03-05.md",
"file": "diary/2025-03-18.md",
"mode": "source",
"source": true,
"backlinks": true,
@@ -52,16 +52,16 @@
}
},
"icon": "lucide-file",
"title": "2025-03-05"
"title": "2025-03-18"
}
},
{
"id": "d1e1009b0c06a970",
"id": "717fd6a524c18321",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "projects/phytron/nextcloud_gitlab_after_hack.md",
"file": "projects/kwa/firewall_migration/20250317_first-meeting.md",
"mode": "source",
"source": true,
"backlinks": true,
@@ -76,16 +76,16 @@
}
},
"icon": "lucide-file",
"title": "nextcloud_gitlab_after_hack"
"title": "20250317_first-meeting"
}
},
{
"id": "2bfd35757409ddca",
"id": "7015f217fb3c366b",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "projects/VZ/Win11-autoinstall-iso.md",
"file": "projects/kwa/firewall_migration/20250318-OPNsense_Migration.md",
"mode": "source",
"source": true,
"backlinks": true,
@@ -100,24 +100,49 @@
}
},
"icon": "lucide-file",
"title": "Win11-autoinstall-iso"
"title": "20250318-OPNsense_Migration"
}
},
{
"id": "c9a075b0cc368a00",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "projects/sbx/orga/knowledgebase.md",
"mode": "source",
"source": true,
"backlinks": true,
"backlinkOpts": {
"collapseAll": false,
"extraContext": false,
"sortOrder": "alphabetical",
"showSearch": false,
"searchQuery": "",
"backlinkCollapsed": false,
"unlinkedCollapsed": true
}
},
"icon": "lucide-file",
"title": "knowledgebase"
}
}
]
],
"currentTab": 4
}
],
"direction": "vertical"
},
"left": {
"id": "af7dadba7bc5833e",
"id": "0a6bbda3a1029c3d",
"type": "split",
"children": [
{
"id": "b07f9f65c8529a91",
"id": "bb1e9b34a5ae5435",
"type": "tabs",
"children": [
{
"id": "fe0f502c739faef4",
"id": "7f34f69c4ed7fd46",
"type": "leaf",
"state": {
"type": "file-explorer",
@@ -130,7 +155,7 @@
}
},
{
"id": "5013966ea75012dd",
"id": "0ac8a62144d6c1ac",
"type": "leaf",
"state": {
"type": "search",
@@ -147,7 +172,7 @@
}
},
{
"id": "ce27e27dd2531d1e",
"id": "591d7a6711e72b8c",
"type": "leaf",
"state": {
"type": "bookmarks",
@@ -163,20 +188,20 @@
"width": 300
},
"right": {
"id": "308c4e4ecfe58c49",
"id": "5b34d545737e7719",
"type": "split",
"children": [
{
"id": "a98dbbc69f803a26",
"id": "360cb2ba99247ad2",
"type": "tabs",
"children": [
{
"id": "6e427c63cddb7819",
"id": "222c294de12351fd",
"type": "leaf",
"state": {
"type": "backlink",
"state": {
"file": "diary/2024-10-17.md",
"file": "diary/2025-03-05.md",
"collapseAll": false,
"extraContext": false,
"sortOrder": "alphabetical",
@@ -186,50 +211,40 @@
"unlinkedCollapsed": true
},
"icon": "links-coming-in",
"title": "Backlinks for 2024-10-17"
"title": "Backlinks for 2025-03-05"
}
},
{
"id": "2dfee402a2faf806",
"id": "fabbfc7dc23ddbf8",
"type": "leaf",
"state": {
"type": "outgoing-link",
"state": {
"file": "diary/2024-10-17.md",
"file": "diary/2025-03-05.md",
"linksCollapsed": false,
"unlinkedCollapsed": true
},
"icon": "links-going-out",
"title": "Outgoing links from 2024-10-17"
"title": "Outgoing links from 2025-03-05"
}
},
{
"id": "f51ed00b8705deda",
"id": "a1ae58e4fdb1dfdb",
"type": "leaf",
"state": {
"type": "tag",
"state": {
"sortOrder": "frequency",
"useHierarchy": true
"useHierarchy": true,
"showSearch": false,
"searchQuery": ""
},
"icon": "lucide-tags",
"title": "Tags"
}
},
{
"id": "34147a5a77354aa5",
"type": "leaf",
"state": {
"type": "outline",
"state": {
"file": "diary/2024-10-17.md"
},
"icon": "lucide-list",
"title": "Outline of 2024-10-17"
}
},
{
"id": "415b0322f85322e0",
"id": "379a41ec49127d3f",
"type": "leaf",
"state": {
"type": "all-properties",
@@ -243,25 +258,30 @@
}
},
{
"id": "9ce980421087cbed",
"id": "3ffafe95a73f93d8",
"type": "leaf",
"state": {
"type": "outline",
"state": {
"file": "diary/2025-03-05.md",
"followCursor": false,
"showSearch": false,
"searchQuery": ""
},
"icon": "lucide-list",
"title": "Outline of 2025-03-05"
}
},
{
"id": "789a903ffec44ae4",
"type": "leaf",
"state": {
"type": "file-properties",
"state": {
"file": "diary/2025-03-04.md"
"file": "diary/2025-03-13.md"
},
"icon": "lucide-info",
"title": "File properties for 2025-03-04"
}
},
{
"id": "23c12d0b0cd48e64",
"type": "leaf",
"state": {
"type": "advanced-tables-toolbar",
"state": {},
"icon": "spreadsheet",
"title": "Advanced Tables"
"title": "File properties for 2025-03-13"
}
}
],
@@ -274,64 +294,52 @@
},
"left-ribbon": {
"hiddenItems": {
"table-editor-obsidian:Advanced Tables Toolbar": false,
"switcher:Open quick switcher": false,
"graph:Open graph view": false,
"canvas:Create new canvas": false,
"daily-notes:Open today's daily note": false,
"templates:Insert template": false,
"command-palette:Open command palette": false,
"table-editor-obsidian:Advanced Tables Toolbar": false,
"templater-obsidian:Templater": false
}
},
"active": "7fced607c3398dbf",
"active": "c9a075b0cc368a00",
"lastOpenFiles": [
"diary/2025-03-05.md",
"projects/VZ/Win11-autoinstall-iso.md",
"projects/phytron/nextcloud_gitlab_after_hack.md",
"diary/2025-03-04.md",
"projects/phytron",
"projects/VZ/ninja-install-archive.md",
"diary/2025-03-03.md",
"projects/sbx/sbx-unattendedWinstall.md",
"projects/VZ",
"projects/sbx/knowledgebase.md",
"projects/sbx/sbx-linux-server-status.md",
"projects/sbx/sbx-myrules.md",
"projects/kwa/firewall_migration/20250318-OPNsense_Migration.md",
"projects/kwa/firewall_migration/20250317_first-meeting.md",
"projects/sbx/orga/sbx-myrules.md",
"projects/sbx/orga",
"projects/kwa/mail_migration",
"projects/kwa/mail_migration/20241211-Max-Meeting-Kerio2M365.md",
"projects/sbx/RACI-Matrix",
"projects/sbx/orga/knowledgebase.md",
"diary/2025-03-18.md",
"diary/2025-03-14.md",
"diary/2025-03-12.md",
"diary/2025-03-11.md",
"projects/sbx/sbx-proxmox-test-server.md",
"projects/beta/windows-auto-deployment.md",
"projects/OPNsense/opnsense-proposal-draft.md",
"diary/2025-02-27.md",
"diary/2025-02-25.md",
"todo.md",
"projects/OPNsense/opnsense-checklists.md",
"diary/2025-02-26.md",
"projects/OPNsense/Initial-Notes/OPNsense-config.md",
"projects/OPNsense/Initial-Notes/OPNsense-future.md",
"projects/OPNsense/Initial-Notes/OPNsense-config_summary.md",
"projects/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md",
"projects/OPNsense/Initial-Notes/OPNsense-about.md",
"projects/OPNsense/Initial-Notes/OPNsense.md",
"projects/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md",
"projects/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md",
"projects/bvv",
"files/neosphere/firewall-appfilter.png",
"files/neosphere/firewall-ips.png",
"files/neosphere",
"files/New folder",
"files/kwa/kwa-pp-admin.png",
"projects/neosphere",
"archive/blocherer",
"projects/discopharma",
"ressources/windows",
"ressources/macOS",
"files/sbx/important.png",
"files/sophos/vpn-portal-manual_02.png",
"files/hannes_roessler/20241118_switch-mac-addresses.png",
"files/apsa/pfsense_ppp-setup.png",
"files/apsa/pfsense_wan_interface_conf.png",
"files/sophos/vpn-portal-manual_06.png",
"files/sophos/vpn-portal-manual_05.png",
"Untitled.canvas"
"areas/OPNsense/opnsense-proposal-draft.md",
"projects/kwa/20250318-mailstore-lizenz.md",
"projects/discopharma/20250317-finishing-meeting.md",
"projects/discopharma/20250310-Next_Steps.md",
"diary/2025-03-17.md",
"projects/phytron/nextcloud_gitlab_after_hack.md",
"projects/sbx/sbx-lab-network.md",
"projects/discopharma/20250311-metabase-environment.md",
"projects/kwa/firewall_migration",
"diary/2025-03-16.md",
"areas/OPNsense/plugins/net-snmp.md",
"areas/OPNsense/Schulungen/20250305-initial_ideas.md",
"projects/discopharma/20250312-metabase-deployment.md",
"projects/discopharma/reverse-proxy.md",
"diary/2025-03-13.md",
"areas/OPNsense/plugins",
"tum-netxtcloud.md",
"projects/patryk-projekt/202503012-initial.md",
"projects/patryk-projekt",
"projects/neosphere/qumulus",
"areas/OPNsense/Cluster",
"areas/OPNsense/Schulungen"
]
}

23
areas/OPNsense/Cluster/20250307-cluster-test-on-sg310.md Normal file
View File

@@ -0,0 +1,23 @@
## Setup Interfaces
### Master
| Interface | Net |
| --------- | -------------- |
| LAN | 192.168.1.1/24 |
| WAN | 10.11.12.2/24 |
| pfSync | 10.0.0.1/31 |
#### Virtual IP
WAN IP address: 10.11.12.4/24
LAN IP address: 192.168.1.3/24
### Slave
| Interface | Net |
| --------- | -------------- |
| LAN | 192.168.1.2/24 |
| WAN | 10.11.12.3/24 |
| pfSync | 10.0.0.2/31 |

0
projects/OPNsense/Initial-Notes/OPNsense-about.md → areas/OPNsense/Initial-Notes/OPNsense-about.md
View File

0
projects/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md → areas/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md
View File

0
projects/OPNsense/Initial-Notes/OPNsense-config.md → areas/OPNsense/Initial-Notes/OPNsense-config.md
View File

0
projects/OPNsense/Initial-Notes/OPNsense-config_summary.md → areas/OPNsense/Initial-Notes/OPNsense-config_summary.md
View File

0
projects/OPNsense/Initial-Notes/OPNsense-future.md → areas/OPNsense/Initial-Notes/OPNsense-future.md
View File

0
projects/OPNsense/Initial-Notes/OPNsense.md → areas/OPNsense/Initial-Notes/OPNsense.md
View File

0
projects/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md → areas/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md
View File

39
areas/OPNsense/Schulungen/20250305-initial_ideas.md Normal file
View File

@@ -0,0 +1,39 @@
## Intro
Ziel: Gebe Kollegen und Kolleginnen einen Ueberblich ueber die wichtigsten Funktionender OPNsense, sodass sie effizient und selbststaendig damit arbeiten koennen.
## Notes
- Template/Anleitung fuer Firewall Regeln in IT-Glue
## Erste Schulung
### Ort
Hybrid: Teams + Meetingraum
### Zeit
Vorraussichtlich der 14.03.2025 um 10:00.
### Themen
#### Allgemein/System
- Lobby/Dashboard - Grundlagen, Customizierbar,
- System/Firmware - Einspielen, Richitges Mirror und Caveat, Updates, Plugins und Packages
- Gehe allgemein und grob die Einstellungen durch und Ihre Positionen
-
#### Firewall
- Aliass - sehr wichtig und praktisch - sollte durch OPNcentral gepushed werden
- NAT
- Rules
- Unterschiede zu Sophos - kein Masquerading erforderlich (macht opnsense automatisch?)
#### Interfaces
### VPN

0
projects/OPNsense/apsa-pfsense_vs_opnsense/setup-notes.md → areas/OPNsense/apsa-pfsense_vs_opnsense/setup-notes.md
View File

0
projects/OPNsense/opnsense-bussines-edition.md → areas/OPNsense/opnsense-bussines-edition.md
View File

0
projects/OPNsense/opnsense-central-management.md → areas/OPNsense/opnsense-central-management.md
View File

0
projects/OPNsense/opnsense-checklists.md → areas/OPNsense/opnsense-checklists.md
View File

0
projects/OPNsense/opnsense-frankeriger-current.md → areas/OPNsense/opnsense-frankeriger-current.md
View File

0
projects/OPNsense/opnsense-planing.md → areas/OPNsense/opnsense-planing.md
View File

0
projects/OPNsense/opnsense-proposal-draft.md → areas/OPNsense/opnsense-proposal-draft.md
View File

0
projects/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md → areas/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md
View File

0
projects/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md → areas/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md
View File

0
projects/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md → areas/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md
View File

57
areas/OPNsense/plugins/net-snmp.md Normal file
View File

@@ -0,0 +1,57 @@
## SNMP Konfiguration mit bsnmpd
Die hier beschriebene Anleitung konfiguriert SNMP in der Version 2c.
**Installiere nicht das SNMP Plugin! (i.e.: os-net-smp)**
Es wird nicht mit **bsnmp** funktionieren.
## Schritte auf der OPNsense
1. Oeffne eine OPNsense Konsole (zum Beispiel: ssh ueber vpn) und melde dich als `root`-user an. (Befehl: `su`)
2. Aktiviere den `bsnmpd`-Dienst durch Erstellung der Datei `/etc/rc.conf.d/bsnmpd` mit dem folgenden Inhalt:
`bsnmpd_enable="YES"`
3. Auskommentiere die folgenden Zeilen in `/etc/snmpd.config`, um benoetigte SNMP Module zu aktivieren:
```
read := "your_snmp_community"
begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so"
begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"
```
Trage fuer die Variable `read` den genutzten Community Namen ein.
4. Starte den `bsnmpd`-Dienst mit dem folgenden Befehl:
`/etc/rc.d/bsnmpd start`
5. Setze eine Firewall Regel auf, welche es erlaubt von einem Quell Geraet die OPNsense ueber den SNMP Port (161) zu erreichen.
6. Teste die Verbindung durch eine SNMP Abfrage an der OPNsense.
## Dont use
```
*** This port installs snmpd, header files and libraries but does not
start snmpd by default.
If you want to auto-start snmpd and snmptrapd, add the following to
/etc/rc.conf:
snmpd_enable="YES"
snmpd_flags="-a"
snmpd_conffile="/usr/local/share/snmp/snmpd.conf /etc/snmpd.conf"
snmptrapd_enable="YES"
snmptrapd_flags="-a -p /var/run/snmptrapd.pid"
**** You may also specify the following make variables:
NET_SNMP_SYS_CONTACT="zi@FreeBSD.org"
NET_SNMP_SYS_LOCATION="USA"
DEFAULT_SNMP_VERSION=3
NET_SNMP_MIB_MODULES="host smux mibII/mta_sendmail ucd-snmp/diskio"
NET_SNMP_LOGFILE=/var/log/snmpd.log
NET_SNMP_PERSISTENTDIR=/var/net-snmp
to define default values (or to override the defaults). To avoid being
prompted during the configuration process, you should (minimally) define
the first two variables. (NET_SNMP_SYS_*)
You may also define the following to avoid all interactive configuration:
BATCH="yes"
```

11
diary/2025-03-05.md
View File

@@ -4,7 +4,16 @@ $i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\
## Timestamps
- 08:00 - 08:15: Neue OS einrichten, Teste gebrauchte tools auf Linux Client
- 08:00 - 08:30: Neue OS einrichten, Teste gebrauchte tools auf Linux Client
- 08:30 - 08:45: Mail an Phytron
- 08:45 - 09:00: Plan fuer OPNsense Schulungen
- 09:00 - 10:00: Phytron: Telefonat mit Herr Herrgesell
- 10:00 - 10:30: Unterstuetzung Philipp zu DNS und VPN Thema bei der glt Netz der TUM
- 10:30 - 11:00: Meeting mit Max zu M365 bei KWA
- 11:00 - 12:30: Nextcloud LDAP
- 12:30 - 13:30: Pause
- 13:30 - 14:30: Gitlab LDAP
- 16:30 - 17:30: Gitlab LDAP aktivieren und konfigurieren
## Tuesday

101
diary/2025-03-06.md Normal file
View File

@@ -0,0 +1,101 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 08:15 - 09:00: Fuer Markus versuchen BeA.exe Installation zu automatisieren, [x] 0815-0830: Backup in Sophos Firewal bei Trudering einspielen
- 09:00 - 09:15: Pause
- 09:15 - 09:45: [x] Firewall pruefen, Bakcup wurde eingespielt, Admin Passwort von Web-UI stimmt nicht
- 09:45 - 10:00: Markus unterstuetzen bei Installation
- 10:00 - 10:30: Phytron - design und it-glue doku anpassen
- 10:30 - 11:00: Recherche: oauth2 zu office365 via postfix
- 11:00 - 11:30: opnsense - schulung planen und termin aufstellen - notizen dazu erstellen,
- 11:30 - 13:00: Pause
- 13:00 - 13:30: Privat (linkedin, roundmail, linuxfoundation acc)
- 13:30 - 14:00: Firewall Uebergabe an Michael, stunden eintragen
- 14:00 - 14:30: OPNsense Schulung planen und Termin rausschicken
- 14:30 - 15:00: Research Vectorwork 2023 problem [1.](https://appletoolbox.com/app-is-damaged-cannot-be-opened-mac/),[2](https://iboysoft.com/tips/app-is-damaged-and-cannot-be-opened.html)
- 15:00 - 15:30: TUM - Firewall advanced threate protection hat Caddy markiert. Ueberpruefe Server und lasse lynis drueber laufen
- 15:30 - 16:00: Hetzner PVE Server full boot partition - try to remove old kernels manually... do not find enough info
- 16:00 - 16:15: OPNsense Firewallregel erstellung besprechen in Anlehung an Problem bei der Radiochemie
- 16:30 - 17:00:
## Wednesday
- 08:00 - 08:30: Neue OS einrichten, Teste gebrauchte tools auf Linux Client
- 08:30 - 08:45: [x] Mail an Phytron
- 08:45 - 09:00: Plan fuer OPNsense Schulungen
- 09:00 - 10:00: Phytron: Telefonat mit Herr Herrgesell
- 10:00 - 10:30: Unterstuetzung Philipp zu DNS und VPN Thema bei der glt Netz der TUM
- 10:30 - 11:00: Meeting mit Max zu M365 bei KWA
- 11:00 - 12:30: Nextcloud LDAP
- 12:30 - 13:30: Pause
- 13:30 - 14:30: Gitlab LDAP
- 16:30 - 17:30: Sophos XGS fuer Trudering: Ersteinrichtung und Firmware aktuallisieren
## Tuesday
- 08:00 - 08:30: Linux Server updaten und rebooten, welche schon laenger als 90 Tage Laufzeit hatten, Ticketpflege
- 08:30 - 09:00: Telfonat mit Dominik Thoma
- 09:15 - 09:45: Telefonat mit Sebastian und Dominik: Punkte notieren und Max deshalb schreiben, Versuchen Herrn Fuechsle zu erreichen, Mail verfassen an Herrn Kurz wegen Phishing Mail
- 09:45 - 10:15: [x] Juri Telefonat: Outlook einrichten
- 10:15 - 10:30: Mit Patryk Muell entsorgen und Labor etwas aufraeumen
- 10:30 - 11:00: Aldi
- 11:00 - 11:45: Pause
- 11:45 - 14:15: VZ iso installation weiter machen
- 14:15 - 15:30: Phytron VM erstellen fuer Gitlab Instanz
- 15:30 - 15:45: NeoSphere: Firewall anschauen weil eine Cluster Node down ist; versuche noden zu pingen (ueber vpn) und versuche noden ueber web zu erreichen, nicht moeglich
- 15:45 - 16:00: Phytron weiter machen
- 16:00 - 16:30: Kommunikation mit Martin
- 16:30 - 17:00: Gitlab aufsetzen, installation, passwort aendern von root, it-glue anpassen. Fortsetzung: <https://docs.gitlab.com/omnibus/installation/>
## todo
- [ ] smtp relay - oauth2: <https://github.com/tarickb/sasl-xoauth2>
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] discopharma kontakt
- [ ] vz iso weitermachen
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] raci matrix - plan fuer monitoring und automation (pxe boot; win autoconfig; test server for ad; test firewalls; services; vlan std im buero mit Ordnung; pikvm fuer einfachere installation)
- [ ] sbx - opsreportcad summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

109
diary/2025-03-07.md Normal file
View File

@@ -0,0 +1,109 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 08:30 - 09:00: Ankunft;, pxe boot auf pve aufsetzen; sbx it-glue sortieren und archivieren; pve.lab.softbox.net einrichten, pxe aufsetzen und testen (fail)
- 09:00 - 09:30: Debug pxe boot fail, probiere efi und legacy boot aus, efi geht nicht, legacy klappt, installiere testweise rocky linux
- 09:30 - 11:00: Pruefe Ninja Link fuer die VZ, neu erzeugter link identisch, gehe mit micahel iso installation durch, test ninja installation klappt, teste aenderung des computernamens und sync durch ninja, bespreche vorgehen mit hannah, fange rezept liste an zu schreiben,
- 11:00 - 12:00: Pause
- 12:30 - 13:00: VZ usb sticks bestellen (20x), besprechung mit michael, teste ninja installation
- 12:30 - 13:00: OPNsense Cluster mit CARP, docs.opnsense.org lesen,
## Thursday
- 08:15 - 09:00: Fuer Markus versuchen BeA.exe Installation zu automatisieren, [x] 0815-0830: Backup in Sophos Firewal bei Trudering einspielen
- 09:00 - 09:15: Pause
- 09:15 - 09:45: [x] Firewall pruefen, Bakcup wurde eingespielt, Admin Passwort von Web-UI stimmt nicht
- 09:45 - 10:00: Markus unterstuetzen bei Installation
- 10:00 - 10:30: Phytron - design und it-glue doku anpassen
- 10:30 - 11:00: Recherche: oauth2 zu office365 via postfix
- 11:00 - 11:30: opnsense - schulung planen und termin aufstellen - notizen dazu erstellen,
- 11:30 - 13:00: Pause
- 13:00 - 13:30: Privat (linkedin, roundmail, linuxfoundation acc)
- 13:30 - 14:00: Firewall Uebergabe an Michael, stunden eintragen
- 14:00 - 14:30: OPNsense Schulung planen und Termin rausschicken
- 14:30 - 15:00: Research Vectorwork 2023 problem [1.](https://appletoolbox.com/app-is-damaged-cannot-be-opened-mac/),[2](https://iboysoft.com/tips/app-is-damaged-and-cannot-be-opened.html)
- 15:00 - 15:30: TUM - Firewall advanced threate protection hat Caddy markiert. Ueberpruefe Server und lasse lynis drueber laufen
- 15:30 - 16:00: Hetzner PVE Server full boot partition - try to remove old kernels manually... do not find enough info
- 16:00 - 16:15: OPNsense Firewallregel erstellung besprechen in Anlehung an Problem bei der Radiochemie
- 16:30 - 17:00:
## Wednesday
- 08:00 - 08:30: Neue OS einrichten, Teste gebrauchte tools auf Linux Client
- 08:30 - 08:45: [x] Mail an Phytron
- 08:45 - 09:00: Plan fuer OPNsense Schulungen
- 09:00 - 10:00: Phytron: Telefonat mit Herr Herrgesell
- 10:00 - 10:30: Unterstuetzung Philipp zu DNS und VPN Thema bei der glt Netz der TUM
- 10:30 - 11:00: Meeting mit Max zu M365 bei KWA
- 11:00 - 12:30: Nextcloud LDAP
- 12:30 - 13:30: Pause
- 13:30 - 14:30: Gitlab LDAP
- 16:30 - 17:30: Sophos XGS fuer Trudering: Ersteinrichtung und Firmware aktuallisieren
## Tuesday
- 08:00 - 08:30: Linux Server updaten und rebooten, welche schon laenger als 90 Tage Laufzeit hatten, Ticketpflege
- 08:30 - 09:00: Telfonat mit Dominik Thoma
- 09:15 - 09:45: Telefonat mit Sebastian und Dominik: Punkte notieren und Max deshalb schreiben, Versuchen Herrn Fuechsle zu erreichen, Mail verfassen an Herrn Kurz wegen Phishing Mail
- 09:45 - 10:15: [x] Juri Telefonat: Outlook einrichten
- 10:15 - 10:30: Mit Patryk Muell entsorgen und Labor etwas aufraeumen
- 10:30 - 11:00: Aldi
- 11:00 - 11:45: Pause
- 11:45 - 14:15: VZ iso installation weiter machen
- 14:15 - 15:30: Phytron VM erstellen fuer Gitlab Instanz
- 15:30 - 15:45: NeoSphere: Firewall anschauen weil eine Cluster Node down ist; versuche noden zu pingen (ueber vpn) und versuche noden ueber web zu erreichen, nicht moeglich
- 15:45 - 16:00: Phytron weiter machen
- 16:00 - 16:30: Kommunikation mit Martin
- 16:30 - 17:00: Gitlab aufsetzen, installation, passwort aendern von root, it-glue anpassen. Fortsetzung: <https://docs.gitlab.com/omnibus/installation/>
## todo
- [ ] smtp relay - oauth2: <https://github.com/tarickb/sasl-xoauth2>
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] vz iso weitermachen
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] raci matrix - plan fuer monitoring und automation (pxe boot; win autoconfig; test server for ad; test firewalls; services; vlan std im buero mit Ordnung; pikvm fuer einfachere installation)
- [ ] sbx - opsreportcad summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

66
diary/2025-03-10.md Normal file
View File

@@ -0,0 +1,66 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 08:45 - 09:30: Ticketpflege
- 09:30 - 10:00: Recherche Hardware fuer OPNsense Cluster
- 10:00 - 10:30: Studium: Security Zones und Spamhaus DROP fuer OPNsense
- 10:30 - 11:00: Telefonat mit Marko: Ninja Installtion auf Mac Book
- 11:00 - 12:00: Discopharma: Metabase compose file schrieben, setze teste vm auf, installiere docker und security features, instalilere postgres und metabase via docker compose, metabase erstkonfiguration
- 12:00 - 13:00: Pause
- 13:30 - 14:15: Bind dns in lab aufsetzen
- 14:15: - 14:45: Metabase https via nginx/traefik/or something different??
- 14:45 - 16:45: Anleitung verfassen fuer NeoSphere: Qumulus und Ice Installation
- 16:45 - 17:00: Zeiten eintragen
## todo
- [ ] teste discopharma docker installation von metabase
- [ ] smtp relay - oauth2: <https://github.com/tarickb/sasl-xoauth2>
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] vz iso weitermachen
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] raci matrix - plan fuer monitoring und automation (pxe boot; win autoconfig; test server for ad; test firewalls; services; vlan std im buero mit Ordnung; pikvm fuer einfachere installation)
- [ ] sbx - opsreportcad summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

81
diary/2025-03-11.md Normal file
View File

@@ -0,0 +1,81 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 08:30 - 09:15: Emails pruefen, discopharma, anleitung lesen fuer metabase, separate datenbank besser in production
- 09:15 - 09:30: Pause
- 09:30 - 09:45: Mail an KWA zu Firewall Thema, Pruefe KWA wildcard cert: Expiration 20.04
- 09:45 - 10:00: Beobachte mit Michael dir Installation bei der VZ von Martin
- 10:00 - 10:30: Gespraech mit Thilo zu Anleitung zu Setup von Neosphre, Recherche zu wildcard Zertifikat bei KWA
- 10:30 - 11:00: VZ beobachten mit Michael
- 11:00 - 12:00: Meeting mit DiscoPharma
- 12:00 - 12:30: Gespraech mit Oli zu KWA/SSR (Firewall, Telefonie, Lizenzen, MacBook Einrichtung)
- 12:30 - 13:30: Pause
- 13:30 - 17:00: DiscoPharam Netzwerkstruktur - write manual, import vm image to proxmox, disk.raw mounten und auslesen, db suchen und einbinden, leer, import disk in proxmox, no passwd
## Monday
- 08:45 - 09:30: Ticketpflege
- 09:30 - 10:00: Recherche Hardware fuer OPNsense Cluster
- 10:00 - 10:30: Studium: Security Zones und Spamhaus DROP fuer OPNsense
- 10:30 - 11:00: Telefonat mit Marko: Ninja Installtion auf Mac Book
- 11:00 - 12:00: Discopharma: Metabase compose file schrieben, setze teste vm auf, installiere docker und security features, instalilere postgres und metabase via docker compose, metabase erstkonfiguration
- 12:00 - 13:00: Pause
- 13:30 - 14:15: Bind dns in lab aufsetzen
- 14:15: - 14:45: Metabase https via nginx/traefik/or something different??
- 14:45 - 16:45: Anleitung verfassen fuer NeoSphere: Qumulus und Ice Installation
- 16:45 - 17:00: Zeiten eintragen
## todo
- [ ] kwa/ssr - offene Rechungen zu MacBook Ersteinrichtungen
- [ ] neosphere - ueberblick anleitung zum qumulus und dem computing cluster
- [ ] teste discopharma docker installation von metabase
- [ ] smtp relay - oauth2: <https://github.com/tarickb/sasl-xoauth2>
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] vz iso weitermachen
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] raci matrix - plan fuer monitoring und automation (pxe boot; win autoconfig; test server for ad; test firewalls; services; vlan std im buero mit Ordnung; pikvm fuer einfachere installation)
- [ ] sbx - opsreportcad summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

88
diary/2025-03-12.md Normal file
View File

@@ -0,0 +1,88 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 08:30 - 09:00: Disco check
- 09:00 - 09:15: Telefonat mit Nina. T20250312.0008
- 09:15 - 11:00: Discopharma. Versuche postgres database zu exportieren und in neue datenbank zu importieren
- 11:00 - 12:00: Meeting mit Discopharam und Fortsetzung
- 12:00 - 13:00: Pause
- 13:00 - 13:30: Delete existing database entries on my own instance. Import the dump of the old ps database
- 13:30 - 16:30: Setup new metabase isntance: pkgs to install, docker, setup docker; import old application database; test accessability of metabase; harden vm; setup unattended upgrades, allow in firewall communication between all VMs via private ips
## Wednesday
- 08:30 - 09:15: Emails pruefen, discopharma, anleitung lesen fuer metabase, separate datenbank besser in production
- 09:15 - 09:30: Pause
- 09:30 - 09:45: Mail an KWA zu Firewall Thema, Pruefe KWA wildcard cert: Expiration 20.04
- 09:45 - 10:00: Beobachte mit Michael dir Installation bei der VZ von Martin
- 10:00 - 10:30: Gespraech mit Thilo zu Anleitung zu Setup von Neosphre, Recherche zu wildcard Zertifikat bei KWA
- 10:30 - 11:00: VZ beobachten mit Michael
- 11:00 - 12:00: Meeting mit DiscoPharma
- 12:00 - 12:30: Gespraech mit Oli zu KWA/SSR (Firewall, Telefonie, Lizenzen, MacBook Einrichtung)
- 12:30 - 13:30: Pause
- 13:30 - 17:00: DiscoPharam Netzwerkstruktur - write manual, import vm image to proxmox, disk.raw mounten und auslesen, db suchen und einbinden, leer, import disk in proxmox, no passwd
## Monday
- 10:30 - 11:00: Telefonat mit Marko: Ninja Installtion auf Mac Book
- 11:00 - 12:00: Discopharma: Metabase compose file schrieben, setze teste vm auf, installiere docker und security features, instalilere postgres und metabase via docker compose, metabase erstkonfiguration
- 13:30 - 14:15: Bind dns in lab aufsetzen
- 14:15: - 14:45: Metabase https via nginx/traefik/or something different??
- 14:45 - 16:45: Anleitung verfassen fuer NeoSphere: Qumulus und Ice Installation
- 16:45 - 17:00: Zeiten eintragen
## todo
- [ ] kwa/ssr - offene Rechungen zu MacBook Ersteinrichtungen
- [ ] neosphere - ueberblick anleitung zum qumulus und dem computing cluster
- [ ] teste discopharma docker installation von metabase
- [ ] smtp relay - oauth2: <https://github.com/tarickb/sasl-xoauth2>
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] vz iso weitermachen
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] raci matrix - plan fuer monitoring und automation (pxe boot; win autoconfig; test server for ad; test firewalls; services; vlan std im buero mit Ordnung; pikvm fuer einfachere installation)
- [ ] sbx - opsreportcad summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

98
diary/2025-03-13.md Normal file
View File

@@ -0,0 +1,98 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 07:45 - 08:15: Ankunft, Privates: HomeLab DNS Infrastructure
- 08:15 - 08:45: Ticketpflege, Traeumen
- 09:00 - 09:45: Meeting mit KWA (max, nina, dominik, sebastian) zu M365 Migration
- 09:45 - 10:00: Aftermeeting Meeting mit Max
- 10:00 - 10:30: Meeting mit Thilo, Ticketpflege
- 10:30 - 11:00: Meeting mit Patryk
- 11:00 - 11:45: [x] Status Update mit DiscoPharma, Certs issue, Configure Firewall in Gcloud
- 11:45 - 12:00: Kommunikation mit Holger zu neoSphere
- 12:00 - 12:30: Racuhen, versuche bjoern zu erreichen
- 12:30 - 12:45: Bond zwischen 2 25Gbit Interfaces am ubt02 konfigurieren und testen - netplan config setzen
- 12:45 - 13:15: TUM mit philipp: smtp auf port 25 mit nextcloud geht nicht: config.php anpassen, sodass self signed allowed
- 13:15 - 13:45: Puase
- 13:45 - 14:15: Gespraech mit Sebastian: Radiochemie: IMC server kann firewall nicht monitoren: snmp service an fw geht nicht und ssh authentication failed
- 14:15 - 16:00: VZ autoinstall
- 16:00 - 16:30: Sebastian snmp und ssh communication between imc and opnsense
## Wednesday
- 09:00 - 09:15: Telefonat mit Nina. T20250312.0008
- 13:00 - 13:30: Delete existing database entries on my own instance. Import the dump of the old ps database
- 13:30 - 16:30: Setup new metabase isntance: pkgs to install, docker, setup docker; import old application database; test accessability of metabase; harden vm; setup unattended upgrades, allow in firewall communication between all VMs via private ips
## Tuesday
- 08:30 - 09:15: Emails pruefen, discopharma, anleitung lesen fuer metabase, separate datenbank besser in production
- 09:30 - 09:45: Mail an KWA zu Firewall Thema, Pruefe KWA wildcard cert: Expiration 20.04
- 09:45 - 10:00: Beobachte mit Michael dir Installation bei der VZ von Martin
- 10:00 - 10:30: Gespraech mit Thilo zu Anleitung zu Setup von Neosphre, Recherche zu wildcard Zertifikat bei KWA
- 10:30 - 11:00: VZ beobachten mit Michael
- 12:00 - 12:30: Gespraech mit Oli zu KWA/SSR (Firewall, Telefonie, Lizenzen, MacBook Einrichtung)
## Monday
- 10:30 - 11:00: Telefonat mit Marko: Ninja Installtion auf Mac Book
- 13:30 - 14:15: Bind dns in lab aufsetzen
## todo
- [ ] kwa/ssr - offene Rechungen zu MacBook Ersteinrichtungen
- [ ] neosphere - ueberblick anleitung zum qumulus und dem computing cluster
- [ ] smtp relay - oauth2: <https://github.com/tarickb/sasl-xoauth2>
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] vz iso weitermachen
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] raci matrix - plan fuer monitoring und automation (pxe boot; win autoconfig; test server for ad; test firewalls; services; vlan std im buero mit Ordnung; pikvm fuer einfachere installation)
- [ ] sbx - opsreportcad summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

88
diary/2025-03-14.md Normal file
View File

@@ -0,0 +1,88 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 08:30 - 08:45: Alle Projekte aufschreiben
- 08:45 - 09:00: Pruefe NAS von KWA wegen fehlgeschlagenem Backup
- 09:00 - 09:30: Ticketpflege, Gespraech mit Sebastian zu OPNsense und IMC
- 09:30 - 09:45: Sebastian unterstuetzen: OPNsense SNMP in IMC Server einbinden
- 09:45 - 10:30: OPNsense: Schriebe Anleitung fuer SNMP Server bei OPNsense. Fuege Anleitung in Ordner in TI-Glue hinzu
- 10:30 - 10:35: Gespraech mit Dominik Thoma
- 10:45 - 10:50: Bjoern Schwalb anrufen
- 10:50 - 11:00: Gespraech mit Oli zu KWA Firewall Migration
- 11:00 - 11:15: Stelle Failover Bond ein bei ubt02: Machine ID zweimal aendern, neustarten
- 11:15 - 11:30: Termin planen fuer Firewall Migration und rausschicken
- 11:30 - 11:45: Bond bei ubt02 aktivieren und pruefen, dass MAC adresse nicht gleich ist zu ubt03. bond scheint zu funktionieren. Reboot und nachdem pruefen
- 11:45 - 12:30: KWA Mail; Zaehle Anzahl der Kontakte, welche nicht direkt im Kontakte Ordner hinterlegt waren, schreibe skript um alle kontakte aus den projektordnern zu kopieren, exportiere
- 12:30 - 13:30: Pause
- 13:30 - 14:00: Meeting with disopharma: Discussion fw rules and network tags
- 14:00 - 15:00: Clean https configs in disco reverse proxy, restart web server, http://metabase.discopharma.de now reachable, test new certificates: not working
- 15:00 - 17:00: draw.io. network diagram for qumulo
## Tuesday
- 09:30 - 09:45: Mail an KWA zu Firewall Thema, Pruefe KWA wildcard cert: Expiration 20.04
- 10:15 - 10:30: Recherche zu wildcard Zertifikat bei KWA
- 12:00 - 12:30: Gespraech mit Oli zu KWA/SSR (Firewall, Telefonie, Lizenzen, MacBook Einrichtung)
## Monday
- 10:30 - 11:00: Telefonat mit Marko: Ninja Installtion auf Mac Book
## todo
- [ ] kwa/ssr - offene Rechungen zu MacBook Ersteinrichtungen
- [ ] neosphere - ueberblick anleitung zum qumulus und dem computing cluster
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### KWA
- KWA: Dominik teams Berechtigungen noch nicht freigegeben
- KWA: Veraendere Bild Groesse von anhaengen (bild format)
- KWA: Bei teilen direkt mit Outlook teilen
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

59
diary/2025-03-16.md Normal file
View File

@@ -0,0 +1,59 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
## todo
- [ ] kwa/ssr - offene Rechungen zu MacBook Ersteinrichtungen
- [ ] neosphere - ueberblick anleitung zum qumulus und dem computing cluster
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### KWA
- KWA: Dominik teams Berechtigungen noch nicht freigegeben
- KWA: Veraendere Bild Groesse von anhaengen (bild format)
- KWA: Bei teilen direkt mit Outlook teilen
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

73
diary/2025-03-17.md Normal file
View File

@@ -0,0 +1,73 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 08:30 - 08:45: Linux Server manuell updaten wo ninja failed
- 08:45 - 09:00: Bereinige boot partition von hetzner pve: manuelles loschen von alten kernel
- 09:00 - 09:15: Tagesaufgaben planen
- 09:15 - 09:30: Rauchen
-
- 09:30 - 10:30: [x] Vorlagen Tabelle OPNsense Migration auffuellen: 32 Stunden Arbeit Notizen machen zu dem Projekt
- 10:45 - 11:00 DiscoPharma Meeting Vorbereitung
- 11:00 - 11:15: Meeting mit DiscoPharma
- 11:15 - 11:30: Rauchen
- 11:30 - 12:30: Pause
- 12:30 - 13:30: [x] Recherche: "OPnsense in industry": [zenarmor-opnsense_vs_fortinet](https://www.zenarmor.com/docs/network-security-tutorials/opnsense-vs-fortinet), [opnsense forum discussion](https://forum.opnsense.org/index.php?topic=43572.0),
- 13:30 - 14:00: [x] Meeting mit Oli zu KWA Firewall Migration Erst Meeting
- 14:15 - 15:15: Meeting mit Patryk zu seiner Projektarbeit und ConnectSecure
- 15:15 - 15:30: Pause
- 15:30 - 16:00: [x] Vergleiche Sophos und OPNsense verfasssen (Preise, Features, Vor und Nachteile )
- 16:00 - 16:30: Discopharma Postgres Backup
- 16:30 - 17:00: [x] Ticketpflege
## todo
- [ ] opnsense schulung planen
- [ ] kwa/ssr - offene Rechungen zu MacBook Ersteinrichtungen
- [ ] neosphere - ueberblick anleitung zum qumulus und dem computing cluster
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

83
diary/2025-03-18.md Normal file
View File

@@ -0,0 +1,83 @@
$i\hbar \frac{\partial}{\partial t} \Large{|}\psi \Large{>} = \hat{H} \Large{|}\psi \Large{>}$
![important](files/sbx/important.png)
## Timestamps
- 08:30 - 08:45: Ticketpflege
- 08:45 - 09:00: Meeting mit KWA vorbereiten. XGS136 specs recherchieren
- 09:00 - 10:15: Meeting mit KWA: Sophos vs. OPNsense
- 10:15 - 10:30: Pause
- 10:30 - 10:45: Mailstore Lizenz bei KWA nachschauen und Angebot anfragen. Infos fuer Angebot fuer Firewall Migration einholen
- 11:00 - 11:15: Juri anrufen
- 11:15 - 12:15: Kalkulation erstellen fuer KWA
- 12:30 - 12:45: KWA IT-Glue sortieteren
- 12:45 - 13:45: Pause
- 13:45 - 14:15: SSR IT-Glue sortieren und neue Ordner anlegen
## Monday
- 08:30 - 08:45: [x] Linux Server manuell updaten wo ninja failed
- 08:45 - 09:00: [x] Bereinige boot partition von hetzner pve: manuelles loschen von alten kernel
- 09:00 - 09:15: [x] Tagesaufgaben planen
- 09:30 - 10:30: [x] Vorlagen Tabelle OPNsense Migration auffuellen: 32 Stunden Arbeit Notizen machen zu dem Projekt
- 10:45 - 11:00: [x] DiscoPharma Meeting Vorbereitung
- 11:00 - 11:15: [x] Meeting mit DiscoPharma
- 12:30 - 13:30: [x] Recherche: "OPnsense in industry": [zenarmor-opnsense_vs_fortinet](https://www.zenarmor.com/docs/network-security-tutorials/opnsense-vs-fortinet), [opnsense forum discussion](https://forum.opnsense.org/index.php?topic=43572.0),
- 13:30 - 14:00: [x] Meeting mit Oli zu KWA Firewall Migration Erst Meeting
- 14:15 - 15:15: Meeting mit Patryk zu seiner Projektarbeit und ConnectSecure
- 15:15 - 15:30: Pause
- 15:30 - 16:00: [x] Vergleiche Sophos und OPNsense verfasssen (Preise, Features, Vor und Nachteile )
- 16:00 - 16:30: [x] Discopharma Postgres Backup
- 16:30 - 17:00: [x] Ticketpflege
## todo
- [ ] opnsense schulung planen
- [ ] kwa/ssr - offene Rechungen zu MacBook Ersteinrichtungen
- [ ] neosphere - ueberblick anleitung zum qumulus und dem computing cluster
- [ ] herr fuechsle wegen homepage (kwa/ssr)
- [ ] bind/named anleitung schreiben; named slave instanz aufsetzen
- [ ] radiochemie - irgendwie http challenge automatisieren
- [ ] verbraucherzentrale cybercns ueberpruefung - kw ab dem 16.01 wegen baldiger sicherheitspruefung
### Today
### General
- [ ] plan for beta automatic os deployment/windows 10 to 11 upgrade
- [ ] mailstore update ssr/kwa
- [=] filewave - integrate new admin user - integrated in filewave - need to be tested and then deployed on all macs
- [ ] kwa/ssr snmp karten fuer usv
- [ ] update filewave admin und central
### SBX
- [ ] check if possible to monitor vsphere passwd expiration
- [ ] create obsidian templates (Meetings, People, )
- [ ] sbx - opsreportcard summary for action plan
- [ ] sbx - disney workshop - planung
- [ ] fuege bharchitekten zu connectsecure hinzu
- [ ] erstelle connectsecure report fuer grasslfing
- [ ] cybercns bei heilmaier
- [ ] Fuer Synology Monitoring smtp einrichten wegen HyperBackups
#### OPNsense
1. check franke rieger firewall setup
2. replicate config on opncentral (IDS/IPS, OpenVPN, Web Proxy, antivirus, acme ground {needs specific manual how to setup on spot}, ...)
3. test management via opncentral
4. write manual for on-boarding
- setup wan manually
- couple to opncentral
- send generic config via opncentral
- use manual for missing specific configs
- check workings of everything

31
projects/VZ/Rezept-Installation.md Normal file
View File

@@ -0,0 +1,31 @@
## Source
- [unattended Winstall - Github](https://github.com/memstechtips/UnattendedWinstall)
- [answer files](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11)
- [unattended-generator](https://schneegans.de/windows/unattend-generator/)
## 20250303 - Todo
- [ ] Zertifikat (VZBY_SecurityAppliance_SSL_CA.cer) einfuegen
- [ ] Vantage Tool Installieren im Userkontext
- [ ] Energiesparmodus bei Netzbetrieb auf 'nie' setzen
- [ ] Freigabe [\\vzby-srv-fp01\install$](file://vzby-srv-fp01/install$) (nur als Domain-Admin) mappen wäre praktisch…
- [ ] SW - M365, MS Teams, PDF24, Sophos Connect, Sophos Endpoint Agent, Firefox, Acrobat Reader, Teamviewer QS aus Public Desktop, Netlogon Script als Verknuepfung auf Plublic Desktop
- [ ] SW in Userkontext - SBX-Generator
- [ ] Taskleiste:
- [ ] ausblenden von: Copilot, Store, Outlook New
- [x] Suchefeld auf "nur Suchsymbol setzen"
- [ ] Aktive Anwendungen auf "aus"
- [x] Taskleiste auf "links" verschieben
- [ ] Sophos Connect (wenn installiert), auf "dauerhaft" im SysTray platzieren
## Rezept
The steps we want to implement:
1. Win 11 OS autoinstall - the idea is to use Microsoft's own "Answer files" and install NinjaOne Agent autmatically
2. Change Computername
3. AD coupling - it probably possible to also use the Answer files for this
4. SW Installation - Use NinjaOne
5. OS and SW Configuration and Personalization - Use NinjaOne

1
projects/VZ/Win11-autoinstall-iso.md
View File

@@ -22,6 +22,7 @@
## VZ requirements
- Kein Secure Boot benoetigt
- USB sticks anzahl
### User

149
projects/discopharma/20250310-Next_Steps.md Normal file
View File

@@ -0,0 +1,149 @@
## Goal
Setup a metabase instance via docker with https support and a professional Deployment Pipeline
## Questions
- Separate Reverse Proxy or local Web Server enough??
- Exisiterende SSL Zertifikate nutzen?
- Kriege ich irgendwie Zugang?
### 20250311
- How many users?
- What is the old db software? Maybe we can reuse it? Are there backups of the old database ?
- DNS Verwaltung
- is the metabase version a requirement?
## Meeting-20250311
Teilnehmer: Lukas Maas, Milos Nikolic, Petar Cubela
### Answers
- DB: MySQL. Backup dump exist.
- Version needs to be 0.49.18
- 20 people
- Existing certs
- Use Reverse Proxy
- I will get access to the machines
### My Time/ Steps
1. Databse Instance MySQL (0.5h -1h)
2. Metabase (.50 h)
3. VM R2verse Proxy (.50 h)
4. Find and Test the recreation of the data/dashboard database (metabase.db/) (1-2h)
5. write overwivew network setup (ip address, open ports in firewall, metabase.discopharma.de -> public ip ) (1h)
6. Recreate in discopharma setup: (2-3h)
1. dns setup properly
2. network setup properly
3. creation of the VMs (oeither discopharma or me)
4. Installation process (db exist, docker deployment of metabase, reverse proxy)
5. Test
## List of requirements regarding Metabase deployment (discopharma)
1. Find or create backup of Metabase Dashboard data within Docker image on the old machine (marketplace image that was compromised, or a previous image of it)
2. Solution architecture that obeys to best practices of security, so that
- DISCO employees can connect to a DISCO-internal metabase application using a web browser and the URL “metabase.discopharma.de”
- The application is not exposed to the public
- All connections to the application are encrypted (https)
3. Solution architecture that includes a
- Productive instance (highest priority)
- Development/sandbox instance (lower priority)
- A process to deploy upgrades of the application (lower priority)
4. Metabase version 0.49.18
## Requirements
- properly configured and firewalled google cloud; VMs should only be able to communicate via private IPs!
- VM in google cloud for the metabase instance; Public IP address, port 80 and 443 forwarded; 1 cores, 2GB RAM (depends on user number)
- VM in google cloud for the metabase database instance; Private IP address; 1 cores, 1GB RAM (depends on user number); PostgreSQL
- Use existing SSL certs(??) with web server/reverse proxy like nginx/traefik/etc
## Software
- Debian 12
- Docker
- Metabase
- PostgreSQL
- Traefik/Nginx (depends)
## Notes
### 20250311
- <https://www.metabase.com/learn/metabase-basics/administration/administration-and-operation/metabase-in-production#metabase-application-server-size>
- Run separate database (PostgreSQL) and application server instances
#### Metabase application server size
- Metabase needs at least 1 core and 1GB of RAM
- For every 20 concurrent people it needs 1CPU and 2GB of RAM
#### Metabase application database server size
- Database needs at least 1 core and 2GB of RAM
- For every 40 concurrent people it needs 1CPU and 1GB of RAM
## docker-compose.yml example
```yml
services:
metabase:
image: metabase/metabase:latest
container_name: metabase
hostname: metabase
restart: unless-stopped
volumes:
- /dev/urandom:/dev/random:ro
- "./metabase-db:/metabase.db"
- ./plugins:/plugins
ports:
- 3000:3000
environment:
JAVA_TIMEZONE: Europe/Berlin
MB_DB_FILE=/metabase.db
MB_DB_TYPE: postgres
MB_DB_DBNAME: metabase
MB_DB_PORT: 5432
MB_DB_USER_FILE: /run/secrets/db_user
MB_DB_PASS_FILE: /run/secrets/db_password
MB_DB_HOST: postgres
networks:
- metanet1
secrets:
- db_password
- db_user
healthcheck:
test: curl --fail -I http://localhost:3000/api/health || exit 1
interval: 15s
timeout: 5s
retries: 5
postgres:
image: postgres:latest
container_name: postgres
hostname: postgres
restart: unless-stopped
environment:
POSTGRES_USER_FILE: /run/secrets/db_user
POSTGRES_DB: metabase
POSTGRES_PASSWORD_FILE: /run/secrets/db_password
networks:
- metanet1
secrets:
- db_password
- db_user
networks:
metanet1:
driver: bridge
secrets:
db_password:
file: db_password.txt
db_user:
file: db_user.txt
```

65
projects/discopharma/20250311-metabase-environment.md Normal file
View File

@@ -0,0 +1,65 @@
## VM Ressources and Setup
The listed IP Addresses are only example values here and can be chosen on your judgement. Important is that the machines can communicate with each other.
### MySQL Database
- Name: MySQL Database
- OS: Debian 12
- hostname: db.discopharma.de (unimportant)
- IP Address: 10.156.0.5/24
- CPU: 1 core
- RAM: 2 GB (2048 MB)
- Storage: depends (30 GB)
- DNS entry: none
- Note: for every 40 concurrent users: needs 1CPU and 1GB of RAM more
### Metabase Server
- Name: Metabase Server
- OS: Debian 12
- hostname: mb.discopharma.de (unimportant)
- IP Address: 10.156.0.6/24
- CPU: 1 core
- RAM: 1 GB (1024 MB)
- Storage: depends (30 GB)
- DNS entry: none
- Note: for every 20 concurrent users: needs 1CPU and 2GB of RAM more
### Reverse Proxy
- Name: Reverse Proxy
- OS: Debian 12
- hostname: rproxy.discopharma.de (unimportant)
- IP Address: 10.156.0.7/24 + \<PUBLIC IP\> address (only activated in the end)
- CPU: 1 core
- RAM: 1 GB (1024 MB)
- Storage: depends (16 GB)
- DNS entry: metabase.discopharma.de -> \<PUBLIC IP\>
- Note: for every concurrent users: needs 1CPU and 2GB of RAM more
## SSL/TSL certificates
- we need the discopharma wildcard certificate placed on the Reverse Proxy
- usually two files enough called `privkey.pem` and `fullchain.pem`
- you can put all the cert files on the reverse proxy and we will then use only the needed ones or convert them in the process if necessary
## Firewall Setup
I list all necessary communications and respective ports needed:
(Abbreviations:
- Databse: db = 10.156.0.5
- Metabse: mb = 10.156.0.6
- ReverseProxy: rp = 10.156.0.7)
| Source | SourcePort | Destination | DestPort | Description |
| ------------- | ----------------- | --------------- | ----------------- | ------------------------------------------------------------------------------------------- |
| mb | 3306/tcp | db | 3306/tcp | 3306 is the standard mysql port. Communication of mb to db |
| rp | 3000/tcp,3000/udp | mb | 3000/tcp,3000/udp | 3000 is the metabase web port (arbitrary). Reverse Proxy sends request via this port to mb. |
| OPEN INTERNET | any | PUBLIC IP of rp | 443/tcp | 443 is the https port to communicate to rp over internet |
You could also limit the access to the public ip such that only your company ip can reach it. The 443 port should be opened as the last thing when everything is done.
When the VMs are in the same private network, they should be able to openly communicate with each other; the first two entries in the table should be already open.

19
projects/discopharma/20250312-metabase-deployment.md Normal file
View File

@@ -0,0 +1,19 @@
## Metabase Instance
### Requirements
- [x] unattended-updates
- [x] docker
### Database
- name: metabase
- user: metabase
- pass: /E^bOu|<C{Y{bZu
### Reverse Proxy
- [x] unattended-updates
- [x] fail2ban
- [x] nginx

11
projects/discopharma/20250317-finishing-meeting.md Normal file
View File

@@ -0,0 +1,11 @@
## To do's:
- Cloud SQL dump load and user mgmt (Miloš)
- Docker licensing (Lukas)
- backup procedure for MB application db (Petar)
- Documentation/ manual (Petar)
- For example,
- how deployment works,
- what docker image to select
- how the routing in the reverse proxy is done

12
projects/kwa/20250318-mailstore-lizenz.md Normal file
View File

@@ -0,0 +1,12 @@
## Lizenzfile
License-ID: 47ac3c43-b120-4577-ad8f-57abd4d7a5e9
License-Type: MSV3
Customer-Name: Knopp Wassmer Architekten PartG mbB
Product-Name: MailStore Server
Product-Version: 25.1.0.22653
Product-Key: HRETS-CBTGE-HPNGP-GNKLL-MREBM
Max-Named-Users: 20
Machine-Name: SRVW-KWA-MAILST
Support-Expiry-Date: 2025-05-03
Support-Level: Standard Service

52
projects/kwa/firewall_migration/20250317_first-meeting.md Normal file
View File

@@ -0,0 +1,52 @@
## Base Info
- Time: 18.03.2025 09:00 Uhr
- Location: Teams
- Participants: Nina Schiffel, ~Markus Wassmer~, Sebastian Peter, Oliver Kaspar, Petar Cubela
## Todo
- [x] Kalkulation fuer OPNsense
- [x] Kalkulation fuer Sophos
- [x] Kosten einer Sophos?
## Topics
- Sophos or OPNsense - HW, SW
- Zeitrahmen: vor dem 03.05
- Arbeitszeit besprechen
- Rekonstruktion der Kerio Firewall
## Sophos
- Trusted industry standard firewall which delivers default features needed in the industry.
- Support for several years vie expensive license and expensive hardware which becomes useless after license expiration
## OPNsense
- Open Source product. No cost for the OS
- Can be installed on any hardware (as long as it has two network interfaces)
- Yearly (or 3 years) license (~150/500 euro) which enables management features and commercial firmware repository
## Preis
| Topic | Preis - OPNsense | Preis - Sophos |
| --------------------- | -------------------------------------------------------------------- | ------------------------------------------------------------ |
| HW | Vorhandene Hardware oder neue Hardware (Kosten: 500 - 1000 Euro) | ein Preis fuer HW + OS + Lizenz |
| OS | Keine Kosten | n/a |
| Lizenz | Business License: 130 Euro/Yearly + Support License: 300 Euro/yearly | 7600 Euro (Lizenz gueltig fuer 3 Jahre) |
| Arbeitsstunden | ~40h, ~4000 Euro | ~30h, ~3000 Euro |
| Wartungspauschale | TBA - Bespreche mit Thilo und Oli | ?? |
| Summary \[euro/year\] | 4000 (5000) Euro Einbau + 500 Euro/yearly Lizenz | 3000 Euro Einbau + 7600 Euro auf 3 Jahre (~2500 Euro/yearly) |
## Meeting 20250317
- diskutiere laufdauer bestehender hardware
- ueberlegen neuer hw bestellung thomas-krenn
- vergleiche preise: stunden + lizenz kosten + hw kosten
- deadline 03.05
- opnsense vs sophos - security features
- wartungspauschale?
- herrman fragen wegen opnsense lizenz

34
projects/kwa/firewall_migration/20250318-OPNsense_Migration.md Normal file
View File

@@ -0,0 +1,34 @@
## Base Info
- Deadline: 03.05
- Anzahl User: 15
## Angebot Liste
- Arbeitstunden ausrechnen
- Angebot fuer Lizenzen raussuchen ([Business License](https://shop.opnsense.com/product/opnsense-business-edition/), [Business Support Subscription](https://shop.opnsense.com/product/opnsense-business-support-subscription/))
- Keine Hardware noetig
## Bestehende Hardware
- System: Linux, Memory: 7888 MB, 8 processors
- No PPPoe (done by Fritz)
## Funktionen
- Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..)
- VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest)
- VPN (OpenVPN)
- Free SSL certs (via ACME)
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave)
- OPNsense Antivirus Loesung (Clamav + C-Icap)
- IDS/IPS
- WAF
- OPNcentral
## Zertifikate
- SSL for https (Let's Encrypt oder gekaufte Wildcard)
- Self Signed for Web Proxy (SSL Inspection)
- Self Signed for OpenVPN

0
projects/sbx/20241211-Max-Meeting-Kerio2M365.md → projects/kwa/mail_migration/20241211-Max-Meeting-Kerio2M365.md
View File

0
projects/neosphere/20250502-storage-cluster.md → projects/neosphere/qumulus/20250502-storage-cluster.md
View File

51
projects/neosphere/qumulus/manual_25Gbit-nic.md Normal file
View File

@@ -0,0 +1,51 @@
## Quellen
### Treiber
- [ice treiber](https://www.intel.com/content/www/us/en/download/19630/intel-network-adapter-driver-for-e810-series-devices-under-linux.html)
- [key in bios](https://support.hpe.com/hpesc/public/docDisplay?docId=a00112581en_usen_us&page=GUID-E4427875-D123-4BBF-9056-342168478A02.html&docLocale=en_US)
- [installationsanaleitung (nicht 1zu1 anwendbar; use case different)](https://clouddocs.f5.com/cloud/public/v1/kvm/kvm_intel.html)
- [troubleshooting(SR-IOV)](https://forum.endeavouros.com/t/intel-e810xxv-25g-network-card-not-working-no-ice-driver/39633/7)
- [troubleshooting(BIOS - virt)](https://forum.proxmox.com/threads/troubleshooting-intel-e810-xxvam2-nic-setup.146257/)
### Configure LACP bond with failover
- [bonding_router-template](https://github.com/canonical/netplan/blob/main/examples/bonding_router.yaml)
- [bonding_manual(nicht 1zu1 angewendet!)](https://netrouting.com/knowledge_base/configuring-bonding-on-ubuntu-with-netplan/)
### Cloning Problem
- [Aendere Machine ID](https://unix.stackexchange.com/questions/402999/is-it-ok-to-change-etc-machine-id)
- [troubleshooting bonds have same mac (same machine id)](https://askubuntu.com/questions/1126037/netplan-generates-the-same-mac-address-for-bridges-on-two-different-machines)
## Anleitung
1. Lade die [Intel Ice Treiber](https://www.intel.com/content/www/us/en/download/19630/intel-network-adapter-driver-for-e810-series-devices-under-linux.html) fuer die verfuegbar Netzwerkkarte herunter. Fuer eine Debian-basierte GNU/Linux OS wird die .tar.gz Datei benoetigt und `intel-public-key-ice-ko.zip`. Die .tar Datei kann an einem beliebigen Ort abgespeichert werden, zum Beispiel, `/home/username/ice`.
2. Folge der [hpe Anleitung](https://support.hpe.com/hpesc/public/docDisplay?docId=a00112581en_usen_us&page=GUID-E4427875-D123-4BBF-9056-342168478A02.html&docLocale=en_US), um den Intel Public Key im BIOS zu hinterlegen und aktiviere Secure Boot im BIOS(!). Secure Boot ist wichtig, damit der signierte Treiber authentiziert werden kann; dies geht nur im Secure Boot Mode, wo auch der Key hinterlegt wurde. Zusammengasst BIOS Aenderung:
- Key File im Secure Boot Key Store hinterlegen
- Secure Boot anschalten
- SR-IOV abschalten; Im BIOS selbst UND direkt bei den pcie Einstellungen des NICs
- Bei Problemen mit der Installation spaeter kann es sein, dass BIOS Einstellungen im Zusammenhang Virtualisierung abegeschaltet werden muessen. Siehe dazu letzten drei Links in Quellen Liste zu den Treibern
3. Untar/unzip die archiv-Datei, wobei "<x.x.x>" die Versions Nummer ist:
> `tar zxvf ice-<x.x.x>.tar.gz`
4. Wechsle in das `src`-Verzeichnis:
> `cd ice-<x.x.x>/src/`
5. Kompiliere das Treiber modul (als root user!)
> `make install`
> Das Binary wird installiert als: `/lib/modules/<KERNEL VER>/updates/drivers/net/ethernet/intel/ice/ice.ko`
6. Reboote das System und schalte Secure Boot wieder aus (das Linux Kernel ist gelocked, mit Secure Boot und daher koennte das Modul nicht angeschaltet werden)
7. Nach erfolgreichem Neustart kann die Version des Treibers gecheckt und aktiviert werden mit den Befehlen: (deaktivieren des Moduls mit: `rmmod ice`)
> `modinfo ice`
> `modprobe ice`
8. Um Nachrichten zu Netzwerlinks in der Konsole zu sehen, muss `dmesg` angepasst werden: `dmesg -n 8`. Nach dem aktivieren des Treibers sollten die Kernel Logs mit dem folgenden Befehl geprueft werden: `dmesg | grep '\<ice\>`.
9. Bei erfolgreicher Installation sollte der Befehl `lshw -c network` die Interfaces der netzwerkkarte anzeigen.
## Notizen
### Nuetzliche Befehle
- Zeige Netzwerk Specs der Hardware an: `lshw -c network`
- Zeige Bonding Konfiguration an: `cat /proc/net/bonding/<name-des-bonds>` ;hier: `cat /proc/net/bonding/bond0`
- Kernel Logs zu ice Treibern pruefen: `dmesg | grep '\<ice\>`

34
projects/neosphere/qumulus/manual_lacp-bonding.md Normal file
View File

@@ -0,0 +1,34 @@
## Beispiel Config ubt01
Netplan Konfigurationsdatei: `/etc/netplan/00-bonding.yaml`
```yaml
network:
version: 2
renderer: networkd
ethernets:
ens2f0:
dhcp4: no
ens2f1:
dhcp4: no
bonds:
bond0:
interfaces:
- ens2f0
- ens2f1
addresses:
- 192.168.60.200/24
- 192.168.60.210/24
routes:
- to: default
via: 192.168.60.254
nameservers:
addresses:
- 192.168.60.254
parameters:
mode: active-backup
mii-monitor-interval: 100
gratuitious-arp: 5
```

22
projects/neosphere/qumulus/manual_qumulus.md Normal file
View File

@@ -0,0 +1,22 @@
## Qumulus MGMT
Zur Adminstration des Qumulus Cluster besuchen Sie das Qumulus Dashboard (ueber VPN oder sonst im Netzwerk befindlich):
<https://192.168.60.11-15>
Das Qumulus Dashboard kann ueber jede IP Adresse der Cluster Node erreicht werden; entsprechend haben die Noden IP Adressen von .11 bis .15.
Das Qumulus Cluster arbeitet im Grunde wie ein klassische NAS:
- Es bietet elaborierte Analysedaten zur Funktionsweise ders Clusters
- Sharing im Dashboard konfigurierbar:
- smb shares
- nfs exports
- s3 buckets
- ftp
- Authentizierung und Authorizierung:
- Locale User und Gruppen
- AD
- LDAP
- Role Management
- Snapshots moeglich
- Replizierung zu S3

0
projects/neosphere/qumulus/overview-qumulus_and_comp-nodes.md Normal file
View File

15
projects/patryk-projekt/202503012-initial.md Normal file
View File

@@ -0,0 +1,15 @@
## Data
- Datum: Anmeldung, Abgabe
- Projekt Beschreibung
- Titel
- Infrastuktur
- Komponenten
- Quellen
## Quellen
- <https://wazuh.com/>
- <https://documentation.wazuh.com/>

35
projects/phytron/nextcloud_gitlab_after_hack.md
View File

@@ -1,10 +1,45 @@
## General
- [x] Change Admin Passwords to: General Domain Administrator Password
## Nextcloud
IP address: 192.168.66.66
Domain: https://cloud.phytron.de
### Resources
- <https://docs.nextcloud.com/server/28/admin_manual/configuration_server/occ_command.html#user-commands-label>
### User MGMT
- [x] Gruppe: Nextcloud_extern (fuer externe nutzer)
### Design
- Integrate Phytron CI
- Ask Holger
- Primary Gray/ Secondary Red (Related to Homepage)
### Folder
**Expiration time: 6 months** (user choses a time which is maximally 6 months..)
- [x] Ablaufdatum erzwungen bei public shares
- [x] delete default files and folders which are generated for each new user
- [x] Check if its possible that files/folders are deleted automatically after some time and that the user is notified about it
- [x] two kinds of share folders: one folder 'intern' without expiration dates and one folder 'extern' with a strict expiration date
- [ ] possibility to edit 'Microsoft Words' files
## Gitlab
IP address: 192.168.66.67
Domain: http://git.phytron.local
### Design
- Check CI

2
projects/project-list.md
View File

@@ -1,4 +1,4 @@
## List
- [sbx-knowledgebase](/projects/sbx/knowledgebase)
- [sbx-knowledgebase](knowledgebase.md)

0
projects/sbx/raci_matrix-automation.md → projects/sbx/RACI-Matrix/raci_matrix-automation.md
View File

0
projects/sbx/raci_matrix-monitoring.md → projects/sbx/RACI-Matrix/raci_matrix-monitoring.md
View File

0
projects/sbx/disney-workshop.md → projects/sbx/orga/disney-workshop.md
View File

0
projects/sbx/knowledgebase.md → projects/sbx/orga/knowledgebase.md
View File

0
projects/sbx/sbx-myrules.md → projects/sbx/orga/sbx-myrules.md
View File

18
projects/sbx/sbx-lab-network.md Normal file
View File

@@ -0,0 +1,18 @@
## network
- Gateway/Firewall Static IP: 10.11.12.254/24
- DHCP: 10.11.12.100 - 10.11.12.200
### Static IPs
| hostname | mac | IP | comment |
| -------- | ----------------- | ------------ | --------------------- |
| gw | | 10.11.12.254 | sophos fw |
| dns1 | | 10.11.12.253 | bind master |
| dns2 | | 10.11.12.252 | bind slave |
| pxe | BC:24:11:99:2D:8A | 10.11.12.69 | netbbot_xyz |
| node1 | | 10.11.12.2 | opnsense cluster test |
| node2 | | 10.11.12.3 | opnsense cluster test |
| vip-wan | | 10.11.12.4 | opnsense cluster test |
| metabase | | 10.11.12.99 | test for discopharma |

4
projects/sbx/sbx-proxmox-test-server.md
View File

@@ -1,4 +0,0 @@
mac-address:
- 00:19:99:b9:9a:a2 of interface enp8s0f0
- 00:19:99:b9:??:?? of interface enp8s0f1

11
tum-netxtcloud.md Normal file
View File

@@ -0,0 +1,11 @@
```ini
'mail_smtpstreamoptions' =>
array (
'ssl' =>
array (
'allow_self_signed' => true,
'verify_peer' => false,
'verify_peer_name' => false,
),
),
```