CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

20250404

Browse Source
This commit is contained in:
Petar Cubela
2025-04-04 10:57:26 +02:00
parent e1d3a98fd2
commit 7becbea415
28 changed files with 1760 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
projects/boschmann+feth/20250326-Preparation.md Normal file
View File

@@ -0,0 +1,131 @@
## ToDo
- [=] ap integrieren
- [=] ap ip anpassen
- [x] server auf maintenance in ninja einstellen
- [x] mount kid befestingen
- [=] switch ip anpassen
- [x] vlans erstellen
- [=] switch vlans konfigurieren
- [x] dns einstellungen anpassen
- [x] client rechner an switch (welche ports brauchen untagged client net)
- [x] fw regeln fuer vpn
- [x] second admin vpn
- [ ] star money, datev for ssl inspection exclude
- [ ] services.starfinanzen.de
- [ ] frontgate-eu.factsetdigitalsolutions.com
- [ ] starmoney.aboalarm.de
- [ ] web.starmoney.de
- [ ] starfinanz.de
- [ ] starmoney.de
- [ ] naechste Woche mehr kure gruene kabel mitnehmen (.25m)
## Einsatz
- WLAN-Intern: d5C9nhBBDGhd
- fP33-y4be-M8Qk
### Switch Ports
| Port | Device(s) | VLANs | Note |
| ---- | -------------------- | -------------------------------- | --------------- |
| 1 | Firewall | tagged: default, untagged: all | |
| 2 | HP | | ws |
| 4 | Mitel (phone) | untagged: 11, tagged: none | |
| 13 | Mitel (phone) | untagged: 11, tagged: none | |
| 19 | Mitel (phone) | untagged: 11, tagged: none | Printer |
| 25 | ? | | |
| 27 | Mitel (phone) | untagged: 11, tagged: none | WS-Boschmann |
| 28 | Mitel (phone) and HP | untagged: 11, tagged: none | WS |
| 34 | Mitel (phone) and HP | untagged: 11, tagged: none | WS-07 |
| 35 | Mitel (phone) | untagged: 11, tagged: none | |
| 37 | Mitel (phone) | untagged: 11, tagged: none | |
| 38 | HP | | ws |
| 39 | Mitel (phone) and HP | untagged: 11, tagged: none | WS |
| 40 | Mitel (phone) | untagged: 11, tagged: none | |
| 41 | Mitel (phone) and HP | untagged: 11, tagged: none | WS-14 |
| 43 | Sophos AP | untagged: default, tagged: 30,40 | several devices |
| 44 | HP | | ws |
| 46 | Mitel (phone) | untagged: 11, tagged: none | |
| 47 | ? | | |
| 48 | Server in UG | untagged: 11, tagged: none | |
## Basis
### Network
#### Interfaces
- LAN (Port1): Network 192.168.11.254/24
- [x] define V11_LAN_SERVER for this network
- [x] Call physical LAN interface V50_LAN_MGMT
- WAN (Port2 and Port8): Two Configured
- [x] Port2: PPPoE (versatel) 104.151.27.221/32
- [x] Port8: Static 192.168.178.254/24 (Fritzbox. For phone?)
- WiFi (BuF_Gast): Network: 192.168.111.100
#### VLANs
Currently no VLANs (except this weird wifi thing).
VLANs for new Firewall:
- V11_LAN_SERVER
- V20_LAN_CLIENT
- V30_WLAN_INTERNAL
- V40_WLAN_GUEST
- V50_LAN_MGMT
- (V70_LAN_PHONE ??)
#### DHCP
- DHCP only for WLAN_Gast: 192.168.111.101 - 192.168.111.120
- DC is doing DHCP for 192.168.11.0/24 network: 192.168.11.80 - .159
#### Services
- Star Money (banking)
- Teamviewer
- Cosoba
- DATEV
- Zoom
- DropBox
- Google Drive
- OneDrive
- M365
- Sharepoint
#### DNS
- [x] Configure DNS request route to DC for new Firewall
- DC is doing DNS when acting as DHCP Server
### Authentication
#### Server
- Server Type: AD
- Server Name: BUF-SRV-DC-01
- Server IP/Domain: 192.168.11.13
- Connection Sec: SSL/TLS
- Port: 636
- NetBIOS domain: BUF
- ADS user name: sophos_ldap
- Password: IT-Glue
- Emal address attribute: mail
- Domain name: buf.local
- Search Queries: dc=buf,dc=local
### Phone
- not separate configuration needed. Only Set WAN to fritz correctly. Check the connectivity to phones after migration
### VPN

136
projects/bvv/bind-manual.md
View File

@@ -1,10 +1,142 @@
## Intro
Goal: Have a detailed manual for making changes at a running bind server without destroying it.
Motivation: The bind config had been successfully destroyed by accident. (by leaving out a \$-symbol)
- Ziel: Schreibe eine detailierte Anleitung, welche es moeglich die DNS Eintraege von bind zu aendern ohne den Server kaputt zu machen.
- Motivation: Die bind Konfiguration wurde versehentlich erfolgreich zerstoert, was dazu fuehrte, dass der bind Server nicht mehr funktionierte.
## Receipt
Um Aenderungen am bind9 Server beim BVV durchzufuehren muss der Syntax von bind beachtet werden. Bei Fehlern kann es sein, dass die ganze DNS Aufloesung nicht mehr funktioniert.
### Einfuehrung
Alle Konfigurationsdateien fuer bind liegen im Ordner `/etc/bind/` am ns2 Server. Die Hauptkonfigurationsdatei fuer bind ist hierbei `/etc/bind/named.conf` von der Alles ausgeht. `named` ist herbei der Dienst zu `bind` zugehoerige Dienst, welcher im Hintergrund laueft; der Status der `named`-Dienstes kann geprueft werden mit: `systemctl status named`.
Saemtliche Zonen fuer die von diesem `bind` Server verwalteten Domaenen sind in der Datei `/etc/bind/named.conf.local` hinterlegt; die zugehoerige Datei fuer jede Domaene wo die DNS Eintrage gesetzt werden sind hier in der Datei `/etc/bind/named.conf.local` definiert unter der Variablen `file`. Unter der hier genutzten Strukturierung sind die DNS Eintraege hinterlegt in den Dateien `/etc/bind/db.<tld>.<domain>`. Zum Beispiel die DNS Eintraege fuer die Domaene `vhs-bayern.de` liegt in der Datei `/etc/bind/db.de.vhs-bayern`.
### Aenderungen der DNS Eintraege
Um die DNS Eintraege einer bestimmten Domaene zu aendern, muss die jeweilige Zonen Datei geoeffnet werden; zum Beispiel `/etc/bind/db.de.vhs-bayern.de` fuer die Domaene `vhs-bayern.de`:
```conf
$ORIGIN vhs-bayern.de.
$TTL 60
@ IN SOA ns1.vhs-bayern.de. hostmaster.vhs-bayern.de. (
2024121702 ; serial number (yyyymmddxx)
14400 ; refresh every 4 hours
14400 ; retry after 4 hours
604800 ; expire after 7 days
43200) ; default ttl is 12 hours
IN A 49.13.175.195 ; old: 144.76.93.148
IN NS ns1.vhs-bayern.de.
IN NS ns1.m-online.net.
IN NS ns2.m-online.net.
;;;;;;;;;;;;;;;;;;;;;;;;;;
;;; Local Host Address ;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;
localhost IN A 127.0.0.1
;;;;;;;;;;;;;;;;;;;;
;;; NS Eintraege ;;;
;;;;;;;;;;;;;;;;;;;;
newsletter.vhs-bayern.de. 1800 IN NS ns0.isprit2.de.
newsletter.vhs-bayern.de. 1800 IN NS ns1.isprit2.de.
;;;;;;;;;;;;;;;;;;;;
;;; MX Eintraege ;;;
;;;;;;;;;;;;;;;;;;;;
listserver.vhs-bayern.de. IN MX 10 listserver.vhs-bayern.de.
;;;vhs-bayern.de. IN MX 10 mx01.vhs-bayern.de.
ns1.vhs-bayern.de. IN MX 10 mx01.vhs-bayern.de.
intmx IN MX 10 domino
intmx IN MX 20 domino2
mailtest.vhs-bayern.de. 60 IN MX 10 mailtest
vhs-bayern.de. IN MX 0 vhsbayern-de0i.mail.protection.outlook.com.
;;;;;;;;;;;;;;;;;;;;;
;;; TXT Eintraege ;;;
;;;;;;;;;;;;;;;;;;;;;
;;vhs-bayern.de. 60 IN TXT "v=spf1 a mx ip4:62.245.128.64/27 ip4:62.245.128.96/27 include:spf.protection.outlook.com -all"
vhs-bayern.de. 60 IN TXT "v=spf1 a mx ip4:20.50.178.65/32 ip4:62.245.128.64/27 ip4:62.245.128.96/27 include:spf.protection.outlook.com -all"
vhs-bayern.de. 3600 IN TXT "MS=ms64478158"
;_dnsauth.vhs-bayern.de. 300 IN TXT "2024021509350769xvfne3rv45zuft4zpkil5d67tbpvkvnjlfei3862b34yrbsj"
_dnsauth.vhs-bayern.de. 300 IN TXT "202411121019550lyjgntwd5v35uvf533roxftuvkf9hbv20okc4g3xt0umpn6p8"
_dnsauth.www.vhs-bayern.de. 300 IN TXT "202411121019550lyjgntwd5v35uvf533roxftuvkf9hbv20okc4g3xt0umpn6p8"
;;;;;;;;;;;;;;;;;;;;;;;
;;; CNAME Eintraege ;;;
;;;;;;;;;;;;;;;;;;;;;;;
autodiscover CNAME autodiscover.outlook.com.
selector1._domainkey CNAME selector1-vhsbayern-de0i._domainkey.bvv1.onmicrosoft.com.
selector2._domainkey CNAME selector2-vhsbayern-de0i._domainkey.bvv1.onmicrosoft.com.
;;;;;;;;;;;;;;;;;;;
;;; A Eintraege ;;;
;;;;;;;;;;;;;;;;;;;
mx01 IN A 62.245.128.92
rproxy2 IN A 62.245.128.84
mail-gw1 IN A 62.245.128.85
;analytics IN A 62.245.128.69
domino IN A 192.168.1.108
domino2 IN A 192.168.1.109
;2009 IN A 62.245.128.90 deaktiviert 17.12.2024
;rproxy IN A 62.245.128.65
;eportfolio IN A 62.245.128.75
;ksc IN A 62.245.128.71
;ksc2 IN A 62.245.128.71
;portal1 IN A 192.168.1.117
;portal2 IN A 192.168.1.118
;db2portal IN A 192.168.1.119 deaktiviert 17.12.2024
;ntp IN A 192.168.1.110 deaktiviert 17.12.2024
;ntp IN A 192.168.1.130 deaktiviert 17.12.2024
ns1 IN A 62.245.128.66
vpn IN A 62.245.128.125
;ol3 IN A 62.245.128.89 deaktiviert 17.12.2024
;icsdb2 IN A 192.168.1.131 deaktiviert 17.12.2024
;ics1 IN A 192.168.1.132
;ics2 IN A 192.168.1.133
icsweb1 IN A 62.245.128.70 ;Staecker fragen
mailtest 60 IN A 62.245.128.94 ;?
;ttwportal 60 IN A 144.76.93.148 deaktiviert 17.12.2024
;www.ttwportal 60 IN A 144.76.93.148 deaktiviert 17.12.2024
www 60 IN A 49.13.175.195 ;Neuer Provider old: 144.76.93.148
production IN A 49.13.175.195 ;Neuer Provider 4motion
testing IN A 49.13.175.195 ;Neuer provider 4motion
analytics IN A 49.13.175.195 ;Neuer Provider 4motion
```
**Wichtig zu beachten hier ist, dass bei jeder Aenderung einer dieser Zonendateien die Seriennummer (ganz oben in der Datei im ersten DNS Eintrag) *erhoeht* werden muss. Egal um welchen Wert; die Seriennummer muss nur groesser sein, als die vorherige! Uebliches Schema ist das heutige Datum mit einer nachgestellten Zaehlung fuer jede Aenderung des Tages; zum Bespiel: 2025032401. Ohne diesen Schritt wuerde der Dienst Fehlermeldungen ausgeben und nicht mehr funktionieren.**
Sagen wir fuegen der obigen Datei einen DNS-Eintrag: `test IN A <ip-address>` ein. Damit dieser wirksam wird muss die Seriennummer im ersten DNS Eintrag erhoeht werden:
```conf
$ORIGIN vhs-bayern.de.
$TTL 60
@ IN SOA ns1.vhs-bayern.de. hostmaster.vhs-bayern.de. (
--------> 2025032401 ; serial number (yyyymmddxx) <---------------
14400 ; refresh every 4 hours
14400 ; retry after 4 hours
604800 ; expire after 7 days
43200) ; default ttl is 12 hours
IN A 49.13.175.195 ; old: 144.76.93.148
IN NS ns1.vhs-bayern.de.
IN NS ns1.m-online.net.
IN NS ns2.m-online.net.
```
Nachdem die Anpassung durchgefuehrt wurde sollten zu Sicherheit die Konfigurationsdateien auf Richtigkeit geprueft werden:
1. Pruefe die Konfiguration der 'Master'-Datei: `named-checkconf /etc/bind/named.conf`. Keine Ausgabe bedeutet: Alles gut!
2. Pruefe die Zonendatei mit: `named-checkzone vhs-bayern.de /etc/bind/db.de.vhs-bayern`:
```sh
root@ns2:/etc/bind# named-checkzone vhs-bayern.de db.de.vhs-bayern
zone vhs-bayern.de/IN: loaded serial 2024121702
OK
```
Der Befehl zeigt auch die aktuelle Seriennummer der Zone an!
3. Sofern es bei den zwei vorherigen Schritten keine Fehlermeldungen gab, kann der `named`-Dienst neugestartet werden mit: `systemctl restart named`
4. Pruefe noch den Status den `named`-Dienstes mit `systemctl status named`. Wenn es keine Fehler gibt sollte der neu hinzugefuegt Eintrag funktionieren.

11
projects/discopharma/20250317-finishing-meeting.md
View File

@@ -1,11 +0,0 @@
## To do's:
- Cloud SQL dump load and user mgmt (Miloš)
- Docker licensing (Lukas)
- backup procedure for MB application db (Petar)
- Documentation/ manual (Petar)
- For example,
- how deployment works,
- what docker image to select
- how the routing in the reverse proxy is done

300
projects/discopharma/20250320-manual-project.md Normal file
View File

@@ -0,0 +1,300 @@
---
title: "Metabase - Setup Manual"
author: Petar Cubela
date: March 20, 2025
geometry: margin=1.5cm
output: pdf_document
---
## Intro
Setting up a Metabase instance via Docker with a PostgreSQL application database and a secure web connection via https mediated by a public facing reverse proxy (nginx) and commercial TLS/SSL certificates.
### Goals and Requirements
### Software
- Google Cloud Platform (GCP)
- [Debain 12 (OS)](https://www.debian.org/download)
- [Docker (Containerization Platform)](https://docs.docker.com/engine/install/debian/)
- [NGINX (Web Server, Reverse Proxy)](https://docs.nginx.com/)
- [Postgres (as Container)](https://hub.docker.com/_/postgres)
- [Metabase (as Container)](https://hub.docker.com/r/metabase/metabase)
## VM Specs
### Metabase Server
- Name: Metabase Server
- OS: Debian 12
- hostname: mb-prod
- IP Address: `10.156.0.6/24`
- CPU: 2 core
- RAM: 2 GB (2048 MB)
- Storage: depends (30 GB)
- DNS entry: none
- Note: for every 20 concurrent users: needs 1CPU and 2GB of RAM more
### Reverse Proxy
- Name: Reverse Proxy
- OS: Debian 12
- hostname: rproxy
- IP Address: `10.156.0.7/24` + `<PUBLIC IP>` address (only activated in the end)
- CPU: 1 core
- RAM: 1 GB (1024 MB)
- Storage: depends (16 GB)
- DNS entry: metabase.discopharma.de -> `<PUBLIC IP>`
- Note: for every concurrent users: needs 1CPU and 2GB of RAM more
### Firewall
I list all necessary communications and respective ports needed:
Abbreviations:
- Metabse: mb-prod = `10.156.0.6`
- Metabse Dev: mb-dev = `10.156.0.8`
- ReverseProxy: rp = `10.156.0.7`
| Source | SourcePort | Destination | DestPort | Description |
| ------------- | ----------------------- | --------------- | ----------------------- | ------------------------------------------------------------------------------- |
| mb-prod | 3306/tcp | db | 3306/tcp | 3306 is the standard mysql port. Communication of mb-prod to db |
| rp | 3000/tcp </br> 3000/udp | mb-prod | 3000/tcp </br> 3000/udp | 3000 is the metabase web port. Reverse Proxy sends request via this port to mb. |
| rp | 3000/tcp </br>3000/udp | mb-dev | 3000/tcp </br> 3000/udp | 3000 is the metabase web port. Reverse Proxy sends request via this port to mb. |
| OPEN INTERNET | any | PUBLIC IP of rp | 443/tcp | 443 is the https port to communicate to rp over internet |
### Network Diagram
![diagram](/files/discopharma/discopharma-infra.drawio.png)
## Metabase Application Server and Database
### Administration
#### Update
In order to update the metabase containers change to the `~/metabase/` folder (where `compose.yml` file resides) and use the following command:
```bash
docker compose pull && docker compose up -d
```
Monitor the container logs to see if there are any errors by using the command:
```bash
docker compose logs -f
```
The `docker compose pull` command searches for images which are specified by a tag in the image variable in the `compose.yml` file:
`image: metabase/metabase:latest`
`latest` is here the tag and can also be changed to a version number which can be extracted from the [docker-hub](https://hub.docker.com/r/metabase/metabase/tags).
To simplify the process I wrote a simple bash script which updates the container images and removes old container images. The script is in the folder `/home/lukas_discopharma_de/scripts/metabase-update.sh`.
The update has to be done manually.
#### Backup
There is a script `/home/lukas_discopharma_de/db-backup.sh` which creates a database dump from the postgres instance running in the container and places the dump into the folder at `/home/lukas_discopharma_de/backup-db` including the current date in the filename.
The scripts runs weekly mondays at 2 a.m. via a cronjob. You should secure the backups/dumps to a secure location.
### Development Instance
Go step-by-step through the installation and setup of a development metabase instance.
#### 1. Setup VM
Setup the a new VM with specs as described in the [VM specs](#vm-specs) section. The OS we are using is Debian 12. The private ip address can be chosen as `10.156.0.8`
#### 2. Update pkgs and install docker and compose
After Installation of the OS perform a pkg update:
```bash
sudo apt update && sudo apt upgrade -y
```
In order to install docker engine we will follow the official [documentation](https://docs.docker.com/engine/install/debian/).
1. Set up Docker's `apt` repository
```bash
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
```
2. Install the Docker packages (which includes docker compose)
```bash
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
3. Verify that the installation is successful by running the `hello-world` image
```bash
sudo docker run hello-world
```
It is possible to manage Docker as a non-root user. It the next steps we describe how to achieve this.
We need to create a `docker` group and add to user we wish to use:
1. Create the `docker` group
```bash
sudo groupadd docker
```
2. Add your user to the `docker` group.
```bash
sudo usermod -aG docker $USER
```
3. Log out and log back in so that your group membership is re-evaluated
4. Verify that you can run `docker` commands without `sudo`
```bash
docker run hello-world
```
#### 3. Create folder and compose file
After getting Docker Engine to work we can setup the necessary files and folders for the metabase container.
Create a metabase folder for the docker compose files in your home folder:
``` bash
mkdir -p ~/metabase/plugins
```
In addition create two files where the database user name and password will be placed:
```bash
touch ~/metabase/{db_user.txt,db_password.txt}
```
Create a `compose.yml` file which will be used to spin up the containers:
```yaml
---
services:
metabase:
image: metabase/metabase:latest
container_name: mb-dev
hostname: mb-dev
restart: unless-stopped
volumes:
- /dev/urandom:/dev/random:ro
- ./plugins:/plugins
ports:
- 3000:3000
environment:
JAVA_TIMEZONE: Europe/Berlin
MB_DB_TYPE: postgres
MB_DB_DBNAME: metabase
MB_DB_PORT: 5432
MB_DB_USER_FILE: /run/secrets/db_user
MB_DB_PASS_FILE: /run/secrets/db_password
MB_DB_HOST: postgres
networks:
- metanet1
secrets:
- db_password
- db_user
healthcheck:
test: curl --fail -I http://localhost:3000/api/health || exit 1
interval: 15s
timeout: 5s
retries: 5
postgres:
image: postgres:latest
container_name: postgres-dev
hostname: postgres-dev
restart: unless-stopped
environment:
POSTGRES_USER_FILE: /run/secrets/db_user
POSTGRES_DB: metabase
POSTGRES_PASSWORD_FILE: /run/secrets/db_password
networks:
- metanet1
secrets:
- db_password
- db_user
networks:
metanet1:
driver: bridge
secrets:
db_password:
file: db_password.txt
db_user:
file: db_user.txt
```
Choose a name for the database user and place it in the `db_user.txt` file, e.g.:
```bash
echo "metabase" > db_user.txt
```
and accordingly for the password:
```bash
echo "SecurePass" > db_password.txt
```
Change the permissions of the files such that they are read-only for your own user:
```bash
chmod 400 db_*.txt
```
#### 4. Pull images and start container
The pull of the container images and the start of the containers can be simply done by one command. Change the working directory to the metabase folder,
```bash
cd ~/metabase
```
and execute the command:
```bash
docker compose up -d
```
During the startup the log files for the containers should be monitored for possible errors by using the command:
```bash
docker compose logs -f
```
If you see now errors and if you have the possibility to reach the server you can visit the metabase instance using the URL `http://<private-ip-of-server>:3000`. Port 3000 has to be open and you have to be able to reache the server via its private ip address.
## Reverse Proxy
The software which is used on the reverse proxy server is called `nginx`. This is a standard common web server/reverse proxy. Its configuration files reside in the folder `/etc/nginx/` and its log files can be found in `/var/logs/nginx/`.
The configuration file which accomplishes the reverse proxying for your metabase instance is `/etc/nginx/sites-available/metabase.conf`:
```conf
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name metabase.discopharma.de;
ssl_certificate /etc/nginx/ssl/discopharma.de/discopharma_fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/discopharma.de/discopharma_private.key;
if ($ssl_protocol = "") {
return 301 https://$server_name$request_uri;
}
location / {
proxy_pass http://10.156.0.6:3000;
proxy_set_header HOST $host;
}
}
```
In order to reverse proxy traffic to a development instance you can proceed as follows:
1. Create a nginx configuration file for the dev metabase instance by copying the existing config: `cp /etc/nginx/sites-available/metabase.conf /etc/nginx/sites-available/mb-dev.conf`
2. Open the new file using any text editor `nano /etc/nginx/sites-available/mb-dev.conf` and edit the `server_name` and `proxy_pass` variables to reflect your new dev instance, e.g.: `server_name mb-dev.discopharma.de;` (the corresponding dns entry for `mb-dev.discopharma.de` has to point to the public ip of the reverse proxy) and `proxy_pass http:<private-ip-of-server>:3000;`
3. Create a symbolic link (nignx reads the config files in `sites-enabled`):
```bash
ln -sf /etc/nginx/sites-available/mb-dev.conf /etc/nginx/sites-enabled/
```
4. Restart the `nignx` service: `systemctl restart nginx`
5. Setup your google firewall such that the reverse proxy can reach your dev metabase instance via port 3000.
6. Visit `https://mb-dev.discopharma.de`. The homepage should working ssl certificates which are configured in the `nginx` configuration file for mb-dev.

0
projects/discopharma/20250310-Next_Steps.md → projects/discopharma/Meetings/20250310-Next_Steps.md
View File

11
projects/discopharma/Meetings/20250317-finishing-meeting.md Normal file
View File

@@ -0,0 +1,11 @@
## To do's:
- [x] Cloud SQL dump load and user mgmt (Miloš)
- [x] Docker licensing (Lukas)
- [x] backup procedure for MB application db (Petar)
- Documentation/ manual (Petar)
- For example,
- how deployment works,
- what docker image to select
- how the routing in the reverse proxy is done

12
projects/discopharma/Meetings/20250324-meeting_in_prod.md Normal file
View File

@@ -0,0 +1,12 @@
## Members
- Lukas Maas, Petar Cubela
## Topics
- Manual
- Backups of database
- Updates of Container

14
projects/kwa/firewall_migration/20250318-OPNsense_Migration.md
View File

@@ -1,9 +1,21 @@
---
title: "OPNsense - KWA Migration"
author: Petar Cubela
date: March 20, 2025
geometry: margin=1.5cm
output: pdf_document
---
## Base Info
- Deadline: 03.05
- Anzahl User: 15
## Termin
- 11.04, 14.04 - 17.04 (Friday 18.04: Karfreitag); 16.04 Vor-Ort
- 22.04 - 25.04 (Monday 21.04: Ostermontag), 24.04 Vor-Ort
## Angebot Liste
- Arbeitstunden ausrechnen (40 Stunden)

0
projects/neosphere/qumulus/overview-qumulus_and_comp-nodes.md → projects/neosphere/qumulus/overview-qumulo_and_comp-nodes.md
View File

17
projects/sbx/firewall-std/std-network.md Normal file
View File

@@ -0,0 +1,17 @@
## Interfaces
- Port1: V50_MGMT: 192.168.50.254/24
- Port2: WAN: PPPoE or Static
## VLANs
| Name | Net |
| ----------------- | ----------------- |
| V10_SERVER | 192.168.10.254/24 |
| V20_CLIENT | 192.168.20.254/24 |
| V30_WLAN_INTERNAL | 192.168.30.254/24 |
| V40_WLAN_GUEST | 192.168.40.254/24 |
| V50_MGMT | 192.168.50.254/24 |
| V60_PRINT | 192.168.60.254/24 |
| V60_PHONE | 192.168.70.254/24 |

4
projects/sbx/firewall-std/std-tools.md Normal file
View File

@@ -0,0 +1,4 @@
- mounting rack screws
- label tool
- screw driver

19
projects/sbx/manuals/Sophos-SG_PPPoE-data.md Normal file
View File

@@ -0,0 +1,19 @@
## Configure SSH
1. Sophos SG Web-UI anmelden
2. Management -> System Settings -> Shell Access:
1. Setze Passwort fuer den `root` und `loginuser`
2. Fuege das von dir Netzwerk zu "Erlaubten Netzwerken" hinzu
3. Erlaube Passwort Authentifizierung
3. Oeffne Putty oder ein Terminal (PowerShell neuer als 2019) und melde dich als `loginuser` an, mit dem zuvor gesetzten Passwort
1. PowerShell: `ssh loginuser@<lan-gw-ip>`
4. Melde dich als `root`-user an, mit dem Befehl `sudo su` und durch Nutzung des `root` Passworts
## Extract pppoe data
1. Extrahiere Internetzugangsdaten
```bash
# cat /var/sec/chroot-pppoe/etc/ppp/chap-secrets
"<symbole-und-zahlen>@<provider>" * "Passwort" *
```

2
projects/ssr/202504-4architekten/notes.md Normal file
View File

@@ -0,0 +1,2 @@
- [php5.6-manual](https://community.localwp.com/t/how-to-run-php-5-6-on-local-v8-and-above/44488)