Working Group IT: Difference between revisions

• Test if it's easier to use than authentik

• IT group in authentic
• test connecting wiki to authentik
• check security warnings: https://nextcloud.munichmakerlab.de/settings/admin/overview
• IaC configuration of nextcloud e.g. https://docs.goauthentik.io/integrations/services/nextcloud/#nextcloud-1 => setup, testing needed
• Checkout backup database and storage location of data
• check best practice and hardening advices
• check, how we handle groups and how you register: challenge?
• check how to handle unique usernames across multiple tools => https://docs.goauthentik.io/docs/customize/policies/expression/unique_email => open
• double check integration e.g. it seems like you can be added to authentik admin group from nextcloud
• check privacy of user (which emails shown etc.)

• containerize wiki and migrate to saturn => done
• fix theme plugin for categories (sometimes shows error message)
• fix request account plugin => done (issue did not pop up on manual testing)
• update wiki and check how to handle better plugins e.g. with composer
• add integration with SSO
• check best practices and performance

• Setup second lightburn licence on VM
• Expose VM with some secure remote connection

• Old setup is on mars with Postfix and Mailman 2 (prevents Debian update): Check for details and related services Mars
• Discuss what to use: Maybe https://mailcow.email/de/ or https://docker-mailserver.github.io/docker-mailserver/latest/ (less documentation, no UI?) or https://mailinabox.email/
• Setup on saturn some mail tool with Mailman 3 => test with Mailcow and test mail domain
• Migrate all data to saturn: how? Lists: https://docs.mailman3.org/en/latest/migration.html
• Update Authentik and pretix mail config
• Migrate existing stuff
• check best practice and hardening advices
• Check how to better handle spam => should we remove the plain mail links on the homepage and the wiki e.g. basic [at...] or better with javascript hacks or similar: https://www.matthewthom.as/blog/stop-email-scraping/ https://munichmakerlab.de/contact.html

• Connect to SSO => TODO
• Setup for production => TODO
• Setup Email list/group
• Setup Event Mails
• Deprecate old ticket system

Existing setup https://github.com/homeofmaking/OpenUnitState/tree/master

Migrate existing token from TBD Adjust Lasercutter and door(?) to this DB

• Setup FQDN tooljet.munichmakerlab.de => Done
• Check how existing setup is working

...

• Check out cards feature for IT Working group?
• Create shared folders e.g. for password safe
• Check limitation of storage or how to add external storage => set quota for user
• Create partition for the user files and configure owncloud to use this partition
• Create calender and integrate into website
• Replace google calender with next cloud calender
• integrate new calender on homepage, kreativquartier, ticket system etc.

• Setup Firewall => Done
• Add fail2ban => https://blog.lrvt.de/configuring-fail2ban-with-traefik/ or https://plugins.traefik.io/plugins/628c9ebcffc0cd18356a979f/fail2-ban
• Add firewall to ansible = done
• Check Firewall together with docker: https://www.reddit.com/r/docker/s/RyUl8Akhy2 => https://github.com/chaifeng/ufw-docker?tab=readme-ov-file Test manually with nmap before
• update docker networks for better separation?
• limit docker daemon with systemd slices to 90% RAM and CPU: https://unix.stackexchange.com/questions/537645/how-to-limit-docker-total-resources => done
• Add dynamic blocking mechanism to traefik => check out fail2ban https://blog.lrvt.de/configuring-fail2ban-with-traefik/, https://plugins.traefik.io/plugins/628c9ebcffc0cd18356a979f/fail2-ban or crowdsec: https://www.crowdsec.net/blog/enhance-docker-compose-security => open
• add docker log rotation => done
• Limit all containers e.g. via Docker compose => in progress
• Check, that no container are exposed without reason (e.g. Authentik and pretix might miss) => done
• Check Log rotation for pretix and authentik => in progress
• Adjust log rotation for mosquitto or disable persistent logs => configured to stdout, so it will be handled with docker daemon => done
• Check backups
• Check logs and metrics

Metrics:

• Setup docker compose for Grafana + Prometheus: https://grafana.com/docs/grafana-cloud/send-data/metrics/metrics-prometheus/prometheus-config-examples/docker-compose-linux/ => done
• Limit Prometheus Storage: https://prometheus.io/docs/prometheus/latest/storage/#right-sizing-retention-size => prometheus
• Setup useful alerts and fix not proplery showing up ones => in progress
• Authentication via Authentik
• Fetch metrics: influx-db sensors, docker, traefik, system

Logs:

• ELK Stack: https://www.elastic.co/blog/getting-started-with-the-elastic-stack-and-docker-compose
• Grafana Loki
• Authentication via Authentik
• Create useful alerts
• Fetch Logs: Traefik, docker, Server

Data:

• Setup Influx DB: https://docs.influxdata.com/influxdb/v2/install/use-docker-compose/=> done
• Send Particular Sensor Data to influx DB
• Send Spacestatus to Influx DB
• Create Grafana Dashboards for Data

• Add adaption for nextcloud OIDC?

Compare Network and MuMaBus

check remaining stuff in the lab, if something depends on old ports: MuMaBus ; Cleanup also acl.conf

Migrate the device status php script to saturn

• shared password safe
• it group email => done
• cleanup old accounts

• Update homepage => done
• Move homepage to mastodon => done
• Update Homepage content for better information (what is the makerlab, open Thursday) => done
• Add FAQ Content: Frequently Asked Questions => done

• Setup Ansible in Repo => Done
• Playbook for Server => Done
• Playbook for Docker => done
• Add swap file => done
• Add docker resource limit => done
• Add docker prune job => done

• Check out cards feature for IT Working group?
• Create shared folders e.g. for password safe
• Check limitation of storage or how to add external storage => set quota for user
• Create partition for the user files and configure owncloud to use this partition
• Create calender and integrate into website
• Replace google calender with next cloud calender
• integrate new calender on homepage, kreativquartier, ticket system etc.

• Setup DNS => Done
• Setup Pretix => Done
  • files and config copied over. Execute "docker compose up --build" in /data/pretix => issues: connection to redis and database seems not to work. => connection issue with docker network? issue with traefik? => redis was deactivated via config, but also database connections does not work => TODO remove treafik from docker compose; debug docker networking e.g. by connecting to the server and double check.
• Setup Email ticket@munichmakerlab.de => done

Latest: 4.0.5

- Open firewall (ufw) for 1880 => done

- Migrate data to saturn and adjust settings for new version => done

- Create systemd for node red for version 4.0.5 => done

- Test container with new version - fix broken stuff => done

• containerize wiki and migrate to saturn => done
• fix request account plugin => done (issue did not pop up on manual testing)

• test authentik on saturn => done
• test connecting authentik and nextcloud => done
• authentic password reset => done
• migrate docker compose to /data/sso => done

Connect with Adrian => https://munichmakerlab.slack.com/archives/C79T8NFU7/p1731197933279969

• migrate /etc/system/systemd/docker-traefik.service to use config file => done
• adjust new /data/traefik/config/traefik.yml to integrate MQTT => done
• create mosquito config /data/mqtt/ with old config and new requirements => done
• migrate db /var/lib/mosquitto/mosquitto.db => done
• create /etc/system/systemd/docker-mosquitto.service => done
• test to start new mqqt service and restart traefik => done
• add new ports to ufw => done
• add new ports to ansible ufw: https://github.com/munichmakerlab/infrastructure/tree/debian-security-ansible=> done
• change FQDN to saturn and test => Done
• Test migrated Broker => Done

• wipe and re-install local server with proxmox => vulpix.intern.munichmakerlab.de
• setup home-assistant

=> old local server was removed