Working Group IT: Difference between revisions

• test authentik on saturn => done
• test connecting authentik and nextcloud => done
• authentic password reset => done
• migrate docker compose to /data/sso => done
• IT group in authentic
• test connecting wiki to authentik
• check security warnings: https://nextcloud.munichmakerlab.de/settings/admin/overview
• IaC configuration of nextcloud e.g. https://docs.goauthentik.io/integrations/services/nextcloud/#nextcloud-1 => setup, testing needed
• Checkout backup database and storage location of data
• check best practice and hardening advices
• check, how we handle groups and how you register: challenge?
• check how to handle unique usernames across multiple tools => https://docs.goauthentik.io/docs/customize/policies/expression/unique_email => open
• double check integration e.g. it seems like you can be added to authentik admin group from nextcloud
• check privacy of user (which emails shown etc.)

• containerize wiki and migrate to saturn => done
• fix theme plugin for categories
• fix request account plugin
• update wiki and check how to handle better plugins e.g. with composer
• add integration with SSO
• check best practices and performance

• Setup second lightburn licence on VM
• Expose VM with some secure remote connection

Latest: 4.0.5

- Open firewall (ufw) for 1880 => done

- Migrate data to saturn and adjust settings for new version => done

- Create systemd for node red for version 4.0.5 => done

- Test container with new version - fix broken stuff => done

- Remove unused flows

• Old setup is on mars with Postfix and Mailman 2 (prevents Debian update): Check for details and related services Mars
• Discuss what to use: Maybe https://mailcow.email/de/ or https://docker-mailserver.github.io/docker-mailserver/latest/ (less documentation, no UI?)
• Setup on saturn some mail tool with Mailman 3 => test with Mailcow and test mail domain
• Migrate all data to saturn: how? Lists: https://docs.mailman3.org/en/latest/migration.html
• Update Authentik and pretix mail config
• Migrate existing stuff
• check best practice and hardening advices
• Check how to better handle spam => should we remove the plain mail links on the homepage and the wiki e.g. basic [at...] or better with javascript hacks or similar: https://www.matthewthom.as/blog/stop-email-scraping/ https://munichmakerlab.de/contact.html

• Setup DNS => Done
• Setup Pretix => Done
  • files and config copied over. Execute "docker compose up --build" in /data/pretix => issues: connection to redis and database seems not to work. => connection issue with docker network? issue with traefik? => redis was deactivated via config, but also database connections does not work => TODO remove treafik from docker compose; debug docker networking e.g. by connecting to the server and double check.
• Connect to Authentic => TODO
• Setup for production => TODO
• Setup Email ticket@munichmakerlab.de
• Setup Email list/group
• Setup Event Mails
• Deprecate old ticket system

Existing setup https://github.com/homeofmaking/OpenUnitState/tree/master

Migrate existing token from TBD Adjust Lasercutter and door(?) to this DB

• Setup FQDN tooljet.munichmakerlab.de => Done
• Check how existing setup is working

...

• Setup nextcloud => done
• Integrate Authentik login => done
• Check out cards feature for IT Working group?
• Create shared folders e.g. for password safe
• Check limitation of storage or how to add external storage => set quota for user
• Create partition for the user files and configure owncloud to use this partition
• Create calender and integrate into website
• Replace google calender with next cloud calender
• integrate new calender on homepage, kreativquartier, ticket system etc.

• Setup Firewall => Done
• Add fail2ban => in progress, settings needs to get adjusted
• Add firewall to ansible: https://github.com/munichmakerlab/infrastructure/tree/debian-security-ansible
• Check Firewall together with docker: https://www.reddit.com/r/docker/s/RyUl8Akhy2 => https://github.com/chaifeng/ufw-docker?tab=readme-ov-file Test manually with nmap before
• update docker networks for better separation?
• limit docker daemon with systemd slices to 90% RAM and CPU: https://unix.stackexchange.com/questions/537645/how-to-limit-docker-total-resources => done
• Limit all containers e.g. via Docker compose
• Check, that no container are exposed without reason (e.g. Authentik and pretix might miss)
• Check backups
• Check logs and metrics

Metrics:

• Setup docker compose for Grafana + Prometheus: https://grafana.com/docs/grafana-cloud/send-data/metrics/metrics-prometheus/prometheus-config-examples/docker-compose-linux/ => done
• Setup useful alerts and fix not proplery showing up ones => in progress
• Authentication via Authentik
• Fetch metrics: influx-db sensors, docker, traefik, system

Logs:

• ELK Stack: https://www.elastic.co/blog/getting-started-with-the-elastic-stack-and-docker-compose
• Grafana Loki
• Authentication via Authentik
• Create useful alerts
• Fetch Logs: Traefik, docker, Server

Data:

• Setup Influx DB: https://docs.influxdata.com/influxdb/v2/install/use-docker-compose/=> done
• Send Particular Sensor Data to influx DB
• Send Spacestatus to Influx DB
• Create Grafana Dashboards for Data

• Setup Ansible in Repo => Done by Severin
• Playbook for Server => Done
• Playbook for Docker => in progress
• Add adaption for nextcloud OIDC
• Add swap file => open
• Add docker resource limit => open
• Add docker prune job

Compare Network and MuMaBus

check remaining stuff in the lab, if something depends on old ports: MuMaBus ; Cleanup also acl.conf

• Update homepage => done
• Move homepage to mastodon => done
• Update Homepage content for better information (what is the makerlab, open Thursday) => in progress
• Add FAQ Content: Frequently Asked Questions => done

• shared password safe
• it group email => done
• cleanup old accounts

Connect with Adrian => https://munichmakerlab.slack.com/archives/C79T8NFU7/p1731197933279969

• migrate /etc/system/systemd/docker-traefik.service to use config file => done
• adjust new /data/traefik/config/traefik.yml to integrate MQTT => done
• create mosquito config /data/mqtt/ with old config and new requirements => done
• migrate db /var/lib/mosquitto/mosquitto.db => done
• create /etc/system/systemd/docker-mosquitto.service => done
• test to start new mqqt service and restart traefik => done
• add new ports to ufw => done
• add new ports to ansible ufw: https://github.com/munichmakerlab/infrastructure/tree/debian-security-ansible=> done
• change FQDN to saturn and test => Done
• Test migrated Broker => Done

• wipe and re-install local server with proxmox => vulpix.intern.munichmakerlab.de
• setup home-assistant

=> old local server was removed