TSYSGroupBOD/TSYSGroupHandbook
2
0
Fork 0
Code Pull Requests Actions Packages Projects Releases Activity

moved to knel bizop repo

Browse Source
This commit is contained in:
Charles N Wyble
2024-12-26 15:45:26 -05:00
parent 2d64ea459a
commit 9ad3a8a7eb
38 changed files with 0 additions and 2698 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
src/CIO/.Ulysses-Group.plist
View File

Binary file not shown.

176
src/CIO/KnelCharter.md
View File

@@ -1,176 +0,0 @@
# Known Element Enterprises LLC (KNEL) Charter
- [Known Element Enterprises LLC (KNEL) Charter](#known-element-enterprises-llc-knel-charter)
- [Purpose of this document](#purpose-of-this-document)
- [KNEL Mission](#knel-mission)
- [Accountability](#accountability)
- [Independence](#independence)
- [Areas of responsibility](#areas-of-responsibility)
- [Scope](#scope)
- [Authority](#authority)
- [Assessment and Advisory Services](#assessment-and-advisory-services)
- [Risk Management Services](#risk-management-services)
## Purpose of this document
The purpose of this document is to outline areas of responsibility and operational interaction within KNEL. The reader should be able to obtain the following information from this document:
- Understanding the Organizational Structure of KNEL
- Understanding the Operational Responsibilities of the various hierarchical layers within the Organizational Structure
- Understanding the Intra-Operational Model of KNEL
- Understanding the Inter-Operational Model of KNEL
## KNEL Mission
Known Element Enterprises LLC (KNEL) supports the TSYS Group mission by fostering the information technology , information security/assurance/assessment and privacy approaches across all component
entities of TSYS Group.
KNEL is a top level component entity of TSYS Group. KNEL has total responsibility for procurement, deployment, architecture operational support and retirement of the entire infrastructure stack
used to provision all IT services across TSYS Group.
Known Element Enterprises seeks to establish a very specific culture that provides consistent, long term, zero variable , predictable , successful and stable outcomes in all tasks/projects and ongoing
service delivery and operations.
KNEL core cultural tenants:
- ruthless execution
- outstanding service delivery that pleasantly surprises and delights all stakeholders every time
- integrity and consistency
- privacy
- collaboration
- documentation , knowledge capture and dissemination
- sustainability
- stewardship
- strong information security/information assurance
This culture underpins KNEL ability to be a good steward of TSYS Group information entrusted to it by its stakeholders.
The goal of KNEL is to implement a framework of safeguards to protect the:
- confidentiality (authorized access)
- integrity
- availability
of TSYS Group information technology resources and information, and to ensure TSYS Group is able to meet statutory and regulatory obligations in a manner that enables and respects individual privacy.
## Accountability
The TSYS Group CIO, CISO , VP of Technical Operations and IT Director (the IT Management Committee) manage KNEL assets and staff and are accountable directly to the TSYS Group Board to:
- Establish the strategic direction of KNEL
- Ensure the continuous enhancement and effectiveness of KNEL to present a proactive approach to information security at TSYS Group
- Promote public information sharing throughout TSYS Group
- To provide a one-stop point of information and accountability for information security and privacy at TSYS Group
- Provide periodic assessments on the adequacy and effectiveness of the TSYS Group processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
- Report significant issues affecting privacy, including recommended process improvements, and provide follow-up on mitigation.
- Provide information on the status and results of campus unit security assessments and Privacy Impact Assessments.
- Coordinate with, and provide oversight of, other privacy compliance, control, and monitoring functions.
## Independence
To provide for the independence of KNEL, the IT Management Committee reports directly to the TSYS Group Board. This ensures fierce independence of the IT organization and allows the Board to remain fully informed in it's role of providing effective and engaged group wide oversight and governance.
In too many organizations, IT is stymied by senior management and it results in situations like the Equifax breach or ransomware.
Also by being an independent LLC under TSYS Group, it's able to function on an equal level with other TSYS Group components.
Like all TSYS Group component entities, it has an independent P&L (following the TSYS Group zero internal cost center model).
That's right, IT can be a profit center!
## Areas of responsibility
- Facilities IT (power/cooling/physical security)
- Enterprise IT (hypervisor/storage/networking/monitoring,alerting/backups)
- Platform IT - Data (database,block,object,file stores)
- Platform IT - Middleware (batch/sync/async task execution, API/microservices, enterprise service bus, intra system/application messaging,e-mail)
- Platform IT - Application Runtime (container runtime, legacy applications, PAAS)
- SRE (TSYS Group application catalog)
## Scope
The scope of Information Security/Assurance/Assessment and Privacy comprises multiple focus areas:
- Policy
- Training/Awareness
- Incident Management and Response
- Consulting
- Assessments
- Risk Management
- Survivability
- KNEL develops policies and guidelines to assist technology and information users to understand their responsibilities.
- Through Training and Awareness initiatives, stakeholders learn secure behaviors that support the protection of TSYS Group, as well as personal, information.
- When security incidents or privacy breaches occur, quick and effective response is crucial to limit damage and quickly restore services. The focus area of Incident Management & Response supports this effort by promoting consistent means to prepare, respond to, recover from, and report incidents.
- KNEL partners and consults with component entities across TSYS Group to assist them in meeting their privacy and information security objectives.
- KNEL conducts information security and privacy assessments in accordance with approved plans and its established policies and procedures.
- Risk Management allows units to determine the risks that exist in their environments and how those risks can be reduced or eliminated.
- Survivability supports the planning for recovery of technology services following an emergency or system disruption.
The scope of information security centers on implementing appropriate technical, operational and management controls to protect confidentiality (authorized access), integrity, and availability of resources.
The information privacy scope of work is to determine whether TSYS Group recognizes the risk associated with collecting and storing protected data and that TSYS Group is aware of and in compliance with applicable policies and laws. This supports:
- The expectation that personally identifiable information collected, processed, or stored by TSYS Group is protected from misuse or unauthorized access;
- Limiting personal data collection to only those data items required for legitimate business purposes;
- Respecting the rights of the data owners as guaranteed by laws, regulations, and contractual obligations;
- Confirming TSYS Group organizations incorporate privacy procedures as an integral part of business system design processes;
- Significant legislative or regulatory privacy issues impacting the organization are recognized and addressed properly.
## Authority
KNEL is authorized to:
- Have access to all functions, records, property, and personnel required for information security and privacy assessments.
- Make specific reports directly to TSYS Group Board and other entities as deemed appropriate.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish information security objectives.
- When conducting risk reviews and assessments, obtain the necessary assistance of personnel in TSYS Group units, as well as specialized services from within or outside the organization.
Responsibilities
KNEL has responsibility to:
- Maintain a professional staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter.
- Develop an information security strategy that presents a high-level plan for achieving information security goals.
- Research best practices and technologies that support information security.
- Establish a quality assurance program by which the Director assures the operation of KNEL activities.
## Assessment and Advisory Services
KNEL conducts information security and privacy assessments in accordance with Board approved plans and its established policies and procedures.
KNEL can also conduct independent information security and privacy impact assessments.
Assessment and Advisory services include:
- Developing a flexible annual plan in consultation with the Board using appropriate risk-based methodology, including risks or control concerns identified by TSYS Group corporate/component leadership.
- Examining and evaluating the adequacy and effectiveness of the systems of internal privacy controls.
- Evaluating and assessing significant new or changing services, processes, operations, and controls coincident with their development and implementation.
- In coordination with the Board assessing compliance with laws, regulations, contract/grant provisions, and internal policies, plans, and procedures.
- Reviewing operations or programs to ascertain whether results are consistent with established objectives.
- Performing consulting services, assurance services, to assist component entities in meeting privacy objectives.
- Evaluating emerging information technology audit/assessment trends and implementing best practices.
## Risk Management Services
The focus area of Risk Management is the key to a successful information security program.
Information security is not exact or all-encompassing. No one can ever eradicate all risk of improper, malicious or capricious use of information and resources. The goal of information security is that in a particular situation, the controls are commensurate with the value of the protected resource and weighed against the cost that would be incurred --financial or otherwise - in the event of unauthorized disclosure, degradation, or loss. The process of balancing risks, costs of protection strategies, and resource value is risk management.
Risk Management Services include:
- Partnering with TSYS Group units to conduct risk reviews that highlight strengths and weaknesses of a unit's information security profile;
- Consulting with TSYS Group units determine how best to minimize risk and protect resources;
- Directing assessments of critical program areas or new services to ensure appropriate security controls are in place;
- Perform network monitoring, intrusion detection/prevention, web scanning, and other security procedures to help secure the infrastructure and in response to malicious activity.
- Evaluating new and emerging security strategies and technologies for use in TSYS Group environment;
- Collaborating with the information security technology team to plan and implement the SANS Top 20 Security Controls.

1
src/CIO/Policies/Authentication.md
View File

@@ -1 +0,0 @@
# Policies - Authentication

27
src/CIO/Policies/BusinessContinuityPlan.md
View File

@@ -1,27 +0,0 @@
# TSYS Group - IT Documentation - Policies - Business Continuity Plan
## Data
In the event of a data failure, data should be recovered from the most recent backup, to have as minimal impact on daily operations as possible.
* All data lives canonically at PFV
* All data resides in ZFS volumes on pfv-stor2 and pfv-stor1
* All ZFS volumes are continuously snapshotted in place on array
* All ZFS volumes are replicated at various intervals depending on recovery time objectives to pfv-stor1 backup drive
## Equipment
In the event of an equipment failure, equipment is to be replaced as soon as possible, utlizing insurance policies as necessary to recoup losses imposed. Replacesments are to be obtained, and data recovered, as soon as possible, to have as minimal impact on daily opersation as possible.
## Facility
As of the time of this writing, PFV is the only location, and in the event it should become permanently unavailable, obtaining use of a coworking space, such as WeWork or Capitol Factory, for continued dailiy operations is a must, until new dedicated facilities become available.
## Personnel
* In the event that the CEO is no longer willing or able to perform their duties, the next officer in succession is the CFO. The CFO shall perform the duties of both officers, until such time as a replacement can be found.
* In the event that the CFO is no longer willing or able to perform their duties, the next officer in succession is the CMO. The CMO shall perform the duties of both officers, until such time as a replacement can be found.
* In the event the CMO is no longer willing or able to perform their duties, the CTO shall perform the duties of CEO/CFO/CMO and will be acting CEO/CFO/COM until such time as a replacement can be found.

18
src/CIO/Processes/2fa.md
View File

@@ -1,18 +0,0 @@
# TSYS Group - IT Documentation - Processes - 2fa
- [TSYS Group - IT Documentation - Processes - 2fa](#tsys-group-it-documentation-processes-2fa)
- [Introduction](#introduction)
- [Applications](#applications)
## Introduction
This section is to document 2fa at TSYS.
## Applications
| Application | 2fa supported | 2fa enforced | 2fa documentation from vendor | 2fa enable page |
| ----------- | ------------- | ------------ | ----------------------------- | --------------- |
| Discourse | Yes | No | tbd | tbd |
| Bitwarden | Yes | Yes | tbd | tbd |
| Opnsense | Yes | Yes | tbd | tbd |

1
src/CIO/Processes/MoveToProduction.md
View File

@@ -1 +0,0 @@
# Processes - Move To Production

81
src/CIO/Processes/NewTeamMemberOnboarding.md
View File

@@ -1,81 +0,0 @@
# TSYS Group - IT Documentation - Processes - New Team Member Onboarding
- [TSYS Group - IT Documentation - Processes - New Team Member Onboarding](#tsys-group-it-documentation-processes-new-team-member-onboarding)
- [Introduction](#introduction)
- [Proces Overview](#proces-overview)
- [All users](#all-users)
- [R&D users](#r-d-users)
- [HR tasks](#hr-tasks)
- [Invite user to Discord](#invite-user-to-discord)
- [Inform TSYS point of contact of persons real name and Discord handle](#inform-tsys-point-of-contact-of-persons-real-name-and-discord-handle)
- [IT tasks](#it-tasks)
- [Application Access](#application-access)
- [System Access](#system-access)
- [Facillites Access](#facillites-access)
- [R&D access](#r-d-access)
- [Other tasks](#other-tasks)
- [Introduction](#introduction)
- [IT tasks](#it-tasks)
- [Application Access](#application-access)
- [System Access](#system-access)
- [Facillites Access](#facillites-access)
- [R&D access](#r-d-access)
- [HR tasks](#hr-tasks)
- [Other tasks](#other-tasks)# TSYS Group - IT Documentation - Processes - New Team Member Onboarding
## Introduction
On-boarding is an often overlooked and under documented aspect at companies ranging from startups to established multi national corporations.
We are starting things off right and are in the process of establishing a streamlined on-boarding process. More to come soon, as we work out the
final bugs!
## Proces Overview
### All users
* Invite user to Discord
* Create user account in UCS
* Send initial UCS username/ppassword via discord DM
* Have user change password at https://accounts.knownelement.com
* Once user has changed password, add them to appropriate UCS groups
### R&D users
* Create wireguard config with algo for any user systems
* Send user a discord DM with the algo config / QR
* Have user import TSYS Root CA certificate
## HR tasks
### Invite user to Discord
* Document process
### Inform TSYS point of contact of persons real name and Discord handle
* Document process (erpnext workflow)
## IT tasks
### Application Access
- LDAP Groups
- Application ACLs
### System Access
- Wireguard
- SSH key management
### Facillites Access
### R&D access
## Other tasks

125
src/CIO/Processes/PFVRunbook.md
View File

@@ -1,125 +0,0 @@
# TSYS Group - HQ data center documentation - runbook
- [TSYS Group - HQ data center documentation - runbook](#tsys-group-hq-data-center-documentation-runbook)
- [Introduction](#introduction)
- [Prerequisites and requirements](#prerequisites-and-requirements)
- [Scenarios](#scenarios)
- [Power lost and internet access isn't working after power is restored](#power-lost-and-internet-access-isn-t-working-after-power-is-restored)
- [UPS battery fails](#ups-battery-fails)
- [Air conditioning fails (E5 error)](#air-conditioning-fails-e5-error)
## Introduction
This book covers recovery scenarios for PFV. It is meant to be executed inside the PFV server room.
## Prerequisites and requirements
* Be in the PFV server room
* Have a headlamp so your hands are free
* Go slow and easyo
* Ask for help
* Lift up the cardboard on rack3 (bottom rack of the two half racks next to rack 5), so you can press buttons on the Keyboard/Video/Mouse (KVM) switcher
## Scenarios
### Power lost and internet access isn't working after power is restored
The Virtual machines are set to automatically start on boot of the virtual server hosts. However the virtual server hosts boot faster than the storage hosts.
So a manual intervention is needed to restore service.
Procedure:
Step 1)
Ensure that storage enclosures are at the login prompt. You'll be confirming two systems:
* pfv-stor1
* pfv-stor2
The buttons on the KVM switcher with the label
* s1
* s2
will show you the output from pfv-stor1/pfv-stor2 respectively (on the monitor sitting on top of the UPS rack)
* Press the button with the label s1
* Look at the monitor
* Ensure it's at a login prompt.
* Press the button with the label s2
* Look at the monitor
* Ensure it's at a login prompt.
Step 2)
Restart pfv-vm1
Procedure:
1) reboot the system labeled pfv-vm1:
* Press the button on the KVM switcher labeled v1
* quickly press and let go of the power button (just tap it and release). This will start a shutdown of the system.
* wait for power off and observe the output on the monitor . It will print out status as it shuts down.
* Press the power button and let go of the power button (just tape it and release). This will start the system back up.
* wait for power on and observe the output on the monitor . It will print out status as it starts up and will end at a login prompt.
* wait two minutes
* see if internet is working
2) start the guests by logging into the console of vm1 by typing at the login prompt
root
<password from the envelope in the safe>
Then type: qm start 120
This will start up the router
Then type: qm start 106
This will start up the virtual private network
You can use the command:
``` qm list ```
to get the current state
You may see additional systems other than those listed below, when you run qm list. They are not critical path for production and can be started by ops team once core critical path is operational.
* pfv-vmsrv-01
root@pfv-vm1:~# qm list
VMID NAME STATUS MEM(MB) BOOTDISK(GB) PID
120 pfv-core-rtr01 running 2048 20.00 3786 << this is the virtual router, if it's down, nothing else will work .
106 pfv-vpn running 2048 50.00 12814 << vpn server. No one will be able to access the network remotely if it's down
If the above two systems are functioning , then IT can start up the other systems remotely.
### UPS battery fails
Sometimes the UPS will continue to function, passing through utility power, with an active alarm.
Other times it will fail.
1) Report this to ops team as an incident, including
* which UPS (they are labeled front/back) is having an issue
* nature of the issue (total failure, alarm)
* include a picture of the front which will have some information
2) Replace the battery
* Access printed manual in the file cabinet in server room
* Follow battery replacement procedure
* Take pictures as you pull the battery pack out, to allow for easier re-wiring
* Go to batteries plus with the failed batteries (we replace whole packs at once) and they'll sell you replacements for the pack
* Wire pack and place into UPS
### Air conditioning fails (E5 error)
1) Shut down and unplug air conditioning unit
2) Take air conditioning unit outside (front porch)
3) Drain reservoir

0
src/CIO/Processes/VpnUser.md
View File

14
src/CIO/Processes/VulnerabilityManagmentNotes.md
View File

@@ -1,14 +0,0 @@
# Vulnerability management
* identify total asset base (use nmap and see if it matches librenms and resolve any discrepancies)
* perform scans of total asset base (using openvas/lynis/ossim)
* manage vulnerability ratings/scope
* notify/escalate to appropriate contacts
* address the vulns
* report metrics (i think the apps provide built in dashboards, may need some light modification)
i think ossim can do all the above ,also lynis/openvas (the three combined should provide complete coverage) (network scan/agent based combination)
librenms is our CMDB currently (for identifying assets/contacts). phpipam is our inventory.

30
src/CIO/README.md
View File

@@ -1,30 +0,0 @@
# TSYS Group - CIO Documentation
## Introduction
Welcome to the TSYS Group Handbook - CIO Documentation.
We strive to be as open, transparent and responsive as possible as we support the mission of the TSYS Group and it's component divisions.
We are glad you are here. :)
This manual serves as the sole source of documentation for all IT operations/systems/services of TSYS Group.
We strive to provide a complete suite of services utilizing an almost entirely FLO stack. The FLO exceptions are:
* Office 365 for e-mail
* Neat.com for expense receipt OCR
* Windows 10 workstations
* Apple IOS devices
The entirety of our servers are running Ubuntu 20.04 or later.
Other than the above exceptions, we utilize 100% FLO software to implement every single IT and Business service delivered to
the TSYS group. We hope our documentation helps you do the same.
Our business and IT service stack GIT Repository: <https://git.turnsys.com/TSGTechops/docs-techops>
## Todo list:
<https://git.turnsys.com/TSGTechops/docs-techops/issues>

0
src/CIO/Systems/Admin-AAA/Auditing.md
View File

17
src/CIO/Systems/Admin-AAA/Authentication.md
View File

@@ -1,17 +0,0 @@
# Authentication
## Password Management
### Shared Passwords
* We utilize bitwarden for shared password storage. For example for external vendors, social media etc. All external logins are 2fa.
### Privileged Access
* CEO/CFO have equivalent access in bitwarden, to absolutely everything.
* CIO has very limited access to shared passwords (just for pfv-stor until it's hooked into true command). Does not have access to domain admin or other shared passwords.
* CMO has access to all social media and all wordpress admin (but uses normal account for day to day use)
### VPN Endpoint Creation / Deletion
* Ansible recipe for algo (update users.yml and re-run ansible) (document more soon)

0
src/CIO/Systems/Admin-AAA/Authorization.md
View File

271
src/CIO/Systems/Admin-Application/AppsAndServices.md
View File

@@ -1,271 +0,0 @@
# TSYS / Redwood Group Applications and Services
The goal of this section is to document all applications and services utilized by TSYS Group.
Welcome to the future, welcome to the first open source conglomerate! We have broken the page up into a number of sections, to aid navigation.
To our knowledge, we are the only organization in the known universe to fully document our stack and to fully open source it. Enjoy!
Go forth and create your own conglomerates! Solve big problems!
- [TSYS / Redwood Group Applications and Services](#tsys--redwood-group--applications-and-services)
- [Web Properties](#web-properties)
- [Redwood Group Properties](#redwood-group-properties)
- [Non Profit Properties](#non-profit-properties)
- [For Profit Properties](#for-profit-properties)
- [Coop Properties](#coop-properties)
- [Misc Properties](#misc-properties)
- [Services](#services)
- [Externally provided services](#externally-provided-services)
- [Internally provided services](#internally-provided-services)
- [R&D Applications](#rd-applications)
## Web Properties
### Redwood Group Properties
The below table documents the not primarily for profit entities performing capital raising and management for TSYS Group entities and their members.
All sites below are proudly powered by the TSYS Wordpress platform.
| Entity | Description | Website |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------------ |
| Redwood Group LLC | Sibling organization to TSYS Group for all capital raising and management | <https://www.redwgr.com> |
| Redwood Springs Capital Partners Management Co LLC | management company of the various funds setup to finance TSYS Group operations | <https://www.rwscp.net> |
| Redwood Family Office LLC | Wealth management/healthcare/estate planning/tax advice broker for LLC members and their families | <https://www.redwfo.com> |
### Non Profit Properties
The below table documents the non profit entities performing the educational, advocacy, lobbying and legislative functions for TSYS Group.
All sites below are proudly powered by the TSYS Wordpress platform.
| Entity | Description | Website |
| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| Americans For A Better Network INC | A non profit (seeking 501c3 status) to educate americans about internet provider choices | <https://www.afabn.org> |
| Free Network Foundation INC | A defunct 501c3 (replaced by AFABN) | <https://www.thefnf.org> |
| Free Network Foundation INC | (wiki) comprehensive body of knowledge about community networking | <https://commons.thefnf.org> |
| Free Network Foundation INC | (static files) Assets (pdfs etc) linked from blog/wiki | <https://staticbits.thefnf.org> |
| Side Door (Solutions) Group INC | A non profit (seeking 501c4) / PAC to drive the necessary legislative and executive changes to enable internet for all | <https://www.sidedoorgroup.org> |
| TSYS Group Non Profit Portal | Landing page for non profits | <https://nonprofit.turnsys.com> |
### For Profit Properties
The below table documents the not primarily for profit entities performing the R&D and providing supporting services functions for TSYS Group.
All sites below are proudly powered by the TSYS Wordpress platform.
| Entity | Description | Website |
| ------------------------------------------ | ---------------------------------------------------------------------------------------------- | ------------------------------------ |
| Axios Heart Studios LLC | Art, 2d,3d and other fabrication services for TSYS Group | <https://www.axiosheartstudios.com> |
| Suborbital Systems Development Company LLC | Manufacturer of Morse product line - technical blog and information | <https://www.suborbital-systems.com> |
| Suborbital Systems Development Company LLC | Manufacturer of Morse product line - product page | <https://www.meetmorse.com> |
| RackRental LLC | network and lab equipment rental by the hour for training, config testing, competitive testing | <https://www.rackrental.net> |
| Team Rental LLC | HR/staffing of IT/dev professionals (2 million net new job goal by 2025) | <https://www.teamrental.net> |
| Known Element Enterprises LLC | IT/business back office services | <https://www.knownelement.com> |
| Your Dream Name Here LLC | Business in a box | <https://www.yourdreamnamehere.com> |
| The PeerNet LLC | Community, media, public relations / (live/time shifted) streaming/broadcast service | <https://www.thepeernet.com> |
| The PeerNet LLC | Software platform powering ThePeerNet.com service | <https://www.ezpodstack.org> |
### Coop Properties
The below table documents the fairshares cooperatives for financing, building, owning and operating community networks.
| Entity | Description | Website |
| ----------------------------------------- | -------------------------------------------------------- | -------------------------------- |
| High Flight Network Finance Company LLC | Financing network builds | <https://www.hfnfc.net> |
| High Flight Network Operating Company LLC | User owned/operated network backbone | <https://www.hfnoc.net> |
| KickFund.me LLC | Crowdfunding of network and other infrastructure builds | <https://www.kickfund.me> |
| The Campus Trading Co LLC | treasury/investment management/market and other research | <https://www.thecampustrade.com> |
### Misc Properties
| Entity | Description | Website |
| -------------------- | -------------------------------------- | -------------------------------- |
| CNWCO LLC | Charles Wyble blog | <https://www.reachableceo.com> |
| Turn Net Systems LLC | Overall entity for many subsidiary LLC | <https://www.turnsys.com> |
| Turn Net Systems LLC | Governance information for TSYS group | <https://governance.turnsys.com> |
## Services
### Externally provided services
The below table documents the handful of things TSYS Group has yet to vertically integrate and turn into a profit center.
These are not free/libre/open services, that are externally hosted and represent a cost center.
| Function | Vendor Link |
| ----------------------------------------------- | -------------------------------------------------------------------------------------- |
| Corporate email | <https://www.microsoft.com/en-us/microsoft-365/buy/compare-all-microsoft-365-products> |
| OCR for expense management | <https://www.neat.com/> |
| Payment processing | <https://www.paypal.com/> <https://squareup.com/us/en)/> <https://stripe.com/> |
| Payment, treasury operations, wealth management | <https://www.goamplify.com/>) |
| Tax prep/audit and other CPA services | (coming soon) |
| Domain Registrar , DNS, | <https://www.ovh.com/ca/en/>) |
| Live audio/video and text chat | <https://discord.com/>) |
### Internally provided services
These are hosted services (internally hosted by IT) and accessed via either a thick client application or a web browser.
They are provided by Known Element Enterprises LLC.
| Function | Vendor | Application Instance |
| ---------------------------------------------- | --------------------------------------------------------------- | -------------------------------------------------- |
| Storage Array for enterprise wide use | <https://www.freenas.org/> | <http://pfv-stor1.turnsys.net/> |
| Storage Array for RackRental use | <https://www.freenas.org/> | <http://pfv-stor2.turnsys.net/> |
| Ad blocking | <https://pi-hole.net/> | <http://pihole1.turnsys.net/admin> |
| Ad blocking | <https://pi-hole.net/> | <http://pihole2.turnsys.net/admin> |
| IAM | <https://www.gluu.org/> | <https://accounts.turnsys.com> |
| Artifact store | <https://archiva.apache.org/> | <https://artifacts.turnsys.com> |
| Zero trust,BeyondCorp | <https://www.trasa.io/docs/> | <https://beyondcorp.turnsys.com/> |
| Billing platform | <https://killbill.io/> | <https://billing.turnsys.com> |
| Shared Bookmarks | <https://github.com/shaarli/Shaarli> | <https://bookmarks.knownelement.com/> |
| Building Automation | <https://www.home-assistant.io/> | <https://buildauto.turnsys.net/> |
| CAD | <https://collabcad.gov.in/eCollabCAD/> | <https://cad.turnsys.com> |
| CI/CD | <https://www.jenkins.io/> | <https://ci.turnsys.com/> |
| Support forum/KB/general discussion | <https://www.discourse.org/> | <https://community.turnsys.com/> |
| Editing of audio | <https://github.com/Yahweasel/craig | <https://craig.thepeernet.com> |
| Customer data analytics and management | <https://github.com/rudderlabs> | <https://custdash.turnsys.com> |
| Database access | <https://www.metabase.com/> | <https://db.turnsys.com> |
| ERP | <https://erpnext.org/> | <https://erp.turnsys.com/> |
| WebForms | <https://easyforms.dev/> | <https://forms.turnsys.com> |
| Configuration management | <https://github.com/team-video/aviary.sh> | <https://git.turnsys.com/TSGTechops/ConfigMgmt> |
| Source code management | <https://gitea.io/en-us/> | <https://git.turnsys.com> |
| Docker registry | <https://goharbor.io/> | <https://docker-reg.turnsys.com> |
| Customer Helpdesk | <https://freescout.net/> | <https://support.turnsys.com> |
| Business logic/workflow execution | <https://github.com/huginn/huginn> | <https://huginn.turnsys.com> |
| Asset management/inventory | <https://glpi-project.org/> | <https://inventory.turnsys.com/> |
| Mobile Device Management | <https://www.flyve-mdm.com/> | <https://inventory.turnsys.com> |
| SSH Jump <audited,logged,2fa etc> | <https://www.bastillion.io/> | <https://jumpssh.turnsys.com/> |
| Code Notebook | <https://www.github.com/jupyter/enterprise_gateway> | <https://jupyter.turnsys.com> |
| Engineering Notebook | <https://www.elabftw.net/> | <https://labnotebook.turnsys.com> |
| Training/coursework | <https://www.instructure.com/canvas/> | <https://learn.turnsys.com> |
| Mail Archiving/retention/legal/regulatory hold | <https://www.mailpiler.org/wiki/start> | <https://legalhold.turnsys.com> |
| Email Discussion lists | Mailman | <https://mailman.turnsys.com> |
| Marketing Campaigns | <https://www.mautic.org/> | <https://marketing.iurnsys.com/> |
| Out of band system access | <https://www.meshcommander.com/meshcommander> | <https://meshoob.turnsys.net> |
| Budget/Finance analytics/modeling etc | <https://www.firefly-iii.org/> | <https://moneystuff.turnsys.com/> |
| Service Availability Monitoring | <https://www.librenms.org/> | <https://halfthefarm.turnsys.com/> |
| File sync/Groupware | <https://nextcloud.com/hub/> | <https://nextcloud.turnsys.com/> |
| Video surveillance | <https://shinobi.video/> | <https://nvr.turnsys.net> |
| Automated Security Auditing and reporting | <https://openvas.org/> | <https://openvas.turnsys.com/> |
| Pastebin | <https://github.com/claudehohl/Stikked> | <https://paste.turnsys.com> |
| IP Routing/firewalling/DHCP/IDS/IPS/Proxy etc | <https://opnsense.org/> | <https://pfv-core-rtr01.turnsys.net/> |
| IP Routing/firewalling/DHCP/IDS/IPS/Proxy etc | <https://opnsense.org/> | <https://pfv-core-rtr02.turnsys.net/> |
| Photo Management | <https://piwigo.org/> | <https://photos.turnsys.com/> |
| IP Address Management | <https://phpipam.net/> | <https://phpipam.turnsys.com/index.php?page=login> |
| Outbound Newsletters | <https://www.phplist.com/> | <https://phplist.turnsys.com/lists/admin/> |
| Password Management | <https://github.com/dani-garcia/bitwarden_rs> | <https://pwvault.turnsys.com> |
| Secrets Management | <https://github.com/envwarden/envwarden> | <https://pwvault.turnsys.com> |
| Read later | <https://wallabag.com>> | <https://readlater.turnsys.com> |
| Research archive management | <https://archivebox.io/> | <https://research.turnsys.com> |
| Document review/change tracking workflow | <https://www.reviewboard.org/> | <https://review.turnsys.com/> |
| RSS Feed Management | <https://www.freshrss.org/> | <https://rss.knownelement.com> |
| orchestration | <https://www.rundeck.com/open-source> | <https://rundeck.turnsys.net/> |
| Document Creation and management | <https://sandstorm.io/> | <https://sandstorm.turnsys.com> |
| Full text Search | <https://ambar.cloud/> | <https://search.turnsys.com> |
| Host IDS / SIEM | <https://wazuh.com/> | <https://siem.turnsys.com> |
| Streaming of live audio/video | <https://openstreamingplatform.com/> | <https://streaming.thepeernet.com/> |
| Backups | BareOS | <https://tsys-dc-01.turnsys.net/bareos-webui/> |
| Inbound PSTN voice communications | <https://www.sipwise.com/> | <https://voice.turnsys.com> |
| Voting | TBD | <https://voting.turnsys.com> |
| Web Analytics | <https://matomo.org/> | <https://webstats.turnsys.com/> |
| Shared whiteboard | <https://wbo.ophir.dev/> | <https://whiteboard.turnsys.com/> |
| 501c3 donor management/CRM | <https://civicrm.org/home> | <https://www.afabn.org/crm> |
| 501c4 donor management/CRM | <https://civicrm.org/home> | <https://www.sidedoorgroup.org/crm> |
| Streaming of time shifted audio/video | <https://git.turnsys.com/ThePeerNetwork/PodcastAsAServiceStack> | N/A |
| Serverless | <https://github.com/openfaas/faasd/> | N/A |
| Offline Root CA | <https://hohnstaedt.de/xca/> | N/A |
| On demand system provisioning | <https://maas.io/> | N/A |
| Internal CA | <https://github.com/cloudflare/cfssl> | N/A (API Driven) |
| Business Process Mapping | TBD | TBD |
| Computer aided dispatch | TBD | TBD |
| E-signature and contract management | TBD | TBD |
| Process mining | TBD | TBD |
>
## R&D Applications
These are thick client applications installed locally on a developer workstation.
This software has two modes of deployment:
- downloaded from the vendor and setup on your physical workstation (used for dev/testing/experimenting)
- downloaded from the /subo directory and ran on your physical workstation or run from the /subo directory on a virtual workstation you login to remotely
The software that is built/deployed in /subo is the only version approved for production use.
The exception to that is if it has an OTS notation next to it's name, in which case you can use the latest stable version from the vendor.
| Program | Used By | Link | Product Scope |
| -------------------- | ------------------ | ------------------------------------------------------------------------ | ------------------------------------------------- |
| android studio (OTS) | Team-SwEng | <https://developer.android.com/studio> | MorsePod |
| argouml (OTS) | All | <https://github.com/argouml-tigris-org/argouml> | All |
| bitwaden (OTS) | All | <https://bitwarden.com/> | N/A |
| Blender | Team-MechEng/HwEng | <https://www.blender.org/> | MorseFlyer, MorseSkynet |
| bonita (OTS) | All | <https://www.bonitasoft.com/> | All |
| calibre (OTS) | All | <https://calibre-ebook.com/> | N/a |
| camotics | Team-MechEng | <https://camotics.org/> | MorseFlyer (avionics), MorseSkynet |
| chisel | Team-HwEng | <https://www.chisel-lang.org/> | MorseSkynet |
| CodeAster | Team-MechEng | <https://www.code-aster.org/V2/spip.php?rubrique2> | MorseFlyer (envelope/parafoil/airframe) |
| Cubit Toolkit | Team-MechEng | <https://cubit.sandia.gov/> | MorseFlyer (envelope/parafoil/airframe) |
| CUDA SDK | Team-HwEng | <https://developer.nvidia.com/cuda-zone> | MorseFlyer (envelope/parafoil/airframe) |
| Cura | Team-MechEng | <https://ultimaker.com/software/ultimaker-cura> | MorseFlyer (envelope/parafoil/airframe) |
| DbEaver(OTS) | Team-SwEng | <https://dbeaver.io/> | MorseFlyer(avionics), RacKRental.net, HFNOC |
| docear (OTS) | All | <https://docear.org/> | N/A |
| Docker Desktop (OTS) | All | <https://www.docker.com/products/docker-desktop> | All |
| embitz (OTS) | Team-SwEng/HwEng | <https://www.embitz.org/> | MorseSkynet |
| Esim | Team-HwEng | <https://esim.fossee.in/> | MorseFlyer (avionics), MorseSkynet |
| Flora | Team-HwEng/SwEng | <https://flora.aalto.fi/> | MorseFlyer (avionics), MorseSkynet |
| Freecad | Team-MechEng/HwEng | <https://github.com/FreeCAD> | MorseFlyer, MorseSkynet |
| gerber2graphtec | Team-HwEng | <https://github.com/pmonta/gerber2graphtec> | MorseFlyer, MorseSkynet |
| gerber2graphtec | Team-HwEng | <https://github.com/colinoflynn/gerber2graphtec/>> | MorseFlyer, MorseSkynet |
| Gerby | Team-HwEng | <http://gerbv.geda-project.org/> | MorseFlyer (avionics), MorseSkynet |
| ghidra (OTS) | Team-SwEng | <https://ghidra-sre.org/> | ALl (SDLC) |
| gnuradio | Team-HwEng | <https://www.gnuradio.org/> | MorseSkynet |
| GprMax | Team-HwEng | <https://github.com/gprMax/gprMax> | MorseFlyer (avionics), MorseSkynet |
| grass gis (OTS) | Team-SwEng | <https://grass.osgeo.org/> | HFNOC |
| graywolf | Team-HwEng | <https://github.com/rubund/graywolf> | MorseSkynet |
| inkscape | Team-HwEng/MechEng | <https://inkscape.org/> | MorseFlyer, MorseSkynet |
| jxplorer (OTS) | Team-IT | <http://jxplorer.org/> | HFNOC/HFNFC |
| keybase | All | <https://keybase.io> | N/A |
| Kicad | Team-HwEng | <https://gitlab.com/kicad/code/kicad> | MorseFlyer (avionics), MorseSkynet |
| Librecad | Team-MechEng/HwEng | <https://librepcb.org/> | MorseFlyer, MorseSkynet |
| LibrePCB | Team-hwEng | <https://librepcb.org/> | MorseFlyer (avionics), MorseSkynet |
| metasploit | Team-SwEng | <https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers> | All (SDLC) |
| Microsoft R (OTS) | Team-HwEng | <https://mran.microsoft.com/open> | MorseFlyer (envelope/parafoil/airframe)(avionics) |
| NasaTran95 | Team_MechEng | <https://github.com/nasa/trick> | MorseFlyer (envelope/parafoil/airframe) |
| NasaTrick | Team_MechEng | <https://github.com/nasa/trick> | MorseFlyer (envelope/parafoil/airframe) |
| NgSpice | Team-HwEng | <http://ngspice.sourceforge.net/resources.html> | MorseFlyer (avionics), MorseSkynet |
| obs (OTS) | All | <https://obsproject.com/> | N/A |
| Octave | Team-MechEng | <https://hg.savannah.gnu.org/hgweb/octave> | MorseFlyer (envelope/parafoil/airframe) |
| OneLAB | Team-MechEng | <http://onelab.info/> | MorseFlyer (envelope/parafoil/airframe) |
| open 3d model viewer | Team-MechEng | <https://acgessler.github.io/open3mod/> | MorseFlyer (envelope/parafoil/airframe) |
| OpenGribs | Team-SwEng | <https://opengribs.org/en/> | HFNOC |
| openscap (OTS) | Team-IT | <https://www.open-scap.org/tools/scap-workbench/> | All (SDLC) |
| OpenVSP | Team-MechEng | <http://openvsp.org/> | MorseFlyer (envelope/parafoil/airframe) |
| OWASP Threat Dragon | Team-SwEng | <https://owasp.org/www-project-threat-dragon/> | All (SDLC) |
| Pandoc (OTS) | All | <https://pandoc.org/> | All |
| Paraview | Team-MechEng | <https://www.paraview.org/> | MorseFlyer (envelope/parafoil/airframe) |
| PHP runtime | Team-SwEng | <http://devilbox.org/> | RackRental |
| polar (OTS) | All | <https://getpolarized.io/> | N/a |
| postman (OTS) | Team-SwEng | <https://www.postman.com/> | RackRental/HFNOC |
| qgis (OTS) | Team-SwEng | <https://qgis.org/en/site/> | HFNOC |
| qrouter | Team-HwEng | <http://opencircuitdesign.com/qrouter/> | MorseFlyer (avionics), MorseSkynet |
| rstudio (OTS) | Team-HwEng | <https://www.rstudio.com/> | MorseFlyer (envelope/parafoil/airframe) |
| SciKit-RF | Team-HwEng | <https://scikit-rf.readthedocs.io/en/latest/> | MorseFlyer (avionics), MorseSkynet |
| SciLab | Team-MechEng | <https://www.scilab.org/> | MorseFlyer (envelope/parafoil/airframe) |
| sdrsharp | Team-HwEng | <https://www.rtl-sdr.com/tag/sdrsharp/> | MorseSkynet |
| Solvespace | Team-MechEng | <https://solvespace.com/index.pl> | MorseFlyer, MorseSkynet |
| sweethome3d (OTS) | Team-MechEng | <http://www.sweethome3d.com/> | MorseCollective |
| udig (OTS) | Team-SwEng | <http://udig.refractions.net/> | HFNOC |
| VirtualSatellite | Team_MechEng | <https://github.com/virtualsatellite> | MorseFlyer (envelope/parafoil/airframe) |
| vym (OTS) | All | <http://www.insilmaril.de/vym/> | All |
| Warp3d | Team_MechEng | <http://www.warp3d.net/> | MorseFlyer (envelope/parafoil/airframe) |
| worldwind (OTS) | Team-HwEng | <https://worldwind.arc.nasa.gov/> | HFNOC |
| xilinx | Team-HwEng | <https://www.xilinx.com/> | MorseSkynet |
| Xilinx | Team-HwEng | <https://www.xilinx.com/support/download.html> | MorseSkynet |
| YoSys | Team-HwEng | <http://www.clifford.at/yosys/> | MorseSkynet |
| Evolus Pencil | Team-Design | <https://pencil.evolus.vn/> | All |
| yEd | Team-Design | <https://www.yworks.com/products/yed> | All |
| oss-fuzz | Team-IT | <https://github.com/google/oss-fuzz> | All |
| cluster fuzz | Team-IT | <https://github.com/google/clusterfuzz> | All |

98
src/CIO/Systems/Admin-Application/RuntimeLayer.md
View File

@@ -1,98 +0,0 @@
# TSYS Group Web Application Runtime Layer
## Introduction
The TSYS Group needs a web application runtime layer for it's myriad of applications.
## Broad Requirements for runtime layer
* No single point of failure
* High availability/auto recovery for containers
* Distributed/replicated persistent storage for containers
## Major components of runtime environment
### storage
Replicated storage that fulfills the persistent volume claim of docker containers.
Deployed on www1,2,3 virtual machines (k3s worker nodes).
Deployed on subord virtual machine (k3s worker node for r&d).
Using longhorn
### container runtime, control plane, control panel
* Kubernetes load balancer , (metallb). Only TCP load balancing is used , as all intelligence (certs/layer 7 etc) is handled by Opnsense
* Kubernetes runtime environment (k3s from Rancher labs)
* workers
* control plane
* control panel
* Kubernetes runtime environment control panel
* Rancher
* authenticates to TSYS LDAP
Control plane is deployed on db1,2,3
Workers are deployed on www1,2,3
### Core container functionality (running as containers on the platform)
* docker registry
* IAM
* API gateway
* Jenkins
* all the above installed as containers running on the kubernetes runtime.
* all the above configured for LDAP authentication
* all the above no other configuration of the components would be in scope
### Applications to deploy/migrate on the runtime platform
### PAAS
* blue/green and other standard deployment methodologies
* able to auto deploy from ci/cd
* orchestrate all of the primitives (load balancer, port assignment etc) (docker-compose target? helm chart? is Rancher suitable?)
## General notes
## A suggested prescriptive technical stack / Work done so far
Followed some of this howto:
<https://rene.jochum.dev/rancher-k3s-with-galera/>
Enough to get k3s control plane and workers deployed:
```
root@db1:/var/log/maxscale# kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
db2 Ready control-plane,master 30d v1.20.4+k3s1 10.251.51.2 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
db3 Ready control-plane,master 30d v1.20.4+k3s1 10.251.51.3 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
db1 Ready control-plane,master 30d v1.20.4+k3s1 10.251.51.1 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
www1 Ready <none> 30d v1.20.4+k3s1 10.251.50.1 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
www2 Ready <none> 30d v1.20.4+k3s1 10.251.50.2 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
root@db1:/var/log/maxscale#
```
and a bit of load balancing setup going:
```
fenixpi% kubectl get pods -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
metallb-system speaker-7nsvs 1/1 Running 10 30d 10.251.51.2 db2 <none> <none>
kube-system metrics-server-86cbb8457f-64ckz 1/1 Running 18 16d 10.42.2.23 db1 <none> <none>
kube-system local-path-provisioner-5ff76fc89d-kcg7k 1/1 Running 34 16d 10.42.2.22 db1 <none> <none>
metallb-system controller-fb659dc8-m2tlk 1/1 Running 12 30d 10.42.0.42 db3 <none> <none>
metallb-system speaker-vfh2p 1/1 Running 17 30d 10.251.51.3 db3 <none> <none>
kube-system coredns-854c77959c-59kpz 1/1 Running 13 30d 10.42.0.41 db3 <none> <none>
kube-system ingress-nginx-controller-7fc74cf778-qxdpr 1/1 Running 15 30d 10.42.0.40 db3 <none> <none>
metallb-system speaker-7bzlw 1/1 Running 3 30d 10.251.50.2 www2 <none> <none>
metallb-system speaker-hdwkm 0/1 CrashLoopBackOff 4633 30d 10.251.51.1 db1 <none> <none>
metallb-system speaker-nhzf6 0/1 CrashLoopBackOff 1458 30d 10.251.50.1 www1 <none> <none>
```
Beyond that, it's greenfield.

94
src/CIO/Systems/Admin-Application/WebServerSetupNotes.md
View File

@@ -1,94 +0,0 @@
# TSYS Group - IT Documentation - Applications - Web Server Setup
- [TSYS Group - IT Documentation - Applications - Web Server Setup](#tsys-group-it-documentation-applications-web-server-setup)
- [packages to install](#packages-to-install)
- [php modifications](#php-modifications)
- [memcache](#memcache)
- [php config changes](#php-config-changes)
- [apache](#apache)
- [apache configuration mods needed](#apache-configuration-mods-needed)
- [apache modules needed](#apache-modules-needed)
- [apache tweaks performed](#apache-tweaks-performed)
- [scripts to load](#scripts-to-load)
- [TSYS root ca and UCS DC root cert](#tsys-root-ca-and-ucs-dc-root-cert)
These notes capture actions taken to build the www vm around 9/15 to 10/1 2020.
## packages to install
* php stuff and other packages needed :
```console
sudo apt install memcached php7.4 php7.4-mysqli php7.4-fpm php7.4-mbstring php7.4-xml php7.4-imap php7.4-json php7.4-zip php7.4-gd php7.4-curl php7.4-ldap php7.4-gd php7.4-gmp php-par php-apcu jq unzip python3-pip —no-install-recommends
```
## php modifications
### memcache
root@www:/etc/php/7.4/fpm/conf.d# grep -v ^\; 20-memcache.ini
extension=memcache.so
[memcache]
memcache.allow_failover="1"
memcache.max_failover_attempts="20"
memcache.default_port="11211"
memcache.hash_strategy="consistent"
session.save_handler="memcache"
session.save_path = 'tcp://10.251.51.1:11211,tcp://10.251.51.2:11211,tcp://10.251.51.3:11211'
memcache.redundancy=1
memcache.session_redundancy=4
### php config changes
Timezone
## apache
### apache configuration mods needed
-- alter site config for fpm socket to php7.4-fpm (from 7.3) (socket path)
### apache modules needed
* headers
* deflate
* rewrite
* proxy
* proxy_http
* proxy_fcgi
* cache_disk
### apache tweaks performed
* 1153 sudo a2dismod mpm_prefork
* 1154 sudo a2enmod mpm_event
* 1155 sudo apt install libapache2-mod-fcgid
* 1156 sudo a2enconf php7.2-fpm
* 1157 sudo a2enconf php7.-fpm
* 1158 sudo a2enconf php7.4-fpm
## scripts to load
```console
sandstorm-cert.sh
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.sandstorm.turnsys.com' -d sandstorm.turnsys.com
```
## TSYS root ca and UCS DC root cert
Without having the domain root cert present, none of the apps will be able to validate teh domain controller certificate presented during authentication.
```console
root@www:/usr/local/share/ca-certificates# ls -l
total 12
drwxr-xr-x 2 root root 4096 Sep 28 20:43 extra
lrwxrwxrwx 1 root root 13 Sep 28 20:44 tsys-root.crt -> tsys-root.pem
-r--r--r-- 1 root root 822 Sep 28 20:43 tsys-root.pem
lrwxrwxrwx 1 root root 12 Sep 28 20:44 ucs-root.crt -> ucs-root.pem
-rw-r--r-- 1 root root 2094 Sep 28 20:43 ucs-root.pem
root@www:/usr/local/share/ca-certificates#
```

50
src/CIO/Systems/Admin-DataCenter/cooling/PFVCooling2021.md
View File

@@ -1,50 +0,0 @@
# TSYS Group - HQ data center documentation - cooling
## Introduction
Cooling is a critical component of any data center. It is often the dominate consumer of energy.
We keep our data center at about 70 degrees F.
## Make / model
We have a
* HiSense Portable Air Conditioner (standalone) the manual lists several possible models, unsure which exact one we have. It was about 700.00 at Lowes with a multiple year replacement warranty.
which is rated for:
* 15,000 BTU
It draws about 7 amps when the compressor is running.
With our heat load, the compressor does cycle on/off ,so it keeps cool pretty efficiently from an energy perspective.
## Tips/tricks
* Extended exhaust house
We moved the air conditioner to the front of the racks (cold aisle) and extended the exhaust
hose todo so.
* Heat barrier
We deployed a cardboard heat barrier above the racks, to keep hot air behind the racks. We also have a vent duct (made of cardboard) to a panel we removed above the doorway.
* Insulation
* Insulate the exhaust hose!
* Air movers
* We have a tower fan in the hot row (back), pushing the heat towards the duct.
* We have two small blowers in the cold row (front) helping "kick back" the air blowing from the HiSense.
## Instrumentation
We use:
* temper usb probe
* lm-sensors
* DRAC
all consumed via SNMP by librenms to monitor/alert on temperature.This lets us find hot/cold spots across the racks and make any necessary adjustments.

80
src/CIO/Systems/Admin-DataCenter/hypervisor/HighPerformanceSetting.md
View File

@@ -1,80 +0,0 @@
pfv-servers - performance
## vm 1-3 (optiplex)
### Commands to run
* cpupower frequency-set --governor performance
### links to reference
https://itectec.com/ubuntu/ubuntu-how-to-set-performance-instead-of-powersave-as-default/
https://www.cult-of-tech.net/2018/08/linux-ubuntu-cpu-power-frequency-scaling/
https://askubuntu.com/questions/1021748/set-cpu-governor-to-performance-in-18-04
https://metebalci.com/blog/a-minimum-complete-tutorial-of-cpu-power-management-c-states-and-p-states/
## vm 4/6 (xeon poweredge)
Appears to only run at the full frequency (which is what I want)
## Keep the NIC awake
notes taken on 03/20/2021 at 18:28
vm1/2/3 use intel nic
https://downloadcenter.intel.com/download/15817 is the driver (e1000e)
### vm1
root@pfv-vm1:/usr/local/bin# ethtool -i eno1
driver: e1000e
version: 3.2.6-k
firmware-version: 0.13-4
expansion-rom-version:
bus-info: 0000:00:19.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 04)
### vm2
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
root@pfv-vmsrv-02:~# ethtool -i enp0s25
driver: e1000e
version: 3.2.6-k
firmware-version: 0.13-3
expansion-rom-version:
bus-info: 0000:00:19.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
### vm3
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
ethtool -i enp0s25
driver: e1000e
version: 3.2.6-k
firmware-version: 0.13-4
expansion-rom-version:
bus-info: 0000:00:19.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

10
src/CIO/Systems/Admin-DataCenter/hypervisor/code/fixcpuperf.sh
View File

@@ -1,10 +0,0 @@
#!/bin/bash
#Script to set performance.
cpufreq-set -r -g performance
cpupower frequency-set --governor performance

59
src/CIO/Systems/Admin-DataCenter/hypervisor/code/newsrv.sh
View File

@@ -1,59 +0,0 @@
#!/bin/bash
#Setup a new server base
#curl -s http://dl.turnsys.net/newSrv.sh|/bin/bash
apt-get -y --purge remove nano
apt-get -y install ntp ntpdate
systemctl stop ntp
ntpdate 10.251.37.5
apt-get update
apt-get -y full-upgrade
apt-get -y install glances htop dstat snmpd screen lldpd lsb-release net-tools sudo gpg molly-guard lshw
rm -rf /usr/local/librenms-agent
curl -s http://dl.turnsys.net/librenms-agent/distro > /usr/local/bin/distro
chmod +x /usr/local/bin/distro
curl -s http://dl.turnsys.net/librenms.tar.gz > /usr/local/librenms.tar.gz
cd /usr/local ; tar xfs librenms.tar.gz
systemctl stop snmpd ; curl -s http://dl.turnsys.net/snmpd.conf > /etc/snmp/snmpd.conf
sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
systemctl daemon-reload
systemctl restart snmpd
/etc/init.d/rsyslog stop
cat <<EOF> /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
*.* @10.251.30.1:514
EOF
/etc/init.d/rsyslog start
logger "hi hi from $(hostname)"
bash <(curl -Ss https://my-netdata.io/kickstart.sh) --dont-wait
echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list
wget -q -O- http://www.webmin.com/jcameron-key.asc | sudo apt-key add
sudo apt update
sudo apt-get -y install webmin

36
src/CIO/Systems/Admin-DataCenter/hypervisor/code/omsa.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
#install dell omsa
#curl -s http://dl.turnsys.net/omsa.sh|/bin/bash
gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-key 1285491434D8786F
gpg -a --export 1285491434D8786F | apt-key add -
echo "deb http://linux.dell.com/repo/community/openmanage/930/bionic bionic main" > /etc/apt/sources.list.d/linux.dell.com.sources.list
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-curl-client-transport1_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-client4_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman1_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-server1_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-sfcc/libcimcclient0_2.2.8-0ubuntu2_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/openwsman_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/multiverse/c/cim-schema/cim-schema_2.48.0-0ubuntu1_all.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-sfc-common/libsfcutil0_1.0.1-0ubuntu4_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/multiverse/s/sblim-sfcb/sfcb_1.4.9-0ubuntu5_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-cmpi-devel/libcmpicppimpl0_2.0.3-0ubuntu2_amd64.deb
dpkg -i libwsman-curl-client-transport1_2.6.5-0ubuntu3_amd64.deb
dpkg -i libwsman-client4_2.6.5-0ubuntu3_amd64.deb
dpkg -i libwsman1_2.6.5-0ubuntu3_amd64.deb
dpkg -i libwsman-server1_2.6.5-0ubuntu3_amd64.deb
dpkg -i libcimcclient0_2.2.8-0ubuntu2_amd64.deb
dpkg -i openwsman_2.6.5-0ubuntu3_amd64.deb
dpkg -i cim-schema_2.48.0-0ubuntu1_all.deb
dpkg -i libsfcutil0_1.0.1-0ubuntu4_amd64.deb
dpkg -i sfcb_1.4.9-0ubuntu5_amd64.deb
dpkg -i libcmpicppimpl0_2.0.3-0ubuntu2_amd64.deb
apt update
#apt -y install srvadmin-all
touch /opt/dell/srvadmin/lib64/openmanage/IGNORE_GENERATION
#logout,login, then run
# srvadmin-services.sh enable && srvadmin-services.sh start

12
src/CIO/Systems/Admin-DataCenter/hypervisor/code/prox.sh
View File

@@ -1,12 +0,0 @@
#!/bin/bash
#Make a proxmox server
rm -f /etc/apt/sources.list.d/*
echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg # optional, if you have a non-default umask
apt update && apt -y full-upgrade
apt-get -y install ifupdown2 ipmitool ethtool net-tools lshw
curl -s http://dl.turnsys.net/newSrv.sh|/bin/bash

17
src/CIO/Systems/Admin-DataCenter/networking/PFV-LAN.md
View File

@@ -1,17 +0,0 @@
# PFV Local Area Network
- [PFV Local Area Network](#pfv-local-area-network)
- [Introduction](#introduction)
- [Subnets](#subnets)
- [Diagram](#diagram)
- [Security considerations](#security-considerations)
## Introduction
## Subnets
- 10.251.0.0/16 (See phpipam for all the particulars)
## Diagram
## Security considerations

62
src/CIO/Systems/Admin-DataCenter/networking/PFV-WAN.md
View File

@@ -1,62 +0,0 @@
# PFV WAN
- [PFV WAN](#pfv-wan)
- [Introduction](#introduction)
- [Provider](#provider)
- [IP Allocation](#ip-allocation)
- [Diagram](#diagram)
- [Security considerations](#security-considerations)
- [Availaiblity considerations](#availaiblity-considerations)
## Introduction
The HQ data center provides both corporate network and WAN services. We utilize AT&T Uverse Busienss CLass VDSL service for IP transit.
### Provider
- AT&T Uverse
- Business DSL (fiber overbuild is projected for late 2021)
- 60 down/20 up is what I see in speed tests
## IP Allocation
- Static IP setup : <https://forums.att.com/conversations/att-internet-features/how-do-i-setup-an-att-internet-static-ip/5defee02bad5f2f606ea4054>
```text
Broadband Connection Up
Broadband Network Type Lightspeed
Broadband IPv4 Address 107.140.191.0
Gateway IPv4 Address 107.140.188.1
MAC Address 84:bb:69:e1:b1:e1
Primary DNS 68.94.156.9
Secondary DNS 68.94.157.9
Primary DNS Name
Secondary DNS Name
```
```text
Address: 104.182.29.16 01101000.10110110.00011101.00010 000
Netmask: 255.255.255.248 = 29 11111111.11111111.11111111.11111 000
Wildcard: 0.0.0.7 00000000.00000000.00000000.00000 111
=>
Network: 104.182.29.16/29 01101000.10110110.00011101.00010 000 (Class A)
Broadcast: 104.182.29.23 01101000.10110110.00011101.00010 111
HostMin: 104.182.29.17 01101000.10110110.00011101.00010 001
HostMax: 104.182.29.22 01101000.10110110.00011101.00010 110
Hosts/Net: 6
```
- 104.182.29.16 (network address)
- 104.182.29.17 rtr1
- 104.182.29.18 rtr2
- 104.182.29.19 float
- 104.182.29.20 FNFMail
- 104.182.29.21 WWW testing
- 104.182.29.22 (gateway)
- 104.182.29.23 (broadcast)
## Diagram
## Security considerations
## Availaiblity considerations

23
src/CIO/Systems/Admin-DataCenter/networking/code/fixeth.sh
View File

@@ -1,23 +0,0 @@
#!/bin/bash
#https://forum.proxmox.com/threads/e1000-driver-hang.58284/
#https://serverfault.com/questions/616485/e1000e-reset-adapter-unexpectedly-detected-hardware-unit-hang
#magic to detect main int
echo "Determining management interface..."
#export MAIN_INT=$(brctl show $(netstat -rn|grep 0.0.0.0|head -n1|awk '{print $NF}') | awk '{print $NF}'|tail -1|awk -F '.' '{print $1}')
export MAIN_INT=$(brctl show|grep vmbr0|awk '{print $NF}'|awk -F '.' '{print $1}')
echo "Management interface is: $MAIN_INT"
#fix the issue
echo "Fixing management interface..."
ethtool -K $MAIN_INT tso off
ethtool -K $MAIN_INT gro off
ethtool -K $MAIN_INT gso off
#https://forum.proxmox.com/threads/e1000-driver-hang.58284/
#https://serverfault.com/questions/616485/e1000e-reset-adapter-unexpectedly-detected-hardware-unit-hang

107
src/CIO/Systems/Admin-DataCenter/power/PFVPower2021Prod.md
View File

@@ -1,107 +0,0 @@
# TSYS Group - HQ data center documentation - power
- [TSYS Group - HQ data center documentation - power](#tsys-group-hq-data-center-documentation-power)
- [Introduction](#introduction)
- [Circuits](#circuits)
- [Outlets](#outlets)
- [Surge Protectors](#surge-protectors)
- [Extension cords](#extension-cords)
- [UPS units](#ups-units)
- [Prod](#prod)
- [UPS5](#ups5)
- [UPS7](#ups7)
- [R&D](#r-d)
- [UPS1](#ups1)
- [UPS3](#ups3)
- [UPS4](#ups4)
- [UPS6](#ups6)
- [PDU](#pdu)
- [Unmanaged PDUs](#unmanaged-pdus)
- [Managed PDUs](#managed-pdus)
## Introduction
This article covers the electrical power setup for the HQ data center. We've grown it over time, bringing online more and more protected capacity as we got good deals on UPS/batteries etc and have added additional load.
## Circuits
The server room is fed by two 20amp circuits:
* Circuit 8a serving:
* dedicated air conditioner (see our cooling article for details on that)
* vm(1-3) servers
* network equipment
* overhead and led lighting
* Circuit (xx) serving:
* pfv-stor1/stor2 enclosures and drive arrays
* vm(4-6)
(future plan)
* Connect a new outlet to the 20 amp circuit currently serving front porch outlet (which shares a wall with the server room).
* This would provide sustained 15 amps for the RackRental.net rentable inventory.
## Outlets
We have upgraded the standard 15amp outlets that serve the server room, to 20amp outlets. This allows us to run a full 15amps sustained load (on 20amp circuits)
## Surge Protectors
We utilize GE surge protectors , rated for 15amps. They are about $50.00 apiece. These are placed upstream of the UPS units (between the wall outlet and the UPS extension cord).
## Extension cords
We do not have outlets close to the UPS stack. We utilize 15amp rated extension cords (from the surge protectors) to feed the UPS inputs.
## UPS units
### Prod
* UPS2
* Make/Model: Dell UPS Rack 1000W LV
* PDU served:
* UMPDU1
* Protected load:
* pfv-stor1/pfv-stor2 (Dell PowerEdge 2950s)
* backup USB drives and USB hub
* external scratch/backup arrays
* Protected Load Runtime: 12 minutes
### UPS5
* CyberPower UPS (details tbd)
* PDU served:
* UMPDU4
* BenchPDU
* Cameras
* Protected load:
* pfv-vm1/2/3
* pfv-time1
* pfv-labsw*
* pfv-core-ap01
* pfv-coresw-01
* pfv-labsw*
* Protected Load Runtime: 12 minutes
### UPS7
* PDUs served: n/a
* Monitoring server: n/a (un-monitored ups)
* Protected load: locking relay for server room
## R&D
### UPS1
### UPS3
### UPS4
### UPS6
# PDU
### Unmanaged PDUs
### Managed PDUs

95
src/CIO/Systems/Admin-DataCenter/security/PhysicalSecurity.md
View File

@@ -1,95 +0,0 @@
# TSYS Group - HQ data center documentation - security
- [TSYS Group - HQ data center documentation - security](#tsys-group-hq-data-center-documentation-security)
- [Introduction](#introduction)
- [Badge reader](#badge-reader)
- [Hardware Components](#hardware-components)
- [Software Components](#software-components)
- [Cameras](#cameras)
- [Physical Keys/Badges](#physical-keys-badges)
- [Front Door (physical key)](#front-door-physical-key)
- [Server Room (rfid badge)](#server-room-rfid-badge)
- [Keybox in server room (physical key)](#keybox-in-server-room-physical-key)
- [Gates/Machine Room/Storage](#gates-machine-room-storage)
- [Critical Physical Assets](#critical-physical-assets)
- [server room](#server-room)
- [R&D Shop](#r-d-shop)
- [Amplify Credit Union](#amplify-credit-union)
## Introduction
This article covers the physical security setup for the HQ data center.
## Badge reader
### Hardware Components
- Raspberry Pi 3
- USB relay
- automated door action
- Belkin UPS for the relay
### Software Components
Coming soon
## Cameras
Internal facing
- <http://cam2.pfv.turnsys.net/> (door/rack front cam)
- <http://cam3.pfv.turnsys.net> (rack back cam)
- <http://cam1.pfv.turnsys.net/> (external camera)
## Physical Keys/Badges
### Front Door (physical key)
Charles Wyble
Patti Wyble
Michael Almaraz
### Server Room (rfid badge)
Charles Wyble
Patti Wyble
Michael Almaraz
### Keybox in server room (physical key)
Access to this box means you would have full physical access to all TSYS assets. Access is heavily restricted and granting of access grant requires approval of CEO/CFOO
and Board of Directors.
- Charles Wyble
- Patti Wyble
- Michael Almaraz
### Gates/Machine Room/Storage
- Charles Wyble
- Patti Wyble
- Michael Almaraz
## Critical Physical Assets
### server room
- racks
- air conditioner
- UPS systems
- Digital Information Processing Equipment (servers/drives/network)
- Sentry combination safe (on site cold storage for backup hard drives)
- PKI Safe
- Firebox for important paper records (Patti durable personal/corporate PoA, legal hold records)
- File cabinet (axios customer original contracts)
### R&D Shop
- lab area (tools/prototypes under development etc)
- tool storage and tools
- component storage and components
### Amplify Credit Union
- safety deposit box (off site cold storage for backup hard drives )
- Paper records
- safety deposit box (Patti durable PoA, legal hold records)

12
src/CIO/Systems/Admin-DataCenter/storage/PFVStorage2021.md
View File

@@ -1,12 +0,0 @@
# TSYS Group Storage
## Enclosures
## Arrays
## Block Storage
## Application Object Storage
## Container Object Storage

50
src/CIO/Systems/Admin-Network/WAN-HQ-routable.md
View File

@@ -1,50 +0,0 @@
- [WAN Network - HQ - Public Routed Space](#wan-network---hq---public-routed-space)
- [Proxmox/opnsense interface / layer 2 info](#proxmoxopnsense-interface--layer-2-info)
- [AT&T Small business fiber network information](#att-small-business-fiber-network-information)
# WAN Network - HQ - Public Routed Space
## Proxmox/opnsense interface / layer 2 info
net1 5c:74 vmbr1000 wan 5c:74
net17 3a:bc vmbr1000 uversebiz vtnet17 3a:bc
## AT&T Small business fiber network information
- Address: 99.91.198.81 01100011.01011011.11000110.01010 001
- Netmask: 255.255.255.248 = 29 11111111.11111111.11111111.11111 000
- Wildcard: 0.0.0.7 00000000.00000000.00000000.00000 111
- Network: 99.91.198.80/29 01100011.01011011.11000110.01010 000 (Class A)
- Broadcast: 99.91.198.87 01100011.01011011.11000110.01010 111
- HostMin: 99.91.198.81 01100011.01011011.11000110.01010 001
- HostMax: 99.91.198.86 01100011.01011011.11000110.01010 110
- Hosts/Net: 6
- WAN Rtr 1 IP: 99.91.198.81
- WAN Rtr 2 IP: 99.91.198.82
- wireguard vpn, WAN Float, SIP, other services not on 80/443 IP: 99.91.198.83
- Cloudron IP: 99.91.198.84
- Conost IP: 99.91.198.85
- GW IP: 99.91.198.86
```shell
dig @8.8.8.8 -x 99.91.198.81 +short
tsyshq-corertr-01.knownelement.com.
dig @8.8.8.8 -x 99.91.198.82 +short
tsyshq-corertr-02.knownelement.com.
dig @8.8.8.8 -x 99.91.198.83 +short
tsyshq-wanfloat.knownelement.com.
dig @8.8.8.8 -x 99.91.198.84 +short
my.knownelement.com.
dig @8.8.8.8 -x 99.91.198.85 +short
app02.knownelement.com.
```

28
src/CIO/Systems/Admin-Platform/DigitialSecurity.md
View File

@@ -1,28 +0,0 @@
#IT Security
## Logging
Currently into librenms central store
rsyslog configured to forward
## Monitoring
nedata for high fidelity metrics (push)
librenms for up/down (pull)
## Secrets
### Passwords (user secrets)
bitwarden
### Server secrets
envwarden
#### certs/keys
* Public facing (lets encrypt)
We use HTTP challenge via Opnsense LE/HA Proxy . All public facing certs live in OpnSense.
## IDS/IPS
## RBAC

35
src/CIO/Systems/Admin-Platform/OAM.md
View File

@@ -1,35 +0,0 @@
# Operations Administration Management Infrastructure at TSYS Group
## Introduction
(following is copied from our systems overview document)
This is the back office IT bits.
* Functions
* librenms (monitoring/alerting/long term metrics)
* netdata (central dashboard)
* upsd (central dashboard)
* rundeck (internal orchestration only)
* sshaudit
* lynis
* crash dump server
* openvas
* etc
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-toolbox|121|vm3|stor2|tier2vm|
### The origin of the name toolbox
I can't take credit for coming up with naming a utility server toolbox. That credit goes to
the Big Gator. Back when we could freely roam, they let us s (when we could s, before I uncovered a massive federal felony and we had to take drastic action to avoid a consent decree...., I digress, this isn't that story (buy the book!)) to toolbox. It had many fun things.
So at every employer since, I've established at least one system called toolbox. It's fitting that my startup have the same , no?
### monitoring/alerting/metrics
### orchestration
### security auditing

261
src/CIO/Systems/Admin-Platform/TSYS-Systems.md
View File

@@ -1,261 +0,0 @@
# TSYS Systems
This article covers the (high level) systems architecture that supports TSYS/Redwood Group.
Other articles will go more in depth on specific systems. This article provides a general overview.
The architecture was designed to :
* meet the highest levels of information assurance and reliability (at a single site)
* support (up to) Top Secret workloads for R&D (SBIR/OTA) (non production) contract work
(by US Citizens only) being done for the United States Department of Defense/Energy/State
by various components of TSYS Group.
## Virtual Machines: Redundant (mix of active/passive active/active)
We are (with exception of R&D product development (being a hardware/IOT product) 99.9%) virtualized :
Exceptions to virtualized infrastructure:
* raspberry pi providing stratum0 (via hat) and server room badge reader functionality (via usb badge reader and lock relay)
* intermediate CA HSM passed through to a VM on vm3
* UPS units connected to vm3 via usb/serial
Any further exceptions to virtual infra require CEO/board approval and extensive justification.
### Networking
* Functions
* TFTP server
* DHCP server
* HaProxy (443 terminates here)
* Dev/qa/prod Core routing/firewall
* (multi provider) WAN edge routing/firewall
* Static/dynamic routing
* inbound/outbound SMTP handling
* Caching/scanning (via ClamAV)Web proxy
* Suricata IDS/IPS
All the above is provided on an active/passive basis via CARP IP with sub 2ms failover.
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|---|
|pfv-core-rtr01|120|vm1|stor2|tier2vm|
|pfv-core-rtr02|xx|vm3|stor1|s1-wwwdb|
### DNS/NTP (user/server facing)
We do not expose the core domain controllers (dc2/3) directly to users or servers. Everything flows through pihole. We allow DNS (via firewall rules) to ONLY pihole 1,2 no other DNS is allowed. pihole 1,2 is only allowed to realy to the core dc, then the dc are allowed to relay to the internet (8.8.8.8).
This blocks the vast majority of spyware/trackerware/malware/c2c etc (using the pihole blacklists). DNS filtering is the first line of defense against attackers and far less false positives when doing log review.
* Functions
* DNS (with ad filtering) (pihole)
* NTP
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pihole1|101|vm3|stor1|s1-wwwdb|
|pihole2|103|vm1|stor2|tier2vm|
### Database layer
All the data for all the things. Everything is clustered, shared service model.
* Functions
* Mysql (galera)
* Postgresql (patroni)
* ETcd
* MQTT Brok
* Rabbitmq
* Elasticsearch
* Longhorn
* K3s control plane
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|db1|125|vm4|stor1|s1-wwwdb|
|db2|126|vm5|stor2|tier2vm|
|db3|127|vm1|stor2|tier2vm|
### Web/bizops/IT control plane application layer
All the websites for TSYS/Redwood Group live on this infra. It's served up via HAProxy (active/passive on r1/42) in an active/active setup (each node running 50% of workload, capable of 100% for handling node maintenace)
* Functions
* All brand properties
* Data repository (discourse)
* IT Control plane (job clustering/monitoring/alerting/siem etc)
* Business operations (marketing/sales/finance/etc)
* Apache server (for non dockerized applications)
* k3s worker nodes (we are moving all workloads to docker containers with longhorn PVC)
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|www1|123|vm5|stor2|tier2vm|
|www2|124|vm4|stor1|s1-wwwdb|
### Line of business Application layer
* Functions
* Guacamole (serving up rackrental customer workloads, also developer workstations)
* Webmail (for a number of our domains, we don't use Office 365)
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|tsys-dc-02|129|vm5|stor2|tier2vm|
|tsys-dc-03|130|vm4|stor1|s1-wwwdb|
## Network Security Monitoring
We will be using security onion in some fashion. Looking into that with OpenVAS/Lynis/Graylog as a SIEM/scanner. More to follow soon. It will be a distributed, highly available setup.
## Virtual Machines: Non Redundant
### VPN
You'll notice VPN missing from the redundant networking list. A few comments on that:
* We employ a zero trust access model for vast majority of systems
* We heavily utilize web interfaces/APIs for just about all systems/functionality and secure acces via 2fa/Univention Corporate Server ("AD") and a zero trust model.
* We do have our R&D systems behind the VPN for direct SSH access (as opposed to through various abstraction layers)
* We utilize WIreguard (via the ansible setup provided by algo trailofbits). We don't have a redundant Wireguard setup, just a single small Ubuntu VM. It's worked incredibly well and the occasional 90 seconds or so of downtime for kernel patching is acceaptable.
* Due to ITAR and other regulations, we utilize a VPN for access control. We may in the future, upon appropriate review and approval, setup haproxy with SSH SNI certifcates to route connections to R&D systems directly.
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-vpn|106|vm3|stor2|tier2vm|
### Physical Surveilance
We can take 90 seconds of downtime for occasional kernel patching and not be processing the surveilance feeds for a bit. Everyone knows that criminals just loop the footage anyway....
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-nvr|104|vm5|stor2|tier2vm|
### Building automation
We can take 90 seconds of downtime for occasional kernel patching and wait to turn on a light or whatever.
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|HomeAssistant|116|vm3|stor2|tier2vm|
### Sipwise
We can take 90 seconds of downtime for occasional kernel patching, and have the phones "stop ringing" for that long.
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|sipwise|105|vm4|stor1|s1-wwwdb|
### Online CA (Intermeidate to offline root)
We can take 90 seconds of downtime for occasional kernel patching.
We serve the CRL and other "always on" SSL related bits via cloudflare ssl toolkit in docker using
the web/app layer over HTTP(S) and it's fully redundant.
This VM is only used occasionally to issue long lived certs or perform needed maintenance.
It could be down for weeks/months without issue.
It's using XCA for administration and talking to the db cluster. It is locked to vm3, because
we pass through a Nitrokey HSM, works wonderully.
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-ca|131|vm3|stor1|s1-wwwdb|
### Operations/administration/management (OAM)
This is the back office IT bits.
* Functions
* librenms (monitoring/alerting/long term metrics)
* netdata (central dashboard)
* upsd (central dashboard)
* rundeck (internal orchestration only)
* sshaudit
* lynis
* crash dump server
* openvas
* etc
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-toolbox|121|vm3|stor2|tier2vm|
## Storage Infrastructure
* We keep it very simple and utilize TrueNAS Core on Dell PowerEdge 2950 with 32gb ram.
* We run zero plugins.
* We have a variety of pools setup and served out over NFS to the 10.251.30.0/24 network
* No samba, just NFS
* Utilize built in snapshots/replication for retention/backup
## Virtualization Infrastructure
* We keep it very simple and utilize Proxmox on a mix of :
* Dell Optiplex (i3/i7) (all with 32gb ram)
* Dell PowerEdge (dual socket, quad core xeon) (all with 32gb ram)
* Dell Precision system (i7) (16gb ram) (with nvida quadaro card passed through to kvm guest (either windows 10 or Ubuntu Server 20.04 depending on what we need todo)
* We run the nodes with single power supply and single OS drive.
Vm node failure is expected (we keep the likelihood low with use of thumb drives with syslog set to
only log to the virtualized logging infra), and we handle the downtime via the redundancy we
outlined above (by using virtual machines spread across hypervisors / arrays / enclosures ) and redundancy happens
at the application level).
Restoring a vritual server node would take maybe 30 minutes
(plug a new thumb drive, re-install, join cluster).
In the meantime the vm has auto migrated to another node using proxmox HA functionality (if it's an SPOF VM).
## Overall system move to production status
| Hostname | OSSEC | Rundeck | Netdata | librenms mon | librenms log | DNS | (x)DP | NTP | Slack | Lyris | SCAP | Auditd | OpenVAS | oxidized |
| -------------- | ----- | ------- | ------- | ------------ | ------------ | --- | ----- | --- | ----- | ----- | ---- | ------ | ------- | -------- |
| Pfv-vmsrv-01 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-vmsrv-02 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-vmsrv-03 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-vmsrv-04 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-vmsrv-06 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-time1 | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| Pfv-stor1 | N/A | N/A | N/A | Y | | Y | Y | x | | | N/A | N/A | | N/A |
| Pfv-stor2 | N/A | N/A | N/A | Y | | Y | Y | x | | | N/A | N/A | | N/A |
| Pfv-consrv01 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | N/A | N/A | | N/A |
| Pfv-core-sw01 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | N/A | N/A | | |
| Pfv-core-ap01 | N/A | N/A | N/A | Y | N/A | Y | Y | x | | | N/A | N/A | | |
| Pfv-lab-sw01 | N/A | N/A | N/A | Y | | Y | Y | x | | | | | | |
| Pfv-lab-sw02 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | | | | |
| Pfv-lab-sw03 | N/A | N/A | N/A | Y | | Y | Y | x | | | | | | |
| Pfv-lab-sw04 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | | | | |
| 3dpsrv | Y | Y | Y | Y | Y | Y | N/A | Y | | | | | | N/A |
| Pfv-core-rtr01 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | N/A | N/A | | |
| Pfv-core-rtr02 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | N/A | N/A | | |
| tsys-dc-01 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| tsys-dc-02 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| tsys-dc-03 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| Tsys-dc-04 | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| pihole1 | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| pihole2 | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| pfv-toolbox | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| ca | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| www1 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| www2 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| www3 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| db1 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| db2 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| db3 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |

440
src/CIO/Systems/Admin-RandD/EngWorkstationBuildGuide.md
View File

@@ -1,440 +0,0 @@
# TSYS Group - IT Documentation - R&D - Workstation Build Guide
- [TSYS Group - IT Documentation - R&D - Workstation Build Guide](#tsys-group---it-documentation---rd---workstation-build-guide)
- [Introduction](#introduction)
- [Workstation details - RPI4 8Gb](#workstation-details---rpi4-8gb)
- [Out of box tweaks and basic setup](#out-of-box-tweaks-and-basic-setup)
- [Software Packages To Install](#software-packages-to-install)
- [magic mouse 2 driver](#magic-mouse-2-driver)
- [Nodejs](#nodejs)
- [Rust](#rust)
- [go](#go)
- [mdbook](#mdbook)
- [Recoll (local search)](#recoll-local-search)
- [Bitwarden CLI](#bitwarden-cli)
- [Krita](#krita)
- [Backslide](#backslide)
- [Docker](#docker)
- [RedNotebook (install from source, it just runs in place)](#rednotebook-install-from-source-it-just-runs-in-place)
- [OpenWebRx](#openwebrx)
- [csv2md](#csv2md)
- [helm](#helm)
- [kubectl / k3s](#kubectl--k3s)
- [docker](#docker-1)
- [docker-compose](#docker-compose)
- [metasploit](#metasploit)
- [scap workbench](#scap-workbench)
- [Bitscope](#bitscope)
- [docker based dev environment/pipeline](#docker-based-dev-environmentpipeline)
- [Mainline repo packages](#mainline-repo-packages)
- [Configuration Tweaks](#configuration-tweaks)
- [chrome setup](#chrome-setup)
- [passwords/bitwarden](#passwordsbitwarden)
- [web apps](#web-apps)
- [zsh](#zsh)
- [konsole setup](#konsole-setup)
- [xfce tweaks](#xfce-tweaks)
- [VsCode](#vscode)
- [CTO Stuff](#cto-stuff)
- [Upstream vendor software to checkout](#upstream-vendor-software-to-checkout)
- [Projects](#projects)
- [Special considerations for upstream](#special-considerations-for-upstream)
- [Workstation details - x86-64 vm](#workstation-details---x86-64-vm)
- [Workstation details - iPAD](#workstation-details---ipad)
- [Remaining projects](#remaining-projects)
- [SSH / GPT private key HSM](#ssh--gpt-private-key-hsm)
- [TurboVNC (3d accelerated) on rpi as client](#turbovnc-3d-accelerated-on-rpi-as-client)
- [Select an Investigative notebook](#select-an-investigative-notebook)
- [Research source material organization](#research-source-material-organization)
- [activitywatch](#activitywatch)
- [Get photo processing workflow setup](#get-photo-processing-workflow-setup)
- [switch mail from (just) thunderbird to thunderbird/(neo)mutt/notmuch/task warrior](#switch-mail-from-just-thunderbird-to-thunderbirdneomuttnotmuchtask-warrior)
## Introduction
In 01/2021 , Charles purchased a Raspberry Pi 4 as his daily driver with the intent of evaluating it for use as the standard issue equipment for TSYS personnel. This document is the results of his
experiments with it from 01/2021 to (as of time of writing) August 1st 2021.
Charles is the founder, CEO and acting CTO of TSYS Group. In his role, he does everything from business ops, to system administration to software/hardware engineering tasks. As such he was best
positioned to evaluate the rPI for all workloads.
The RPi4 has been approved as one of the standard/supported workstation for TSYS personnel across all teams/products.
The software mentioned in this document is a long list, reflecting the myriad of tasks/projects Charles may engage with on a daily basis. Most likely, you'll only need a subset of these tools,
don't despair! Feel free to install all of them or a subset as you wish based on your mission objectives.
We hope this document is useful to everyone at TSYS who wants to maximize their productivity. TSYS fully supports Debian/Ubuntu GNU Linux for workstation use, both on rPI4 and x86 virtual/physical
systems.
We do occasionally test Mac OSX and Windows 10, but they aren't officially supported.
Our experiments and daily use show that 85% or more of TSYS daily driver/workstation use (email/coding/research/browsing/document creation/discord/media editing/etc) can be done on an rPI4.
The few gaps can be done via an RDP session to an x86 system for the few things that have x86 dependencies or need 64bit os (64bit on pi isn't yet fully ready in our opinion as of August 2021).
## Charles Workstation details - RPI4 8Gb
- Operating System: RaspberryPi Os
- Hardware:
- Raspberry Pi 4 with 8gb RAM
- Accessories :
- Case : Argone One case <https://www.argon40.com/argon-one-m-2-case-for-raspberry-pi-4.html>
- Monitors: Dual Dell 24" monitors (IPS) <https://www.dell.com/support/home/en-us/product-support/product/dell-st2421l/overview>0
- Chair: Ikea MARKUS Office Chair: <https://www.ikea.com/us/en/p/markus-office-chair-vissle-dark-gray-90289172/>
- Keyboard: Matias Backlight Keyboard <https://www.matias.ca/aluminum/backlit/>
- Mouse: Apple Magic Mouse 2 Black
- Tablet: iPad Mini 5th Gen (see iPAD section for more)
- Headphones: JBL Over Ear (<https://www.jbl.com.au/TUNE750BTNC.html>)
- Tp-link 7 port USB 3.0 Powered Hub (for plugging in thumb drives, data acquisition devices / other random usb bits) <https://www.tp-link.com/us/home-networking/usb-hub/uh700/>
- IOGear card reader <https://www.iogear.com/product/GFR281/>
- Security Dongle: Yubikey 4 OTP+U2F+CCID
### Out of box tweaks and basic setup
1) Put Rasberry Pi 4 into Argone One Case (running it without case will cause it to overheat quickly)
2) Flash latest stable Raspbian 32bit to SD card and boot pi
3) connect usb keyboard and mouse
4) Run through first boot setup wizard
5) Setup pin+yubi long string for password for the pi user
6) Connect to wifi
5) Pair and trust Matias Backlight Keyboard
6) Pair and trust Apple Magic Mouse
7) fix date/time via ntpdate (ntpdate 10.251.37.5)
8) apt-get update ; apt-get -y full-upgrade
9) add vi mode to /etc/profile (heathens by default!)
10) clone dotfiles repo
11) enable i2c access via raspi-config
12) setup fan daemon <https://gitlab.com/DarkElvenAngel/argononed.git>
13) setup virtual desktops
- Desktop 1: Browsing/Editing/Shell (chrome / VsCode / Konsole / Remmina )
- Desktop 2: Comms (discourse/discord/irc etc/thunderbird/mutt)
- Desktop 3: Long Running: (calibre/recol/etc)
14) (coming soon) run curl htp://dl.turnsys.net/buildFullWorkstation.sh
### Software Packages To Install
#### magic mouse 2 driver
https://github.com/rohitpid/Linux-Magic-Trackpad-2-Driver
#### Nodejs
```console
curl -sL https://deb.nodesource.com/setup_15.x | sudo -E bash -
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sud apt-get -y install nodejs
sudo apt-get update && sudo apt-get install yarn
```
#### Rust
```console
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```
#### go
<https://pimylifeup.com/raspberry-pi-golang/>
#### mdbook
```console
cargo install mdbook
```
#### Recoll (local search)
```console
cat recoll-rbuster.list
deb [signed-by=/usr/share/keyrings/lesbonscomptes.gpg] http://www.lesbonscomptes.com/recoll/raspbian/ buster main
deb-src [signed-by=/usr/share/keyrings/lesbonscomptes.gpg] http://www.lesbonscomptes.com/recoll/raspbian/ buster main
```
#### Bitwarden CLI
```console
sudo npm install -g @bitwarden/cli
```
#### Krita
```console
sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
sudo flatpak -y install flathub org.kde.krita
```
#### Backslide
```console
sudo npm install -g backslide
sudo npm i -g decktape
sudo add chrome-aws-lambda
```
#### RedNotebook (install from source, it just runs in place)
<https://rednotebook.sourceforge.io/downloads.html>
<https://www.linuxlinks.com/raspberry-pi-4-chronicling-desktop-experience-dear-diary/>
#### OpenWebRx
on pi:
wget -O - <https://repo.openwebrx.de/debian/key.gpg.txt> | apt-key add
echo "deb <https://repo.openwebrx.de/debian/> buster main" > /etc/apt/sources.list.d/openwebrx.list
apt-get update
apt-get install openwebrx
or (on x86)
wget -O - https://repo.openwebrx.de/debian/key.gpg.txt | apt-key add
echo "deb https://repo.openwebrx.de/ubuntu/ hirsute main" > /etc/apt/sources.list.d/openwebrx.list
apt-get update
apt-get install openwebrx
#### csv2md
```console
npm install -g csv2md
```
#### metasploit
```console
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
sudo gem install wirble sqlite3 bundler nokogiri bundle
bundle install
```
#### scap workbench
Follow the readme
#### Bitscope
on pi
```console
wget http://bitscope.com/download/files/bitscope-dso_2.8.FE22H_armhf.deb
wget http://bitscope.com/download/files/bitscope-logic_1.2.FC20C_armhf.deb
wget http://bitscope.com/download/files/bitscope-meter_2.0.FK22G_armhf.deb
wget http://bitscope.com/download/files/bitscope-chart_2.0.FK22M_armhf.deb
wget http://bitscope.com/download/files/bitscope-proto_0.9.FG13B_armhf.deb
wget http://bitscope.com/download/files/bitscope-console_1.0.FK29A_armhf.deb
wget http://bitscope.com/download/files/bitscope-display_1.0.EC17A_armhf.deb
wget http://bitscope.com/download/files/bitscope-server_1.0.FK26A_armhf.deb
sudo dpkg -i *.deb
sudo apt-get -y -f install
```
on x86
TBD
#### docker based dev environment/pipeline
##### docker
```console
curl -sSL https://get.docker.com | sh
```
##### helm
```console
sudo snap install helm --classic
```
##### kubectl / k3s
```console
curl -sfL https://get.k3s.io | sh -
```
##### docker-compose
##### Todo
- local k0s (for gitops testing)
- (container) local docker reg
- (container) local jenkins
- (container) local all the apps for developing
#### Mainline repo packages
```console
apt-get -y install \
kicad librecad freecad gimp blender shellcheck jq net-tools\
ruby-full offlineimap zsh vim thunderbird enigmail highlight\
kleopatra zsh-autosuggestions zsh-syntax-highlighting screen \
mtr cifs-utils grass cubicsdr arduino jupyter-notebook \
dia basket vym code wings3d flatpak wireguard gnuplot \
pandoc python3-blockdiag texlive-fonts-extra clang \
spice-client-gtk spice-html5 virt-viewer gnome-system-monitor \
glances htop dstat apt-file kleopatra konsole telnet clang \
ripgrep recoll poppler-utils abiword wv antiword unrtf \
libimage-exiftool-perl xsltproc davmail kphotoalbum opensc \
yubikey-manager yubikey-personalization yubikey-personalization-gui \
openshot kdenlive pitivi inkscape scribus scdaemon seafile-gui qgis \
octave nodejs libreoffice calligra netbeans sigrok \
nodejs audacity wireshark nmap tcpdump ndiff etherape ghostscript \
lepton-eda ngspice graphicsmagick codeblocks scilab calibre paraview \
gnuradio build-essential libimobiledevice-utils libimobiledevice-dev \
libgpod-dev python3-numpy python3-pandas python3-matplotlib \
curl git make binutils bison gcc build-essential openjdk-11-jre-headless \
debootstrap cutecom minicom ser2net conman xsane gocr tesseract-ocr \
fonts-powerline build-essential zlib1g zlib1g-dev libxml2 libxml2-dev \
libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev \
libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql \
postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev ruby-dev \
openvas git-core postgresql curl nmap gem libsqlite3-dev cmake ninja-build libopenscap-dev \
qt5-default libqt5widgets5 libqt5widgets5 libqwt-headers libqt5xmlpatterns5-dev asciidoc \
lmms virt-manager gqrx-sdr multimon-ng rtl-sdr fldigi grads cdo xygrib xygrib-maps evince \
openwebrx xscreensaver blueman bluetooth pulseaudio-module-bluetooth blueman texlive-fonts-extra \
texlive-fonts-recommended
```
### Configuration Tweaks
#### zsh
- Use oh-my-zsh
- Use powerlevel10k
#### konsole setup
- settings -> edit current profile ->
- apperance (set to dark pastels)
- font (set to noto mono)
- mouse
- copy/paste
- copy on select
- paste from clipboard (default is paste from selection)
- un-set copy text as html
- settings - configure shortcuts
- next tab ctrl+tab
- previous ctrl+shift+tab
#### xfce tweaks
- Set focus follows mouse (settings/window manager/focus)
- (dark mode)? (only works for gtk apps)
- need to set other apps individually to dark mode
#### VsCode
fenix appears to include it in the default image, but it doesn't launch from the menu and shell says code not found. Search for code and it will pull up an entry with VsCode logo labeled as Text Editor. Use that.
to see how I set it up VsCode for a myriad of tasks, see the VsCode guide for tsys at:
<https://git.turnsys.com/TSGTechops/docs-techops/src/branch/master/src/Systems/Admin-RandD/TSYS-DevEnv-VsCode.md>
### CTO Stuff
#### mbed studio
#### eclipse
#### android studio
#### dbeaver
#### postman
#### sweethome3d
#### ghidra
#### Upstream vendor software to checkout
This is a massive work in progress , is mostly for Charles own notes only, really only applicable for large upstream packages that TSYS needs to support
long term/sync regularly with upstream, or part of a broader protfolio initiative etc.
Unless you have been specfically directed todo so in your roject readme, you don't need todo the below. In almost all cases , the work below is abstracted
for/from you into our artifact repository and build process.
##### Projects
- openwrt
- openmct
- raspi kernel
- FreeRTOS
- freedombox
- serval
- genode
- balena
##### Special considerations for upstream
## Workstation details - iPAD
- Operating System: iPAD OS
- Hardware: iPAD Mini 5th Generation
- Accessories:
- Lightining to USB3
- Lightining to HDMI
- I use same KB/Mouse that I do with the rPI
- Key Applications
- Working Copy
- Buffer Text Editor
- Blink.sh
- Jump remote Desktop
- GitJournal
- Microsoft Todo
- Neat
- Discourse
- FreeScout
- ErpNext
### Remaining projects
These items remain todo and document. They are listed in decreasing order of importance.
#### SSH / GPT private key HSM
- kleopatra
- yubikey ssh key
- yubikey gpg key
(not strictly related but in same family)
- xca (build from source)
#### TurboVNC (3d accelerated) on rpi as client
#### Select an Investigative notebook
- <https://github.com/kpcyrd/sn0int>
- <https://www.spiderfoot.net/>
- <https://github.com/smicallef/spiderfoot?ref=d>
- modelio <https://www.modelio.org/>
- <https://gephi.org/>
#### Research source material organization
- zotero
- docear <https://opensource.com/life/16/8/organize-your-scholarly-research-docear>
#### activitywatch
Effortless self instrumentation. Performed initial attempts/exploration. It builds (I think)
#### Get photo processing workflow setup
- currently exploring kphotoablbum
- Browser based Sharing / browsing via Photoprism (or perhaps piwgio ultimately, with photoprism as part of a processing work flow)?
- need something to sync to "cloud" with auto capture from phone
- reference material:
- <https://photoprism.app/>
- <https://kn100.me/declouding-replacing-google-photos-part-1/>
- <https://willem.com/blog/2020-08-31_free-from-the-icloud-escaping-apple-photos/>
#### switch mail from (just) thunderbird to thunderbird/(neo)mutt/notmuch/task warrior
This has been an ongoing on-again/off-again adventure....

302
src/CIO/Systems/Admin-RandD/VsCodeConfigGuide.md
View File

@@ -1,302 +0,0 @@
# TSYS Group - Engineering Documentation - Visual Studio Code Environment Setup Guide
- [TSYS Group - Engineering Documentation - Visual Studio Code Environment Setup Guide](#tsys-group---engineering-documentation---visual-studio-code-environment-setup-guide)
- [Introduction](#introduction)
- [Environmental considerations/assumptions](#environmental-considerationsassumptions)
- [External Software Programs/Services Used](#external-software-programsservices-used)
- [Short version](#short-version)
- [Requirements and dependencies](#requirements-and-dependencies)
- [Languages Used](#languages-used)
- [Deployment Targets](#deployment-targets)
- [General setup](#general-setup)
- [Plugins - Team-*](#plugins---team-)
- [General Tooling](#general-tooling)
- [Docker / k8s](#docker--k8s)
- [Git](#git)
- [(Cross) Compile / (Remote) Debug / (Remote) development](#cross-compile--remote-debug--remote-development)
- [Markdown (and documentation in )](#markdown-and-documentation-in-)
- [Data](#data)
- [Bash](#bash)
- [Plugins - Team-SWEng](#plugins---team-sweng)
- [API (rest) development](#api-rest-development)
- [Web App development](#web-app-development)
- [YAML](#yaml)
- [Rust](#rust)
- [C/C++](#cc)
- [Arduino/Seeduino](#arduinoseeduino)
- [CUDA](#cuda)
- [Java](#java)
- [PHP](#php)
- [Python](#python)
- [Plugins - Team-MechEng](#plugins---team-mecheng)
- [Octave](#octave)
- [R](#r)
- [Jupyter](#jupyter)
- [STL](#stl)
- [G-code](#g-code)
- [Gerber](#gerber)
## Introduction
This is the TSYS Visual Studio Code setup guide. It covers how to setup VsCode for all aspects of TSSY Group.
We have a very complex total stack, but don't despair, you will only need a small subset of this.
Which subset of course depends on what part of the TSYS mission you are supporting!
### Environmental considerations/assumptions
- Charles setup is the most comprehensive, as he is the co-founder and (as of Q3 2021) (acting) CTO and needs to develop for all pieces of the stack/products.
- Do not just blindly follow this guide! Pick the pieces you need for your work. If you have any questions, ask in Discord or post to Discourse.
- Working against a remote server/container/k8s cluster over SSH via VsCode Remote
- VsCode Remote Dev is heavily utilized (almost if not exclusively)
- Source code resides in home directory on the server farm, but is edited "locally" on your workstation with VsCode (Remote)
- Using TSYS self hosted Gitea git instance
- Using TSYS self hosted Jenkins CI
- docker/kubectl commands are present and configured to run against the cluster (and you are connected to the VPN)
- Developing in Windows 10/Mac OSX/Linux with a GUI environment running native VsCode (CNW daily driver is a raspberry pi 4 with 8gb ram to help ensure lowest common denominator support/good performance)
- Using Chrome web browser (firefox/safari may work, but are not supported at all)
- Developing primarily at the "git push, magic happens" abstraction layer
- Need to occasionally inspect/debug the magic at various stages of the pipeline
- Need to frequently debug running code on a variety of targets (pi/arduino etc)
- All text documentation is written in Markdown and is posted to Git/Discourse as Markdown
- (tbd soon, actively experimenting)
- All diagrams are created via text language
- All diagrams are produced using
- (blockdiag?
- uml?
- markdown extensions?
- all (or some mix) of the above?
- what extension(s)to use?)
### External Software Programs/Services Used
You'll need to setup some external tools and services to support the TSYS mission (in addition to VsCode).
Setup of external tools/services is outside the scope of this document. For guidance on tool/service selection and setup, please see the following links:
- <https://git.turnsys.com/TSGTechops/docs-techops/src/branch/master/src/Systems/Admin-Application/AppsAndServices.md>
- <https://git.turnsys.com/TSGTechops/docs-techops/src/branch/master/src/Systems/Admin-RandD/EngineeringWorkstatioNBuildBuide.md>
Once you've setup your needed external tools and services , return to this document and continue with setup of VsCode as needed to work with the tooling you installed.
### Short version
very soon (june 2021) you'll have two options for EZ stack deployment for your product development environment :
1) docker pull TSYSVSC and use with <https://code.visualstudio.com/docs/remote/containers>
2) Login to <https://desktop.turnsys.com> and get a full engineering stack for whatever product you are working on.
Read on to understand the pieces and particulars in case you want to build your own setup.
## Requirements and dependencies
Here is the tool and language requirements of all the TSYS engineering projects/programs/products.
### Languages Used
| Language | Used By | Product Scope |
|----------------------------------|--------------|------------------------------------|
| bash | TSYS wide | All |
| c/c++ | Team-SwEng | MorseFlyer |
| CUDA | Team MechEng | MorseFlyer (envelope/airframe) |
| dockerfile/docker compose | TSYS wide | All |
| geo spatial data | Team SwEng | MorseFlyer (avionics) |
| Gerber | Team HwEng | MorseSkynet, MorseFlyer (avionics) |
| Go | Team-SwEng | HFNOC/HFNFC/RackRental |
| helm charts | TSYS wide | All |
| Java | Team SwEng | MorseTrackerHUD,MorseTracker |
| javascript | Team SwEng | MorseTrackerHUD |
| Markdown | TSYS wide | All |
| octave | Team MechEng | MorseFlyer (envelope/airframe) |
| OpenFAAS | Team-SwEng | RackRental.net |
| PHP | TEam-SwEng | RackRental.net , HFNOC/HFNFC |
| python (Jupyter and stand alone) | Team MechEng | MorseFlyer (envelope/airframe) |
| R | Team MechEng | MorseFlyer (envelope/airframe) |
| Ruby | Team-SwEng | All (as part of SDLC testing) |
| Rust | Team-SwEng | HFNOC/HFNFC/RackRental |
| tcl/tk | Team HwEng | MorseSkynet |
| Xilinx | Team HwEng | MorseSkynet |
| YAML | TSYS wide | All |
### Deployment Targets
| Target | Used By | Product Scope |
|-----------------------------------------------------|-------------|------------------------------------|
| Arduino (cross compiled) | Team-SwEng | MorseFlyer (Avionics) |
| FreeRTOS (cross compiled) | Team-SwEng | MorseFlyer (Avionics) |
| Jenkins build pipelines | All teams | All |
| OpenMCT farm (java/micro services) | Team-SwEng | MorseTracker/MorseTrackerHUD |
| Raspberry Pi (cross compiled) | Team-SwEng | MorseFlyer (Avionics) |
| Subo pi farm (multi arch) Docker / k3s (and balena) | Team-SwEng | MorseFlyer (Avionics), MorseSkynet |
| TSYS K3S sandbox/dev/prod clusters | All teams | All |
| TSYS Web Farm (lots of PHP (wordpress etc)) | Team-WebEng | RackRental.net, HFNOC, HFNFC |
## General setup
These are steps you need to take before starting development in earnest.
Linux (or at least a mostly linux (WSL/mobaxterm)) environment is presumed for all the below.
You may well find GUI replacements and use them, especially on Windows/MACOSX. They are not supported in any way.
- Setup gitea
- Login once to <https://git.turnsys.com> so you can be added to the appropriate repos/teams/orgs.
- Customize any profile etc settings that you wish.
- Obtain API key to use with gitea-issues plugin
- Setup SSH
- Setup SSH key
- Add SSH public key to gitea
- Setup git
- For all git users:
- $ git config --global user.name "John Doe"
- $ git config --global user.email johndoe@example.com
- Setup git lg : git config --global alias.lg "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit"
- for zsh users (and you really should use zsh/oh-my-zsh :)
- git config --add oh-my-zsh.hide-status 1
- git config --add oh-my-zsh.hide-dirty 1
## Plugins - Team-*
The plugins documented here are known to work, and are in active/frequent use by Charles as CTO as he hacks on the stack.
Other options exist for almost all the below. If you find something that works better for you, use it!
Consider the below as a suggested/supported baseline.
### General Tooling
- Code Spell Checker <https://marketplace.visualstudio.com/items?itemName=streetsidesoftware.code-spell-checker>
- Vim <https://marketplace.visualstudio.com/items?itemName=vscodevim.vim>
### Docker / k8s
- Docker:
- <https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-docker>
- <https://code.visualstudio.com/docs/containers/overview>
- Bridge to K8s <https://marketplace.visualstudio.com/items?itemName=mindaro.mindaro> <https://code.visualstudio.com/docs/containers/bridge-to-kubernetes>
### Git
- Git Extension Pack <https://marketplace.visualstudio.com/items?itemName=donjayamanne.git-extension-pack>
- Git Tree Compare <https://marketplace.visualstudio.com/items?itemName=letmaik.git-tree-compare>
- Git Tags <https://marketplace.visualstudio.com/items?itemName=howardzuo.vscode-git-tags>
- Gitea-VsCode <https://marketplace.visualstudio.com/items?itemName=ijustdev.gitea-vscode>
### (Cross) Compile / (Remote) Debug / (Remote) development
This section is a work in progress. Below is the current guides/plugins that are being tested. Roughly in decreasing order of confirmed stability/active usage.
YMMV, DD , Buyer Beware etc etc etc.
- <https://code.visualstudio.com/docs/remote/remote-overview>
- <https://code.visualstudio.com/docs/remote/ssh>
- <https://dimamoroz.com/2021/03/09/intel-nuc-for-development/>
- <https://github.com/Ed-Yang/rpidebug>
- <https://enes-ozturk.medium.com/remote-debugging-with-gdb-b4b0ca45b8c1>
- <https://enes-ozturk.medium.com/cross-compiling-with-cmake-and-vscode-9ca4976fdd1>
- <https://gist.github.com/aakashpk/e90d4651b074248b4823f6d2dc3373a0>
- <https://marketplace.visualstudio.com/items?itemName=webfreak.debug>
- <https://code.visualstudio.com/docs/cpp/config-linux>
### Markdown (and documentation in )
- Markdown All in One <https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-oneoo>
- Markdown Preview Enhanced <https://marketplace.visualstudio.com/items?itemName=shd101wyy.markdown-preview-enhanced>
- markdownlint <https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint>
- Excel to markdown table <https://marketplace.visualstudio.com/items?itemName=csholmq.excel-to-markdown-table>
- MdTableEditor < <https://marketplace.visualstudio.com/items?itemName=clover.md-table-editor>>
- Markdown Table Formatter https://marketplace.visualstudio.com/items?itemName=fcrespo82.markdown-table-formatter
- Gitdoc <https://marketplace.visualstudio.com/items?itemName=vsls-contrib.gitdoc>
- Draw.io integration <https://marketplace.visualstudio.com/items?itemName=hediet.vscode-drawio>
- PlantUML
- <https://marketplace.visualstudio.com/items?itemName=jebbs.plantuml>
- <https://www.freecodecamp.org/news/inserting-uml-in-markdown-using-vscode/>
- Latex Workshop <https://marketplace.visualstudio.com/items?itemName=James-Yu.latex-workshop>
### Data
- <https://marketplace.visualstudio.com/items?itemName=mtxr.sqltools>
- <https://marketplace.visualstudio.com/items?itemName=RandomFractalsInc.vscode-data-preview>
- <https://marketplace.visualstudio.com/items?itemName=RandomFractalsInc.geo-data-viewer>
- <https://marketplace.visualstudio.com/items?itemName=mechatroner.rainbow-csv>
### Bash
- <https://marketplace.visualstudio.com/items?itemName=mads-hartmann.bash-ide-vscode>
## Plugins - Team-SWEng
### API (rest) development
- <https://marketplace.visualstudio.com/items?itemName=humao.rest-client>
### Web App development
- <https://marketplace.visualstudio.com/items?itemName=iceworks-team.iceworks>
### YAML
- <https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml>
### Rust
- <https://marketplace.visualstudio.com/items?itemName=rust-lang.rust>
### C/C++
- <https://ludwiguer.medium.com/configure-visual-studio-code-to-compile-and-run-c-c-3cef24b4f690>
- <https://marketplace.visualstudio.com/items?itemName=ms-vscode.cpptools-extension-pack0>
- <https://marketplace.visualstudio.com/items?itemName=formulahendry.code-runner>
#### Arduino/Seeduino
-_<https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.vscode-arduino>
#### CUDA
TBD. Pull requests welcome.
### Java
- <https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-java-pack>
### PHP
- <https://github.com/cytopia/devilbox/blob/50ab236ea9780e6c3ba35d357a451d48aba9a5d2/docs/intermediate/configure-php-xdebug/linux/vscode.rst>
### Python
- <https://marketplace.visualstudio.com/items?itemName=ms-python.python>
## Plugins - Team-MechEng
### Octave
TBD. Pull requests welcome.
### R
TBD. Pull requests welcome.
### Jupyter
- <https://marketplace.visualstudio.com/items?itemName=ms-toolsai.jupyter>
### STL
- <https://marketplace.visualstudio.com/items?itemName=xdan.stlint-vscode-plugin>
- <https://marketplace.visualstudio.com/items?itemName=md2perpe.vscode-3dviewer>
- <https://marketplace.visualstudio.com/items?itemName=slevesque.vscode-3dviewer>
### G-code
TBD. Pull requests welcome.
### Gerber
TBD. Pull requests welcome.

1
src/CIO/Systems/TSYS-Systems.md
View File

@@ -1 +0,0 @@
# TSYS Systems Overview

38
src/CIO/Systems/code/ListAllSystems.sh
View File

@@ -1,38 +0,0 @@
host buildbox
host ca
host canonmfc
host db1
host db2
host db2
host nvr
host pfv-consrv01
host pfv-core-ap01
host pfv-core-rtr01
host pfv-core-sw01
host pfv-lab-sw01
host pfv-lab-sw02
host pfv-lab-sw03
host pfv-stor1
host pfv-stor1-oob
host pfv-stor2
host pfv-stor2-oob
host pfv-time1
host pfv-toolbox
host pfv-vmsrv-01
host pfv-vmsrv-02
host pfv-vmsrv-03
host pfv-vmsrv-04
host pfv-vmsrv-06
host pihole1
host pihole2
host sipwise
host subodev
host suboqa
host suboprod
host tsys-dc-01
host tsys-dc-02
host tsys-dc-03
host tsys-dc-04
host www1
host www2
host 3dpsrv

27
src/CIO/ThingsToDocument.md
View File

@@ -1,27 +0,0 @@
- [Things to document](#things-to-document)
- [System Admin](#system-admin)
- [Facilities](#facilities)
- [Network](#network)
- [Hypervisor](#hypervisor)
- [Storage](#storage)
- [Authentication](#authentication)
- [SRE](#sre)
# Things to document
## System Admin
### Facilities
### Network
VPN user addition to algo (opnsense soon)
### Hypervisor
### Storage
### Authentication
## SRE