TSYSGroupCorporate/tsysstaticsites
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

merge: plan.knownelement.com (7 pages)

Browse Source 
git-subtree-dir: content/plan.knownelement.com
git-subtree-mainline: e6384cc4e1
git-subtree-split: 5418b03a87
This commit is contained in:
Charles N Wyble
2026-03-02 16:49:04 -05:00
parent e6384cc4e1 5418b03a87
commit 1c82448205
47 changed files with 2938 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
content/plan.knownelement.com/.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
book
.vscode/sftp.json

6
content/plan.knownelement.com/BuildAndShip.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
mdbook \
build \
. \
-d book

235
content/plan.knownelement.com/LICENSE Normal file
View File

@@ -0,0 +1,235 @@
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for software and other kinds of works, specifically designed to ensure cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, our General Public Licenses are intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License which gives you legal permission to copy, distribute and/or modify the software.
A secondary benefit of defending all users' freedom is that improvements made in alternate versions of the program, if they receive widespread use, become available for other developers to incorporate. Many developers of free software are heartened and encouraged by the resulting cooperation. However, in the case of software used on network servers, this result may fail to come about. The GNU General Public License permits making a modified version and letting the public access it on a server without ever releasing its source code to the public.
The GNU Affero General Public License is designed specifically to ensure that, in such cases, the modified source code becomes available to the community. It requires the operator of a network server to provide the source code of the modified version running there to the users of that server. Therefore, public use of a modified version, on a publicly accessible server, gives the public access to the source code of the modified version.
An older license, called the Affero General Public License and published by Affero, was designed to accomplish similar goals. This is a different license, not a version of the Affero GPL, but Affero has released a new version of the Affero GPL which permits relicensing under this license.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based on the Program.
To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.
A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.
The Corresponding Source for a work in source code form is that same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.
When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices".
c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.
d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).
The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or authors of the material; or
e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.
All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.
If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.
A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.
Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the work with which it is combined will remain governed by version 3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of the GNU Affero General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU Affero General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU Affero General Public License, you may choose any version ever published by the Free Software Foundation.
If the Program specifies that a proxy can decide which future versions of the GNU Affero General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.
Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
KNEL-bizopprodplan
Copyright (C) 2024 KNEL
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer network, you should also make sure that it provides a way for users to get its source. For example, if your program is a web application, its interface could display a "Source" link that leads users to an archive of the code. There are many ways you could offer source, and different solutions will be better for different programs; see section 13 for the specific requirements.
You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU AGPL, see <http://www.gnu.org/licenses/>.

1
content/plan.knownelement.com/Policies/Authentication.md Normal file
View File

@@ -0,0 +1 @@
# Policies - Authentication

27
content/plan.knownelement.com/Policies/BusinessContinuityPlan.md Normal file
View File

@@ -0,0 +1,27 @@
# TSYS Group - IT Documentation - Policies - Business Continuity Plan
## Data
In the event of a data failure, data should be recovered from the most recent backup, to have as minimal impact on daily operations as possible.
* All data lives canonically at PFV
* All data resides in ZFS volumes on pfv-stor2 and pfv-stor1
* All ZFS volumes are continuously snapshotted in place on array
* All ZFS volumes are replicated at various intervals depending on recovery time objectives to pfv-stor1 backup drive
## Equipment
In the event of an equipment failure, equipment is to be replaced as soon as possible, utlizing insurance policies as necessary to recoup losses imposed. Replacesments are to be obtained, and data recovered, as soon as possible, to have as minimal impact on daily opersation as possible.
## Facility
As of the time of this writing, PFV is the only location, and in the event it should become permanently unavailable, obtaining use of a coworking space, such as WeWork or Capitol Factory, for continued dailiy operations is a must, until new dedicated facilities become available.
## Personnel
* In the event that the CEO is no longer willing or able to perform their duties, the next officer in succession is the CFO. The CFO shall perform the duties of both officers, until such time as a replacement can be found.
* In the event that the CFO is no longer willing or able to perform their duties, the next officer in succession is the CMO. The CMO shall perform the duties of both officers, until such time as a replacement can be found.
* In the event the CMO is no longer willing or able to perform their duties, the CTO shall perform the duties of CEO/CFO/CMO and will be acting CEO/CFO/COM until such time as a replacement can be found.

18
content/plan.knownelement.com/Processes/2fa.md Normal file
View File

@@ -0,0 +1,18 @@
# TSYS Group - IT Documentation - Processes - 2fa
- [TSYS Group - IT Documentation - Processes - 2fa](#tsys-group-it-documentation-processes-2fa)
- [Introduction](#introduction)
- [Applications](#applications)
## Introduction
This section is to document 2fa at TSYS.
## Applications
| Application | 2fa supported | 2fa enforced | 2fa documentation from vendor | 2fa enable page |
| ----------- | ------------- | ------------ | ----------------------------- | --------------- |
| Discourse | Yes | No | tbd | tbd |
| Bitwarden | Yes | Yes | tbd | tbd |
| Opnsense | Yes | Yes | tbd | tbd |

1
content/plan.knownelement.com/Processes/MoveToProduction.md Normal file
View File

@@ -0,0 +1 @@
# Processes - Move To Production

81
content/plan.knownelement.com/Processes/NewTeamMemberOnboarding.md Normal file
View File

@@ -0,0 +1,81 @@
# TSYS Group - IT Documentation - Processes - New Team Member Onboarding
- [TSYS Group - IT Documentation - Processes - New Team Member Onboarding](#tsys-group-it-documentation-processes-new-team-member-onboarding)
- [Introduction](#introduction)
- [Proces Overview](#proces-overview)
- [All users](#all-users)
- [R&D users](#r-d-users)
- [HR tasks](#hr-tasks)
- [Invite user to Discord](#invite-user-to-discord)
- [Inform TSYS point of contact of persons real name and Discord handle](#inform-tsys-point-of-contact-of-persons-real-name-and-discord-handle)
- [IT tasks](#it-tasks)
- [Application Access](#application-access)
- [System Access](#system-access)
- [Facillites Access](#facillites-access)
- [R&D access](#r-d-access)
- [Other tasks](#other-tasks)
- [Introduction](#introduction)
- [IT tasks](#it-tasks)
- [Application Access](#application-access)
- [System Access](#system-access)
- [Facillites Access](#facillites-access)
- [R&D access](#r-d-access)
- [HR tasks](#hr-tasks)
- [Other tasks](#other-tasks)# TSYS Group - IT Documentation - Processes - New Team Member Onboarding
## Introduction
On-boarding is an often overlooked and under documented aspect at companies ranging from startups to established multi national corporations.
We are starting things off right and are in the process of establishing a streamlined on-boarding process. More to come soon, as we work out the
final bugs!
## Proces Overview
### All users
* Invite user to Discord
* Create user account in UCS
* Send initial UCS username/ppassword via discord DM
* Have user change password at https://accounts.knownelement.com
* Once user has changed password, add them to appropriate UCS groups
### R&D users
* Create wireguard config with algo for any user systems
* Send user a discord DM with the algo config / QR
* Have user import TSYS Root CA certificate
## HR tasks
### Invite user to Discord
* Document process
### Inform TSYS point of contact of persons real name and Discord handle
* Document process (erpnext workflow)
## IT tasks
### Application Access
- LDAP Groups
- Application ACLs
### System Access
- Wireguard
- SSH key management
### Facillites Access
### R&D access
## Other tasks

125
content/plan.knownelement.com/Processes/PFVRunbook.md Normal file
View File

@@ -0,0 +1,125 @@
# TSYS Group - HQ data center documentation - runbook
- [TSYS Group - HQ data center documentation - runbook](#tsys-group-hq-data-center-documentation-runbook)
- [Introduction](#introduction)
- [Prerequisites and requirements](#prerequisites-and-requirements)
- [Scenarios](#scenarios)
- [Power lost and internet access isn't working after power is restored](#power-lost-and-internet-access-isn-t-working-after-power-is-restored)
- [UPS battery fails](#ups-battery-fails)
- [Air conditioning fails (E5 error)](#air-conditioning-fails-e5-error)
## Introduction
This book covers recovery scenarios for PFV. It is meant to be executed inside the PFV server room.
## Prerequisites and requirements
* Be in the PFV server room
* Have a headlamp so your hands are free
* Go slow and easyo
* Ask for help
* Lift up the cardboard on rack3 (bottom rack of the two half racks next to rack 5), so you can press buttons on the Keyboard/Video/Mouse (KVM) switcher
## Scenarios
### Power lost and internet access isn't working after power is restored
The Virtual machines are set to automatically start on boot of the virtual server hosts. However the virtual server hosts boot faster than the storage hosts.
So a manual intervention is needed to restore service.
Procedure:
Step 1)
Ensure that storage enclosures are at the login prompt. You'll be confirming two systems:
* pfv-stor1
* pfv-stor2
The buttons on the KVM switcher with the label
* s1
* s2
will show you the output from pfv-stor1/pfv-stor2 respectively (on the monitor sitting on top of the UPS rack)
* Press the button with the label s1
* Look at the monitor
* Ensure it's at a login prompt.
* Press the button with the label s2
* Look at the monitor
* Ensure it's at a login prompt.
Step 2)
Restart pfv-vm1
Procedure:
1) reboot the system labeled pfv-vm1:
* Press the button on the KVM switcher labeled v1
* quickly press and let go of the power button (just tap it and release). This will start a shutdown of the system.
* wait for power off and observe the output on the monitor . It will print out status as it shuts down.
* Press the power button and let go of the power button (just tape it and release). This will start the system back up.
* wait for power on and observe the output on the monitor . It will print out status as it starts up and will end at a login prompt.
* wait two minutes
* see if internet is working
2) start the guests by logging into the console of vm1 by typing at the login prompt
root
<password from the envelope in the safe>
Then type: qm start 120
This will start up the router
Then type: qm start 106
This will start up the virtual private network
You can use the command:
``` qm list ```
to get the current state
You may see additional systems other than those listed below, when you run qm list. They are not critical path for production and can be started by ops team once core critical path is operational.
* pfv-vmsrv-01
root@pfv-vm1:~# qm list
VMID NAME STATUS MEM(MB) BOOTDISK(GB) PID
120 pfv-core-rtr01 running 2048 20.00 3786 << this is the virtual router, if it's down, nothing else will work .
106 pfv-vpn running 2048 50.00 12814 << vpn server. No one will be able to access the network remotely if it's down
If the above two systems are functioning , then IT can start up the other systems remotely.
### UPS battery fails
Sometimes the UPS will continue to function, passing through utility power, with an active alarm.
Other times it will fail.
1) Report this to ops team as an incident, including
* which UPS (they are labeled front/back) is having an issue
* nature of the issue (total failure, alarm)
* include a picture of the front which will have some information
2) Replace the battery
* Access printed manual in the file cabinet in server room
* Follow battery replacement procedure
* Take pictures as you pull the battery pack out, to allow for easier re-wiring
* Go to batteries plus with the failed batteries (we replace whole packs at once) and they'll sell you replacements for the pack
* Wire pack and place into UPS
### Air conditioning fails (E5 error)
1) Shut down and unplug air conditioning unit
2) Take air conditioning unit outside (front porch)
3) Drain reservoir

0
content/plan.knownelement.com/Processes/VpnUser.md Normal file
View File

14
content/plan.knownelement.com/Processes/VulnerabilityManagmentNotes.md Normal file
View File

@@ -0,0 +1,14 @@
# Vulnerability management
* identify total asset base (use nmap and see if it matches librenms and resolve any discrepancies)
* perform scans of total asset base (using openvas/lynis/ossim)
* manage vulnerability ratings/scope
* notify/escalate to appropriate contacts
* address the vulns
* report metrics (i think the apps provide built in dashboards, may need some light modification)
i think ossim can do all the above ,also lynis/openvas (the three combined should provide complete coverage) (network scan/agent based combination)
librenms is our CMDB currently (for identifying assets/contacts). phpipam is our inventory.

30
content/plan.knownelement.com/README.md Normal file
View File

@@ -0,0 +1,30 @@
# TSYS Group - CIO Documentation
## Introduction
Welcome to the TSYS Group Handbook - CIO Documentation.
We strive to be as open, transparent and responsive as possible as we support the mission of the TSYS Group and it's component divisions.
We are glad you are here. :)
This manual serves as the sole source of documentation for all IT operations/systems/services of TSYS Group.
We strive to provide a complete suite of services utilizing an almost entirely FLO stack. The FLO exceptions are:
* Office 365 for e-mail
* Neat.com for expense receipt OCR
* Windows 10 workstations
* Apple IOS devices
The entirety of our servers are running Ubuntu 20.04 or later.
Other than the above exceptions, we utilize 100% FLO software to implement every single IT and Business service delivered to
the TSYS group. We hope our documentation helps you do the same.
Our business and IT service stack GIT Repository: <https://git.turnsys.com/TSGTechops/docs-techops>
## Todo list:
<https://git.turnsys.com/TSGTechops/docs-techops/issues>

0
content/plan.knownelement.com/Systems/Admin-AAA/Auditing.md Normal file
View File

17
content/plan.knownelement.com/Systems/Admin-AAA/Authentication.md Normal file
View File

@@ -0,0 +1,17 @@
# Authentication
## Password Management
### Shared Passwords
* We utilize bitwarden for shared password storage. For example for external vendors, social media etc. All external logins are 2fa.
### Privileged Access
* CEO/CFO have equivalent access in bitwarden, to absolutely everything.
* CIO has very limited access to shared passwords (just for pfv-stor until it's hooked into true command). Does not have access to domain admin or other shared passwords.
* CMO has access to all social media and all wordpress admin (but uses normal account for day to day use)
### VPN Endpoint Creation / Deletion
* Ansible recipe for algo (update users.yml and re-run ansible) (document more soon)

0
content/plan.knownelement.com/Systems/Admin-AAA/Authorization.md Normal file
View File

271
content/plan.knownelement.com/Systems/Admin-Application/AppsAndServices.md Normal file
View File

@@ -0,0 +1,271 @@
# TSYS / Redwood Group Applications and Services
The goal of this section is to document all applications and services utilized by TSYS Group.
Welcome to the future, welcome to the first open source conglomerate! We have broken the page up into a number of sections, to aid navigation.
To our knowledge, we are the only organization in the known universe to fully document our stack and to fully open source it. Enjoy!
Go forth and create your own conglomerates! Solve big problems!
- [TSYS / Redwood Group Applications and Services](#tsys--redwood-group--applications-and-services)
- [Web Properties](#web-properties)
- [Redwood Group Properties](#redwood-group-properties)
- [Non Profit Properties](#non-profit-properties)
- [For Profit Properties](#for-profit-properties)
- [Coop Properties](#coop-properties)
- [Misc Properties](#misc-properties)
- [Services](#services)
- [Externally provided services](#externally-provided-services)
- [Internally provided services](#internally-provided-services)
- [R&D Applications](#rd-applications)
## Web Properties
### Redwood Group Properties
The below table documents the not primarily for profit entities performing capital raising and management for TSYS Group entities and their members.
All sites below are proudly powered by the TSYS Wordpress platform.
| Entity | Description | Website |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------------- | ------------------------ |
| Redwood Group LLC | Sibling organization to TSYS Group for all capital raising and management | <https://www.redwgr.com> |
| Redwood Springs Capital Partners Management Co LLC | management company of the various funds setup to finance TSYS Group operations | <https://www.rwscp.net> |
| Redwood Family Office LLC | Wealth management/healthcare/estate planning/tax advice broker for LLC members and their families | <https://www.redwfo.com> |
### Non Profit Properties
The below table documents the non profit entities performing the educational, advocacy, lobbying and legislative functions for TSYS Group.
All sites below are proudly powered by the TSYS Wordpress platform.
| Entity | Description | Website |
| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| Americans For A Better Network INC | A non profit (seeking 501c3 status) to educate americans about internet provider choices | <https://www.afabn.org> |
| Free Network Foundation INC | A defunct 501c3 (replaced by AFABN) | <https://www.thefnf.org> |
| Free Network Foundation INC | (wiki) comprehensive body of knowledge about community networking | <https://commons.thefnf.org> |
| Free Network Foundation INC | (static files) Assets (pdfs etc) linked from blog/wiki | <https://staticbits.thefnf.org> |
| Side Door (Solutions) Group INC | A non profit (seeking 501c4) / PAC to drive the necessary legislative and executive changes to enable internet for all | <https://www.sidedoorgroup.org> |
| TSYS Group Non Profit Portal | Landing page for non profits | <https://nonprofit.turnsys.com> |
### For Profit Properties
The below table documents the not primarily for profit entities performing the R&D and providing supporting services functions for TSYS Group.
All sites below are proudly powered by the TSYS Wordpress platform.
| Entity | Description | Website |
| ------------------------------------------ | ---------------------------------------------------------------------------------------------- | ------------------------------------ |
| Axios Heart Studios LLC | Art, 2d,3d and other fabrication services for TSYS Group | <https://www.axiosheartstudios.com> |
| Suborbital Systems Development Company LLC | Manufacturer of Morse product line - technical blog and information | <https://www.suborbital-systems.com> |
| Suborbital Systems Development Company LLC | Manufacturer of Morse product line - product page | <https://www.meetmorse.com> |
| RackRental LLC | network and lab equipment rental by the hour for training, config testing, competitive testing | <https://www.rackrental.net> |
| Team Rental LLC | HR/staffing of IT/dev professionals (2 million net new job goal by 2025) | <https://www.teamrental.net> |
| Known Element Enterprises LLC | IT/business back office services | <https://www.knownelement.com> |
| Your Dream Name Here LLC | Business in a box | <https://www.yourdreamnamehere.com> |
| The PeerNet LLC | Community, media, public relations / (live/time shifted) streaming/broadcast service | <https://www.thepeernet.com> |
| The PeerNet LLC | Software platform powering ThePeerNet.com service | <https://www.ezpodstack.org> |
### Coop Properties
The below table documents the fairshares cooperatives for financing, building, owning and operating community networks.
| Entity | Description | Website |
| ----------------------------------------- | -------------------------------------------------------- | -------------------------------- |
| High Flight Network Finance Company LLC | Financing network builds | <https://www.hfnfc.net> |
| High Flight Network Operating Company LLC | User owned/operated network backbone | <https://www.hfnoc.net> |
| KickFund.me LLC | Crowdfunding of network and other infrastructure builds | <https://www.kickfund.me> |
| The Campus Trading Co LLC | treasury/investment management/market and other research | <https://www.thecampustrade.com> |
### Misc Properties
| Entity | Description | Website |
| -------------------- | -------------------------------------- | -------------------------------- |
| CNWCO LLC | Charles Wyble blog | <https://www.reachableceo.com> |
| Turn Net Systems LLC | Overall entity for many subsidiary LLC | <https://www.turnsys.com> |
| Turn Net Systems LLC | Governance information for TSYS group | <https://governance.turnsys.com> |
## Services
### Externally provided services
The below table documents the handful of things TSYS Group has yet to vertically integrate and turn into a profit center.
These are not free/libre/open services, that are externally hosted and represent a cost center.
| Function | Vendor Link |
| ----------------------------------------------- | -------------------------------------------------------------------------------------- |
| Corporate email | <https://www.microsoft.com/en-us/microsoft-365/buy/compare-all-microsoft-365-products> |
| OCR for expense management | <https://www.neat.com/> |
| Payment processing | <https://www.paypal.com/> <https://squareup.com/us/en)/> <https://stripe.com/> |
| Payment, treasury operations, wealth management | <https://www.goamplify.com/>) |
| Tax prep/audit and other CPA services | (coming soon) |
| Domain Registrar , DNS, | <https://www.ovh.com/ca/en/>) |
| Live audio/video and text chat | <https://discord.com/>) |
### Internally provided services
These are hosted services (internally hosted by IT) and accessed via either a thick client application or a web browser.
They are provided by Known Element Enterprises LLC.
| Function | Vendor | Application Instance |
| ---------------------------------------------- | --------------------------------------------------------------- | -------------------------------------------------- |
| Storage Array for enterprise wide use | <https://www.freenas.org/> | <http://pfv-stor1.turnsys.net/> |
| Storage Array for RackRental use | <https://www.freenas.org/> | <http://pfv-stor2.turnsys.net/> |
| Ad blocking | <https://pi-hole.net/> | <http://pihole1.turnsys.net/admin> |
| Ad blocking | <https://pi-hole.net/> | <http://pihole2.turnsys.net/admin> |
| IAM | <https://www.gluu.org/> | <https://accounts.turnsys.com> |
| Artifact store | <https://archiva.apache.org/> | <https://artifacts.turnsys.com> |
| Zero trust,BeyondCorp | <https://www.trasa.io/docs/> | <https://beyondcorp.turnsys.com/> |
| Billing platform | <https://killbill.io/> | <https://billing.turnsys.com> |
| Shared Bookmarks | <https://github.com/shaarli/Shaarli> | <https://bookmarks.knownelement.com/> |
| Building Automation | <https://www.home-assistant.io/> | <https://buildauto.turnsys.net/> |
| CAD | <https://collabcad.gov.in/eCollabCAD/> | <https://cad.turnsys.com> |
| CI/CD | <https://www.jenkins.io/> | <https://ci.turnsys.com/> |
| Support forum/KB/general discussion | <https://www.discourse.org/> | <https://community.turnsys.com/> |
| Editing of audio | <https://github.com/Yahweasel/craig | <https://craig.thepeernet.com> |
| Customer data analytics and management | <https://github.com/rudderlabs> | <https://custdash.turnsys.com> |
| Database access | <https://www.metabase.com/> | <https://db.turnsys.com> |
| ERP | <https://erpnext.org/> | <https://erp.turnsys.com/> |
| WebForms | <https://easyforms.dev/> | <https://forms.turnsys.com> |
| Configuration management | <https://github.com/team-video/aviary.sh> | <https://git.turnsys.com/TSGTechops/ConfigMgmt> |
| Source code management | <https://gitea.io/en-us/> | <https://git.turnsys.com> |
| Docker registry | <https://goharbor.io/> | <https://docker-reg.turnsys.com> |
| Customer Helpdesk | <https://freescout.net/> | <https://support.turnsys.com> |
| Business logic/workflow execution | <https://github.com/huginn/huginn> | <https://huginn.turnsys.com> |
| Asset management/inventory | <https://glpi-project.org/> | <https://inventory.turnsys.com/> |
| Mobile Device Management | <https://www.flyve-mdm.com/> | <https://inventory.turnsys.com> |
| SSH Jump <audited,logged,2fa etc> | <https://www.bastillion.io/> | <https://jumpssh.turnsys.com/> |
| Code Notebook | <https://www.github.com/jupyter/enterprise_gateway> | <https://jupyter.turnsys.com> |
| Engineering Notebook | <https://www.elabftw.net/> | <https://labnotebook.turnsys.com> |
| Training/coursework | <https://www.instructure.com/canvas/> | <https://learn.turnsys.com> |
| Mail Archiving/retention/legal/regulatory hold | <https://www.mailpiler.org/wiki/start> | <https://legalhold.turnsys.com> |
| Email Discussion lists | Mailman | <https://mailman.turnsys.com> |
| Marketing Campaigns | <https://www.mautic.org/> | <https://marketing.iurnsys.com/> |
| Out of band system access | <https://www.meshcommander.com/meshcommander> | <https://meshoob.turnsys.net> |
| Budget/Finance analytics/modeling etc | <https://www.firefly-iii.org/> | <https://moneystuff.turnsys.com/> |
| Service Availability Monitoring | <https://www.librenms.org/> | <https://halfthefarm.turnsys.com/> |
| File sync/Groupware | <https://nextcloud.com/hub/> | <https://nextcloud.turnsys.com/> |
| Video surveillance | <https://shinobi.video/> | <https://nvr.turnsys.net> |
| Automated Security Auditing and reporting | <https://openvas.org/> | <https://openvas.turnsys.com/> |
| Pastebin | <https://github.com/claudehohl/Stikked> | <https://paste.turnsys.com> |
| IP Routing/firewalling/DHCP/IDS/IPS/Proxy etc | <https://opnsense.org/> | <https://pfv-core-rtr01.turnsys.net/> |
| IP Routing/firewalling/DHCP/IDS/IPS/Proxy etc | <https://opnsense.org/> | <https://pfv-core-rtr02.turnsys.net/> |
| Photo Management | <https://piwigo.org/> | <https://photos.turnsys.com/> |
| IP Address Management | <https://phpipam.net/> | <https://phpipam.turnsys.com/index.php?page=login> |
| Outbound Newsletters | <https://www.phplist.com/> | <https://phplist.turnsys.com/lists/admin/> |
| Password Management | <https://github.com/dani-garcia/bitwarden_rs> | <https://pwvault.turnsys.com> |
| Secrets Management | <https://github.com/envwarden/envwarden> | <https://pwvault.turnsys.com> |
| Read later | <https://wallabag.com>> | <https://readlater.turnsys.com> |
| Research archive management | <https://archivebox.io/> | <https://research.turnsys.com> |
| Document review/change tracking workflow | <https://www.reviewboard.org/> | <https://review.turnsys.com/> |
| RSS Feed Management | <https://www.freshrss.org/> | <https://rss.knownelement.com> |
| orchestration | <https://www.rundeck.com/open-source> | <https://rundeck.turnsys.net/> |
| Document Creation and management | <https://sandstorm.io/> | <https://sandstorm.turnsys.com> |
| Full text Search | <https://ambar.cloud/> | <https://search.turnsys.com> |
| Host IDS / SIEM | <https://wazuh.com/> | <https://siem.turnsys.com> |
| Streaming of live audio/video | <https://openstreamingplatform.com/> | <https://streaming.thepeernet.com/> |
| Backups | BareOS | <https://tsys-dc-01.turnsys.net/bareos-webui/> |
| Inbound PSTN voice communications | <https://www.sipwise.com/> | <https://voice.turnsys.com> |
| Voting | TBD | <https://voting.turnsys.com> |
| Web Analytics | <https://matomo.org/> | <https://webstats.turnsys.com/> |
| Shared whiteboard | <https://wbo.ophir.dev/> | <https://whiteboard.turnsys.com/> |
| 501c3 donor management/CRM | <https://civicrm.org/home> | <https://www.afabn.org/crm> |
| 501c4 donor management/CRM | <https://civicrm.org/home> | <https://www.sidedoorgroup.org/crm> |
| Streaming of time shifted audio/video | <https://git.turnsys.com/ThePeerNetwork/PodcastAsAServiceStack> | N/A |
| Serverless | <https://github.com/openfaas/faasd/> | N/A |
| Offline Root CA | <https://hohnstaedt.de/xca/> | N/A |
| On demand system provisioning | <https://maas.io/> | N/A |
| Internal CA | <https://github.com/cloudflare/cfssl> | N/A (API Driven) |
| Business Process Mapping | TBD | TBD |
| Computer aided dispatch | TBD | TBD |
| E-signature and contract management | TBD | TBD |
| Process mining | TBD | TBD |
>
## R&D Applications
These are thick client applications installed locally on a developer workstation.
This software has two modes of deployment:
- downloaded from the vendor and setup on your physical workstation (used for dev/testing/experimenting)
- downloaded from the /subo directory and ran on your physical workstation or run from the /subo directory on a virtual workstation you login to remotely
The software that is built/deployed in /subo is the only version approved for production use.
The exception to that is if it has an OTS notation next to it's name, in which case you can use the latest stable version from the vendor.
| Program | Used By | Link | Product Scope |
| -------------------- | ------------------ | ------------------------------------------------------------------------ | ------------------------------------------------- |
| android studio (OTS) | Team-SwEng | <https://developer.android.com/studio> | MorsePod |
| argouml (OTS) | All | <https://github.com/argouml-tigris-org/argouml> | All |
| bitwaden (OTS) | All | <https://bitwarden.com/> | N/A |
| Blender | Team-MechEng/HwEng | <https://www.blender.org/> | MorseFlyer, MorseSkynet |
| bonita (OTS) | All | <https://www.bonitasoft.com/> | All |
| calibre (OTS) | All | <https://calibre-ebook.com/> | N/a |
| camotics | Team-MechEng | <https://camotics.org/> | MorseFlyer (avionics), MorseSkynet |
| chisel | Team-HwEng | <https://www.chisel-lang.org/> | MorseSkynet |
| CodeAster | Team-MechEng | <https://www.code-aster.org/V2/spip.php?rubrique2> | MorseFlyer (envelope/parafoil/airframe) |
| Cubit Toolkit | Team-MechEng | <https://cubit.sandia.gov/> | MorseFlyer (envelope/parafoil/airframe) |
| CUDA SDK | Team-HwEng | <https://developer.nvidia.com/cuda-zone> | MorseFlyer (envelope/parafoil/airframe) |
| Cura | Team-MechEng | <https://ultimaker.com/software/ultimaker-cura> | MorseFlyer (envelope/parafoil/airframe) |
| DbEaver(OTS) | Team-SwEng | <https://dbeaver.io/> | MorseFlyer(avionics), RacKRental.net, HFNOC |
| docear (OTS) | All | <https://docear.org/> | N/A |
| Docker Desktop (OTS) | All | <https://www.docker.com/products/docker-desktop> | All |
| embitz (OTS) | Team-SwEng/HwEng | <https://www.embitz.org/> | MorseSkynet |
| Esim | Team-HwEng | <https://esim.fossee.in/> | MorseFlyer (avionics), MorseSkynet |
| Flora | Team-HwEng/SwEng | <https://flora.aalto.fi/> | MorseFlyer (avionics), MorseSkynet |
| Freecad | Team-MechEng/HwEng | <https://github.com/FreeCAD> | MorseFlyer, MorseSkynet |
| gerber2graphtec | Team-HwEng | <https://github.com/pmonta/gerber2graphtec> | MorseFlyer, MorseSkynet |
| gerber2graphtec | Team-HwEng | <https://github.com/colinoflynn/gerber2graphtec/>> | MorseFlyer, MorseSkynet |
| Gerby | Team-HwEng | <http://gerbv.geda-project.org/> | MorseFlyer (avionics), MorseSkynet |
| ghidra (OTS) | Team-SwEng | <https://ghidra-sre.org/> | ALl (SDLC) |
| gnuradio | Team-HwEng | <https://www.gnuradio.org/> | MorseSkynet |
| GprMax | Team-HwEng | <https://github.com/gprMax/gprMax> | MorseFlyer (avionics), MorseSkynet |
| grass gis (OTS) | Team-SwEng | <https://grass.osgeo.org/> | HFNOC |
| graywolf | Team-HwEng | <https://github.com/rubund/graywolf> | MorseSkynet |
| inkscape | Team-HwEng/MechEng | <https://inkscape.org/> | MorseFlyer, MorseSkynet |
| jxplorer (OTS) | Team-IT | <http://jxplorer.org/> | HFNOC/HFNFC |
| keybase | All | <https://keybase.io> | N/A |
| Kicad | Team-HwEng | <https://gitlab.com/kicad/code/kicad> | MorseFlyer (avionics), MorseSkynet |
| Librecad | Team-MechEng/HwEng | <https://librepcb.org/> | MorseFlyer, MorseSkynet |
| LibrePCB | Team-hwEng | <https://librepcb.org/> | MorseFlyer (avionics), MorseSkynet |
| metasploit | Team-SwEng | <https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers> | All (SDLC) |
| Microsoft R (OTS) | Team-HwEng | <https://mran.microsoft.com/open> | MorseFlyer (envelope/parafoil/airframe)(avionics) |
| NasaTran95 | Team_MechEng | <https://github.com/nasa/trick> | MorseFlyer (envelope/parafoil/airframe) |
| NasaTrick | Team_MechEng | <https://github.com/nasa/trick> | MorseFlyer (envelope/parafoil/airframe) |
| NgSpice | Team-HwEng | <http://ngspice.sourceforge.net/resources.html> | MorseFlyer (avionics), MorseSkynet |
| obs (OTS) | All | <https://obsproject.com/> | N/A |
| Octave | Team-MechEng | <https://hg.savannah.gnu.org/hgweb/octave> | MorseFlyer (envelope/parafoil/airframe) |
| OneLAB | Team-MechEng | <http://onelab.info/> | MorseFlyer (envelope/parafoil/airframe) |
| open 3d model viewer | Team-MechEng | <https://acgessler.github.io/open3mod/> | MorseFlyer (envelope/parafoil/airframe) |
| OpenGribs | Team-SwEng | <https://opengribs.org/en/> | HFNOC |
| openscap (OTS) | Team-IT | <https://www.open-scap.org/tools/scap-workbench/> | All (SDLC) |
| OpenVSP | Team-MechEng | <http://openvsp.org/> | MorseFlyer (envelope/parafoil/airframe) |
| OWASP Threat Dragon | Team-SwEng | <https://owasp.org/www-project-threat-dragon/> | All (SDLC) |
| Pandoc (OTS) | All | <https://pandoc.org/> | All |
| Paraview | Team-MechEng | <https://www.paraview.org/> | MorseFlyer (envelope/parafoil/airframe) |
| PHP runtime | Team-SwEng | <http://devilbox.org/> | RackRental |
| polar (OTS) | All | <https://getpolarized.io/> | N/a |
| postman (OTS) | Team-SwEng | <https://www.postman.com/> | RackRental/HFNOC |
| qgis (OTS) | Team-SwEng | <https://qgis.org/en/site/> | HFNOC |
| qrouter | Team-HwEng | <http://opencircuitdesign.com/qrouter/> | MorseFlyer (avionics), MorseSkynet |
| rstudio (OTS) | Team-HwEng | <https://www.rstudio.com/> | MorseFlyer (envelope/parafoil/airframe) |
| SciKit-RF | Team-HwEng | <https://scikit-rf.readthedocs.io/en/latest/> | MorseFlyer (avionics), MorseSkynet |
| SciLab | Team-MechEng | <https://www.scilab.org/> | MorseFlyer (envelope/parafoil/airframe) |
| sdrsharp | Team-HwEng | <https://www.rtl-sdr.com/tag/sdrsharp/> | MorseSkynet |
| Solvespace | Team-MechEng | <https://solvespace.com/index.pl> | MorseFlyer, MorseSkynet |
| sweethome3d (OTS) | Team-MechEng | <http://www.sweethome3d.com/> | MorseCollective |
| udig (OTS) | Team-SwEng | <http://udig.refractions.net/> | HFNOC |
| VirtualSatellite | Team_MechEng | <https://github.com/virtualsatellite> | MorseFlyer (envelope/parafoil/airframe) |
| vym (OTS) | All | <http://www.insilmaril.de/vym/> | All |
| Warp3d | Team_MechEng | <http://www.warp3d.net/> | MorseFlyer (envelope/parafoil/airframe) |
| worldwind (OTS) | Team-HwEng | <https://worldwind.arc.nasa.gov/> | HFNOC |
| xilinx | Team-HwEng | <https://www.xilinx.com/> | MorseSkynet |
| Xilinx | Team-HwEng | <https://www.xilinx.com/support/download.html> | MorseSkynet |
| YoSys | Team-HwEng | <http://www.clifford.at/yosys/> | MorseSkynet |
| Evolus Pencil | Team-Design | <https://pencil.evolus.vn/> | All |
| yEd | Team-Design | <https://www.yworks.com/products/yed> | All |
| oss-fuzz | Team-IT | <https://github.com/google/oss-fuzz> | All |
| cluster fuzz | Team-IT | <https://github.com/google/clusterfuzz> | All |

98
content/plan.knownelement.com/Systems/Admin-Application/RuntimeLayer.md Normal file
View File

@@ -0,0 +1,98 @@
# TSYS Group Web Application Runtime Layer
## Introduction
The TSYS Group needs a web application runtime layer for it's myriad of applications.
## Broad Requirements for runtime layer
* No single point of failure
* High availability/auto recovery for containers
* Distributed/replicated persistent storage for containers
## Major components of runtime environment
### storage
Replicated storage that fulfills the persistent volume claim of docker containers.
Deployed on www1,2,3 virtual machines (k3s worker nodes).
Deployed on subord virtual machine (k3s worker node for r&d).
Using longhorn
### container runtime, control plane, control panel
* Kubernetes load balancer , (metallb). Only TCP load balancing is used , as all intelligence (certs/layer 7 etc) is handled by Opnsense
* Kubernetes runtime environment (k3s from Rancher labs)
* workers
* control plane
* control panel
* Kubernetes runtime environment control panel
* Rancher
* authenticates to TSYS LDAP
Control plane is deployed on db1,2,3
Workers are deployed on www1,2,3
### Core container functionality (running as containers on the platform)
* docker registry
* IAM
* API gateway
* Jenkins
* all the above installed as containers running on the kubernetes runtime.
* all the above configured for LDAP authentication
* all the above no other configuration of the components would be in scope
### Applications to deploy/migrate on the runtime platform
### PAAS
* blue/green and other standard deployment methodologies
* able to auto deploy from ci/cd
* orchestrate all of the primitives (load balancer, port assignment etc) (docker-compose target? helm chart? is Rancher suitable?)
## General notes
## A suggested prescriptive technical stack / Work done so far
Followed some of this howto:
<https://rene.jochum.dev/rancher-k3s-with-galera/>
Enough to get k3s control plane and workers deployed:
```
root@db1:/var/log/maxscale# kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
db2 Ready control-plane,master 30d v1.20.4+k3s1 10.251.51.2 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
db3 Ready control-plane,master 30d v1.20.4+k3s1 10.251.51.3 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
db1 Ready control-plane,master 30d v1.20.4+k3s1 10.251.51.1 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
www1 Ready <none> 30d v1.20.4+k3s1 10.251.50.1 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
www2 Ready <none> 30d v1.20.4+k3s1 10.251.50.2 <none> Ubuntu 20.04.2 LTS 5.4.0-70-generic containerd://1.4.3-k3s3
root@db1:/var/log/maxscale#
```
and a bit of load balancing setup going:
```
fenixpi% kubectl get pods -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
metallb-system speaker-7nsvs 1/1 Running 10 30d 10.251.51.2 db2 <none> <none>
kube-system metrics-server-86cbb8457f-64ckz 1/1 Running 18 16d 10.42.2.23 db1 <none> <none>
kube-system local-path-provisioner-5ff76fc89d-kcg7k 1/1 Running 34 16d 10.42.2.22 db1 <none> <none>
metallb-system controller-fb659dc8-m2tlk 1/1 Running 12 30d 10.42.0.42 db3 <none> <none>
metallb-system speaker-vfh2p 1/1 Running 17 30d 10.251.51.3 db3 <none> <none>
kube-system coredns-854c77959c-59kpz 1/1 Running 13 30d 10.42.0.41 db3 <none> <none>
kube-system ingress-nginx-controller-7fc74cf778-qxdpr 1/1 Running 15 30d 10.42.0.40 db3 <none> <none>
metallb-system speaker-7bzlw 1/1 Running 3 30d 10.251.50.2 www2 <none> <none>
metallb-system speaker-hdwkm 0/1 CrashLoopBackOff 4633 30d 10.251.51.1 db1 <none> <none>
metallb-system speaker-nhzf6 0/1 CrashLoopBackOff 1458 30d 10.251.50.1 www1 <none> <none>
```
Beyond that, it's greenfield.

94
content/plan.knownelement.com/Systems/Admin-Application/WebServerSetupNotes.md Normal file
View File

@@ -0,0 +1,94 @@
# TSYS Group - IT Documentation - Applications - Web Server Setup
- [TSYS Group - IT Documentation - Applications - Web Server Setup](#tsys-group-it-documentation-applications-web-server-setup)
- [packages to install](#packages-to-install)
- [php modifications](#php-modifications)
- [memcache](#memcache)
- [php config changes](#php-config-changes)
- [apache](#apache)
- [apache configuration mods needed](#apache-configuration-mods-needed)
- [apache modules needed](#apache-modules-needed)
- [apache tweaks performed](#apache-tweaks-performed)
- [scripts to load](#scripts-to-load)
- [TSYS root ca and UCS DC root cert](#tsys-root-ca-and-ucs-dc-root-cert)
These notes capture actions taken to build the www vm around 9/15 to 10/1 2020.
## packages to install
* php stuff and other packages needed :
```console
sudo apt install memcached php7.4 php7.4-mysqli php7.4-fpm php7.4-mbstring php7.4-xml php7.4-imap php7.4-json php7.4-zip php7.4-gd php7.4-curl php7.4-ldap php7.4-gd php7.4-gmp php-par php-apcu jq unzip python3-pip —no-install-recommends
```
## php modifications
### memcache
root@www:/etc/php/7.4/fpm/conf.d# grep -v ^\; 20-memcache.ini
extension=memcache.so
[memcache]
memcache.allow_failover="1"
memcache.max_failover_attempts="20"
memcache.default_port="11211"
memcache.hash_strategy="consistent"
session.save_handler="memcache"
session.save_path = 'tcp://10.251.51.1:11211,tcp://10.251.51.2:11211,tcp://10.251.51.3:11211'
memcache.redundancy=1
memcache.session_redundancy=4
### php config changes
Timezone
## apache
### apache configuration mods needed
-- alter site config for fpm socket to php7.4-fpm (from 7.3) (socket path)
### apache modules needed
* headers
* deflate
* rewrite
* proxy
* proxy_http
* proxy_fcgi
* cache_disk
### apache tweaks performed
* 1153 sudo a2dismod mpm_prefork
* 1154 sudo a2enmod mpm_event
* 1155 sudo apt install libapache2-mod-fcgid
* 1156 sudo a2enconf php7.2-fpm
* 1157 sudo a2enconf php7.-fpm
* 1158 sudo a2enconf php7.4-fpm
## scripts to load
```console
sandstorm-cert.sh
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.sandstorm.turnsys.com' -d sandstorm.turnsys.com
```
## TSYS root ca and UCS DC root cert
Without having the domain root cert present, none of the apps will be able to validate teh domain controller certificate presented during authentication.
```console
root@www:/usr/local/share/ca-certificates# ls -l
total 12
drwxr-xr-x 2 root root 4096 Sep 28 20:43 extra
lrwxrwxrwx 1 root root 13 Sep 28 20:44 tsys-root.crt -> tsys-root.pem
-r--r--r-- 1 root root 822 Sep 28 20:43 tsys-root.pem
lrwxrwxrwx 1 root root 12 Sep 28 20:44 ucs-root.crt -> ucs-root.pem
-rw-r--r-- 1 root root 2094 Sep 28 20:43 ucs-root.pem
root@www:/usr/local/share/ca-certificates#
```

50
content/plan.knownelement.com/Systems/Admin-DataCenter/cooling/PFVCooling2021.md Normal file
View File

@@ -0,0 +1,50 @@
# TSYS Group - HQ data center documentation - cooling
## Introduction
Cooling is a critical component of any data center. It is often the dominate consumer of energy.
We keep our data center at about 70 degrees F.
## Make / model
We have a
* HiSense Portable Air Conditioner (standalone) the manual lists several possible models, unsure which exact one we have. It was about 700.00 at Lowes with a multiple year replacement warranty.
which is rated for:
* 15,000 BTU
It draws about 7 amps when the compressor is running.
With our heat load, the compressor does cycle on/off ,so it keeps cool pretty efficiently from an energy perspective.
## Tips/tricks
* Extended exhaust house
We moved the air conditioner to the front of the racks (cold aisle) and extended the exhaust
hose todo so.
* Heat barrier
We deployed a cardboard heat barrier above the racks, to keep hot air behind the racks. We also have a vent duct (made of cardboard) to a panel we removed above the doorway.
* Insulation
* Insulate the exhaust hose!
* Air movers
* We have a tower fan in the hot row (back), pushing the heat towards the duct.
* We have two small blowers in the cold row (front) helping "kick back" the air blowing from the HiSense.
## Instrumentation
We use:
* temper usb probe
* lm-sensors
* DRAC
all consumed via SNMP by librenms to monitor/alert on temperature.This lets us find hot/cold spots across the racks and make any necessary adjustments.

80
content/plan.knownelement.com/Systems/Admin-DataCenter/hypervisor/HighPerformanceSetting.md Normal file
View File

@@ -0,0 +1,80 @@
pfv-servers - performance
## vm 1-3 (optiplex)
### Commands to run
* cpupower frequency-set --governor performance
### links to reference
https://itectec.com/ubuntu/ubuntu-how-to-set-performance-instead-of-powersave-as-default/
https://www.cult-of-tech.net/2018/08/linux-ubuntu-cpu-power-frequency-scaling/
https://askubuntu.com/questions/1021748/set-cpu-governor-to-performance-in-18-04
https://metebalci.com/blog/a-minimum-complete-tutorial-of-cpu-power-management-c-states-and-p-states/
## vm 4/6 (xeon poweredge)
Appears to only run at the full frequency (which is what I want)
## Keep the NIC awake
notes taken on 03/20/2021 at 18:28
vm1/2/3 use intel nic
https://downloadcenter.intel.com/download/15817 is the driver (e1000e)
### vm1
root@pfv-vm1:/usr/local/bin# ethtool -i eno1
driver: e1000e
version: 3.2.6-k
firmware-version: 0.13-4
expansion-rom-version:
bus-info: 0000:00:19.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 04)
### vm2
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
root@pfv-vmsrv-02:~# ethtool -i enp0s25
driver: e1000e
version: 3.2.6-k
firmware-version: 0.13-3
expansion-rom-version:
bus-info: 0000:00:19.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
### vm3
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
ethtool -i enp0s25
driver: e1000e
version: 3.2.6-k
firmware-version: 0.13-4
expansion-rom-version:
bus-info: 0000:00:19.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

10
content/plan.knownelement.com/Systems/Admin-DataCenter/hypervisor/code/fixcpuperf.sh Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
#Script to set performance.
cpufreq-set -r -g performance
cpupower frequency-set --governor performance

59
content/plan.knownelement.com/Systems/Admin-DataCenter/hypervisor/code/newsrv.sh Normal file
View File

@@ -0,0 +1,59 @@
#!/bin/bash
#Setup a new server base
#curl -s http://dl.turnsys.net/newSrv.sh|/bin/bash
apt-get -y --purge remove nano
apt-get -y install ntp ntpdate
systemctl stop ntp
ntpdate 10.251.37.5
apt-get update
apt-get -y full-upgrade
apt-get -y install glances htop dstat snmpd screen lldpd lsb-release net-tools sudo gpg molly-guard lshw
rm -rf /usr/local/librenms-agent
curl -s http://dl.turnsys.net/librenms-agent/distro > /usr/local/bin/distro
chmod +x /usr/local/bin/distro
curl -s http://dl.turnsys.net/librenms.tar.gz > /usr/local/librenms.tar.gz
cd /usr/local ; tar xfs librenms.tar.gz
systemctl stop snmpd ; curl -s http://dl.turnsys.net/snmpd.conf > /etc/snmp/snmpd.conf
sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
systemctl daemon-reload
systemctl restart snmpd
/etc/init.d/rsyslog stop
cat <<EOF> /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
*.* @10.251.30.1:514
EOF
/etc/init.d/rsyslog start
logger "hi hi from $(hostname)"
bash <(curl -Ss https://my-netdata.io/kickstart.sh) --dont-wait
echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list
wget -q -O- http://www.webmin.com/jcameron-key.asc | sudo apt-key add
sudo apt update
sudo apt-get -y install webmin

36
content/plan.knownelement.com/Systems/Admin-DataCenter/hypervisor/code/omsa.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
#install dell omsa
#curl -s http://dl.turnsys.net/omsa.sh|/bin/bash
gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-key 1285491434D8786F
gpg -a --export 1285491434D8786F | apt-key add -
echo "deb http://linux.dell.com/repo/community/openmanage/930/bionic bionic main" > /etc/apt/sources.list.d/linux.dell.com.sources.list
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-curl-client-transport1_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-client4_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman1_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-server1_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-sfcc/libcimcclient0_2.2.8-0ubuntu2_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/openwsman_2.6.5-0ubuntu3_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/multiverse/c/cim-schema/cim-schema_2.48.0-0ubuntu1_all.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-sfc-common/libsfcutil0_1.0.1-0ubuntu4_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/multiverse/s/sblim-sfcb/sfcb_1.4.9-0ubuntu5_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-cmpi-devel/libcmpicppimpl0_2.0.3-0ubuntu2_amd64.deb
dpkg -i libwsman-curl-client-transport1_2.6.5-0ubuntu3_amd64.deb
dpkg -i libwsman-client4_2.6.5-0ubuntu3_amd64.deb
dpkg -i libwsman1_2.6.5-0ubuntu3_amd64.deb
dpkg -i libwsman-server1_2.6.5-0ubuntu3_amd64.deb
dpkg -i libcimcclient0_2.2.8-0ubuntu2_amd64.deb
dpkg -i openwsman_2.6.5-0ubuntu3_amd64.deb
dpkg -i cim-schema_2.48.0-0ubuntu1_all.deb
dpkg -i libsfcutil0_1.0.1-0ubuntu4_amd64.deb
dpkg -i sfcb_1.4.9-0ubuntu5_amd64.deb
dpkg -i libcmpicppimpl0_2.0.3-0ubuntu2_amd64.deb
apt update
#apt -y install srvadmin-all
touch /opt/dell/srvadmin/lib64/openmanage/IGNORE_GENERATION
#logout,login, then run
# srvadmin-services.sh enable && srvadmin-services.sh start

12
content/plan.knownelement.com/Systems/Admin-DataCenter/hypervisor/code/prox.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
#Make a proxmox server
rm -f /etc/apt/sources.list.d/*
echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg # optional, if you have a non-default umask
apt update && apt -y full-upgrade
apt-get -y install ifupdown2 ipmitool ethtool net-tools lshw
curl -s http://dl.turnsys.net/newSrv.sh|/bin/bash

17
content/plan.knownelement.com/Systems/Admin-DataCenter/networking/PFV-LAN.md Normal file
View File

@@ -0,0 +1,17 @@
# PFV Local Area Network
- [PFV Local Area Network](#pfv-local-area-network)
- [Introduction](#introduction)
- [Subnets](#subnets)
- [Diagram](#diagram)
- [Security considerations](#security-considerations)
## Introduction
## Subnets
- 10.251.0.0/16 (See phpipam for all the particulars)
## Diagram
## Security considerations

62
content/plan.knownelement.com/Systems/Admin-DataCenter/networking/PFV-WAN.md Normal file
View File

@@ -0,0 +1,62 @@
# PFV WAN
- [PFV WAN](#pfv-wan)
- [Introduction](#introduction)
- [Provider](#provider)
- [IP Allocation](#ip-allocation)
- [Diagram](#diagram)
- [Security considerations](#security-considerations)
- [Availaiblity considerations](#availaiblity-considerations)
## Introduction
The HQ data center provides both corporate network and WAN services. We utilize AT&T Uverse Busienss CLass VDSL service for IP transit.
### Provider
- AT&T Uverse
- Business DSL (fiber overbuild is projected for late 2021)
- 60 down/20 up is what I see in speed tests
## IP Allocation
- Static IP setup : <https://forums.att.com/conversations/att-internet-features/how-do-i-setup-an-att-internet-static-ip/5defee02bad5f2f606ea4054>
```text
Broadband Connection Up
Broadband Network Type Lightspeed
Broadband IPv4 Address 107.140.191.0
Gateway IPv4 Address 107.140.188.1
MAC Address 84:bb:69:e1:b1:e1
Primary DNS 68.94.156.9
Secondary DNS 68.94.157.9
Primary DNS Name
Secondary DNS Name
```
```text
Address: 104.182.29.16 01101000.10110110.00011101.00010 000
Netmask: 255.255.255.248 = 29 11111111.11111111.11111111.11111 000
Wildcard: 0.0.0.7 00000000.00000000.00000000.00000 111
=>
Network: 104.182.29.16/29 01101000.10110110.00011101.00010 000 (Class A)
Broadcast: 104.182.29.23 01101000.10110110.00011101.00010 111
HostMin: 104.182.29.17 01101000.10110110.00011101.00010 001
HostMax: 104.182.29.22 01101000.10110110.00011101.00010 110
Hosts/Net: 6
```
- 104.182.29.16 (network address)
- 104.182.29.17 rtr1
- 104.182.29.18 rtr2
- 104.182.29.19 float
- 104.182.29.20 FNFMail
- 104.182.29.21 WWW testing
- 104.182.29.22 (gateway)
- 104.182.29.23 (broadcast)
## Diagram
## Security considerations
## Availaiblity considerations

23
content/plan.knownelement.com/Systems/Admin-DataCenter/networking/code/fixeth.sh Normal file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
#https://forum.proxmox.com/threads/e1000-driver-hang.58284/
#https://serverfault.com/questions/616485/e1000e-reset-adapter-unexpectedly-detected-hardware-unit-hang
#magic to detect main int
echo "Determining management interface..."
#export MAIN_INT=$(brctl show $(netstat -rn|grep 0.0.0.0|head -n1|awk '{print $NF}') | awk '{print $NF}'|tail -1|awk -F '.' '{print $1}')
export MAIN_INT=$(brctl show|grep vmbr0|awk '{print $NF}'|awk -F '.' '{print $1}')
echo "Management interface is: $MAIN_INT"
#fix the issue
echo "Fixing management interface..."
ethtool -K $MAIN_INT tso off
ethtool -K $MAIN_INT gro off
ethtool -K $MAIN_INT gso off
#https://forum.proxmox.com/threads/e1000-driver-hang.58284/
#https://serverfault.com/questions/616485/e1000e-reset-adapter-unexpectedly-detected-hardware-unit-hang

107
content/plan.knownelement.com/Systems/Admin-DataCenter/power/PFVPower2021Prod.md Normal file
View File

@@ -0,0 +1,107 @@
# TSYS Group - HQ data center documentation - power
- [TSYS Group - HQ data center documentation - power](#tsys-group-hq-data-center-documentation-power)
- [Introduction](#introduction)
- [Circuits](#circuits)
- [Outlets](#outlets)
- [Surge Protectors](#surge-protectors)
- [Extension cords](#extension-cords)
- [UPS units](#ups-units)
- [Prod](#prod)
- [UPS5](#ups5)
- [UPS7](#ups7)
- [R&D](#r-d)
- [UPS1](#ups1)
- [UPS3](#ups3)
- [UPS4](#ups4)
- [UPS6](#ups6)
- [PDU](#pdu)
- [Unmanaged PDUs](#unmanaged-pdus)
- [Managed PDUs](#managed-pdus)
## Introduction
This article covers the electrical power setup for the HQ data center. We've grown it over time, bringing online more and more protected capacity as we got good deals on UPS/batteries etc and have added additional load.
## Circuits
The server room is fed by two 20amp circuits:
* Circuit 8a serving:
* dedicated air conditioner (see our cooling article for details on that)
* vm(1-3) servers
* network equipment
* overhead and led lighting
* Circuit (xx) serving:
* pfv-stor1/stor2 enclosures and drive arrays
* vm(4-6)
(future plan)
* Connect a new outlet to the 20 amp circuit currently serving front porch outlet (which shares a wall with the server room).
* This would provide sustained 15 amps for the RackRental.net rentable inventory.
## Outlets
We have upgraded the standard 15amp outlets that serve the server room, to 20amp outlets. This allows us to run a full 15amps sustained load (on 20amp circuits)
## Surge Protectors
We utilize GE surge protectors , rated for 15amps. They are about $50.00 apiece. These are placed upstream of the UPS units (between the wall outlet and the UPS extension cord).
## Extension cords
We do not have outlets close to the UPS stack. We utilize 15amp rated extension cords (from the surge protectors) to feed the UPS inputs.
## UPS units
### Prod
* UPS2
* Make/Model: Dell UPS Rack 1000W LV
* PDU served:
* UMPDU1
* Protected load:
* pfv-stor1/pfv-stor2 (Dell PowerEdge 2950s)
* backup USB drives and USB hub
* external scratch/backup arrays
* Protected Load Runtime: 12 minutes
### UPS5
* CyberPower UPS (details tbd)
* PDU served:
* UMPDU4
* BenchPDU
* Cameras
* Protected load:
* pfv-vm1/2/3
* pfv-time1
* pfv-labsw*
* pfv-core-ap01
* pfv-coresw-01
* pfv-labsw*
* Protected Load Runtime: 12 minutes
### UPS7
* PDUs served: n/a
* Monitoring server: n/a (un-monitored ups)
* Protected load: locking relay for server room
## R&D
### UPS1
### UPS3
### UPS4
### UPS6
# PDU
### Unmanaged PDUs
### Managed PDUs

95
content/plan.knownelement.com/Systems/Admin-DataCenter/security/PhysicalSecurity.md Normal file
View File

@@ -0,0 +1,95 @@
# TSYS Group - HQ data center documentation - security
- [TSYS Group - HQ data center documentation - security](#tsys-group-hq-data-center-documentation-security)
- [Introduction](#introduction)
- [Badge reader](#badge-reader)
- [Hardware Components](#hardware-components)
- [Software Components](#software-components)
- [Cameras](#cameras)
- [Physical Keys/Badges](#physical-keys-badges)
- [Front Door (physical key)](#front-door-physical-key)
- [Server Room (rfid badge)](#server-room-rfid-badge)
- [Keybox in server room (physical key)](#keybox-in-server-room-physical-key)
- [Gates/Machine Room/Storage](#gates-machine-room-storage)
- [Critical Physical Assets](#critical-physical-assets)
- [server room](#server-room)
- [R&D Shop](#r-d-shop)
- [Amplify Credit Union](#amplify-credit-union)
## Introduction
This article covers the physical security setup for the HQ data center.
## Badge reader
### Hardware Components
- Raspberry Pi 3
- USB relay
- automated door action
- Belkin UPS for the relay
### Software Components
Coming soon
## Cameras
Internal facing
- <http://cam2.pfv.turnsys.net/> (door/rack front cam)
- <http://cam3.pfv.turnsys.net> (rack back cam)
- <http://cam1.pfv.turnsys.net/> (external camera)
## Physical Keys/Badges
### Front Door (physical key)
Charles Wyble
Patti Wyble
Michael Almaraz
### Server Room (rfid badge)
Charles Wyble
Patti Wyble
Michael Almaraz
### Keybox in server room (physical key)
Access to this box means you would have full physical access to all TSYS assets. Access is heavily restricted and granting of access grant requires approval of CEO/CFOO
and Board of Directors.
- Charles Wyble
- Patti Wyble
- Michael Almaraz
### Gates/Machine Room/Storage
- Charles Wyble
- Patti Wyble
- Michael Almaraz
## Critical Physical Assets
### server room
- racks
- air conditioner
- UPS systems
- Digital Information Processing Equipment (servers/drives/network)
- Sentry combination safe (on site cold storage for backup hard drives)
- PKI Safe
- Firebox for important paper records (Patti durable personal/corporate PoA, legal hold records)
- File cabinet (axios customer original contracts)
### R&D Shop
- lab area (tools/prototypes under development etc)
- tool storage and tools
- component storage and components
### Amplify Credit Union
- safety deposit box (off site cold storage for backup hard drives )
- Paper records
- safety deposit box (Patti durable PoA, legal hold records)

12
content/plan.knownelement.com/Systems/Admin-DataCenter/storage/PFVStorage2021.md Normal file
View File

@@ -0,0 +1,12 @@
# TSYS Group Storage
## Enclosures
## Arrays
## Block Storage
## Application Object Storage
## Container Object Storage

50
content/plan.knownelement.com/Systems/Admin-Network/WAN-HQ-routable.md Normal file
View File

@@ -0,0 +1,50 @@
- [WAN Network - HQ - Public Routed Space](#wan-network---hq---public-routed-space)
- [Proxmox/opnsense interface / layer 2 info](#proxmoxopnsense-interface--layer-2-info)
- [AT&T Small business fiber network information](#att-small-business-fiber-network-information)
# WAN Network - HQ - Public Routed Space
## Proxmox/opnsense interface / layer 2 info
net1 5c:74 vmbr1000 wan 5c:74
net17 3a:bc vmbr1000 uversebiz vtnet17 3a:bc
## AT&T Small business fiber network information
- Address: 99.91.198.81 01100011.01011011.11000110.01010 001
- Netmask: 255.255.255.248 = 29 11111111.11111111.11111111.11111 000
- Wildcard: 0.0.0.7 00000000.00000000.00000000.00000 111
- Network: 99.91.198.80/29 01100011.01011011.11000110.01010 000 (Class A)
- Broadcast: 99.91.198.87 01100011.01011011.11000110.01010 111
- HostMin: 99.91.198.81 01100011.01011011.11000110.01010 001
- HostMax: 99.91.198.86 01100011.01011011.11000110.01010 110
- Hosts/Net: 6
- WAN Rtr 1 IP: 99.91.198.81
- WAN Rtr 2 IP: 99.91.198.82
- wireguard vpn, WAN Float, SIP, other services not on 80/443 IP: 99.91.198.83
- Cloudron IP: 99.91.198.84
- Conost IP: 99.91.198.85
- GW IP: 99.91.198.86
```shell
dig @8.8.8.8 -x 99.91.198.81 +short
tsyshq-corertr-01.knownelement.com.
dig @8.8.8.8 -x 99.91.198.82 +short
tsyshq-corertr-02.knownelement.com.
dig @8.8.8.8 -x 99.91.198.83 +short
tsyshq-wanfloat.knownelement.com.
dig @8.8.8.8 -x 99.91.198.84 +short
my.knownelement.com.
dig @8.8.8.8 -x 99.91.198.85 +short
app02.knownelement.com.
```

28
content/plan.knownelement.com/Systems/Admin-Platform/DigitialSecurity.md Normal file
View File

@@ -0,0 +1,28 @@
#IT Security
## Logging
Currently into librenms central store
rsyslog configured to forward
## Monitoring
nedata for high fidelity metrics (push)
librenms for up/down (pull)
## Secrets
### Passwords (user secrets)
bitwarden
### Server secrets
envwarden
#### certs/keys
* Public facing (lets encrypt)
We use HTTP challenge via Opnsense LE/HA Proxy . All public facing certs live in OpnSense.
## IDS/IPS
## RBAC

35
content/plan.knownelement.com/Systems/Admin-Platform/OAM.md Normal file
View File

@@ -0,0 +1,35 @@
# Operations Administration Management Infrastructure at TSYS Group
## Introduction
(following is copied from our systems overview document)
This is the back office IT bits.
* Functions
* librenms (monitoring/alerting/long term metrics)
* netdata (central dashboard)
* upsd (central dashboard)
* rundeck (internal orchestration only)
* sshaudit
* lynis
* crash dump server
* openvas
* etc
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-toolbox|121|vm3|stor2|tier2vm|
### The origin of the name toolbox
I can't take credit for coming up with naming a utility server toolbox. That credit goes to
the Big Gator. Back when we could freely roam, they let us s (when we could s, before I uncovered a massive federal felony and we had to take drastic action to avoid a consent decree...., I digress, this isn't that story (buy the book!)) to toolbox. It had many fun things.
So at every employer since, I've established at least one system called toolbox. It's fitting that my startup have the same , no?
### monitoring/alerting/metrics
### orchestration
### security auditing

261
content/plan.knownelement.com/Systems/Admin-Platform/TSYS-Systems.md Normal file
View File

@@ -0,0 +1,261 @@
# TSYS Systems
This article covers the (high level) systems architecture that supports TSYS/Redwood Group.
Other articles will go more in depth on specific systems. This article provides a general overview.
The architecture was designed to :
* meet the highest levels of information assurance and reliability (at a single site)
* support (up to) Top Secret workloads for R&D (SBIR/OTA) (non production) contract work
(by US Citizens only) being done for the United States Department of Defense/Energy/State
by various components of TSYS Group.
## Virtual Machines: Redundant (mix of active/passive active/active)
We are (with exception of R&D product development (being a hardware/IOT product) 99.9%) virtualized :
Exceptions to virtualized infrastructure:
* raspberry pi providing stratum0 (via hat) and server room badge reader functionality (via usb badge reader and lock relay)
* intermediate CA HSM passed through to a VM on vm3
* UPS units connected to vm3 via usb/serial
Any further exceptions to virtual infra require CEO/board approval and extensive justification.
### Networking
* Functions
* TFTP server
* DHCP server
* HaProxy (443 terminates here)
* Dev/qa/prod Core routing/firewall
* (multi provider) WAN edge routing/firewall
* Static/dynamic routing
* inbound/outbound SMTP handling
* Caching/scanning (via ClamAV)Web proxy
* Suricata IDS/IPS
All the above is provided on an active/passive basis via CARP IP with sub 2ms failover.
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|---|
|pfv-core-rtr01|120|vm1|stor2|tier2vm|
|pfv-core-rtr02|xx|vm3|stor1|s1-wwwdb|
### DNS/NTP (user/server facing)
We do not expose the core domain controllers (dc2/3) directly to users or servers. Everything flows through pihole. We allow DNS (via firewall rules) to ONLY pihole 1,2 no other DNS is allowed. pihole 1,2 is only allowed to realy to the core dc, then the dc are allowed to relay to the internet (8.8.8.8).
This blocks the vast majority of spyware/trackerware/malware/c2c etc (using the pihole blacklists). DNS filtering is the first line of defense against attackers and far less false positives when doing log review.
* Functions
* DNS (with ad filtering) (pihole)
* NTP
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pihole1|101|vm3|stor1|s1-wwwdb|
|pihole2|103|vm1|stor2|tier2vm|
### Database layer
All the data for all the things. Everything is clustered, shared service model.
* Functions
* Mysql (galera)
* Postgresql (patroni)
* ETcd
* MQTT Brok
* Rabbitmq
* Elasticsearch
* Longhorn
* K3s control plane
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|db1|125|vm4|stor1|s1-wwwdb|
|db2|126|vm5|stor2|tier2vm|
|db3|127|vm1|stor2|tier2vm|
### Web/bizops/IT control plane application layer
All the websites for TSYS/Redwood Group live on this infra. It's served up via HAProxy (active/passive on r1/42) in an active/active setup (each node running 50% of workload, capable of 100% for handling node maintenace)
* Functions
* All brand properties
* Data repository (discourse)
* IT Control plane (job clustering/monitoring/alerting/siem etc)
* Business operations (marketing/sales/finance/etc)
* Apache server (for non dockerized applications)
* k3s worker nodes (we are moving all workloads to docker containers with longhorn PVC)
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|www1|123|vm5|stor2|tier2vm|
|www2|124|vm4|stor1|s1-wwwdb|
### Line of business Application layer
* Functions
* Guacamole (serving up rackrental customer workloads, also developer workstations)
* Webmail (for a number of our domains, we don't use Office 365)
* Machines
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|tsys-dc-02|129|vm5|stor2|tier2vm|
|tsys-dc-03|130|vm4|stor1|s1-wwwdb|
## Network Security Monitoring
We will be using security onion in some fashion. Looking into that with OpenVAS/Lynis/Graylog as a SIEM/scanner. More to follow soon. It will be a distributed, highly available setup.
## Virtual Machines: Non Redundant
### VPN
You'll notice VPN missing from the redundant networking list. A few comments on that:
* We employ a zero trust access model for vast majority of systems
* We heavily utilize web interfaces/APIs for just about all systems/functionality and secure acces via 2fa/Univention Corporate Server ("AD") and a zero trust model.
* We do have our R&D systems behind the VPN for direct SSH access (as opposed to through various abstraction layers)
* We utilize WIreguard (via the ansible setup provided by algo trailofbits). We don't have a redundant Wireguard setup, just a single small Ubuntu VM. It's worked incredibly well and the occasional 90 seconds or so of downtime for kernel patching is acceaptable.
* Due to ITAR and other regulations, we utilize a VPN for access control. We may in the future, upon appropriate review and approval, setup haproxy with SSH SNI certifcates to route connections to R&D systems directly.
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-vpn|106|vm3|stor2|tier2vm|
### Physical Surveilance
We can take 90 seconds of downtime for occasional kernel patching and not be processing the surveilance feeds for a bit. Everyone knows that criminals just loop the footage anyway....
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-nvr|104|vm5|stor2|tier2vm|
### Building automation
We can take 90 seconds of downtime for occasional kernel patching and wait to turn on a light or whatever.
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|HomeAssistant|116|vm3|stor2|tier2vm|
### Sipwise
We can take 90 seconds of downtime for occasional kernel patching, and have the phones "stop ringing" for that long.
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|sipwise|105|vm4|stor1|s1-wwwdb|
### Online CA (Intermeidate to offline root)
We can take 90 seconds of downtime for occasional kernel patching.
We serve the CRL and other "always on" SSL related bits via cloudflare ssl toolkit in docker using
the web/app layer over HTTP(S) and it's fully redundant.
This VM is only used occasionally to issue long lived certs or perform needed maintenance.
It could be down for weeks/months without issue.
It's using XCA for administration and talking to the db cluster. It is locked to vm3, because
we pass through a Nitrokey HSM, works wonderully.
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-ca|131|vm3|stor1|s1-wwwdb|
### Operations/administration/management (OAM)
This is the back office IT bits.
* Functions
* librenms (monitoring/alerting/long term metrics)
* netdata (central dashboard)
* upsd (central dashboard)
* rundeck (internal orchestration only)
* sshaudit
* lynis
* crash dump server
* openvas
* etc
|VM Name | VM ID | Vm Host | Storage Enclosure| Storage Array |
|---|---|---|---|--|
|pfv-toolbox|121|vm3|stor2|tier2vm|
## Storage Infrastructure
* We keep it very simple and utilize TrueNAS Core on Dell PowerEdge 2950 with 32gb ram.
* We run zero plugins.
* We have a variety of pools setup and served out over NFS to the 10.251.30.0/24 network
* No samba, just NFS
* Utilize built in snapshots/replication for retention/backup
## Virtualization Infrastructure
* We keep it very simple and utilize Proxmox on a mix of :
* Dell Optiplex (i3/i7) (all with 32gb ram)
* Dell PowerEdge (dual socket, quad core xeon) (all with 32gb ram)
* Dell Precision system (i7) (16gb ram) (with nvida quadaro card passed through to kvm guest (either windows 10 or Ubuntu Server 20.04 depending on what we need todo)
* We run the nodes with single power supply and single OS drive.
Vm node failure is expected (we keep the likelihood low with use of thumb drives with syslog set to
only log to the virtualized logging infra), and we handle the downtime via the redundancy we
outlined above (by using virtual machines spread across hypervisors / arrays / enclosures ) and redundancy happens
at the application level).
Restoring a vritual server node would take maybe 30 minutes
(plug a new thumb drive, re-install, join cluster).
In the meantime the vm has auto migrated to another node using proxmox HA functionality (if it's an SPOF VM).
## Overall system move to production status
| Hostname | OSSEC | Rundeck | Netdata | librenms mon | librenms log | DNS | (x)DP | NTP | Slack | Lyris | SCAP | Auditd | OpenVAS | oxidized |
| -------------- | ----- | ------- | ------- | ------------ | ------------ | --- | ----- | --- | ----- | ----- | ---- | ------ | ------- | -------- |
| Pfv-vmsrv-01 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-vmsrv-02 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-vmsrv-03 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-vmsrv-04 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-vmsrv-06 | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | N/A |
| Pfv-time1 | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| Pfv-stor1 | N/A | N/A | N/A | Y | | Y | Y | x | | | N/A | N/A | | N/A |
| Pfv-stor2 | N/A | N/A | N/A | Y | | Y | Y | x | | | N/A | N/A | | N/A |
| Pfv-consrv01 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | N/A | N/A | | N/A |
| Pfv-core-sw01 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | N/A | N/A | | |
| Pfv-core-ap01 | N/A | N/A | N/A | Y | N/A | Y | Y | x | | | N/A | N/A | | |
| Pfv-lab-sw01 | N/A | N/A | N/A | Y | | Y | Y | x | | | | | | |
| Pfv-lab-sw02 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | | | | |
| Pfv-lab-sw03 | N/A | N/A | N/A | Y | | Y | Y | x | | | | | | |
| Pfv-lab-sw04 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | | | | |
| 3dpsrv | Y | Y | Y | Y | Y | Y | N/A | Y | | | | | | N/A |
| Pfv-core-rtr01 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | N/A | N/A | | |
| Pfv-core-rtr02 | N/A | N/A | N/A | Y | Y | Y | Y | x | | | N/A | N/A | | |
| tsys-dc-01 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| tsys-dc-02 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| tsys-dc-03 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| Tsys-dc-04 | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| pihole1 | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| pihole2 | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| pfv-toolbox | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| ca | Y | Y | Y | Y | Y | Y | Y | | | | | | | N/A |
| www1 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| www2 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| www3 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| db1 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| db2 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |
| db3 | Y | Y | Y | Y | Y | Y | Y | | | | | | | |

440
content/plan.knownelement.com/Systems/Admin-RandD/EngWorkstationBuildGuide.md Normal file
View File

@@ -0,0 +1,440 @@
# TSYS Group - IT Documentation - R&D - Workstation Build Guide
- [TSYS Group - IT Documentation - R&D - Workstation Build Guide](#tsys-group---it-documentation---rd---workstation-build-guide)
- [Introduction](#introduction)
- [Workstation details - RPI4 8Gb](#workstation-details---rpi4-8gb)
- [Out of box tweaks and basic setup](#out-of-box-tweaks-and-basic-setup)
- [Software Packages To Install](#software-packages-to-install)
- [magic mouse 2 driver](#magic-mouse-2-driver)
- [Nodejs](#nodejs)
- [Rust](#rust)
- [go](#go)
- [mdbook](#mdbook)
- [Recoll (local search)](#recoll-local-search)
- [Bitwarden CLI](#bitwarden-cli)
- [Krita](#krita)
- [Backslide](#backslide)
- [Docker](#docker)
- [RedNotebook (install from source, it just runs in place)](#rednotebook-install-from-source-it-just-runs-in-place)
- [OpenWebRx](#openwebrx)
- [csv2md](#csv2md)
- [helm](#helm)
- [kubectl / k3s](#kubectl--k3s)
- [docker](#docker-1)
- [docker-compose](#docker-compose)
- [metasploit](#metasploit)
- [scap workbench](#scap-workbench)
- [Bitscope](#bitscope)
- [docker based dev environment/pipeline](#docker-based-dev-environmentpipeline)
- [Mainline repo packages](#mainline-repo-packages)
- [Configuration Tweaks](#configuration-tweaks)
- [chrome setup](#chrome-setup)
- [passwords/bitwarden](#passwordsbitwarden)
- [web apps](#web-apps)
- [zsh](#zsh)
- [konsole setup](#konsole-setup)
- [xfce tweaks](#xfce-tweaks)
- [VsCode](#vscode)
- [CTO Stuff](#cto-stuff)
- [Upstream vendor software to checkout](#upstream-vendor-software-to-checkout)
- [Projects](#projects)
- [Special considerations for upstream](#special-considerations-for-upstream)
- [Workstation details - x86-64 vm](#workstation-details---x86-64-vm)
- [Workstation details - iPAD](#workstation-details---ipad)
- [Remaining projects](#remaining-projects)
- [SSH / GPT private key HSM](#ssh--gpt-private-key-hsm)
- [TurboVNC (3d accelerated) on rpi as client](#turbovnc-3d-accelerated-on-rpi-as-client)
- [Select an Investigative notebook](#select-an-investigative-notebook)
- [Research source material organization](#research-source-material-organization)
- [activitywatch](#activitywatch)
- [Get photo processing workflow setup](#get-photo-processing-workflow-setup)
- [switch mail from (just) thunderbird to thunderbird/(neo)mutt/notmuch/task warrior](#switch-mail-from-just-thunderbird-to-thunderbirdneomuttnotmuchtask-warrior)
## Introduction
In 01/2021 , Charles purchased a Raspberry Pi 4 as his daily driver with the intent of evaluating it for use as the standard issue equipment for TSYS personnel. This document is the results of his
experiments with it from 01/2021 to (as of time of writing) August 1st 2021.
Charles is the founder, CEO and acting CTO of TSYS Group. In his role, he does everything from business ops, to system administration to software/hardware engineering tasks. As such he was best
positioned to evaluate the rPI for all workloads.
The RPi4 has been approved as one of the standard/supported workstation for TSYS personnel across all teams/products.
The software mentioned in this document is a long list, reflecting the myriad of tasks/projects Charles may engage with on a daily basis. Most likely, you'll only need a subset of these tools,
don't despair! Feel free to install all of them or a subset as you wish based on your mission objectives.
We hope this document is useful to everyone at TSYS who wants to maximize their productivity. TSYS fully supports Debian/Ubuntu GNU Linux for workstation use, both on rPI4 and x86 virtual/physical
systems.
We do occasionally test Mac OSX and Windows 10, but they aren't officially supported.
Our experiments and daily use show that 85% or more of TSYS daily driver/workstation use (email/coding/research/browsing/document creation/discord/media editing/etc) can be done on an rPI4.
The few gaps can be done via an RDP session to an x86 system for the few things that have x86 dependencies or need 64bit os (64bit on pi isn't yet fully ready in our opinion as of August 2021).
## Charles Workstation details - RPI4 8Gb
- Operating System: RaspberryPi Os
- Hardware:
- Raspberry Pi 4 with 8gb RAM
- Accessories :
- Case : Argone One case <https://www.argon40.com/argon-one-m-2-case-for-raspberry-pi-4.html>
- Monitors: Dual Dell 24" monitors (IPS) <https://www.dell.com/support/home/en-us/product-support/product/dell-st2421l/overview>0
- Chair: Ikea MARKUS Office Chair: <https://www.ikea.com/us/en/p/markus-office-chair-vissle-dark-gray-90289172/>
- Keyboard: Matias Backlight Keyboard <https://www.matias.ca/aluminum/backlit/>
- Mouse: Apple Magic Mouse 2 Black
- Tablet: iPad Mini 5th Gen (see iPAD section for more)
- Headphones: JBL Over Ear (<https://www.jbl.com.au/TUNE750BTNC.html>)
- Tp-link 7 port USB 3.0 Powered Hub (for plugging in thumb drives, data acquisition devices / other random usb bits) <https://www.tp-link.com/us/home-networking/usb-hub/uh700/>
- IOGear card reader <https://www.iogear.com/product/GFR281/>
- Security Dongle: Yubikey 4 OTP+U2F+CCID
### Out of box tweaks and basic setup
1) Put Rasberry Pi 4 into Argone One Case (running it without case will cause it to overheat quickly)
2) Flash latest stable Raspbian 32bit to SD card and boot pi
3) connect usb keyboard and mouse
4) Run through first boot setup wizard
5) Setup pin+yubi long string for password for the pi user
6) Connect to wifi
5) Pair and trust Matias Backlight Keyboard
6) Pair and trust Apple Magic Mouse
7) fix date/time via ntpdate (ntpdate 10.251.37.5)
8) apt-get update ; apt-get -y full-upgrade
9) add vi mode to /etc/profile (heathens by default!)
10) clone dotfiles repo
11) enable i2c access via raspi-config
12) setup fan daemon <https://gitlab.com/DarkElvenAngel/argononed.git>
13) setup virtual desktops
- Desktop 1: Browsing/Editing/Shell (chrome / VsCode / Konsole / Remmina )
- Desktop 2: Comms (discourse/discord/irc etc/thunderbird/mutt)
- Desktop 3: Long Running: (calibre/recol/etc)
14) (coming soon) run curl htp://dl.turnsys.net/buildFullWorkstation.sh
### Software Packages To Install
#### magic mouse 2 driver
https://github.com/rohitpid/Linux-Magic-Trackpad-2-Driver
#### Nodejs
```console
curl -sL https://deb.nodesource.com/setup_15.x | sudo -E bash -
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sud apt-get -y install nodejs
sudo apt-get update && sudo apt-get install yarn
```
#### Rust
```console
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```
#### go
<https://pimylifeup.com/raspberry-pi-golang/>
#### mdbook
```console
cargo install mdbook
```
#### Recoll (local search)
```console
cat recoll-rbuster.list
deb [signed-by=/usr/share/keyrings/lesbonscomptes.gpg] http://www.lesbonscomptes.com/recoll/raspbian/ buster main
deb-src [signed-by=/usr/share/keyrings/lesbonscomptes.gpg] http://www.lesbonscomptes.com/recoll/raspbian/ buster main
```
#### Bitwarden CLI
```console
sudo npm install -g @bitwarden/cli
```
#### Krita
```console
sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
sudo flatpak -y install flathub org.kde.krita
```
#### Backslide
```console
sudo npm install -g backslide
sudo npm i -g decktape
sudo add chrome-aws-lambda
```
#### RedNotebook (install from source, it just runs in place)
<https://rednotebook.sourceforge.io/downloads.html>
<https://www.linuxlinks.com/raspberry-pi-4-chronicling-desktop-experience-dear-diary/>
#### OpenWebRx
on pi:
wget -O - <https://repo.openwebrx.de/debian/key.gpg.txt> | apt-key add
echo "deb <https://repo.openwebrx.de/debian/> buster main" > /etc/apt/sources.list.d/openwebrx.list
apt-get update
apt-get install openwebrx
or (on x86)
wget -O - https://repo.openwebrx.de/debian/key.gpg.txt | apt-key add
echo "deb https://repo.openwebrx.de/ubuntu/ hirsute main" > /etc/apt/sources.list.d/openwebrx.list
apt-get update
apt-get install openwebrx
#### csv2md
```console
npm install -g csv2md
```
#### metasploit
```console
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
sudo gem install wirble sqlite3 bundler nokogiri bundle
bundle install
```
#### scap workbench
Follow the readme
#### Bitscope
on pi
```console
wget http://bitscope.com/download/files/bitscope-dso_2.8.FE22H_armhf.deb
wget http://bitscope.com/download/files/bitscope-logic_1.2.FC20C_armhf.deb
wget http://bitscope.com/download/files/bitscope-meter_2.0.FK22G_armhf.deb
wget http://bitscope.com/download/files/bitscope-chart_2.0.FK22M_armhf.deb
wget http://bitscope.com/download/files/bitscope-proto_0.9.FG13B_armhf.deb
wget http://bitscope.com/download/files/bitscope-console_1.0.FK29A_armhf.deb
wget http://bitscope.com/download/files/bitscope-display_1.0.EC17A_armhf.deb
wget http://bitscope.com/download/files/bitscope-server_1.0.FK26A_armhf.deb
sudo dpkg -i *.deb
sudo apt-get -y -f install
```
on x86
TBD
#### docker based dev environment/pipeline
##### docker
```console
curl -sSL https://get.docker.com | sh
```
##### helm
```console
sudo snap install helm --classic
```
##### kubectl / k3s
```console
curl -sfL https://get.k3s.io | sh -
```
##### docker-compose
##### Todo
- local k0s (for gitops testing)
- (container) local docker reg
- (container) local jenkins
- (container) local all the apps for developing
#### Mainline repo packages
```console
apt-get -y install \
kicad librecad freecad gimp blender shellcheck jq net-tools\
ruby-full offlineimap zsh vim thunderbird enigmail highlight\
kleopatra zsh-autosuggestions zsh-syntax-highlighting screen \
mtr cifs-utils grass cubicsdr arduino jupyter-notebook \
dia basket vym code wings3d flatpak wireguard gnuplot \
pandoc python3-blockdiag texlive-fonts-extra clang \
spice-client-gtk spice-html5 virt-viewer gnome-system-monitor \
glances htop dstat apt-file kleopatra konsole telnet clang \
ripgrep recoll poppler-utils abiword wv antiword unrtf \
libimage-exiftool-perl xsltproc davmail kphotoalbum opensc \
yubikey-manager yubikey-personalization yubikey-personalization-gui \
openshot kdenlive pitivi inkscape scribus scdaemon seafile-gui qgis \
octave nodejs libreoffice calligra netbeans sigrok \
nodejs audacity wireshark nmap tcpdump ndiff etherape ghostscript \
lepton-eda ngspice graphicsmagick codeblocks scilab calibre paraview \
gnuradio build-essential libimobiledevice-utils libimobiledevice-dev \
libgpod-dev python3-numpy python3-pandas python3-matplotlib \
curl git make binutils bison gcc build-essential openjdk-11-jre-headless \
debootstrap cutecom minicom ser2net conman xsane gocr tesseract-ocr \
fonts-powerline build-essential zlib1g zlib1g-dev libxml2 libxml2-dev \
libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev \
libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql \
postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev ruby-dev \
openvas git-core postgresql curl nmap gem libsqlite3-dev cmake ninja-build libopenscap-dev \
qt5-default libqt5widgets5 libqt5widgets5 libqwt-headers libqt5xmlpatterns5-dev asciidoc \
lmms virt-manager gqrx-sdr multimon-ng rtl-sdr fldigi grads cdo xygrib xygrib-maps evince \
openwebrx xscreensaver blueman bluetooth pulseaudio-module-bluetooth blueman texlive-fonts-extra \
texlive-fonts-recommended
```
### Configuration Tweaks
#### zsh
- Use oh-my-zsh
- Use powerlevel10k
#### konsole setup
- settings -> edit current profile ->
- apperance (set to dark pastels)
- font (set to noto mono)
- mouse
- copy/paste
- copy on select
- paste from clipboard (default is paste from selection)
- un-set copy text as html
- settings - configure shortcuts
- next tab ctrl+tab
- previous ctrl+shift+tab
#### xfce tweaks
- Set focus follows mouse (settings/window manager/focus)
- (dark mode)? (only works for gtk apps)
- need to set other apps individually to dark mode
#### VsCode
fenix appears to include it in the default image, but it doesn't launch from the menu and shell says code not found. Search for code and it will pull up an entry with VsCode logo labeled as Text Editor. Use that.
to see how I set it up VsCode for a myriad of tasks, see the VsCode guide for tsys at:
<https://git.turnsys.com/TSGTechops/docs-techops/src/branch/master/src/Systems/Admin-RandD/TSYS-DevEnv-VsCode.md>
### CTO Stuff
#### mbed studio
#### eclipse
#### android studio
#### dbeaver
#### postman
#### sweethome3d
#### ghidra
#### Upstream vendor software to checkout
This is a massive work in progress , is mostly for Charles own notes only, really only applicable for large upstream packages that TSYS needs to support
long term/sync regularly with upstream, or part of a broader protfolio initiative etc.
Unless you have been specfically directed todo so in your roject readme, you don't need todo the below. In almost all cases , the work below is abstracted
for/from you into our artifact repository and build process.
##### Projects
- openwrt
- openmct
- raspi kernel
- FreeRTOS
- freedombox
- serval
- genode
- balena
##### Special considerations for upstream
## Workstation details - iPAD
- Operating System: iPAD OS
- Hardware: iPAD Mini 5th Generation
- Accessories:
- Lightining to USB3
- Lightining to HDMI
- I use same KB/Mouse that I do with the rPI
- Key Applications
- Working Copy
- Buffer Text Editor
- Blink.sh
- Jump remote Desktop
- GitJournal
- Microsoft Todo
- Neat
- Discourse
- FreeScout
- ErpNext
### Remaining projects
These items remain todo and document. They are listed in decreasing order of importance.
#### SSH / GPT private key HSM
- kleopatra
- yubikey ssh key
- yubikey gpg key
(not strictly related but in same family)
- xca (build from source)
#### TurboVNC (3d accelerated) on rpi as client
#### Select an Investigative notebook
- <https://github.com/kpcyrd/sn0int>
- <https://www.spiderfoot.net/>
- <https://github.com/smicallef/spiderfoot?ref=d>
- modelio <https://www.modelio.org/>
- <https://gephi.org/>
#### Research source material organization
- zotero
- docear <https://opensource.com/life/16/8/organize-your-scholarly-research-docear>
#### activitywatch
Effortless self instrumentation. Performed initial attempts/exploration. It builds (I think)
#### Get photo processing workflow setup
- currently exploring kphotoablbum
- Browser based Sharing / browsing via Photoprism (or perhaps piwgio ultimately, with photoprism as part of a processing work flow)?
- need something to sync to "cloud" with auto capture from phone
- reference material:
- <https://photoprism.app/>
- <https://kn100.me/declouding-replacing-google-photos-part-1/>
- <https://willem.com/blog/2020-08-31_free-from-the-icloud-escaping-apple-photos/>
#### switch mail from (just) thunderbird to thunderbird/(neo)mutt/notmuch/task warrior
This has been an ongoing on-again/off-again adventure....

302
content/plan.knownelement.com/Systems/Admin-RandD/VsCodeConfigGuide.md Normal file
View File

@@ -0,0 +1,302 @@
# TSYS Group - Engineering Documentation - Visual Studio Code Environment Setup Guide
- [TSYS Group - Engineering Documentation - Visual Studio Code Environment Setup Guide](#tsys-group---engineering-documentation---visual-studio-code-environment-setup-guide)
- [Introduction](#introduction)
- [Environmental considerations/assumptions](#environmental-considerationsassumptions)
- [External Software Programs/Services Used](#external-software-programsservices-used)
- [Short version](#short-version)
- [Requirements and dependencies](#requirements-and-dependencies)
- [Languages Used](#languages-used)
- [Deployment Targets](#deployment-targets)
- [General setup](#general-setup)
- [Plugins - Team-*](#plugins---team-)
- [General Tooling](#general-tooling)
- [Docker / k8s](#docker--k8s)
- [Git](#git)
- [(Cross) Compile / (Remote) Debug / (Remote) development](#cross-compile--remote-debug--remote-development)
- [Markdown (and documentation in )](#markdown-and-documentation-in-)
- [Data](#data)
- [Bash](#bash)
- [Plugins - Team-SWEng](#plugins---team-sweng)
- [API (rest) development](#api-rest-development)
- [Web App development](#web-app-development)
- [YAML](#yaml)
- [Rust](#rust)
- [C/C++](#cc)
- [Arduino/Seeduino](#arduinoseeduino)
- [CUDA](#cuda)
- [Java](#java)
- [PHP](#php)
- [Python](#python)
- [Plugins - Team-MechEng](#plugins---team-mecheng)
- [Octave](#octave)
- [R](#r)
- [Jupyter](#jupyter)
- [STL](#stl)
- [G-code](#g-code)
- [Gerber](#gerber)
## Introduction
This is the TSYS Visual Studio Code setup guide. It covers how to setup VsCode for all aspects of TSSY Group.
We have a very complex total stack, but don't despair, you will only need a small subset of this.
Which subset of course depends on what part of the TSYS mission you are supporting!
### Environmental considerations/assumptions
- Charles setup is the most comprehensive, as he is the co-founder and (as of Q3 2021) (acting) CTO and needs to develop for all pieces of the stack/products.
- Do not just blindly follow this guide! Pick the pieces you need for your work. If you have any questions, ask in Discord or post to Discourse.
- Working against a remote server/container/k8s cluster over SSH via VsCode Remote
- VsCode Remote Dev is heavily utilized (almost if not exclusively)
- Source code resides in home directory on the server farm, but is edited "locally" on your workstation with VsCode (Remote)
- Using TSYS self hosted Gitea git instance
- Using TSYS self hosted Jenkins CI
- docker/kubectl commands are present and configured to run against the cluster (and you are connected to the VPN)
- Developing in Windows 10/Mac OSX/Linux with a GUI environment running native VsCode (CNW daily driver is a raspberry pi 4 with 8gb ram to help ensure lowest common denominator support/good performance)
- Using Chrome web browser (firefox/safari may work, but are not supported at all)
- Developing primarily at the "git push, magic happens" abstraction layer
- Need to occasionally inspect/debug the magic at various stages of the pipeline
- Need to frequently debug running code on a variety of targets (pi/arduino etc)
- All text documentation is written in Markdown and is posted to Git/Discourse as Markdown
- (tbd soon, actively experimenting)
- All diagrams are created via text language
- All diagrams are produced using
- (blockdiag?
- uml?
- markdown extensions?
- all (or some mix) of the above?
- what extension(s)to use?)
### External Software Programs/Services Used
You'll need to setup some external tools and services to support the TSYS mission (in addition to VsCode).
Setup of external tools/services is outside the scope of this document. For guidance on tool/service selection and setup, please see the following links:
- <https://git.turnsys.com/TSGTechops/docs-techops/src/branch/master/src/Systems/Admin-Application/AppsAndServices.md>
- <https://git.turnsys.com/TSGTechops/docs-techops/src/branch/master/src/Systems/Admin-RandD/EngineeringWorkstatioNBuildBuide.md>
Once you've setup your needed external tools and services , return to this document and continue with setup of VsCode as needed to work with the tooling you installed.
### Short version
very soon (june 2021) you'll have two options for EZ stack deployment for your product development environment :
1) docker pull TSYSVSC and use with <https://code.visualstudio.com/docs/remote/containers>
2) Login to <https://desktop.turnsys.com> and get a full engineering stack for whatever product you are working on.
Read on to understand the pieces and particulars in case you want to build your own setup.
## Requirements and dependencies
Here is the tool and language requirements of all the TSYS engineering projects/programs/products.
### Languages Used
| Language | Used By | Product Scope |
|----------------------------------|--------------|------------------------------------|
| bash | TSYS wide | All |
| c/c++ | Team-SwEng | MorseFlyer |
| CUDA | Team MechEng | MorseFlyer (envelope/airframe) |
| dockerfile/docker compose | TSYS wide | All |
| geo spatial data | Team SwEng | MorseFlyer (avionics) |
| Gerber | Team HwEng | MorseSkynet, MorseFlyer (avionics) |
| Go | Team-SwEng | HFNOC/HFNFC/RackRental |
| helm charts | TSYS wide | All |
| Java | Team SwEng | MorseTrackerHUD,MorseTracker |
| javascript | Team SwEng | MorseTrackerHUD |
| Markdown | TSYS wide | All |
| octave | Team MechEng | MorseFlyer (envelope/airframe) |
| OpenFAAS | Team-SwEng | RackRental.net |
| PHP | TEam-SwEng | RackRental.net , HFNOC/HFNFC |
| python (Jupyter and stand alone) | Team MechEng | MorseFlyer (envelope/airframe) |
| R | Team MechEng | MorseFlyer (envelope/airframe) |
| Ruby | Team-SwEng | All (as part of SDLC testing) |
| Rust | Team-SwEng | HFNOC/HFNFC/RackRental |
| tcl/tk | Team HwEng | MorseSkynet |
| Xilinx | Team HwEng | MorseSkynet |
| YAML | TSYS wide | All |
### Deployment Targets
| Target | Used By | Product Scope |
|-----------------------------------------------------|-------------|------------------------------------|
| Arduino (cross compiled) | Team-SwEng | MorseFlyer (Avionics) |
| FreeRTOS (cross compiled) | Team-SwEng | MorseFlyer (Avionics) |
| Jenkins build pipelines | All teams | All |
| OpenMCT farm (java/micro services) | Team-SwEng | MorseTracker/MorseTrackerHUD |
| Raspberry Pi (cross compiled) | Team-SwEng | MorseFlyer (Avionics) |
| Subo pi farm (multi arch) Docker / k3s (and balena) | Team-SwEng | MorseFlyer (Avionics), MorseSkynet |
| TSYS K3S sandbox/dev/prod clusters | All teams | All |
| TSYS Web Farm (lots of PHP (wordpress etc)) | Team-WebEng | RackRental.net, HFNOC, HFNFC |
## General setup
These are steps you need to take before starting development in earnest.
Linux (or at least a mostly linux (WSL/mobaxterm)) environment is presumed for all the below.
You may well find GUI replacements and use them, especially on Windows/MACOSX. They are not supported in any way.
- Setup gitea
- Login once to <https://git.turnsys.com> so you can be added to the appropriate repos/teams/orgs.
- Customize any profile etc settings that you wish.
- Obtain API key to use with gitea-issues plugin
- Setup SSH
- Setup SSH key
- Add SSH public key to gitea
- Setup git
- For all git users:
- $ git config --global user.name "John Doe"
- $ git config --global user.email johndoe@example.com
- Setup git lg : git config --global alias.lg "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit"
- for zsh users (and you really should use zsh/oh-my-zsh :)
- git config --add oh-my-zsh.hide-status 1
- git config --add oh-my-zsh.hide-dirty 1
## Plugins - Team-*
The plugins documented here are known to work, and are in active/frequent use by Charles as CTO as he hacks on the stack.
Other options exist for almost all the below. If you find something that works better for you, use it!
Consider the below as a suggested/supported baseline.
### General Tooling
- Code Spell Checker <https://marketplace.visualstudio.com/items?itemName=streetsidesoftware.code-spell-checker>
- Vim <https://marketplace.visualstudio.com/items?itemName=vscodevim.vim>
### Docker / k8s
- Docker:
- <https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-docker>
- <https://code.visualstudio.com/docs/containers/overview>
- Bridge to K8s <https://marketplace.visualstudio.com/items?itemName=mindaro.mindaro> <https://code.visualstudio.com/docs/containers/bridge-to-kubernetes>
### Git
- Git Extension Pack <https://marketplace.visualstudio.com/items?itemName=donjayamanne.git-extension-pack>
- Git Tree Compare <https://marketplace.visualstudio.com/items?itemName=letmaik.git-tree-compare>
- Git Tags <https://marketplace.visualstudio.com/items?itemName=howardzuo.vscode-git-tags>
- Gitea-VsCode <https://marketplace.visualstudio.com/items?itemName=ijustdev.gitea-vscode>
### (Cross) Compile / (Remote) Debug / (Remote) development
This section is a work in progress. Below is the current guides/plugins that are being tested. Roughly in decreasing order of confirmed stability/active usage.
YMMV, DD , Buyer Beware etc etc etc.
- <https://code.visualstudio.com/docs/remote/remote-overview>
- <https://code.visualstudio.com/docs/remote/ssh>
- <https://dimamoroz.com/2021/03/09/intel-nuc-for-development/>
- <https://github.com/Ed-Yang/rpidebug>
- <https://enes-ozturk.medium.com/remote-debugging-with-gdb-b4b0ca45b8c1>
- <https://enes-ozturk.medium.com/cross-compiling-with-cmake-and-vscode-9ca4976fdd1>
- <https://gist.github.com/aakashpk/e90d4651b074248b4823f6d2dc3373a0>
- <https://marketplace.visualstudio.com/items?itemName=webfreak.debug>
- <https://code.visualstudio.com/docs/cpp/config-linux>
### Markdown (and documentation in )
- Markdown All in One <https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-oneoo>
- Markdown Preview Enhanced <https://marketplace.visualstudio.com/items?itemName=shd101wyy.markdown-preview-enhanced>
- markdownlint <https://marketplace.visualstudio.com/items?itemName=DavidAnson.vscode-markdownlint>
- Excel to markdown table <https://marketplace.visualstudio.com/items?itemName=csholmq.excel-to-markdown-table>
- MdTableEditor < <https://marketplace.visualstudio.com/items?itemName=clover.md-table-editor>>
- Markdown Table Formatter https://marketplace.visualstudio.com/items?itemName=fcrespo82.markdown-table-formatter
- Gitdoc <https://marketplace.visualstudio.com/items?itemName=vsls-contrib.gitdoc>
- Draw.io integration <https://marketplace.visualstudio.com/items?itemName=hediet.vscode-drawio>
- PlantUML
- <https://marketplace.visualstudio.com/items?itemName=jebbs.plantuml>
- <https://www.freecodecamp.org/news/inserting-uml-in-markdown-using-vscode/>
- Latex Workshop <https://marketplace.visualstudio.com/items?itemName=James-Yu.latex-workshop>
### Data
- <https://marketplace.visualstudio.com/items?itemName=mtxr.sqltools>
- <https://marketplace.visualstudio.com/items?itemName=RandomFractalsInc.vscode-data-preview>
- <https://marketplace.visualstudio.com/items?itemName=RandomFractalsInc.geo-data-viewer>
- <https://marketplace.visualstudio.com/items?itemName=mechatroner.rainbow-csv>
### Bash
- <https://marketplace.visualstudio.com/items?itemName=mads-hartmann.bash-ide-vscode>
## Plugins - Team-SWEng
### API (rest) development
- <https://marketplace.visualstudio.com/items?itemName=humao.rest-client>
### Web App development
- <https://marketplace.visualstudio.com/items?itemName=iceworks-team.iceworks>
### YAML
- <https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml>
### Rust
- <https://marketplace.visualstudio.com/items?itemName=rust-lang.rust>
### C/C++
- <https://ludwiguer.medium.com/configure-visual-studio-code-to-compile-and-run-c-c-3cef24b4f690>
- <https://marketplace.visualstudio.com/items?itemName=ms-vscode.cpptools-extension-pack0>
- <https://marketplace.visualstudio.com/items?itemName=formulahendry.code-runner>
#### Arduino/Seeduino
-_<https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.vscode-arduino>
#### CUDA
TBD. Pull requests welcome.
### Java
- <https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-java-pack>
### PHP
- <https://github.com/cytopia/devilbox/blob/50ab236ea9780e6c3ba35d357a451d48aba9a5d2/docs/intermediate/configure-php-xdebug/linux/vscode.rst>
### Python
- <https://marketplace.visualstudio.com/items?itemName=ms-python.python>
## Plugins - Team-MechEng
### Octave
TBD. Pull requests welcome.
### R
TBD. Pull requests welcome.
### Jupyter
- <https://marketplace.visualstudio.com/items?itemName=ms-toolsai.jupyter>
### STL
- <https://marketplace.visualstudio.com/items?itemName=xdan.stlint-vscode-plugin>
- <https://marketplace.visualstudio.com/items?itemName=md2perpe.vscode-3dviewer>
- <https://marketplace.visualstudio.com/items?itemName=slevesque.vscode-3dviewer>
### G-code
TBD. Pull requests welcome.
### Gerber
TBD. Pull requests welcome.

1
content/plan.knownelement.com/Systems/TSYS-Systems.md Normal file
View File

@@ -0,0 +1 @@
# TSYS Systems Overview

38
content/plan.knownelement.com/Systems/code/ListAllSystems.sh Normal file
View File

@@ -0,0 +1,38 @@
host buildbox
host ca
host canonmfc
host db1
host db2
host db2
host nvr
host pfv-consrv01
host pfv-core-ap01
host pfv-core-rtr01
host pfv-core-sw01
host pfv-lab-sw01
host pfv-lab-sw02
host pfv-lab-sw03
host pfv-stor1
host pfv-stor1-oob
host pfv-stor2
host pfv-stor2-oob
host pfv-time1
host pfv-toolbox
host pfv-vmsrv-01
host pfv-vmsrv-02
host pfv-vmsrv-03
host pfv-vmsrv-04
host pfv-vmsrv-06
host pihole1
host pihole2
host sipwise
host subodev
host suboqa
host suboprod
host tsys-dc-01
host tsys-dc-02
host tsys-dc-03
host tsys-dc-04
host www1
host www2
host 3dpsrv

27
content/plan.knownelement.com/ThingsToDocument.md Normal file
View File

@@ -0,0 +1,27 @@
- [Things to document](#things-to-document)
- [System Admin](#system-admin)
- [Facilities](#facilities)
- [Network](#network)
- [Hypervisor](#hypervisor)
- [Storage](#storage)
- [Authentication](#authentication)
- [SRE](#sre)
# Things to document
## System Admin
### Facilities
### Network
VPN user addition to algo (opnsense soon)
### Hypervisor
### Storage
### Authentication
## SRE

7
content/plan.knownelement.com/dev.sh Normal file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
mdbook \
serve \
. \
-p 3001 \
-d book \

22
content/plan.knownelement.com/pages/01.home/default.md Normal file
View File

@@ -0,0 +1,22 @@
---
title: 'Known Element Enterprises (KNEL) - Business/Product/Operations Plan - Introduction
'
menu: 'Known Element Enterprises (KNEL) - Business/Product/Operations Plan - Introduction
'
---
# Known Element Enterprises (KNEL) - Business/Product/Operations Plan - Introduction
## Executive Summary of Known Element Enterprises
Known Element Enterprises (KNEL) is the management company of Turnkey Network Systems LLC (established when the operating agreement of Turnkey Network Systems LLC was adopted).
It handles the operation/administration/maintenance etc of all TSYS Group IT/business systems.
KNEL is the domain of the TSYS Group Chief Operations Officer, supported by Turnkey Network Systems LLC AI and human staff and officers.
## Reduction to practice
- [GIT Organization](https://git.knownelement.com/KNEL)
- [IT Discourse Category](https://community.turnsys.com/c/chiefoperationsandfinanceofficer/vptechnicaloperations/20)
- [IT Projects](https://projects.knownelement.com/projects/technicaloperations)

20
content/plan.knownelement.com/pages/02.internal-price-book/default.md Normal file
View File

@@ -0,0 +1,20 @@
---
title: 'KNEL — Internal Price Book (Draft)'
menu: 'KNEL — Internal Price Book (Draft)'
---
# KNEL — Internal Price Book (Draft)
Intent
- Nominal, simple rates; accountability over precision; revisit after CPA review and revenue.
Model (proposed)
- Base infra absorbed by KNEL initially; perLLC flat recharge starts only when revenue is material (TBD).
SKUs (initial)
- CLD-APP-SLOT — Cloudron app slot (per deployed app)
- OIDC-IDP — OIDC identity provider (per LLC)
- GIT-ORG — Gitea organization
- MAT-PROP — Matomo property (site ID)
- DOC-SEAT — Documenso seats (bundle)
- RED-PROJ — Redmine project (per LLC)

20
content/plan.knownelement.com/pages/03.questions/default.md Normal file
View File

@@ -0,0 +1,20 @@
---
title: 'KNEL — Shared Services Questions (STEP0)'
menu: 'KNEL — Shared Services Questions (STEP0)'
---
# KNEL — Shared Services Questions (STEP0)
Context (confirmed)
- OIDC single sign-on for all Cloudron apps.
- Matomo portfolio roll-up desired.
- CPA engaged; policies to be reviewed.
- Infra base cost ≈ $100/month; keep accounting lightweight.
Questions (answer inline as ready)
- Historical investments: which LLCs have balances to recover (e.g., RackRental/Suborbital)?
- Pricing stance: keep base recharges at $0 until revenue, then nominal flat recharge? Any threshold?
- Access: any OIDC group/role gaps to fix now across Gitea/Redmine/Matomo/Documenso?
- Matomo portfolio KPIs to show (visits, conversions, goals, revenue proxy)?
- Documenso templates to prioritize (JV, Intercompany, SOW, NDA)?
- DR/SLOs: confirm targets by tier and quarterly restore cadence.

8
content/plan.knownelement.com/pages/04.overview/default.md Normal file
View File

@@ -0,0 +1,8 @@
---
title: 'KNEL — Overview (STEP0 import)'
menu: 'KNEL — Overview (STEP0 import)'
---
# KNEL — Overview (STEP0 import)
This section captures shared-services planning content for KNEL imported from the IBP STEP0 phase. Content is additive and public.

27
content/plan.knownelement.com/pages/05.policies/default.md Normal file
View File

@@ -0,0 +1,27 @@
---
title: 'KNEL — Policy Drafts (STEP0)'
menu: 'KNEL — Policy Drafts (STEP0)'
---
# KNEL — Policy Drafts (STEP0)
Intercompany Recharge Policy (Draft)
- Purpose: keep internal billing simple; prioritize shipping.
- Base infra (~$100/mo) absorbed by KNEL until businesses have revenue; then nominal flat recharge may begin (to be confirmed with CPA).
- Monthly invoicing via Dolibarr; $0 allowed when below threshold.
Investment Recovery Policy (Draft)
- Track larger historical balances (e.g., RackRental/Suborbital) as intercompany loans; repay before distributions.
- Initial interest 0% unless CPA advises otherwise.
Access and Identity Policy (Draft)
- OIDC SSO is authoritative; no local accounts. Quarterly access reviews.
Backup/DR Policy (Draft)
- Tiers and RPO/RTO targets to be confirmed; quarterly restore tests.
Matomo Analytics Policy (Draft)
- Per-business site IDs; portfolio roll-up dashboard; 1224 month retention.
Documenso Templates Policy (Draft)
- Templates: JV, Intercompany Agreement, SOW, NDA (prioritization pending).

49
content/plan.knownelement.com/pages/06.proposal-draft/default.md Normal file
View File

@@ -0,0 +1,49 @@
---
title: 'KNEL — Shared Services Proposal (Draft)'
menu: 'KNEL — Shared Services Proposal (Draft)'
---
# KNEL — Shared Services Proposal (Draft)
Purpose
- Establish KNEL as the shared-services backbone across all LLCs with simple, auditable intercompany practices, minimal overhead, and portfolio-level visibility.
Scope (current)
- Identity/Access: OIDC SSO for all Cloudron apps (Gitea, Redmine, Matomo, Documenso, others).
- ERP/CRM: Dolibarr per-LLC, plus KNEL, Board, and Family Office instances.
- Infra: Cloudron automation for DNS/SSL/backups/upgrades; infra base cost ≈ $100/month.
Architecture and Operating Model
- Tenancy: Keep Dolibarr single-tenant per LLC. KNEL provides shared services to each LLC.
- Roles: Standardize groups/roles: Owner, Operator, Contributor, Viewer. Map these to OIDC groups.
- Inventory: Maintain a simple CMDB list of Cloudron apps with tags: `biz=<slug>`, `env=prod|staging`, `slo=tier-1|2|3`, `cost_center=KNEL:<sku>`.
- Backups/DR: Define RPO/RTO by tier (suggested: Tier1 RPO 6h, RTO 4h; Tier2 RPO 24h, RTO 1d; Tier3 best effort). Quarterly restore tests.
Intercompany Accounting (Lightweight)
- Historical investments: Track RackRental/Suborbital large balances as intercompany loans to be repaid before any distributions. For small/legacy domain fees, waive or treat as immaterial.
- Base infra cost ($100/mo): Keep at KNEL until a business generates revenue above a defined threshold; then begin simple recharges. Example threshold: revenue ≥ $500/mo → recharge a flat $10$20/mo.
- Price book: Publish a KNEL internal price list (flat rates) for common services (e.g., “Cloudron app slot,” “Matomo property,” “Gitea org,” “Documenso seats”). Keep rates nominal; objective is accountability, not profit.
- Dolibarr: KNEL is Supplier; each LLC is Customer. Use one recurring invoice per LLC per month (may be $0 if below threshold) plus adhoc for exceptional items.
- Approvals/Aging: 1step approval; monthly statement pack; soft remediation (freeze noncritical services after 60 days, with manual override).
Cloudron/Infra Practices
- App tagging and nightly inventory export (CSV/JSON) for reconciliation. Manual mapping acceptable initially.
- Change mgmt: Simple maintenance window and Markdown change log with Git tags.
- Monitoring: Monthly uptime report by tier; backup success rates.
Analytics and Documents
- Matomo: Perbusiness site IDs with a portfolio rollup dashboard (visits, conversions, goal completions, top referrers). 1224 month retention.
- Documenso: Template library for JV, Intercompany Agreement, SOW, NDA (prioritize later). Standardize signer roles.
- Redmine: Single instance with perLLC projects. Standard issue types; optional time-tracking for KNEL billable support if needed.
Governance and Review
- CPA review: Have CPA review intercompany policy and price book prior to significant revenue.
- Security: OIDC is the single source of truth. Quarterly access reviews of groups/roles per LLC.
- Policy docs: Versioned in IBP (public) with links out to canonical legal repos.
Open Decisions (for you)
- Accounting basis (cash vs accrual) and CPA preferences.
- Revenue threshold and flat recharge amounts per LLC.
- Exact RPO/RTO by tier and which apps are Tier1.
- Documenso template prioritization order.
- Redmine time-tracking usage for KNEL support.

20
content/plan.knownelement.com/pages/07.inventory-template/default.md Normal file
View File

@@ -0,0 +1,20 @@
---
title: 'KNEL — Inventory Template (STEP0)'
menu: 'KNEL — Inventory Template (STEP0)'
---
# KNEL — Inventory Template (STEP0)
CSV headers (example)
```
app_id,app_name,biz,env,slo,cost_center,url,notes
12345,gitea,merchants-of-hope,prod,tier-2,KNEL:GIT-ORG,https://gitea.example.com/org/...,primary code hosting
12346,matomo,your-dream-name-here,prod,tier-2,KNEL:MAT-PROP,https://matomo.example.com/#idSite=...,analytics
12347,documenso,sol-calc,prod,tier-2,KNEL:DOC-SEAT,https://sign.example.com,contracts
12348,redmine,rackrental,prod,tier-3,KNEL:RED-PROJ,https://pm.example.com,project tracking
```
Notes
- Export nightly (CSV/JSON) from Cloudron inventory or maintain manually to start.
- Tags: `biz`, `env`, `slo`, `cost_center` support lightweight reconciliation to Dolibarr.