Kanthaus wiki - User contributions [en]

Positions and evaluations

2026-01-14T15:23:26Z

Timber1: /* After evaluation */ Add information on evaluation notes

{{Warning|This appears to be a duplicate of a page on the website https://kanthaus.online/en/governance/positionsandevaluations Consider deleting one or the other.}}

👍️ This document is meant to give an overview about the structure of social hierarchy at Kanthaus.

== Positions ==

There are 3 positions at Kanthaus, in ascending level of responsibility ''and'' power they are: Visitor, Volunteer and Member. These Positions reflect and regulate the actual responsibility and power people hold. People move between Positions based on '''evaluation.'''

== Evaluation ==

Everyone at Kanthaus gets evaluated—it’s normal! Evaluation is a formal opportunity for you and the rest of the Kanthaus community to honestly inspect how that relationship is going and which Position suits you at this time: the whole thing lasts for ~1,5 hours. This document is a more human-readable version of the formal agreements located in the [https://kanthaus.online/governance/constitution Constitution].

=== 1. Meeting with Kanthaus Volunteers and Members (~75 minutes) ===

When it is time for your evaluation, a meeting will be arranged with you in which you and existing Kanthaus Members and Volunteers are invited. This will probably be done during a Coordination Meeting. No official notes will be taken, although you are welcome to take notes if you want, and an informal summary will be shared with the other Volunteers and Members afterwards. The only question that needs to be answered is whether you want to apply to continue at your current Position (e.g. Visitor) or progress to the next Position (e.g. Volunteer); aside from that the discussion is open and you are warmly invited to ask anything you want an answer to. Questions to consider include—

* What project-work are you doing for Kanthaus, Wurzen or elsewhere?
* Where do you see your role in Kanthaus?
* What do you see as your strengths/allowable weaknesses?
* What have you enjoyed/disliked about your time so far?
* How do you prefer to receive critical feedback?
* Do you have any outstanding conflicts with people involved at Kanthaus?
* Do you have allergies, dietary requirements or medical conditions you want to tell us about?
* What are your plans for the future?

=== 2. Kanthaus Members and Volunteers meet privately (~15 minutes) ===

After meeting with you, the Kanthaus Members and Volunteers will meet without you to decide which Position they find appropriate for you at this time. This meeting has three stages—

'''2.1. ‘Mock’ vote''' Before any discussion takes place, the question will be asked, ''“Do you support, accept or oppose (your name) becoming/remaining as a (Position you applied for) at this point in time?”'' The participants will vote anonymously and see the predictive result.

'''2.2. Discussion''' The participants will talk personally about the result and any personal opinions they have. There is no particular format.

'''2.3. Vote''' Again the question will be asked, ''“Do you support, accept or oppose (your name) becoming/remaining as a (Position you applied for) at this point in time?”'' and again the participants will vote anonymously. A successful outcome occurs when there are 3 or more times as many ‘support’ votes to ‘oppose’ votes (e.g. 4 ‘support’, 2 ‘accept’ and 1 ‘oppose’.) If unsuccessful, the procedure will be repeated at the lower position, for example: if you requested to become Volunteer and it was unsuccessful, the process would be repeated as if you’d applied to remain as a Visitor. Only the result of the vote, not the individual votes, are recorded.

=== 3. Position outcome and feedback (~5 minutes) ===

You will receive feedback immediately regarding which Position you are offered and further feedback if you weren’t offered the Position you applied for.

== After evaluation ==
The facilitator should fill out the [[evaluation record]] and write a summary (either post it to the [https://chat.kanthaus.online/kanthaus/channels/evaluation-checkin-notes ~evaluation-checkIn-notes] [[Mattermost]] channel or print and hang it. Delete / destroy it after one month).
[[Category:Social]]
[[Category:test]]
[[Category:Meeting]]

Evaluation record

2026-01-14T15:20:10Z

Timber1: Update outdated information and add reference to evaluation recorder

📝 In the evaluation record, we record a summary of the [[Positions and evaluations|evaluations required by our positions system]]. [https://git.kanthaus.online/kanthaus/kanthaus-private/src/branch/main/evaluationRecord.yml The file] is stored in [https://git.kanthaus.online/kanthaus/kanthaus-private kanthaus-private] (a [[Git|git repository]]). At the end of an evaluation, the facilitator is expected to record the evaluation in this file. This can also be done using [https://kanthaus-server/evaluation-recorder/ the Evaluation Recorder]; this is only reachable within the <code>kanthaus</code> [[Wifi]] and has a self signed certificate, so accept the risk if your browser warns you about it. In case you have a custom DNS server configured, use this link instead: https://192.168.100.2/evaluation-recorder/.

== Structure ==
The evaluation record is a file (written in YAML format), containing for each evaluation the following fields:

* Date
* Person being evaluated
* Position before the evaluation
* Position applied for
* New position
* People who got to vote on the position
* Other non-voting people present at the evaluation

Note that it doesn't contain notes anymore; those are instead posted to a dedicated [[Mattermost]] channel or printed on a sheet of paper and destroyed after one month.

== Uses ==
This file is used to determine automatically who is due for evaluation before each [[CoMe]].

Occasionally, this file is analyzed to gather statistics about our position system or attendance of evaluations.

Occasionally old entries are deleted to adhere to our privacy concept.
[[Category:Social]]
[[Category:Digital]]

Powerhour

2025-11-21T14:42:32Z

Timber1: Fix typo

✨ The weekly communal cleaning session.

== Time and place ==
'''Mondays immediately after [[CoMe]]''' (or at 11 am when there's no CoMe) we stay in the same room to distribute tasks. Then K20 and K22 will be cleaned for a maximum of 2 hours.

== Initial meeting ==
[[File:PowerHourTaskList2024.png|thumb|Power Hour Task List]]
There is a Power Hour Task List for the most relevant tasks.

The facilitator decides how to assign tasks to people.

Usually, it goes something like this:

The facilitator goes through the tasks briefly to find out which ones are of priority this week. Visitors are given tasks first so that they can be paired with more experienced Kanthausians easily. Then there is a round in which people can grab their preferred task. The facilitator makes sure that no important task is left and that everybody has something to do in the end.

This meeting should not take more than 10 minutes.

== General Info ==
Most cleaning supplies are stored in the [[Intermediate|Intermediate Storage Room]].

If the layout of the house is not clear to you, please refer to the [https://kanthaus.gitlab.io/expfloorer/ expfloorer].

If you can’t clean immediately after the Power Hour meeting, please do it in the next 2-3 days.

== History ==
In November 2015, during the pre-[[History|history of Kanthaus]] (yunity), several people stayed at the [https://sensor-magazin.de/so-wohnt-mainz-das-liebermenschhaus/ Liebermenschhaus] ("Lovely-people-house") in Mainz. This was a living collective formed by some people of the Livingutopia network. They organized a weekly "Putzparty" ("Cleaning party") which was horribly early on a Thursday (if memory correct) since it was the only time that all the residents where able to make. They would split tasks and clean for an hour or two as their main cleaning action of the week.

Many other experiences were made during the pre-history period, none of which seemed as good. The "Powerhour" was pretty much directly copied from the "Putzparty" and included in the Collective Agreements at the founding of Kanthaus, at 10:00 on Thursdays.

In mid-2023, the time of Powerhour was [https://git.kanthaus.online/kanthaus/kanthaus-governance/commit/75e0172d5c5096681e1268fb872c8b531c0a0564 changed] to after [[CoMe]] (i.e. 11:00 on Mondays) in an effort to "concentrate" Kanthaus activities, to leave people more time to focus on non-Kanthaus things.

== Analysis ==
The topic of communal cleaning is evergreen and there are many systems. The Powerhour has some advantages:

* simplicity: meet at a given time, get task, clean for an hour, done
* regularity: you can plan with/around it (i.e. when Powerhour happens & when house cleanest!)
* mutual-monitoring: everyone is there, everyone sees who gets what task
* reliability: people less likely to forget
* community: doing something together in time can be bonding

== Detailed description of tasks ==

=== [[Power Hour/Main Kitchen|Main Kitchen]] ===
=== [[Power hour/Snack Kitchen|Snack Kitchen]] ===
=== [[Power hour/Bathrooms K20|Bathrooms K20]] ===
=== [[Power hour/Bathrooms K22|Bathrooms K22]] ===
=== Vacuuming Central Rooms ===
* get a vacuum cleaner from the [[Intermediate|Intermediate Storage Room]]
* vacuum all of K20-1 and K22-1 except the staircases

=== Vacuuming Staircase K20 Plus ===
* get a vacuum cleaner from the [[Intermediate|Intermediate Storage Room]]
* vacuum the K20 staircase and whatever needs vacuuming in K20-0, K20-2 and/or K20-3
* skip the basement

=== Vacuuming Staircase K22 Plus ===
* get a vacuum cleaner from the [[2nd bathroom|2nd Bathroom]]
* vacuum the K22 staircase and whatever needs vacuuming in K22-0 and/or K22-2
* skip the basement and workshops

=== [[The Vortex|Vortex Shifting]] ===
=== [[Power hour/Indoor Plant Care|Indoor Plant Care]] ===

=== [[Power hour/Bin Emptying|Bin Emptying]] ===
=== [[Power Hour/Incoming Food Care|Incoming Food Care]] ===
=== [[Power hour/Existing food care|Existing Food Care]] ===
=== Communal Closet Sorting ===
* sort the clean communal clothes into the fitting spots in the closet
* mind the sizes!
* sort out ripped or torn clothes
* fold towels and put them into the closet in the Main Bathroom
* fold tea towels, put them in extra basket together with other kitchen things
* fold duvet covers inside out and in a way that one can read the size written on the bottom
* bring bed cloths, kitchen textiles, clean butt towels and sorted-out clothes to [[Intermediate storage|Intermediate Storage Room]]. Place them in designated boxes.

=== [[Power hour/Basic Workshop Clean-Up|Basic Workshop Clean-Up]] ===
=== Mopping Central Rooms + Main Bathroom ===
* wait for the vacuuming to be finished
* then get a mop and bucket from the [[Intermediate|Intermediate Storage Room]]
* mop the Main Kitchen, the Snack Kitchen, the Dining Room, the Elephant Room, the Main Bathroom
* mop where you think it should be mopped

=== Deep Clean Room of Choice ===
* name one room and give it all your love
* this includes moving furniture to clean underneath, dusting book shelves or anything that’s rarely done

=== [[Power hour/Glass and Pfand|Sort and Return Glass and Pfand]] ===
=== [[Power hour/Clean Sidewalks|Clean Sidewalks]] K18, K20, K22 ===
[[Category:Social]]
[[Category:Regular]]
[[Category:Maintenance]]
[[Category:Meeting]]
[[Category:Repro]]

Server

2025-11-18T16:50:59Z

Timber1: Remove tor relay

⭐️ We have a server running locally that provides a few services to residents as well as guests.

== File sharing services ==

The server provides the possibility to store and exchange data. Some services are publicly available (e.g. connecting with an anonymous user), for others you need a user account with some privileges. All file services are only available in the <code>full</code> [[Wifi|network]] and served via [[wikipedia:Samba_(software)|Samba]]. Use your computers file manager to browse the available network computers and locate the server as <code>KANTHAUS-SERVER</code>. If this doesn’t show up in your file manager or the link is broken, you can try entering <code>smb://kanthaus-server/</code> directly into your file managers address bar. This should work on most Linux environments.

=== Getting a user account ===
To get a user account, speak to an admin (e.g. Antonin or Tilmann). The admin will add you to the Ansible user configuration and ask you to set a temporary password using your account. You can change the password yourself, e.g. via <code>smbpasswd -r kanthaus-server -U yourusername</code>.

Actually, you have two passwords:

* System user account: Used for local access and SSH access. Change password using <code>passwd</code> when logged in
* Samba account: Used for accessing the samba network shares. Change password using command above remotely or using <code>smbpasswd</code> when logged in.

==== Kanthaus cloud copy ====
* The share <code>kanthaus-public</code> offers an anonymously usable read only copy of the public part of the kanthaus cloud.
* The share <code>cloud.kanthaus.online</code> offers a read only copy of the whole kanthaus cloud. You need to have a user with the permissions class <code>kanthaus</code>.

The cloud copy is synchronized from the Kanthaus cloud once every minute.

==== Internal cloud ====
The share <code>internalcloud</code> stores some data which should only be available from inside Kanthaus (e.g. financial data) and is only available to users with the permissions class <code>internal</code>. Please make sure to only put security sensitive stuff in here and also make sure to not leak your user credentials or the contents of this folder, when you have access to it.

This folder is part of the daily backup.

==== Home folder ====
Every user account also has their personal <code>home</code> folder available as the <code>homes</code> storage. All data you put here is only available to yourself. Inside the home folder, there is a directory called <code>storage</code>. This folder lies on an easily expandable, cheap hard-disk storage. It is slower to access but suitable to store lots of data (e.g. backups of your computer).

Your home folder is part of a daily backup. Please put files called <code>.nobackup</code> into folders that you don’t want to be backed up (e.g. to save storage space). The <code>storage</code> folder is '''not''' part of the backup, but the hard-disks have a raid configuration to tolerate the loss of one hard-disk.

== Shell access ==

When you have a user account, you can also use SSH to connect to the server and use it for computing tasks. To set an initial password, ask an admin. When you already have file sharing access, you can add your SSH public key to the <code>homes/.ssh/authorized_keys</code> and use that for logging in. Same as above: In your home directory there is a symlinked folder called <code>storage</code> which is on spinning disks, whereby the rest of your home folder is on limited SSD space.

== Limiting crawlers ==
Our web services all run through an NGINX reverse proxy web server. The recent intensification of crawling for LLM training was significantly affecting our Forgejo instance, with periodic spikes over 100% greater than baseline. To diagnose the issue, <code>ngxtop</code> was installed and can be ran with <code>/opt/kh-services/ngxtop/bin/ngxtop --group-by remote_addr -n 50 -l /data/services/data/nginx-logs/forgejo-access.log</code> this provides a "top-like" overview the HTTP responses the web server sends them back to (bucketed) IPs. Additionally, <code>tail -f /data/services/data/nginx-logs/<service>-access.log</code> provides a more detailed, chronological view of HTTP responses.

At the time of writing, for countermeasures we have

* an <code>nginx</code> rate limiting of 15 requests / second in addition to some burst allowances
* a <code>robots.txt</code> that forbids all robots entry
* an <code>nginx</code> blocklist that blocks all AI robots user agents
* <code>go-away</code> that blocks requests based on some non-javascript challenges, based on the [https://git.gammaspectra.live/git/go-away/src/branch/master/examples/forgejo.yml default example for forgejo] (with the only differences that <code>js-refresh</code> is replaced by <code>header-refresh</code> and the final <code>js-pow-sha256</code> challenge is removed)
Stats of <code>go-away</code> are available on [https://grafana.yunity.org/d/f7bd6db8-b503-48b3-8a4d-fd1011aac8e0/go-away grafana].

== SFTP Access ==

You can use software like FileZilla to access your home folder through <code>sftp://kanthaus-server</code> providing your username. See the Shell Access section above for other details.

=== How to unlock the encrypted <code>kanthaus-server</code> via network ===
* be in <code>kh-admin</code>
* <code>ssh -p 2222 root@192.168.178.249</code>
** your key must be stored on the server in <code>/etc/dropbear-initramfs/authorized_keys</code> -> <code>update-initramfs -u</code>
** ED25519 key fingerprint: <code>SHA256:mvCVYx8D/Fv/qYq+a/H4MoRAcfExAUsAFW3L2NVHnD0</code>
* enter password (stored in keepass -> Server)

== System specs ==

* System is designed to save power but still have some computing resources.
* CPU: Intel Core i5-2500K (4x 3.3 GHz)
* Ram: 16 GB DDR3L
* SSD: 1 TB Samsung 860 Evo as root file system
* HDD: BTRFS pool with 2 disks. Current usable size 3 TB

== Backups ==

Backups are done using Borgmatic. The backup target is the local hard-disk storage, so it does not safe us against fire or theft of the computer. We might think about adding a remote backup as well.

== Other services ==

* Foodsharing Gitlab which CI runner (dockerized)
* House bus services
** local Web interface (dockerized)
** Logging daemon to externally hosted influxdb
* Virtual machines (kvm/libvirt)
[[Category:Technical]]
[[Category:Digital]]

Brotagonist

2025-11-02T13:59:13Z

Timber1: Create brotagonist instructions

We have a corporation with [https://www.brotagonist.de/ Wendl, the Brotagonist], where we get bread (rolls) every two weeks.

=== How to pick up Bread ===
It's very similar to Foodsharing. Here's detailed instructions though:

* Look at the schedule. We pick up bread (rolls) every two weeks, the dates are entered in the [https://cloud.kanthaus.online/apps/calendar/timeGridWeek/now# calendar]. Pick up times are during the opening hours of the store, so between 6am and 3pm
* Sign up for the pick up in [[CoMe]] one week before the pickup
* Take a lot of space. We typically get up to 5 bakery boxes of bread (rolls). You will need a big backpack, big bike bags and potentially up to three Ikea bags. Take big plastic / bread bags for inside the other bags. It's easier if you don't go alone
* Take the S-Train to ''Völkerschlachtdenkmal'', then cycle the rest of the way to Apelsteinallee 4, 04416 Markkleeberg
* Take at least two of the big plastic / bread bags inside the store
* Be friendly! Tell them you're from ''Wandel Würzen e.V.'' for the biweekly pickup (preferably in German)
* Take everything they give you and don't complain
* Travel back with hopefully lots of bread (rolls)
* Freeze everything we can't immediately use or put bread (rolls) that don't fit into the freezers in the Fairteiler
* That's it! Thank you for your bread service :)

Bread

2025-11-02T13:47:31Z

Timber1: Add bread source

We eat a lot of bread in Kanthaus.

== Where to find bread ==
Unfrozen bread is typically stored in the [[Snack kitchen]], in the box under the bread cutting board. Frozen bread is in one of the [[Freezer|freezers]].

== Obtaining new bread ==
There are two main options for obtaining new bread: [[Saving food|Saving]] (either dumpster diving, from [[Brotagonist]] or foodsharing) or making it yourself, e.g. with the help of the [[Bread machine]].
[[Category:Practicalities]]

Peanut Butter

2025-09-23T14:48:33Z

Timber1: Correct amount of trays

We make peanut butter ourselves. This is the current process that seems to work best:

* Roast two trays of peanuts for about 45 minutes at 150°C (circulating air) in the oven. Make sure to utilize solar power!
* Let the peanuts cool down a bit
* Put most of them into the manual food processor
* Put on the custom lid with a hole
* Put in the following parts in the electric '''brushless''' drill: [[File:Drill bits.jpg|alt=3 parts that go into the electric drill and fit the manual part with the spinning knives|none|thumb|Drill bits]]
* Put the bits into the manual part with the spinning blades
* Process them for about 5 minutes on the highest setting or until the consistency is nice and creamy
* Possibly add some rapeseed oil (try without!)
* Add the rest of the peanuts
* Process them for another 1 minute or until the added peanuts are small enough
* Done!

Peanut Butter

2025-09-23T14:48:15Z

Timber1: Update process to utilize electricity

We make peanut butter ourselves. This is the current process that seems to work best:

* Roast one tray of peanuts for about 45 minutes at 150°C (circulating air) in the oven. Make sure to utilize solar power!
* Let the peanuts cool down a bit
* Put most of them into the manual food processor
* Put on the custom lid with a hole
* Put in the following parts in the electric '''brushless''' drill: [[File:Drill bits.jpg|alt=3 parts that go into the electric drill and fit the manual part with the spinning knives|none|thumb|Drill bits]]
* Put the bits into the manual part with the spinning blades
* Process them for about 5 minutes on the highest setting or until the consistency is nice and creamy
* Possibly add some rapeseed oil (try without!)
* Add the rest of the peanuts
* Process them for another 1 minute or until the added peanuts are small enough
* Done!

File:Drill bits.jpg

2025-09-23T14:44:59Z

Timber1:

3 parts that go into the drill to fit the manual part with the rotating knives

Peanut Butter

2025-08-26T14:55:26Z

Timber1: Add peanut butter

We make peanut butter ourselves. This is the current process that seems to work best:

* Roast one tray of peanuts for about 60 minutes at 150°C (top and bottom heat) in the oven. Make sure to utilize solar power!
* Let the peanuts cool down a bit
* Put them into the manual food processor
* Process them for about 20 minutes
* Add some rapeseed oil
* Process them for another 10 minutes
* Done!

This is a great example of work we do in Kanthaus that technically saves us money, but only if we don't value our time that much. The peanuts cost 2€/kg, but factoring in 15€/h, the peanut butter costs about 20€/kg. With a bigger / better / electrical food processor, the time necessary could be greatly reduced, but already it has the advantage of highlighting the value and ''speciallness'' of peanut butter.

Server

2025-08-20T15:06:37Z

Timber1: Add link to grafana.

⭐️ We have a server running locally that provides a few services to residents as well as guests.

== File sharing services ==

The server provides the possibility to store and exchange data. Some services are publicly available (e.g. connecting with an anonymous user), for others you need a user account with some privileges. All file services are only available in the <code>full</code> [[Wifi|network]] and served via [[wikipedia:Samba_(software)|Samba]]. Use your computers file manager to browse the available network computers and locate the server as <code>KANTHAUS-SERVER</code>. If this doesn’t show up in your file manager or the link is broken, you can try entering <code>smb://kanthaus-server/</code> directly into your file managers address bar. This should work on most Linux environments.

=== Getting a user account ===
To get a user account, speak to an admin (e.g. Antonin or Tilmann). The admin will add you to the Ansible user configuration and ask you to set a temporary password using your account. You can change the password yourself, e.g. via <code>smbpasswd -r kanthaus-server -U yourusername</code>.

Actually, you have two passwords:

* System user account: Used for local access and SSH access. Change password using <code>passwd</code> when logged in
* Samba account: Used for accessing the samba network shares. Change password using command above remotely or using <code>smbpasswd</code> when logged in.

==== Kanthaus cloud copy ====
* The share <code>kanthaus-public</code> offers an anonymously usable read only copy of the public part of the kanthaus cloud.
* The share <code>cloud.kanthaus.online</code> offers a read only copy of the whole kanthaus cloud. You need to have a user with the permissions class <code>kanthaus</code>.

The cloud copy is synchronized from the Kanthaus cloud once every minute.

==== Internal cloud ====
The share <code>internalcloud</code> stores some data which should only be available from inside Kanthaus (e.g. financial data) and is only available to users with the permissions class <code>internal</code>. Please make sure to only put security sensitive stuff in here and also make sure to not leak your user credentials or the contents of this folder, when you have access to it.

This folder is part of the daily backup.

==== Home folder ====
Every user account also has their personal <code>home</code> folder available as the <code>homes</code> storage. All data you put here is only available to yourself. Inside the home folder, there is a directory called <code>storage</code>. This folder lies on an easily expandable, cheap hard-disk storage. It is slower to access but suitable to store lots of data (e.g. backups of your computer).

Your home folder is part of a daily backup. Please put files called <code>.nobackup</code> into folders that you don’t want to be backed up (e.g. to save storage space). The <code>storage</code> folder is '''not''' part of the backup, but the hard-disks have a raid configuration to tolerate the loss of one hard-disk.

== Shell access ==

When you have a user account, you can also use SSH to connect to the server and use it for computing tasks. To set an initial password, ask an admin. When you already have file sharing access, you can add your SSH public key to the <code>homes/.ssh/authorized_keys</code> and use that for logging in. Same as above: In your home directory there is a symlinked folder called <code>storage</code> which is on spinning disks, whereby the rest of your home folder is on limited SSD space.

== Limiting crawlers ==
Our web services all run through an NGINX reverse proxy web server. The recent intensification of crawling for LLM training was significantly affecting our Forgejo instance, with periodic spikes over 100% greater than baseline. To diagnose the issue, <code>ngxtop</code> was installed and can be ran with <code>/opt/kh-services/ngxtop/bin/ngxtop --group-by remote_addr -n 50 -l /data/services/data/nginx-logs/forgejo-access.log</code> this provides a "top-like" overview the HTTP responses the web server sends them back to (bucketed) IPs. Additionally, <code>tail -f /data/services/data/nginx-logs/<service>-access.log</code> provides a more detailed, chronological view of HTTP responses.

At the time of writing, for countermeasures we have

* an <code>nginx</code> rate limiting of 15 requests / second in addition to some burst allowances
* a <code>robots.txt</code> that forbids all robots entry
* an <code>nginx</code> blocklist that blocks all AI robots user agents
* <code>go-away</code> that blocks requests based on some non-javascript challenges, based on the [https://git.gammaspectra.live/git/go-away/src/branch/master/examples/forgejo.yml default example for forgejo] (with the only differences that <code>js-refresh</code> is replaced by <code>header-refresh</code> and the final <code>js-pow-sha256</code> challenge is removed)
Stats of <code>go-away</code> are available on [https://grafana.yunity.org/d/f7bd6db8-b503-48b3-8a4d-fd1011aac8e0/go-away grafana].

== SFTP Access ==

You can use software like FileZilla to access your home folder through <code>sftp://kanthaus-server</code> providing your username. See the Shell Access section above for other details.

=== How to unlock the encrypted <code>kanthaus-server</code> via network ===
* be in <code>kh-admin</code>
* <code>ssh -p 2222 root@192.168.178.249</code>
** your key must be stored on the server in <code>/etc/dropbear-initramfs/authorized_keys</code> -> <code>update-initramfs -u</code>
** ED25519 key fingerprint: <code>SHA256:mvCVYx8D/Fv/qYq+a/H4MoRAcfExAUsAFW3L2NVHnD0</code>
* enter password (stored in keepass -> Server)

== System specs ==

* System is designed to save power but still have some computing resources.
* CPU: Intel Core i5-2500K (4x 3.3 GHz)
* Ram: 16 GB DDR3L
* SSD: 1 TB Samsung 860 Evo as root file system
* HDD: BTRFS pool with 2 disks. Current usable size 3 TB

== Backups ==

Backups are done using Borgmatic. The backup target is the local hard-disk storage, so it does not safe us against fire or theft of the computer. We might think about adding a remote backup as well.

== Tor Relay ==
We run a [https://metrics.torproject.org/rs.html#details/DB35C03124D5EC03BCFE2754078A48366133EE05 Tor middle/guard relay]. It was set up according to [https://community.torproject.org/relay/setup/guard/debian-ubuntu/ those instructions]. You can check its status with
sudo systemctl status tor@default
It (re)started successfully if the following line (with a different IP) appears in the journal (<code>sudo journalctl -xeu tor@default</code>):
Self-testing indicates your ORPort 84.184.31.103:9001 is reachable from the outside. Excellent. Publishing server descriptor.
However, you don't need to worry too much about it, since [https://chat.kanthaus.online/kanthaus/messages/@timber Timber] will get notified within 5 minutes of the Tor relay being down.

Also note that the Tor relay restarts every night something past 5 since our IP address changes around that time. This is expected behavior and nothing to worry about.

If you're very curious and want to see what happens on the server, you can check out <code>sudo nyx</code>, though be mindful to [https://community.torproject.org/relay/setup/post-install/ not share this data publicly], since it can endanger the anonymity of our users.

The keys of the relay lie in <code>/var/lib/tor/keys</code> and are included in <code>/opt/kh-services/configs/borgmatic.yml</code>, which ''should'' mean that they're being backed up.

== Other services ==

* Foodsharing Gitlab which CI runner (dockerized)
* House bus services
** local Web interface (dockerized)
** Logging daemon to externally hosted influxdb
* Virtual machines (kvm/libvirt)
[[Category:Technical]]
[[Category:Digital]]

Server

2025-08-20T12:03:00Z

Timber1: Describe crawler countermeasures

⭐️ We have a server running locally that provides a few services to residents as well as guests.

== File sharing services ==

The server provides the possibility to store and exchange data. Some services are publicly available (e.g. connecting with an anonymous user), for others you need a user account with some privileges. All file services are only available in the <code>full</code> [[Wifi|network]] and served via [[wikipedia:Samba_(software)|Samba]]. Use your computers file manager to browse the available network computers and locate the server as <code>KANTHAUS-SERVER</code>. If this doesn’t show up in your file manager or the link is broken, you can try entering <code>smb://kanthaus-server/</code> directly into your file managers address bar. This should work on most Linux environments.

=== Getting a user account ===
To get a user account, speak to an admin (e.g. Antonin or Tilmann). The admin will add you to the Ansible user configuration and ask you to set a temporary password using your account. You can change the password yourself, e.g. via <code>smbpasswd -r kanthaus-server -U yourusername</code>.

Actually, you have two passwords:

* System user account: Used for local access and SSH access. Change password using <code>passwd</code> when logged in
* Samba account: Used for accessing the samba network shares. Change password using command above remotely or using <code>smbpasswd</code> when logged in.

==== Kanthaus cloud copy ====
* The share <code>kanthaus-public</code> offers an anonymously usable read only copy of the public part of the kanthaus cloud.
* The share <code>cloud.kanthaus.online</code> offers a read only copy of the whole kanthaus cloud. You need to have a user with the permissions class <code>kanthaus</code>.

The cloud copy is synchronized from the Kanthaus cloud once every minute.

==== Internal cloud ====
The share <code>internalcloud</code> stores some data which should only be available from inside Kanthaus (e.g. financial data) and is only available to users with the permissions class <code>internal</code>. Please make sure to only put security sensitive stuff in here and also make sure to not leak your user credentials or the contents of this folder, when you have access to it.

This folder is part of the daily backup.

==== Home folder ====
Every user account also has their personal <code>home</code> folder available as the <code>homes</code> storage. All data you put here is only available to yourself. Inside the home folder, there is a directory called <code>storage</code>. This folder lies on an easily expandable, cheap hard-disk storage. It is slower to access but suitable to store lots of data (e.g. backups of your computer).

Your home folder is part of a daily backup. Please put files called <code>.nobackup</code> into folders that you don’t want to be backed up (e.g. to save storage space). The <code>storage</code> folder is '''not''' part of the backup, but the hard-disks have a raid configuration to tolerate the loss of one hard-disk.

== Shell access ==

When you have a user account, you can also use SSH to connect to the server and use it for computing tasks. To set an initial password, ask an admin. When you already have file sharing access, you can add your SSH public key to the <code>homes/.ssh/authorized_keys</code> and use that for logging in. Same as above: In your home directory there is a symlinked folder called <code>storage</code> which is on spinning disks, whereby the rest of your home folder is on limited SSD space.

== Limiting crawlers ==
Our web services all run through an NGINX reverse proxy web server. The recent intensification of crawling for LLM training was significantly affecting our Forgejo instance, with periodic spikes over 100% greater than baseline. To diagnose the issue, <code>ngxtop</code> was installed and can be ran with <code>/opt/kh-services/ngxtop/bin/ngxtop --group-by remote_addr -n 50 -l /data/services/data/nginx-logs/forgejo-access.log</code> this provides a "top-like" overview the HTTP responses the web server sends them back to (bucketed) IPs. Additionally, <code>tail -f /data/services/data/nginx-logs/<service>-access.log</code> provides a more detailed, chronological view of HTTP responses.

At the time of writing, for countermeasures we have

* an <code>nginx</code> rate limiting of 15 requests / second in addition to some burst allowances
* a <code>robots.txt</code> that forbids all robots entry
* an <code>nginx</code> blocklist that blocks all AI robots user agents
* <code>go-away</code> that blocks requests based on some non-javascript challenges, based on the [https://git.gammaspectra.live/git/go-away/src/branch/master/examples/forgejo.yml default example for forgejo] (with the only differences that <code>js-refresh</code> is replaced by <code>header-refresh</code> and the final <code>js-pow-sha256</code> challenge is removed)

== SFTP Access ==

You can use software like FileZilla to access your home folder through <code>sftp://kanthaus-server</code> providing your username. See the Shell Access section above for other details.

=== How to unlock the encrypted <code>kanthaus-server</code> via network ===
* be in <code>kh-admin</code>
* <code>ssh -p 2222 root@192.168.178.249</code>
** your key must be stored on the server in <code>/etc/dropbear-initramfs/authorized_keys</code> -> <code>update-initramfs -u</code>
** ED25519 key fingerprint: <code>SHA256:mvCVYx8D/Fv/qYq+a/H4MoRAcfExAUsAFW3L2NVHnD0</code>
* enter password (stored in keepass -> Server)

== System specs ==

* System is designed to save power but still have some computing resources.
* CPU: Intel Core i5-2500K (4x 3.3 GHz)
* Ram: 16 GB DDR3L
* SSD: 1 TB Samsung 860 Evo as root file system
* HDD: BTRFS pool with 2 disks. Current usable size 3 TB

== Backups ==

Backups are done using Borgmatic. The backup target is the local hard-disk storage, so it does not safe us against fire or theft of the computer. We might think about adding a remote backup as well.

== Tor Relay ==
We run a [https://metrics.torproject.org/rs.html#details/DB35C03124D5EC03BCFE2754078A48366133EE05 Tor middle/guard relay]. It was set up according to [https://community.torproject.org/relay/setup/guard/debian-ubuntu/ those instructions]. You can check its status with
sudo systemctl status tor@default
It (re)started successfully if the following line (with a different IP) appears in the journal (<code>sudo journalctl -xeu tor@default</code>):
Self-testing indicates your ORPort 84.184.31.103:9001 is reachable from the outside. Excellent. Publishing server descriptor.
However, you don't need to worry too much about it, since [https://chat.kanthaus.online/kanthaus/messages/@timber Timber] will get notified within 5 minutes of the Tor relay being down.

Also note that the Tor relay restarts every night something past 5 since our IP address changes around that time. This is expected behavior and nothing to worry about.

If you're very curious and want to see what happens on the server, you can check out <code>sudo nyx</code>, though be mindful to [https://community.torproject.org/relay/setup/post-install/ not share this data publicly], since it can endanger the anonymity of our users.

The keys of the relay lie in <code>/var/lib/tor/keys</code> and are included in <code>/opt/kh-services/configs/borgmatic.yml</code>, which ''should'' mean that they're being backed up.

== Other services ==

* Foodsharing Gitlab which CI runner (dockerized)
* House bus services
** local Web interface (dockerized)
** Logging daemon to externally hosted influxdb
* Virtual machines (kvm/libvirt)
[[Category:Technical]]
[[Category:Digital]]

Network

2025-07-12T00:13:25Z

Timber1: Update location

👻 This page should document some bits of the network infrastructure of Kanthaus. Please maintain so people with a bit of network knowledge can understand and maintain the network. See also [[Server]].

== Overview ==
[[File:Network topology 2024-10-18 .png|none|thumb]]

== ISP ==
We currently use Telekom as our internet provider. They have a [https://www.telekom.de/hilfe/hilfe-bei-stoerungen/leitungspruefung help page] for diagnosing internet issues from their side: good idea to check this first if the wifi networks are still up, but not connected to the internet.

== TRUNK network ==

the backbone of our network, connecting all Access Points and the central firewall, carries all the different networks via VLAN:

{| class="wikitable"
!align="right" width="17%"| VLAN-ID
!width="33%"| IP Range
!width="26%"| Name
!width="22%"| Purpose / Devices
|-
|align="right"| untagged
| 192.168.178.x
| ADMIN
| configuration tnterfaces of all AP’s & Switches
|-
|align="right"| 4
| 192.168.4.x
| PRINTER
| connection between print server (kanthaus-server) and printer
|-
|align="right"| 5
| 192.168.5.x
| IOT ''(former SMA)''
| only access to kanthaus-server and potentially whitelisted internet IP’s + isolated clients¹
|-
|align="right"| 100
| 192.168.100.x
| RESTRICTED
| normal internet access + isolated clients¹
|-
|align="right"| 101
| 192.168.101.x
| VPN
| tunneled to VPN (currently NL)
|-
|align="right"| 102
| 192.168.102.x
| UNSECURE
| normal internet access
|}

¹ client isolation does not work between LAN <-> LAN clients

== Wifis ==

{| class="wikitable"
! SSID
! Network
!align="center"| Encrypt.
!align="center"| 802.11r
!align="center"| 802.11w
!align="center"| Isolation
! Comment
|-
| <code>kanthaus</code>
| RESTRICTED
|align="center"| WPA3
|align="center"| -¹
|align="center"| required
|align="center"| on
|
|-
| <code>kanthaus-insecure</code>
| INSECURE
|align="center"| WPA2
|align="center"| -
|align="center"| -
|align="center"| -
| unsupported drivers, LAN parties, etc.
|-
| <code>kanthaus-gast</code>
| VPN
|align="center"| -
|align="center"| -
|align="center"| -
|align="center"| on
|
|-
| <code>kh-admin</code>
| ADMIN
|align="center"| WPA3
|align="center"| -
|align="center"| required
|align="center"| -
|
|-
| <code>kh-iot</code>
| IOT
|align="center"| WPA2
|align="center"| -
|align="center"| -
|align="center"| on
|
|}

'''802.11r:''' Fast Roaming '''802.11w''': Management Frame Protection

¹ would be cool to have it on, but eventually led to issues. let’s reevaluate in a few months

== Device list ==

{| class="wikitable"
!width="15%"| Type
!width="18%"| Name
!width="19%"| Admin-IP
!width="18%"| Location
!width="20%"| Hardware
!width="8%"| Comments
|-
| Router
| <code>fritz.box</code>
| 192.168.200.1
| K20-1 hallway
| FritzBox 7530
| DSL termination (on main network), telephone
|-
| Router
| <code>firewall</code>
| 192.168.178.1
| K20-B rack
|
| central router / firewall
|-
| AP
| <code>dragon-k20-0</code>
| 192.168.178.207
| K20-0 hallway
| Archer C5 v1.2
|switch with servers
|-
| AP
| <code>dragon-k20-1</code>
| 192.168.178.201
| K20-1 hallway
| Archer C5 v1.2
|maybe overloaded
|-
| AP
| <code>dragon-k20-3</code>
| 192.168.178.208
| K20-3 center
| Archer C5 v1.2
|
|-
| AP
| <code>dragon-k20-B</code>
| 192.168.178.206
| K20-B water room
| Archer C5 v1.2
|for IoT devices
|-
| <s>AP</s>
| <code><s>dragon-k22-0</s></code>
| <s>192.168.178.204</s>
| <s>K22-0 side hallway</s>
| <s>Archer C5 v1.2</s>
|usually unplugged
|-
| AP
| <code><s>dragon-k22-1</s></code> ?
| <s>192.168.178.202</s> 192.168.178.217
| in front of baby bathroom [TODO: What is the name for this?]
| Archer C5 v1.2
|Timber installed the "normal" firmware, now it has a separate wifi (see [https://chat.kanthaus.online/kanthaus/pl/px368istkib7xdf4ekae76oqze Mattermost])
|-
| AP
| <code>dragon-k22-2</code>
| 192.168.178.203
| K22-2 hallway
| Archer C5 v1.2
|maybe overloaded
|-
| <s>AP</s>
| <code><s>dragon-k20-outside</s></code>
| <s>192.168.178.205</s>
| <s>K20-0-2 window</s>
| <s>Archer C5 v1.2</s>
| broken?
|-
| Managed Switch
| k20 firewall switch
| 192.168.178.9
| K20-B rack
| TL-SG108E
|
|-
| Managed Switch
| k22 trunk switch
| 192.168.178.10
| K22-B stairs
| GS108E v3
|
|-
| Switch
| k20 trunk switch
| -
| K20-B Rack
|
| provides PoE for some AP’s in K20
|-
| Server
| <code>kanthaus-server</code>
| 192.168.*.2
| K20-0 hallway
| Server, i5-2500K, 16GB Ram
| file storage, nextcloud, foodsharing gitlab CI Server, housebus logging & time/sunset provider (see [https://git.kanthaus.online/kanthaus/kanthaus-server-services/ Repo])
|-
| Main water meter reader
| <code>mainwatermeter</code>
| 192.168.5.37
| K20 basement (former heating room)
| ESP32-CAM
| see [[./water.html|Water usage tracking]]
|-
| Warm water meter reader
| <code>warmwatermeter</code>
| 192.168.5.38
| K20 basement (rainwater room)
| ESP32-CAM
| see [[./water.html|Water usage tracking]]
|-
| Ventilation watcher
| <code>ventilation</code>
| 192.168.5.39
| K20 attic
| ESP32-WROOM
| see [https://git.kanthaus.online/kanthaus/ventilation-watcher docs]
|-
| K20 door
| <code>k20-door</code>
| 192.168.5.40
| K20 hallway
| ESP32-CAM
| see [https://git.kanthaus.online/kanthaus/door-esp32 docs]
|}

== Firewall / Router ==

Central point of all subnets, routes between them

* runs OPNSense
* due to lack of ports on firewall, a VLAN switch added, bound to the firewall, also connecting to the fritz!box
* Features:
** VPN client
** DNS Server
** DHCP Server

== Access Points ==

* see Device list
* so far all Archer C5 v1.2
* centrally configured by OpenWISP: https://openwisp.im.kanthaus.online (only reachable inside the <code>ADMIN</code> net)
* starting point for other ethernet cables on that floor
* in K20 all powered by PoE (802.3af) from the switch in the basement

== Printer (Canon C2025i) ==

* Printer is in its own subnet together with the kanthaus-server
* On the kanthaus-server, there is ''CUPS'' running with printer sharing and auto discovery in the networks via avahi-daemon
* In <code>RESTRICTED</code> and <code>UNSECURE</code> the printer is also reachable directly via 192.168.4.153:9100

== kanthaus-server ==

* Most of the services are running inside a docker-compose setup
** Repo: https://git.kanthaus.online/kanthaus/kanthaus-server-services
** in <code>/opt/kh-services</code>
** checking state: <code>docker-compose ps</code>
** starting everything: <code>docker-compose up -d</code>
** logs: <code>docker-compose logs -f --tail=20</code>
* BTRFS raid for HDD’s under <code>/data</code>

== Random notes ==

=== Building customized OpenWRT for Archer C5 ===
<pre>
ssh kanthaus-server
sudo -iu openwrt-builder
cd openwrt
make
ls -l bin/targets/ath79/generic/
</pre>

==== included changes ====
* root password
* default IP <code>192.168.178.200</code> in ADMIN range
* switch: all ports in ADMIN net
* disabled DNS rebind protection
* wireless interface names
* additional packages
** openwisp-config
** prometheus-node-exporter-lu
** luci-ssl (for https)
** ebtables (for [https://blog.matthias-larisch.de/openwrt_client_isolation/ effective client isolation])
** tcpdump (for easier debugging)

=== Upgrading customized OpenWRT ===

Documentation: https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem
ssh kanthaus-server
sudo -iu openwrt-builder
cd openwrt
git pull
git checkout v23.05.2
Edit <code>feeds.conf</code> to change the branch for each feed to the new version, e.g. <code>...;openwrt-23.05</code>
./scripts/feeds update -a
./scripts/feeds install -a
make -j4 defconfig download clean world
ls -l bin/targets/ath79/generic/
Errors during <code>make world</code> are to be expected, usually the set of default packages changed and dependency conflicts are happening. Investigate generated the <code>.config</code> file and compare with the official ones at https://downloads.openwrt.org/releases/23.05.2/targets/ath79/generic/config.buildinfo

=== How to update OPNsense ===

There is a short downtime involved during the two reboots, usually 2 minutes each.

# Join the <code>kanthaus-admin</code> wifi network and log in to 192.168.178.1 (user <code>root</code>, password in keepass). Export the configuration to make a backup.
# Check if updates are available (System->Firmware->Updates)
# In case of minor updates, just use the button to perform
# If there is a major update (2x per year), download the newest version from https://opnsense.org/download/, unzip and flash to any USB stick
# Take a VGA monitor, a USB keyboard and the USB stick to the K20 basement big room, open the rack box and connect the devices to the small computer (HP)
# Log in with the USB keyboard (same credentials as above) and trigger a reboot. It should now boot from the USB stick.
# Press any key when it prompts to run the “Importer”. Now it will boot up a live environment and read the configuration file. If successful, network services should run as before.
# If all looks good, it’s time to install to disk. Run <code>opnsense-installer</code> from the shell (either on local keyboard or via ssh), choose ZFS and let the installer do its job.
# Remove the USB stick and reboot again.
# Check if the system came up good.
# Perform any last updates from the web UI.
# Delete the configuration backup again, it can contain secrets.

=== Pitfalls ===

* We use 802.1q VLAN tagging. All switches everywhere need to have at least passive passthrough support, otherwise the Vlans disappear at that switch. I don’t know of any gigabit switch that does not support this.
* Again Vlan: Managed switches normally need to have all VLANs that should be forwarded (also tagged -> tagged forward) defined in them.
* Again Vlan: Some Access Points like WDR841 v7/v8 cannot handle tagged and untagged vlan on the same port at the same time. So far, we don’t have any equipment like that and likely we will never have, but just to know…
* Again Vlan: fritz boxes have their switch in managed vlan mode and don’t forward any tagged vlan

Network

2025-07-11T20:46:17Z

Timber1: Update Piano Room AP information

👻 This page should document some bits of the network infrastructure of Kanthaus. Please maintain so people with a bit of network knowledge can understand and maintain the network. See also [[Server]].

== Overview ==
[[File:Network topology 2024-10-18 .png|none|thumb]]

== ISP ==
We currently use Telekom as our internet provider. They have a [https://www.telekom.de/hilfe/hilfe-bei-stoerungen/leitungspruefung help page] for diagnosing internet issues from their side: good idea to check this first if the wifi networks are still up, but not connected to the internet.

== TRUNK network ==

the backbone of our network, connecting all Access Points and the central firewall, carries all the different networks via VLAN:

{| class="wikitable"
!align="right" width="17%"| VLAN-ID
!width="33%"| IP Range
!width="26%"| Name
!width="22%"| Purpose / Devices
|-
|align="right"| untagged
| 192.168.178.x
| ADMIN
| configuration tnterfaces of all AP’s & Switches
|-
|align="right"| 4
| 192.168.4.x
| PRINTER
| connection between print server (kanthaus-server) and printer
|-
|align="right"| 5
| 192.168.5.x
| IOT ''(former SMA)''
| only access to kanthaus-server and potentially whitelisted internet IP’s + isolated clients¹
|-
|align="right"| 100
| 192.168.100.x
| RESTRICTED
| normal internet access + isolated clients¹
|-
|align="right"| 101
| 192.168.101.x
| VPN
| tunneled to VPN (currently NL)
|-
|align="right"| 102
| 192.168.102.x
| UNSECURE
| normal internet access
|}

¹ client isolation does not work between LAN <-> LAN clients

== Wifis ==

{| class="wikitable"
! SSID
! Network
!align="center"| Encrypt.
!align="center"| 802.11r
!align="center"| 802.11w
!align="center"| Isolation
! Comment
|-
| <code>kanthaus</code>
| RESTRICTED
|align="center"| WPA3
|align="center"| -¹
|align="center"| required
|align="center"| on
|
|-
| <code>kanthaus-insecure</code>
| INSECURE
|align="center"| WPA2
|align="center"| -
|align="center"| -
|align="center"| -
| unsupported drivers, LAN parties, etc.
|-
| <code>kanthaus-gast</code>
| VPN
|align="center"| -
|align="center"| -
|align="center"| -
|align="center"| on
|
|-
| <code>kh-admin</code>
| ADMIN
|align="center"| WPA3
|align="center"| -
|align="center"| required
|align="center"| -
|
|-
| <code>kh-iot</code>
| IOT
|align="center"| WPA2
|align="center"| -
|align="center"| -
|align="center"| on
|
|}

'''802.11r:''' Fast Roaming '''802.11w''': Management Frame Protection

¹ would be cool to have it on, but eventually led to issues. let’s reevaluate in a few months

== Device list ==

{| class="wikitable"
!width="15%"| Type
!width="18%"| Name
!width="19%"| Admin-IP
!width="18%"| Location
!width="20%"| Hardware
!width="8%"| Comments
|-
| Router
| <code>fritz.box</code>
| 192.168.200.1
| K20-1 hallway
| FritzBox 7530
| DSL termination (on main network), telephone
|-
| Router
| <code>firewall</code>
| 192.168.178.1
| K20-B rack
|
| central router / firewall
|-
| AP
| <code>dragon-k20-0</code>
| 192.168.178.207
| K20-0 hallway
| Archer C5 v1.2
|switch with servers
|-
| AP
| <code>dragon-k20-1</code>
| 192.168.178.201
| K20-1 hallway
| Archer C5 v1.2
|maybe overloaded
|-
| AP
| <code>dragon-k20-3</code>
| 192.168.178.208
| K20-3 center
| Archer C5 v1.2
|
|-
| AP
| <code>dragon-k20-B</code>
| 192.168.178.206
| K20-B water room
| Archer C5 v1.2
|for IoT devices
|-
| <s>AP</s>
| <code><s>dragon-k22-0</s></code>
| <s>192.168.178.204</s>
| <s>K22-0 side hallway</s>
| <s>Archer C5 v1.2</s>
|usually unplugged
|-
| AP
| <code><s>dragon-k22-1</s></code> ?
| <s>192.168.178.202</s> 192.168.178.217
| K22-1-4 piano room
| Archer C5 v1.2
|Timber installed the "normal" firmware, now it has a separate wifi (see [https://chat.kanthaus.online/kanthaus/pl/px368istkib7xdf4ekae76oqze Mattermost])
|-
| AP
| <code>dragon-k22-2</code>
| 192.168.178.203
| K22-2 hallway
| Archer C5 v1.2
|maybe overloaded
|-
| <s>AP</s>
| <code><s>dragon-k20-outside</s></code>
| <s>192.168.178.205</s>
| <s>K20-0-2 window</s>
| <s>Archer C5 v1.2</s>
| broken?
|-
| Managed Switch
| k20 firewall switch
| 192.168.178.9
| K20-B rack
| TL-SG108E
|
|-
| Managed Switch
| k22 trunk switch
| 192.168.178.10
| K22-B stairs
| GS108E v3
|
|-
| Switch
| k20 trunk switch
| -
| K20-B Rack
|
| provides PoE for some AP’s in K20
|-
| Server
| <code>kanthaus-server</code>
| 192.168.*.2
| K20-0 hallway
| Server, i5-2500K, 16GB Ram
| file storage, nextcloud, foodsharing gitlab CI Server, housebus logging & time/sunset provider (see [https://git.kanthaus.online/kanthaus/kanthaus-server-services/ Repo])
|-
| Main water meter reader
| <code>mainwatermeter</code>
| 192.168.5.37
| K20 basement (former heating room)
| ESP32-CAM
| see [[./water.html|Water usage tracking]]
|-
| Warm water meter reader
| <code>warmwatermeter</code>
| 192.168.5.38
| K20 basement (rainwater room)
| ESP32-CAM
| see [[./water.html|Water usage tracking]]
|-
| Ventilation watcher
| <code>ventilation</code>
| 192.168.5.39
| K20 attic
| ESP32-WROOM
| see [https://git.kanthaus.online/kanthaus/ventilation-watcher docs]
|-
| K20 door
| <code>k20-door</code>
| 192.168.5.40
| K20 hallway
| ESP32-CAM
| see [https://git.kanthaus.online/kanthaus/door-esp32 docs]
|}

== Firewall / Router ==

Central point of all subnets, routes between them

* runs OPNSense
* due to lack of ports on firewall, a VLAN switch added, bound to the firewall, also connecting to the fritz!box
* Features:
** VPN client
** DNS Server
** DHCP Server

== Access Points ==

* see Device list
* so far all Archer C5 v1.2
* centrally configured by OpenWISP: https://openwisp.im.kanthaus.online (only reachable inside the <code>ADMIN</code> net)
* starting point for other ethernet cables on that floor
* in K20 all powered by PoE (802.3af) from the switch in the basement

== Printer (Canon C2025i) ==

* Printer is in its own subnet together with the kanthaus-server
* On the kanthaus-server, there is ''CUPS'' running with printer sharing and auto discovery in the networks via avahi-daemon
* In <code>RESTRICTED</code> and <code>UNSECURE</code> the printer is also reachable directly via 192.168.4.153:9100

== kanthaus-server ==

* Most of the services are running inside a docker-compose setup
** Repo: https://git.kanthaus.online/kanthaus/kanthaus-server-services
** in <code>/opt/kh-services</code>
** checking state: <code>docker-compose ps</code>
** starting everything: <code>docker-compose up -d</code>
** logs: <code>docker-compose logs -f --tail=20</code>
* BTRFS raid for HDD’s under <code>/data</code>

== Random notes ==

=== Building customized OpenWRT for Archer C5 ===
<pre>
ssh kanthaus-server
sudo -iu openwrt-builder
cd openwrt
make
ls -l bin/targets/ath79/generic/
</pre>

==== included changes ====
* root password
* default IP <code>192.168.178.200</code> in ADMIN range
* switch: all ports in ADMIN net
* disabled DNS rebind protection
* wireless interface names
* additional packages
** openwisp-config
** prometheus-node-exporter-lu
** luci-ssl (for https)
** ebtables (for [https://blog.matthias-larisch.de/openwrt_client_isolation/ effective client isolation])
** tcpdump (for easier debugging)

=== Upgrading customized OpenWRT ===

Documentation: https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem
ssh kanthaus-server
sudo -iu openwrt-builder
cd openwrt
git pull
git checkout v23.05.2
Edit <code>feeds.conf</code> to change the branch for each feed to the new version, e.g. <code>...;openwrt-23.05</code>
./scripts/feeds update -a
./scripts/feeds install -a
make -j4 defconfig download clean world
ls -l bin/targets/ath79/generic/
Errors during <code>make world</code> are to be expected, usually the set of default packages changed and dependency conflicts are happening. Investigate generated the <code>.config</code> file and compare with the official ones at https://downloads.openwrt.org/releases/23.05.2/targets/ath79/generic/config.buildinfo

=== How to update OPNsense ===

There is a short downtime involved during the two reboots, usually 2 minutes each.

# Join the <code>kanthaus-admin</code> wifi network and log in to 192.168.178.1 (user <code>root</code>, password in keepass). Export the configuration to make a backup.
# Check if updates are available (System->Firmware->Updates)
# In case of minor updates, just use the button to perform
# If there is a major update (2x per year), download the newest version from https://opnsense.org/download/, unzip and flash to any USB stick
# Take a VGA monitor, a USB keyboard and the USB stick to the K20 basement big room, open the rack box and connect the devices to the small computer (HP)
# Log in with the USB keyboard (same credentials as above) and trigger a reboot. It should now boot from the USB stick.
# Press any key when it prompts to run the “Importer”. Now it will boot up a live environment and read the configuration file. If successful, network services should run as before.
# If all looks good, it’s time to install to disk. Run <code>opnsense-installer</code> from the shell (either on local keyboard or via ssh), choose ZFS and let the installer do its job.
# Remove the USB stick and reboot again.
# Check if the system came up good.
# Perform any last updates from the web UI.
# Delete the configuration backup again, it can contain secrets.

=== Pitfalls ===

* We use 802.1q VLAN tagging. All switches everywhere need to have at least passive passthrough support, otherwise the Vlans disappear at that switch. I don’t know of any gigabit switch that does not support this.
* Again Vlan: Managed switches normally need to have all VLANs that should be forwarded (also tagged -> tagged forward) defined in them.
* Again Vlan: Some Access Points like WDR841 v7/v8 cannot handle tagged and untagged vlan on the same port at the same time. So far, we don’t have any equipment like that and likely we will never have, but just to know…
* Again Vlan: fritz boxes have their switch in managed vlan mode and don’t forward any tagged vlan

User:Timber1/PrivacyProposal

2025-07-01T08:58:51Z

Timber1: Link note

Moved to a [https://cloud.kanthaus.online/f/922122 private note].

User:Timber1

2025-06-30T14:47:54Z

Timber1: Create page

I'm Timber, I'm a member of Kanthaus.

Mattermost

2025-05-27T19:10:57Z

Timber1: /* Creating a personal account */

👪️ We use Mattermost to organize ourselves, at https://chat.kanthaus.online/

== Creating a personal account ==
You can get an account by asking someone with admin privileges, e.g. a member.

== Channels ==
Our main channel is <code>#kanthaus</code>. Many channels we use have been historically prefixed by <code>#kanthaus-</code> because they were in a Slack instance shared with other people.

Some of those channels are private, because they contain private or sensitive information. Those are reserved to Volunteers and Members.

== Known issues ==

This lists the issues we have encountered when switching from Slack to Mattermost:
* No email integration. We have built the [https://codeberg.org/mailmirror/mailmirror MailMirror plugin] for that, which could still be [https://codeberg.org/mailmirror/mailmirror/issues improved in many ways]
* No support for reminders of events (for instance stored in an ICS file)
* Not possible to fully rename the "Town Square" channel (the id will stay `~town-square`)
[[Category:Digital]]
[[Category:Social]]

Rat trap

2025-04-30T18:37:58Z

Timber1: Create the rat trap page

[[Category:Technical]]
We have a somewhat elaborate rat trap in the basement. The code is in [https://git.kanthaus.online/timber/rattrap git].
[[File:Freeing.png|alt=The rat is leaving the trap in the wild|thumb|The rat leaving the trap in the wild.|none]]

== Operating the trap ==

=== Setting it up ===
To set up the trap, first make sure all cables are connected properly and the two light sensors sit well on the holes in the case. Open the gate and put bait at the very end of the inside of the trap. Put the slit of the gate on the arm of the motor, so that the arm can move freely when retreating to close the gate (the arm will move in the direction where it takes the least amount of distance to close the gate). Put the second magnet under the trap, exactly under the position the magnet of the gate will be when the gate is closed. Plug everything in.

If the trap is within [[Wifi|WiFi]] range (of kanthaus-gast) and nothing is broken, a message should be sent to the [[Mattermost]] channel [https://chat.kanthaus.online/kanthaus/channels/rat-trap Rat Trap].

=== Catching the rodent ===
When something caused the trap to close (e.g. a rat), again a message is sent on Mattermost. Also you can observe that it went off by the closed gate. Note that sometimes other things / people cause the gate to close without it going off; sometimes the trap also thinks there was something without that being the case.

=== Freeing the rodent ===
It's a tricky question where to put the rat. The problem is that we don't want it coming back, but we also don't want to kill it. For it not to come back, it should be safe to bring it about 3km away. For it not to die it needs it's family though; so for it to find its way back it should not be brought away more than 100m. So far we made the decision in favor of the rat not coming back.

To '''open the trap''', first remove the magnet from under the trap, by sliding it to the front. Not doing this will likely break the gate. Then you can pull the gate up. Be careful not to get bitten by the rat!

Afterwards you can clean the trap and set it up again following the steps from the ''Setting it up'' section. Make sure not to damage the electronics when cleaning the trap!

File:Freeing.png

2025-04-30T18:22:29Z

Timber1:

The rat leaving the trap in the wild

Bread

2025-03-06T22:24:56Z

Timber1: Clarify that the bread machine is just one way to create bread

We eat a lot of bread in Kanthaus.

== Where to find bread ==
Unfrozen bread is typically stored in the [[Snack kitchen]], in the box under the bread cutting board. Frozen bread is in one of the [[Freezer|freezers]].

== Obtaining new bread ==
There are two main options for obtaining new bread: [[Saving food|Saving]] (either dumpster diving or foodsharing) or making it yourself, e.g. with the help of the [[Bread machine]].

Bread machine

2025-03-06T22:24:08Z

Timber1: Link other pages

This page is about the [https://manuall.de/ambiano-bm21-08631-brotbackautomat/ Aldi Ambiano Brotbackautomat], which is (currently) the main machine used for making [[bread]].

== Recipe ==
The most tested recipe is the ''Brot-Grundrezept'', so basic bread recipe. For this we use (slightly different to the original recipe):

* 320ml water (= 320g)
* 4tbs oil (= 52g, typically sunflower seed oil)
* 2tsp salt (= 12g)
* 2.5tbs sugar (= 35g)
* 500g flour (typically a mixture of 405 and non-405 wheat flour)
* 1.75tsp yeast (= 5.25g)

== Device operation ==

* Remove the bread container (number 1 in the manual) from the machine
* Make sure the dough hook (number 2 in the manual) is inserted correctly in the bread container
* Put the ingredients in the bread container, using a scale if necessary. For measuring tsp / tbs we have a special spoon in the [[Kitchen|main kitchen]] (number 5 in the manual). Make sure the yeast is not getting wet in case you later increase the time
* Insert the bread container in the machine. You will need to insert it a bit diagonally and then twist it until it locks in
* Close the lid
* Plug in the bread machine
* The display should display a 1 to the left of the estimated time, indicating the first program (''GRUNDPROGRAMM''). If this is not the program you want, push the ''MENÜ'' button (number 14 in the manual) repeatedly. If you follow the basic recipe, leave it at 1
* Push the ''GEWICHT'' button (number 13 in the manual) until the little arrow points at ''1000g''
* Push the ''BRÄUNUNGSGRAD'' button (number 9 in the manual) until the little arrow points at ''DUNKEL''
* ''Optional'': If you want the device to be done later, e.g. because you want it to utilize solar energy and still be done at 7am in the morning, push the time button (number 12 / 11 in the manual) repeatedly until the time displayed is to your liking. The time displayed is the time the machine takes until the machine is done
* Wait until the time has passed and the machine is done
* Take out the bread container. Try not to burn your hands: It's very hot!
* Flip the bread container onto a plate, kicking the bread out of it
* Carefully remove the hook from the bread, utilizing a knife and/or another hook (number 6 in the manual)
* Let the bread cool down for some time
* Eat the bread

Bread machine

2025-03-06T22:22:02Z

Timber1: Create bread machine page

This page is about the [https://manuall.de/ambiano-bm21-08631-brotbackautomat/ Aldi Ambiano Brotbackautomat], which is (currently) the main machine used for making bread.

== Recipe ==
The most tested recipe is the ''Brot-Grundrezept'', so basic bread recipe. For this we use (slightly different to the original recipe):

* 320ml water (= 320g)
* 4tbs oil (= 52g, typically sunflower seed oil)
* 2tsp salt (= 12g)
* 2.5tbs sugar (= 35g)
* 500g flour (typically a mixture of 405 and non-405 wheat flour)
* 1.75tsp yeast (= 5.25g)

== Device operation ==

* Remove the bread container (number 1 in the manual) from the machine
* Make sure the dough hook (number 2 in the manual) is inserted correctly in the bread container
* Put the ingredients in the bread container, using a scale if necessary. For measuring tsp / tbs we have a special spoon in the main kitchen (number 5 in the manual). Make sure the yeast is not getting wet in case you later increase the time
* Insert the bread container in the machine. You will need to insert it a bit diagonally and then twist it until it locks in
* Close the lid
* Plug in the bread machine
* The display should display a 1 to the left of the estimated time, indicating the first program (''GRUNDPROGRAMM''). If this is not the program you want, push the ''MENÜ'' button (number 14 in the manual) repeatedly. If you follow the basic recipe, leave it at 1
* Push the ''GEWICHT'' button (number 13 in the manual) until the little arrow points at ''1000g''
* Push the ''BRÄUNUNGSGRAD'' button (number 9 in the manual) until the little arrow points at ''DUNKEL''
* ''Optional'': If you want the device to be done later, e.g. because you want it to utilize solar energy and still be done at 7am in the morning, push the time button (number 12 / 11 in the manual) repeatedly until the time displayed is to your liking. The time displayed is the time the machine takes until the machine is done
* Wait until the time has passed and the machine is done
* Take out the bread container. Try not to burn your hands: It's very hot!
* Flip the bread container onto a plate, kicking the bread out of it
* Carefully remove the hook from the bread, utilizing a knife and/or another hook (number 6 in the manual)
* Let the bread cool down for some time
* Eat the bread

Bread

2025-03-06T21:57:35Z

Timber1: Create bread page

We eat a lot of bread in Kanthaus.

== Where to find bread ==
Unfrozen bread is typically stored in the [[Snack kitchen]], in the box under the bread cutting board. Frozen bread is in one of the [[Freezer|freezers]].

== Obtaining new bread ==
There are two main options for obtaining new bread: [[Saving food|Saving]] (either dumpster diving or foodsharing) or making it yourself, with the help of the [[Bread machine]].

Snack kitchen

2025-03-06T21:47:48Z

Timber1: Link bread article

🥖 The place to find quick snacks and drinks.

Space code: K20-1-1

== Purposes ==
* prepare [[bread]], oats, convenience food
* make tea or coffee
* [[Dish washing|use the dishwasher]]

== Specials ==
* the fridge

== 77mm jar norm ==
[[File:JarNorm.jpeg|thumb]]
We have standardized on the 77mm jar: the most commonly found wide-mouth jar in these parts. This makes finding jar-lid pairs much easier!

Exceptions are made for larger jars, since the 77mm jars have a maximum volume of ~750 mL. Such jars are stored with matching lids lightly screwed on.

== Files ==
<gallery>
File:Snack kitchen tea and coffee labels .svg
</gallery>
[[Category:Rooms]]

Server

2024-12-05T11:42:01Z

Timber1: Add section about Tor Relay

⭐️ We have a server running locally that provides a few services to residents as well as guests.

== File sharing services ==

The server provides the possibility to store and exchange data. Some services are publicly available (e.g. connecting with an anonymous user), for others you need a user account with some privileges. All file services are only available in the <code>full</code> [[Wifi|network]] and served via [[wikipedia:Samba_(software)|Samba]]. Use your computers file manager to browse the available network computers and locate the server as <code>KANTHAUS-SERVER</code>. If this doesn’t show up in your file manager or the link is broken, you can try entering <code>smb://kanthaus-server/</code> directly into your file managers address bar. This should work on most Linux environments.

=== Getting a user account ===
To get a user account, speak to an admin (e.g. Antonin or Tilmann). The admin will add you to the Ansible user configuration and ask you to set a temporary password using your account. You can change the password yourself, e.g. via <code>smbpasswd -r kanthaus-server -U yourusername</code>.

Actually, you have two passwords:

* System user account: Used for local access and SSH access. Change password using <code>passwd</code> when logged in
* Samba account: Used for accessing the samba network shares. Change password using command above remotely or using <code>smbpasswd</code> when logged in.

==== Kanthaus cloud copy ====
* The share <code>kanthaus-public</code> offers an anonymously usable read only copy of the public part of the kanthaus cloud.
* The share <code>cloud.kanthaus.online</code> offers a read only copy of the whole kanthaus cloud. You need to have a user with the permissions class <code>kanthaus</code>.

The cloud copy is synchronized from the Kanthaus cloud once every minute.

==== Internal cloud ====
The share <code>internalcloud</code> stores some data which should only be available from inside Kanthaus (e.g. financial data) and is only available to users with the permissions class <code>internal</code>. Please make sure to only put security sensitive stuff in here and also make sure to not leak your user credentials or the contents of this folder, when you have access to it.

This folder is part of the daily backup.

==== Home folder ====
Every user account also has their personal <code>home</code> folder available as the <code>homes</code> storage. All data you put here is only available to yourself. Inside the home folder, there is a directory called <code>storage</code>. This folder lies on an easily expandable, cheap hard-disk storage. It is slower to access but suitable to store lots of data (e.g. backups of your computer).

Your home folder is part of a daily backup. Please put files called <code>.nobackup</code> into folders that you don’t want to be backed up (e.g. to save storage space). The <code>storage</code> folder is '''not''' part of the backup, but the hard-disks have a raid configuration to tolerate the loss of one hard-disk.

== Shell access ==

When you have a user account, you can also use SSH to connect to the server and use it for computing tasks. To set an initial password, ask an admin. When you already have file sharing access, you can add your SSH public key to the <code>homes/.ssh/authorized_keys</code> and use that for logging in. Same as above: In your home directory there is a symlinked folder called <code>storage</code> which is on spinning disks, whereby the rest of your home folder is on limited SSD space.

== SFTP Access ==

You can use software like FileZilla to access your home folder through <code>sftp://kanthaus-server</code> providing your username. See the Shell Access section above for other details.

=== How to unlock the encrypted <code>kanthaus-server</code> via network ===
* be in <code>kh-admin</code>
* <code>ssh -p 2222 root@192.168.178.249</code>
** your key must be stored on the server in <code>/etc/dropbear-initramfs/authorized_keys</code> -> <code>update-initramfs -u</code>
** ED25519 key fingerprint: <code>SHA256:mvCVYx8D/Fv/qYq+a/H4MoRAcfExAUsAFW3L2NVHnD0</code>
* enter password (stored in keepass -> Server)

== System specs ==

* System is designed to save power but still have some computing resources.
* CPU: Intel Core i5-2500K (4x 3.3 GHz)
* Ram: 16 GB DDR3L
* SSD: 1 TB Samsung 860 Evo as root file system
* HDD: BTRFS pool with 2 disks. Current usable size 3 TB

== Backups ==

Backups are done using Borgmatic. The backup target is the local hard-disk storage, so it does not safe us against fire or theft of the computer. We might think about adding a remote backup as well.

== Tor Relay ==
We run a [https://metrics.torproject.org/rs.html#details/DB35C03124D5EC03BCFE2754078A48366133EE05 Tor middle/guard relay]. It was set up according to [https://community.torproject.org/relay/setup/guard/debian-ubuntu/ those instructions]. You can check its status with
sudo systemctl status tor@default
It (re)started successfully if the following line (with a different IP) appears in the journal (<code>sudo journalctl -xeu tor@default</code>):
Self-testing indicates your ORPort 84.184.31.103:9001 is reachable from the outside. Excellent. Publishing server descriptor.
However, you don't need to worry too much about it, since [https://chat.kanthaus.online/kanthaus/messages/@timber Timber] will get notified within 5 minutes of the Tor relay being down.

Also note that the Tor relay restarts every night something past 5 since our IP address changes around that time. This is expected behavior and nothing to worry about.

If you're very curious and want to see what happens on the server, you can check out <code>sudo nyx</code>, though be mindful to [https://community.torproject.org/relay/setup/post-install/ not share this data publicly], since it can endanger the anonymity of our users.

The keys of the relay lie in <code>/var/lib/tor/keys</code> and are included in <code>/opt/kh-services/configs/borgmatic.yml</code>, which ''should'' mean that they're being backed up.

== Other services ==

* Foodsharing Gitlab which CI runner (dockerized)
* House bus services
** local Web interface (dockerized)
** Logging daemon to externally hosted influxdb
* Virtual machines (kvm/libvirt)

Volunteer induction

2024-11-27T23:10:46Z

Timber1: Correct mattermost introductory message. Group names are prefixed with a ~ instead of # in mattermost. Some groups I don't know the name of, the prefix kanthaus- might have been removed.

🔰 This page lists knowledge and accesses we give to new [[Positions and evaluations|Volunteers]]. It is formatted as Markdown to make it easier to copy into a pad and tick boxes as the steps get done.

Evaluation facilitators don’t need to do all this work by themselves, they can share the pad with the group to spread the load.

<pre>### Immediately after evaluation
_to be done by the evaluation facilitator_
- [ ] invite to #kh_vol_and_mem and #kanthaus-mails
- [ ] invite to the Signal group
- [ ] send them the introductory message (see below)
- [ ] update the website (at https://git.kanthaus.online/kanthaus/kanthaus.online/src/branch/master/user/data/kanthausians.yaml)

### In the next days
- [ ] explain the hosting duties
- [ ] invite to Nextcloud (create their account at https://cloud.kanthaus.online/settings/users and add them to the "Kanthaus" group)
- [ ] show the cloud calendar and file system (see https://wiki.kanthaus.online/Nextcloud)
- [ ] show KeePassXC
- [ ] explain CoMe facilitation and mention git, CoMe script and records
- [ ] explain the email setup, offer access to hello@ and creation of personal kanthaus address (see https://wiki.kanthaus.online/Email)
- [ ] show the wiki (at https://wiki.kanthaus.online)
- [ ] explain the collective agreements changes with ukuvota
- [ ] share link collection
- [ ] give a door tag

### Eventually
- [ ] introduce to git with kanthaus.online to upload CoMe minutes
- [ ] introduce to git with kanthaus-private to update evaluation record

### By request or obvious interest
- [ ] show grafana (https://grafana.yunity.org)
- [ ] show the overview of kanthaus repositories on git (https://git.kanthaus.online)
- [ ] introduce to editing kanthaus.online
- [ ] introduce to editing the wiki
- [ ] introduce to any more complex house task (sysadmin, finances, you name it)</pre>
== Link collection ==

* https://kanthaus.online/public
* https://cloud.kanthaus.online
* https://handbook.kanthaus.online
* https://pad.kanthaus.online/groupHosting#
* https://git.kanthaus.online/
* https://premiumize.me

== Template for introductory message ==

<pre>Congratulations on becoming a Volunteer 🙂

(This message is copy-pasted from https://wiki.kanthaus.online/Volunteer_induction )

I have invited you to the private Mattermost channels
~vol_and_mem (the channel for volunteers and members only) and
~kanthaus-mails (where all mails to hello@kanthaus.online get forwarded to), but there are other channels you could be invited to if you wanted, mostly automatically fed ones like:

* ~kanthaus-konto-wawü that prints the charitable association's bank account activity
* ~kanthaus-konto-hkw that prints the house owner association's bank account activity
* ~residence that prints the results of the weekly script that is used for CoMe
* ~kanthaus-git that prints activity on kanthaus-private and kanthaus.online git repositories
* ~kanthaus-finances that is mainly (but rarely) used by the finances team

There also is a Signal group that serves as the only encrypted group communication for Kanthaus volunteers and members. I can add you there if you give me your phone number.</pre>
Feel free to point them to the pad where the other induction tasks are listed, so that they can prod other Volunteers and Members if they are interested in getting a specific access or knowledge.