Local changes before sync

server-backups/server_backup_20250628_171705/configs/.env

@@ -0,0 +1,70 @@
+# PostgreSQL-Datenbank
+POSTGRES_DB=meinedatenbank
+POSTGRES_USER=adminuser
+POSTGRES_PASSWORD=supergeheimespasswort
+
+# Admin-Panel Zugangsdaten
+ADMIN1_USERNAME=rac00n
+ADMIN1_PASSWORD=1248163264
+ADMIN2_USERNAME=w@rh@mm3r
+ADMIN2_PASSWORD=Warhammer123!
+
+# Lizenzserver API Key für Authentifizierung
+
+
+# Domains (können von der App ausgewertet werden, z. B. für Links oder CORS)
+API_DOMAIN=api-software-undso.intelsight.de
+ADMIN_PANEL_DOMAIN=admin-panel-undso.intelsight.de
+
+# ===================== OPTIONALE VARIABLEN =====================
+
+# JWT für API-Auth (WICHTIG: Für sichere Token-Verschlüsselung!)
+JWT_SECRET=xY9ZmK2pL7nQ4wF6jH8vB3tG5aZ1dE7fR9hT2kM4nP6qS8uW0xC3yA5bD7eF9gH2jK4
+
+# E-Mail Konfiguration (z. B. bei Ablaufwarnungen)
+# MAIL_SERVER=smtp.meinedomain.de
+# MAIL_PORT=587
+# MAIL_USERNAME=deinemail
+# MAIL_PASSWORD=geheim
+# MAIL_FROM=no-reply@meinedomain.de
+
+# Logging
+# LOG_LEVEL=info
+
+# Erlaubte CORS-Domains (für Web-Frontend)
+# ALLOWED_ORIGINS=https://admin.meinedomain.de
+
+# ===================== VERSION =====================
+
+# Serverseitig gepflegte aktuelle Software-Version
+# Diese wird vom Lizenzserver genutzt, um die Kundenversion zu vergleichen
+LATEST_CLIENT_VERSION=1.0.0
+
+# ===================== BACKUP KONFIGURATION =====================
+
+# E-Mail für Backup-Benachrichtigungen
+EMAIL_ENABLED=false
+
+# Backup-Verschlüsselung (optional, wird automatisch generiert wenn leer)
+# BACKUP_ENCRYPTION_KEY=
+
+# ===================== CAPTCHA KONFIGURATION =====================
+
+# Google reCAPTCHA v2 Keys (https://www.google.com/recaptcha/admin)
+# Für PoC-Phase auskommentiert - CAPTCHA wird übersprungen wenn Keys fehlen
+# RECAPTCHA_SITE_KEY=your-site-key-here
+# RECAPTCHA_SECRET_KEY=your-secret-key-here
+
+# ===================== MONITORING KONFIGURATION =====================
+
+# Grafana Admin Credentials
+GRAFANA_USER=admin
+GRAFANA_PASSWORD=admin
+
+# SMTP Settings for Alertmanager (optional)
+# SMTP_USERNAME=your-email@gmail.com
+# SMTP_PASSWORD=your-app-password
+
+# Webhook URLs for critical alerts (optional)
+# WEBHOOK_CRITICAL=https://your-webhook-url/critical
+# WEBHOOK_SECURITY=https://your-webhook-url/security

server-backups/server_backup_20250628_171705/configs/docker-compose.yaml

@@ -0,0 +1,164 @@
+services:
+  postgres:
+    build:
+      context: ../v2_postgres
+    container_name: db
+    restart: always
+    env_file: .env
+    environment:
+      POSTGRES_HOST: postgres
+      POSTGRES_INITDB_ARGS: '--encoding=UTF8 --locale=de_DE.UTF-8'
+      POSTGRES_COLLATE: 'de_DE.UTF-8'
+      POSTGRES_CTYPE: 'de_DE.UTF-8'
+      TZ: Europe/Berlin
+      PGTZ: Europe/Berlin
+    volumes:
+      # Persistente Speicherung der Datenbank auf dem Windows-Host
+      - postgres_data:/var/lib/postgresql/data
+      # Init-Skript für Tabellen
+      - ../v2_adminpanel/init.sql:/docker-entrypoint-initdb.d/init.sql
+    networks:
+      - internal_net
+    deploy:
+      resources:
+        limits:
+          cpus: '2'
+          memory: 4g
+
+  license-server:
+    build:
+      context: ../v2_lizenzserver
+    container_name: license-server
+    restart: always
+    # Port-Mapping entfernt - nur noch über Nginx erreichbar
+    env_file: .env
+    environment:
+      TZ: Europe/Berlin
+    depends_on:
+      - postgres
+    networks:
+      - internal_net
+    deploy:
+      resources:
+        limits:
+          cpus: '2'
+          memory: 4g
+
+  # auth-service:
+  #   build:
+  #     context: ../lizenzserver/services/auth
+  #   container_name: auth-service
+  #   restart: always
+  #   # Port 5001 - nur intern erreichbar
+  #   env_file: .env
+  #   environment:
+  #     TZ: Europe/Berlin
+  #     DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/v2_adminpanel
+  #     REDIS_URL: redis://redis:6379/1
+  #     JWT_SECRET: ${JWT_SECRET}
+  #     FLASK_ENV: production
+  #   depends_on:
+  #     - postgres
+  #     - redis
+  #   networks:
+  #     - internal_net
+  #   deploy:
+  #     resources:
+  #       limits:
+  #         cpus: '1'
+  #         memory: 1g
+
+  # analytics-service:
+  #   build:
+  #     context: ../lizenzserver/services/analytics
+  #   container_name: analytics-service
+  #   restart: always
+  #   # Port 5003 - nur intern erreichbar
+  #   env_file: .env
+  #   environment:
+  #     TZ: Europe/Berlin
+  #     DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/v2_adminpanel
+  #     REDIS_URL: redis://redis:6379/2
+  #     JWT_SECRET: ${JWT_SECRET}
+  #     FLASK_ENV: production
+  #   depends_on:
+  #     - postgres
+  #     - redis
+  #     - rabbitmq
+  #   networks:
+  #     - internal_net
+  #   deploy:
+  #     resources:
+  #       limits:
+  #         cpus: '1'
+  #         memory: 2g
+
+  # admin-api-service:
+  #   build:
+  #     context: ../lizenzserver/services/admin_api
+  #   container_name: admin-api-service
+  #   restart: always
+  #   # Port 5004 - nur intern erreichbar
+  #   env_file: .env
+  #   environment:
+  #     TZ: Europe/Berlin
+  #     DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/v2_adminpanel
+  #     REDIS_URL: redis://redis:6379/3
+  #     JWT_SECRET: ${JWT_SECRET}
+  #     FLASK_ENV: production
+  #   depends_on:
+  #     - postgres
+  #     - redis
+  #     - rabbitmq
+  #   networks:
+  #     - internal_net
+  #   deploy:
+  #     resources:
+  #       limits:
+  #         cpus: '1'
+  #         memory: 2g
+
+  admin-panel:
+    build:
+      context: ../v2_adminpanel
+    container_name: admin-panel
+    restart: always
+    # Port-Mapping entfernt - nur über nginx erreichbar
+    env_file: .env
+    environment:
+      TZ: Europe/Berlin
+    depends_on:
+      - postgres
+    networks:
+      - internal_net
+    volumes:
+      # Backup-Verzeichnis
+      - ../backups:/app/backups
+    deploy:
+      resources:
+        limits:
+          cpus: '2'
+          memory: 4g
+
+  nginx:
+    build:
+      context: ../v2_nginx
+    container_name: nginx-proxy
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+    environment:
+      TZ: Europe/Berlin
+    depends_on:
+      - admin-panel
+      - license-server
+    networks:
+      - internal_net
+
+networks:
+  internal_net:
+    driver: bridge
+
+volumes:
+  postgres_data:

server-backups/server_backup_20250628_171705/configs/nginx.conf

@@ -0,0 +1,122 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    # Enable nginx status page for monitoring
+    server {
+        listen 8080;
+        server_name localhost;
+        
+        location /nginx_status {
+            stub_status on;
+            access_log off;
+            allow 127.0.0.1;
+            allow 172.16.0.0/12;  # Docker networks
+            deny all;
+        }
+    }
+    # Moderne SSL-Einstellungen für maximale Sicherheit
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+    
+    # SSL Session Einstellungen
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+    
+    # OCSP Stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+    
+    # DH parameters für Perfect Forward Secrecy
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    # Admin Panel
+    server {
+        listen 80;
+        server_name admin-panel-undso.intelsight.de;
+        
+        # Redirect HTTP to HTTPS
+        return 301 https://$server_name$request_uri;
+    }
+
+    server {
+        listen 443 ssl;
+        server_name admin-panel-undso.intelsight.de;
+
+        # SSL-Zertifikate (echte Zertifikate)
+        ssl_certificate /etc/nginx/ssl/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+        # Security Headers
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+        # Proxy-Einstellungen
+        location / {
+            proxy_pass http://admin-panel:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            # WebSocket support (falls benötigt)
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+        
+        # Auth Service API (internal only) - temporarily disabled
+        # location /api/v1/auth/ {
+        #     proxy_pass http://auth-service:5001/api/v1/auth/;
+        #     proxy_set_header Host $host;
+        #     proxy_set_header X-Real-IP $remote_addr;
+        #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        #     proxy_set_header X-Forwarded-Proto $scheme;
+        #     proxy_set_header Authorization $http_authorization;
+        # }
+    }
+
+    # API Server (für später)
+    server {
+        listen 80;
+        server_name api-software-undso.intelsight.de;
+        
+        return 301 https://$server_name$request_uri;
+    }
+
+    server {
+        listen 443 ssl;
+        server_name api-software-undso.intelsight.de;
+
+        ssl_certificate /etc/nginx/ssl/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+        # Security Headers
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+        location / {
+            proxy_pass http://license-server:8443;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            # WebSocket support (falls benötigt)
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+    }
+}

server-backups/server_backup_20250628_171705/configs/ssl/.gitignore

@@ -0,0 +1,10 @@
+# Ignore all SSL certificates
+*.pem
+*.crt
+*.key
+*.p12
+*.pfx
+
+# But keep the README
+!README.md
+!.gitignore

server-backups/server_backup_20250628_171705/configs/ssl/README.md

@@ -0,0 +1,29 @@
+# SSL Certificate Directory
+
+This directory should contain the following files for SSL to work:
+
+1. **fullchain.pem** - The full certificate chain
+2. **privkey.pem** - The private key (keep this secure!)
+3. **dhparam.pem** - Diffie-Hellman parameters for enhanced security
+
+## For intelsight.de deployment:
+
+Copy your SSL certificates here:
+```bash
+cp /path/to/fullchain.pem ./
+cp /path/to/privkey.pem ./
+```
+
+Generate dhparam.pem if not exists:
+```bash
+openssl dhparam -out dhparam.pem 2048
+```
+
+## File Permissions:
+```bash
+chmod 644 fullchain.pem
+chmod 600 privkey.pem
+chmod 644 dhparam.pem
+```
+
+**IMPORTANT**: Never commit actual SSL certificates to the repository!