Compare commits


10 Commits

7 changed files with 806 additions and 252 deletions


@@ -0,0 +1,57 @@
# Mechanischer Zähler
## Anforderungen
Anforderungen für den mechanische Zähler:
1. Maximale Breite 82 mm, wenn Höhe und Tiefe kleiner sind
2. 3-stellig oder 4-stellig oder 5-stellig; je weniger Stellen, umso besser
3. Reset mit einem Knopfdruck (an einem Drehknopf so lange drehen, bis 0 erscheint, ist inakzeptabel)
4. Für mechanische Befestigung, z.B. in einer Maschine
5. Lieferzeit nach Deutschland maximal eine Woche
6. Gesamtpreis mit Lieferkosten maximal 25 Euro
## Amazon
Ich habe Amazon prime und kaufe gern bei Amazon.
## Beispiel 1
Hier ist Beispiel 1, was alle Anforderungen bis auf 3. erfüllt:
https://www.amazon.de/Mechanischer-Ballenz%C3%A4hler-Ballenpresse-R%C3%BCcksetzbarer-Handzug-Z%C3%A4hler/dp/B0CCHVCFT2/ref=pd_lpo_d_sccl_3/262-0148432-6918821?psc=1
## Deine Aufgabe
- Stelle mir zwischen zwei und fünf Fragen, um die Situation und deine Aufgaben vollständig zu verstehen.
- Suche in Online-Shops nach mechanischen Zählern, die alle Anforderungen erfüllen, lege sie in den Warenkorb und merke dir die URL der Produkt-Webseite.
- Sobald du mindestens fünf Zähler gefunden und in Warenkörbe gelegt hast, erstelle eine Ergebnisliste, die für jeden Zähler diese Angaben enthält:
- Produktfoto
- Produktbezeichnung
- Gesamtpreis inklusive Lieferkosten
- Lieferzeit
- Gültige URL zur Produktseite des Online-Shops
- Weil bei früheren Ergebnissen dieser Art oft die URLs nicht funktioniert haben, überprüfe alle URLs der Ergebnisliste. Ersetze jede nicht funktionierende URL durch die korrekte, funktionierende URL für das Produkt.
1. Reset-Mechanismus: Anforderung 3 besagt, dass ein Reset per Knopfdruck möglich sein muss. Ist ein seitlicher Druckknopf (Push-Button) am Zähler akzeptabel, oder bevorzugen Sie eine bestimmte Art von Reset (z.B. Hebel, separater Knopf an der Front)?
2. Zählrichtung und Auslösung: Soll der Zähler mechanisch ausgelöst werden (z.B. durch einen Hebel/Stempel, der bei jedem Zählvorgang gedrückt wird), oder sind auch elektrisch betätigte mechanische Zähler akzeptabel?
3. Befestigung: Welche Art von mechanischer Befestigung ist gewünscht? Zum Beispiel Frontplatteneinbau (mit Muttern), Schraubbefestigung von hinten, oder eine andere Montageart?
4. Stückzahl: Wie viele Zähler benötigen Sie? Das beeinflusst, ob Versandkosten auf ein oder mehrere Stücke verteilt werden.
5. Zählbereich: Gibt es Anforderungen an den maximalen Zählwert (z.B. mindestens bis 999 oder bis 9999), oder reicht ein Standard-Zählbereich?
Zu 1.: Alle Arten eines Druckknopfs oder Hebels sind OK.
Zu 2.: Der Zähler soll mechanisch ausgelöst werden (z.B. durch einen Hebel).
Zu 3.: Befestigung zum Aufschrauben auf eine Platte. Kein Frontplatteneinbau erforderlich.
Zu 4.: 1 Stück.
Zu 5.: Keine Anforderungen an den maximalen Zählwert.
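Review bot: the numbered questions ("1. Reset-Mechanismus" to "5. Zählbereich") and the "Zu 1." to "Zu 5." answers are appended directly under the "## Deine Aufgabe" task list with no heading or separator, so a reader, or an agent re-reading this file as a prompt, cannot tell where the instructions end and the recorded question-and-answer exchange begins; give them their own headings (for example "## Fragen" and "## Antworten") or separate them with "---" as the other prompt files in this change do. The five sub-items of the Ergebnisliste (Produktfoto through Gültige URL) sit at the same list level as the task bullets and should be indented under the "Sobald du mindestens fünf Zähler ..." item. Minor: "für den mechanische Zähler" should read "für den mechanischen Zähler".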

Circuit_Simulations.md Normal file

@@ -0,0 +1,50 @@
# Analog circuit simulation: V_BAT change amplifier
## Parts
The circuit parts:
- PNP Transistor T1: BC557C
- Zener diode D1: BZX85/5.6
- Resistor R_Z: 1 Kohms
- Resistor R_E: 240 Ohms
- Resistor R_C: 1 Kohms
## Schematic
The schematic:
- Node V_BAT (battery voltage) connected to R_Z, R_E
- Node GND (ground, 0 V) connected to D1 anode, R_C
- Node V_OUT connected to R_C, T1 collector
- T1 collector connected to V_OUT, R_C
- T1 base connected to D1 cathode, R_Z
- T1 emitter connected to R_E
- R_2 connected to V_BAT, T1 base
- D1 anode connected to GND
- D1 cathode connected to R_Z, T1 base
- R_E connected to T1 emitter, V_BAT
- R_C connected to V_OUT, GND
## Simulation
The simulation is a DC simulation which takes the analog behavior of
the circuit parts into account. Use the Ebers-Moll model for T1 and
a model which accurately calculates the zener behavior of D1.
Sweep V_BAT from 5.8 V to 7.8 V in 0.1 V steps.
Simulate T1 base current, T1 collector current, T1 power dissipation,
D1 current, V_OUT voltage.
## Your tasks
First use your ask user questions tool to fully understand the requirements
and your tasks.
Then get the models for T1 and D1.
Afterwards create a Jupyter notebook which runs the circuit simulation and
displays the simulated values in graphs.
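Review bot: the schematic line "R_2 connected to V_BAT, T1 base" names a part that does not exist in the parts list; the base node line ("T1 base connected to D1 cathode, R_Z") and the D1 cathode line both identify this resistor as R_Z, so rename it, otherwise a netlist built from these lines has a dangling resistor and an unconnected R_Z. The schematic also states every connection twice, once per node and once per part, which works as a cross-check but means each future edit has to be made in two places; keeping only the per-part list would be enough. Minor: "1 Kohms" is better written "1 kOhm" to match "240 Ohms".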

Kischdle_server-setup.md Normal file

@@ -0,0 +1,64 @@
# Kischdle setup for microservices
## Motivation
This introduces the product "Kischdle" and the basic Kischdle server setup
to you so that you can store the information to the corresponding files in
the Claude environment. This empowers you to generate content for Kischdle
in the future when Kischdle topics come up.
## Product "Kischdle"
The product "Kischdle" is in the early proof-of-concept implementation phase.
A Kischdle is an on-premise system with server hardware
including a local AI GPU and a suite of software apps optimized for
small and medium sized enterprises.
## Basic server setup
### Hardware
The server hardware used for the proof-of-concept implementation:
- GPU: NVIDIA RTX5070Ti 16GB VRAM
- CPU: AMD Ryzen 9 9900X (12x 4.4GHz / 5.6GHz Turbo)
- Mainboard: MSI PRO X870-P Wifi, PCIe 5.0 x16
- System RAM: 64GB (2x32GB) DDR5 AMD/Intel 6000MHz Kingston Fury Beast CL30
- NVMEs: Two devices in Software RAID-1, 2TB SAMSUNG 990 PRO 2TB M.2 PCIe 4.0 x4 NVME (Read 7450MB/s ; Write 6900MB/s)
### OS
The OS is Debian Linux version 12 (Bookworm).
### Microservices
The software apps are running separated from each other and from the system
level. Software apps of each area is running in a rootless Podman Pod by
a dedicated user. The currently existing users, area and apps are:
- 'trf': Routes ingress and egress traffic; Traefik
- 'wbg': Provides a Web GUI for AI; Open WebUI
- 'llm': Provides AI LLM services internally; PyTorch and custom app
- 'pln': Provides planning services; AFFiNE
Some others exist but are not relevant. Others will be added as
implementation proceeds; e.g., crm for CRM and dms for DMS.
Each microservice is started by executing shell scripts which generate
the Podman Pod and start a systemd service.
It is important that you know how the shell scripts are structured
and which naming is used - creating shell scripts for coming microservices
will be one of your future tasks.
Please examine these three examples of such shell scripts:
@~/tmp/create_pod_openwebui.sh
@~/tmp/create_pod_affine.sh
@~/tmp/create_pod_traefik.sh
## Your tasks
1. Use your your ask user questions tool to completely understand the
situation, the basic server setup and the shell script structure.
2. Ask me before proceeding with task 3.
3. Store the knowledge which you gained in this session to the
appropriate Claude files.
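Review bot: the three example scripts are referenced at @~/tmp/create_pod_openwebui.sh, @~/tmp/create_pod_affine.sh and @~/tmp/create_pod_traefik.sh; a tmp directory is not a stable home for the reference scripts that this file asks the agent to memorise and reproduce later, so point at their canonical location under each service user's bin directory instead (the AFFiNE prompt in this same change puts create_pod_affine.sh in /home/pln/bin). Since the per-user rootless Pods are the isolation boundary described under "### Microservices", the file should also say explicitly that each script is owned and executed by its own service user, so future scripts are not created or run as root. Minor: "Use your your ask user questions tool" has a duplicated word, and "Software apps of each area is running" should read "are running".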

Licenses.md Normal file

@@ -0,0 +1,40 @@
# AFFiNE license
## Motivation
Find out which are the FOSS parts of AFFiNE and whether a self-hosted
AFFiNE service can be used and modified without license costs.
## GitHub licenses
In GitHub two license pages exist:
- [License](https://github.com/toeverything/AFFiNE?tab=License-1-ov-file)
- [MIT license](https://github.com/toeverything/AFFiNE?tab=MIT-2-ov-file)
It seems that AFFiNE is not completely FOSS but only some parts of it.
It is not very straight forward which parts are FOSS.
## Your tasks
### FOSS parts of AFFiNE
Find out which are the FOSS parts of AFFiNE and which parts are not FOSS.
Explain it in an easy to understand description.
### Self-hosted AFFiNE service free of costs?
Determine whether a self-hosted AFFiNE service can be used free
of license costs
and which conditions have to be met so that it is free.
The attached shell script creates a Podman Pod which
runs an AFFiNE service. Check whether this service is free of license costs.
### AFFiNE modifications allowed?
Find out whether modifications of AFFiNE for running a
self-hosted AFFiNE-like service are allowed.
Concrete Use-Case: Place a Man-in-the-Middle software between the
AFFiNE Web-GUI and the AFFiNE database which adds functionality.
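Review bot: "The attached shell script" in the self-hosted section does not identify the script; the other prompt files in this change reference files by path (for example @~/tmp/create_pod_affine.sh), so do the same here. In the modifications section, "Man-in-the-Middle software between the AFFiNE Web-GUI and the AFFiNE database" should state whether the intermediary changes AFFiNE's own code or only sits between the two components and talks to the database and GraphQL API from outside, because the two license tabs linked above (the "License" page and the "MIT license" page) cover different parts of the project and the answer to "modifications allowed?" depends on which part is touched. Minor: "straight forward" should be "straightforward".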


@@ -108,316 +108,406 @@ Change the SSL certificate setup so that future renewals will work.
If not already done by completing the task before, repair the SSL connection so that "kipurchat.creature-go.com" can be used again. If not already done by completing the task before, repair the SSL connection so that "kipurchat.creature-go.com" can be used again.
---
# Podman shell script for AFFiNE service
## Motivation
A Podman Pod is needed on a Linux server which provides an AFFiNE service.
This Podman Pod needs to be created and started with a shell script which needs to be designed.
The AFFiNE service will be used by humans and by AI agents; it will also be part of a design environment for designing a special MCP server for AFFiNE.
## Shell script requirements
Requirements for the shell script:
- Must use a container image with a Pinned Tag (for exact consistency) which points to the AFFiNE version 0.26.3. The name likely is something like "ghcr.io/toeverything/affine:0.26.3".
- Must provide the AFFiNE web user interface at port 8092.
- Must provide the GraphQL API. Background: The AFFiNE web and desktop apps use an internal GraphQL API to communicate with the backend. There is a /graphql endpoint but it is not documented for third-party use.
- Must be in folder /home/pln/bin.
- Must have the name create_pod_affine.sh
The shell script shall be run by user pln which has permissions to run rootless pods.
## Shell script style
The needed shell script must have the same style as other shell scripts on the server.
These files are examples:
/home/lwc/bin/create_pod_langflow.sh
/home/krt/bin/create_pod_qdrant.sh
## Your tasks
### Ask first
Before starting to design the shell script, ask between two and five questions to fully understand the situation, your tasks and the objectives.
### Identify the container image
Find the container image with Pinned Tag pointing to AFFiNE version 0.26.3.
### Write the shell script
Write the shell script.
### Test the shell script
Run the shell script and test it.
### Redesign if necessary
If the test failed, understand the problem, improve the shell script and go back to Test the shell script.
Repeat this in a loop up to five times.
## Your objectives
Your objectives are:
- All requirements are fulfilled.
- AFFiNE web user interface shows up at 127.0.0.1:8092.
- The AFFiNE GraphQL API shows up under 127.0.0.1:8092 at /graphql or another link.
## Your behaviour
If it is not possible to achieve your objectives, interrupt and ask me.
Complete all your tasks without asking in between if you can achieve your objectives.
---
# New Traefik route
## Motivation
A new service runs on the server and needs to be provided to the internet by installing a new Traefik route.
## Traefik service
Traefik runs as a systemd service in a Podman Pod.
To end the service and Pod, run `/home/trf/bin/remove_pod_systemd_services.sh`.
To start the Pod and the service, run `create_pod_traefik.sh`.
## Traefik configuration
The Traefik configuration directory is `/home/trf/.local/share/traefik/`.
The main configuration file is `/home/trf/.local/share/traefik/traefik.yml`.
In the directory `/home/trf/.local/share/traefik/dynamic` are the .yml files for the individual routings.
## New service
The new service for which the new Traefik route is needed:
- Name is "affine"
- Provided at 127.0.0.1:8092
## Your tasks
Your tasks are:
- Ask questions if necessary to understand the situation and the tasks below.
- Create the necessary file in `/home/trf/.local/share/traefik/dynamic`.
- Update `/home/trf/.local/share/traefik/traefik.yml`.
## Updates ---
Okay, updates were done long ago because this is just an experimental server. # Apache reverse proxy forwarding to another host
Good idea to run updates first.
I am running Terminal commands as root and I prefer "apt" instead of "apt-get". ## Setup
Snap is not acceptable and will not be installed on the server.
Both Debian linux and Virtualmin are outdated. Which one to update first? The setup comprises two servers which are connected via WireGuard.
Please provide the Terminal commands again taking into account these preferences. ### Linux server sv005.destengs.com
- In a data center
- Managed using Virtualmin
- Two Virtual Servers:
- kipurchat.creature-go.com
- affine.creature-go.com
- Uses Apache reverse proxy
- WireGuard IP address 10.8.0.1
### Linux server DesTEngSsv006
- Local server
- Uses Traefik to route ingest traffic to microservices
- WireGuard IP address 10.8.0.6
- Provides the AFFiNE microservice
- Internal at 127.0.0.1:8092
## Previous problems
In the past I often faced problems with the Apache directives.
### SSL certificate renewal failed
The Virtual Server kipurchat.creature-go.com was set up using Virtualmin some monthes ago. Then a forward was installed which routed the traffic of kipurchat.creature-go.com from sv005.destengs.com to DesTEngSsv006. When the automated SSL certificate renewal was triggered the renewal failed. The Apache directives file needed to be fixed so that the ACME check could succeed.
## Assistance for affine.creature-go.com forwarding
I just created the Virtual Server affine.creature-go.com . https://affine.creature-go.com/ works, has a valid SSL certificate and shows the expected Virtualmin Welcome-Page.
I would like to have your assistance to set up the forwarding for affine.creature-go.com to get a bullet-proof Apache directives file which also will allow the SSL certificate renewal in some weeks.
## Your tasks
### Interview
Interview me to
- Fully understand the situation
- Clarify the objective
- Obtain all files you need
### Update DesTEngSsv006 configuration
Help me to update the DesTEngSsv006 configuration so that affine.creature-go.com forwarding works as expected and SSL certificate renewal will succeed.
## What I did to update and certificate renewal attempt
I did to these steps to update: 1. The Apache VHost Config: Could you share the current contents of the Apache configuration file for affine.creature-go.com on sv005? (Usually found in /etc/apache2/sites-available/ or managed via Virtualmin's "Edit Directives" section).
### Update Debian packages 2. Traefik's Entrypoint: On DesTEngSsv006, is Traefik listening for incoming traffic on port 80/443 over the WireGuard interface (10.8.0.6)?
In a terminal I did run 3. Traefik Configuration: Have you already set up a router and service in Traefik for affine.creature-go.com? If so, could you share that snippet (labels in Docker or your YAML/TOML config)?
4. SSL Strategy: Is sv005 the only place where you want SSL to be terminated, or are you also trying to use Let's Encrypt on the Traefik side? (Standard practice here is to terminate at sv005 and send plain HTTP or "pseudo-HTTPS" over the tunnel).
## Interview answers
1. Attached is affine.creature-go.com.conf
2. Traefik is listening on 10.8.0.6:8080
3. Attached is the main Traefik config file traefik.yml from the DesTEngSsv006 directory /home/trf/.local/share/traefik and the three .yml config files {affine.yml, dashboard.yml, openwebui.yml} from the DesTEngSsv006 directory /home/trf/.local/share/traefik/dynamic/
4. Terminate SSL at sv005 and send plain HTTP over the tunnel
What about the already existing RewriteCond lines in the Apache config file?
I would appreciate if you would update the complete affine.creature-go.com.conf file instead of giving me snippets which I have to insert at the hopefully correct position.
Questions about both sections <VirtualHost ...:80> and <VirtualHost ...:443>:
- You did remove <Directory /home/affine/cgi-bin> but you did leave
<Directory /home/affine/public_html> in - why didn't you take out both
directories because they are not used? Any objections if I would remove the <Directory /home/affine/public_html>?
- There is no mail support at affine.creature-go.com so I plan to remove
RewriteCond and RewriteRule for Webmail - any objections?
Questions about <VirtualHost ...:443> section:
- Why did you relocate the SSL Configuration block?
---
# Wireguard problem
Please help troubleshooting and repairing a Wireguard connection.
## Setup
WireGuard IP-Addresses:
10.8.0.1 DesTEngSsv005
10.8.0.6 DesTEngSsv006
10.8.0.3 DesTEngSnb003
### DesTEngSsv005
DesTEngSsv005 is a datacenter Linux server
with public IP-address 65.108.193.31 .
In the Wireguard setup the server is the bridge between an office server
and a notebook.
I am the system administrator and have root access.
### DesTEngSsv006
DesTEngSsv006 is an office Linux server with a dynamic IP-address for
Internet access.
### DesTEngSnb003
DesTEngSnb003 is my personal Windows notebook with a dynamic IP-address for
Internet access.
## Symptoms
Today I noticed that from DesTEngSnb003 the Wireguard connection to
DesTEngSsv006 is not working anymore: The connection could not be established.
I can ping DesTEngSsv005 from DesTEngSnb003.
The latest handshake with 10.8.0.6 happened 21 hours ago:
``` ```
apt update root@sv005 ~ # wg show
apt upgrade interface: wg0
public key: Fww9ON7EvuRom7M9BN97bRpxduIM4V54z/Ij6eunrgo=
private key: (hidden)
listening port: 51820
peer: YUOO8IHL218cmeaS1c/VH9STQRGryrlWk0oXvtCbqFY=
endpoint: 87.152.118.183:49669
allowed ips: 10.8.0.3/32
latest handshake: 4 seconds ago
transfer: 21.22 MiB received, 633.64 MiB sent
peer: XTC0cB4R3hurXh9NTIhPfDlam3ahrau21F/ezJUJSRs=
endpoint: 89.244.105.89:49166
allowed ips: 10.8.0.6/32
latest handshake: 21 hours, 32 minutes, 20 seconds ago
transfer: 1.13 GiB received, 115.96 MiB sent
``` ```
I do not want to upgrade the full distribution because it is Debian 12 The Wireguard connection was working well before, I am the only admin of
which is really good enough. Any distro upgrade is a risk so when unnecessary all three machines and I have not intentionally changed any firewall
I won't do it. Therefore, I did not run the other Terminal commands you proposed. settings or FORWARD chains.
I did see that webmin was upgraded during apt upgrade, too. ```traceroute 10.8.0.6``` does not work on my notebook in a CMD window;
After rebooting the server, a previously warning in Virtualmin that the likely because the notebook has Windows and not Linux.
Virtualmin version is outdated was not showing up anymore.
Therefore, I skipped Phase 2: Update Virtualmin.
### Certificate repair attempt On the weekend I'm not in the office; therefore, I cannot check anything
on DesTEngSsv006 now. Are there any helpful and promising checks I could
do right now with my access limited to DesTEngSsv005 and DesTEngSnb003?
First I tried the renewal via the Virtualmin page but it failed:
"
Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
"
Then I tried in a terminal, I did run this without success (likely because not waiting a moment after the previous attempt):
The notebook can reach the hub:
``` ```
root@sv005 ~ # certbot renew --force-renewal --cert-name kipurchat.creature-go.com C:\Users\tlg>tracert -d 10.8.0.6
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Routenverfolgung zu 10.8.0.6 über maximal 30 Hops
Processing /etc/letsencrypt/renewal/kipurchat.creature-go.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for kipurchat.creature-go.com
Failed to renew certificate kipurchat.creature-go.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Your account is temporarily prevented from requesting certificates for kipurchat.creature-go.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJTRkUgVW5wYXVzZSIsImV4cCI6MTc3NDcwMTE1OCwiaWF0IjoxNzczNDkxNTU4LCJpZGVudGlmaWVycyI6ImtpcHVyY2hhdC5jcmVhdHVyZS1nby5jb20iLCJpc3MiOiJXRkUiLCJzdWIiOiIyMjc5MDc3MTg2IiwidmVyc2lvbiI6InYxIn0.0bSnk4-HuXVnUWJb-ck7aVJCPo9UaZf1xCMsQ9791ZU
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 50 ms 49 ms 49 ms 10.8.0.1
All renewals failed. The following certificates could not be renewed: 2 * * * Zeitüberschreitung der Anforderung.
/etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem (failure) 3 * * * Zeitüberschreitung der Anforderung.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4 * * * Zeitüberschreitung der Anforderung.
1 renew failure(s), 0 parse failure(s) 5 * ^C
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@sv005 ~ #
``` ```
So looks like we still have the "AttributeError: can't set attribute" problem. I started this:
## Certbot version
My certbot version is too old, I have bookworm-backports enabled but the apt install did not work:
``` ```
root@sv005 ~ # certbot --version root@sv005 ~ # ping 89.244.105.89
certbot 2.1.0 PING 89.244.105.89 (89.244.105.89) 56(84) bytes of data.
root@sv005 ~ # grep -r "backports" /etc/apt/sources.list /etc/apt/sources.list.d/
/etc/apt/sources.list:# deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware
/etc/apt/sources.list:# deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware
root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme
Reading package lists... Done
E: The value 'bookworm-backports' is invalid for APT::Default-Release as such a release is not available in the sources
``` ```
For more than one minute no answer arrived.
So likely the office Internet connection is down.
What should I do now? Thank you, I will proceed troubleshooting on Monday in the office.
---
Enabled backports but certbot version cannot be updated: # New Git repository on DesTEngS Git server
```
root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
certbot is already the newest version (2.1.0-4).
certbot set to manually installed.
python3-certbot is already the newest version (2.1.0-4).
python3-certbot set to manually installed.
python3-acme is already the newest version (2.1.0-1).
python3-acme set to manually installed.
The following packages were automatically installed and are no longer required:
libclamav11 linux-image-6.1.0-35-amd64
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 54 not upgraded.
```
Please help with setting up a new Git repository on a Git server
and in a Linux folder.
Enough - I will update to Trixie. ## DesTEngS Git server
The DesTEngS Git server is at
`git.destengs.com` and can be accessed via SSH
with the `git` user and port `8085`.
Example:
The user pln did add a remote connection with
`git remote add origin ssh://git@git.destengs.com:8085/pln/bin.git`.
While performing "apt full-upgrade" the connection was lost. I have an account and my user name is 'tlg'.
After a while I rebooted the server and tried to run
"apt full-upgrade" again. I had to fix an issue but now there are errors:
``` The Git server SW is Gitea.
root@sv005 ~ # apt full-upgrade
E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem.
root@sv005 ~ # dpkg --configure -a
Setting up libc-l10n (2.41-12+deb13u2) ...
dpkg: dependency problems prevent configuration of locales:
locales depends on libc-bin (>> 2.41); however:
Version of libc-bin on system is 2.36-9+deb12u13.
dpkg: error processing package locales (--configure): Gitea push-to-create is intentionally not enabled; therefore,
dependency problems - leaving unconfigured new repositories were created via the Git server web interface
Setting up libc6:amd64 (2.41-12+deb13u2) ... up to now.
Checking for services that may need to be restarted...
Checking init scripts...
Restarting services possibly affected by the upgrade: ## The new Git repository
webmin: restarting...done.
saslauthd: restarting...done.
postfix: restarting...done.
ssh: restarting...done.
cron: restarting...done.
atd: restarting...done.
Services restarted successfully. The new Git repo will be used for my SW design topics, shall have
Setting up libc-dev-bin (2.41-12+deb13u2) ... the name DesTEngSsv006_swd and shall use SHA-256.
Setting up libc-devtools (2.41-12+deb13u2) ...
Processing triggers for man-db (2.11.2-2) ...
dpkg: dependency problems prevent processing triggers for libc-bin:
libc-bin depends on libc6 (<< 2.37); however:
Version of libc6:amd64 on system is 2.41-12+deb13u2.
dpkg: error processing package libc-bin (--configure): I also want to use the Git repo for things which are common on GitHub
dependency problems - leaving triggers unprocessed repositories (like bug tracking and actions); however, the new
Errors were encountered while processing: repo will only be used by me and AI agents like you.
locales
libc-bin
root@sv005 ~ #
```
How to proceed? On my Linux server DesTEngSsv006 my user name is 'tlg'.
I created a folder /home/tlg/swd which shall become a Git repo which
will be synced with the Git server repo; therefore, I want a
SSH remote connection which would be created with
`git remote add origin ssh://git@git.destengs.com:8085/tlg/DesTEngSsv006_swd.git`.
## Questions
1. did not trigger an error but asks me this: - Use your ask user questions tool to completely understand the
``` situation and my requirements.
root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com - Do I have to manually set up the repo on the Git server first?
Saving debug log to /var/log/letsencrypt/letsencrypt.log - How should I set up bug tracking, actions and similar things?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type:
```
# Local Git repository setup
I unpaused on Let's Encrypt page and retried but got an error: Please help with setting up a local Git repository in a Linux folder
``` and synchronizing it with a Git repository on a remote Git server.
root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## Remote Git server
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for kipurchat.creature-go.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: The remote Git server is at
Domain: kipurchat.creature-go.com `git.destengs.com` and can be accessed via SSH
Type: unauthorized with the `git` user and port `8085`.
Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/51dsdhWws4UEpTuZGIyeFXbYU8J2DpeKFQuACHvcTzA: 503
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. Example:
The user pln did add a remote connection with
`git remote add origin ssh://git@git.destengs.com:8085/pln/bin.git`.
Some challenges have failed. I have an account and my user name is 'wbg'.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
On the Virtualmin page it failed, too. But certificate type still was RSA. The Git server SW is Gitea.
I changed to ECC and requested a new certificate but it failed:
"
Request Certificate
In domain kipurchat.creature-go.com
Requesting a certificate for kipurchat.creature-go.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: ## New Git repository on remote Git server
Domain: kipurchat.creature-go.com
Type: unauthorized
Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/-c7GdKxe8NtwulzVb8gYjF0WoMc9TVomdqJi_RA8ILU: 503
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. Gitea push-to-create is intentionally not enabled; therefore,
I created the desired new repository via the Git server web interface:
- Name 'destengssv006_bin'
- Issue Label Default
- Object format sha256
Some challenges have failed. I also created a new Token for access to wbg account via Gitea-API:
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. - Token-name destengssv006
DNS-based validation failed : - Access: All (public, private and restricted)
Saving debug log to /var/log/letsencrypt/letsencrypt.log - │ API route │ Access
Renewing an existing certificate for kipurchat.creature-go.com │ activitypub │ no access
│ issue │ read and write
│ misc │ read
│ notification │ read
│ organization │ no access
│ package │ no access
│ repository │ read and write
│ user │ read
- Stored it on this server in /home/wbg/.gitea-token
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems: ## Local Git repository
Domain: kipurchat.creature-go.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.kipurchat.creature-go.com - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide. The folder /home/wbg/bin shall become a Git repo which
must be synced with the remote Git server repository.
Some challenges have failed. SSH keys have been generated and the public used to communicate with the
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. remote Git server via SSH without entering credentials.
"
## Your tasks
1. Initialize the local Git repository in the /home/wbg/bin
The Step 1 test does not work: with sha256, branch 'main'. Set
``` global user name to 'wbg' and
root@sv005 ~ # mkdir -p /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/ global user email to 'Thomas.Langer@destengs.com'.
root@sv005 ~ # echo "Success" > /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/test 2. Setup the SSH remote connection with
root@sv005 ~ # ls `git remote add origin ssh://git@git.destengs.com:8085/wbg/destengssv006_bin.git`.
Maildir backups virtualmin-install.log virtualmin-install.log.1 work 3. Make an initial commit with a reasonable .gitignore to test it.
root@sv005 ~ # cd work
root@sv005 ~/work # ls -alhrt
total 12K
drwxr-xr-x 3 root root 4.0K Oct 24 16:05 .
drwxr-xr-x 2 root root 4.0K Oct 24 19:21 wireguard-setup
drwx------ 11 root root 4.0K Jan 9 14:49 ..
root@sv005 ~/work # curl -IL http://kipurchat.creature-go.com/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Date: Sat, 14 Mar 2026 20:58:36 GMT
Server: Apache
Location: https://kipurchat.creature-go.com/.well-known/acme-challenge/test
Content-Type: text/html; charset=iso-8859-1
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
```
Okay, after modifying
/etc/apache2/sites-available/kipurchat.creature-go.com.conf
according your instructions and restarting Apache
the certbot repair was successful:
```
root@sv005 ~/work # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for kipurchat.creature-go.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/privkey.pem
This certificate expires on 2026-06-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
But the webpage at kipurchat.creature-go.com still shows the same error and
Virtualmin still shows a not-working SSL Certificate. How to fix this?
Step 1 fails, I get the Error "Failed to install certificate : Certificate file /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem must be under the virtual server's home directory".
Instead of running terminal commands and pointing Virtualmin to uncommon directories, wouldn't it be better to go the standard Virtualmin way: On tab "SSL Providers" Request Certificate ?
If this way would be better, which Certificate hash type should I select,
RSA or ECC?
Okay, after requesting a new certificate with ECC hash type the
kipurchat.creature-go.com has a valid certificate for https:// now.
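Review bot: a Gitea API token with "issue" and "repository" read-and-write scope is described as stored on the server in /home/wbg/.gitea-token while /home/wbg/bin is about to become a Git repository pushed to git.destengs.com; the token file and the freshly generated SSH private key must stay outside that repository (the path shown is outside /home/wbg/bin, which is right) and be readable only by the owner (chmod 600), and the ".gitignore" of the initial commit in task 3 should exclude any copy of them so a later move into bin/ cannot push them. On the certbot failure: the NXDOMAIN for _acme-challenge.kipurchat.creature-go.com shows the --manual-auth-hook did not leave a resolvable TXT record at validation time (missing record or no wait for propagation), which is why the later switch to --webroot, needing no DNS change at all, succeeded; for a single non-wildcard host that is the simpler validation path to keep.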

Steuererklärungen.md Normal file

@@ -0,0 +1,228 @@
# Steuererklärung 2024 Dr. Thomas Langer und Janina Langer
## Besonderheiten und Fragen
- Am 24. Mai 2024 geheiratet.
- Die neue Steuernummer von Janina ist 139/486/02304.
- Janina arbeitet hauptsächlich im Homeoffice in einem dafür vorgesehenen Büroraum.
- Der bisher nicht steuerlich geltend gemachte Telekom DSL Anschluss wird nicht für Telefonate genutzt, sondern ausschließlich für
- Homeoffice Arbeit Janina
- Homeoffice Arbeit Thomas
- Freizeit Entertainment
- Zukünftige Steuererklärungen ohne Papierbelege, mit Übersendung der Dokumente auf elektronischem Weg oder Bereitstellung in einer Cloud?
- Welche Datev Module sind bei Heiß im Einsatz?
## Belege
- Belege im Aktenordner "Steuererklärung 2024" sind mit ✅ gekennzeichnet.
- Die am Anfang mit 🔲 gekennzeichneten Belege werden noch hinzugefügt oder versendet.
- Für mit ❌ gekennzeichnete Themen sind keine Belege zur Verfügung gestellt worden, weil die steuerliche Relevanz unklar ist.
- Bei 📄 sind die Buchungen oder Belege an aderer Stelle vorhanden und nicht im Aktenordner "Steuererklärung 2024" abgelegt.
- Die mit 📧 gekennzeichneten Daten wurden per E-Mail versendet.
### 1 Banken und andere Quellen von Kapitalerträgen
#### Bank of Scotland (Rücklagenkonto Thomas)
✅ Steuerbescheinigung
✅ Kontoauszug
#### Deutsche Kreditbank (privates Girokonto Thomas)
✅ Berichtigte Steuerbescheinigung vom 24.09.2025
✅ Erträgnisaufstellung
📧 Kontoauszüge: Privates_Konto_DKB_Kontoauszüge_2024.zip <sup>1)</sup>
#### Consors Thomas (privates Anlagekonto)
✅ Steuerbescheinigung
✅ Erträgnisaufstellung
#### Volksbank Ulm-Biberach (Geschäftskonto DesTEngS)
✅ Steuerbescheinigung
✅ Dividende
✅ Kontoauszüge der ersten beiden Monate des Folgejahres
📄 Alle Kontoauszüge und Kreditkartenabrechnungen (Im Ordner DesTEngS 2024 Belege)
#### Bausparkasse BHW (Thomas)
✅ Steuerbescheinigung
#### Green Planet Energy eG
✅ Steuerbescheinigung
#### Hypovereinsbank (privates Girokonto Janina)
✅ Steuerbescheinigung
#### Consors Janina (privates Anlagekonto)
✅ Steuerbescheinigung
✅ Erträgnisaufstellung
### 2 Versicherungen
#### Thomas
✅ Krankenkasse Barmenia
❌ Rentenversicherung Allianz (keine Rührup) AL-1321511998: Keine Belege
✅ Unfall, Haftpflicht, Hausrat Versicherung Janitos 5000076942:
- Nachtrag Nr. 42 vom November 2023
- Nachtrag Nr. 43 vom 01.10.2024
- Nachtrag Nr. 44 vom November 2024
- Nachtrag Nr. 45 vom 10.12.2024
❌ Heidelberger Lebensversicherung 01474329-01 und 01474329-04: Keine Belege
❌ Kapital- und BU-Versicherung Entis 1835932: Keine Belege
📄 Rechtsschutz KS Auxilia: 405,18 €
- Zahlung 487,54 €, s. DKB Kontoauszug 7/2024 (2024-07-05_Kontoauszug_7_2024_vom_05.07.2024_zu_Konto_11675808.pdf), Buchung vom 17.06.2024)
- Erstattung 82,36 €, s. DKB Kontoauszug 8/2024 (2024-08-05_Kontoauszug_8_2024_vom_05.08.2024_zu_Konto_11675808.pdf), Buchung vom 25.07.2024)
#### Janina
✅ Haftpflichtversicherung Allianz AS-6325516192
&emsp; &emsp; Monatlich Januar - August 2024 31,75 €, ab September jährlich 76,65 €
✅ HUK24 KFZ-Versicherung für Kennzeichen MB-WL 915
❌ Unfallversicherung Ergo
&emsp; &emsp; Januar Juni 43,99 €, Juli September 46,44 €
#### Arthur Langer (Sohn von Thomas)
❌ WWK Lebensversicherung 25 045 985
#### Vanessa Jäntsch (Tochter von Janina)
❌ Unfallversicherung Ergo
&emsp; &emsp; Januar März 18.12 €, April Dezember 19,19 €
### 3 Sonstiges
#### Janina
✅ Mitteilung über neue Steuernummer
#### Studium Richard
✅ Immatrikulationsbescheinigung
✅ Bescheinigung über gezahlte Beiträge und Gebühren
#### Ausbildung Arthur
✅ Merckle GmbH / teva Entgeltabrechnung für September 2024
### 4 Steuerbescheide des Vorjahres
#### Thomas
✅ Bescheid über Einkommensteuer und Soli
✅ Bescheid über Kirchensteuer
#### Janina
✅ Bescheid über Einkommensteuer und Soli
### 5 Einkünfte von Thomas durch freiberufliche Tätigkeit mit Ingenieurbüro DesTEngS
✅ Fahrtenbücher
- "22. Mai 2024 bis 2. Dez. 2024"
- "4. Dez. 2024 bis 11. Juli 2025"
📄 Aktenordner "DesTEngS 2024 Belege"
📄 Corona Überbrückungshilfe Zahlung 65,82 €, s. DKB Kontoauszug 12/2024 (2024-12-05_Kontoauszug_12_2024_vom_05.12.2024_zu_Konto_11675808-1.pdf), Buchung vom 26.11.2024)
📧 Buchhaltung Summen und Salden Liste: DesTEngS_2024_Summen-Und-Salden.xlsx <sup>1)</sup>
📧 Buchhaltung Sachkonten: DesTEngS_2024_Sachkonten.pdf <sup>1)</sup>
📧 Buchhaltungsdaten im DATEV Format ASCII csv: DesTEngS_2024_Datev-Export.csv <sup>1)</sup>
### 6 Einkünfte von Janina durch Angestelltenverhältnis bei Münchner Rück
✅ Ausdruck der elektronischen Lohnsteuerbescheinigung
✅ Aufstellung der Anwesenheitstage im Münchner Rück Büro und Entfernung zwischen Wohnung und Arbeitsstätte
### 7 Belege zur Hochzeit
✅ Diverse Belege zur Hochzeit
### Kirchensteuer Zahlung und Erstattungen
📄 Kirchgeld Zahlung 120,00 €, s. VR-Bank Kontoauszug 7/2024 (BA07002 im Aktenordner "DesTEngS 2024 Belege"), Buchung vom 03.07.2024)
📄 Erstattungen 1.830,71 €
- Erstattung 981,44 €, s. DKB Kontoauszug 9/2024 (2024-09-05_Kontoauszug_9_2024_vom_05.09.2024_zu_Konto_11675808.pdf), Buchung vom 27.08.2024)
- Erstattung 551,51 €, s. DKB Kontoauszug 11/2024 (2024-11-05_Kontoauszug_11_2024_vom_05.11.2024_zu_Konto_11675808.pdf), Buchung vom 15.10.2024)
- Erstattung 297,76 €, s. DKB Kontoauszug 13/2024 (2025-01-06_Kontoauszug_13_2024_vom_06.01.2025_zu_Konto_11675808-1.pdf), Buchung vom 17.12.2024)
### Abos
📄 Computerzeitschrift c't (Heise Medien): 184,95 €, s. ER08004 bzw. VR-Bank Kto-Auszug BA08002 Buchung vom 16.08.2024 im Aktenordner "DesTEngS 2024 Belege")
### Mitgliedsbeiträge
Mitgliedsbeiträge zu gemeinnützigen Vereinen:
📄 Sauerlacher Bogenschützen e.V.: 250,00 €
- 150,00 €, s. DKB Kontoauszug 3/2024 (2024-03-05_Kontoauszug_3_2024_vom_05.03.2024_zu_Konto_11675808.pdf), Buchung vom 14.02.2024)
- 100,00 €, s. DKB Kontoauszug 11/2024 (2024-11-05_Kontoauszug_11_2024_vom_05.11.2024_zu_Konto_11675808.pdf), Buchung vom 28.11.2024)
📄 SG E.ON Ostbayern e.V.: 71,00 €, s. DKB Kontoauszug 4/2024 (2024-04-05_Kontoauszug_4_2024_vom_05.04.2024_zu_Konto_11675808.pdf), zwei Buchungen vom 15.03.2024)
📄 Förderverein Spitalhof Gemeinschaft: 40,00 €, s. DKB Kontoauszug 5/2024 (2024-05-06_Kontoauszug_5_2024_vom_06.05.2024_zu_Konto_11675808.pdf), Buchung vom 25.04.2024)
---
<sup>1)</sup> Am 23. März 2026 per E-Mail gesendet in Thomas_Langer_2026-03-23.zip
---
Runde 1 die größten typischen Lücken
1. Habt ihr 2024 Spenden, Parteispenden oder Kirchensteuer-Nachzahlungen/-Erstattungen gehabt, die noch nicht in der Liste stehen? ELSTER führt diese ausdrücklich unter Sonderausgaben.
2. Gab es 2024 haushaltsnahe Dienstleistungen oder Handwerkerleistungen für eure Wohnung/euer Haus, also z. B. Reinigung, Garten, Winterdienst, Fenster, Reparaturen, Renovierung, Bad/Küche, Wartung etc.? Dafür wären typischerweise Rechnungen und unbare Zahlung wichtig. In deiner Liste sehe ich diesen Block bisher nicht ausdrücklich.
3. Hattet ihr 2024 außergewöhnliche Belastungen, vor allem Krankheits-, Pflege-, Behinderungs- oder Bestattungskosten, die noch nicht auftauchen? Diese sind ein eigener Bereich in ELSTER.
4. Gibt es bei Janina als Arbeitnehmerin noch weitere Werbungskosten außer Büro-/Anwesenheitstagen, etwa Arbeitsmittel, Fortbildung, Bewerbungen, Umzug, Arbeitskleidung oder häusliches Arbeitszimmer? ELSTER nennt diese Punkte ausdrücklich bei Anlage N. Wegen eures Hinweises zum Homeoffice und DSL ist das besonders prüfenswert.
5. Für die Kinder: Gab es 2024 zusätzlich Kinderbetreuungskosten, Schulgeld oder Kranken-/Pflegeversicherungsbeiträge fürs Kind, die in der Liste noch fehlen? In deiner Liste sehe ich bisher nur Studium Richard und Ausbildung Arthur, aber nicht diese typischen Kind-bezogenen Unterlagen.
6. Hattet ihr 2024 noch weitere Einkunftsarten, die in der Liste nicht erscheinen, z. B. Vermietung, ausländische Einkünfte, private Veräußerungsgeschäfte oder Verkäufe/Transaktionen mit Krypto/Token? ELSTER führt diese als eigene prüfungsrelevante Bereiche.
Zu 1.: Ja.
- Wir haben Mitgliedsbeiträge zu gemeinnützigen Vereinen gezahlt.
- Kirchensteuer Zahlung und Erstattung habe ich hinzugefügt.
Zu 2.: Nein, hatten wir nicht.
Zu 3.: Wir haben geheiratet, können wir dafür etwas steuerlich geltend machen?
Zu 4.: Es gibt ein häusliches Arbeitszimmer, wir wissen aber nicht, ob das den Ansprüchen genügt, um steuerlich geltend gemacht werden zu können. Sonst hatte Janina keine weiteren Werbungskosten.
Zu 5.: Thomas hat für Arthur und Richard Unterhalt gezahlt, weil seine Söhne aus einer geschiedenen Ehe stammen. Thomas hat monatlich 149 € für Nachhilfe-Unterricht für Arthur bezahlt.
Zu 6.: Nein, weitere Einkunftsarten hatten wir nicht.
Anbei eine aktualisierte Steuererklärungen.md Auflistung.
1. Wie alt waren Arthur und Richard im Jahr 2024 bzw. was sind ihre Geburtsjahre?
2. Waren Arthur und/oder Richard 2024 in Ausbildung/Studium über das ganze Jahr oder nur in einzelnen Monaten?
3. Für wen bestand 2024 noch Kindergeldanspruch und wer hat das Kindergeld tatsächlich erhalten?
4. Wo haben Arthur und Richard 2024 gelebt: bei der Mutter, eigener Haushalt, teilweise bei euch?
5. Zu Thomas Zahlungen: Gibt es dafür Unterhaltstitel, Scheidungsvereinbarung, Jugendamtsurkunde oder wenigstens Kontoauszüge/Daueraufträge?
6. Zur Nachhilfe Arthur: Gibt es Rechnungen oder Verträge für die 149 € monatlich und lief das per Überweisung?
7. Zum Arbeitszimmer Janina: Ist das ein abgeschlossener, nahezu ausschließlich beruflich genutzter Raum?
8. Falls ja: Habt ihr die Unterlagen zu den Wohnkosten 2024 griffbereit, also z. B. Miete, Nebenkosten, Strom, Wohnfläche der Wohnung und Fläche des Arbeitszimmers?
Zu 1.: Richard wurde im Juli 2000 geboren. Arthur wurde im Oktober 2006 geboren.
Zu 2.: Richard das ganze Jahr über im Studium. Arthur bis Sommer 2024 in der Schule, danach in einer Ausbildung.
Zu 3.: Für beide bestand Kindergeldanspruch, die Kindesmutter Astrid hat das Kindergeld erhalten.
Zu 4.: Richard in eigener Wohnung. Arthur bei der Kindesmutter.
Zu 5.: Es gibt Kontoauszüge.
Zu 6.: Ja, Vertrag und Überweisungen.
Zu 7.: Ja.
Zu 8.: Müsste ich erst raussuchen.
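Review bot: this file commits personal identifiers into version control: the new tax number in "Besonderheiten und Fragen", the insurance policy numbers under "2 Versicherungen" (Allianz AL-…, Janitos, Heidelberger, Entis, WWK, Allianz AS-…), a car registration, the DKB account number repeated in every statement filename, and the children's birth months in the answers at the end. Because the bin repository is synced to a remote Git server, this document (and the referenced Thomas_Langer_2026-03-23.zip) should be kept out of the repo or stored encrypted, or the remote repository must be confirmed private before the next push. Minor: "an aderer Stelle" should read "an anderer Stelle".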

Traefik.md Normal file

@@ -0,0 +1,25 @@
# Situation
I have a datacenter (DC) server hosted on Hetzner that forwards incoming web traffic via a WireGuard tunnel to a local office server. On the local server, Traefik runs as a reverse proxy inside a rootless Podman container.
My known, valid services are hosted on two specific subdomains `affine.creature-go.com` and `openwebui.creature-go.com`.
# Problem
Bots and script kiddies are scanning my Hetzner IP directly or guessing random subdomains. Traefik is currently returning standard `404 Not Found` errors for these unmatched requests (which show up in my logs as `"-" "-"`). This is wasting my WireGuard tunnel bandwidth and consuming local server resources.
# Strategy: A Traefik "Black Hole"
To discourage bots and save resources, I want to implement a "Black Hole" catch-all router in Traefik. The goal is to intercept any request that does *not* explicitly match my valid subdomains and immediately reject it with a `403 Forbidden`, preventing Traefik from wasting time looking for a backend.
The planned architecture for this is:
1. **Rule:** A catch-all matching all hosts: `HostRegexp('{any:.*}')`
2. **Priority:** The lowest possible priority (e.g., `priority: 1`) so my valid domains are always evaluated first.
3. **Middleware:** An `ipAllowList` middleware restricted to an impossible source like `127.0.0.1/32`. This forces a 403 for all external traffic hitting the rule.
4. **Service:** Routed to Traefik's built-in `noop@internal` dummy service.
# Your Task
Please act as a Traefik and Podman expert and provide the following:
1. **The dynamic YAML configuration** needed to create this Black Hole router and middleware.
2. **Verification steps:** How can I ensure my existing valid routers Affine and OpenWebUI have the correct priority to avoid getting swallowed by this new Black Hole?
# Current Traefik configuration files
My current Traefik configuration files are attached.
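Review bot: the goal stated under "# Problem", saving WireGuard tunnel bandwidth, is not met by the design under "# Strategy": Traefik runs on the office server, so every scan request still crosses the tunnel before the black hole router answers, and the 403 only spares the backend lookup and the local services; to cut tunnel traffic the rejection has to happen on the Hetzner host, before forwarding. Second, the rule as written, HostRegexp('{any:.*}'), uses single quotes, whereas Traefik rule arguments are written in backticks, HostRegexp(`{any:.*}`), and that {name:regex} form is Traefik v2 syntax that v3 replaced with a plain Go regular expression such as HostRegexp(`.*`); the document should state the Traefik version before the YAML is written. Third, "priority: 1" only works as the lowest priority if no valid router declares an explicit priority of 1 or less; routers without a priority default to the length of their rule string, so the verification asked for in "# Your Task" item 2 amounts to confirming the Affine and OpenWebUI routers either set no priority or set one above 1.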