diff --git a/docs/administrative-access.md b/docs/administrative-access.md index f22ed08e..5c58e791 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md @@ -30,6 +30,18 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`. 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6./32` `fd00:fae:fae:fae:fae:::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair). +One can access our hosts using this domain scheme: + +``` +ssh barkeeper@.wg.pub.solar +``` + +So, for example for `nachtigall`: + +``` +ssh barkeeper@nachtigall.wg.pub.solar +``` + Example NixOS snippet for WireGuard client config ``` diff --git a/docs/deletion-request.md b/docs/deletion-request.md index d7640109..54f85aff 100644 --- a/docs/deletion-request.md +++ b/docs/deletion-request.md @@ -4,13 +4,13 @@ Required: -- auth.pub.solar ops user credentials -- SSH access to host nachtigall +- auth.pub.solar `admin-cli` service user credentials +- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access) + +Run each of the following after SSH'ing to `nachtigall`: ``` -ssh barkeeper@nachtigall.pub.solar - -sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops +sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli # Take note of user id in response from following command sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar --query email= @@ -26,7 +26,6 @@ Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-us ### Nextcloud ``` -ssh barkeeper@nachtigall.pub.solar nextcloud-occ user:delete ``` @@ -35,7 +34,6 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server ### Mastodon ``` -ssh barkeeper@nachtigall.pub.solar sudo -u mastodon mastodon-tootctl accounts delete --email ``` @@ -44,7 +42,6 @@ Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete ### Forgejo ``` -ssh barkeeper@nachtigall.pub.solar sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email ``` @@ -53,7 +50,6 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete ### Matrix ``` -ssh bartender@matrix.pub.solar -p 2020 curl --header "Authorization: Bearer " --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@:pub.solar --data '{"erase": true}' ``` diff --git a/docs/keycloak/delete-unverified-accounts.md b/docs/keycloak/delete-unverified-accounts.md new file mode 100644 index 00000000..cb1ff0c4 --- /dev/null +++ b/docs/keycloak/delete-unverified-accounts.md @@ -0,0 +1,79 @@ +# Delete accounts without verified email address + +### Keycloak + +Required: + +- auth.pub.solar admin-cli service user credentials +- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) + +Run following after SSH'ing to `nachtigall`. + +Credentials for the following command are in keepass. Create a keycloak +config/credentials file at `/tmp/kcadm.config`: + +``` +sudo --user keycloak kcadm.sh config credentials \ + --config /tmp/kcadm.config \ + --server https://auth.pub.solar \ + --realm pub.solar \ + --client admin-cli +``` + +Get list of accounts without a verified email address: + +``` +sudo --user keycloak kcadm.sh get \ + --config /tmp/kcadm.config \ + users \ + --realm pub.solar \ + --query emailVerified=false \ + > /tmp/keycloak-unverified-accounts +``` + +Review list of accounts, especially check `createdTimestamp` if any accounts +were created in the past 2 days. If so, delete those from the +`/tmp/keycloak-unverified-accounts` file. + +``` +createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) ) + +# timestamps are in nanoseconds since epoch, so we need to strip the last three digits +for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done + +vim /tmp/keycloak-unverified-accounts +``` + +Check how many accounts are going to be deleted: + +``` +jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l +``` + +``` +jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids +``` + +Final check before deletion (dry-run): + +``` +for id in $(cat /tmp/keycloak-unverified-account-ids) + do + echo sudo --user keycloak kcadm.sh delete \ + --config /tmp/kcadm.config \ + users/$id \ + --realm pub.solar + done +``` + +THIS WILL DELETE ACCOUNTS: + +``` +for id in $(cat /tmp/keycloak-unverified-account-ids) + do + sudo --user keycloak kcadm.sh delete \ + --config /tmp/kcadm.config \ + users/$id \ + --realm pub.solar + done +``` diff --git a/docs/keycloak/keycloak-email-list.md b/docs/keycloak/keycloak-email-list.md index c92c05dd..6331f4d2 100644 --- a/docs/keycloak/keycloak-email-list.md +++ b/docs/keycloak/keycloak-email-list.md @@ -4,12 +4,12 @@ Required: -- auth.pub.solar ops user credentials -- SSH access to host nachtigall +- auth.pub.solar admin-cli service user credentials +- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) + +Run following after SSH'ing to `nachtigall`: ``` -ssh barkeeper@nachtigall.pub.solar - sudo --user keycloak kcadm.sh get users \ -r pub.solar \ --offset 0 \ diff --git a/docs/keycloak/keycloak-reset-user-password.md b/docs/keycloak/keycloak-reset-user-password.md index b905d408..4fc00bee 100644 --- a/docs/keycloak/keycloak-reset-user-password.md +++ b/docs/keycloak/keycloak-reset-user-password.md @@ -4,15 +4,15 @@ Required: -- auth.pub.solar ops user credentials -- SSH access to host nachtigall +- auth.pub.solar admin-cli service user credentials +- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) + +Run the following after SSH'ing to `nachtigall`: ``` -ssh barkeeper@nachtigall.pub.solar - mkdir /tmp/keycloak-credential-reset -sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops +sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar | jq --raw-output '.[] | .id' > /tmp/keycloak-credential-reset/all-uuids diff --git a/docs/keycloak/keycloak-update-realm.md b/docs/keycloak/keycloak-update-realm.md index 68390172..b924c2e1 100644 --- a/docs/keycloak/keycloak-update-realm.md +++ b/docs/keycloak/keycloak-update-realm.md @@ -4,12 +4,12 @@ Required: -- auth.pub.solar ops user credentials -- SSH access to host nachtigall +- auth.pub.solar admin-cli service user credentials +- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) + +Run the following after SSH'ing to `nachtigall`: ``` -ssh barkeeper@nachtigall.pub.solar - sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar diff --git a/docs/mediawiki-updates.md b/docs/mediawiki-updates.md index fe30e7d3..7d3f5007 100644 --- a/docs/mediawiki-updates.md +++ b/docs/mediawiki-updates.md @@ -11,10 +11,9 @@ Next, push your changes to https://git.pub.solar and get them reviewed and approved. After approval, create a fresh backup of the database and deploy the changes to -`nachtigall`: +`nachtigall`. Run the following after [SSH'ing to `nachtigall`](./administrative-access.md#ssh-access): ``` -ssh barkeeper@nachtigall.pub.solar sudo -u postgres pg_dump --create -Fc mediawiki > mediawiki-db-$(date +%F).dump exit ``` @@ -23,10 +22,9 @@ exit deploy --targets '.#nachtigall' ``` -Then, finalize the update by running the database migration script: +Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`): ``` -ssh barkeeper@nachtigall.pub.solar docker exec -it mediawiki bash php maintenance/run.php update.php ```