From bc3752683b5bfb3e7140a3cebf47f7b1375a4cfd Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Mon, 10 Jun 2024 20:00:45 +0200
Subject: [PATCH 1/3] keycloak: add docs how to delete unverified accounts
---
 docs/keycloak/delete-unverified-accounts.md | 82 +++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 docs/keycloak/delete-unverified-accounts.md
diff --git a/docs/keycloak/delete-unverified-accounts.md b/docs/keycloak/delete-unverified-accounts.md
new file mode 100644
index 00000000..031abc08
--- /dev/null
+++ b/docs/keycloak/delete-unverified-accounts.md
@@ -0,0 +1,82 @@
+# Delete accounts without verified email address
+
+### Keycloak
+
+Required:
+
+- auth.pub.solar admin-cli service user credentials
+- SSH access to host nachtigall
+
+```
+ssh barkeeper@nachtigall.wg.pub.solar
+```
+
+Credentials for the following command are in keepass.
+
+Create keycloak config/credentials file at `/tmp/kcadm.config`:
+
+```
+sudo --user keycloak kcadm.sh config credentials \
+ --config /tmp/kcadm.config \
+ --server https://auth.pub.solar \
+ --realm pub.solar \
+ --client admin-cli
+```
+
+Get list of accounts without a verified email address:
+
+```
+sudo --user keycloak kcadm.sh get \
+ --config /tmp/kcadm.config \
+ users \
+ --realm pub.solar \
+ --query emailVerified=false \
+ > /tmp/keycloak-unverified-accounts
+```
+
+Review list of accounts, especially check `createdTimestamp` if any accounts
+were created in the past 2 days. If so, delete those from the
+`/tmp/keycloak-unverified-accounts` file.
+
+```
+createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
+
+# timestamps are in nanoseconds since epoch, so we need to strip the last three digits
+for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done
+
+vim /tmp/keycloak-unverified-accounts
+```
+
+Check how many accounts are going to be deleted:
+
+```
+jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
+```
+
+```
+jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
+```
+
+Final check before deletion (dry-run):
+
+```
+for id in $(cat /tmp/keycloak-unverified-account-ids)
+ do
+ echo sudo --user keycloak kcadm.sh delete \
+ --config /tmp/kcadm.config \
+ users/$id \
+ --realm pub.solar
+ done
+```
+
+THIS WILL DELETE ACCOUNTS:
+
+```
+for id in $(cat /tmp/keycloak-unverified-account-ids)
+ do
+ sudo --user keycloak kcadm.sh delete \
+ --config /tmp/kcadm.config \
+ users/$id \
+ --realm pub.solar
+ done
+```
From b687997390db5e627decbeeb0dbcaa53147dfa0c Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Mon, 10 Jun 2024 20:26:20 +0200
Subject: [PATCH 2/3] docs: centralize SSH access docs
---
 docs/administrative-access.md | 12 ++++++++++++
 docs/deletion-request.md | 10 +++-------
 docs/keycloak/delete-unverified-accounts.md | 11 ++++-------
 docs/keycloak/keycloak-email-list.md | 7 ++++---
 docs/keycloak/keycloak-reset-user-password.md | 6 +++---
 docs/keycloak/keycloak-update-realm.md | 6 +++---
 docs/mediawiki-updates.md | 6 ++----
 7 files changed, 31 insertions(+), 27 deletions(-)
diff --git a/docs/administrative-access.md b/docs/administrative-access.md
index f22ed08e..5c58e791 100644
--- a/docs/administrative-access.md
+++ b/docs/administrative-access.md
@@ -30,6 +30,18 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b
 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`. 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6./32` `fd00:fae:fae:fae:fae:::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair). +One can access our hosts using this domain scheme: + +``` +ssh barkeeper@.wg.pub.solar +``` + +So, for example for `nachtigall`: + +``` +ssh barkeeper@nachtigall.wg.pub.solar +``` + Example NixOS snippet for WireGuard client config ```
diff --git a/docs/deletion-request.md b/docs/deletion-request.md
index d7640109..c0aa2644 100644
--- a/docs/deletion-request.md
+++ b/docs/deletion-request.md
@@ -5,11 +5,11 @@ Required: - auth.pub.solar ops user credentials -- SSH access to host nachtigall +- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access) + +Run each of the following after SSH'ing to `nachtigall`: ``` -ssh barkeeper@nachtigall.pub.solar - sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops # Take note of user id in response from following command
@@ -26,7 +26,6 @@ Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-us
 ### Nextcloud ``` -ssh barkeeper@nachtigall.pub.solar nextcloud-occ user:delete ```
@@ -35,7 +34,6 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
 ### Mastodon ``` -ssh barkeeper@nachtigall.pub.solar sudo -u mastodon mastodon-tootctl accounts delete --email ```
@@ -44,7 +42,6 @@ Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
 ### Forgejo ``` -ssh barkeeper@nachtigall.pub.solar sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email ```
@@ -53,7 +50,6 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
 ### Matrix ``` -ssh bartender@matrix.pub.solar -p 2020 curl --header "Authorization: Bearer " --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@:pub.solar --data '{"erase": true}' ```
diff --git a/docs/keycloak/delete-unverified-accounts.md b/docs/keycloak/delete-unverified-accounts.md
index 031abc08..cb1ff0c4 100644
--- a/docs/keycloak/delete-unverified-accounts.md
+++ b/docs/keycloak/delete-unverified-accounts.md
@@ -5,15 +5,12 @@ Required: - auth.pub.solar admin-cli service user credentials -- SSH access to host nachtigall +- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) -``` -ssh barkeeper@nachtigall.wg.pub.solar -``` +Run following after SSH'ing to `nachtigall`. -Credentials for the following command are in keepass. - -Create keycloak config/credentials file at `/tmp/kcadm.config`: +Credentials for the following command are in keepass. Create a keycloak +config/credentials file at `/tmp/kcadm.config`: ``` sudo --user keycloak kcadm.sh config credentials \
diff --git a/docs/keycloak/keycloak-email-list.md b/docs/keycloak/keycloak-email-list.md
index c92c05dd..37769c90 100644
--- a/docs/keycloak/keycloak-email-list.md
+++ b/docs/keycloak/keycloak-email-list.md
@@ -5,11 +5,12 @@ Required: - auth.pub.solar ops user credentials -- SSH access to host nachtigall +- auth.pub.solar admin-cli service user credentials +- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) + +Run following after SSH'ing to `nachtigall`: ``` -ssh barkeeper@nachtigall.pub.solar - sudo --user keycloak kcadm.sh get users \ -r pub.solar \ --offset 0 \
diff --git a/docs/keycloak/keycloak-reset-user-password.md b/docs/keycloak/keycloak-reset-user-password.md
index b905d408..e10b9a51 100644
--- a/docs/keycloak/keycloak-reset-user-password.md
+++ b/docs/keycloak/keycloak-reset-user-password.md
@@ -5,11 +5,11 @@ Required: - auth.pub.solar ops user credentials -- SSH access to host nachtigall +- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) + +Run the following after SSH'ing to `nachtigall`: ``` -ssh barkeeper@nachtigall.pub.solar - mkdir /tmp/keycloak-credential-reset sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
diff --git a/docs/keycloak/keycloak-update-realm.md b/docs/keycloak/keycloak-update-realm.md
index 68390172..fe729781 100644
--- a/docs/keycloak/keycloak-update-realm.md
+++ b/docs/keycloak/keycloak-update-realm.md
@@ -5,11 +5,11 @@ Required: - auth.pub.solar ops user credentials -- SSH access to host nachtigall +- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) + +Run the following after SSH'ing to `nachtigall`: ``` -ssh barkeeper@nachtigall.pub.solar - sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
diff --git a/docs/mediawiki-updates.md b/docs/mediawiki-updates.md
index fe30e7d3..7d3f5007 100644
--- a/docs/mediawiki-updates.md
+++ b/docs/mediawiki-updates.md
@@ -11,10 +11,9 @@ Next, push your changes to https://git.pub.solar and get them reviewed and approved. After approval, create a fresh backup of the database and deploy the changes to -`nachtigall`: +`nachtigall`. Run the following after [SSH'ing to `nachtigall`](./administrative-access.md#ssh-access): ``` -ssh barkeeper@nachtigall.pub.solar sudo -u postgres pg_dump --create -Fc mediawiki > mediawiki-db-$(date +%F).dump exit ```
@@ -23,10 +22,9 @@ exit deploy --targets '.#nachtigall' ``` -Then, finalize the update by running the database migration script: +Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`): ``` -ssh barkeeper@nachtigall.pub.solar docker exec -it mediawiki bash php maintenance/run.php update.php ```
From c18a9da4e93d1141ac64f2e9720dd80bd17271a3 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Mon, 10 Jun 2024 20:27:19 +0200
Subject: [PATCH 3/3] keycloak: update docs to use admin-cli client instead of ops user
---
 docs/deletion-request.md | 4 ++--
 docs/keycloak/keycloak-email-list.md | 1 -
 docs/keycloak/keycloak-reset-user-password.md | 4 ++--
 docs/keycloak/keycloak-update-realm.md | 2 +-
 4 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/docs/deletion-request.md b/docs/deletion-request.md
index c0aa2644..54f85aff 100644
--- a/docs/deletion-request.md
+++ b/docs/deletion-request.md
@@ -4,13 +4,13 @@ Required: -- auth.pub.solar ops user credentials +- auth.pub.solar `admin-cli` service user credentials - [SSH access to host `nachtigall`](./administrative-access.md#ssh-access) Run each of the following after SSH'ing to `nachtigall`: ``` -sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops +sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli # Take note of user id in response from following command sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar --query email=
diff --git a/docs/keycloak/keycloak-email-list.md b/docs/keycloak/keycloak-email-list.md
index 37769c90..6331f4d2 100644
--- a/docs/keycloak/keycloak-email-list.md
+++ b/docs/keycloak/keycloak-email-list.md
@@ -4,7 +4,6 @@ Required: -- auth.pub.solar ops user credentials - auth.pub.solar admin-cli service user credentials - [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
diff --git a/docs/keycloak/keycloak-reset-user-password.md b/docs/keycloak/keycloak-reset-user-password.md
index e10b9a51..4fc00bee 100644
--- a/docs/keycloak/keycloak-reset-user-password.md
+++ b/docs/keycloak/keycloak-reset-user-password.md
@@ -4,7 +4,7 @@ Required: -- auth.pub.solar ops user credentials +- auth.pub.solar admin-cli service user credentials - [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) Run the following after SSH'ing to `nachtigall`:
@@ -12,7 +12,7 @@ Run the following after SSH'ing to `nachtigall`: ``` mkdir /tmp/keycloak-credential-reset -sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops +sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar | jq --raw-output '.[] | .id' > /tmp/keycloak-credential-reset/all-uuids
diff --git a/docs/keycloak/keycloak-update-realm.md b/docs/keycloak/keycloak-update-realm.md
index fe729781..b924c2e1 100644
--- a/docs/keycloak/keycloak-update-realm.md
+++ b/docs/keycloak/keycloak-update-realm.md
@@ -4,7 +4,7 @@ Required: -- auth.pub.solar ops user credentials +- auth.pub.solar admin-cli service user credentials - [SSH access to host `nachtigall`](../administrative-access.md#ssh-access) Run the following after SSH'ing to `nachtigall`: