forked from pub-solar/infra
Merge pull request 'centralize docs for SSH access' (#206) from update-docs into main
Reviewed-on: pub-solar/infra#206 Reviewed-by: b12f <b12f@noreply.git.pub.solar>
This commit is contained in:
commit
2a9686798f
|
@ -30,6 +30,18 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b
|
|||
1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
|
||||
2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
|
||||
|
||||
One can access our hosts using this domain scheme:
|
||||
|
||||
```
|
||||
ssh barkeeper@<hostname>.wg.pub.solar
|
||||
```
|
||||
|
||||
So, for example for `nachtigall`:
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.wg.pub.solar
|
||||
```
|
||||
|
||||
Example NixOS snippet for WireGuard client config
|
||||
|
||||
```
|
||||
|
|
|
@ -4,13 +4,13 @@
|
|||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar ops user credentials
|
||||
- SSH access to host nachtigall
|
||||
- auth.pub.solar `admin-cli` service user credentials
|
||||
- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
|
||||
|
||||
Run each of the following after SSH'ing to `nachtigall`:
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
|
||||
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
|
||||
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli
|
||||
|
||||
# Take note of user id in response from following command
|
||||
sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar --query email=<email-address>
|
||||
|
@ -26,7 +26,6 @@ Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-us
|
|||
### Nextcloud
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
nextcloud-occ user:delete <username>
|
||||
```
|
||||
|
||||
|
@ -35,7 +34,6 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
|
|||
### Mastodon
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
|
||||
```
|
||||
|
||||
|
@ -44,7 +42,6 @@ Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
|
|||
### Forgejo
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
|
||||
```
|
||||
|
||||
|
@ -53,7 +50,6 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
|
|||
### Matrix
|
||||
|
||||
```
|
||||
ssh bartender@matrix.pub.solar -p 2020
|
||||
curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
|
||||
```
|
||||
|
||||
|
|
79
docs/keycloak/delete-unverified-accounts.md
Normal file
79
docs/keycloak/delete-unverified-accounts.md
Normal file
|
@ -0,0 +1,79 @@
|
|||
# Delete accounts without verified email address
|
||||
|
||||
### Keycloak
|
||||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar admin-cli service user credentials
|
||||
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
|
||||
|
||||
Run following after SSH'ing to `nachtigall`.
|
||||
|
||||
Credentials for the following command are in keepass. Create a keycloak
|
||||
config/credentials file at `/tmp/kcadm.config`:
|
||||
|
||||
```
|
||||
sudo --user keycloak kcadm.sh config credentials \
|
||||
--config /tmp/kcadm.config \
|
||||
--server https://auth.pub.solar \
|
||||
--realm pub.solar \
|
||||
--client admin-cli
|
||||
```
|
||||
|
||||
Get list of accounts without a verified email address:
|
||||
|
||||
```
|
||||
sudo --user keycloak kcadm.sh get \
|
||||
--config /tmp/kcadm.config \
|
||||
users \
|
||||
--realm pub.solar \
|
||||
--query emailVerified=false \
|
||||
> /tmp/keycloak-unverified-accounts
|
||||
```
|
||||
|
||||
Review list of accounts, especially check `createdTimestamp` if any accounts
|
||||
were created in the past 2 days. If so, delete those from the
|
||||
`/tmp/keycloak-unverified-accounts` file.
|
||||
|
||||
```
|
||||
createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
|
||||
|
||||
# timestamps are in nanoseconds since epoch, so we need to strip the last three digits
|
||||
for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done
|
||||
|
||||
vim /tmp/keycloak-unverified-accounts
|
||||
```
|
||||
|
||||
Check how many accounts are going to be deleted:
|
||||
|
||||
```
|
||||
jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
|
||||
```
|
||||
|
||||
```
|
||||
jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
|
||||
```
|
||||
|
||||
Final check before deletion (dry-run):
|
||||
|
||||
```
|
||||
for id in $(cat /tmp/keycloak-unverified-account-ids)
|
||||
do
|
||||
echo sudo --user keycloak kcadm.sh delete \
|
||||
--config /tmp/kcadm.config \
|
||||
users/$id \
|
||||
--realm pub.solar
|
||||
done
|
||||
```
|
||||
|
||||
THIS WILL DELETE ACCOUNTS:
|
||||
|
||||
```
|
||||
for id in $(cat /tmp/keycloak-unverified-account-ids)
|
||||
do
|
||||
sudo --user keycloak kcadm.sh delete \
|
||||
--config /tmp/kcadm.config \
|
||||
users/$id \
|
||||
--realm pub.solar
|
||||
done
|
||||
```
|
|
@ -4,12 +4,12 @@
|
|||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar ops user credentials
|
||||
- SSH access to host nachtigall
|
||||
- auth.pub.solar admin-cli service user credentials
|
||||
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
|
||||
|
||||
Run following after SSH'ing to `nachtigall`:
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
|
||||
sudo --user keycloak kcadm.sh get users \
|
||||
-r pub.solar \
|
||||
--offset 0 \
|
||||
|
|
|
@ -4,15 +4,15 @@
|
|||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar ops user credentials
|
||||
- SSH access to host nachtigall
|
||||
- auth.pub.solar admin-cli service user credentials
|
||||
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
|
||||
|
||||
Run the following after SSH'ing to `nachtigall`:
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
|
||||
mkdir /tmp/keycloak-credential-reset
|
||||
|
||||
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
|
||||
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli
|
||||
|
||||
sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar | jq --raw-output '.[] | .id' > /tmp/keycloak-credential-reset/all-uuids
|
||||
|
||||
|
|
|
@ -4,12 +4,12 @@
|
|||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar ops user credentials
|
||||
- SSH access to host nachtigall
|
||||
- auth.pub.solar admin-cli service user credentials
|
||||
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
|
||||
|
||||
Run the following after SSH'ing to `nachtigall`:
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
|
||||
sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin
|
||||
|
||||
sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
|
||||
|
|
|
@ -11,10 +11,9 @@ Next, push your changes to https://git.pub.solar and get them reviewed and
|
|||
approved.
|
||||
|
||||
After approval, create a fresh backup of the database and deploy the changes to
|
||||
`nachtigall`:
|
||||
`nachtigall`. Run the following after [SSH'ing to `nachtigall`](./administrative-access.md#ssh-access):
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
sudo -u postgres pg_dump --create -Fc mediawiki > mediawiki-db-$(date +%F).dump
|
||||
exit
|
||||
```
|
||||
|
@ -23,10 +22,9 @@ exit
|
|||
deploy --targets '.#nachtigall'
|
||||
```
|
||||
|
||||
Then, finalize the update by running the database migration script:
|
||||
Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`):
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
docker exec -it mediawiki bash
|
||||
php maintenance/run.php update.php
|
||||
```
|
||||
|
|
Loading…
Reference in a new issue