Merge pull request 'feat: add docs for deletion requests and keycloak tasks' (#60) from feat/keycloak-and-deletion-docs into main

Reviewed-on: pub-solar/infra#60
Reviewed-by: b12f <b12f@noreply.git.pub.solar>

docs/deletion-request.md

@@ -0,0 +1,61 @@
+# Process for handling a deletion request
+
+### Keycloak
+Required:
+- auth.pub.solar ops user credentials
+- SSH access to host nachtigall
+```
+ssh barkeeper@nachtigall.pub.solar
+
+sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
+
+# Take note of user id in response from following command
+sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar --query email=<email-address>
+
+# To avoid impersonification, we deactivate the account by resetting the password and email address
+# Use user id from previous command, for example
+sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/2ec6f173-3c10-4b82-9808-e2f2d393ff11/reset-password --realm pub.solar --set type=password --set value=<random-password> --no-merge
+sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/2ec6f173-3c10-4b82-9808-e2f2d393ff11 --realm pub.solar --set email=<username>@deactivated.pub.solar
+```
+
+Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-user
+
+
+### Nextcloud
+```
+ssh barkeeper@nachtigall.pub.solar
+nextcloud-occ user:delete <username>
+```
+
+Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#user-commands-label
+
+
+### Mastodon
+```
+ssh barkeeper@nachtigall.pub.solar
+sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
+```
+
+Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
+
+
+### Forgejo
+```
+ssh barkeeper@nachtigall.pub.solar
+sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
+```
+
+Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
+
+
+### Matrix
+```
+ssh bartender@matrix.pub.solar -p 2020
+curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
+```
+
+Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account
+
+
+### OpenBikeSensor
+Not implemented, see: https://github.com/openbikesensor/portal/issues/95

docs/keycloak/keycloak-email-list.md

@@ -0,0 +1,22 @@
+# Process for getting a list of email addresses of all keycloak users
+
+### Keycloak
+Required:
+- auth.pub.solar ops user credentials
+- SSH access to host nachtigall
+```
+ssh barkeeper@nachtigall.pub.solar
+
+sudo --user keycloak kcadm.sh get users \
+  -r pub.solar \
+  --offset 0 \
+  --limit 1000 \
+  --no-config \
+  --server http://localhost:8080 \
+  --realm master \
+  --user admin \
+  --password <admin password> \
+  > keycloak-user-list.json
+
+jq -r '.[].email' < keycloak-user-list.json
+```

docs/keycloak/keycloak-reset-user-password.md

@@ -0,0 +1,33 @@
+# Process for resetting keycloak user passwords
+
+### Keycloak
+Required:
+- auth.pub.solar ops user credentials
+- SSH access to host nachtigall
+```
+ssh barkeeper@nachtigall.pub.solar
+
+mkdir /tmp/keycloak-credential-reset
+
+sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
+
+sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar | jq --raw-output '.[] | .id' > /tmp/keycloak-credential-reset/all-uuids
+
+for UUID in $(cat /tmp/keycloak-credential-reset/all-uuids); do
+  sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users/$UUID/credentials --realm pub.solar > /tmp/keycloak-credential-reset/$UUID
+done
+
+mkdir /tmp/keycloak-credential-reset/accounts-with-creds
+
+find /tmp/keycloak-credential-reset -type f -size +3c -exec mv '{}' /tmp/keycloak-credential-reset/accounts-with-creds/ \;
+
+rm -r /tmp/keycloak-credential-reset/accounts-with-creds/
+
+find /tmp/keycloak-credential-reset/ -type f -exec basename '{}' \; > /tmp/keycloak-credential-reset/accounts-without-credentials
+
+vim /tmp/keycloak-credential-reset/accounts-without-credentials
+
+for UUID in $(cat /tmp/keycloak-credential-reset/accounts-without-credentials); do
+  sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/$UUID/reset-password --target-realm pub.solar --set type=password --set value=$(< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-32};echo;) --set temporary=true --no-merge
+done
+```

docs/keycloak/keycloak-update-realm.md

@@ -0,0 +1,19 @@
+# Process for updating a keycloak realm via CLI
+
+### Keycloak
+Required:
+- auth.pub.solar ops user credentials
+- SSH access to host nachtigall
+```
+ssh barkeeper@nachtigall.pub.solar
+
+sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin
+
+sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
+
+sudo -u keycloak kcadm.sh update --config /tmp/kcadm.config realms/pub.solar -s browserFlow='Webauthn Browser'
+
+sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
+```
+
+Source: https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/