docs: centralize SSH access docs

2024-06-10 20:26:20 +02:00 · 2024-06-10 20:26:20 +02:00 · b687997390
parent bc3752683b
commit b687997390
7 changed files with 31 additions and 27 deletions
--- a/docs/administrative-access.md
+++ b/docs/administrative-access.md
@ -30,6 +30,18 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b
 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
 One can access our hosts using this domain scheme:
 ```
 ssh barkeeper@<hostname>.wg.pub.solar
 ```
 So, for example for `nachtigall`:
 ```
 ssh barkeeper@nachtigall.wg.pub.solar
 ```
 Example NixOS snippet for WireGuard client config
 ```
--- a/docs/deletion-request.md
+++ b/docs/deletion-request.md
@ -5,11 +5,11 @@
 Required:
 - auth.pub.solar ops user credentials
- SSH access to host nachtigall
+- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
 Run each of the following after SSH'ing to `nachtigall`:
 ```
 ssh barkeeper@nachtigall.pub.solar
 sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
 # Take note of user id in response from following command
@ -26,7 +26,6 @@ Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-us
 ### Nextcloud
 ```
 ssh barkeeper@nachtigall.pub.solar
 nextcloud-occ user:delete <username>
 ```
@ -35,7 +34,6 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
 ### Mastodon
 ```
 ssh barkeeper@nachtigall.pub.solar
 sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
 ```
@ -44,7 +42,6 @@ Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
 ### Forgejo
 ```
 ssh barkeeper@nachtigall.pub.solar
 sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
 ```
@ -53,7 +50,6 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
 ### Matrix
 ```
 ssh bartender@matrix.pub.solar -p 2020
 curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
 ```
--- a/docs/keycloak/delete-unverified-accounts.md
+++ b/docs/keycloak/delete-unverified-accounts.md
@ -5,15 +5,12 @@
 Required:
 - auth.pub.solar admin-cli service user credentials
- SSH access to host nachtigall
+- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
-```
+Run following after SSH'ing to `nachtigall`.
 ssh barkeeper@nachtigall.wg.pub.solar
 ```
-Credentials for the following command are in keepass.
+Credentials for the following command are in keepass. Create a keycloak
-
+config/credentials file at `/tmp/kcadm.config`:
 Create keycloak config/credentials file at `/tmp/kcadm.config`:
 ```
 sudo --user keycloak kcadm.sh config credentials \
--- a/docs/keycloak/keycloak-email-list.md
+++ b/docs/keycloak/keycloak-email-list.md
@ -5,11 +5,12 @@
 Required:
 - auth.pub.solar ops user credentials
- SSH access to host nachtigall
+- auth.pub.solar admin-cli service user credentials
 - [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
 Run following after SSH'ing to `nachtigall`:
 ```
 ssh barkeeper@nachtigall.pub.solar
 sudo --user keycloak kcadm.sh get users \
  -r pub.solar \
  --offset 0 \
--- a/docs/keycloak/keycloak-reset-user-password.md
+++ b/docs/keycloak/keycloak-reset-user-password.md
@ -5,11 +5,11 @@
 Required:
 - auth.pub.solar ops user credentials
- SSH access to host nachtigall
+- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
 Run the following after SSH'ing to `nachtigall`:
 ```
 ssh barkeeper@nachtigall.pub.solar
 mkdir /tmp/keycloak-credential-reset
 sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
--- a/docs/keycloak/keycloak-update-realm.md
+++ b/docs/keycloak/keycloak-update-realm.md
@ -5,11 +5,11 @@
 Required:
 - auth.pub.solar ops user credentials
- SSH access to host nachtigall
+- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
 Run the following after SSH'ing to `nachtigall`:
 ```
 ssh barkeeper@nachtigall.pub.solar
 sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin
 sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
--- a/docs/mediawiki-updates.md
+++ b/docs/mediawiki-updates.md
@ -11,10 +11,9 @@ Next, push your changes to https://git.pub.solar and get them reviewed and
 approved.
 After approval, create a fresh backup of the database and deploy the changes to
-`nachtigall`:
+`nachtigall`. Run the following after [SSH'ing to `nachtigall`](./administrative-access.md#ssh-access):
 ```
 ssh barkeeper@nachtigall.pub.solar
 sudo -u postgres pg_dump --create -Fc mediawiki > mediawiki-db-$(date +%F).dump
 exit
 ```
@ -23,10 +22,9 @@ exit
 deploy --targets '.#nachtigall'
 ```
-Then, finalize the update by running the database migration script:
+Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`):
 ```
 ssh barkeeper@nachtigall.pub.solar
 docker exec -it mediawiki bash
 php maintenance/run.php update.php
 ```