diff --git a/docs/automated-account-deletion.md b/docs/automated-account-deletion.md
new file mode 100644
index 0000000..b7c2cb7
--- /dev/null
+++ b/docs/automated-account-deletion.md
@@ -0,0 +1,14 @@
+# Automated account deletion
+
+Per GDPR legislation, accounts should be automatically deleted after a period of inactivity. We discern between two different types of accounts:
+
+1. Without verified email: should be deleted after 30 days without being activated
+2. With verified email: should be deleted after 2 years of inactivity
+
+Some services hold on to a session for a very long time. We'll have to query their APIs to see if the account is still in use:
+
+* Matrix via the admin api: https://matrix-org.github.io/synapse/v1.48/admin_api/user_admin_api.html#query-current-sessions-for-a-user
+* Mastodon via the admin api: https://docs.joinmastodon.org/methods/admin/accounts/#200-ok
+* Nextcloud only gives the last login, not the last active time like a sync via `nextcloud-occ user:lastseen`
+* Keycloak
+* We can ignore Forgejo, since the sessions there are valid for a maximum of one year, regardless of how they got created
diff --git a/flake.lock b/flake.lock
index c7304f3..536e3eb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,6 +52,25 @@
"devshell": {
"inputs": {
"flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1713532798,
+ "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
+ "owner": "numtide",
+ "repo": "devshell",
+ "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "devshell",
+ "type": "github"
+ }
+ },
+ "devshell_2": {
+ "inputs": {
+ "flake-utils": "flake-utils_2",
"nixpkgs": [
"keycloak-theme-pub-solar",
"nixpkgs"
@@ -122,6 +141,24 @@
"type": "github"
}
},
+ "flake-parts_2": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib_2"
+ },
+ "locked": {
+ "lastModified": 1712014858,
+ "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
"flake-utils": {
"inputs": {
"systems": "systems_3"
@@ -144,6 +181,24 @@
"inputs": {
"systems": "systems_4"
},
+ "locked": {
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_3": {
+ "inputs": {
+ "systems": "systems_5"
+ },
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
@@ -158,7 +213,7 @@
"type": "github"
}
},
- "flake-utils_3": {
+ "flake-utils_4": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
@@ -194,10 +249,33 @@
"type": "github"
}
},
- "keycloak-theme-pub-solar": {
+ "keycloak-event-listener": {
"inputs": {
"devshell": "devshell",
- "flake-utils": "flake-utils_2",
+ "flake-parts": "flake-parts_2",
+ "nixpkgs": [
+ "unstable"
+ ]
+ },
+ "locked": {
+ "lastModified": 1714263025,
+ "narHash": "sha256-Uesrz49RwbG7sHgiHkkb5o364BN9WbuwroWxVXdcfvo=",
+ "ref": "main",
+ "rev": "fb569f474698b5711c208fd5b4b5880d64863587",
+ "revCount": 2,
+ "type": "git",
+ "url": "https://git.pub.solar/pub-solar/keycloak-event-listener"
+ },
+ "original": {
+ "ref": "main",
+ "type": "git",
+ "url": "https://git.pub.solar/pub-solar/keycloak-event-listener"
+ }
+ },
+ "keycloak-theme-pub-solar": {
+ "inputs": {
+ "devshell": "devshell_2",
+ "flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
]
@@ -255,16 +333,16 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1713995372,
- "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
- "owner": "nixos",
+ "lastModified": 1704161960,
+ "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=",
+ "owner": "NixOS",
"repo": "nixpkgs",
- "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
+ "rev": "63143ac2c9186be6d9da6035fa22620018c85932",
"type": "github"
},
"original": {
- "owner": "nixos",
- "ref": "nixos-23.11",
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@@ -303,6 +381,40 @@
"type": "github"
}
},
+ "nixpkgs-lib_2": {
+ "locked": {
+ "dir": "lib",
+ "lastModified": 1711703276,
+ "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+ "type": "github"
+ },
+ "original": {
+ "dir": "lib",
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1713995372,
+ "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"root": {
"inputs": {
"agenix": "agenix",
@@ -310,10 +422,11 @@
"element-themes": "element-themes",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
+ "keycloak-event-listener": "keycloak-event-listener",
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
"nix-darwin": "nix-darwin",
"nixos-flake": "nixos-flake",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
"nixpkgs-2205": "nixpkgs-2205",
"triton-vmtools": "triton-vmtools",
"unstable": "unstable"
@@ -379,9 +492,24 @@
"type": "github"
}
},
+ "systems_5": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
"triton-vmtools": {
"inputs": {
- "flake-utils": "flake-utils_3",
+ "flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs"
]
diff --git a/flake.nix b/flake.nix
index 32e9c60..712fe99 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,6 +26,9 @@
keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs";
+ keycloak-event-listener.url = "git+https://git.pub.solar/pub-solar/keycloak-event-listener?ref=main";
+ keycloak-event-listener.inputs.nixpkgs.follows = "unstable";
+
triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools";
triton-vmtools.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/nachtigall/apps/keycloak.nix b/hosts/nachtigall/apps/keycloak.nix
index 81b46ec..413041f 100644
--- a/hosts/nachtigall/apps/keycloak.nix
+++ b/hosts/nachtigall/apps/keycloak.nix
@@ -44,6 +44,9 @@
themes = {
"pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
+ plugins = [
+ flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener
+ ];
};
services.restic.backups.keycloak-droppie = {