diff --git a/docs/automated-account-deletion.md b/docs/automated-account-deletion.md
new file mode 100644
index 0000000..b7c2cb7
--- /dev/null
+++ b/docs/automated-account-deletion.md
@@ -0,0 +1,14 @@
+# Automated account deletion
+
+Per GDPR legislation, accounts should be automatically deleted after a period of inactivity. We discern between two different types of accounts:
+
+1. Without verified email: should be deleted after 30 days without being activated
+2. With verified email: should be deleted after 2 years of inactivity
+
+Some services hold on to a session for a very long time. We'll have to query their APIs to see if the account is still in use:
+
+* Matrix via the admin api: https://matrix-org.github.io/synapse/v1.48/admin_api/user_admin_api.html#query-current-sessions-for-a-user
+* Mastodon via the admin api: https://docs.joinmastodon.org/methods/admin/accounts/#200-ok
+* Nextcloud only gives the last login, not the last active time like a sync via `nextcloud-occ user:lastseen`
+* Keycloak
+* We can ignore Forgejo, since the sessions there are valid for a maximum of one year, regardless of how they got created
diff --git a/flake.lock b/flake.lock
index c7304f3..536e3eb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,6 +52,25 @@
 "devshell": {
 "inputs": {
 "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1713532798,
+ "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
+ "owner": "numtide",
+ "repo": "devshell",
+ "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "devshell",
+ "type": "github"
+ }
+ },
+ "devshell_2": {
+ "inputs": {
+ "flake-utils": "flake-utils_2",
 "nixpkgs": [
 "keycloak-theme-pub-solar",
 "nixpkgs"
@@ -122,6 +141,24 @@
 "type": "github"
 }
 },
+ "flake-parts_2": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib_2"
+ },
+ "locked": {
+ "lastModified": 1712014858,
+ "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "inputs": {
 "systems": "systems_3"
@@ -144,6 +181,24 @@
 "inputs": {
 "systems": "systems_4"
 },
+ "locked": {
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_3": {
+ "inputs": {
+ "systems": "systems_5"
+ },
 "locked": {
 "lastModified": 1705309234,
 "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
@@ -158,7 +213,7 @@
 "type": "github"
 }
 },
- "flake-utils_3": {
+ "flake-utils_4": {
 "locked": {
 "lastModified": 1653893745,
 "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
@@ -194,10 +249,33 @@
 "type": "github"
 }
 },
- "keycloak-theme-pub-solar": {
+ "keycloak-event-listener": {
 "inputs": {
 "devshell": "devshell",
- "flake-utils": "flake-utils_2",
+ "flake-parts": "flake-parts_2",
+ "nixpkgs": [
+ "unstable"
+ ]
+ },
+ "locked": {
+ "lastModified": 1714263025,
+ "narHash": "sha256-Uesrz49RwbG7sHgiHkkb5o364BN9WbuwroWxVXdcfvo=",
+ "ref": "main",
+ "rev": "fb569f474698b5711c208fd5b4b5880d64863587",
+ "revCount": 2,
+ "type": "git",
+ "url": "https://git.pub.solar/pub-solar/keycloak-event-listener"
+ },
+ "original": {
+ "ref": "main",
+ "type": "git",
+ "url": "https://git.pub.solar/pub-solar/keycloak-event-listener"
+ }
+ },
+ "keycloak-theme-pub-solar": {
+ "inputs": {
+ "devshell": "devshell_2",
+ "flake-utils": "flake-utils_3",
 "nixpkgs": [
 "nixpkgs"
 ]
@@ -255,16 +333,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1713995372,
- "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
- "owner": "nixos",
+ "lastModified": 1704161960,
+ "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=",
+ "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
+ "rev": "63143ac2c9186be6d9da6035fa22620018c85932",
 "type": "github"
 },
 "original": {
- "owner": "nixos",
- "ref": "nixos-23.11",
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -303,6 +381,40 @@
 "type": "github"
 }
 },
+ "nixpkgs-lib_2": {
+ "locked": {
+ "dir": "lib",
+ "lastModified": 1711703276,
+ "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+ "type": "github"
+ },
+ "original": {
+ "dir": "lib",
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1713995372,
+ "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "agenix": "agenix",
@@ -310,10 +422,11 @@
 "element-themes": "element-themes",
 "flake-parts": "flake-parts",
 "home-manager": "home-manager",
+ "keycloak-event-listener": "keycloak-event-listener",
 "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
 "nix-darwin": "nix-darwin",
 "nixos-flake": "nixos-flake",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "nixpkgs-2205": "nixpkgs-2205",
 "triton-vmtools": "triton-vmtools",
 "unstable": "unstable"
@@ -379,9 +492,24 @@
 "type": "github"
 }
 },
+ "systems_5": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "triton-vmtools": {
 "inputs": {
- "flake-utils": "flake-utils_3",
+ "flake-utils": "flake-utils_4",
 "nixpkgs": [
 "nixpkgs"
 ]
diff --git a/flake.nix b/flake.nix
index 32e9c60..712fe99 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,6 +26,9 @@ keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main"; keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs"; + keycloak-event-listener.url = "git+https://git.pub.solar/pub-solar/keycloak-event-listener?ref=main"; + keycloak-event-listener.inputs.nixpkgs.follows = "unstable"; + triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools"; triton-vmtools.inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/nachtigall/apps/keycloak.nix b/hosts/nachtigall/apps/keycloak.nix index 81b46ec..413041f 100644 --- a/hosts/nachtigall/apps/keycloak.nix +++ b/hosts/nachtigall/apps/keycloak.nix @@ -44,6 +44,9 @@ themes = { "pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar; }; + plugins = [ + flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener + ]; }; services.restic.backups.keycloak-droppie = {
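Review bot: The new `keycloak-event-listener` input follows `unstable`, while the neighbouring `keycloak-theme-pub-solar` and `triton-vmtools` inputs in the same hunk follow `nixpkgs`, and nothing records why the plugin needs a different channel. If the Keycloak server on nachtigall comes from `nixpkgs` (not visible here), the listener jar would presumably be built against a different Keycloak release than the one that loads it, which is a version-compatibility risk for an SPI plugin that is easy to miss on a later `nix flake update`. A comment next to the `follows` line, such as `# plugin is built with unstable; keep in step with the Keycloak version deployed on nachtigall`, would make the constraint explicit, or the input could follow `nixpkgs` like its neighbours if the plugin builds there. The enclosing `inputs` set starts and ends outside the hunk.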
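Review bot: The new `plugins` entry ships the listener jar without a comment saying what the plugin does or where it is expected to be switched on. In Keycloak an event-listener provider only takes effect once it is added to a realm's event listeners configuration, so this hunk alone produces no observable change and the remaining manual step is undocumented; a comment like `# event listener SPI from the keycloak-event-listener flake input; must also be enabled per realm under Realm settings -> Events -> Event listeners` above `plugins = [` would capture it. It would also be worth stating in that comment which Keycloak version the jar was built for, since flake.nix in this commit builds it from `unstable` while the server package here presumably comes from `pkgs`. The enclosing attribute set (presumably `services.keycloak`) starts and ends outside the hunk.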