Merge pull request 'centralize docs for SSH access' (#206) from update-docs into main

Reviewed-on: #206
Reviewed-by: b12f <b12f@noreply.git.pub.solar>

docs/administrative-access.md

@@ -30,6 +30,18 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b
 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
 
+One can access our hosts using this domain scheme:
+
+```
+ssh barkeeper@<hostname>.wg.pub.solar
+```
+
+So, for example for `nachtigall`:
+
+```
+ssh barkeeper@nachtigall.wg.pub.solar
+```
+
 Example NixOS snippet for WireGuard client config
 
 ```

docs/deletion-request.md

@@ -4,13 +4,13 @@
 
 Required:
 
-- auth.pub.solar ops user credentials
-- SSH access to host nachtigall
+- auth.pub.solar `admin-cli` service user credentials
+- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
+
+Run each of the following after SSH'ing to `nachtigall`:
 
 ```
-ssh barkeeper@nachtigall.pub.solar
-
-sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
+sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli
 
 # Take note of user id in response from following command
 sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar --query email=<email-address>
@@ -26,7 +26,6 @@ Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-us
 ### Nextcloud
 
 ```
-ssh barkeeper@nachtigall.pub.solar
 nextcloud-occ user:delete <username>
 ```
 
@@ -35,7 +34,6 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
 ### Mastodon
 
 ```
-ssh barkeeper@nachtigall.pub.solar
 sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
 ```
 
@@ -44,7 +42,6 @@ Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
 ### Forgejo
 
 ```
-ssh barkeeper@nachtigall.pub.solar
 sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
 ```
 
@@ -53,7 +50,6 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
 ### Matrix
 
 ```
-ssh bartender@matrix.pub.solar -p 2020
 curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
 ```
 

docs/keycloak/delete-unverified-accounts.md

@@ -0,0 +1,79 @@
+# Delete accounts without verified email address
+
+### Keycloak
+
+Required:
+
+- auth.pub.solar admin-cli service user credentials
+- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
+
+Run following after SSH'ing to `nachtigall`.
+
+Credentials for the following command are in keepass. Create a keycloak
+config/credentials file at `/tmp/kcadm.config`:
+
+```
+sudo --user keycloak kcadm.sh config credentials \
+  --config /tmp/kcadm.config \
+  --server https://auth.pub.solar \
+  --realm pub.solar \
+  --client admin-cli
+```
+
+Get list of accounts without a verified email address:
+
+```
+sudo --user keycloak kcadm.sh get \
+  --config /tmp/kcadm.config \
+  users \
+  --realm pub.solar \
+  --query emailVerified=false \
+  > /tmp/keycloak-unverified-accounts
+```
+
+Review list of accounts, especially check `createdTimestamp` if any accounts
+were created in the past 2 days. If so, delete those from the
+`/tmp/keycloak-unverified-accounts` file.
+
+```
+createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
+
+# timestamps are in nanoseconds since epoch, so we need to strip the last three digits
+for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done
+
+vim /tmp/keycloak-unverified-accounts
+```
+
+Check how many accounts are going to be deleted:
+
+```
+jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
+```
+
+```
+jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
+```
+
+Final check before deletion (dry-run):
+
+```
+for id in $(cat /tmp/keycloak-unverified-account-ids)
+  do
+    echo sudo --user keycloak kcadm.sh delete \
+      --config /tmp/kcadm.config \
+      users/$id \
+      --realm pub.solar
+  done
+```
+
+THIS WILL DELETE ACCOUNTS:
+
+```
+for id in $(cat /tmp/keycloak-unverified-account-ids)
+  do
+    sudo --user keycloak kcadm.sh delete \
+      --config /tmp/kcadm.config \
+      users/$id \
+      --realm pub.solar
+  done
+```

docs/keycloak/keycloak-email-list.md

@@ -4,12 +4,12 @@
 
 Required:
 
-- auth.pub.solar ops user credentials
-- SSH access to host nachtigall
+- auth.pub.solar admin-cli service user credentials
+- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
+
+Run following after SSH'ing to `nachtigall`:
 
 ```
-ssh barkeeper@nachtigall.pub.solar
-
 sudo --user keycloak kcadm.sh get users \
   -r pub.solar \
   --offset 0 \

docs/keycloak/keycloak-reset-user-password.md

@@ -4,15 +4,15 @@
 
 Required:
 
-- auth.pub.solar ops user credentials
-- SSH access to host nachtigall
+- auth.pub.solar admin-cli service user credentials
+- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
+
+Run the following after SSH'ing to `nachtigall`:
 
 ```
-ssh barkeeper@nachtigall.pub.solar
-
 mkdir /tmp/keycloak-credential-reset
 
-sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
+sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli
 
 sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar | jq --raw-output '.[] | .id' > /tmp/keycloak-credential-reset/all-uuids
 

docs/keycloak/keycloak-update-realm.md

@@ -4,12 +4,12 @@
 
 Required:
 
-- auth.pub.solar ops user credentials
-- SSH access to host nachtigall
+- auth.pub.solar admin-cli service user credentials
+- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
+
+Run the following after SSH'ing to `nachtigall`:
 
 ```
-ssh barkeeper@nachtigall.pub.solar
-
 sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin
 
 sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar

docs/mediawiki-updates.md

@@ -11,10 +11,9 @@ Next, push your changes to https://git.pub.solar and get them reviewed and
 approved.
 
 After approval, create a fresh backup of the database and deploy the changes to
-`nachtigall`:
+`nachtigall`. Run the following after [SSH'ing to `nachtigall`](./administrative-access.md#ssh-access):
 
 ```
-ssh barkeeper@nachtigall.pub.solar
 sudo -u postgres pg_dump --create -Fc mediawiki > mediawiki-db-$(date +%F).dump
 exit
 ```
@@ -23,10 +22,9 @@ exit
 deploy --targets '.#nachtigall'
 ```
 
-Then, finalize the update by running the database migration script:
+Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`):
 
 ```
-ssh barkeeper@nachtigall.pub.solar
 docker exec -it mediawiki bash
 php maintenance/run.php update.php
 ```