From 47c2e94e91700c6abe17012a82f72bbe1f69df46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Sun, 28 Apr 2024 02:44:14 +0200
Subject: [PATCH] auth: add last login to keycloak, add docs

---
 docs/automated-account-deletion.md | 14 +++
 flake.lock | 158 ++++++++++++++++++++++++++---
 flake.nix | 3 +
 modules/keycloak/default.nix | 3 +
 4 files changed, 163 insertions(+), 15 deletions(-)
 create mode 100644 docs/automated-account-deletion.md

diff --git a/docs/automated-account-deletion.md b/docs/automated-account-deletion.md
new file mode 100644
index 0000000..b7c2cb7
--- /dev/null
+++ b/docs/automated-account-deletion.md
@@ -0,0 +1,14 @@
+# Automated account deletion
+
+Per GDPR legislation, accounts should be automatically deleted after a period of inactivity. We discern between two different types of accounts:
+
+1. Without verified email: should be deleted after 30 days without being activated
+2. With verified email: should be deleted after 2 years of inactivity
+
+Some services hold on to a session for a very long time. We'll have to query their APIs to see if the account is still in use:
+
+* Matrix via the admin api: https://matrix-org.github.io/synapse/v1.48/admin_api/user_admin_api.html#query-current-sessions-for-a-user
+* Mastodon via the admin api: https://docs.joinmastodon.org/methods/admin/accounts/#200-ok
+* Nextcloud only gives the last login, not the last active time like a sync via `nextcloud-occ user:lastseen`
+* Keycloak
+* We can ignore Forgejo, since the sessions there are valid for a maximum of one year, regardless of how they got created
diff --git a/flake.lock b/flake.lock
index 44c855a..1f71268 100644
--- a/flake.lock
+++ b/flake.lock
@@ -68,6 +68,25 @@ "devshell": { "inputs": { "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1713532798, + "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=", + "owner": "numtide", + "repo": "devshell", + "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, + "devshell_2": { + "inputs": { + "flake-utils": "flake-utils_2", "nixpkgs": [ "keycloak-theme-pub-solar", "nixpkgs" @@ -178,6 +197,24 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_3" @@ -200,6 +237,24 @@ "inputs": { "systems": "systems_4" }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_5" + }, "locked": { "lastModified": 1705309234, "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", @@ -214,7 +269,7 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "locked": { "lastModified": 1653893745, "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", 
@@ -250,10 +305,33 @@ "type": "github" } }, - "keycloak-theme-pub-solar": { + "keycloak-event-listener": { "inputs": { "devshell": "devshell", - "flake-utils": "flake-utils_2", + "flake-parts": "flake-parts_2", + "nixpkgs": [ + "unstable" + ] + }, + "locked": { + "lastModified": 1714263025, + "narHash": "sha256-Uesrz49RwbG7sHgiHkkb5o364BN9WbuwroWxVXdcfvo=", + "ref": "main", + "rev": "fb569f474698b5711c208fd5b4b5880d64863587", + "revCount": 2, + "type": "git", + "url": "https://git.pub.solar/pub-solar/keycloak-event-listener" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://git.pub.solar/pub-solar/keycloak-event-listener" + } + }, + "keycloak-theme-pub-solar": { + "inputs": { + "devshell": "devshell_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] @@ -299,11 +377,11 @@ ] }, "locked": { - "lastModified": 1724299755, - "narHash": "sha256-P5zMA17kD9tqiqMuNXwupkM7buM3gMNtoZ1VuJTRDE4=", + "lastModified": 1724561770, + "narHash": "sha256-zv8C9RNa86CIpyHwPIVO/k+5TfM8ZbjGwOOpTe1grls=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "a8968d88e5a537b0491f68ce910749cd870bdbef", + "rev": "ac5694a0b855a981e81b4d9f14052e3ff46ca39e", "type": "github" }, "original": { @@ -330,16 +408,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1724242322, - "narHash": "sha256-HMpK7hNjhEk4z5SFg5UtxEio9OWFocHdaQzCfW1pE7w=", - "owner": "nixos", + "lastModified": 1704161960, + "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "224042e9a3039291f22f4f2ded12af95a616cca0", + "rev": "63143ac2c9186be6d9da6035fa22620018c85932", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-24.05", + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -372,6 +450,40 @@ "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" } }, + "nixpkgs-lib_2": { + "locked": { + "dir": "lib", + "lastModified": 1711703276, + "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1724316499, + "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -380,11 +492,12 @@ "element-themes": "element-themes", "flake-parts": "flake-parts", "home-manager": "home-manager", + "keycloak-event-listener": "keycloak-event-listener", "keycloak-theme-pub-solar": "keycloak-theme-pub-solar", "maunium-stickerpicker": "maunium-stickerpicker", "nix-darwin": "nix-darwin", "nixos-flake": "nixos-flake", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-2205": "nixpkgs-2205", "simple-nixos-mailserver": "simple-nixos-mailserver", "triton-vmtools": "triton-vmtools", @@ -493,9 +606,24 @@ "type": "github" } }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "triton-vmtools": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ] 
@@ -553,7 +681,7 @@ }, "utils_2": { "inputs": { - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1709126324, diff --git a/flake.nix b/flake.nix index a86c7a9..4ac9e41 100644 --- a/flake.nix +++ b/flake.nix @@ -26,6 +26,9 @@ keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main"; keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs"; + keycloak-event-listener.url = "git+https://git.pub.solar/pub-solar/keycloak-event-listener?ref=main"; + keycloak-event-listener.inputs.nixpkgs.follows = "unstable"; + triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools"; triton-vmtools.inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix index 59d924b..b567f59 100644 --- a/modules/keycloak/default.nix +++ b/modules/keycloak/default.nix @@ -56,6 +56,9 @@ "pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar; }; + plugins = [ + flake.inputs.keycloak-event-listener.packages.${pkgs.system}.keycloak-event-listener + ]; }; pub-solar-os.backups.backups.keycloak = {
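Review bot: The new `keycloak-event-listener` input follows `unstable`, while the neighbouring `keycloak-theme-pub-solar` and `triton-vmtools` inputs follow `nixpkgs`, and nothing in the flake.nix hunk says why; a one-line comment above it such as `# keycloak-event-listener is built against unstable: <reason>` would keep the next editor from "harmonising" it. Only the plugin's own `nixpkgs` is overridden: its `devshell` and `flake-parts` inputs are not, so the flake.lock hunks show a second `nixpkgs` node on `nixpkgs-unstable` (lastModified 1704161960, reached via `devshell`) plus `flake-parts_2`/`nixpkgs-lib_2` — three extra pinned source trees that `nix flake update` now has to track and that widen the supply-chain surface of the auth-server build. If the devshell only serves development of the listener, `keycloak-event-listener.inputs.devshell.inputs.nixpkgs.follows = "unstable";` would collapse the duplicate pin; whether the plugin's build itself consumes that devshell cannot be told from here.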
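Review bot: The added `plugins` list loads the listener jar into the Keycloak process, but nothing in this commit ("add last login to keycloak") enables it for a realm — Keycloak only invokes an event listener that is selected in the realm's events configuration (`eventsListeners`) — and the attribute set enclosing `plugins` starts and ends outside the hunk, so if that step does not live elsewhere the plugin is dormant. The code comes from `git.pub.solar/pub-solar/keycloak-event-listener` on ref `main`, locked in flake.lock at rev `fb569f474698b5711c208fd5b4b5880d64863587` with `revCount` 2, i.e. a very young repository running in-process in the identity provider with access to user and session data; a comment stating what it does and where it is switched on is warranted, e.g. `# Event listener recording each user's last login (input: automated inactive-account deletion, see docs/automated-account-deletion.md); must also be enabled per realm`. The `* Keycloak` bullet in the new docs file is empty and should state that last-login comes from this listener, otherwise the deletion procedure described there has a gap for the service that holds every account.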