From bc3752683b5bfb3e7140a3cebf47f7b1375a4cfd Mon Sep 17 00:00:00 2001
From: teutat3s <teutates@mailbox.org>
Date: Mon, 10 Jun 2024 20:00:45 +0200
Subject: [PATCH] keycloak: add docs how to delete unverified accounts

---
 docs/keycloak/delete-unverified-accounts.md | 82 +++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 docs/keycloak/delete-unverified-accounts.md

diff --git a/docs/keycloak/delete-unverified-accounts.md b/docs/keycloak/delete-unverified-accounts.md
new file mode 100644
index 0000000..031abc0
--- /dev/null
+++ b/docs/keycloak/delete-unverified-accounts.md
@@ -0,0 +1,82 @@
+# Delete accounts without verified email address
+
+### Keycloak
+
+Required:
+
+- auth.pub.solar admin-cli service user credentials
+- SSH access to host nachtigall
+
+```
+ssh barkeeper@nachtigall.wg.pub.solar
+```
+
+Credentials for the following command are in keepass.
+
+Create keycloak config/credentials file at `/tmp/kcadm.config`:
+
+```
+sudo --user keycloak kcadm.sh config credentials \
+  --config /tmp/kcadm.config \
+  --server https://auth.pub.solar \
+  --realm pub.solar \
+  --client admin-cli
+```
+
+Get list of accounts without a verified email address:
+
+```
+sudo --user keycloak kcadm.sh get \
+  --config /tmp/kcadm.config \
+  users \
+  --realm pub.solar \
+  --query emailVerified=false \
+  > /tmp/keycloak-unverified-accounts
+```
+
+Review list of accounts, especially check `createdTimestamp` if any accounts
+were created in the past 2 days. If so, delete those from the
+`/tmp/keycloak-unverified-accounts` file.
+
+```
+createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
+
+# timestamps are in nanoseconds since epoch, so we need to strip the last three digits
+for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done
+
+vim /tmp/keycloak-unverified-accounts
+```
+
+Check how many accounts are going to be deleted:
+
+```
+jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
+```
+
+```
+jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
+```
+
+Final check before deletion (dry-run):
+
+```
+for id in $(cat /tmp/keycloak-unverified-account-ids)
+  do
+    echo sudo --user keycloak kcadm.sh delete \
+      --config /tmp/kcadm.config \
+      users/$id \
+      --realm pub.solar
+  done
+```
+
+THIS WILL DELETE ACCOUNTS:
+
+```
+for id in $(cat /tmp/keycloak-unverified-account-ids)
+  do
+    sudo --user keycloak kcadm.sh delete \
+      --config /tmp/kcadm.config \
+      users/$id \
+      --realm pub.solar
+  done
+```