Compare commits

...

4 commits

Author SHA1 Message Date
teutat3s 2a9686798f
Merge pull request 'centralize docs for SSH access' (#206) from update-docs into main
Reviewed-on: #206
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2024-06-13 15:38:41 +00:00
teutat3s c18a9da4e9
keycloak: update docs to use admin-cli client instead of ops user
All checks were successful: Flake checks / Check (pull_request) Successful in 3m29s
2024-06-10 20:35:40 +02:00
teutat3s b687997390
docs: centralize SSH access docs
2024-06-10 20:35:40 +02:00
teutat3s bc3752683b
keycloak: add docs how to delete unverified accounts
2024-06-10 20:35:36 +02:00
7 changed files with 111 additions and 26 deletions


@ -30,6 +30,18 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b
1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
One can access our hosts using this domain scheme:
```
ssh barkeeper@<hostname>.wg.pub.solar
```
So, for example for `nachtigall`:
```
ssh barkeeper@nachtigall.wg.pub.solar
```
Example NixOS snippet for WireGuard client config
```
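Review bot: the hostname scheme introduced here, `ssh barkeeper@<hostname>.wg.pub.solar`, does not match the `ssh barkeeper@nachtigall.pub.solar` form that the other docs in this PR still carry in their code blocks while now linking to this section; since the surrounding text says port 22 is only reachable through the WireGuard network, state whether the plain `nachtigall.pub.solar` name also resolves to the WireGuard address or change the remaining docs to the `.wg.` form. The hunk also ends on an opened fence under "Example NixOS snippet for WireGuard client config" whose body is not visible in this view; confirm the snippet and its closing fence are present in the file. Minor wording: in step 2, "use that in both the ipv4 and ipv6 ranges" reads better as "use that number in both the IPv4 and IPv6 addresses".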


@ -4,13 +4,13 @@
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
- auth.pub.solar `admin-cli` service user credentials
- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
Run each of the following after SSH'ing to `nachtigall`:
```
ssh barkeeper@nachtigall.pub.solar
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli
# Take note of user id in response from following command
sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar --query email=<email-address>
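Review bot: `ssh barkeeper@nachtigall.pub.solar` is still the first line of this code block although the new intro says "Run each of the following after SSH'ing to `nachtigall`" and the Nextcloud, Mastodon and Forgejo blocks further down drop their ssh line; remove it here too so the document is consistent with its own link to the SSH access doc. Also, switching from `--user ops` to `--client admin-cli` means kcadm needs the client secret (`--secret` or the interactive prompt) rather than a password; the requirement list now says "`admin-cli` service user credentials", so say where that secret is kept, as the unverified-accounts doc in this PR does ("Credentials for the following command are in keepass").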
@ -26,7 +26,6 @@ Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-us
### Nextcloud
```
ssh barkeeper@nachtigall.pub.solar
nextcloud-occ user:delete <username>
```
@ -35,7 +34,6 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
### Mastodon
```
ssh barkeeper@nachtigall.pub.solar
sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
```
@ -44,7 +42,6 @@ Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
### Forgejo
```
ssh barkeeper@nachtigall.pub.solar
sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
```
@ -53,7 +50,6 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
### Matrix
```
ssh bartender@matrix.pub.solar -p 2020
curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
```
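Review bot: the Matrix step talks to `172.18.0.3:8008` from `matrix.pub.solar` (user `bartender`, port 2020), not from `nachtigall`, so the document's new intro "Run each of the following after SSH'ing to `nachtigall`" does not cover this section; if the ssh line is the one removed by this hunk, the section must say which host to be on, and the administrative-access doc it now points to needs an entry for the matrix host. Independently of that, the admin access token is passed as a literal on the command line, where it ends up in shell history and is visible in `ps` output; read it from a file or an environment variable instead, e.g. `--header "Authorization: Bearer $(cat /tmp/matrix-admin-token)"`.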


@ -0,0 +1,79 @@
# Delete accounts without verified email address
### Keycloak
Required:
- auth.pub.solar admin-cli service user credentials
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
Run following after SSH'ing to `nachtigall`.
Credentials for the following command are in keepass. Create a keycloak
config/credentials file at `/tmp/kcadm.config`:
```
sudo --user keycloak kcadm.sh config credentials \
--config /tmp/kcadm.config \
--server https://auth.pub.solar \
--realm pub.solar \
--client admin-cli
```
Get list of accounts without a verified email address:
```
sudo --user keycloak kcadm.sh get \
--config /tmp/kcadm.config \
users \
--realm pub.solar \
--query emailVerified=false \
> /tmp/keycloak-unverified-accounts
```
Review list of accounts, especially check `createdTimestamp` if any accounts
were created in the past 2 days. If so, delete those from the
`/tmp/keycloak-unverified-accounts` file.
```
createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
# timestamps are in nanoseconds since epoch, so we need to strip the last three digits
for timestamp in ${createdTimestamps[@]}; do date --date="@${timestamp::-3}"; done
vim /tmp/keycloak-unverified-accounts
```
Check how many accounts are going to be deleted:
```
jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
```
```
jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
```
Final check before deletion (dry-run):
```
for id in $(cat /tmp/keycloak-unverified-account-ids)
do
echo sudo --user keycloak kcadm.sh delete \
--config /tmp/kcadm.config \
users/$id \
--realm pub.solar
done
```
THIS WILL DELETE ACCOUNTS:
```
for id in $(cat /tmp/keycloak-unverified-account-ids)
do
sudo --user keycloak kcadm.sh delete \
--config /tmp/kcadm.config \
users/$id \
--realm pub.solar
done
```
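Review bot: the comment "timestamps are in nanoseconds since epoch, so we need to strip the last three digits" is wrong; Keycloak's `createdTimestamp` is milliseconds since the epoch, which is why dropping three digits yields the seconds that `date --date="@..."` expects. Fix the comment so the next reader does not "correct" the arithmetic. Three more points on the same file: `--server https://auth.pub.solar` differs from the `http://localhost:8080` the sibling keycloak docs use after this PR, so pick one; the users endpoint returns at most 100 results by default (REST `max`), so `kcadm.sh get users --query emailVerified=false` without `--limit`/`--offset` silently yields a partial list, unlike the user-listing doc in this PR which paginates with `--offset`; and `jq` is invoked as `nix run nixpkgs#jq` the first time but as bare `jq` afterwards. Finally, `/tmp/keycloak-unverified-accounts` and `/tmp/keycloak-unverified-account-ids` hold e-mail addresses and IDs of real accounts; add a cleanup step that removes them (and `/tmp/kcadm.config`) once the deletion is done.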


@ -4,12 +4,12 @@
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
- auth.pub.solar admin-cli service user credentials
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
Run following after SSH'ing to `nachtigall`:
```
ssh barkeeper@nachtigall.pub.solar
sudo --user keycloak kcadm.sh get users \
-r pub.solar \
--offset 0 \
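Review bot: the requirement was changed to admin-cli service user credentials, but the visible command `sudo --user keycloak kcadm.sh get users -r pub.solar --offset 0` carries no `--config /tmp/kcadm.config` and no `config credentials` step precedes it in this hunk; unless the file configures kcadm further down, the doc no longer shows how the new credentials are used, while the other keycloak docs in this PR add an explicit `config credentials --client admin-cli` line. As in the sibling files, `ssh barkeeper@nachtigall.pub.solar` is still inside the block right under "Run following after SSH'ing to `nachtigall`:" and should be dropped for consistency.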


@ -4,15 +4,15 @@
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
- auth.pub.solar admin-cli service user credentials
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
Run the following after SSH'ing to `nachtigall`:
```
ssh barkeeper@nachtigall.pub.solar
mkdir /tmp/keycloak-credential-reset
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --user ops
sudo --user keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm pub.solar --client admin-cli
sudo --user keycloak kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar | jq --raw-output '.[] | .id' > /tmp/keycloak-credential-reset/all-uuids
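Review bot: the line that builds `/tmp/keycloak-credential-reset/all-uuids` calls `kcadm.sh get --config /tmp/kcadm.config users --realm pub.solar` without `--limit`, so it receives only the first 100 users (the endpoint's default `max`) and the file named "all-uuids" is incomplete for a realm with more accounts; paginate with `--offset`/`--limit` as the user-listing doc in this PR does. Also `mkdir /tmp/keycloak-credential-reset` fails on a second run when the directory already exists; use `mkdir -p`. And `ssh barkeeper@nachtigall.pub.solar` is still the first line of the block although the intro now says the commands are run after SSH'ing, which is the pattern the other docs in this PR remove.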


@ -4,12 +4,12 @@
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
- auth.pub.solar admin-cli service user credentials
- [SSH access to host `nachtigall`](../administrative-access.md#ssh-access)
Run the following after SSH'ing to `nachtigall`:
```
ssh barkeeper@nachtigall.pub.solar
sudo -u keycloak kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin
sudo -u keycloak kcadm.sh get --config /tmp/kcadm.config realms/pub.solar
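Review bot: the requirement list was changed to "auth.pub.solar admin-cli service user credentials", but the unchanged command `kcadm.sh config credentials --config /tmp/kcadm.config --server http://localhost:8080 --realm master --user admin` authenticates as the `admin` user of the `master` realm, not as the pub.solar realm's `admin-cli` client; either keep the requirement as the master-realm admin credentials or change the command to the admin-cli client like the other docs in this PR. The leftover `ssh barkeeper@nachtigall.pub.solar` line inside the block has the same consistency issue as in the sibling files.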


@ -11,10 +11,9 @@ Next, push your changes to https://git.pub.solar and get them reviewed and
approved.
After approval, create a fresh backup of the database and deploy the changes to
`nachtigall`:
`nachtigall`. Run the following after [SSH'ing to `nachtigall`](./administrative-access.md#ssh-access):
```
ssh barkeeper@nachtigall.pub.solar
sudo -u postgres pg_dump --create -Fc mediawiki > mediawiki-db-$(date +%F).dump
exit
```
@ -23,10 +22,9 @@ exit
deploy --targets '.#nachtigall'
```
Then, finalize the update by running the database migration script:
Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`):
```
ssh barkeeper@nachtigall.pub.solar
docker exec -it mediawiki bash
php maintenance/run.php update.php
```
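Review bot: "in a [SSH](./administrative-access.md#ssh-access) shell" should read "in an SSH shell" (article before a vowel sound); otherwise the wording change is fine, and dropping the ssh line while keeping `docker exec -it mediawiki bash` followed by `php maintenance/run.php update.php` still makes clear that the migration runs inside the container.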