infra:services:hacker-id

Differences

This shows you the differences between two versions of the page.

infra:services:hacker-id [2025/07/26 17:01] d404d_idp.hackeriet.no
infra:services:hacker-id [2025/08/13 21:24] (current) – [System setup] d404d_idp.hackeriet.no
Line 12: Line 12:
 Regards, 404'd Regards, 404'd
 </WRAP> </WRAP>
- 
  
 A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to. A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.
  
 Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula). Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula).
 +
 +===== Onboarding =====
 +Hackeriet members can begin onboarding by visiting the Hacker-ID section in Hula:
 +
 +https://hackeriet.no/hula/idp/
  
 ===== Hacker-ID capable services ===== ===== Hacker-ID capable services =====
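Review bot: the new Onboarding section consists of a bare URL, while the rest of the page uses DokuWiki link syntax with a label (two lines up: ''[[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]]''); consider ''[[https://hackeriet.no/hula/idp/|Hacker-ID section in Hula]]'' for consistency. Since this is the first thing a new member reads, it would also help to say what they need before starting and what they end up with afterwards (which of the groups listed under ACL structure they are placed in), rather than leaving that to the linked GitHub ticket further down.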
Line 34: Line 38:
 Implementation of Hacker-ID onboarding is discussed in this Github ticket: https://github.com/hackeriet/hackerhula/pull/43 Implementation of Hacker-ID onboarding is discussed in this Github ticket: https://github.com/hackeriet/hackerhula/pull/43
  
-==== Changing account name ==== +==== Changing account name/display name/email ==== 
-All users are able to change their own account name.+All users are able to change their personal information. 
 + 
 +This includes the login name used for both the web portal, and any Unix accounts used on servers. 
 +This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile 
 + 
 +Unless noted otherwise here, all services consuming Hacker-ID supports account renames/email changes. 
 + 
 +<WRAP center round alert 60%> 
 +Mobilizon (events.hackeriet.no) uses your EMAIL for account bindings. It does not seem like we can change this.
  
-This is the login name used for both the web portal, and any Unix accounts used on servers. +Please get someone to help you with updating your email in Mobilizon in order to avoid losing access to your account.
-Unless noted otherwise here, all services consuming Hacker-ID supports account renames.+
  
-You can rename your account using the CLIThe following example renames the account ''d404d'' to ''testlmao'':+When changing emails, you should keep your old primary email on-account as a secondary email. 
 +</WRAP>
  
-<code>kanidm person update d404d --newname testlmao</code>+<WRAP center round important 60%> 
 +Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes. 
 +</WRAP>
  
 +You can also rename and update your account profile using the CLI:
  
 +  * Account name: <code>kanidm person update d404d --newname testlmao</code>
 +  * Display name: <code>kanidm person update d404d --displayname "Epic New Hacker Name"</code>
 +  * Email: <code>kanidm person update d404d --email "<somehandle>@hackeriet.no"</code>
 ===== ACL structure ===== ===== ACL structure =====
 During the draft phase, the following groups have been configured: During the draft phase, the following groups have been configured:
  
 ^ Name ^ Entry manager ^ Description ^ ^ Name ^ Entry manager ^ Description ^
-| ''hackeriet-members'' | ''hackeriet-styret'' | All currently active members | +| ''hackeriet-members'' | ''svc-hackerhula'' | All currently active members | 
-| ''hackeriet-styret'' | ''hackeriet-styret'' | Current board members | +| ''hackeriet-styret'' | ''svc-hackerhula'' | Current board members | 
-| ''hackeriet-alumni'' | ''hackeriet-styret'' | Members who are no longer active | +| ''hackeriet-alumni'' | ''svc-hackerhula'' | Members who are no longer active | 
-| ''nettlaug-tenants'' | ''nettlaug-operators'' | People renting space/resources within nettlauget's infrastructure | +| ''nettlaug-tenants'' | ''svc-hackerhula'' | People renting space/resources within nettlauget's infrastructure | 
-| ''nettlaug-operators'' | ''nettlaug-operators'' | Core networking group, for infrastructure, switches, routing etc. |+| ''nettlaug-operators'' | ''svc-hackerhula'' | Core networking group, for infrastructure, switches, routing etc. |
 | ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) | | ''project-hackradio'' | ''d404d@idp.hackeriet.no'' | SSH + sudo for the AzuraCast test host (which currently does not run AzuraCast) |
 | ''service-apphost-sysops'' | ''kfh@idp.hackeriet.no'' | SSH + sudo + docker for ''app-01'' | | ''service-apphost-sysops'' | ''kfh@idp.hackeriet.no'' | SSH + sudo + docker for ''app-01'' |
 | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki | | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki |
 | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki | | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki |
 +| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad.hackeriet.no |
 | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) | | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) |
 +| ''service-librenms-users'' | ''nettlaug-operators'' | Logon rights to nms.hackeriet.no |
 | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox | | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox |
 | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox | | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox |
 | ''service-netbox-users'' | ''nettlaug-operators'' | Login, view and edit data in Netbox | | ''service-netbox-users'' | ''nettlaug-operators'' | Login, view and edit data in Netbox |
 +| ''service-webingress-sysops'' | ''kfh@idp.hackeriet.no'' | SSH + sudo + docker for ''ingress'' |
  
 IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members). IDP admins may always step in to assist, shall any of the groups be orphaned (no active/reachable members).
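Review bot: the CLI example ''kanidm person update d404d --email "<somehandle>@hackeriet.no"'' does not match the advice in the alert box a few lines above that the old primary email should be kept on the account as a secondary address; a reader who copies the one-liner ends up with only the new address, which is exactly the situation the Mobilizon warning is trying to prevent. Show the form that keeps both addresses with the new one as primary, and cross-check the flag name against the official Kanidm CLI docs already linked on this page, since these commands are what people will paste. Two smaller points in the same hunk: "all services consuming Hacker-ID supports account renames/email changes" should read "support"; and the ACL table now makes ''svc-hackerhula'' the entry manager of every membership group, including ''hackeriet-styret'', which in turn manages ''service-dokuwiki-admins'' and ''service-dokuwiki-users''. That makes the service account the most privileged principal in the table, so the page should state what it is, where its credential is stored and who can act as it; the unchanged sentence about IDP admins stepping in for orphaned groups no longer describes the main risk.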
Line 136: Line 157:
   * Located in ''/srv/kanidm''   * Located in ''/srv/kanidm''
     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
 +    * [[https://ip.hackeriet.no/ipam/prefixes/48/prefixes/|Dedicated v6 subnet]] defined in compose and in /etc/docker/daemon.json in order for XFF mapping to work properly
     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
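Review bot: the new bullet explains that the dedicated v6 subnet in compose and ''/etc/docker/daemon.json'' exists "in order for XFF mapping to work properly", but not what the Kanidm side needs for that mapping to be trustworthy. Kanidm should only honour X-Forwarded-For when the request arrives from Traefik's address; otherwise a client can supply the header itself and appear in Kanidm's authentication logs under a source IP of its choosing. Document the server-side setting that enables trusting forwarded headers (''trust_x_forward_for'' in Kanidm's server.toml) together with the address range it is limited to, and put the actual prefix and the daemon.json keys in the bullet rather than only behind the IPAM link, so the setup can be reproduced from this page alone.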
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1753549274.txt.gz · Last modified: by d404d_idp.hackeriet.no