infra:services:hacker-id
infra:services:hacker-id [2025/08/01 08:05] – [Changing account name] d404d_idp.hackeriet.no
infra:services:hacker-id [2025/08/13 21:24] (current) – [System setup] d404d_idp.hackeriet.no
Line 12: Line 12:
 Regards, 404'd Regards, 404'd
 </WRAP> </WRAP>
- 
  
 A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to. A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.
  
 Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula). Access control is currently managed through the Kanidm CLI. [[https://kanidm.github.io/kanidm/stable/installing_client_tools.html|See the official docs for further details.]] Administrative UI for groups etc. will be added at a later date, either through Kanidm upgrades or using a separate companion service (like Hula).
 +
 +===== Onboarding =====
 +Hackeriet members can begin onboarding by visiting the Hacker-ID section in Hula:
 +
 +https://hackeriet.no/hula/idp/
  
 ===== Hacker-ID capable services ===== ===== Hacker-ID capable services =====
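Review bot: the new Onboarding section gives the Hula link as a bare URL, while the rest of this page uses the wiki's link syntax (see the Kanidm docs link a few lines up); consider wrapping it as `[[https://hackeriet.no/hula/idp/|Hacker-ID section in Hula]]` and adding one line on what a member should expect to happen after visiting it (e.g. whether the account is created immediately or approved by someone), since the section currently says only where to go.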
Line 38: Line 42:
  
 This includes the login name used for both the web portal, and any Unix accounts used on servers. This includes the login name used for both the web portal, and any Unix accounts used on servers.
-Unless noted otherwise here, all services consuming Hacker-ID supports account renames. 
- 
 This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile
  
-You can also rename your account using the CLIThe following example renames the account ''d404d'' to ''testlmao'':+Unless noted otherwise here, all services consuming Hacker-ID supports account renames/email changes. 
 + 
 +<WRAP center round alert 60%> 
 +Mobilizon (events.hackeriet.no) uses your EMAIL for account bindings. It does not seem like we can change this. 
 + 
 +Please get someone to help you with updating your email in Mobilizon in order to avoid losing access to your account. 
 + 
 +When changing emails, you should keep your old primary email on-account as a secondary email. 
 +</WRAP>
  
-<code>kanidm person update d404d --newname testlmao</code>+<WRAP center round important 60%> 
 +Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes. 
 +</WRAP>
  
 +You can also rename and update your account profile using the CLI:
  
 +  * Account name: <code>kanidm person update d404d --newname testlmao</code>
 +  * Display name: <code>kanidm person update d404d --displayname "Epic New Hacker Name"</code>
 +  * Email: <code>kanidm person update d404d --email "<somehandle>@hackeriet.no"</code>
 ===== ACL structure ===== ===== ACL structure =====
 During the draft phase, the following groups have been configured: During the draft phase, the following groups have been configured:
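Review bot: the CLI email example sets a single address, but the alert box just above tells members to keep their old primary email on the account as a secondary address when changing emails; if the update command replaces the address list rather than appending to it, following the example as written would drop the old address and, per the Mobilizon warning in the same hunk, could cost the member access to events.hackeriet.no. Either show how to set both the new and the old address in one update, or state explicitly whether the command replaces or adds. Minor: "all services consuming Hacker-ID supports account renames/email changes" should read "support".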
Line 60: Line 76:
 | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki | | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki |
 | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki | | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki |
 +| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad.hackeriet.no |
 | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) | | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) |
-| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad2.hackeriet.no |+| ''service-librenms-users'' | ''nettlaug-operators'' | Logon rights to nms.hackeriet.no |
 | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox | | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox |
 | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox | | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox |
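Review bot: the reordered rows now read alphabetically, and the hedgedoc hostname change from pad2 to pad is consistent with the new librenms row's style, but the ''service-idp-sysops'' row is the only one whose member is a single user account (''d404d@idp.hackeriet.no'') rather than a group; since that row carries Kanidm, SSH, sudo and docker rights, consider pointing it at a group so administrative access is not tied to one person's account. The wording also alternates between "Logon rights" and "Login as regular users"; pick one.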
Line 140: Line 157:
   * Located in ''/srv/kanidm''   * Located in ''/srv/kanidm''
     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
 +    * [[https://ip.hackeriet.no/ipam/prefixes/48/prefixes/|Dedicated v6 subnet]] defined in compose and in /etc/docker/daemon.json in order for XFF mapping to work properly
     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
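Review bot: the new bullet explains the dedicated v6 subnet as being needed for XFF mapping, but does not say which proxy addresses Kanidm is configured to trust for the X-Forwarded-For header; if that trust is broader than Traefik's address in this subnet, anything that can reach the Kanidm container directly could present a forged client address in its audit logs. Add the trusted-proxy configuration (on both the Traefik and Kanidm side) to this bullet, or link to where it lives, so the dependency on the subnet being exact is visible to the next operator. Minor: "Communication between the two are encrypted" should read "is encrypted".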
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1754035551.txt.gz · Last modified: by d404d_idp.hackeriet.no