infra:services:hacker-id

Differences

This shows you the differences between two versions of the page.

infra:services:hacker-id [2025/08/01 18:40] d404d_idp.hackeriet.noinfra:services:hacker-id [2025/08/13 21:24] (current) – [System setup] d404d_idp.hackeriet.no
Line 42: Line 42:
  
 This includes the login name used for both the web portal, and any Unix accounts used on servers. This includes the login name used for both the web portal, and any Unix accounts used on servers.
-Unless noted otherwise here, all services consuming Hacker-ID supports account renames. 
- 
 This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile This can be done from the profile section of the self-service portal: https://idp.hackeriet.no/ui/profile
  
-You can also rename and update your account profile using the CLI:+Unless noted otherwise here, all services consuming Hacker-ID supports account renames/email changes.
  
 +<WRAP center round alert 60%>
 +Mobilizon (events.hackeriet.no) uses your EMAIL for account bindings. It does not seem like we can change this.
 +
 +Please get someone to help you with updating your email in Mobilizon in order to avoid losing access to your account.
 +
 +When changing emails, you should keep your old primary email on-account as a secondary email.
 +</WRAP>
 +
 +<WRAP center round important 60%>
 +Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes.
 +</WRAP>
 +
 +You can also rename and update your account profile using the CLI:
  
   * Account name: <code>kanidm person update d404d --newname testlmao</code>   * Account name: <code>kanidm person update d404d --newname testlmao</code>
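Review bot: The Mobilizon alert block leaves two things open that a member needs at the moment of the change: who "someone" is, and whether the old address has to be added as a secondary email before or after the primary is switched. Suggest naming the contact (one of the owner groups from the table further down would do) and rewording the last line of the block as an ordered step. If the binding works as the block describes, by email rather than by a stable SSO identifier, it is also worth stating that an address should stay on the account until Mobilizon has been updated, because the email is what Mobilizon matches on. Minor: in the moved sentence, "all services consuming Hacker-ID supports" should read "support".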
Line 65: Line 76:
 | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki | | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki |
 | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki | | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki |
 +| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad.hackeriet.no |
 | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) | | ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) |
-| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad2.hackeriet.no |+| ''service-librenms-users'' | ''nettlaug-operators'' | Logon rights to nms.hackeriet.no |
 | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox | | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox |
 | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox | | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox |
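Review bot: The hostname in the ''service-hedgedoc-users'' row changes from pad2.hackeriet.no to pad.hackeriet.no in the same edit that moves the row into sort order, so the rename is easy to miss; the edit summary should say whether pad2 is retired or still accepts logins under this group. The new ''service-librenms-users'' row says only "Logon rights", while the Netbox and Dokuwiki rows state the privilege level granted; add which LibreNMS role the group maps to so the table shows what membership actually confers.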
Line 145: Line 157:
   * Located in ''/srv/kanidm''   * Located in ''/srv/kanidm''
     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
 +    * [[https://ip.hackeriet.no/ipam/prefixes/48/prefixes/|Dedicated v6 subnet]] defined in compose and in /etc/docker/daemon.json in order for XFF mapping to work properly
     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
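Review bot: The added subnet line gives "XFF mapping to work properly" as its reason but does not say which component trusts X-Forwarded-For or from which addresses, and that is the security-relevant part: the client IP recorded behind Traefik is only as reliable as the restriction on who may set that header. Suggest stating that the header is trusted only from Traefik's address in this subnet, and writing the prefix itself next to the link so the page stands alone without the IPAM lookup. Style: wrap /etc/docker/daemon.json in the same monospace markup as ''/srv/kanidm'' above it.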
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1754073617.txt.gz · Last modified: by d404d_idp.hackeriet.no