infra:services:hacker-id
infra:services:hacker-id [2025/08/02 04:10] – [Changing account name/display name/email] d404d_idp.hackeriet.noinfra:services:hacker-id [2026/04/11 17:41] (current) d404d_idp.hackeriet.no
Line 5: Line 5:
  
 Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet. Hacker-ID is a member-initiated service to provide a simple-to-use and universal base for implementing SSO services at Hackeriet.
- 
-<WRAP center round important 60%> 
-This is a proof-of-concept to see how one could reasonably deploy IDP in a simple yet flexible way with few moving parts. 
-Ask if you have any questions, need help, need an account, or want to integrate something. 
- 
-Regards, 404'd 
-</WRAP> 
  
 A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to. A simple self-service portal on https://idp.hackeriet.no provides basic account management features, together with a list of any Hacker-ID web applications you have access to.
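Review bot: dropping the proof-of-concept box removes the only statement of the service's support status and the only "ask me" contact for accounts and integrations; if Hacker-ID is now considered a supported service, this hunk should say so in its place (one sentence on status plus where to ask for an account or an integration), otherwise readers of this revision can no longer tell whether the IDP is something to build on.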
Line 25: Line 18:
 All services enrolled into Hacker-ID are documented using tags in Netbox: All services enrolled into Hacker-ID are documented using tags in Netbox:
   * [[https://ip.hackeriet.no/extras/tags/10/|Hacker-ID: LDAP]] -- Not currently implemented   * [[https://ip.hackeriet.no/extras/tags/10/|Hacker-ID: LDAP]] -- Not currently implemented
-  * [[https://ip.hackeriet.no/extras/tags/8/|Hacker-ID: RADIUS]] -- Not currently implemented+  * [[https://ip.hackeriet.no/extras/tags/8/|Hacker-ID: RADIUS]] -- Select Nettlauget infrastructure
   * [[https://ip.hackeriet.no/extras/tags/6/|Hacker-ID: SSH]] -- SSH daemon reads authorized keys from Hacker-ID   * [[https://ip.hackeriet.no/extras/tags/6/|Hacker-ID: SSH]] -- SSH daemon reads authorized keys from Hacker-ID
   * [[https://ip.hackeriet.no/extras/tags/7/|Hacker-ID: SSO]] -- OpenID/OAuth2 authentication flow   * [[https://ip.hackeriet.no/extras/tags/7/|Hacker-ID: SSO]] -- OpenID/OAuth2 authentication flow
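Review bot: the new RADIUS description "Select Nettlauget infrastructure" is vaguer than the other entries in this list; the SSH and SSO lines say what the integration does (authorized keys, OpenID/OAuth2), so the RADIUS line should say what Hacker-ID provides to those devices (which authentication method and for which access, e.g. network device login versus 802.1X), and the Netbox tag link already present should be the place where the enrolled devices are listed.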
Line 47: Line 40:
  
 <WRAP center round alert 60%> <WRAP center round alert 60%>
-Note that some applications (e.gNetbox and Wikiwill not automatically update your profile data (e.gusername/email)but they WILL give you the same account on logon through SSO after such IDP changes.+Mobilizon (events.hackeriet.nouses your EMAIL for account bindingsIt does not seem like we can change this. 
 + 
 +Please get someone to help you with updating your email in Mobilizon in order to avoid losing access to your account. 
 + 
 +When changing emails, you should keep your old primary email on-account as a secondary email.
 </WRAP> </WRAP>
  
 +<WRAP center round important 60%>
 +Note that some applications (e.g. Netbox and Wiki) will not automatically update your profile data (e.g. username/email), but they WILL give you the same account on logon through SSO after such IDP changes.
 +</WRAP>
  
 You can also rename and update your account profile using the CLI: You can also rename and update your account profile using the CLI:
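Review bot: the Mobilizon alert tells the user to "get someone to help you" but names no contact and no procedure, and it presents the steps in the wrong order for a user who is about to lose access: the instruction to keep the old primary email on the account as a secondary address belongs first, as the precondition, followed by who updates the Mobilizon binding and only then the primary-email change in the IDP. "It does not seem like we can change this" is an open question rather than a documented fact; either confirm it or mark it as unverified. The retained Netbox/Wiki note reads fine in its new "important" box.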
Line 69: Line 69:
 | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki | | ''service-dokuwiki-admins'' | ''hackeriet-styret'' | Administrative access to Dokuwiki |
 | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki | | ''service-dokuwiki-users'' | ''hackeriet-styret'' | Login as regular users to Dokuwiki |
-| ''service-idp-sysops'' | ''d404d@idp.hackeriet.no'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) | +| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad.hackeriet.no 
-| ''service-hedgedoc-users'' | ''nettlaug-operators'' | Logon rights to pad2.hackeriet.no |+| ''service-idp-sysops'' | ''service-idp-sysops'' | Administrative privileges to Hacker-ID (Kanidm, SSH, sudo, and docker) | 
 +| ''service-librenms-users'' | ''nettlaug-operators'' | Logon rights to nms.hackeriet.no |
 | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox | | ''service-netbox-staff'' | ''nettlaug-operators'' | Django staff rights in Netbox |
 | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox | | ''service-netbox-superusers'' | ''nettlaug-operators'' | Django superuser rights in Netbox |
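Review bot: the ''service-idp-sysops'' row now lists ''service-idp-sysops'' as its own managing group, so any member of the group that holds administrative privileges over Kanidm, SSH, sudo and docker can add further members without involving anyone else; the previous revision bound this to a single named administrator. If self-management is intended, the table (or the text around it) should state who reviews membership changes to this group and how, since this is the group whose membership decides who administers the IDP itself. The ''pad2'' to ''pad'' rename and the new LibreNMS row look consistent with the rest of the table.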
Line 120: Line 121:
  
 ===== Administrative actions ===== ===== Administrative actions =====
 +Slideset from admin workshop:
 +{{ :infra:services:main.pdf |}}
 ==== Onboarding users through the CLI ==== ==== Onboarding users through the CLI ====
 If for some reason a user needs to be onboarded through the CLI, use the following sequence of commands: If for some reason a user needs to be onboarded through the CLI, use the following sequence of commands:
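Review bot: the two added lines sit directly under the "Administrative actions" heading with no blank line before the next "==== Onboarding users through the CLI ====" heading, which the rest of the page separates with an empty line; also, the slide deck is attached as ''main.pdf'', so a descriptive name or a date in the link text (the workshop it came from) would let readers judge whether it matches the current procedures described below it.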
Line 149: Line 152:
   * Located in ''/srv/kanidm''   * Located in ''/srv/kanidm''
     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm     * One docker compose stack with Traefik (for certificate issuance as LE needs this in-line) and Kanidm
 +    * [[https://ip.hackeriet.no/ipam/prefixes/48/prefixes/|Dedicated v6 subnet]] defined in compose and in /etc/docker/daemon.json in order for XFF mapping to work properly
     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)     * Communication between the two are encrypted using a self-signed certificate (Kanidm requires last-hop encryption)
     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening     * Created user and group "kanidm" in the host, which will represent the kanidm container's resources. Rights configured according to https://kanidm.github.io/kanidm/stable/security_hardening.html#security-hardening
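Review bot: the new bullet explains that the dedicated v6 subnet exists "in order for XFF mapping to work properly" but not which addresses Kanidm is configured to trust for X-Forwarded-For; since Kanidm records client addresses from that header for its audit log and rate limiting, the page should state that only Traefik's address on this subnet is trusted, otherwise a reader reproducing the setup may end up accepting the header from any client. A one-line pointer to where that trusted-proxy setting lives (the compose file or Kanidm's server config) would be enough.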
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/services/hacker-id.1754107808.txt.gz · Last modified: by d404d_idp.hackeriet.no