diff --git a/README.md b/README.md index 6a5b32e..188322f 100644 --- a/README.md +++ b/README.md @@ -23,13 +23,8 @@ This repository contains documentation, guides, and reference material. - [Integrate MS Entra in Keycloak as IDP](./keycloak/idp-ms-entra.md) Step-by-step instructions for integrating MS Entra as identity-provider. -- **[Microsoft Entra](./ms-entra/)** +- **[Microsoft Entra](./ms-entra/)** Documentation and guides related to Microsft Entra configuration and best practices. - - [Enterprise App Integration with Keycloak](./ms-entra/enterprise-app-keycloak.md) + - [Enterprise App Integration with Keycloak](./ms-entra/enterprise-app-keycloak.md) Step-by-step instructions for creating an Enterprise Application in Microsoft Entra (Azure AD) as an identity provider for Keycloak. -- **[Troubleshooting](./troubleshooting/)** - Encountered & solved problems. - - [Nextcloud File Locking](./troubleshooting/nextcloud-file-locking.md) - Preventing sync conflicts when multiple users edit the same file via the Nextcloud desktop client. - diff --git a/infrastructure/acme.md b/infrastructure/acme.md index ef8357f..929f431 100644 --- a/infrastructure/acme.md +++ b/infrastructure/acme.md @@ -10,18 +10,6 @@ We agreed to use **ACME DNS-01 challenges** for issuing certificates for **both - Keep **low TTLs** (e.g., 60-120s) on both CNAME and TXT records to speed up renewals. - Restrict write access to the challenge zone to the ACME automation only. -## Meetings -- 05.08.2025: Bert-Jan Fikse, Tobias Schaller, Tobias Wüst, Tom Jampen (inital version) - -## Background -The following article explains how DNS-01 challenges can be effectively used to issue Let's Encrypt certificates for servers with internal IP addresses: - -- https://lists.bfh.science/pipermail/bfh-linux-announce/2021-September/000134.html - -The following manpage explains important implementation details for correctly handling DNS-01 challenges: - -- https://sources.debian.org/src/open-infrastructure-service-tools/20250626-2/dehydrated/share/man/dehydrated-nsupdate.1.rst#L20 - ## Reference Design **Dedicated zone:** `_acme.digitalboard.ch` diff --git a/infrastructure/ipv6.md b/infrastructure/ipv6.md index 1c80bd9..ef58ac9 100644 --- a/infrastructure/ipv6.md +++ b/infrastructure/ipv6.md @@ -6,7 +6,7 @@ We agreed to setup dual stack by default as IPv6 is essential for modern IT infr ## Decisions - Use **Dual Stack** (IPv4 and IPv6 addresses) - Rely on **DNS names instead of raw IP addresses** -- **Each school is responsible for its DNS records** and must manage them for IPv4/IPv6 (including CNAME records for ACME) +- **Each school is responsible for its DNS records** and must them for IPv4/IPv6 (including CNAME records for ACME) - The Digitalboard provides an optional service (dynamic DNS zone for acme challenge responses) as described in the [ACME documentation](./acme.md) - The Digitalboard might act as a RIPE customer and provide a `/32` or `/48` IPv6 network for interested schools diff --git a/troubleshooting/nextcloud-file-locking.md b/troubleshooting/nextcloud-file-locking.md deleted file mode 100644 index 9e6cc18..0000000 --- a/troubleshooting/nextcloud-file-locking.md +++ /dev/null @@ -1,26 +0,0 @@ -# Nextcloud File Locking - -## Problem - -When two users open the same file simultaneously via the desktop sync client, both can write to it, resulting in sync conflicts. - -## Solution - -Two plugins work together to prevent this: - -- [**files_lock**](https://apps.nextcloud.com/apps/files_lock) — implements WebDAV locking (RFC 4918). When a user opens a file via the desktop client, a lock is acquired server-side. Other clients see the file as locked and cannot write to it. -- [**notify_push**](https://apps.nextcloud.com/apps/notify_push) — pushes lock state changes to clients in real time, so they don't have to wait for the next poll cycle to discover a lock. - -## Installation - -```bash -docker exec -u www-data php occ app:install files_lock -docker exec -u www-data php occ app:install notify_push -``` - -Follow the `notify_push` setup guide to expose the push daemon via Traefik. - -## Limitations - -- Conflicts are theoretically still possible, but the chances are minimized. -- Locks are per-session; if a client crashes without releasing the lock, the file may appear locked until the lock expires (default: 30 minutes, can be configured).