From ead70c9ef340fd494e581073caf89ca5d06d4cbf Mon Sep 17 00:00:00 2001 From: "tom.jampen" Date: Tue, 21 Oct 2025 14:43:39 +0000 Subject: [PATCH 1/3] chore: Adding meeting attendees and background info --- infrastructure/acme.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/infrastructure/acme.md b/infrastructure/acme.md index 929f431..ef8357f 100644 --- a/infrastructure/acme.md +++ b/infrastructure/acme.md @@ -10,6 +10,18 @@ We agreed to use **ACME DNS-01 challenges** for issuing certificates for **both - Keep **low TTLs** (e.g., 60-120s) on both CNAME and TXT records to speed up renewals. - Restrict write access to the challenge zone to the ACME automation only. +## Meetings +- 05.08.2025: Bert-Jan Fikse, Tobias Schaller, Tobias Wüst, Tom Jampen (inital version) + +## Background +The following article explains how DNS-01 challenges can be effectively used to issue Let's Encrypt certificates for servers with internal IP addresses: + +- https://lists.bfh.science/pipermail/bfh-linux-announce/2021-September/000134.html + +The following manpage explains important implementation details for correctly handling DNS-01 challenges: + +- https://sources.debian.org/src/open-infrastructure-service-tools/20250626-2/dehydrated/share/man/dehydrated-nsupdate.1.rst#L20 + ## Reference Design **Dedicated zone:** `_acme.digitalboard.ch` From 4d5a1bc5ea018619d5f23a89f1020c38cfd2773b Mon Sep 17 00:00:00 2001 From: "tom.jampen" Date: Thu, 11 Dec 2025 14:25:40 +0000 Subject: [PATCH 2/3] Update infrastructure/ipv6.md --- infrastructure/ipv6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/ipv6.md b/infrastructure/ipv6.md index ef58ac9..1c80bd9 100644 --- a/infrastructure/ipv6.md +++ b/infrastructure/ipv6.md 
@@ -6,7 +6,7 @@ We agreed to setup dual stack by default as IPv6 is essential for modern IT infr ## Decisions - Use **Dual Stack** (IPv4 and IPv6 addresses) - Rely on **DNS names instead of raw IP addresses** -- **Each school is responsible for its DNS records** and must them for IPv4/IPv6 (including CNAME records for ACME) +- **Each school is responsible for its DNS records** and must manage them for IPv4/IPv6 (including CNAME records for ACME) - The Digitalboard provides an optional service (dynamic DNS zone for acme challenge responses) as described in the [ACME documentation](./acme.md) - The Digitalboard might act as a RIPE customer and provide a `/32` or `/48` IPv6 network for interested schools From 1d4709efa9ec1b011fe4c131231d8759734427fc Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 6 Mar 2026 11:38:38 +0100 Subject: [PATCH 3/3] chore: document file locking problem in nextcloud with possible solution Signed-off-by: Bert-Jan Fikse --- README.md | 9 ++++++-- troubleshooting/nextcloud-file-locking.md | 26 +++++++++++++++++++++++ 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 troubleshooting/nextcloud-file-locking.md diff --git a/README.md b/README.md index 188322f..6a5b32e 100644 --- a/README.md +++ b/README.md 
@@ -23,8 +23,13 @@ This repository contains documentation, guides, and reference material. - [Integrate MS Entra in Keycloak as IDP](./keycloak/idp-ms-entra.md) Step-by-step instructions for integrating MS Entra as identity-provider. -- **[Microsoft Entra](./ms-entra/)** +- **[Microsoft Entra](./ms-entra/)** Documentation and guides related to Microsft Entra configuration and best practices. - - [Enterprise App Integration with Keycloak](./ms-entra/enterprise-app-keycloak.md) + - [Enterprise App Integration with Keycloak](./ms-entra/enterprise-app-keycloak.md) Step-by-step instructions for creating an Enterprise Application in Microsoft Entra (Azure AD) as an identity provider for Keycloak. +- **[Troubleshooting](./troubleshooting/)** + Encountered & solved problems. + - [Nextcloud File Locking](./troubleshooting/nextcloud-file-locking.md) + Preventing sync conflicts when multiple users edit the same file via the Nextcloud desktop client. + diff --git a/troubleshooting/nextcloud-file-locking.md b/troubleshooting/nextcloud-file-locking.md new file mode 100644 index 0000000..9e6cc18 --- /dev/null +++ b/troubleshooting/nextcloud-file-locking.md 
@@ -0,0 +1,26 @@ +# Nextcloud File Locking + +## Problem + +When two users open the same file simultaneously via the desktop sync client, both can write to it, resulting in sync conflicts. + +## Solution + +Two plugins work together to prevent this: + +- [**files_lock**](https://apps.nextcloud.com/apps/files_lock) — implements WebDAV locking (RFC 4918). When a user opens a file via the desktop client, a lock is acquired server-side. Other clients see the file as locked and cannot write to it. +- [**notify_push**](https://apps.nextcloud.com/apps/notify_push) — pushes lock state changes to clients in real time, so they don't have to wait for the next poll cycle to discover a lock. + +## Installation + +```bash +docker exec -u www-data php occ app:install files_lock +docker exec -u www-data php occ app:install notify_push +``` + +Follow the `notify_push` setup guide to expose the push daemon via Traefik. + +## Limitations + +- Conflicts are theoretically still possible, but the chances are minimized. +- Locks are per-session; if a client crashes without releasing the lock, the file may appear locked until the lock expires (default: 30 minutes, can be configured).
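Review bot: in the acme.md hunk, "inital version" in the new Meetings entry should read "initial version". The second Background link pins one package version and a source line anchor (`20250626-2`, `#L20`), so it will break as soon as the Debian package is updated; add one sentence stating which implementation detail that manpage is cited for, so the paragraph still carries its point when the link rots.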
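Review bot: the ipv6.md hunk correctly restores the missing verb ("must manage them"), but the commit subject "Update infrastructure/ipv6.md" says nothing about it; a subject such as "fix: missing verb in DNS responsibility bullet" keeps the history searchable, matching the `chore:` prefix style used by the other two commits in this series.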
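Review bot: in the README.md hunk, the two `-`/`+` pairs for the Microsoft Entra lines differ only in trailing whitespace (presumably the two-space Markdown line break), which is invisible in the diff and unrelated to the commit subject; either mention it in the message or keep whitespace-only changes in their own commit. While this block is being touched, the unchanged context line "Microsft Entra configuration" could be corrected to "Microsoft". The extra blank line appended after the Nextcloud File Locking entry (the last `+` line before the new-file header) looks unintended.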
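Review bot: in the new nextcloud-file-locking.md, the Installation block reads `docker exec -u www-data php occ app:install files_lock`, which `docker exec` parses as container `php` running the executable `occ`; unless the container really is named `php` and `occ` is on its PATH, this should be `docker exec -u www-data <container-name> php occ app:install files_lock` with the container name filled in. "Follow the `notify_push` setup guide" names no guide; link it, and note that the push daemon path published through Traefik must be reachable by all desktop clients over TLS, since clients that cannot reach it silently fall back to polling and the "real time" claim in the Solution section no longer holds. The statement that a lock is acquired when a file is opened via the desktop client depends on the client version and file type; state the minimum desktop client version this was verified with. In Limitations, "can be configured" should name the setting used to change the 30-minute expiry and describe how an administrator releases a stale lock left by a crashed client, since that is the operational question this page will be consulted for.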