8 changed files with 3 additions and 161 deletions
--- a/README.md
+++ b/README.md
@ -23,13 +23,8 @@ This repository contains documentation, guides, and reference material.
  - [Integrate MS Entra in Keycloak as IDP](./keycloak/idp-ms-entra.md)
    Step-by-step instructions for integrating MS Entra as identity-provider.
- **[Microsoft Entra](./ms-entra/)**
+- **[Microsoft Entra](./ms-entra/)**  
  Documentation and guides related to Microsft Entra configuration and best practices.
-  - [Enterprise App Integration with Keycloak](./ms-entra/enterprise-app-keycloak.md)
+  - [Enterprise App Integration with Keycloak](./ms-entra/enterprise-app-keycloak.md)  
    Step-by-step instructions for creating an Enterprise Application in Microsoft Entra (Azure AD) as an identity provider for Keycloak.
 - **[Troubleshooting](./troubleshooting/)**
  Encountered & solved problems.
  - [Nextcloud File Locking](./troubleshooting/nextcloud-file-locking.md)
    Preventing sync conflicts when multiple users edit the same file via the Nextcloud desktop client.
--- a/infrastructure/acme.md
+++ b/infrastructure/acme.md
@ -10,18 +10,6 @@ We agreed to use **ACME DNS-01 challenges** for issuing certificates for **both
 - Keep **low TTLs** (e.g., 60-120s) on both CNAME and TXT records to speed up renewals.
 - Restrict write access to the challenge zone to the ACME automation only.
 ## Meetings
 - 05.08.2025: Bert-Jan Fikse, Tobias Schaller, Tobias Wüst, Tom Jampen (inital version)
 ## Background
 The following article explains how DNS-01 challenges can be effectively used to issue Let's Encrypt certificates for servers with internal IP addresses:
 - https://lists.bfh.science/pipermail/bfh-linux-announce/2021-September/000134.html
 The following manpage explains important implementation details for correctly handling DNS-01 challenges:
 - https://sources.debian.org/src/open-infrastructure-service-tools/20250626-2/dehydrated/share/man/dehydrated-nsupdate.1.rst#L20
 ## Reference Design
 **Dedicated zone:**
 `_acme.digitalboard.ch`
--- a/infrastructure/ipv6.md
+++ b/infrastructure/ipv6.md
@ -6,7 +6,7 @@ We agreed to setup dual stack by default as IPv6 is essential for modern IT infr
 ## Decisions
 - Use **Dual Stack** (IPv4 and IPv6 addresses)
 - Rely on **DNS names instead of raw IP addresses**
- **Each school is responsible for its DNS records** and must manage them for IPv4/IPv6 (including CNAME records for ACME)
+- **Each school is responsible for its DNS records** and must them for IPv4/IPv6 (including CNAME records for ACME)
 - The Digitalboard provides an optional service (dynamic DNS zone for acme challenge responses) as described in the [ACME documentation](./acme.md)
 - The Digitalboard might act as a RIPE customer and provide a `/32` or `/48` IPv6 network for interested schools
--- a/keycloak/account-linking.md
+++ b/keycloak/account-linking.md
@ -1,115 +0,0 @@
 # Switch Your Digitalboard Login to Your Home Tenant
 > **Goal:** If you have been signing in to a Digitalboard service as a **guest user** of another organization's tenant, and your **own (home) tenant** is now connected to Digitalboard, this guide walks you through linking your home tenant login to your existing Digitalboard account ? so you keep your data and switch to signing in through your own organization.
 ---
 ## When you need this guide
 You should follow these steps if **all** of the following apply:
 - You have used a Digitalboard service before, signed in via a **guest invitation** in another organization's tenant.
 - Your **own organization's tenant** has just been connected to Digitalboard, **or** you have been authorized to sign in through your own tenant.
 - You want to keep using the same Digitalboard account, but sign in through your home organization from now on.
 > The email address used in your home tenant must match the email address that was used for the guest invitation. If they differ, contact your administrator before continuing.
 ---
 ## What will happen
 1. You sign out of any existing Digitalboard session.
 2. You sign in the **new way** ? through your home tenant.
 3. Digitalboard recognizes that an account with your email address already exists and offers to **link** the new login method to it.
 4. You confirm the link by clicking a link in a verification email.
 5. From that point on, you use your home tenant to sign in. Your existing data, settings, and history remain intact.
 > **No data is lost.** Linking only adds a second login method to your existing Digitalboard account; it does not create a new account or delete the old one.
 ---
 ## Prerequisites
 - Working access to **both** login methods:
  - The original guest login (other organization's tenant).
  - The new login through your home tenant.
 - Access to your **email inbox** for the address used in both tenants. You will need to click a confirmation link.
 - A modern browser. Using a **private/incognito window** is recommended so existing sessions do not interfere.
 ---
 ## Step 1 Sign out of any existing Digitalboard session
 1. Open the Digitalboard service you normally use.
 2. If you are signed in, **sign out** completely.
 3. Close the browser window.
 This makes sure the next login starts cleanly and the linking flow can run.
 ---
 ## Step 2 Open the service in a private window
 1. Open a **new private/incognito browser window**.
 2. Navigate to the Digitalboard service login page.
 You should now see the login page with the available identity provider buttons, including the new one for your home tenant.
 ---
 ## Step 3 Sign in through your home tenant
 1. Click the login button for your **home tenant** (the new one ? for example, **Sign in with WKS Bern**).
 2. Complete the Microsoft sign-in with your **home tenant credentials**.
 Because the email address matches the one already on file from your guest login, Digitalboard now detects the existing account and shows the **Account already exists** screen.
 ![Account already exists dialog](images/account-linking/step-1.png "Digitalboard detects the existing account by email address")
 *Figure 1: The "Account already exists" screen.*
 3. Click **Add to existing account**.
 > Do **not** click **Review profile** ? that option creates a separate new account instead of linking to your existing one. If you click it by mistake, see the troubleshooting section below.
 ---
 ## Step 4 Verify your email address
 To prove that the email address belongs to you, Digitalboard sends a confirmation email to the address on file.
 ![Email verification page](images/account-linking/step-2.png "Digitalboard prompts for email verification before linking")
 *Figure 2: The email verification step.*
 1. Leave this browser tab open.
 2. Open your email inbox in a **separate tab or window**.
 ---
 ## Step 5 Open the confirmation email
 Look for an email with the subject **Link \<Provider Name\>** (for example, *Link WKS Bern*) from `auth@digitalboard.ch`. If it does not appear within a minute, check your spam/junk folder.
 ![Confirmation email](images/account-linking/step-3.png "The confirmation email containing the linking link")
 *Figure 3: The confirmation email sent by Digitalboard.*
 1. Click **Link to confirm account linking**.
 2. The link is valid for **5 minutes** only. If it expires, return to the verification tab and click **Click here to re-send the email**.
 ---
 ## Step 6 ? Confirm the link
 The link opens a confirmation page in your browser.
 1. Click **I confirm**.
 2. You are now signed in to your existing Digitalboard account through your home tenant.
 Your home tenant login is now linked to the same Digitalboard account you used as a guest before. From now on, sign in through your home tenant.
 ---
 ## After linking
 - **Use your home tenant login from now on.** The guest login from the other tenant may still work technically, but should no longer be used. Your administrator may revoke the guest invitation in the other tenant once linking is confirmed.
 - Your existing data, settings, and history remain attached to the same account.
 - If anything looks wrong (missing data, wrong name displayed), contact your administrator before signing in again.
 ---
 ## Troubleshooting
 - **I clicked "Review profile" by mistake and a new account was created** ? Do not try to fix it by signing in again. Contact your administrator and report which email address is affected. The duplicate account needs to be removed before linking can be retried.
 - **I never received the confirmation email** ? Check your spam/junk folder. If it is not there, return to the verification page (still open in the other tab) and click **Click here to re-send the email**. If emails still do not arrive after a few minutes, contact your administrator.
 - **The confirmation link says it expired** ? The link is valid for 5 minutes only. Click **Click here to re-send the email** on the verification page, then open the new email link promptly.
 - **The email link opened in a different browser than the one I started in** ? Go back to the original incognito tab where you started the login and click **If you already verified the email in different browser, Click here to continue**.
 - **I did not see the "Account already exists" screen ? I just ended up signed in to a new, empty account** ? The email address in your home tenant does not match the one used for the guest invitation. Contact your administrator; the email addresses must be aligned before linking can work.
 - **I see the login button for my home tenant but the sign-in fails at Microsoft** ? This is unrelated to linking. Verify that your administrator has authorized you (or your group) to access the Digitalboard application in your home tenant.
--- a/keycloak/images/account-linking/step-1.png
+++ b/keycloak/images/account-linking/step-1.png
--- a/keycloak/images/account-linking/step-2.png
+++ b/keycloak/images/account-linking/step-2.png
--- a/keycloak/images/account-linking/step-3.png
+++ b/keycloak/images/account-linking/step-3.png
--- a/troubleshooting/nextcloud-file-locking.md
+++ b/troubleshooting/nextcloud-file-locking.md
@ -1,26 +0,0 @@
 # Nextcloud File Locking
 ## Problem
 When two users open the same file simultaneously via the desktop sync client, both can write to it, resulting in sync conflicts.
 ## Solution
 Two plugins work together to prevent this:
 - [**files_lock**](https://apps.nextcloud.com/apps/files_lock) — implements WebDAV locking (RFC 4918). When a user opens a file via the desktop client, a lock is acquired server-side. Other clients see the file as locked and cannot write to it.
 - [**notify_push**](https://apps.nextcloud.com/apps/notify_push) — pushes lock state changes to clients in real time, so they don't have to wait for the next poll cycle to discover a lock.
 ## Installation
 ```bash
 docker exec -u www-data <nextcloud-container> php occ app:install files_lock
 docker exec -u www-data <nextcloud-container> php occ app:install notify_push
 ```
 Follow the `notify_push` setup guide to expose the push daemon via Traefik.
 ## Limitations
 - Conflicts are theoretically still possible, but the chances are minimized.
 - Locks are per-session; if a client crashes without releasing the lock, the file may appear locked until the lock expires (default: 30 minutes, can be configured).