diff --git a/docs/divers/adminsys/acroread-debian.md b/docs/divers/admin/acroread-debian.md similarity index 100% rename from docs/divers/adminsys/acroread-debian.md rename to docs/divers/admin/acroread-debian.md diff --git a/docs/divers/adminsys/gnome-appfolders.md b/docs/divers/admin/gnome-appfolders.md similarity index 100% rename from docs/divers/adminsys/gnome-appfolders.md rename to docs/divers/admin/gnome-appfolders.md diff --git a/docs/divers/adminsys/img/gnome-appfolders.png b/docs/divers/admin/img/gnome-appfolders.png similarity index 100% rename from docs/divers/adminsys/img/gnome-appfolders.png rename to docs/divers/admin/img/gnome-appfolders.png diff --git a/docs/divers/adminsys/index.md b/docs/divers/admin/index.md similarity index 100% rename from docs/divers/adminsys/index.md rename to docs/divers/admin/index.md diff --git a/docs/divers/adminsys/reset-winpasswd.md b/docs/divers/admin/reset-winpasswd.md similarity index 100% rename from docs/divers/adminsys/reset-winpasswd.md rename to docs/divers/admin/reset-winpasswd.md diff --git a/docs/divers/devops/index.md b/docs/divers/devops/index.md index 240294be..179cb6d9 100644 --- a/docs/divers/devops/index.md +++ b/docs/divers/devops/index.md @@ -1,5 +1,4 @@ # Guides Devops - [Déployer un site web avec Hugo](hugo.md) -- [Déployer une documentation avec Mkdocs](mkdocs.md) -- [Keycloak as SSO for Nextcloud](keycloak-nextcloud.md) +- [Keycloak as SSO for Nextcloud](sso/index.md) diff --git a/docs/divers/devops/keycloak-nextcloud.md b/docs/divers/devops/keycloak-nextcloud.md deleted file mode 100644 index 5bb42445..00000000 --- a/docs/divers/devops/keycloak-nextcloud.md +++ /dev/null 
@@ -1,207 +0,0 @@ -# Keycloak as SSO in Nextcloud - -## Keycloak configuration - -### Create a client - -We need first to create a client in keycloak, to connect to Nextcloud. - -Name `Client id` as you wish. - -![create a client](img/keycloak-nextcloud/keycloak_create-client.png) - -Use the following settings: - -![settings for client](img/keycloak-nextcloud/keycloak_client-settings.png) - -and - -![Configure ID Token Signature Algo as RS256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png) - -### Map groups in client - -#### Create a new role in client - -In **Roles** tab, we create a role admin that we will map to Nextcloud. - -![create role](img/keycloak-nextcloud/keycloak_client-newrole.png) - -Create here all the groups you'll need in Nextcloud - -**You will also have to create them in Nextcloud! ** - -#### Configure mapper for roles - -This will allow us to map roles from client to nextcloud's groups. - -![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png) - -Choose the **Name** you want, but **Token Claim Name** must be `ownCloudGroups`. - -#### Map roles for user - -Go to an admin user you created (or create an user) and map admin role we created. - -Go to the **Role Mappings** tab, then select the client you created in the **Client Roles** -selection box, then click on **Add Selected** in the bottom-left to promote a role from available -to assigned roles. - -![map roles for user](img/keycloak-nextcloud/keycloak_user-rolemapping.png) - -#### Check if mapping has been catched by client - -Go back to client part and evaluate client scope for the admin user you just configured. - -Go to your client, tab **Client Scopes**, select your user and clic on **Evaluate**. - -Check the **Generated Access Token** tab to see if the user get admin role. 
- -![evaluate client scope](img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png) - -### Map quota - -We have the ability to define storage quota for each user we create. - -#### Configure mapper for quota - -![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png) - -#### Configure quota for user - -![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png) - -### Get informations - -We need client secret and realm endpoints to configure nextcloud. - -#### Get Client Secret - -Go in **Client** -> **Credentials**, to get client secret that we will need to configure nextcloud plugin. - -![get client secret](img/keycloak-nextcloud/keycloak_client-getcredentials.png) - -#### See Endpoints - -You will also need endpoints urls to adapt Nextcloud Social Login plugin configuration. - -Go in **Realm Settings** -> **General**, clic on `OpenID EndpointConfiguration`. - -![Ask for conf page](img/keycloak-nextcloud/keycloak_realm-accessconf.png) - -You will be redirected to the API endpoint, showing you endpoits url and other infos: - -![json endpoint data](img/keycloak-nextcloud/keycloak_realm-json.png) - - -#### Install the plugin - -**OpenID Connect Login** is a plugin made by pulsejet that can be found in Nextcloud AppStore. - -#### Configure Nextcloud - -Configuration of the plugin can only be made by modifying `config.php`. - -``` -$CONFIG = array ( - 'allow_user_to_change_display_name' => false, - 'lost_password_link' => 'disabled', - - // URL of provider. 
All other URLs are auto-discovered from .well-known - 'oidc_login_provider_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM', - - // Client ID and secret registered with the provider - 'oidc_login_client_id' => 'nextcloud.domain.ext', // Client ID, Step 1 - 'oidc_login_client_secret' => 'secret', // Client Secret: Got to Clients -> Client -> Credentials - - // Automatically redirect the login page to the provider - 'oidc_login_auto_redirect' => false, - - // Redirect to this page after logging out the user - 'oidc_login_logout_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM/protocol/openid-connect/logout?&redirect_uri=http%3A%2F%2Fnextcloud.domain.ext%2F', - - // Quota to assign if no quota is specified in the OIDC response (bytes) - 'oidc_login_default_quota' => '1000000000', - - // Login button text - 'oidc_login_button_text' => 'OpenID', - - // Attribute map for OIDC response. Available keys are: - // i) id: Unique identifier for username - // ii) name: Full name - // iii) mail: Email address - // iv) quota: Nextcloud storage quota - // v) home: Home directory location. A symlink or external storage to this location is used - // vi) ldap_uid: LDAP uid to search for when running in proxy mode - // vii) groups: Array or space separated string of NC groups for the user - // - // The attributes in the OIDC response are flattened by adding the nested - // array key as the prefix and an underscore. 
Thus, - // - // $profile = [ - // 'id' => 1234, - // 'attributes' => [ - // 'uid' => 'myuid' - // ] - // ]; - // - // would become, - // - // $profile = [ - // 'id' => 1234, - // 'attributes_uid' => 'myuid' - // ] - // - 'oidc_login_attributes' => array ( - 'id' => 'preffered_username', - 'name' => 'name', - 'mail' => 'email', - 'quota' => 'ownCloudQuota', - 'home' => 'homeDirectory', - 'ldap_uid' => 'uid', - 'groups' => 'ownCloudGroups', - ), - - // Default group to add users to (optional, defaults to nothing) - 'oidc_login_default_group' => 'oidc', - - // Use external storage instead of a symlink to the home directory - // Requires the files_external app to be enabled - 'oidc_login_use_external_storage' => false, - - // Set OpenID Connect scope - 'oidc_login_scope' => 'openid profile', - - // Run in LDAP proxy mode - // In this mode, instead of creating users of its own, OIDC login - // will get the existing user from an LDAP database and only - // perform authentication with OIDC. All user data will be derived - // from the LDAP database instead of the OIDC user response - // - // The `id` attribute in `oidc_login_attributes` must return the - // "Internal Username" (see expert settings in LDAP integration) - 'oidc_login_proxy_ldap' => false, - - // Disable creation of new users from OIDC login - 'oidc_login_disable_registration' => false, - - // Fallback to direct login if login from OIDC fails - // Note that no error message will be displayed if enabled - 'oidc_login_redir_fallback' => true, - - // Use an alternative login page - // This page will be php-included instead of a redirect if specified - // In the example below, the PHP file `login.php` in `assets` - // in nextcloud base directory will be included - // Note: the PHP variable $OIDC_LOGIN_URL is available for redirect URI - // Note: you may want to try setting `oidc_login_logout_url` to your - // base URL if you face issues regarding re-login after logout - // 'oidc_login_alt_login_page' => 
'assets/login.php', - - // For development, you may disable TLS verification. Default value is `true` - // which should be kept in production - 'oidc_login_tls_verify' => true, - - // If you are behind a proxy - 'overwriteprotocol' => 'https', -); -``` diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-getcredentials.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-getcredentials.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_client-getcredentials.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-getcredentials.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-newrole.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-newrole.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_client-newrole.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-newrole.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png 
diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidmapperquota.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-openidmapperquota.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidmapperquota.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-openidmapperquota.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidmapperroles.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-openidmapperroles.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidmapperroles.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-openidmapperroles.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-settings.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-settings.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_client-settings.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_client-settings.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_create-client.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_create-client.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_create-client.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_create-client.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_realm-accessconf.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_realm-accessconf.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_realm-accessconf.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_realm-accessconf.png 
diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_realm-json.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_realm-json.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_realm-json.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_realm-json.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_user-openidattributequota.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_user-openidattributequota.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_user-openidattributequota.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_user-openidattributequota.png diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_user-rolemapping.png b/docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_user-rolemapping.png similarity index 100% rename from docs/divers/devops/img/keycloak-nextcloud/keycloak_user-rolemapping.png rename to docs/divers/devops/sso/img/keycloak-nextcloud/keycloak_user-rolemapping.png diff --git a/docs/divers/devops/sso/img/sso-keycloak-askpwdreset.png b/docs/divers/devops/sso/img/sso-keycloak-askpwdreset.png new file mode 100644 index 00000000..7d1df85b Binary files /dev/null and b/docs/divers/devops/sso/img/sso-keycloak-askpwdreset.png differ diff --git a/docs/divers/devops/sso/img/sso-keycloak-enable-terms.png b/docs/divers/devops/sso/img/sso-keycloak-enable-terms.png new file mode 100644 index 00000000..d44c218e Binary files /dev/null and b/docs/divers/devops/sso/img/sso-keycloak-enable-terms.png differ diff --git a/docs/divers/devops/sso/index.md b/docs/divers/devops/sso/index.md new file mode 100644 index 00000000..8c17eef3 --- /dev/null +++ b/docs/divers/devops/sso/index.md 
@@ -0,0 +1,79 @@ +# Introduction + +This guide will cover the configuration of Keycloak as SSO for different services, like Nextcloud or Mattermost. + +The list of users users and groups is mapped with a LDAP server. + +We assume you already have a reachable LDAP server. + +```mermaid +graph LR; + A(LDAP server)<-->B(Keycloak SSO); + B(Keycloak SSO)<-->A(LDAP server); + B(Keycloak SSO)<-->C(Nextcloud); + B(Keycloak SSO)<-->D(Mattermost); + B(Keycloak SSO)<-->E(Wordpress); +``` + +The sequences happens this way, using Nextcloud as an example. + +First, Nextcloud redirects login request to Keycloak, and keycloak checks +in his internal database if user exists and is connected to this client. + +```mermaid +sequenceDiagram; + participant L as LDAP; + participant N as Nextcloud; + participant K as Keycloak; + participant U as User; + activate U; + U->>N: Login; + Note over U,N: User asks for Nextcloud
login page url; + activate N; + N->>K: Redirect Login Page; + Note over N,K: Nextcloud redirects to
Keycloak login page; + activate K; + K->>U: Serve Login Page; + U->>K: Enter credentials; + Note over K,U: User enters credentials
in Keycloak login page; + loop Internal; + Note left of K: Check internal Db
if user exists
and is linked
to this client; + end; + deactivate K; + deactivate N; +``` + +If user exists in Keycloak database, keycloak updates Ldap data and let +Ldap Server in charge for password authentication. + +```mermaid +sequenceDiagram; + participant L as LDAP; + participant N as Nextcloud; + participant K as Keycloak; + participant U as User; + activate U; + activate K; + activate N; + K->>L: Final Auth; + Note over K,L: Keycloak delegates password
authentication to Ldap Server + activate L; + alt auth succed; + L->>K: success; + Note over L,K: Ldap tells Keycloak that auth succeeded; + K->>L: update; + Note over L,K: Keycloak updates groups and user atribute in Ldap; + deactivate L; + K->>N: user creation; + Note over N,K: Keycloak creates user
in Nextcloud if not exists; + K->>N: authentication; + Note over K,N: Keycloak authenticates
User in Nextcloud; + N->>U: access; + Note over N,U: Nextcloud is accessible by User + else auth failed; + K->>U: Back to login page; + end; + deactivate K; + deactivate N; +``` + diff --git a/docs/divers/devops/sso/sso-keycloak.md b/docs/divers/devops/sso/sso-keycloak.md new file mode 100644 index 00000000..3f935af3 --- /dev/null +++ b/docs/divers/devops/sso/sso-keycloak.md 
@@ -0,0 +1,121 @@ +# Keycloak configuration + +## Customize theme + +### Duplicate existing theme + +Duplicate keycloak theme and rename it to `my-theme`. + +Put the folder `my-theme` inside `themes` folder. I you are using Docker, you could simply bind a local folder to `/opt/jboss/keycloak/themes`. + +### Change logos + +Copy your logo `my-brand-logo.png` and your background `my-brand-bg.png` to the following destinations: + - `my-theme/welcome/resources/` + - `my-theme/login/resources/img/` + - `my-theme/admin/resources/img/` + - `my-theme/account/resources/img/` + +Put also a new `favicon.ico` in `my-teme/welcome/resources/` + +Now modify html and css calls to catch your logo name: +``` +find my-theme/ -type f -exec sed -i 's/keycloak-logo-text.png/my-brand-logo.png/g' {} + +find my-theme/ -type f -exec sed -i 's/keyclok-logo.png/my-brand-logo.png/g' {} + +find my-theme/ -type f -exec sed -i 's,/logo.png,/my-brand-logo.png,g' {} + +find my-theme/ -type f -exec sed -i 's,/bg.png,/my-theme-bg.png,g' {} + +find my-theme/ -type f -exec sed -i 's/keycloak-bg.png/my-theme-bg.png/g' {} + +``` + +If your logo doesn't appear totally in login page, you can change `width` and `height` +in `div.kc-logo-text` (file `my-theme/login/resources/css/login.css`). + +If your logo is distorted in nav bar, you can change `background-size` +in `.navbar-pf .navbar-brand` (file `admin/resources/css/styles.css` ). + +From that last `.navbar-pf .navbar-brand` bloc copy the values `height`, +`width` and `background-size` and report them to `.navbar-title` +in `account/resources/css/account.css`. 
+ +### Add terms and conditions + +#### Enable in Keycloak + +In Keycloak console admin, go to `Authentication > Required Actions` and enable `Terms and conditions`: + +![A screenshot of the Required Actions tab in Authentication, with Terms and conditions enabled](img/sso-keycloak-enable-terms.png) + +#### Modify message template + +If you want to modify actual page title (`Terms and Conditions`), you can modify the following: +- `termsTitle` +- `termsTitleHtml` +- `termsText` +- `termsPlainText` + +in `${KEYCLOAK_THEMES}/base/login/messages/messages_fr.properties`. + +#### Modify 'execute actions' email + +This email is sent when administrator triggers it, asking for acoount / password / policy update from the user. + +You can use that trigger at registration, asking for Password Update, so user can access password reset form. +Go in in `Ùsers --> Credentials --> Credential reset `: + +![Screenshot showing page for user password reset email sending](img/sso-keycloak-askpwdreset.png) + +This email is generated using template at `${KEYCLOAK_THEMES}/base/email/html/password-reset.ftl`. + +The message content is in : +- `executeActionsBodyHtmlSubject` +- `executeActionsBodyHtmlBody` +- `executeActionsBodyHtmlBodyHtml` + +in `${KEYCLOAK_THEMES}/base/email/messages/messages_fr.properties` +and `${KEYCLOAK_THEMES}/base/email/text/password-reset.ftl` + +Copy those three files in your own theme directory and custom it as you want. + +#### Modify after execution message + +When user executes the actions asked by mail, he ends on a simple page without no link nor redirection. + +You may want to add some links in template taken from `base/login/info.ftl`: + +``` +<#import "template.ftl" as layout> +<@layout.registrationLayout displayMessage=false; section> + <#if section = "header"> + <#if messageHeader??> + ${messageHeader} + <#else> + ${message.summary} + + <#elseif section = "form"> +
+

${message.summary}<#if requiredActions??><#list requiredActions>: <#items as reqActionItem>${msg("requiredAction.${reqActionItem}")}<#sep>, <#else> +

Cliquez ici pour gérer votre compte Keycloak Skiplink

+

Cliquez ici pour accéder à Nextcloud

+

Cliquez ici pour accéder à Mattermost

+ <#else> + <#if pageRedirectUri?has_content> +

${kcSanitize(msg("backToApplication"))?no_esc}

+ <#elseif actionUri?has_content> +

${kcSanitize(msg("proceedWithAction"))?no_esc}

+ <#elseif (client.baseUrl)?has_content> +

${kcSanitize(msg("backToApplication"))?no_esc}

+ + +
+ + +``` + +#### Define available languages + +For each sub-theme you need to define which locales are implemented (translated), +with a comma-separated list of supported locales in `${KEYCLOAK_THEMES}/${SUBTHEME}/theme.properties` like this: +``` +locales=fr,en +``` diff --git a/docs/divers/devops/sso/sso-ldap.md b/docs/divers/devops/sso/sso-ldap.md new file mode 100644 index 00000000..9e0aab1c --- /dev/null +++ b/docs/divers/devops/sso/sso-ldap.md 
@@ -0,0 +1,96 @@ +# Configure OpenLDAP + +We will just need a very basic configuration of Ldap, as Keycloak will +populate it. + +You can use docker-compose to mount an OpenLdap server basically populated at startup. + +## Install OpenLdap with docker-compose + +Here's the necessary `docker-compose.yml` file, deploying OpenLdap server along phpldapmyadmin web interface: + +``` +version: '3' +services: + openldap: + image: osixia/openldap + volumes: + - ./admin.ldif:/container/service/slapd/assets/config/bootstrap/ldif/admin.ldif + #args: [ "--copy-service" ] + command: "/bin/sh -c '/container/tool/run --copy-service --loglevel debug'" + env_file: + - .env + tty: true + stdin_open: true + # For replication to work correctly, domainname and hostname must be + # set correctly so that "hostname"."domainname" equates to the + # fully-qualified domain name for the host. + domainname: "pnpro.paris" + hostname: "ldap" + phpldapadmin: + image: osixia/phpldapadmin + ports: + - 127.0.0.1:8092:80 + depends_on: + - openldap + environment: + PHPLDAPADMIN_LDAP_HOSTS: "openldap" + PHPLDAPADMIN_HTTPS: "false" +``` + +You will need to create a `.env` file with following elements (replace the variables): +``` +LDAP_ORGANIZATION=${ORGANIZATION} +LDAP_DOMAIN=domain.org +LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD} +LDAP_CONFIG_PASSWORD=${LDAP_CONFIG_PASSWORD} +``` + +## Add a custom `.ldif` file + +We can use the following `admin.ldif` file, considering that root cn already exists: + +``` +dn: cn=admin, dc=domain, dc=org +changetype: modify +replace: o +o: Complete Organization Name + +dn: ou=people, dc=domain, dc=org +changetype: add +objectClass: organizationalUnit +ou: people + +dn: uid=superadmin, ou=people, dc=domain, dc=org +changetype: add +objectClass: inetOrgPerson +uid: superadmin +cn: Super +sn: Admin +mail: contact@domain.org +employeeNumber: 1 + +dn: ou=groups, dc=domain, dc=org +changetype: add +objectClass: organizationalUnit +ou: groups + + +dn: cn=admin, ou=groups, 
dc=domain, dc=org +changetype: add +objectClass: groupofNames +cn: admin +ou: Admin Group +member: uid=superadmin, ou=people, dc=domain, dc=org + +``` + +The file, binded to `/container/service/slapd/assets/config/bootstrap/ldif/admin.ldif` +will be used when running server within docker-compose via command `/container/tool/run --copy-service`. + +## Deploy the stack + +Run `docker-compose up -d` to deploy the server. + +Access phpmyadmin at `http://127.0.0.1:8092` and connect with user +`cn=admin, dn=domain, dn=org` and password set in `env`. diff --git a/docs/divers/devops/sso/sso-mattermost.md b/docs/divers/devops/sso/sso-mattermost.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/divers/devops/sso/sso-nextcloud.md b/docs/divers/devops/sso/sso-nextcloud.md new file mode 100644 index 00000000..8e916a2c --- /dev/null +++ b/docs/divers/devops/sso/sso-nextcloud.md 
@@ -0,0 +1,213 @@ +# Keycloak as SSO in Nextcloud + +## Keycloak configuration + +### Create a client + +We need first to create a client in keycloak, to connect to Nextcloud. + +Name `Client id` as you wish. + +![create a client](img/keycloak-nextcloud/keycloak_create-client.png) + +Use the following settings: + +![settings for client](img/keycloak-nextcloud/keycloak_client-settings.png) + +and + +![Configure ID Token Signature Algo as RS256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png) + +### Map groups in client + +Since user management is reserved to Keycloak, we need to configure a mapper +will reflect user/group configuration in Nextcloud. + +In fact, we won't + +#### Create a new role in client + +In **Roles** tab, we create a role admin that we will map to Nextcloud. + +![create role](img/keycloak-nextcloud/keycloak_client-newrole.png) + +Create here all the groups you'll need in Nextcloud + +**You will also have to create them in Nextcloud! ** + +#### Configure mapper for roles + +This will allow us to map roles from client to nextcloud's groups. + +![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png) + +Choose the **Name** you want, but **Token Claim Name** must be `ownCloudGroups`. + +#### Map roles for user + +Go to an admin user you created (or create an user) and map admin role we created. + +Go to the **Role Mappings** tab, then select the client you created in the **Client Roles** +selection box, then click on **Add Selected** in the bottom-left to promote a role from available +to assigned roles. + +![map roles for user](img/keycloak-nextcloud/keycloak_user-rolemapping.png) + +#### Check if mapping has been catched by client + +Go back to client part and evaluate client scope for the admin user you just configured. + +Go to your client, tab **Client Scopes**, select your user and clic on **Evaluate**. + +Check the **Generated Access Token** tab to see if the user get admin role. 
+ +![evaluate client scope](img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png) + +### Map quota + +We have the ability to define storage quota for each user we create. + +#### Configure mapper for quota + +![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png) + +#### Configure quota for user + +![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png) + +### Get informations + +We need client secret and realm endpoints to configure nextcloud. + +#### Get Client Secret + +Go in **Client** -> **Credentials**, to get client secret that we will need to configure nextcloud plugin. + +![get client secret](img/keycloak-nextcloud/keycloak_client-getcredentials.png) + +#### See Endpoints + +You will also need endpoints urls to adapt Nextcloud Social Login plugin configuration. + +Go in **Realm Settings** -> **General**, clic on `OpenID EndpointConfiguration`. + +![Ask for conf page](img/keycloak-nextcloud/keycloak_realm-accessconf.png) + +You will be redirected to the API endpoint, showing you endpoits url and other infos: + +![json endpoint data](img/keycloak-nextcloud/keycloak_realm-json.png) + + +#### Install the plugin + +**OpenID Connect Login** is a plugin made by pulsejet that can be found in Nextcloud AppStore. + +#### Configure Nextcloud + +Configuration of the plugin can only be made by modifying `config.php`. + +??? note "Unroll to see `config.php` useful settings:" + ``` + $CONFIG = array ( + 'allow_user_to_change_display_name' => false, + 'lost_password_link' => 'disabled', + + // URL of provider. 
All other URLs are auto-discovered from .well-known + 'oidc_login_provider_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM', + + // Client ID and secret registered with the provider + 'oidc_login_client_id' => 'nextcloud.domain.ext', // Client ID, Step 1 + 'oidc_login_client_secret' => 'secret', // Client Secret: Got to Clients -> Client -> Credentials + + // Automatically redirect the login page to the provider + 'oidc_login_auto_redirect' => false, + + // Redirect to this page after logging out the user + 'oidc_login_logout_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM/protocol/openid-connect/logout?&redirect_uri=http%3A%2F%2Fnextcloud.domain.ext%2F', + + // Quota to assign if no quota is specified in the OIDC response (bytes) + 'oidc_login_default_quota' => '1000000000', + + // Login button text + 'oidc_login_button_text' => 'OpenID', + + // Attribute map for OIDC response. Available keys are: + // i) id: Unique identifier for username + // ii) name: Full name + // iii) mail: Email address + // iv) quota: Nextcloud storage quota + // v) home: Home directory location. A symlink or external storage to this location is used + // vi) ldap_uid: LDAP uid to search for when running in proxy mode + // vii) groups: Array or space separated string of NC groups for the user + // + // The attributes in the OIDC response are flattened by adding the nested + // array key as the prefix and an underscore. 
Thus, + // + // $profile = [ + // 'id' => 1234, + // 'attributes' => [ + // 'uid' => 'myuid' + // ] + // ]; + // + // would become, + // + // $profile = [ + // 'id' => 1234, + // 'attributes_uid' => 'myuid' + // ] + // + 'oidc_login_attributes' => array ( + 'id' => 'preffered_username', + 'name' => 'name', + 'mail' => 'email', + 'quota' => 'ownCloudQuota', + 'home' => 'homeDirectory', + 'ldap_uid' => 'uid', + 'groups' => 'ownCloudGroups', + ), + + // Default group to add users to (optional, defaults to nothing) + 'oidc_login_default_group' => 'oidc', + + // Use external storage instead of a symlink to the home directory + // Requires the files_external app to be enabled + 'oidc_login_use_external_storage' => false, + + // Set OpenID Connect scope + 'oidc_login_scope' => 'openid profile', + + // Run in LDAP proxy mode + // In this mode, instead of creating users of its own, OIDC login + // will get the existing user from an LDAP database and only + // perform authentication with OIDC. All user data will be derived + // from the LDAP database instead of the OIDC user response + // + // The `id` attribute in `oidc_login_attributes` must return the + // "Internal Username" (see expert settings in LDAP integration) + 'oidc_login_proxy_ldap' => false, + + // Disable creation of new users from OIDC login + 'oidc_login_disable_registration' => false, + + // Fallback to direct login if login from OIDC fails + // Note that no error message will be displayed if enabled + 'oidc_login_redir_fallback' => true, + + // Use an alternative login page + // This page will be php-included instead of a redirect if specified + // In the example below, the PHP file `login.php` in `assets` + // in nextcloud base directory will be included + // Note: the PHP variable $OIDC_LOGIN_URL is available for redirect URI + // Note: you may want to try setting `oidc_login_logout_url` to your + // base URL if you face issues regarding re-login after logout + // 'oidc_login_alt_login_page' => 
'assets/login.php', + + // For development, you may disable TLS verification. Default value is `true` + // which should be kept in production + 'oidc_login_tls_verify' => true, + + // If you are behind a proxy + 'overwriteprotocol' => 'https', + ); + ``` diff --git a/docs/divers/devops/sso/sso-wordpress.md b/docs/divers/devops/sso/sso-wordpress.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/divers/index.md b/docs/divers/index.md index 7dec2a61..bba23cda 100644 --- a/docs/divers/index.md +++ b/docs/divers/index.md @@ -5,7 +5,7 @@ Dans cette rubrique vous trouverez différentes astuces, mémos, snippets, tips, Toutes les astuces sont regroupées par catégories: - [les mémos pour bien utiliser les commandes linux](cmd/index.md) -- [les tutos d'administration système](adminsys/index.md) -- [les guides complets pour déployer des services réseau](guides/index.md) +- [les tutos d'administration du Poste de travail](admin/index.md) +- [les tutos d'administration Serveur](server/index.md) - [les guides DevOps](devops/index.md) - [les guides internes](internal/index.md) diff --git a/docs/divers/internal/index.md b/docs/divers/internal/index.md index 6640dcb7..30bb0eb3 100644 --- a/docs/divers/internal/index.md +++ b/docs/divers/internal/index.md @@ -1,5 +1,6 @@ -# Introduction +# Astuces du Garage Cette rubrique regroupe des astuces internes au Garage - [Imprimantes](install-printers.md) +- [Contribuer à la doc avec mkdocs](mkdocs.md) diff --git a/docs/divers/devops/mkdocs.md b/docs/divers/internal/mkdocs.md similarity index 100% rename from docs/divers/devops/mkdocs.md rename to docs/divers/internal/mkdocs.md diff --git a/docs/divers/guides/img/pxe-select-lan.png b/docs/divers/server/img/pxe-select-lan.png similarity index 100% rename from docs/divers/guides/img/pxe-select-lan.png rename to docs/divers/server/img/pxe-select-lan.png 
diff --git a/docs/divers/guides/img/pxe-select-wan.png b/docs/divers/server/img/pxe-select-wan.png similarity index 100% rename from docs/divers/guides/img/pxe-select-wan.png rename to docs/divers/server/img/pxe-select-wan.png diff --git a/docs/divers/guides/img/welcome_to_nginx.png b/docs/divers/server/img/welcome_to_nginx.png similarity index 100% rename from docs/divers/guides/img/welcome_to_nginx.png rename to docs/divers/server/img/welcome_to_nginx.png diff --git a/docs/divers/guides/index.md b/docs/divers/server/index.md similarity index 90% rename from docs/divers/guides/index.md rename to docs/divers/server/index.md index ad4e9003..a43a66bb 100644 --- a/docs/divers/guides/index.md +++ b/docs/divers/server/index.md @@ -1,4 +1,4 @@ -# Guides d'Administration Système +# Administration Serveur - [Installer un serveur PXE](install_pxe.md) - [Installer Wordpress avec Docker-Compose](wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md) diff --git a/docs/divers/guides/install_pxe.md b/docs/divers/server/install_pxe.md similarity index 100% rename from docs/divers/guides/install_pxe.md rename to docs/divers/server/install_pxe.md diff --git a/docs/divers/guides/nextcloud_docker-compose_on_debian-10_with_nginx_reverse-proxy.md b/docs/divers/server/nextcloud_docker-compose_on_debian-10_with_nginx_reverse-proxy.md similarity index 100% rename from docs/divers/guides/nextcloud_docker-compose_on_debian-10_with_nginx_reverse-proxy.md rename to docs/divers/server/nextcloud_docker-compose_on_debian-10_with_nginx_reverse-proxy.md diff --git a/docs/divers/guides/serveur_debian_smb_ssh.md b/docs/divers/server/serveur_debian_smb_ssh.md similarity index 100% rename from docs/divers/guides/serveur_debian_smb_ssh.md rename to docs/divers/server/serveur_debian_smb_ssh.md 
diff --git a/docs/divers/guides/wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md b/docs/divers/server/wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md similarity index 100% rename from docs/divers/guides/wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md rename to docs/divers/server/wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md diff --git a/docs/index.md b/docs/index.md index 0bdd3317..5215ea77 100644 --- a/docs/index.md +++ b/docs/index.md @@ -7,8 +7,8 @@ La documentation est divisée en deux parties: - [les cours](cours) - [les autres ressources](divers) - [les mémos pour bien utiliser les commandes linux](divers/cmd/index.md) - - [les tutos d'administration système](divers/adminsys/index.md) - - [les guides complets pour déployer des services réseau](divers/guides/index.md) + - [les tutos d'administration système](divers/admin/index.md) + - [les guides complets pour déployer des services réseau](divers/server/index.md) - [les guides DevOps](divers/devops/index.md) - [les guides internes](divers/internal/index.md) diff --git a/mkdocs.yml b/mkdocs.yml index 6ec2371a..7f8f4df4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -5,9 +5,11 @@ theme: name: material custom_dir: overrides features: + - navigation.instant + - navigation.expand - tabs plugins: - - markdownmermaid + #- markdownmermaid - search: min_search_length: 2 - git-authors @@ -15,7 +17,11 @@ plugins: markdown_extensions: - admonition - pymdownx.details - - pymdownx.superfences + - pymdownx.superfences: + custom_fences: + - name: mermaid + class: mermaid + format: !!python/name:pymdownx.superfences.fence_div_format - pymdownx.highlight: use_pygments: false linenums_style: pymdownx.inline 
@@ -28,9 +34,10 @@ markdown_extensions: extra_javascript: - https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/highlight.min.js - javascripts/config.js - - https://unpkg.com/mermaid@7.1.2/dist/mermaid.min.js + - https://unpkg.com/mermaid@8.8.2/dist/mermaid.min.js extra_css: - https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/styles/default.min.css + - https://unpkg.com/mermaid@8.8.2/dist/mermaid.css nav: - Accueil: index.md - Cours: 
@@ -51,28 +58,34 @@ nav: - cours/python/os-script.md - Divers: - divers/index.md - - "Commandes Linux": - - "Index": divers/cmd/index.md + - "Linux": + - divers/cmd/index.md - divers/cmd/backup.md - divers/cmd/screen.md - divers/cmd/nmcli.md - divers/cmd/mount.md - "Admin Sys": - - Index: divers/adminsys/index.md - - "Installer Adobe pdf reader": divers/adminsys/acroread-debian.md - - "Configurer Gnome AppFolders": divers/adminsys/gnome-appfolders.md - - "Réinitialiser un mot de passe Windows": divers/adminsys/reset-winpasswd.md - - "Déploiement de Serveurs": - - "Index": divers/guides/index.md - - divers/guides/install_pxe.md - - "Nextcloud": divers/guides/nextcloud_docker-compose_on_debian-10_with_nginx_reverse-proxy.md - - "Wordpress": divers/guides/wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md - - "SSH - SAMBA": divers/guides/serveur_debian_smb_ssh.md + - divers/admin/index.md + - "Installer Adobe pdf reader": divers/admin/acroread-debian.md + - "Configurer Gnome AppFolders": divers/admin/gnome-appfolders.md + - "Réinitialiser un mot de passe Windows": divers/admin/reset-winpasswd.md + - "Servers": + - divers/server/index.md + - divers/server/install_pxe.md + - "Nextcloud": divers/server/nextcloud_docker-compose_on_debian-10_with_nginx_reverse-proxy.md + - "Wordpress": divers/server/wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md + - "SSH - SAMBA": divers/server/serveur_debian_smb_ssh.md - "DevOps": - - "Index": divers/devops/index.md + - divers/devops/index.md - "Hugo": divers/devops/hugo.md - - "MkDocs": divers/devops/mkdocs.md - - "Keycloak Nextcloud": divers/devops/keycloak-nextcloud.md + - "Keycloak SSO": + - divers/devops/sso/index.md + - divers/devops/sso/sso-ldap.md + - divers/devops/sso/sso-keycloak.md + - divers/devops/sso/sso-nextcloud.md + - divers/devops/sso/sso-mattermost.md + - divers/devops/sso/sso-wordpress.md - "Interne": - "Index": divers/internal/index.md - "Imprimantes": 
divers/internal/install-printers.md + - "MkDocs": divers/internal/mkdocs.md
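Review bot: in the `oidc_login_attributes` block of the sso-nextcloud.md config hunk, `'id' => 'preffered_username'` misspells the claim; the standard OIDC claim Keycloak emits is `preferred_username`, so with the typo the `id` attribute resolves to nothing and users cannot be matched or created. Change it to `'id' => 'preferred_username',`. Related, the same hunk sets `'oidc_login_redir_fallback' => true`, and its own comment says no error message is shown in that case, so a broken attribute mapping silently drops users onto the password form; suggest documenting that this should be `false` while validating the setup (and that `oidc_login_tls_verify` must stay `true`, as the comment already says).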
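Review bot: `docs/divers/devops/sso/sso-wordpress.md` is added as an empty file (index `00000000..e69de29b`, the empty-blob hash, with no hunk body) while the mkdocs.yml nav hunk in the same patch lists it under "Keycloak SSO". Either leave it out of the nav until it has content or give it at least a heading and a "work in progress" line so the nav entry does not open a blank page.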
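Review bot: the docs/index.md hunk only rewrites the link targets (`divers/admin/index.md`, `divers/server/index.md`) but keeps the old labels "les tutos d'administration système" and "les guides complets pour déployer des services réseau", whereas the docs/divers/index.md hunk in the same patch renames them to "les tutos d'administration du Poste de travail" and "les tutos d'administration Serveur". Use the same wording in both files so the two indexes describe the sections identically.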
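Review bot: in the mkdocs.yml plugins hunk, `#- markdownmermaid` leaves dead configuration behind; since the replacement is the `pymdownx.superfences` custom fence (`name: mermaid` with `fence_div_format`) added in the following hunk, delete the commented line instead of keeping it. The same hunk also enables `navigation.instant`, under which Material loads subsequent pages via XHR without re-running the scripts listed in `extra_javascript`; the mermaid bundle initialises its diagrams on the initial page load only, so diagrams on pages reached through instant navigation may stay unrendered unless `javascripts/config.js` re-triggers rendering from Material's `document$` observable. Worth checking by navigating between two pages that both contain diagrams.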
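Review bot: the extra_javascript/extra_css hunk upgrades mermaid to `8.8.2`, but all three third-party assets (highlight.js `10.1.1` from cdnjs, mermaid `8.8.2` from unpkg, and the new `mermaid.css`) are still loaded from public CDNs with no subresource integrity, so a compromised or mistyped CDN path runs arbitrary script on every documentation page. `javascripts/config.js` is already served locally; suggest vendoring the pinned mermaid and highlight.js builds the same way. Also confirm that `dist/mermaid.css` exists in the 8.8.2 package, since the previous `7.1.2` setup loaded no stylesheet at all.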
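Review bot: in the nav hunk, the new section label `"Servers"` is in English while the page it points to was just retitled `# Administration Serveur` and the neighbouring labels ("Admin Sys", "Interne") are French; likewise `"Admin Sys"` is kept although docs/divers/index.md now calls that section "administration du Poste de travail". Suggest `"Serveurs"` and `"Poste de travail"` (or simply reusing the page headings) so the navigation stays consistent with the renamed directories.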