# Admin Bootstrap and OIDC Role Sync ## Overview - **Admin bootstrap:** In production, no seeds run. The first admin user is created/updated from environment variables in the Docker entrypoint (after migrate, before server). Password can be changed without redeploy via `bin/mv eval "Mv.Release.seed_admin()"`. - **OIDC role sync:** Optional mapping from OIDC groups (e.g. from Authentik profile scope) to the Admin role. Users in the configured admin group get the Admin role on registration and on each sign-in. ## Admin Bootstrap (Part A) ### Environment Variables - `ADMIN_EMAIL` – Email of the admin user to create/update. If unset, seed_admin/0 does nothing. - `ADMIN_PASSWORD` – Password for the admin user. If unset (and no file), no user is created in production. - `ADMIN_PASSWORD_FILE` – Path to a file containing the password (e.g. Docker secret). ### Release Task - `Mv.Release.seed_admin/0` – Reads ADMIN_EMAIL and password from ADMIN_PASSWORD or ADMIN_PASSWORD_FILE. If both are set, creates or updates the user with the Admin role. Idempotent. ### Entrypoint - rel/overlays/bin/docker-entrypoint.sh – After migrate, runs seed_admin(), then starts the server. ### Seeds (Dev/Test) - priv/repo/seeds.exs – Uses ADMIN_PASSWORD or ADMIN_PASSWORD_FILE when set; otherwise fallback "testpassword" only in dev/test. ## OIDC Role Sync (Part B) ### Configuration - `OIDC_ADMIN_GROUP_NAME` – OIDC group name that maps to the Admin role. If unset, no role sync. - `OIDC_GROUPS_CLAIM` – JWT claim name for group list (default "groups"). - Module: Mv.OidcRoleSyncConfig (oidc_admin_group_name/0, oidc_groups_claim/0). ### Sync Logic - Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info) – If admin group configured, sets user role to Admin or Mitglied based on user_info groups. ### Where It Runs 1. Registration: register_with_rauthy after_action calls OidcRoleSync. 2. Sign-in: sign_in_with_rauthy prepare after_action calls OidcRoleSync for each user. ### Internal Action - User.set_role_from_oidc_sync – Internal update (role_id only). Used by OidcRoleSync; not exposed. ## See Also - .env.example – Admin and OIDC group env vars. - lib/mv/release.ex – seed_admin/0. - lib/mv/oidc_role_sync.ex – Sync implementation. - docs/oidc-account-linking.md – OIDC account linking.