Onboarding a new employee
- These steps are performed by a d-centralize admin to onboard a new employee.
- There are also tasks for the whole team to onboard the employee.
- There’s also the new employee orientation for the new employee to read.
Adding a new user
Start Here
Help the new user connect to the Wi-Fi, log in to their d-centralize account, and give them the link to this handbook.
Automated accounts (the sync tool)
Most accounts are provisioned by the onboarding sync tool. Add the new hire to onboarding/users.yaml in dc scripts: localpart, full name, the Bitwarden item holding their private email, their keycloak_groups, and any extra services (cuda-dev, or wireguard with vpn_devices). Then run:

```sh
cd ~/git/scripts/onboarding
uv run sync_users.py          # dry-run: review the plan
uv run sync_users.py --apply  # provision (Bitwarden unlocked)
```

It is idempotent (safe to re-run) and provisions:
- Mailbox (mailcow): the @d-centralize.nl account, with single sign-on from the start. Webmail/UI login goes through Keycloak; mail clients (IMAP/SMTP) use app passwords.
- Keycloak SSO: the account, created with their @d-centralize.nl email so single sign-on works across every app immediately. 2FA is enforced after a short grace period.
- Vaultwarden: org membership and group/collection access derived from keycloak_groups.
- cuda-dev box(es): for users with cuda-dev in services, a container per host, with the SSH key delivered through a Bitwarden Send.
- VPN peer(s): for users with wireguard in services, one WireGuard peer per device in vpn_devices, applied to the router, with the config delivered as a scannable QR through a Bitwarden Send.
The steps below cover only what the sync tool does not handle.
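As an added example (not the dc scripts sync tool and not code from this handbook), the following Python validates a users.yaml entry against the fields listed above before the dry run, so that a malformed localpart, an unknown service or a wireguard entry without vpn_devices is caught before anything is provisioned. It also derives the list of resources the apply step would create for each entry, the same way one would read the dry-run plan. The field names come from the handbook; the snake_case key spellings, the top-level list layout and the sample entries are assumptions (the entries are constructed, not real hires).

```python
"""Pre-flight checks for onboarding/users.yaml entries (added example, not the sync tool).

Key names follow the handbook (localpart, full name, Bitwarden item for the
private email, keycloak_groups, services, vpn_devices); their exact YAML
spellings below are assumptions. With PyYAML the real file would be loaded
as the same list of dicts: yaml.safe_load(open("onboarding/users.yaml")).
"""
import re

# Constructed sample entries (not real people): one valid, one with mistakes.
SAMPLE_USERS = [
    {
        "localpart": "jane.doe",                       # becomes jane.doe@d-centralize.nl
        "full_name": "Jane Doe",
        "private_email_bitwarden_item": "onboarding/jane-doe-private-email",
        "keycloak_groups": ["employees", "appsemble"],
        "services": ["wireguard"],
        "vpn_devices": ["laptop", "phone"],
    },
    {
        "localpart": "Bad User",                       # spaces/uppercase: not a mailbox localpart
        "full_name": "Bad User",
        "private_email_bitwarden_item": "",            # nowhere to send the Bitwarden Sends
        "keycloak_groups": [],                         # Vaultwarden access would be empty
        "services": ["wireguard", "gitlab"],           # gitlab is not a sync-tool service
        # wireguard requested but no vpn_devices
    },
]

# Conservative localpart shape: lowercase, digits, dots, dashes, underscores.
LOCALPART_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$")
# Services the handbook says the sync tool knows about.
KNOWN_SERVICES = {"cuda-dev", "wireguard"}


def validate_user(user):
    """Return a list of problems for one entry; an empty list means it is ready."""
    problems = []
    localpart = user.get("localpart", "")
    if not LOCALPART_RE.match(localpart):
        problems.append(f"localpart {localpart!r} is not a valid mailbox localpart")
    if not user.get("full_name"):
        problems.append("full_name is missing")
    if not user.get("private_email_bitwarden_item"):
        problems.append("private_email_bitwarden_item is missing (Bitwarden Sends have no recipient)")
    if not (user.get("keycloak_groups") or []):
        problems.append("keycloak_groups is empty: Vaultwarden group/collection access would be empty")
    services = set(user.get("services") or [])
    for svc in sorted(services - KNOWN_SERVICES):
        problems.append(f"unknown service {svc!r} (sync tool only knows cuda-dev and wireguard)")
    devices = user.get("vpn_devices") or []
    if "wireguard" in services and not devices:
        problems.append("wireguard is in services but vpn_devices is empty: no peer would be created")
    if devices and "wireguard" not in services:
        problems.append("vpn_devices is set but wireguard is not in services: devices would be ignored")
    return problems


def validate_all(users):
    """Validate every entry and flag duplicate localparts across the file.

    Returns {"<index>:<localpart>": [problems]} containing only failing entries.
    """
    report = {}
    seen = {}
    for i, user in enumerate(users):
        localpart = user.get("localpart", "")
        problems = validate_user(user)
        if localpart in seen:
            problems.append(f"duplicate localpart {localpart!r} (also entry {seen[localpart]})")
        else:
            seen[localpart] = i
        if problems:
            report[f"{i}:{localpart}"] = problems
    return report


def planned_resources(user):
    """List what --apply would provision for one entry, in the handbook's order."""
    plan = ["mailbox", "keycloak", "vaultwarden"]  # always created, SSO from the start
    services = user.get("services") or []
    if "cuda-dev" in services:
        plan.append("cuda-dev")  # one container per host; the host list lives in the tool
    if "wireguard" in services:
        plan.extend(f"wireguard:{device}" for device in user.get("vpn_devices") or [])
    return plan


if __name__ == "__main__":
    report = validate_all(SAMPLE_USERS)
    for key, problems in report.items():
        print(f"{key}:")
        for problem in problems:
            print(f"  - {problem}")
    for user in SAMPLE_USERS:
        if not validate_user(user):
            print(f"{user['localpart']}: would provision {planned_resources(user)}")
```

Running it prints the five problems with the second entry and the plan for the first (mailbox, keycloak, vaultwarden, and one WireGuard peer each for laptop and phone). The checks are deliberately stricter than the tool needs to be: because sync_users.py is idempotent, a bad entry is not dangerous, but catching it here keeps the dry-run plan short enough to actually review.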
Key agreement
Before handing out the office keys, draft a key agreement using inContract.
Also create a 6-digit code for opening the front door through the Loqed app.
- Choose Sleutel toevoegen. Under Naam van ontvanger, enter first + last name.
- Enable Toegangscode and set a random pin.
- Share the generated key with the user through email.
IM memberships
- Invite the user to the d-centralize Mattermost and the appropriate teams.
- For Appsemble, add members to the Appsemble team: Server settings → Members → Appsemble → Members, then add the members to the team.
GitLab account
In dc scripts, use gitlab/add_gitlab_user.py to invite the user to the following projects:
| Group | Role | Link |
|---|---|---|
| dcentralize | Reporter | dcentralize_group |
| Handbook project | Developer | handbook_project |
Note that if you give a user access to a project such as https://gitlab.d-centralize.nl/pro6pp/pro6pp and that project uses the dependency_proxy, make sure the user is also added as Guest to the group (https://gitlab.d-centralize.nl/pro6pp), or else the CI pipelines will always fail.
Note that after accepting the invite, users still need to be approved by an admin through the GitLab pending users screen.
If a user needs to run pipelines that depend on a Container Registry from another project (see container_registry_permissions), the user needs at least Reporter access in the project holding the containers. Guest permissions inherited from the group are not enough.
Clockify account
Users with admin permissions in Clockify can add new users to the d-centralize team. Then add the relevant projects and/or clients when needed.
Sentry account
To troubleshoot issues, it’s useful to have access to Sentry. Invite people through the self-hosted Sentry.
Nextcloud
When the user signs in, they appear in the user list and you can assign the group(s).
Wi-Fi account
Mail Inphos support to obtain a personal Wi-Fi login and access to the service portal for the new team member.