Amend documentation given some real user experience

README.md

@@ -9,6 +9,12 @@ Currently supported sources:
 
 ## Configuration
 
+> [!WARNING]
+>
+> When creating a service user, limit them to the specific project and
+> organization scope that they are intended to sync. `famedly-sync`
+> currently does not separately limit the scope of the sync, see #103.
+
 The tool expects a configuration file located at `./config.yaml`. See example configuration at [config.sample.yaml](./config.sample.yaml).
 
 The default path can be changed by setting the new path to the environment variable `FAMEDLY_SYNC_CONFIG`.
@@ -121,7 +127,7 @@ docker compose up
 Or alternatively, without `docker compose`:
 
 ```
-docker run --rm -it --network host --volume ./opt:/opt/famedly-sync-agent docker-oss.nexus.famedly.de/famedly-sync-agent:latest
+docker run --rm -it --network host --volume ./opt:/opt/famedly-sync docker-oss.nexus.famedly.de/famedly-sync-agent:latest
 ```
 
 ### Kubernetes Deployment

docker-compose.yaml

@@ -4,5 +4,5 @@ services:
     volumes:
       - type: bind
         source: ./opt
-        target: /opt/famedly-sync-agent
+        target: /opt/famedly-sync
     network_mode: host

ldap-sync-cronjob.yaml

@@ -14,7 +14,7 @@ spec:
               image: docker-oss.nexus.famedly.de/famedly-sync-agent:v0.4.0
               imagePullPolicy: IfNotPresent
               volumeMounts:
-                - mountPath: /opt/famedly-sync-agent/
+                - mountPath: /opt/famedly-sync/
                   name: famedly-sync-config
           restartPolicy: OnFailure
           volumes:

sample-configs/csv-config.sample.yaml

@@ -3,12 +3,16 @@ zitadel:
   # The Famedly user endpoint to sync to.
   url: https://auth.famedly.de
   # The Famedly-provided service user credentials.
-  key_file: /opt/famedly-sync-agent/service-user.json
+  key_file: /opt/famedly-sync/service-user.json
   # The organization whose users to sync.
   organization_id: 278274756195721220
   # The project to grant users access to.
   project_id: 278274945274880004
   # The identity provider ID to enable SSO login for
+  #
+  # WARNING: This user *must* be scoped to the specific org/project,
+  # as famedly-sync does not limit syncs to the configured org/project
+  # by itself.
   idp_id: 281430143275106308
 
 feature_flags:

sample-configs/ldap-config.sample.yaml

@@ -3,12 +3,16 @@ zitadel:
   # The Famedly user endpoint to sync to.
   url: https://auth.famedly.de
   # The Famedly-provided service user credentials.
-  key_file: /opt/famedly-sync-agent/service-user.json
+  key_file: /opt/famedly-sync/service-user.json
   # The organization whose users to sync.
   organization_id: 278274756195721220
   # The project to grant users access to.
   project_id: 278274945274880004
   # The identity provider ID to enable SSO login for
+  #
+  # WARNING: This user *must* be scoped to the specific org/project,
+  # as famedly-sync does not limit syncs to the configured org/project
+  # by itself.
   idp_id: 281430143275106308
 
 feature_flags:

sample-configs/ukt-config.sample.yaml

@@ -3,12 +3,16 @@ zitadel:
   # The Famedly user endpoint to sync to.
   url: https://auth.famedly.de
   # The Famedly-provided service user credentials.
-  key_file: /opt/famedly-sync-agent/service-user.json
+  key_file: /opt/famedly-sync/service-user.json
   # The organization whose users to sync.
   organization_id: 278274756195721220
   # The project to grant users access to.
   project_id: 278274945274880004
   # The identity provider ID to enable SSO login for
+  #
+  # WARNING: This user *must* be scoped to the specific org/project,
+  # as famedly-sync does not limit syncs to the configured org/project
+  # by itself.
   idp_id: 281430143275106308
 
 feature_flags: