Fix the book again (#1302)

* fixing templates and making the book build script quit harder on failures

Makefile

@@ -160,6 +160,7 @@ book: ## Build the Kanidm book
 book:
 	cargo doc --no-deps
 	mdbook build kanidm_book
+	rm -rf ./docs/
 	mv ./kanidm_book/book/ ./docs/
 	mkdir -p ./docs/rustdoc/${BOOK_VERSION}
 	mv ./target/doc/* ./docs/rustdoc/${BOOK_VERSION}/
@@ -172,6 +173,7 @@ book_versioned:
 	git pull origin "${BOOK_VERSION}"
 	cargo doc --no-deps --quiet
 	mdbook build kanidm_book
+	rm -rf ./docs/
 	mkdir -p ./docs
 	mv ./kanidm_book/book/ ./docs/${BOOK_VERSION}/
 	mkdir -p ./docs/${BOOK_VERSION}/rustdoc/

build_all_the_docs.sh

@@ -1,24 +1,37 @@
 #!/bin/bash
 
+set -e
+
 git config --global pull.ff only
 DOCS_DIR="/tmp/kanidm_docs"
 
 echo "DOCS DIR: ${DOCS_DIR}"
 echo "PWD: $(pwd)"
 
+if [ "${GITHUB_ACTIONS}" ]; then
+    echo "Running in Github Actions"
+    git config user.email "kanidm@kanidm.com"
+    git config user.name "Kanidm Github Actions Runner"
+fi
+
+git fetch --all
+
 function build_version() {
     BOOK_VERSION=$1
     echo "Book version: ${BOOK_VERSION}"
     echo "<li><a href=\"/kanidm/${BOOK_VERSION}\">${BOOK_VERSION}</a></li>" >> "${DOCS_DIR}/index.html"
 
-    git switch -c "${BOOK_VERSION}" || git switch "${BOOK_VERSION}"
+    if [ "$(git branch --show-current)" != "${BOOK_VERSION}" ]; then
-	git pull origin "${BOOK_VERSION}"
+        git switch -c "${BOOK_VERSION}" || git switch "${BOOK_VERSION}"
+    fi
     echo "Running mdbook build"
 	mdbook build kanidm_book
     echo "Running cargo doc"
     cargo doc --quiet --no-deps
     echo "Moving book to ${DOCS_DIR}/${BOOK_VERSION}/"
     mv ./kanidm_book/book/ "${DOCS_DIR}/${BOOK_VERSION}/"
+    echo "Cleaning out rustdoc dir..."
+    rm -rf "${DOCS_DIR}/${BOOK_VERSION}/rustdoc/"
 	echo "Moving rustdoc to ${DOCS_DIR}/${BOOK_VERSION}/rustdoc/"
     mkdir -p "${DOCS_DIR}/${BOOK_VERSION}/rustdoc/"
     mv ./target/doc/* "${DOCS_DIR}/${BOOK_VERSION}/rustdoc/"
@@ -61,5 +74,6 @@ cat >> "${DOCS_DIR}/index.html" <<-'EOM'
 EOM
 ls -la "${DOCS_DIR}"
 
+rm -rf ./docs/
 mv "${DOCS_DIR}" ./docs/
 ln -s "${LATEST}" ./docs/stable

kanidm_book/src/accounts_and_groups.md

@@ -51,8 +51,15 @@ sensitive data), group management, and more.
 By default the `admin` and `idm_admin` accounts have no password, and can not be accessed. They need
 to be "recovered" from the server that is running the kanidmd server.
 
-{{#template templates/kani-warning.md imagepath=images title=Warning! text=The server must not be
+<!-- deno-fmt-ignore-start -->
-running at this point, as it requires exclusive access to the database. }}
+
+{{#template templates/kani-warning.md
+imagepath=images
+title=Warning!
+text=The server must not be running at this point, as it requires exclusive access to the database.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 ```shell
 kanidmd recover_account admin -c /etc/kanidm/server.toml
@@ -127,10 +134,15 @@ these attributes.
 kanidm person update demo_user --legalname "initial name" --mail "initial@email.address"
 ```
 
-{{#template templates/kani-warning.md imagepath=images title=Warning! text=Persons may change their
+<!-- deno-fmt-ignore-start -->
-own displayname, name, and legal name at any time. You MUST NOT use these values as primary keys in
+
-external systems. You MUST use the `uuid` attribute present on all entries as an external primary
+{{#template templates/kani-warning.md
-key. }}
+imagepath=images
+title=Warning!
+text=Persons may change their own displayname, name, and legal name at any time. You MUST NOT use these values as primary keys in external systems. You MUST use the `uuid` attribute present on all entries as an external primary key.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 ## Resetting Person Account Credentials
 
@@ -225,8 +237,14 @@ ldapwhoami -H ldaps://idm.example.com -x -D "dn=token" -w "..."
 
 ## Resetting Service Account Credentials (Deprecated)
 
-{{#template templates/kani-warning.md imagepath=images text=Api Tokens are a better method to manage
+<!-- deno-fmt-ignore-start -->
-credentials for service accounts, and passwords may be removed in the future! }}
+
+{{#template templates/kani-warning.md
+imagepath=images
+text=Api Tokens are a better method to manage credentials for service accounts, and passwords may be removed in the future!
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 Service accounts can not have their credentials interactively updated in the same manner as persons.
 Service accounts may only have server side generated high entropy passwords.
@@ -262,9 +280,11 @@ Kanidm supports accounts that are only able to authenticate between a pair of da
 
 This can be displayed with:
 
-    kanidm person validity show demo_user --name idm_admin
+```bash
-    valid after: 2020-09-25T21:22:04+10:00
+kanidm person validity show demo_user --name idm_admin
-    expire: 2020-09-25T01:22:04+10:00
+valid after: 2020-09-25T21:22:04+10:00
+expire: 2020-09-25T01:22:04+10:00
+```
 
 These datetimes are stored in the server as UTC, but presented according to your local system time
 to aid correct understanding of when the events will occur.
@@ -276,7 +296,7 @@ You may set these time and date values in any timezone you wish (such as your lo
 the server will transform these to UTC. These time values are in iso8601 format, and you should
 specify this as:
 
-```
+```shell
 YYYY-MM-DDThh:mm:ssZ+-hh:mm
 Year-Month-Day T hour:minutes:seconds Z +- timezone offset
 ```
@@ -304,7 +324,7 @@ kanidm person validity expire_at demo_user never|clear --name idm_admin
 To "lock" an account, you can set the expire_at value to the past, or unix epoch. Even in the
 situation where the "valid from" is _after_ the expire_at, the expire_at will be respected.
 
-```
+```bash
 kanidm person validity expire_at demo_user 1970-01-01T00:00:00+00:00 --name idm_admin
 ```
 
@@ -317,7 +337,7 @@ By default, Kanidm allows an account to change some attributes, but not their ma
 Adding the user to the `idm_people_self_write_mail` group, as shown below, allows the user to edit
 their own mail.
 
-```
+```bash
 kanidm group add_members idm_people_self_write_mail_priv demo_user --name idm_admin
 ```
 

kanidm_book/src/choosing_a_domain_name.md

@@ -4,9 +4,15 @@ Through out this book, Kanidm will make reference to a "domain name". This is yo
 name that you intend to use for Kanidm. Choosing this domain name however is not simple as there are
 a number of considerations you need to be careful of.
 
-{{#template templates/kani-warning.md imagepath=images/ title=Take note! text=Incorrect choice of
+<!-- deno-fmt-ignore-start -->
-the domain name may have security impacts on your Kanidm instance, not limited to credential
+
-phishing, theft, session leaks and more. It is critical you follow the advice in this chapter. }}
+{{#template templates/kani-warning.md
+imagepath=images/
+title=Take note!
+text=Incorrect choice of the domain name may have security impacts on your Kanidm instance, not limited to credential phishing, theft, session leaks and more. It is critical you follow the advice in this chapter.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 ## Considerations
 
@@ -45,7 +51,7 @@ some phishing scenarioes.
 Consider we own `kanidm.com`. If we were to run geographical instances, and have testing
 environments the following domain and hostnames could be used.
 
-_production_
+#### Production Domain Name
 
 - origin: `https://idm.kanidm.com`
 - domain name: `idm.kanidm.com`
@@ -56,7 +62,7 @@ still works with webauthn and cookies which are transferable between instances.
 
 It is critical no other hosts are registered under this domain name.
 
-_testing_
+#### Testing Domain Name
 
 - origin: `https://idm.dev.kanidm.com`
 - domain name: `idm.dev.kanidm.com`
@@ -77,12 +83,12 @@ access the cookies issued by `kanidm.com`, effectively leaking them to all other
 
 Second instance overlap:
 
-_production_
+#### Production
 
 - origin: `https://idm.kanidm.com`
 - domain name: `idm.kanidm.com`
 
-_testing_
+#### Testing
 
 - origin: `https://dev.idm.kanidm.com`
 - domain name: `dev.idm.kanidm.com`

kanidm_book/src/developers/designs/rest_interface.md

@@ -1,11 +1,17 @@
 # REST Interface
 
-{{#template\
+<!-- deno-fmt-ignore-start -->
-../../templates/kani-warning.md imagepath=../../images/ title=Note! text=Here begins some early
-notes on the REST interface - much better ones are in the repository's designs directory. }}
 
-There's an endpoint at `/<api_version>/routemap` (for example, https://localhost/v1/routemap) which
+{{#template ../../templates/kani-warning.md
-is based on the API routes as they get instantiated.
+imagepath=../../images/
+title=Note!
+text=Here begins some early notes on the REST interface - much better ones are in the repository's designs directory.
+}}
+
+<!-- deno-fmt-ignore-end -->
+
+There's an endpoint at `/<api_version>/routemap` (for example, `https://localhost/v1/routemap`)
+which is based on the API routes as they get instantiated.
 
 It's _very, very, very_ early work, and should not be considered stable at all.
 

kanidm_book/src/installing_client_tools.md

@@ -62,9 +62,15 @@ brew install kanidm
 
 ### Fedora / Centos Stream
 
-{{#template templates/kani-warning.md imagepath=images title=Take Note! text=Kanidm frequently uses
+<!-- deno-fmt-ignore-start -->
-new Rust versions and features, however Fedora and Centos frequently are behind in Rust releases. As
+
-a result, they may not always have the latest Kanidm versions available. }}
+{{#template templates/kani-warning.md
+imagepath=images
+title=Take Note!
+text=Kanidm frequently uses new Rust versions and features, however Fedora and Centos frequently are behind in Rust releases. As a result, they may not always have the latest Kanidm versions available.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 Fedora has limited support through the development repository. You need to add the repository
 metadata into the correct directory:

kanidm_book/src/integrations/ldap.md

@@ -6,10 +6,15 @@ authentication for many years, with almost every application in the world being
 bind to LDAP. As many organisations still rely on LDAP, Kanidm can host a read-only LDAP interface
 for these legacy applications.
 
-{{#template\
+<!-- deno-fmt-ignore-start -->
-../templates/kani-warning.md imagepath=../images title=Warning! text=The LDAP server in Kanidm is
+
-not a fully RFC-compliant LDAP server. This is intentional, as Kanidm wants to cover the common use
+{{#template ../templates/kani-warning.md
-cases - simple bind and search. }}
+imagepath=../images
+title=Warning!
+text=The LDAP server in Kanidm is not a fully RFC-compliant LDAP server. This is intentional, as Kanidm wants to cover the common use cases - simple bind and search.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 ## What is LDAP
 
@@ -187,7 +192,7 @@ ldapsearch -H ldap://127.0.0.1:3389 -b 'dc=example,dc=com' -x '(name=test1)'
 
 All give the same error:
 
-```
+```bash
 ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
 ```
 

kanidm_book/src/integrations/oauth2.md

@@ -129,10 +129,15 @@ kanidm system oauth2 update_scope_map <name> <kanidm_group_name> [scopes]...
 kanidm system oauth2 update_scope_map nextcloud nextcloud_admins admin
 ```
 
-{{#template ../templates/kani-warning.md imagepath=../images title=WARNING text=If you are creating
+<!-- deno-fmt-ignore-start -->
-an OpenID Connect (OIDC) resource server you
+
-<b>MUST</b> provide a scope map named <code>openid</code>. Without this, OpenID clients <b>WILL NOT
+{{#template ../templates/kani-warning.md
-WORK</b> }}
+imagepath=../images
+title=WARNING
+text=If you are creating an OpenID Connect (OIDC) resource server you <b>MUST</b> provide a scope map named <code>openid</code>. Without this, OpenID clients <b>WILL NOT WORK</b>!
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 > **HINT** OpenID connect allows a number of scopes that affect the content of the resulting
 > authorisation token. If one of the following scopes are requested by the OpenID client, then the
@@ -194,9 +199,14 @@ Not all resource servers support modern standards like PKCE or ECDSA. In these s
 necessary to disable these on a per-resource server basis. Disabling these on one resource server
 will not affect others.
 
-{{#template ../templates/kani-warning.md imagepath=../images title=WARNING text=Changing these
+<!-- deno-fmt-ignore-start -->
-settings MAY have serious consequences on the security of your resource server. You should avoid
+
-changing these if at all possible! }}
+{{#template ../templates/kani-warning.md
+imagepath=../images
+title=WARNING text=Changing these settings MAY have serious consequences on the security of your resource server. You should avoid changing these if at all possible!
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 To disable PKCE for a resource server:
 
@@ -217,7 +227,7 @@ kanidm system oauth2 warning_enable_legacy_crypto <resource server name>
 Add the following to a `mod_auth_openidc.conf`. It should be included in a `mods_enabled` folder or
 with an appropriate include.
 
-```
+```conf
 OIDCRedirectURI /protected/redirect_uri
 OIDCCryptoPassphrase <random password here>
 OIDCProviderMetadataURL https://kanidm.example.com/oauth2/openid/<resource server name>/.well-known/openid-configuration
@@ -264,7 +274,7 @@ You may optionally choose to add:
 
 If you forget this, you may see the following error in logs:
 
-```
+```bash
 Host 172.24.11.129 was not connected to because it violates local access rules
 ```
 
@@ -292,7 +302,7 @@ Velociraptor supports OIDC. To configure it select "Authenticate with SSO" then
 interactive configuration generator. Alternately, you can set the following keys in
 server.config.yaml:
 
-```
+```yaml
 GUI:
   authenticator:
     type: OIDC
@@ -309,7 +319,7 @@ kanidm system oauth2 warning_insecure_client_disable_pkce <resource server name>
 
 Initial users are mapped via their email in the Velociraptor server.config.yaml config:
 
-```
+```yaml
 GUI:
   initial_users:
   - name: <email address>

kanidm_book/src/intro.md

@@ -10,8 +10,15 @@ The intent of the Kanidm project is to:
 - Make system, network, application and web authentication easy and accessible.
 - Secure and reliable by default, aiming for the highest levels of quality.
 
-{{#template templates/kani-warning.md imagepath=images title=NOTICE text=Kanidm is still a work in
+<!-- deno-fmt-ignore-start -->
-progress. Many features will evolve and change over time which may not be suitable for all users. }}
+
+{{#template templates/kani-warning.md
+imagepath=images
+title=NOTICE
+text=Kanidm is still a work in progress. Many features will evolve and change over time which may not be suitable for all users.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 ## Why do I want Kanidm?
 

kanidm_book/src/prepare_the_server.md

@@ -36,12 +36,12 @@ report issues, we will make every effort to help resolve them.
 
 ## System Requirements
 
-#### CPU
+### CPU
 
 If you are using the x86\_64 cpu-optimised version, you must have a CPU that is from 2013 or newer
 (Haswell, Ryzen). The following instruction flags are used.
 
-```
+```asm
 cmov, cx8, fxsr, mmx, sse, sse2, cx16, sahf, popcnt, sse3, sse4.1, sse4.2, avx, avx2,
 bmi, bmi2, f16c, fma, lzcnt, movbe, xsave
 ```
@@ -54,12 +54,19 @@ In this case, you should use the standard server:latest image.
 In the future we may apply a baseline of flags as a requirement for x86\_64 for the server:latest
 image. These flags will be:
 
-```
+```asm
 cmov, cx8, fxsr, mmx, sse, sse2
 ```
 
-{{#template templates/kani-alert.md imagepath=images title=Tip text=You can check your cpu flags on
+<!-- deno-fmt-ignore-start -->
-Linux with the command `lscpu` }}
+
+{{#template templates/kani-alert.md
+imagepath=images
+title=Tip
+text=You can check your cpu flags on Linux with the command `lscpu`
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 #### Memory
 
@@ -91,7 +98,7 @@ critical element of ensuring a secure system.
 The key.pem should be a single PEM private key, with no encryption. The file content should be
 similar to:
 
-```
+```bash
 -----BEGIN RSA PRIVATE KEY-----
 MII...<base64>
 -----END RSA PRIVATE KEY-----
@@ -101,7 +108,7 @@ The chain.pem is a series of PEM formatted certificates. The leaf certificate, o
 that matches the private key should be the first certificate in the file. This should be followed by
 the series of intermediates, and the final certificate should be the CA root. For example:
 
-```
+```bash
 -----BEGIN CERTIFICATE-----
 <leaf certificate>
 -----END CERTIFICATE-----

kanidm_book/src/recycle_bin.md

@@ -3,10 +3,15 @@
 The recycle bin is a storage of deleted entries from the server. This allows recovery from mistakes
 for a period of time.
 
-{{#template\
+<!-- deno-fmt-ignore-start -->
-templates/kani-warning.md imagepath=images title=Warning! text=The recycle bin is a best effort -
+
-when recovering in some cases not everything can be "put back" the way it was. Be sure to check your
+{{#template templates/kani-warning.md
-entries are valid once they have been revived. }}
+imagepath=images
+title=Warning!
+text=The recycle bin is a best effort - when recovering in some cases not everything can be "put back" the way it was. Be sure to check your entries are valid once they have been revived.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 ## Where is the Recycle Bin?
 
@@ -51,7 +56,7 @@ such as the oauth2 scope map type.
 
 An example of this data loss is the following steps:
 
-```
+```bash
 add user1
 add group1
 add user1 as member of group1
@@ -64,7 +69,7 @@ revive group1
 In this series of steps, due to the way that referential integrity is implemented, the membership of
 user1 in group1 would be lost in this process. To explain why:
 
-```
+```bash
 add user1
 add group1
 add user1 as member of group1 // refint between the two established, and memberof added

kanidm_book/src/server_configuration.md

@@ -1,22 +1,28 @@
-## Configuring the Server
+# Configuring the Server
 
-### Configuring server.toml
+## Configuring server.toml
 
 You need a configuration file in the volume named `server.toml`. (Within the container it should be
 `/data/server.toml`) Its contents should be as follows:
 
-```
+```toml
 {{#rustdoc_include ../../examples/server_container.toml}}
 ```
 
 This example is located in
 [examples/server_container.toml](https://github.com/kanidm/kanidm/blob/master/examples/server_container.toml).
 
-{{#template templates/kani-warning.md imagepath=images title=Warning! text=You MUST set the `domain`
+<!-- deno-fmt-ignore-start -->
-name correctly, aligned with your `origin`, else the server may refuse to start or some features
-(e.g. webauthn, oauth) may not work correctly! }}
 
-### Check the configuration is valid.
+{{#template templates/kani-warning.md
+imagepath=images
+title=Warning!
+text=You MUST set the `domain` name correctly, aligned with your `origin`, else the server may refuse to start or some features (e.g. webauthn, oauth) may not work correctly!
+}}
+
+<!-- deno-fmt-ignore-end -->
+
+## Check the configuration is valid
 
 You should test your configuration is valid before you proceed.
 
@@ -25,7 +31,7 @@ docker run --rm -i -t -v kanidmd:/data \
     kanidm/server:latest /sbin/kanidmd configtest -c /data/server.toml
 ```
 
-### Default Admin Account
+## Default Admin Account
 
 Then you can setup the initial admin account and initialise the database into your volume. This
 command will generate a new random password for the admin account.
@@ -36,7 +42,7 @@ docker run --rm -i -t -v kanidmd:/data \
 # success - recover_account password for user admin: vv...
 ```
 
-### Run the Server
+## Run the Server
 
 Now we can run the server so that it can accept connections. This defaults to using
 `-c /data/server.toml`
@@ -45,7 +51,7 @@ Now we can run the server so that it can accept connections. This defaults to us
 docker run -p 443:8443 -v kanidmd:/data kanidm/server:latest
 ```
 
-### Using the NET\_BIND\_SERVICE capability
+## Using the NET\_BIND\_SERVICE capability
 
 If you plan to run without using docker port mapping or some other reverse proxy, and your
 bindaddress or ldapbindaddress port is less than `1024` you will need the `NET_BIND_SERVICE` in

kanidm_book/src/server_update.md

@@ -1,6 +1,6 @@
-## Updating the Server
+# Updating the Server
 
-### Preserving the Previous Image
+## Preserving the Previous Image
 
 You may wish to preserve the previous image before updating. This is useful if an issue is
 encountered in upgrades.
@@ -10,7 +10,7 @@ docker tag kanidm/server:latest kanidm/server:<DATE>
 docker tag kanidm/server:latest kanidm/server:2022-10-24
 ```
 
-### Update your Image
+## Update your Image
 
 Pull the latest version of Kanidm that matches your CPU profile
 
@@ -19,15 +19,21 @@ docker pull kanidm/server:latest
 docker pull kanidm/server:x86_64_latest
 ```
 
-### Perform a backup
+## Perform a backup
 
 See [backup and restore](backup_restore.md)
 
-### Update your Instance
+## Update your Instance
 
-{{#template templates/kani-warning.md imagepath=images title=WARNING text=It is not always
+<!-- deno-fmt-ignore-start -->
-guaranteed that downgrades are possible. It is critical you know how to backup and restore before
+
-you proceed with this step. }}
+{{#template templates/kani-warning.md
+imagepath=images
+title=WARNING
+text=It is not always guaranteed that downgrades are possible. It is critical you know how to backup and restore before you proceed with this step.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 Docker updates by deleting and recreating the instance. All that needs to be preserved in your
 storage volume.

kanidm_book/src/sync/concepts.md

@@ -53,10 +53,15 @@ kanidm system sync generate-token ipasync mylabel
 token: eyJhbGci...
 ```
 
-{{#template\
+<!-- deno-fmt-ignore-start -->
-../templates/kani-warning.md imagepath=../images title=Warning! text=The sync account token has a
+
-high level of privilege, able to create new accounts and groups. It should be treated carefully as a
+{{#template ../templates/kani-warning.md
-result! }}
+imagepath=../images
+title=Warning!
+text=The sync account token has a high level of privilege, able to create new accounts and groups. It should be treated carefully as a result!
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 If you need to revoke the token, you can do so with:
 
@@ -89,9 +94,15 @@ If you are performing a migration from an external IDM to Kanidm, when that migr
 you can nominate that Kanidm now owns all of the imported data. This is achieved by finalising the
 sync account.
 
-{{#template ../templates/kani-warning.md imagepath=../images title=Warning! text=You can not undo
+<!-- deno-fmt-ignore-start -->
-this operation. Once you have finalised an agreement, Kanidm owns all of the synchronised data, and
+
-you can not resume synchronisation. }}
+{{#template ../templates/kani-warning.md
+imagepath=../images
+title=Warning!
+text=You can not undo this operation. Once you have finalised an agreement, Kanidm owns all of the synchronised data, and you can not resume synchronisation.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 ```bash
 kanidm system sync finalise <sync account name>
@@ -106,9 +117,15 @@ Once finalised, imported accounts can now be fully managed by Kanidm.
 If you decide to cease importing accounts or need to remove all imported accounts from a sync
 account, you can choose to terminate the agreement removing all data that was imported.
 
-{{#template ../templates/kani-warning.md imagepath=../images title=Warning! text=You can not undo
+<!-- deno-fmt-ignore-start -->
-this operation. Once you have terminated an agreement, Kanidm deletes all of the synchronised data,
+
-and you can not resume synchronisation. }}
+{{#template ../templates/kani-warning.md
+imagepath=../images
+title=Warning!
+text=You can not undo this operation. Once you have terminated an agreement, Kanidm deletes all of the synchronised data, and you can not resume synchronisation.
+}}
+
+<!-- deno-fmt-ignore-end -->
 
 ```bash
 kanidm system sync terminate <sync account name>