tf-stage2: use 1h timeout for keycloak pw resets

Recently somebody complained that the email only reached them after the password reset link had already become invalid, which is definitely something that can happen with the previously set 5min timeout. 5 minutes timeout are too short aswell for any complex email analysis setup or greylisting, and we therefore bump this value to one hour, which is still short enough from a security perspective but gives our users a bit more time to act on the reset. Signed-off-by: Christian Heusel <christian@heusel.eu>

tf-stage2: use 1h timeout for keycloak pw resets
388f7b7e · Christian Heusel · 8df0f2f0 · 388f7b7e
Verified Commit 388f7b7e authored 3 months ago by Christian Heusel
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -94,6 +94,9 @@ resource "keycloak_realm" "archlinux" {
  registration_flow      = "Arch Registration"
  reset_credentials_flow = "Arch Reset Credentials"

+  // set one hour validity for password reset mails etc
+  action_token_generated_by_user_lifespan = "60m0s"
+
  smtp_server {
    host              = "mail.archlinux.org"
    from              = "accounts@archlinux.org"