infrastructure/group_vars/all/root_access.yml

# deploy tag 'sudo' when this changes
sudo_users:
  - root
  - foutrelis
  - freswa
  - grazzolini
  - heftig
  - jelle
  - svenstaro
  - anthraxx
  - klausenbusk
  - artafinde

# deploy tag 'root_ssh' when this changes
root_ssh_keys:
  - key: foutrelis.pub
  - key: freswa.pub
  - key: grazzolini.pub
  - key: heftig_nitrokey.pub
  - key: jelle.pub
  - key: svenstaro.pub
  - key: anthraxx.pub
  - key: klausenbusk.pub
  - key: artafinde.pub
  - key: gromit.pub
    hosts:
      - bugs.archlinux.org
      - wiki.archlinux.org
      - man.archlinux.org
      - gitlab.archlinux.org

# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
#   changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
# - before committing the re-encrypted password file, test if both vaults are
#   working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
# NOTE: adding a key to this list gives access to both default and super vaults
vault_super_pgpkeys: &vault_super_pgpkeys
  - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
  - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
  - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB  # grazzolini
  - 83BC8889351B5DEBBB68416EB8AC08600F108CDF  # heftig
  - E499C79F53C96A54E572FEE1C06086337C50773E  # jelle
  - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
  - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx
  - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk
  - B4B759625D4633430B74877059E43E106B247368  # artafinde

# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
# - before running it, make sure to 'gpg --lsign-key' all keys listed below
# - before committing the re-encrypted password file, test that the vault
#   is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
vault_default_pgpkeys:
  - *vault_super_pgpkeys
  - F00B96D15228013FFC9C9D0393B11DAA4C197E3D  # gromit
Document what to run when root_access variables are changed Signed-off-by: Florian Pritz <bluewind@xinu.at> 2019-02-10 15:27:46 +01:00			`# deploy tag 'sudo' when this changes`
Move sudo_users to root_pubkeys.yml This ensures that all info regarding "who has root" is in one place. Signed-off-by: Florian Pritz <bluewind@xinu.at> 2019-02-10 15:06:33 +01:00			`sudo_users:`
Retire seblu and pierre 2019-10-10 23:48:50 +02:00			`- root`
Move sudo_users to root_pubkeys.yml This ensures that all info regarding "who has root" is in one place. Signed-off-by: Florian Pritz <bluewind@xinu.at> 2019-02-10 15:06:33 +01:00			`- foutrelis`
Give freswa full DevOps access 2020-11-15 15:22:15 +01:00			`- freswa`
root_access: For some reason, after all this time, still did not had sudo access. 2019-04-14 23:11:27 +02:00			`- grazzolini`
Move sudo_users to root_pubkeys.yml This ensures that all info regarding "who has root" is in one place. Signed-off-by: Florian Pritz <bluewind@xinu.at> 2019-02-10 15:06:33 +01:00			`- heftig`
Retire seblu and pierre 2019-10-10 23:48:50 +02:00			`- jelle`
Move sudo_users to root_pubkeys.yml This ensures that all info regarding "who has root" is in one place. Signed-off-by: Florian Pritz <bluewind@xinu.at> 2019-02-10 15:06:33 +01:00			`- svenstaro`
root_access: Add anthraxx to the root access file. 2019-09-12 22:41:14 +02:00			`- anthraxx`
Give Kristian full DevOps access 2021-06-02 16:17:31 +02:00			`- klausenbusk`
Give Leonidas full DevOps access 2023-01-30 07:03:04 +01:00			`- artafinde`
Move sudo_users to root_pubkeys.yml This ensures that all info regarding "who has root" is in one place. Signed-off-by: Florian Pritz <bluewind@xinu.at> 2019-02-10 15:06:33 +01:00
Document what to run when root_access variables are changed Signed-off-by: Florian Pritz <bluewind@xinu.at> 2019-02-10 15:27:46 +01:00			`# deploy tag 'root_ssh' when this changes`
Put root ssh keys into group variables 2016-05-27 22:46:00 +02:00			`root_ssh_keys:`
root_ssh: Support giving root access to only some hosts 2021-04-01 18:12:56 +02:00			`- key: foutrelis.pub`
			`- key: freswa.pub`
			`- key: grazzolini.pub`
Fix filename for heftig's new key in root_access The new key is under pubkeys/heftig_nitrokey.pub, and pubkeys/heftig.pub was renamed to pubkeys/heftig_yubikey.pub. Update root_ssh_keys to refer to "heftig_nitrokey.pub" as "heftig.pub" does not exist anymore. Fixes: 13a4bddf0d45 ("pubkeys/heftig: Add my new Nitrokey, reorganize") 2023-12-28 00:11:40 +01:00			`- key: heftig_nitrokey.pub`
root_ssh: Support giving root access to only some hosts 2021-04-01 18:12:56 +02:00			`- key: jelle.pub`
			`- key: svenstaro.pub`
			`- key: anthraxx.pub`
Give klausenbusk root access to {bugs,monitoring}.al.org klausenbusk is our new newest Junior DevOp and he needs some access: * bugs.al.org for helping with migrating Flyspray tasks to GitLab * monitoring.al.org for setting up centralized logging 2021-04-01 18:15:03 +02:00			`- key: klausenbusk.pub`
Onboard artafinde as Junior DevOps artafinde is our new newest Junior DevOp[1] and will get access to: * monitoring.al.org: for setting up gitlab-exporter[1] * gitlab.al.org: for setting up gitlab-exporter[1] * dashboards.al.org: in case he wants to do more monitoring related stuff [1] https://lists.archlinux.org/pipermail/arch-devops/2022-May/000558.html [2] https://gitlab.archlinux.org/artafinde/gitlab-exporter/ Fix #452 2022-05-06 19:55:47 +02:00			`- key: artafinde.pub`
Onboard gromit as Junior DevOps gromit is our newest Junior DevOps[1] and will get access to: * bugs.archlinux.org: for helping with the bug migration * wiki.archlinux.org: for helping with (archwiki) maintenance [1] https://lists.archlinux.org/archives/list/arch-devops@lists.archlinux.org/message/2LAOGIVY33MZLBZCDSQHDQVQNEULLUTW/ Fix #543 2023-10-20 23:37:44 +02:00			`- key: gromit.pub`
			`hosts:`
			`- bugs.archlinux.org`
			`- wiki.archlinux.org`
Give gromit access to the archmanweb server In the context of the bugmigration the navbar of this service has to be redeployed for which I request access to this service. related to: https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/776 Signed-off-by: Christian Heusel <christian@heusel.eu> 2023-11-28 14:21:32 +01:00			`- man.archlinux.org`
Give gromit access to gitlab.archlinux.org So he can help updating gitlab. 2023-12-13 23:18:27 +01:00			`- gitlab.archlinux.org`
playbooks/fetch-borg-keys.yml: Encrypt keys with GPG Signed-off-by: Florian Pritz <bluewind@xinu.at> 2018-01-10 21:02:25 +01:00
Move highly sensitive secrets to new "super" vault The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's. 2022-05-01 14:26:32 +02:00			`# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this`
			`# changes; before doing so, make sure to 'gpg --lsign-key' all listed keys`
			`# - before committing the re-encrypted password file, test if both vaults are`
			# working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
			`# NOTE: adding a key to this list gives access to both default and super vaults`
			`vault_super_pgpkeys: &vault_super_pgpkeys`
Make ansible-lint happy yaml: truthy value should be one of [false, true] (truthy) yaml: wrong indentation: expected 4 but found 2 (indentation) yaml: too few spaces before comment (comments) yaml: missing starting space in comment (comments) yaml: too many blank lines (1 > 0) (empty-lines) yaml: too many spaces after colon (colons) yaml: comment not indented like content (comments-indentation) yaml: no new line character at the end of file (new-line-at-end-of-file) load-failure: Failed to load or parse file parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path. 2021-02-14 14:05:32 +01:00			`- 86CFFCA918CF3AF47147588051E8B148A9999C34 # foutrelis`
			`- 05C7775A9E8B977407FE08E69D4C5AA15426DA0A # freswa`
			`- ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB # grazzolini`
Re-encrypt vault passwords with heftig's new key Follow-up to merge request archlinux/infrastructure!786. New key is already trusted by four master keys in archlinux-keyring 20231222-1. https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/254 2023-12-27 23:56:32 +01:00			`- 83BC8889351B5DEBBB68416EB8AC08600F108CDF # heftig`
Make ansible-lint happy yaml: truthy value should be one of [false, true] (truthy) yaml: wrong indentation: expected 4 but found 2 (indentation) yaml: too few spaces before comment (comments) yaml: missing starting space in comment (comments) yaml: too many blank lines (1 > 0) (empty-lines) yaml: too many spaces after colon (colons) yaml: comment not indented like content (comments-indentation) yaml: no new line character at the end of file (new-line-at-end-of-file) load-failure: Failed to load or parse file parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path. 2021-02-14 14:05:32 +01:00			`- E499C79F53C96A54E572FEE1C06086337C50773E # jelle`
			`- 8FC15A064950A99DD1BD14DD39E4B877E62EB915 # svenstaro`
			`- E240B57E2C4630BA768E2F26FC1B547C8D8172C8 # anthraxx`
Give Kristian full DevOps access 2021-06-02 16:17:31 +02:00			`- DB650286BD9EAE39890D3FE6FE3DC1668CB24956 # klausenbusk`
Give Leonidas full DevOps access 2023-01-30 07:03:04 +01:00			`- B4B759625D4633430B74877059E43E106B247368 # artafinde`
Move highly sensitive secrets to new "super" vault The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's. 2022-05-01 14:26:32 +02:00
			`# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes`
			`# - before running it, make sure to 'gpg --lsign-key' all keys listed below`
			`# - before committing the re-encrypted password file, test that the vault`
			# is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
			`vault_default_pgpkeys:`
			`- *vault_super_pgpkeys`
Onboard gromit as Junior DevOps gromit is our newest Junior DevOps[1] and will get access to: * bugs.archlinux.org: for helping with the bug migration * wiki.archlinux.org: for helping with (archwiki) maintenance [1] https://lists.archlinux.org/archives/list/arch-devops@lists.archlinux.org/message/2LAOGIVY33MZLBZCDSQHDQVQNEULLUTW/ Fix #543 2023-10-20 23:37:44 +02:00			`- F00B96D15228013FFC9C9D0393B11DAA4C197E3D # gromit`