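# Account names in the sudo_users list. What membership grants is decided by
# whatever consumes this variable (presumably the tasks behind the 'sudo' tag;
# verify there).
# NOTE(review): an edit here, including removing a user, only reaches the
# hosts once the tag below has been deployed.
# deploy tag 'sudo' when this changes
sudo_users:
  - root
  - foutrelis
  - freswa
  - heftig
  - jelle
  - svenstaro
  - anthraxx
  - klausenbusk
  - artafinde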
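# Public-key files for root SSH access. Each entry is a mapping with a `key`
# file name and, optionally, a `hosts` list.
# NOTE(review): `hosts` presumably limits that key to the listed machines and
# entries without it presumably apply to every host; confirm in the role that
# consumes root_ssh_keys before relying on it as an access boundary.
# NOTE(review): removing an entry revokes nothing until the tag below has been
# deployed to the affected hosts.
# deploy tag 'root_ssh' when this changes
root_ssh_keys:
  - key: foutrelis.pub
  - key: freswa.pub
  - key: heftig_nitrokey.pub
  - key: jelle.pub
  - key: svenstaro.pub
  - key: anthraxx.pub
  - key: klausenbusk.pub
  - key: artafinde.pub
  - key: gromit.pub
    hosts:
      - wiki.archlinux.org
      - man.archlinux.org
      - gitlab.archlinux.org
      - build.archlinux.org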
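# OpenPGP fingerprints of the super-vault key holders; the trailing comment on
# each line names the owner. Fingerprints are quoted so that one made up only
# of digits can never be read as a number.
# Local signing (or a TOFU 'good' policy) marks the key in your keyring as
# trusted, so compare each fingerprint with its owner over a trusted channel
# before doing it.
# run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
# changes; before doing so, make sure to 'gpg --lsign-key' all keys from both
# sets (or if you use TOFU, `gpg --tofu-policy good`) before committing the
# re-encrypted password file, then test that both vaults are working using
# `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
# NOTE: adding a key to this list gives access to both default and super vaults
vault_super_pgpkeys: &vault_super_pgpkeys
  - '86CFFCA918CF3AF47147588051E8B148A9999C34'  # foutrelis
  - '05C7775A9E8B977407FE08E69D4C5AA15426DA0A'  # freswa
  - '83BC8889351B5DEBBB68416EB8AC08600F108CDF'  # heftig
  - 'E499C79F53C96A54E572FEE1C06086337C50773E'  # jelle
  - '8FC15A064950A99DD1BD14DD39E4B877E62EB915'  # svenstaro
  - 'E240B57E2C4630BA768E2F26FC1B547C8D8172C8'  # anthraxx
  - 'DB650286BD9EAE39890D3FE6FE3DC1668CB24956'  # klausenbusk
  - 'B4B759625D4633430B74877059E43E106B247368'  # artafinde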
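# OpenPGP fingerprints allowed to decrypt the default vault: every super-vault
# key (through the alias) plus the keys listed here.
# The alias is a list *item*, so this parses as a nested list
# ([[super keys...], 'F00B...']), not a flat one.
# NOTE(review): the consumer presumably flattens it; verify, because an
# unflattened list would hand the re-encryption step a list where it expects
# a fingerprint.
# run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes;
# before doing so, make sure to 'gpg --lsign-key' all keys below (or if you use
# TOFU, `gpg --tofu-policy good`) before committing the re-encrypted password
# file, then test that the vault is working by running `ansible-vault view
# misc/vaults/vault_hcloud.yml`
vault_default_pgpkeys:
  - *vault_super_pgpkeys
  - 'F00B96D15228013FFC9C9D0393B11DAA4C197E3D'  # gromit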