infrastructure/group_vars/all/root_access.yml

# deploy tag 'sudo' when this changes
sudo_users:
  - root
  - foutrelis
  - freswa
  - jelle
  - svenstaro
  - anthraxx
  - klausenbusk
  - artafinde
  - gromit

# deploy tag 'root_ssh' when this changes
root_ssh_keys:
  - key: foutrelis.pub
  - key: freswa.pub
  - key: heftig_nitrokey.pub
    hosts:
      - matrix.archlinux.org
  - key: jelle.pub
  - key: svenstaro.pub
  - key: anthraxx.pub
  - key: klausenbusk.pub
  - key: artafinde.pub
  - key: gromit.pub

# run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
# changes; before doing so, make sure to 'gpg --lsign-key' all keys from both
# sets (or if you use TOFU, `gpg --tofu-policy good`) before committing the
# re-encrypted password file, then test that both vaults are working using
# `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
# NOTE: adding a key to this list gives access to both default and super vaults
vault_super_pgpkeys: &vault_super_pgpkeys
  - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
  - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
  - E499C79F53C96A54E572FEE1C06086337C50773E  # jelle
  - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
  - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx
  - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk
  - 2191B89431BAC0A8B96DE93D244740D17C7FD0EC  # artafinde
  - F00B96D15228013FFC9C9D0393B11DAA4C197E3D  # gromit

# run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes;
# before doing so, make sure to 'gpg --lsign-key' all keys below (or if you use
# TOFU, `gpg --tofu-policy good`) before committing the re-encrypted password
# file, then test that the vault is working by running `ansible-vault view
# misc/vaults/vault_hcloud.yml`
vault_default_pgpkeys:
  - *vault_super_pgpkeys
  - 83BC8889351B5DEBBB68416EB8AC08600F108CDF  # heftig