mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-05-11 20:36:03 +02:00
b4d60ae2f6
The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.
48 lines
1.6 KiB
YAML
48 lines
1.6 KiB
YAML
---
|
|
|
|
# deploy tag 'sudo' when this changes
|
|
sudo_users:
|
|
- root
|
|
- foutrelis
|
|
- freswa
|
|
- grazzolini
|
|
- heftig
|
|
- jelle
|
|
- svenstaro
|
|
- anthraxx
|
|
- klausenbusk
|
|
|
|
# deploy tag 'root_ssh' when this changes
|
|
root_ssh_keys:
|
|
- key: foutrelis.pub
|
|
- key: freswa.pub
|
|
- key: grazzolini.pub
|
|
- key: heftig.pub
|
|
- key: jelle.pub
|
|
- key: svenstaro.pub
|
|
- key: anthraxx.pub
|
|
- key: klausenbusk.pub
|
|
additional_keys: [klausenbusk_2.pub]
|
|
|
|
# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
|
|
# changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
|
|
# - before committing the re-encrypted password file, test if both vaults are
|
|
# working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
|
|
# NOTE: adding a key to this list gives access to both default and super vaults
|
|
vault_super_pgpkeys: &vault_super_pgpkeys
|
|
- 86CFFCA918CF3AF47147588051E8B148A9999C34 # foutrelis
|
|
- 05C7775A9E8B977407FE08E69D4C5AA15426DA0A # freswa
|
|
- ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB # grazzolini
|
|
- A2FF3A36AAA56654109064AB19802F8B0D70FC30 # heftig
|
|
- E499C79F53C96A54E572FEE1C06086337C50773E # jelle
|
|
- 8FC15A064950A99DD1BD14DD39E4B877E62EB915 # svenstaro
|
|
- E240B57E2C4630BA768E2F26FC1B547C8D8172C8 # anthraxx
|
|
- DB650286BD9EAE39890D3FE6FE3DC1668CB24956 # klausenbusk
|
|
|
|
# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
|
|
# - before running it, make sure to 'gpg --lsign-key' all keys listed below
|
|
# - before committing the re-encrypted password file, test that the vault
|
|
# is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
|
|
vault_default_pgpkeys:
|
|
- *vault_super_pgpkeys
|