infrastructure/group_vars/all/root_access.yml

---

# deploy tag 'sudo' when this changes
sudo_users:
  - root
  - foutrelis
  - freswa
  - grazzolini
  - heftig
  - jelle
  - svenstaro
  - anthraxx
  - klausenbusk

# deploy tag 'root_ssh' when this changes
root_ssh_keys:
  - key: foutrelis.pub
  - key: freswa.pub
  - key: grazzolini.pub
  - key: heftig.pub
  - key: jelle.pub
  - key: svenstaro.pub
  - key: anthraxx.pub
  - key: klausenbusk.pub
    additional_keys: [klausenbusk_2.pub]

# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
#   changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
# - before committing the re-encrypted password file, test if both vaults are
#   working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
# NOTE: adding a key to this list gives access to both default and super vaults
vault_super_pgpkeys: &vault_super_pgpkeys
  - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
  - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
  - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB  # grazzolini
  - A2FF3A36AAA56654109064AB19802F8B0D70FC30  # heftig
  - E499C79F53C96A54E572FEE1C06086337C50773E  # jelle
  - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
  - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx
  - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk

# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
# - before running it, make sure to 'gpg --lsign-key' all keys listed below
# - before committing the re-encrypted password file, test that the vault
#   is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
vault_default_pgpkeys:
  - *vault_super_pgpkeys