The mailing list password can be found in [`misc/additional-credentials.vault`](misc/additional-credentials.vault).
The mailing list password can be found in [`misc/vaults/additional-credentials.vault`](misc/vaults/additional-credentials.vault).
-[ ] Add new user email as per [`docs/email.md`](docs/email.md).
-[ ] Create a new user in [archweb](https://www.archlinux.org/devel/newuser/). Select the appropriate group membership and allowed repos (if applicable).
@@ -20,7 +20,7 @@ run the provisioning script: `ansible-playbook playbooks/tasks/install-arch.yml
The provisioning script configures a sane basic systemd with sshd. By design, it is NOT idempotent.
After the provisioning script has run, it is safe to reboot.
Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
This playbook is the one regularity used for administrating the server and is entirely idempotent.
When adding a new machine you should also deploy our SSH known_hosts file and update the SSH hostkeys file in this git repo.
...
...
@@ -29,9 +29,16 @@ It will also deploy any new SSH host keys to all our machines.
#### Note about GPG keys
The `root_access.yml` file contains the `root_gpgkeys` variable that determine the users that have access to the vault, as well as the borg backup keys.
All the keys should be on the local user gpg keyring and at **minimum** be locally signed with `--lsign-key`. This is necessary for running either the reencrypt-vault-key
or the fetch-borg-keys tasks.
The `root_access.yml` file contains the `vault_default_pgpkeys` variable which
determines the users that have access to the `default` vault, as well as the
borg backup keys. A separate `super` vault exists for storing highly sensitive
secrets like Hetzner credentials; access to the `super` vault is controlled by
the `vault_super_pgpkeys` variable.
All the keys should be on the local user gpg keyring and at **minimum** be
locally signed with `--lsign-key`. This is necessary for running any of the