-
Kristian Klausen authoredheftig has agreed to have his access reduced, as a way to reduce the number of people with access to the "super" vault. With this change the matrix vault is moved from the "super" vault to the "default" vault as that is needed for maintaining the matrix server. Fix #567
Kristian Klausen authoredheftig has agreed to have his access reduced, as a way to reduce the number of people with access to the "super" vault. With this change the matrix vault is moved from the "super" vault to the "default" vault as that is needed for maintaining the matrix server. Fix #567
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
root_access.yml 1.81 KiB
# deploy tag 'sudo' when this changes
sudo_users:
- root
- foutrelis
- freswa
- jelle
- svenstaro
- anthraxx
- klausenbusk
- artafinde
- gromit
# deploy tag 'root_ssh' when this changes
root_ssh_keys:
- key: foutrelis.pub
- key: freswa.pub
- key: heftig_nitrokey.pub
hosts:
- matrix.archlinux.org
- key: jelle.pub
- key: svenstaro.pub
- key: anthraxx.pub
- key: klausenbusk.pub
- key: artafinde.pub
- key: gromit.pub
# run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
# changes; before doing so, make sure to 'gpg --lsign-key' all keys from both
# sets (or if you use TOFU, `gpg --tofu-policy good`) before committing the
# re-encrypted password file, then test that both vaults are working using
# `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
# NOTE: adding a key to this list gives access to both default and super vaults
vault_super_pgpkeys: &vault_super_pgpkeys
- 86CFFCA918CF3AF47147588051E8B148A9999C34 # foutrelis
- 05C7775A9E8B977407FE08E69D4C5AA15426DA0A # freswa
- E499C79F53C96A54E572FEE1C06086337C50773E # jelle
- 8FC15A064950A99DD1BD14DD39E4B877E62EB915 # svenstaro
- E240B57E2C4630BA768E2F26FC1B547C8D8172C8 # anthraxx
- DB650286BD9EAE39890D3FE6FE3DC1668CB24956 # klausenbusk
- 2191B89431BAC0A8B96DE93D244740D17C7FD0EC # artafinde
- F00B96D15228013FFC9C9D0393B11DAA4C197E3D # gromit
# run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes;
# before doing so, make sure to 'gpg --lsign-key' all keys below (or if you use
# TOFU, `gpg --tofu-policy good`) before committing the re-encrypted password
# file, then test that the vault is working by running `ansible-vault view
# misc/vaults/vault_hcloud.yml`
vault_default_pgpkeys:
- *vault_super_pgpkeys
- 83BC8889351B5DEBBB68416EB8AC08600F108CDF # heftig