Verified commit adb7be52, authored by Kristian Klausen

Document onboarding of support staff

We have offered an arch mail address for support staff for over a
year[1][2], and the only difference is that support staff must only be
granted SSH access to mail.archlinux.org. SSH access to
homedir.archlinux.org is also allowed, but it is opt-in[3].

[1] 7287d6d3 ("archroles: Add support-staff group")
[2] 50c3e0f9 ("archusers: Support restricting users to specific hosts")
[3] e0e52552 ("Allow Alad access to homedir.archlinux.org")

Fix #372
parent c940cf5e
Branches keycloak-password-reset-time
1 merge request: !627 Cleanup onboarding and offboarding template
......@@ -14,6 +14,9 @@ This template should be used for offboarding Arch Linux team members.
## All roles checklist
- [ ] Remove user email by reverting instructions from `docs/email.md`.
- [ ] Remove entry in `group_vars/all/archusers.yml`.
- [ ] Remove SSH pubkey from `pubkeys/<username>.pub`.
- [ ] Run `ansible-playbook -t archusers $(git grep -l archusers playbooks/ | grep -v phrik)`.
- [ ] Setup forwarding if requested (please add the current date as a comment above the mail address in Postfix's `users` file).
- [ ] Inform the user of the conditions for forwarding.
- In most cases we only offer forwarding for 6 months.
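Review bot: The access-removal items in the all-roles list (`Remove entry in group_vars/all/archusers.yml`, the pubkey removal and the `ansible-playbook -t archusers` run) end without any check that access is actually gone. Suggest adding an item to confirm the account and key no longer exist on `mail.archlinux.org`, and on `homedir.archlinux.org` for support staff who opted in, since the onboarding template now allows that host.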
......@@ -24,13 +27,10 @@ This template should be used for offboarding Arch Linux team members.
- [ ] Moderate email address on [arch-dev-public](https://lists.archlinux.org/mailman3/lists/arch-dev-public.lists.archlinux.org/members/member/) (find member and moderate)
- [ ] Ask the user to leave `#archlinux-staff` on Libera Chat and forget the password
- [ ] Remove staff cloak on Libera Chat ([Group contacts](https://wiki.archlinux.org/title/Arch_IRC_channels#Libera_Chat_group_contacts))
- [ ] Remove the user from relevant staff groups on Keycloak.
## TU/Developer offboarding checklist
- [ ] Remove entry in `group_vars/all/archusers.yml`.
- [ ] Remove SSH pubkey from `pubkeys/<username>.pub`.
- [ ] Run `ansible-playbook -t archusers $(git grep -l archusers playbooks/ | grep -v phrik)`.
- [ ] Remove the user from the `Trusted Users`/`Developers` groups on Keycloak.
- [ ] Remove member from [arch-tu](https://lists.archlinux.org/mailman3/lists/arch-tu.lists.archlinux.org/members/member/) and/or [arch-dev](https://lists.archlinux.org/mailman3/lists/arch-dev.lists.archlinux.org/members/member/) mailing lists
- [ ] Create [issue in archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new) (choose *"Remove Packager Key"* and/or *"Remove Main Key"* template)
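Review bot: `Remove the user from relevant staff groups on Keycloak.` in the all-roles list names no groups, while the per-role items shown in this diff name them (`Trusted Users`/`Developers` here, `DevOps` and `Wiki Admins` in the next hunk). If the generic item is meant to replace those, as the hunk line counts suggest, an offboarder can easily leave a membership behind; suggest listing the group names in the item or wording it as removing the user from all staff groups and confirming none remain.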
......@@ -39,11 +39,9 @@ This template should be used for offboarding Arch Linux team members.
- [ ] Remove entries in `group_vars/all/root_access.yml`.
- [ ] Run `ansible-playbook -t root_ssh playbooks/all-hosts-basic.yml`.
- [ ] Run `ansible-playbook playbooks/hetzner_storagebox.yml playbooks/rsync.net.yml`.
- [ ] Remove the user from the `DevOps` group on Keycloak.
- [ ] Remove member from [arch-devops-private mailing lists](https://lists.archlinux.org/mailman3/lists/arch-devops-private.lists.archlinux.org/members/member/)
- [ ] Remove pubkey from [Hetzner's key management](https://robot.your-server.de/key/index)
## Wiki Administrator checklist
- [ ] Remove the user from the `Wiki Admins` group on Keycloak.
- [ ] Remove member from [arch-wiki-admins mailing list](https://lists.archlinux.org/mailman3/lists/arch-wiki-admins.lists.archlinux.org/members/member/).
......@@ -31,7 +31,13 @@ https://www.gnupg.org/gph/en/manual/x135.html
## All roles checklist
- [ ] Add new user email as per [`docs/email.md`](docs/email.md).
- [ ] Add user mail if TU or developer, or support staff and **communication e-mail address** is arch.
- [ ] Add new user email as per [`docs/email.md`](docs/email.md).
- [ ] Add entry in [`group_vars/all/archusers.yml`](group_vars/all/archusers.yml).
- If support staff `hosts` should be set to `mail.archlinux.org`.
- `homedir.archlinux.org` is also allowed for support staff, but it is opt-in.
- [ ] Add SSH pubkey to `pubkeys/<username>.pub`.
- [ ] Run `ansible-playbook -t archusers $(git grep -l archusers playbooks/ | grep -v phrik)`.
- [ ] Create a new user in [archweb](https://www.archlinux.org/devel/newuser/). Select the appropriate group membership and allowed repos (if applicable).
- [ ] Subscribe **communication e-mail address** to internal [staff mailing list](https://lists.archlinux.org/mailman3/lists/staff.lists.archlinux.org/mass_subscribe/).
- [ ] Allow sending from **communication e-mail address** on [arch-dev-public](https://lists.archlinux.org/mailman3/lists/arch-dev-public.lists.archlinux.org/members/member/) (subscribe and/or find address and remove moderation).
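Review bot: The `hosts` restriction for support staff is a plain sub-bullet under `Add entry in group_vars/all/archusers.yml` with no checkbox, yet it is the only step in this checklist that limits their SSH access to `mail.archlinux.org`. Suggest making it a checkbox item of its own and showing the expected `hosts` value for the opt-in `homedir.archlinux.org` case. The entry, pubkey and playbook items are also unconditional, while the mail item above them applies to support staff only when the communication e-mail address is arch; the template should say whether support staff without an arch address still get an account.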
......@@ -56,32 +62,28 @@ https://www.gnupg.org/gph/en/manual/x135.html
## Developer onboarding checklist
- [ ] Add entry in [`group_vars/all/archusers.yml`](group_vars/all/archusers.yml).
- [ ] Add SSH pubkey to `pubkeys/<username>.pub`.
- [ ] Run `ansible-playbook -t archusers $(git grep -l archusers playbooks/ | grep -v phrik)`.
- [ ] Assign the user to the `Developers` groups on Keycloak.
- [ ] Assign the user to the `Developers` group on [archlinux.org](https://archlinux.org/admin/auth/user/).
- [ ] Subscribe **communication e-mail address** to internal [arch-dev](https://lists.archlinux.org/mailman3/lists/arch-dev.lists.archlinux.org/mass_subscribe/) mailing list.
## TU onboarding checklist
- [ ] Add entry in [`group_vars/all/archusers.yml`](group_vars/all/archusers.yml).
- [ ] Add SSH pubkey to `pubkeys/<username>.pub`.
- [ ] Run `ansible-playbook -t archusers $(git grep -l archusers playbooks/ | grep -v phrik)`.
- [ ] Assign the user to the `Trusted Users` groups on Keycloak.
- [ ] Assign the user to the `Trusted Users` group on [archlinux.org](https://archlinux.org/admin/auth/user/).
- [ ] Subscribe **communication e-mail address** to internal [arch-tu](https://lists.archlinux.org/mailman3/lists/arch-tu.lists.archlinux.org/mass_subscribe/) mailing list.
## Support staff checklist
- [ ] Assign the user to the proper support staff group on Keycloak.
## DevOps onboarding checklist
- [ ] Add entries in [`group_vars/all/root_access.yml`](group_vars/all/root_access.yml).
- [ ] Run `ansible-playbook -t root_ssh playbooks/all-hosts-basic.yml`.
- [ ] Run `ansible-playbook playbooks/hetzner_storagebox.yml playbooks/rsync.net.yml`.
- [ ] Assign the user to the `DevOps` group on Keycloak.
- [ ] Subscribe **communication e-mail address** to internal [arch-devops-private](https://lists.archlinux.org/mailman3/lists/arch-devops-private.lists.archlinux.org/mass_subscribe/) mailing list.
- [ ] Add pubkey to [Hetzner's key management](https://robot.your-server.de/key/index) for Dedicated server rescue system.
## Wiki Administrator checklist
- [ ] Assign the user to the `Wiki Admins` group on Keycloak.
- [ ] Subscribe **communication e-mail address** to the [arch-wiki-admins](https://lists.archlinux.org/mailman3/lists/arch-wiki-admins.lists.archlinux.org/mass_subscribe/) mailing list.
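Review bot: `Assign the user to the proper support staff group on Keycloak.` under `## Support staff checklist` does not say which groups exist, unlike the neighbouring sections that name `Developers`, `Trusted Users`, `DevOps` and `Wiki Admins`. Suggest listing the support staff group names in the item; the heading could also read `Support staff onboarding checklist` to match the Developer, TU and DevOps headings.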