.gitlab/issue_templates/Offboarding.md

@@ -17,13 +17,13 @@ This template should be used for offboarding Arch Linux team members.
 - [ ] Set user to inactive in archweb: https://www.archlinux.org/admin/auth/user/
 - [ ] Remove member from [staff mailing list](https://lists.archlinux.org/admin/staff/members)
 - [ ] Ask the user to leave `#archlinux-staff` on Libera Chat and forget the password
-- [ ] Remove staff cloak on Libera Chat
+- [ ] Remove staff cloak on Libera Chat ([Group contacts](https://wiki.archlinux.org/title/Arch_IRC_channels#Libera_Chat_group_contacts))
 
 ## TU/Developer offboarding checklist
 
 - [ ] Remove entry in `group_vars/all/archusers.yml`.
 - [ ] Remove SSH pubkey from `pubkeys/<username>.pub`.
-- [ ] Run `ansible-playbook -t archusers playbooks/*.yml`.
+- [ ] Run `ansible-playbook -t archusers  $(git grep -l archusers playbooks/ | grep -v phrik)`.
 - [ ] Remove the user from the `Trusted Users`/`Developers` groups on Keycloak.
 - [ ] Moderate email address on [arch-dev-public](https://lists.archlinux.org/admin/arch-dev-public/members) (find member and moderate)
 - [ ] Remove member from [arch-tu](https://lists.archlinux.org/admin/arch-tu/members) and/or [arch-dev](https://lists.archlinux.org/admin/arch-dev/members) mailing lists

.gitlab/issue_templates/Onboarding.md

@@ -41,6 +41,9 @@ The mailing list password can be found in misc/additional-credentials.vault.
 - [ ] Remove personal information (such as **Full Name** and **Personal e-mail
   address**, as well as the clearsigned representation of this data), remove
   the description history and make the issue non-confidential.
+- [ ] Request staff cloak on Libera Chat ([Group contacts](https://wiki.archlinux.org/title/Arch_IRC_channels#Libera_Chat_group_contacts))
+- [ ] Go to [Arch Linux group](https://gitlab.archlinux.org/groups/archlinux/-/group_members) -> Enter Admin mode -> go to members -> add username as "minimal access"
+- [ ] Go to [Arch Staff group](https://gitlab.archlinux.org/groups/archlinux/teams/staff/-/group_members) -> Enter Admin mode -> go to members -> add username as "reporter"
 
 ## Packager onboarding checklist
 
@@ -57,7 +60,7 @@ The mailing list password can be found in misc/additional-credentials.vault.
 
 - [ ] Add entry in `group_vars/all/archusers.yml`.
 - [ ] Add SSH pubkey to `pubkeys/<username>.pub`.
-- [ ] Run `ansible-playbook -t archusers playbooks/*.yml`.
+- [ ] Run `ansible-playbook -t archusers  $(git grep -l archusers playbooks/ | grep -v phrik)`.
 - [ ] Assign the user to the `Developers` groups on Keycloak.
 - [ ] Assign the user to the `Developers` group on [archlinux.org](https://archlinux.org/admin/auth/user/).
 - [ ] Subscribe **communication e-mail address** to internal [arch-dev](https://lists.archlinux.org/admin/arch-dev/members/add) mailing list.
@@ -67,7 +70,7 @@ The mailing list password can be found in misc/additional-credentials.vault.
 
 - [ ] Add entry in `group_vars/all/archusers.yml`.
 - [ ] Add SSH pubkey to `pubkeys/<username>.pub`.
-- [ ] Run `ansible-playbook -t archusers playbooks/*.yml`.
+- [ ] Run `ansible-playbook -t archusers  $(git grep -l archusers playbooks/ | grep -v phrik)`.
 - [ ] Assign the user to the `Trusted Users` groups on Keycloak.
 - [ ] Assign the user to the `Trusted Users` group on [archlinux.org](https://archlinux.org/admin/auth/user/).
 - [ ] Subscribe **communication e-mail address** to internal [arch-tu](https://lists.archlinux.org/admin/arch-tu/members/add) mailing list.

docs/email.md

@@ -16,6 +16,13 @@ If the user wants to forward email, either enter the destination directly in
 the /etc/postfix/users file or enter a username and then put the destination
 into `~username/.forward` so that they can edit it themselves.
 
+If the user is a new onboarded user the password has to be made empty, so the
+user can login and set a password:
+
+```
+passwd -d $username
+```
+
 # SMTP Architecture
 
 All hosts should be relaying outbound SMTP traffic via our primary MX server

group_vars/all/archusers.yml

@@ -55,6 +55,11 @@ arch_users:
       - dev
       - tu
       - multilib
+  artafinde:
+    name: "Leonidas Spyropoulos"
+    ssh_key: "artafinde.pub"
+    groups:
+      - tu
   anatolik:
     name: "Anatol Pomozov"
     ssh_key: anatolik.pub
@@ -178,12 +183,6 @@ arch_users:
       - dev
       - multilib
       - tu
-  eschwartz:
-    name: "Eli Schwartz"
-    ssh_key: eschwartz.pub
-    groups:
-      - tu
-      - multilib
   escondida:
     name: "Ivy Foster"
     ssh_key: escondida.pub
@@ -292,13 +291,6 @@ arch_users:
       - dev
       - tu
       - multilib
-  jgc:
-    name: "Jan de Groot"
-    ssh_key: jgc.pub
-    groups:
-      - dev
-      - multilib
-      - tu
   jleclanche:
     name: "Jerome Leclanche"
     ssh_key: jleclanche.pub

hosts

@@ -57,7 +57,6 @@ homedir.archlinux.org
 bbs.archlinux.org
 bugs.archlinux.org
 aur.archlinux.org
-aur-dev.archlinux.org
 wiki.archlinux.org
 
 [postgresql_servers]
@@ -99,7 +98,6 @@ repro2.pkgbuild.com
 
 [memcached]
 aur.archlinux.org
-aur-dev.archlinux.org
 wiki.archlinux.org
 patchwork.archlinux.org
 

one-shots/keycloak-importer/archusers.yml

@@ -191,12 +191,6 @@ arch_users:
   #     - dev
   #     - multilib
   #     - tu
-  # eschwartz:
-  #   name: "Eli Schwartz"
-  #   ssh_key: eschwartz.pub
-  #   groups:
-  #     - tu
-  #     - multilib
   # escondida:
   #   name: "Ivy Foster"
   #   ssh_key: escondida.pub

pubkeys/artafinde.pub

+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEkKl29v447RLdHNomiQfQhdr66vCzU50vF74C/dh2zO inglor@tiamat

pubkeys/eschwartz.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6OXMLKmaxM23AlPegGQozTxQSDDjtwHf8Ur6JRD//2eGfGp4Ej2IgSauS/0wQdWWBf0eDZeL4iFW/JQOtweyxlotbQQsB//VvAbAYUnuQh+i7VlVoCnfuL0zD0mfAvWoxhqBbxVWGHQD6bQv2YPUSlV0w8222qlg/XeQtaJ8W7Xd+Ap4jCk9uG6Pjx6bTtueHfX+ZHlGxxAyJRz1LZgL/Vu2JT7UeXBrAkPqFJoW6JFQT5lKXuGn603LM1smi6Y4YnpWJZ9Z5Q7uQL8/iqh2u02hCy8V4fbwsIovbRnTkJJSyFe7hFvu7VA1/lmh6Cb4KO7UDQ1ne0nGbfCSq8WV7 eschwartz@vostro

pubkeys/jgc.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu111psclLoPNpwGva9ocmb+6c0xCEDCPXfWX3OZFSqs3bawqgxgC/sOrFV9UqravbfMQvDJRu+5XQyoaEEEm+h707UOXh6AAsg3zpruXRl49qb73vyDJZgxx6KtN5WgM9pVz4JPkLoNL3HAgk1pLj1ama9CeKhRL0Lzi+G8ZK23kMK2IacIMWWvtetqKXIPhp4qCKhOs4SHeOMstz/d4lHbDj3foITLisq1bF3Q4DbrdPlD6hWXJ0RalbfMwjL4g+Aj2G6XYnga9o9V+dbluLBAFOCVoS1FpROX5dM1pahIqfq+YgWeexBccKbu2/mgAY7T16Hvvq5YXf/TIRFjifQ== jan@server

roles/archbuild/files/gitpkg

@@ -383,7 +383,7 @@ if gitify
         warn "pkgver() deduction failed: #{e}"
       end
 
-      ver_sed << "s/-/+/g"
+      ver_sed << "s/[^-]*-g/r&/;s/-/+/g"
 
       <<~END
         cd #{localname}

roles/dbscripts/defaults/main.yml

 ---
 dbscripts_commit: HEAD
 dbscripts_update: true
-dbscripts_pgp_emails: ['eschwartz@archlinux.org', 'jelle@archlinux.org']
+dbscripts_pgp_emails: ['jelle@archlinux.org']

roles/matrix/tasks/main.yml

@@ -77,7 +77,7 @@
 - name: install synapse
   pip:
     name:
-      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.47.1'
+      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]==1.48.0'
     state: latest
     extra_args: '--upgrade-strategy=eager'
     virtualenv: /var/lib/synapse/venv

roles/matrix/templates/homeserver.yaml.j2

@@ -658,8 +658,8 @@ retention:
 #
 #federation_certificate_verification_whitelist:
 #  - lon.example.com
-#  - *.domain.com
-#  - *.onion
+#  - "*.domain.com"
+#  - "*.onion"
 
 # List of custom certificate authorities for federation traffic.
 #
@@ -2082,6 +2082,12 @@ sso:
     #
     #algorithm: "provided-by-your-issuer"
 
+    # Name of the claim containing a unique identifier for the user.
+    #
+    # Optional, defaults to `sub`.
+    #
+    #subject_claim: "sub"
+
     # The issuer to validate the "iss" claim against.
     #
     # Optional, if provided the "iss" claim will be required and
@@ -2403,8 +2409,8 @@ user_directory:
     # indexes were (re)built was before Synapse 1.44, you'll have to
     # rebuild the indexes in order to search through all known users.
     # These indexes are built the first time Synapse starts; admins can
-    # manually trigger a rebuild following the instructions at
-    #     https://matrix-org.github.io/synapse/latest/user_directory.html
+    # manually trigger a rebuild via API following the instructions at
+    #     https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
     #
     # Uncomment to return search results containing all known users, even if that
     # user does not share a room with the requester.

roles/prometheus/files/node.rules.yml

@@ -3,8 +3,8 @@ groups:
     interval: 60s
     rules:
       - alert: HostHighCpuLoad
-        expr: 100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle",instance!~"build.archlinux.org",instance!~"repro1.pkgbuild.com",instance!~"repro2.pkgbuild.com",instance!~"runner2.archlinux.org"}[5m])) * 100) > 90
-        for: 5m
+        expr: 100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle",instance!~"build.archlinux.org",instance!~"repro1.pkgbuild.com",instance!~"repro2.pkgbuild.com",instance!~"runner2.archlinux.org",instance!~"runner1.archlinux.org"}[10m])) * 100) > 90
+        for: 10m
         labels:
           severity: warning
         annotations:

roles/prometheus/templates/prometheus.yml.j2

@@ -159,9 +159,8 @@ scrape_configs:
     scrape_interval: 15s
     metrics_path: "/metrics/synapse.{{ endpoint }}"
     scheme: https
-    basic_auth:
-      username: {{ vault_matrix_secrets.metrics_user }}
-      password: {{ vault_matrix_secrets.metrics_password }}
+    authorization:
+      credentials: {{ vault_matrix_secrets.metrics_token }}
     static_configs:
       - targets: ["matrix.archlinux.org:443"]
 {% endfor %}