# DevOps Meeting 2021-02-25

[[_TOC_]]

## Arch-boxes mirroring on mirrors

https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/296

### Who

* svenstaro
## SPI follow-up

We received some kind of document from them but that's about it.

### Who

* anthraxx
## Archweb SSO

Work is underway to get archweb on Keycloak.

https://github.com/archlinux/archweb/issues/284

https://github.com/archlinux/archweb/tree/oidc

The mapping of roles/groups to Django groups/repository permissions for new users seems to work fine on logon, but we also need to handle the case where a user is updated:

- We seem to need a periodic role/group sync from Keycloak to Django (also for offboarding developers, for example)
- Inspiration: https://gitlab.archlinux.org/archlinux/mail-credential-syncer
- The Django OIDC library creates a random UUID for the username; since much functionality in archweb depends on the username, we'll use the Keycloak preferred_username, but this implies the username must be unique.
- For matching users from Keycloak we currently use the email address; do we guarantee that a username/email is unique?
- Logging out of Keycloak from archweb is a bit tedious and still needs to be implemented.

Make sure that users cannot change their email/username, as those values should come from Keycloak?
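
The periodic role/group sync discussed above, as an added example and not archweb or mail-credential-syncer code: a reconciliation pass that matches users on the OIDC `sub` claim rather than email or username, replaces group membership wholesale so that removal in Keycloak (offboarding) propagates, and flags a preferred_username clash instead of merging two accounts. ROLE_MAP, LocalUser and the sample data are constructed assumptions.

```python
"""Periodic Keycloak -> local (Django-style) user/group sync. Constructed example,
not archweb code: match on the OIDC `sub` claim (stable), replace group membership
wholesale so offboarding propagates, and flag preferred_username clashes."""
from dataclasses import dataclass, field
# Hypothetical mapping from Keycloak group names to local Django group names.
ROLE_MAP = {"Developers": "Developers", "Trusted Users": "Trusted Users"}
@dataclass
class LocalUser:
    sub: str
    username: str
    email: str
    groups: set = field(default_factory=set)
    is_active: bool = True
def sync_users(keycloak_users, local_users):
    """keycloak_users: dicts with sub, preferred_username, email, groups; local_users: sub -> LocalUser (mutated). Returns a change log."""
    changes, seen = [], set()
    by_username = {u.username: u.sub for u in local_users.values()}
    for kc in keycloak_users:
        seen.add(kc["sub"])
        wanted = {ROLE_MAP[g] for g in kc["groups"] if g in ROLE_MAP}
        user = local_users.get(kc["sub"])
        if user is None:
            # archweb keys on username, so a clash with another sub is an error, not a merge.
            if by_username.get(kc["preferred_username"], kc["sub"]) != kc["sub"]:
                changes.append(f"conflict {kc['preferred_username']} ({kc['sub']})")
                continue
            user = LocalUser(kc["sub"], kc["preferred_username"], kc["email"])
            local_users[kc["sub"]], by_username[user.username] = user, user.sub
            changes.append(f"create {user.username}")
        if user.groups != wanted:
            user.groups = wanted
            changes.append(f"groups {user.username}: {sorted(wanted)}")
    # Offboarding: anyone absent from Keycloak loses all groups and is disabled.
    for sub, user in local_users.items():
        if sub not in seen and user.is_active:
            user.is_active, user.groups = False, set()
            changes.append(f"deactivate {user.username}")
    return changes
def demo():
    """Constructed data: alice promoted, bob offboarded, dave new, 'carol' clashes."""
    local = {"s1": LocalUser("s1", "alice", "a@example.org", {"Developers"}),
             "s2": LocalUser("s2", "bob", "b@example.org", {"Developers"}),
             "s9": LocalUser("s9", "carol", "c@example.org", {"Developers"})}
    kc = [{"sub": "s1", "preferred_username": "alice", "email": "a@example.org",
           "groups": ["Developers", "Trusted Users"]},
          {"sub": "s3", "preferred_username": "dave", "email": "d@example.org", "groups": ["Developers"]},
          {"sub": "s4", "preferred_username": "carol", "email": "x@example.org", "groups": []}]
    return sync_users(kc, local), local
```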

## Gluebuddy

- Is the mapping of Keycloak usernames to GitLab usernames unique?
- Users can currently change their GitLab username: https://gitlab.archlinux.org/-/profile/account
- Can be disabled: https://docs.gitlab.com/ee/administration/user_settings.html#disallow-users-changing-usernames
- GitLab uses `sub` for uid: https://docs.gitlab.com/ee/administration/auth/oidc.html
- What happens with external auth providers in terms of unique usernames?
- https://www.keycloak.org/docs/latest/server_admin/#_identity_broker_first_login
- Staff Keycloak hierarchy and who should be put into the GitLab group

### Actionable

* Disable GitLab username changing: https://docs.gitlab.com/ee/administration/user_settings.html#disallow-users-changing-usernames
* Document that username must NEVER be changed
## Confidential issue

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/284

### Actionable

* Report upstream

### Who

* wCPO
## Move network manager check to a new VPS?

https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/311

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/239

Should we additionally consider moving it to a separate machine?

### Actionable

* Use the redirect.al.org machine

### Who

* Jelle & wCPO
## nginx monitoring

I will add nginx-mod-vts to our monitoring. It is sadly a third-party module, but it does allow us to monitor status codes, upstreams, bytes sent and request timings.

https://github.com/vozlt/nginx-module-vts
## signstar

Follow up with diabonas

### Who

* anthraxx