.ansible-lint

@@ -4,10 +4,10 @@ exclude_paths:
   - playbooks/tasks
   - roles/prometheus/files/node.rules.yml
 skip_list:
-  # line too long (x > 80 characters) (line-length)
-  - 'line-length'
-  # yaml: too many spaces inside braces (braces)
-  - 'braces'
+  # yaml: line too long (x > 160 characters) (yaml[line-length])
+  - yaml[line-length]
+  # yaml: too many spaces inside braces (yaml[braces])
+  - yaml[braces]
   # Do not recommend running tasks as handlers
   - 'no-handler'
   # Do not force galaxy info in meta/main.yml

.gitlab-ci.yml

@@ -8,8 +8,8 @@ ansible-lint:
     # This probably happens due to gitlab-runner mounting the git repo into the container
     - chmod o-w .
     # Fix syntax-check rule (https://github.com/ansible-community/ansible-lint/issues/1350#issuecomment-778764110)
-    - sed "s/,hcloud_inventory.py//" -i ansible.cfg
-    - sed "/^vault_password_file/d" -i ansible.cfg
+    - sed -i "/^vault_identity_list/d" ansible.cfg
+    - sed -i -e "/vars_files:/d" -e "/misc\/vaults\/vault_/d" playbooks/*.yml
     # Fix load-failure: Failed to load or parse file
     - ansible-lint $(printf -- "--exclude %s " */*/vault_*)
 

.gitlab/issue_templates/New Official Project.md

@@ -38,9 +38,9 @@ If you want to add a new official project, here are some guidelines to follow:
    - All of these should be activated by default as per group rules but it's good to check.
 1. [ ] The *Protected Branches* in https://gitlab.archlinux.org/archlinux/my-example/-/settings/repository should specify
        `Allowed to merge` and `Allowed to push` as `Developers + Maintainers.`
-1. [ ] Disable unneeded project features under *Visibility, project features, permissions* (https://gitlab.archlinux.org/archlinux/my-example/edit)  
+1. [ ] Disable unneeded project features under *Visibility, project features, permissions* (https://gitlab.archlinux.org/archlinux/my-example/edit)
    Always:
-   - `Users can request access`: `off`  
+   - `Users can request access`: `off`
    Often, but not always:
    - Repository -> Container registry
    - Repository -> Git Large File Storage (LFS)
@@ -86,7 +86,7 @@ If you want to add a new official project, here are some guidelines to follow:
    - `Issues`
    - `Projects`
 1. [ ] Go to https://github.com/archlinux/my-example/settings/hooks and add a new webhook
-   - `Payload URL`: `$(misc/get_key.py misc/vault_github.yml github_pull_closer_webhook_url)`
+   - `Payload URL`: `$(misc/get_key.py misc/vaults/vault_github.yml github_pull_closer_webhook_url)`
    - `Content type`: `application/json`
    - `Which events would you like to trigger this webhook?`
      - `Let me select individual events.`: `Pull requests`

.gitlab/issue_templates/Offboarding.md

@@ -37,7 +37,7 @@ This template should be used for offboarding Arch Linux team members.
 ## DevOps offboarding checklist
 
 - [ ] Remove entries in `group_vars/all/root_access.yml`.
-- [ ] Run `ansible-playbook -t root_ssh playbooks/*.yml`.
+- [ ] Run `ansible-playbook -t root_ssh playbooks/all-hosts-basic.yml`.
 - [ ] Run `ansible-playbook playbooks/hetzner_storagebox.yml playbooks/rsync.net.yml`.
 - [ ] Remove the user from the `DevOps` group on Keycloak.
 - [ ] Remove member from [arch-devops-private mailing lists](https://lists.archlinux.org/admin/arch-devops-private/members)

.gitlab/issue_templates/Onboarding.md

@@ -30,7 +30,7 @@ https://www.gnupg.org/gph/en/manual/x135.html
 -->
 
 ## All roles checklist
-The mailing list password can be found in [`misc/additional-credentials.vault`](misc/additional-credentials.vault).
+The mailing list password can be found in [`misc/vaults/additional-credentials.vault`](misc/vaults/additional-credentials.vault).
 
 - [ ] Add new user email as per [`docs/email.md`](docs/email.md).
 - [ ] Create a new user in [archweb](https://www.archlinux.org/devel/newuser/). Select the appropriate group membership and allowed repos (if applicable).

README.md

@@ -20,7 +20,7 @@ run the provisioning script: `ansible-playbook playbooks/tasks/install-arch.yml
 The provisioning script configures a sane basic systemd with sshd. By design, it is NOT idempotent.
 After the provisioning script has run, it is safe to reboot.
 
-Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
+Once in the new system, run the regular playbook: `HCLOUD_TOKEN=$(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key) ansible-playbook playbooks/$hostname.yml`.
 This playbook is the one regularity used for administrating the server and is entirely idempotent.
 
 When adding a new machine you should also deploy our SSH known_hosts file and update the SSH hostkeys file in this git repo.
@@ -29,23 +29,23 @@ It will also deploy any new SSH host keys to all our machines.
 
 #### Note about GPG keys
 
-The `root_access.yml` file contains the `root_gpgkeys` variable that determine the users that have access to the vault, as well as the borg backup keys.
-All the keys should be on the local user gpg keyring and at **minimum** be locally signed with `--lsign-key`. This is necessary for running either the reencrypt-vault-key
-or the fetch-borg-keys tasks.
+The `root_access.yml` file contains the `vault_default_pgpkeys` variable which
+determines the users that have access to the `default` vault, as well as the
+borg backup keys. A separate `super` vault exists for storing highly sensitive
+secrets like Hetzner credentials; access to the `super` vault is controlled by
+the `vault_super_pgpkeys` variable.
 
-#### Note about Ansible dynamic inventories
-
-We use a dynamic inventory script in order to automatically get information for
-all servers directly from hcloud. You don't really have to do anything to make
-this work but you should keep in mind to NOT add hcloud servers to `hosts`!
-They'll be available automatically.
+All the keys should be on the local user gpg keyring and at **minimum** be
+locally signed with `--lsign-key`. This is necessary for running any of the
+`reencrypt-vault-default-key`, `reencrypt-vault-super-key `or `fetch-borg-keys`
+tasks.
 
 #### Note about packer
 
 We use packer to build snapshots on hcloud to use as server base images.
 In order to use this, you need to install packer and then run
 
-    packer build -var $(misc/get_key.py misc/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json
+    packer build -var $(misc/get_key.py misc/vaults/vault_hetzner.yml hetzner_cloud_api_key --format env) packer/archlinux.json
 
 This will take some time after which a new snapshot will have been created on the primary hcloud archlinux project.
 
@@ -151,26 +151,20 @@ This section has been moved to [docs/servers.md](docs/servers.md).
 
 ## Ansible repo workflows
 
-### Replace vault password and change vaulted passwords
-
-  - Generate a new key and save it as ./new-vault-pw: `pwgen -s 64 1 > new-vault-pw`
-  - `for i in $(ag ANSIBLE_VAULT -l); do ansible-vault rekey --new-vault-password-file new-vault-pw $i; done`
-  - Change the key in misc/vault-password.gpg
-  - `rm new-vault-pw`
-
-### Re-encrypting the vault after adding or removing a new GPG key
-
-  - Make sure you have all the GPG keys **at least** locally signed
-  - Run the `playbooks/tasks/reencrypt-vault-key.yml` playbook and make sure it does not have **any** failed task
-  - Test that the vault is working by running ansible-vault view on any encrypted vault file
-  - Commit and push your changes
-
 ### Fetching the borg keys for local storage
 
   - Make sure you have all the GPG keys **at least** locally signed
   - Run the `playbooks/tasks/fetch-borg-keys.yml` playbook
   - Make sure the playbook runs successfully and check the keys under the borg-keys directory
 
+### Re-encrypting the vaults after adding a new PGP key
+
+Follow the instructions in [group_vars/all/root_access.yml](group_vars/all/root_access.yml).
+
+### Changing the vault password on encrypted files
+
+See [docs/vault-rekeying.md](docs/vault-rekeying.md).
+
 ## Backup documentation
 
 We use BorgBackup for all of our backup needs. We have a primary backup storage as well as an

ansible.cfg

 [defaults]
-inventory = hosts,hcloud_inventory.py
+inventory = hosts
 library = library
 remote_tmp = $HOME/.ansible/tmp
 remote_user = root
 nocows = 1
 roles_path = roles
-vault_password_file = misc/get-vault-pass.sh
+vault_id_match = True
+vault_identity_list = default@misc/vault-keyring-client.sh,super@misc/vault-keyring-client.sh
 retry_files_enabled = False
 callback_plugins = plugins/callback
 callbacks_enabled = profile_tasks

docs/monitoring.md

@@ -5,7 +5,6 @@ To access our monitoring system, go to https://monitoring.archlinux and log in v
 
 ## Adding a new host to monitoring
 
-* Add $host to node_exporters in `hosts`
 * Rollout exporter on host: `ansible-playbook playbooks/host.yml -t prometheus_exporters`
 * Rollout changes on monitoring host: `ansible-playbook playbooks/monitoring.archlinux.org.yml -t prometheus`
 

docs/otp.md

@@ -14,7 +14,7 @@ Run
 
     pass otp insert -i GitHub -a archlinux-master-token github.com/archlinux-master-token -s
 
-When asked for a secret, provide the `github_master_seed` from `misc/vault_github.yml`.
+When asked for a secret, provide the `github_master_seed` from `misc/vaults/vault_github.yml`.
 You can then run
 
     pass otp code github.com/archlinux-master-token
@@ -30,7 +30,7 @@ Run
 
     pass otp insert -i Hetzner -a archlinux-master-token Hetzner/archlinux-master-token -s
 
-When asked for a secret, provide the `hetzner_master_seed` from `misc/vault_hetzner.yml`.
+When asked for a secret, provide the `hetzner_master_seed` from `misc/vaults/vault_hetzner.yml`.
 You can then run
 
     pass otp code Hetzner/archlinux-master-token
@@ -43,7 +43,7 @@ Run
 
     pass otp insert -i UptimeRobot -a archlinux UptimeRobot/archlinux-master-token -s
 
-When asked for a secret, provide the `2FA token seed` from `misc/additional-credentials.vault`.
+When asked for a secret, provide the `2FA token seed` from `misc/vaults/additional-credentials.vault`.
 You can then run
 
     pass otp code UptimeRobot/archlinux-master-token
@@ -63,6 +63,19 @@ You can then run
 
 to generate a token to log in.
 
+## Vagrant Cloud
+
+Run
+
+    pass otp insert -i VagrantCloud -a archlinux VagrantCloud/archlinux-master-token -s
+
+When asked for a secret, provide the `vagrant_cloud_seed` from `misc/vaults/vault_vagrant_cloud.yml`.
+You can then run
+
+    pass otp code VagrantCloud/archlinux-master-token
+
+to generate a token to log in.
+
 ### Adding your own account
 
 Hetzner supports multiple 2FA devices at once which allows you to add your own 2FA app of choice

docs/servers.md

@@ -85,19 +85,24 @@ So to set up this server from scratch, run:
 
 ### Services
   - Regular mirror.
-  - Running a authoritative DNS server (PowerDNS) for our GeoIP mirror
 
 ## reproducible.archlinux.org
 
 [Rebuilderd docs](./docs/rebuilderd.md)
 
 ### Services
-  - Runs a master [rebuilderd](https://reproducible.archlinux.org) instance two workers:
-    - repro1.pkgbuild.com (packet.net Arch Linux box)
+  - Runs a master [rebuilderd](https://reproducible.archlinux.org) instance
+    with two workers:
+    - repro1.pkgbuild.com (Equinix Metal box with a Xeon E-2278G and 32G RAM)
+    - repro2.pkgbuild.com (Kape server with an EPYC 7702P and 256G RAM)
+
+## runner1.archlinux.org
+
+Medium-fast-ish Kape Arch Linux box.
 
 ## runner2.archlinux.org
 
-Medium-fast-ish packet.net Arch Linux box.
+Medium-fast-ish Equinix Metal Arch Linux box.
 
 ### Services
   - GitLab runner
@@ -135,6 +140,7 @@ Prometheus, and Grafana server which receives selected performance/metrics from
 
 ### Services
   - Redirects (nginx redirects)
+  - Authoritative DNS server (PowerDNS) for ACME DNS challenges
   - ping
 
 ## security.archlinux.org
@@ -151,6 +157,14 @@ Prometheus, and Grafana server which receives selected performance/metrics from
 
   Online collborative markdwown editor for Arch Linux Staff.
 
+## mailman3.archlinux.org
+
+This server runs mailman3 as mailman2 and mailman3 can't be installed on the same server. The HTTP and LMTP traffic is routed over WireGuard from lists.archlinux.org.
+
+### Services
+
+  - mailman3
+
 ### Services
   - [hedgedoc](https://hedgedoc.org/)
 

docs/ssh-hostkeys.txt

@@ -186,15 +186,15 @@
 3072 MD5:b6:14:30:bd:fe:43:46:6a:20:a2:8b:b0:aa:d4:35:19 root@archlinux-packer (RSA)
 
 # mailman3.archlinux.org
-1024 SHA256:uYhlq19YzcZ8PEModMv2Y65xsiq1H+mjdwZ8PtbPET8 root@archlinux-packer (DSA)
-256 SHA256:85YiWFreKiw2Pv/XaKTqs0J0VInFtyVahpDRx2O9/B4 root@archlinux-packer (ECDSA)
-256 SHA256:b0mcOvNMzGrekDDtx83ZB1p5kN0meFek7zz1LbkfeHM root@archlinux-packer (ED25519)
-3072 SHA256:5hC4XSzA+/CgpL6cLYt0UbHB4aUs/o0IPxSScZwoi4A root@archlinux-packer (RSA)
-
-1024 MD5:3b:20:ad:1e:65:d8:3a:2e:09:69:62:46:e6:d9:6a:3e root@archlinux-packer (DSA)
-256 MD5:8d:ee:10:9b:05:56:b3:c7:4a:de:00:ad:95:c1:95:fa root@archlinux-packer (ECDSA)
-256 MD5:25:a8:b9:3c:fe:74:e7:7f:39:03:8e:23:dc:20:eb:bf root@archlinux-packer (ED25519)
-3072 MD5:20:a0:74:13:bd:97:59:11:75:a4:67:28:92:c3:40:35 root@archlinux-packer (RSA)
+1024 SHA256:U1A+NO+I+JRg0YPo+UgwGfbextnL+pVuqjWGdyokLpI root@archlinux-packer (DSA)
+256 SHA256:vdEZ5/6Xxd7Azjzaf5xz5kfzQrWcq1raz5cFAIclooE root@archlinux-packer (ECDSA)
+256 SHA256:iCeRz+2HK7heoapDRscHpgbEX4cbem1BZpWzrAoOxTQ root@archlinux-packer (ED25519)
+3072 SHA256:sqUYYmrNXzYPL5TtsBsTnaANsZ/P7miyCAIkt0YWfBg root@archlinux-packer (RSA)
+
+1024 MD5:8f:94:fe:a9:56:ee:3f:cc:a4:e7:a5:4f:2b:02:e8:c3 root@archlinux-packer (DSA)
+256 MD5:ca:3e:2d:aa:8a:4b:71:3a:18:22:59:0f:6e:ff:ae:5d root@archlinux-packer (ECDSA)
+256 MD5:a8:d3:f8:42:ff:ae:7d:71:1b:fe:93:4b:f7:df:38:5f root@archlinux-packer (ED25519)
+3072 MD5:51:ea:a4:ec:76:87:ee:89:e7:3a:fc:80:ea:fe:2d:9c root@archlinux-packer (RSA)
 
 # man.archlinux.org
 1024 SHA256:11C7Qa1GSNBBspSlber3Sp+LEMRpfr/VWkypfu6OnhA root@archlinux-packer (DSA)

docs/ssh-known_hosts.txt

@@ -96,9 +96,9 @@ mail.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTOoGxsf23f6AjIHcQQuvbTO
 mail.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPrURadxte8UJiteGa6+Q+OjTAjhvGAQFkNSXj1pr4k03uxkU6l2v2LuTygk+4SZSCyUsKvNx/ljJeHBnuecQ8rRv19ZFqy/GQKB3oEmiNYMo2dYYlJWwTVBHatmghhB1j2y40yqdKWH2xQuXC3HtnS7fHG0g1Rc4R9KB4MQlcXkwnSEMpwpWBoO7sr0M4YTdwE+nSG9aNfyPbPGp3mX4ATz5X5hPJOlSFVDV6NuKrA+5qyt4jSKdeG5IuWeEnEJesYJEvShYdY9DvMCXnZykB0emzzk+5+Cp2lTPf9LOO3wNsTgHV/CwkoAoMgr9+ASefhBr3nxmmrs9T7nwuobGCGFUqQ2D8IKCmsWGVKXYERViz3x/gYUIlHgVJpoIXCFFqbdpWwxKR1aDMug2fFe699/FzuPdqrWPFdQMF2mPQ0w3AH/62KGp+PULE2HxrlCiY/gF2m8iJLgunxVKmi/c0ufgK9QilnKcPO+W4tcISa5MYt7MSTTLV9eVsgVjGhOU=
 
 # mailman3.archlinux.org
-mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFIHctq5/hKXaU//Jkzifp71ePIzcxdlxE5SZz1e7AcNp0Cci9W8A8NPtP6DMUvv4ezdKp+A/Czcy49tQolI30s=
-mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0FZBrH2DQQoGn85t+2PN8t8FmUst9PsEsmGekfFAc+
-mailman3.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqZnMXg8rPkeKh3w9U/rNMc9NXjLu5K7Azfs0o/rIm3Hm2thLJH4i6hVGpSIfCw77WzoW0kotAEMkX3WaO/MXqp7qWiEv5Xy/Y9p2YNYdCdkhDdDhmuHSlYT+acnSHVPSjdN3SaaxXoN1/GAb5jlRMItZncind3gU0G6Kpls6N9tHsbjNqOG9Yv6hAlYfyVn4Q20H1ABLCJSUgWNOXq5DrqOLddblajbg4gQ8u6tYSpKDkPyEA8vmOueoTcwzB7k+aZRJmR9CVh5tsYc6QyBlljkFY8xhwLxVRMAe7dPND7LsTbfO20zVlZ94rPkTN46lb9ekrVwlzLlFd0nnJ2iWFiBU9HKelsxj5r8OorZfRkpXa8QVW04smQxycgHutEmsDGob5OFYkAPrdbuE0vA8KOk02D8NWhFHcG2nR/zMohNEJQsoTIHx7xeagFrC4Xgn7M+nhCVIIpbAOkRFjHAr4j2fGHjLzxV3EPkLN08aIcK53uHZTo2YSHL+JoU936o8=
+mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLYxKdG6ntbOV/YpVbRkJiJfAPt8BTTN/hKm0uebSwpuQbbv5hxXLSOYeA0C/yJBNXXX4EJ82J88oEJQBFxiPvY=
+mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+GtJoC+QEUyKA/ZneTBXOBs7W3JBAEb1nLDkjzsqa1
+mailman3.archlinux.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdPJQIkN6wDk/140HS1WCIKc0Iz7Oq8c98XaLB0i9ksUxkWB4rxia/WP5RRF+g9yAqZvIg0f5W0d85pfuh+1TOccXk8r6GsH+gRIEkdmwu4Mf7iBpkQxl3n70yjNGxgbwGkVG9vREvJ4v3l/NRZrX2/N3RvcPG9TQwjFFOFYTRZNfUPvsppk572yQ8cjf7oUvJmLOwsKagO5WMUoKFAbO35/Mp2H6VbApYtIdpkFOXnaJUVduHInNa18CmKl28ZSTsigLkYb8pboS6RacJYgA5kK0vQsXCguDrA+SI9k1xW4i9FjUWsLlPuLkk9c7Tj39R95gWhxWwQ99ApNDVvZa+skSbMS7h4/d3NosyM2OO9LfqPiHn2xDsuvmpN0ScCwuocwR09EMrj4MQKzo31ITFHuSyxob0Z4yTQrKvJxdNwveXqaRHFNXUvSWtoRkk2cKB5hjsr0QCROBidYu4WG+/LfolzJQfuRqH7dvg5dvmJLrcozfcCpxspdBTIEKLG/c=
 
 # man.archlinux.org
 man.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhnsStoFw6rbVpE1S1vsXNk8de1SyMag1C+v0DWVSuNYzTylYg4322WbYzw45z2XhxrF6XmCSDMvgxvFwnfLQA=

docs/vault-rekeying.md

+# Vault rekeying
+
+## Changing the default vault password
+
+```bash
+# Generate a new password for the default vault
+pwgen -s 64 >new-default-pw
+
+# Re-encrypt all default vaults
+ansible-vault rekey --new-vault-password-file ./new-default-pw \
+  $(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')
+
+# Save the new password in encrypted form
+# (replace "RECIPIENT" with your email)
+gpg -r RECIPIENT -o misc/vault-default-password.gpg -e new-default-pw
+
+# Re-encrypt the new password with all DevOps keys
+ansible-playbook playbooks/tasks/reencrypt-vault-default-key.yml
+
+# Ensure the new password is usable
+ansible-vault view misc/vaults/vault_hcloud.yml
+
+# Remove the unencrypted password file
+rm new-default-pw
+
+# Review and commit the changes
+```
+
+## Changing the super vault password
+
+```bash
+# Generate a new password for the super vault
+pwgen -s 64 >new-super-pw
+
+# Re-encrypt all super vaults
+ansible-vault rekey --new-vault-id super@./new-super-pw \
+  $(git grep -l 'ANSIBLE_VAULT;1.2;AES256;super$')
+
+# Save the new password in encrypted form
+# (replace "RECIPIENT" with your email)
+gpg -r RECIPIENT -o misc/vault-super-password.gpg -e new-super-pw
+
+# Re-encrypt the new password with all DevOps super keys
+ansible-playbook playbooks/tasks/reencrypt-vault-super-key.yml
+
+# Ensure the new password is usable
+ansible-vault view misc/vaults/vault_hetzner.yml
+
+# Remove the unencrypted password file
+rm new-super-pw
+
+# Review and commit the changes
+```

group_vars/all/archusers.yml

----
-
 arch_groups:
   - dev
   - tu
@@ -267,13 +265,6 @@ arch_users:
     shell: /bin/zsh
     groups:
       - tu
-  fukawi2:
-    name: "Phillip Smith"
-    ssh_key: fukawi2.pub
-    hosts:
-      - mail.archlinux.org
-    groups:
-      - support-staff
   gitlab:
     name: ""
     groups: []
@@ -505,6 +496,7 @@ arch_users:
     ssh_key: kpcyrd.pub
     groups:
       - tu
+      - multilib
   raster:
     name: "Carsten Haitzler"
     ssh_key: raster.pub
@@ -572,3 +564,9 @@ arch_users:
     ssh_key: yan12125.pub
     groups:
       - tu
+
+# utility accounts to protect from the "disable ssh keys of disabled users" task
+utility_users:
+  gemini.archlinux.org:
+    - svn-packages
+    - svn-community

group_vars/all/geo.yml

+geo_acme_dns_challenge_ns: redirect.archlinux.org
+geo_domains:
+  - geo.mirror.pkgbuild.com
+geo_options:
+  geo.mirror.pkgbuild.com:
+    health_check_path: /lastupdate

group_vars/all/postfix.yml

 # This is overridden for the actual mail server which uses mail.archlinux.org.
-mail_domain: "{{inventory_hostname}}"
+mail_domain: "{{ inventory_hostname }}"
 
 # password used by postfix for relaying to a central smtp server
-postfix_relay_password: "{{vault_postfix_relay_password}}"
+postfix_relay_password: "{{ vault_postfix_relay_password }}"

group_vars/all/root_access.yml

----
-
 # deploy tag 'sudo' when this changes
 sudo_users:
   - root
@@ -23,10 +21,20 @@ root_ssh_keys:
   - key: anthraxx.pub
   - key: klausenbusk.pub
     additional_keys: [klausenbusk_2.pub]
+  - key: artafinde.pub
+    hosts:
+      - dashboards.archlinux.org
+      - gitlab.archlinux.org
+      - monitoring.archlinux.org
+      - lists.archlinux.org
+      - mailman3.archlinux.org
 
-# run playbook 'playbooks/tasks/reencrypt-vault-key.yml' when this changes
-# before running it, make sure to gpg --lsign-key all of the below keys
-root_gpgkeys:
+# - run 'playbooks/tasks/reencrypt-vault-{super,default}-key.yml' when this
+#   changes; before doing so, make sure to 'gpg --lsign-key' all listed keys
+# - before committing the re-encrypted password file, test if both vaults are
+#   working using `ansible-vault view misc/vaults/vault_{hetzner,hcloud}.yml`
+# NOTE: adding a key to this list gives access to both default and super vaults
+vault_super_pgpkeys: &vault_super_pgpkeys
   - 86CFFCA918CF3AF47147588051E8B148A9999C34  # foutrelis
   - 05C7775A9E8B977407FE08E69D4C5AA15426DA0A  # freswa
   - ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB  # grazzolini
@@ -35,3 +43,11 @@ root_gpgkeys:
   - 8FC15A064950A99DD1BD14DD39E4B877E62EB915  # svenstaro
   - E240B57E2C4630BA768E2F26FC1B547C8D8172C8  # anthraxx
   - DB650286BD9EAE39890D3FE6FE3DC1668CB24956  # klausenbusk
+
+# - run 'playbooks/tasks/reencrypt-vault-default-key.yml' when this changes
+# - before running it, make sure to 'gpg --lsign-key' all keys listed below
+# - before committing the re-encrypted password file, test that the vault
+#   is working by running `ansible-vault view misc/vaults/vault_hcloud.yml`
+vault_default_pgpkeys:
+  - *vault_super_pgpkeys
+  - B4B759625D4633430B74877059E43E106B247368  # artafinde

group_vars/all/vault_arch-boxes.yml

-$ANSIBLE_VAULT;1.1;AES256
-31616334663762643765636239633666663235363933616561386333313365666536663435623739
-3433363161663531313562666662353437333233396134390a336230353662316436363166326562
-39623835623266643133313865316437613133633630383463393361656132626334356432356338
-3730653762633437350a316461396263616662623638306565333362396532636331313263366362
-30333432626161316433393831386262613461613836616138326430386662396536383133663338
-34303238663239326133396138623465643865633931653965336664303761626562383331326663
-63623666613837333933386564396231363036633964346433376336353066396433313863656335
-37373763666136386435363733666434363965336334663762643038386135356531653138653738
-33653261613163366461366466316262363862383931383932386139636130383965393965393762
-6530663632323266653064356639316330323330316134326564

group_vars/all/vault_archive.yml

-$ANSIBLE_VAULT;1.1;AES256
-63313830353630313333373332386337306165346632356563373537383539633735666562356637
-6537343465356337613632343432353934356364373064370a326237353134373465303736646536
-36356461336663306532613861356464663032393636656661323061313237353930653935373333
-3432643831306536320a396533343961333866313738633965623862623063623464316638646537
-62353639383065333966653034623437393538343266373938666335653637643639343662623832
-30393232633763346239663066356430616565323338363634326434383537366232373865386462
-32353839353330626263356237353635366332613435303064616235336531653938366235396165
-35306361616237336261336631626638633064383332343330336337666361346134313337393033
-30633134346362393562363239323530363563633333613730623937393733646138633938373666
-3437656233333937376461616539393565376536383262643230

group_vars/all/vault_archmanweb.yml

 $ANSIBLE_VAULT;1.1;AES256
-61323463643538343139646562616537313436663237633061333262636333363564306433353330
-3064306136366262653432383632333764353832376162320a323066366462343039646235393633
-63373666323931623530653035373936303631376631346163353239653932393638353261356366
-3766663931616137340a383735623532313462313533346539636334383339623561386165316663
-63386465393033323736343662383731383232643035636666623963646436306461303063386662
-65653439646438373466366635303662393031333739313739636434666166373235356562316464
-36376332646635623964303837336139303564333566366462666631346461636363653639383361
-62643833386334393136643465396430303835326339383632333165643233656462303432353735
-31383735316265636635393830636135343339623033396362396533363263386536
+36663862666633393061663238386535343736376131623339643561386130393930633166343538
+3631353437626231633263353862666361316462666535630a633661363231613038366266633966
+61653433633835343132323432346437313839363733343130393361653533356135303763656432
+6164666362636435320a616666373034336330643436303865656562626238396530343237666530
+61633134383636343266616433353930376139643139623465383839303766323836326133396265
+65383962323932346139336330303635326637623265366562646261363565396335663930633230
+35623931343635623932306364323637313132613165663531656231646239316562366433323464
+31303763616631316332333436353861323733353336396662363733616264666130663631663462
+30656634343738623432333465303133316332363035346661366538643765653935