Hi All, I have enabled Certificate Authority Authorization (RFC 6844) on both our main domains, archlinux.org and pkgbuild.com. Since we only use letsencrypt to issue certificates, I have added a CAA record only allowing it to issue SSL certificates. We can easily change it if needed in the future. I have also enabled 2FA for hetzner. Since it allows more than one token, the idea is for each one of us in the devops team to have a separate token. I'm going to send you all an encrypted email with the recovery key. This key should only be used in the unlikely event that we have any of our 2FA compromised or we need to login to the account in and emergency. If we use this recovery key, a new one should be issued and emailed to all the members again. I have created a token for myself, and I'm going to add another "master" token that I'll add to the ansible vault. You guys can use this token to login and create another for yourself. Please add your ansible username to the description, like I have done for my token. Aaron, since you don't have root access to the ansible repository, I can either give you access or, if you don't want to handle ansible stuff, I can email separately to you both the recovery key and the "master" token seed so you can create your own. Cheers, Giancarlo Razzolini