Yesterday anthraxx and I hacked together on getting gluebuddy ready for production. Gluebuddy is a tool to automatically put Arch Linux Staff in the correct Gitlab organization/teams and can later be expanded to enforce more repository settings.
The open pull request was updated to not remove our archceo Arch Linux group owner and handles our three devops onboarding/offboarding tasks of adding users to the Staff team, Infrastructure Team and Arch Linux group. 
There are a few open questions:
- We match on extern_id which is the username in Gitlab and not the keycloak id, is that correct and is that an issue?
- For keycloak access we now use the admin account, we should rather use an openid client which has “realm-management roles” such as “query-groups, query-users, view-users”
- The gitlab personal token used for changing

For deploying it to a live server we need:

- Set up a new VPS for running gluebuddy
- Create a systemd/service with timer so gluebuddy runs every X minutes
- Find a way to distribute gluebuddy, an option is to use Gitlab release where we upload a signed locally built gluebuddy (retrieve and verify this in the ansible role), as packaging doesn’t make much sense here.
- Create an ansible role for gluebuddy
Jelle van der Waa