[arch-devops] Hetzner 2FA and CAA added to domains

Giancarlo Razzolini grazzolini at archlinux.org
Tue Aug 7 16:58:15 UTC 2018

Hi All,

I have enabled Certificate Authority Authorization (RFC 6844) on both our main domains,
archlinux.org and pkgbuild.com. Since we only use letsencrypt to issue certificates, I
have added a CAA record only allowing it to issue SSL certificates. We can easily change
it if needed in the future.

I have also enabled 2FA for hetzner. Since it allows more than one token, the idea is for
each one of us in the devops team to have a separate token. I'm going to send you all an
encrypted email with the recovery key. This key should only be used in the unlikely event
that we have any of our 2FA compromised or we need to login to the account in and emergency.

If we use this recovery key, a new one should be issued and emailed to all the members again.

I have created a token for myself, and I'm going to add another "master" token that I'll add
to the ansible vault. You guys can use this token to login and create another for yourself.
Please add your ansible username to the description, like I have done for my token.

Aaron, since you don't have root access to the ansible repository, I can either give you access or,
if you don't want to handle ansible stuff, I can email separately to you both the recovery key and
the "master" token seed so you can create your own.

Giancarlo Razzolini
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 870 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20180807/9b020535/attachment.sig>

More information about the arch-devops mailing list