[arch-devops] Gluebuddy progress

Jelle van der Waa jelle at vdwaa.nl
Fri Dec 3 11:57:26 UTC 2021

Hi all,

Yesterday anthraxx and I hacked together on getting gluebuddy ready for 
production. Gluebuddy is a tool to automatically put Arch Linux Staff in 
the correct Gitlab organization/teams and can later be expanded to 
enforce more repository settings.

The open pull request was updated to not remove our archceo Arch Linux 
group owner and handles our three devops onboarding/offboarding tasks of 
adding users to the Staff team, Infrastructure Team and Arch Linux 
group. [1]

There are a few open questions:

- We match on extern_id which is the username in Gitlab and not the
  keycloak id, is that correct and is that an issue?
- For keycloak access we now use the admin account, we should rather use
  an openid client which has “realm-management roles” such as
  “query-groups, query-users, view-users”
- The gitlab personal token used for changing

For deploying it to a live server we need:

- Set up a new VPS for running gluebuddy
- Create a systemd/service with timer so gluebuddy runs every X minutes
- Find a way to distribute gluebuddy, an option is to use Gitlab release
  where we upload a signed locally built gluebuddy (retrieve and verify
  this in the ansible role). As packaging doesn’t make much sense here.
- Create an ansible role for gluebuddy

[1] https://gitlab.archlinux.org/archlinux/gluebuddy/-/merge_requests/2


Jelle van der Waa