DeveloperWiki:Staff Services

From ArchWiki

Staff Services

Arch Linux provides a number of services that Arch Linux Staff can use freely, subject to fair use.

accounts.archlinux.org

This server hosts Keycloak, a single sign-on server that Arch Linux uses to easily onboard new users to new groups and to provide a seamless login experience across all our services once they all use SSO. Currently Gitlab, Matrix and Hedgedoc use SSO, and staff only need a Keycloak account to be able to use these services.

Generally it’s recommended to secure this account. By default all staff accounts require 2-Factor authentication through OTP or Webauthn. Keycloak allows multiple 2-Factor authentication providers to be set up; it is recommended to set up a backup 2-Factor authentication method in case you lose access to one of your devices.

This can be configured in the Keycloak security page. Note that the first configured device is configured as the default.

Email

For all staff an @archlinux.org email address is available; during onboarding an email address should have been created for you.

Configuration

  • SMTP/IMAP server: mail.archlinux.org
  • SMTP port: 465 (TLS)
  • IMAP port: 993 (TLS)
  • username: the system account name
  • password: set by each user themselves with ssh mail.archlinux.org

Email forwarding can be achieved by creating a sieve rule.

Sieve

Hedgedoc instance

Hedgedoc is an open source collaborative markdown editor that can be used to work together on documents or share sensitive snippets. As staff you can log in to Hedgedoc using your Keycloak account.

Tip:
  • By default only Staff are able to edit and view a document you shared as a URL.
  • To allow outsiders to edit or view documents, select an option other than Limited in the dropdown menu at the top right.

Public HTML / Home directory (pkgbuild.com)

A personal web hosting server for TUs, developers and (on request) support staff to share patches, packages and other Arch Linux related files. Log in to homedir.archlinux.org and run:

$ mkdir ~/public_html
$ setfacl -m user:http:x ~
$ setfacl -m user:http:rx ~/public_html

Then visit https://pkgbuild.com/~username/.

Build server (build.archlinux.org)

A build server is available for Developers / Package Maintainers to build packages using devtools.

Traditionally, extra-x86_64-build and similar devtools commands run build chroots locally on the user's computer. offload-build -r extra accomplishes the same on the build server.

Gitlab

Gitlab can be used to collaborate on Arch Linux projects in the Arch Linux namespace or to host Arch Linux related projects in your personal space. To request an official new project in the Arch Linux namespace, create an issue in the infrastructure repository using the New Official Project template.

Archweb

archlinux.org is not only the main website for our distribution; all Staff also have an account there so that they are shown as a member of their respective team on the website. Apart from that, it offers the following functionality:

  • Signing off packages in testing repositories, see the Arch Testing Team page
  • Adopting/orphaning packages as Developer / Package Maintainers
  • Viewing your out of date packages and reports on packages you maintain in the repository
  • Creating To Do lists for rebuilds or packaging change tasks.
  • Posting news articles, requires a proposal on arch-dev-public and a 1 day waiting period

Tier 0 Mirror

A Tier 0 Mirror is available for Staff to access the most recent packages from Arch Linux for debugging and rebuilds. Access is granted via archweb.

Hosting upstream tarballs

Sometimes packagers need to keep an archive of previous upstream releases, secure a copy of sources which upstream deletes, or distribute releases for internal packages.

https://sources.archlinux.org is the internal service for hosting these sources. This service is hosted on repos.archlinux.org under /srv/sources. There are two directories available.

sources/ is used to rehost the sources of distributed packages that need their sources available for package compliance. This is mostly limited to the GPL licenses. This is an automatic process administered by dbscripts with the sourceballs service.

other/ is for source rehosting. There is no set structure but generally the top-level directory is used for core and extra.

Directories here can be used for package releases. Some upstreams have a tendency to remove past releases, so to accomplish reproducible builds and keep older packages buildable, it’s a good idea to upload these releases for safe-keeping.

IRC Cloak

IRC cloaks are used on the IRC network to show affiliation to an open-source project on the Libera Chat network. These are visible through /whois and displayed as ~taco@archlinux/trusteduser/Taco. These are given out by the group contacts for each project.

For an up-to-date list of group contacts see Arch IRC channels#Libera Chat group contacts.

Matrix

We offer a Matrix homeserver for Arch team members. Matrix is a federated communication service with a variety of available clients for multiple platforms, mobile included. The flagship Element clients offer us file upload, end-to-end encryption, push notifications and integrations with third-party services.

Signing in

For the initial sign-in you need to use a client that supports OpenID Single-Sign-On, such as Element Web. Enter @username:archlinux.org as the username and Element should offer to sign into our homeserver.

You will be automatically invited to several spaces and rooms:

  • #public-space:archlinux.org: A public space for Arch Linux users.
    • #archlinux:archlinux.org: A public room for Arch Linux users.
  • #staff-space:archlinux.org: A staff-only space for Arch Linux staff.
    • #internal:archlinux.org: A staff-only room with end-to-end encryption.

Password login is currently disabled, which might exclude some clients. It can be re-enabled should demand exist.

If you need to provide your client with a homeserver address, use https://matrix.archlinux.org.

Our rooms bridged to IRC

We bridge several of our private IRC channels on Libera.Chat to Matrix.

These rooms are open to all staff-space members:

  • #packaging:archlinux.org: Bridged with #archlinux-packaging.
  • #staff:archlinux.org: Bridged with #archlinux-staff.

The following rooms are not open to all staff, so you need to be invited:

  • #developers:archlinux.org: Bridged with #archlinux-dev.
  • #trusted-users:archlinux.org: Bridged with #archlinux-tu.

Please request an invitation in #internal:archlinux.org for the rooms you need to be in.

These rooms are bridged to public channels, for which you should log into Libera.Chat via SASL:

  • #aurweb:archlinux.org: Bridged with #archlinux-aurweb.
  • #bugs:archlinux.org: Bridged with #archlinux-bugs.
  • #devops:archlinux.org: Bridged with #archlinux-devops.
  • #pacman:archlinux.org: Bridged with #archlinux-pacman.
  • #projects:archlinux.org: Bridged with #archlinux-projects.
  • #reproducible:archlinux.org: Bridged with #archlinux-reproducible.
  • #security:archlinux.org: Bridged with #archlinux-security.
  • #testing:archlinux.org: Bridged with #archlinux-testing.
  • #wiki:archlinux.org: Bridged with #archlinux-wiki.

If you fail to do so, your bridged IRC user cannot join the channels, meaning your messages won't be bridged. See Libera.Chat's guide on how to register a nickname. Afterwards, contact @irc-bridge:archlinux.org and send it the following commands:

  • !username username, with the primary nickname you registered with, then
  • !storepass password, with your password for NickServ, and then
  • !reconnect to reconnect and attempt the SASL login.

If this worked, @liberachat_SaslServ:archlinux.org should contact you after the reconnect.