DeveloperWiki:Staff Services

From ArchWiki

Staff Services

Arch Linux provides a number of services for Arch Linux Staff which they can freely use but fair use is applicable.

This server hosts Keycloak, a single sign on server Arch Linux uses to easily onboard new users to new groups and provide a seamless login experience through all our services once they all use SSO. Currently Gitlab, Matrix and HedgeDoc use SSO and staff only need a Keycloak account to be able to use these services.

Generally it’s recommended to secure this account. By default all accounts require 2-Factor authentication through OTP or WebAuthn. Keycloak allows multiple 2-Factor authentication providers to be set up, it is recommended to set up a backup 2-Factor authentication method in case you lose access to one of your devices.

This can be configured in the keycloak security page. Note that the first configured device is configured as the default.


For all staff an email address is available, during onboarding an email address should have been created for you.


  • SMTP/IMAP server:
  • SMTP port: 465 (TLS)
  • IMAP port: 993 (TLS)
  • username: the system account name
  • password: set by each user themselves with ssh

Email forwarding can be achieved by creating a sieve rule.


HedgeDoc instance

HedgeDoc is an open source collaborative markdown editor to be used to work together on documents or share sensitive snippets. As part of staff you can login to hedgedoc using your Keycloak account.

  • By default only Staff is able to edit and view the document you shared as URL.
  • To allow outsiders to edit view documents select a different option than Limited in the right top dropdown menu.

Public HTML / Home directory (

A personal web hosting server for TUS, developers and (on request) support staff to share patches, packages and other Arch Linux related files. Login to and run:

$ mkdir ~/public_html
$ setfacl -m user:http:x ~
$ setfacl -m user:http:rx ~/public_html

Then visit

Build server (

A build server is available for Developers / Package Maintainers to build packages using devtools.

You can use it by setting things up as described in, which mostly boils down to adjusting the ~/.makepkg.conf and using the --offload flag for pkgctl which wraps the legacy offload-build tool.


Gitlab can be used to collaborate on Arch Linux projects in the Arch Linux namespace or to host Arch Linux related projects in your personal space. To request an official new project in the Arch Linux namespace create an issue in the infrastructure repository using the New Official Project template.

Archweb is not only the main website for our distribution, all Staff have an account there to be shown as team member of their respected team on the website. Apart from that it offers the following functionality:

  • Signing off packages in testing repositories, see the Arch Testing Team page
  • Adopting/orphaning packages as Developer / Package Maintainers
  • Viewing your out of date packages and reports on packages you maintain in the repository
  • Creating To Do lists for rebuilds or packaging change tasks.
  • Posting news articles, requires a proposal on arch-dev-public and a 1 day waiting period

Tier 0 Mirror

A Tier 0 Mirror is available for Staff to access the most recent packages from Arch Linux for debugging, rebuilds. Access is granted via archweb.

Hosting upstream tarballs

Sometimes packagers need to keep an archive of previous upstream releases, secure a copy of sources which upstream deletes or distribute releases for internal packages. is the internal service for hosting these sources. This service is hosted on under /srv/sources. There are two directories available.

sources/ is used to rehost distributed package sources which needs the sources available for package compliance. This is mostly limited to the GPL licenses. This is an automatic process administerd by dbscripts with the sourceballs service.

other/ is for source rehosting. There is no set structure but generally the top-level directory is used for core and extra.

Directories here can be used for package releases. Some upstreams have a tendency to remove past releases, and to accomplish reproducible builds and have older packages still be buildable it’s a good idea to upload these releases for safe-keeping.

IRC Cloak

IRC cloaks are used on the IRC network to show affiliation to an open-source project on the Libera Chat network. These are visible through /whois and displayed as ~taco@archlinux/package-maintainer/Taco. These are given out by the group contacts for each project.

For an up-to-date list of group contacts see Arch IRC channels#Libera Chat group contacts.


We offer a Matrix homeserver for Arch team members. Matrix is a federated communication service with a variety of available clients for multiple platforms, mobile included. The flagship Element clients offer us file upload, end-to-end encryption, push notifications and integrations with third-party services.

Signing in

For the initial sign-in you need to use a client that supports OpenID Single-Sign-On, such as Element Web. Enter as the username and Element should offer to sign into our homeserver.

You will be automatically invited to several spaces and rooms:

  • A public space for Arch Linux users.
    • A public room for Arch Linux users.
  • A staff-only space for Arch Linux staff.
    • A staff-only room with end-to-end encryption.

Password login is currently disabled, which might exclude some clients. It can be re-enabled should demand exist.

If you need to provide your client with a homeserver address, use

Our rooms bridged to IRC

We bridge several of our private IRC channels on Libera.Chat to Matrix.

These rooms are open to all staff-space members:

  • Bridged with #archlinux-packaging.
  • Bridged with #archlinux-staff.

The following rooms are not open to all staff, so you need to be invited:

  • Bridged with #archlinux-dev.
  • Bridged with #archlinux-tu.

Please request an invitation in for the rooms you need to be in.

These rooms are bridged to public channels, for which you should log into Libera.Chat via SASL:

  • Bridged with #archlinux-aurweb.
  • Bridged with #archlinux-bugs.
  • Bridged with #archlinux-devops.
  • Bridged with #archlinux-pacman.
  • Bridged with #archlinux-projects.
  • Bridged with #archlinux-reproducible.
  • Bridged with #archlinux-security.
  • Bridged with #archlinux-testing.
  • Bridged with #archlinux-wiki.

If you fail to do so, your bridged IRC user cannot join the channels, meaning your messages won't be bridged. See Libera.Chat's guide on how to register a nickname. Afterwards, contact and send it the folllowing commands:

  • !username username, with the primary nickname you registered with, then
  • !storepass password, with your password for NickServ, and then
  • !reconnect to reconnect and attempt the SASL login.

If this worked, should contact you after the reconnect.