DeveloperWiki:Staff Services

From ArchWiki

Staff Services

Arch Linux provides a number of services for Arch Linux Staff which they can freely use but fair use is applicable.

This server hosts Keycloak, a single sign on server Arch Linux uses to easily onboard new users to new groups and provide a seemless login experience through all our services once they all use SSO. Currently Gitab, Matrix and Hedgedoc use SSO and staff only need a Keycloak account to be able to use these services.

Generally it’s recommended to secure this account. By default all staff accounts require 2-Factor authentication through OTP or Webauthn. Keycloak allows multiple 2-Factor authentication providers to be set up, it is recommended to set up a backup 2-Factor authentication method in case you lose access to one of your devices.

This can be configured in the keycloak security page[dead link 2023-05-06 ⓘ]. Note that the first configured device is configured as the default.


For all staff an email address is available, during onboarding an email address should have been created for you.


  • SMTP/IMAP server:
  • SMTP port: 465 (TLS)
  • IMAP port: 993 (TLS)
  • username: the system account name
  • password: set by each user themselves with ssh

Email forwarding can be achieved by creating a sieve rule.


Hedgedoc instance

Hedgedoc is an open source collaborative markdown editor to be used to work together on documents or share sensitive snippets. As staff you can login to hedgedoc using your Keycloak account.

  • By default only Staff is able to edit and view the document you shared as URL.
  • To allow outsiders to edit view documents select a different option than Limited in the right top dropdown menu.

Public HTML / Home directory (

A personal web hosting server for TUS, developers and (on request) support staff to share patches, packages and other Arch Linux related files. Login to and run:

$ mkdir ~/public_html
$ setfacl -m user:http:x ~
$ setfacl -m user:http:rx ~/public_html

Then visit

Build server (

A build server is available for Developers / Trusted Users to build packages using devtools.

Traditionally extra-x86_64-build and similar devtool commands runs build chroots locally on the users computer. offload-build -r extra accomplishes the same on the build server.


Gitlab can be used to collaborate on Arch Linux projects in the Arch Linux namespace or to host Arch Linux related projects in your personal space. To request an official new project in the Arch Linux namespace create an issue in the infrastructure repository using the New Official Project template.

Archweb is not only the main website for our distribution, all Staff have an account there to be shown as team member of their respected team on the website. Apart from that it offers the following functionality:

  • Signing off packages in testing repositories, see the Arch Testing Team page
  • Adopting/orphaning packages as Developer / Trusted user
  • Viewing your out of date packages and reports on packages you maintain in the repository
  • Creating To Do lists for rebuilds or packaging change tasks.
  • Posting news articles, requires a proposal on arch-dev-public and a 1 day waiting period

Tier 0 Mirror

A Tier 0 Mirror is available for Staff to access the most recent packages from Arch Linux for debugging, rebuilds. Access is granted via archweb.

Hosting upstream tarballs

Sometimes packagers need to keep an archive of previous upstream releases, secure a copy of sources which upstream deletes or distribute releases for internal packages. is the internal service for hosting these sources. This service is hosted on under /srv/sources. There are two directories available.

sources/ is used to rehost distributed package sources which needs the sources available for package compliance. This is mostly limited to the GPL licenses. This is an automatic process administerd by dbscripts with the sourceballs service.

other/ is for source rehosting. There is no set structure but generally the top-level directory is used for core and extra.

Directories here can be used for package releases. Some upstreams have a tendency to remove past releases, and to accomplish reproducible builds and have older packages still be buildable it’s a good idea to upload these releases for safe-keeping.

IRC Cloak

IRC cloaks are used on the IRC network to show affiliation to an open-source project on the Libera Chat network. These are visible through /whois and displayed as ~taco@archlinux/trusteduser/Taco. These are given out by the group contacts for each project.

For an up-to-date list of group contacts see Arch IRC channels#Libera Chat group contacts.


We offer a Matrix homeserver for Arch team members. Matrix is a federated communication service with a variety of available clients for multiple platforms, mobile included. The flagship Element clients offer us file upload, end-to-end encryption, push notifications and integrations with third-party services.

Signing in

For the initial sign-in you need to use a client that supports OpenID Single-Sign-On, such as Element Web. Enter as the username and Element should offer to sign into our homeserver.

You will be automatically invited to several rooms:

  • A public room for Arch Linux users.
  • A staff-only room with end-to-end encryption.

Password login is currently disabled, which might exclude some clients. It can be re-enabled should demand exist.

If you need to provide your client with a homeserver address, use

IRC bridges

Our bridge

We bridge several of our private IRC channels on Libera Chat to Matrix, which you need to be invited into:

  • Bridged with #archlinux-dev.
  • Bridged with #archlinux-tu.
  • Bridged with #archlinux-staff.

Please request an invitation in for the rooms you need to be in. bridge

Channels without keys are available via the official Libera Chat bridge. For example:

  • Bridged with #archlinux-devops.
  • Bridged with #archlinux-projects.

Please avoid joining large bridged rooms (such as, as these slow down the server immensely.

Libera Chat may require you to have a registered nick to join certain channels. Once contacts you, tell it !username username, then !storepass password with the username and the password of your Libera Chat NickServ account. Then !reconnect and it will reconnect you as registered.