- Create Wikitech wiki (LDAP) user - https://wikitech.wikimedia.org | uid: hnowlan
- Phabricator user + 2FA | confirm login works on https://phabricator.wikimedia.org/ and set up 2FA
- Phabricator permissions to see NDA and Ops restricted tickets, and add to trusted users for the anti-vandal exemption: https://phabricator.wikimedia.org/project/profile/29/ https://phabricator.wikimedia.org/project/profile/61/ https://phabricator.wikimedia.org/project/profile/974/
- Add to private IRC channels https://office.wikimedia.org/wiki/IRC#Channel_operators_commands
- Add to ops mailing lists (ops and ops-private minimum requirements) | https://lists.wikimedia.org/mailman/listinfo/ops
- Add to Exim mail aliases (root via private.git:modules/privateexim/files/wikimedia.org)
- Icinga contact in private.git (requires shell access, private puppet repo)
- Icinga user and permissions (Icinga commands; test privileges to run commands on hosts/services; public puppet repo)
- Phone/pager setup (addition to the Icinga contact)
- Add to wmf LDAP group (for web services) | requires Wikitech user and shell access | gives access to https://wikitech.wikimedia.org/wiki/LDAP/Groups#wmf_group
- Access to Office Wiki (OIT grants that) | please confirm login works https://office.wikimedia.org
- Gerrit login and +2 on operations/puppet (this is automatic from being added to LDAP groups above) | confirm login on https://gerrit.wikimedia.org and ability to +2 in operations/puppet repo
- Create shell user (can connect to bastions) | please create an SSH key for this and paste the public part
- Server root shell (membership in ops admin group) and add to "ops" LDAP group | code change in public puppet repo in admins module
- Access to pwstore | please create a GPG key for this and have it signed by >= 2 others
- Access to Google group for maint-announce mails
- Access to the "maint-announce and vendor" calendar
- Add to "Ops vendor maintenance" Calendar
Related commits:
- operations/puppet (production): Fix username in Icinga authorization config for Hugh
- operations/puppet (production): icinga: let Hugh Nowlan run commands on all hosts and services
- operations/puppet (production): admin: upgrade Hugh Nowlan to root shell user (ops)
- operations/puppet (production): admins: add Hugh Nowlan to ldap_only_admins (wmf)
This checklist is from a template for onboarding in SRE.
I started by adding you to the ops mailing lists and I can see you already have a Wikitech user (great!).
Feel free to start with something like the checkbox confirming you can log in on Phabricator and set up 2FA.
Also, if you want to generate an SSH key and paste it here on the ticket, that would be a step towards getting your shell access set up.
I'll talk to you about the details and other checkboxes tomorrow. (I am in PST.)
Unfortunately it seems I don't have permissions to issue commands. I attempted to downtime a service on a host that's not yet in use (restbase2023) and received a "Not Authorized" error. And yeah, I don't think people have signed things since all-hands yet.
Oh good, I'm guessing from your response that you did attend the key signing party at All Hands. Also, I should mention that the link you provided didn't work for me; I hit this error. This is likely because SKS is now pretty broken. I have uploaded your key to keys.openpgp.org; however, I'm not sure what the current guidance is on which keyservers to use. Wikitech still lists pool.sks-keyservers.net, which does have your key.
@MoritzMuehlenhoff should we still be using pool.sks-keyservers.net, or should we update our documentation to use keys.openpgp.org (which strips signatures, so not great), or potentially set up our own server?
While the keyserver networks have some structural issues which are pending some changes, and a number of keys have been DDoSed by malicious key updates, there's currently no actual impediment to simply continuing to use the SKS network (GPG clients have also added countermeasures against malformed keys, which were shipped in security updates of distros). As such, we can simply continue to use it for now.
Long term I'd like to simply store GPG keys for @wikimedia.org staff in our DNS zone file.
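As an added example (not code from this ticket or from Wikimedia's repositories), the following Python script checks the pwstore requirement from the checklist, that a key carries signatures from at least two other people, by parsing gpg's colon-format listing. It also shows why a key fetched from keys.openpgp.org can fail that check: that server distributes self-signatures only, so third-party certifications are absent. The key IDs, user IDs and listing text are constructed sample data; the `gpg --with-colons --list-sigs` invocation in the helper is real but is only used when you point the script at a key in your own keyring.

```python
"""Count third-party certifications on an OpenPGP key from gpg's
machine-readable (--with-colons) listing.

Added example, not from the ticket. It assumes the ">= 2 signatures from
others" pwstore rule from the checklist; all key IDs, user IDs and
listing text below are constructed sample data.
"""
import subprocess
from dataclasses import dataclass, field

# Signature classes that certify a user ID: generic, persona, casual, positive.
UID_CERT_CLASSES = {"10", "11", "12", "13"}


@dataclass
class KeyCerts:
    primary_keyid: str
    # signer key ID -> user ID string as gpg printed it (may be
    # "[User ID not found]" when the signer's key is not in the keyring)
    third_party: dict = field(default_factory=dict)

    def meets_policy(self, minimum: int = 2) -> bool:
        """True when at least `minimum` distinct other keys certified a user ID."""
        return len(self.third_party) >= minimum


def list_sigs_colons(keyid: str) -> str:
    """Run gpg against the local keyring and return the colon-format listing."""
    return subprocess.run(
        ["gpg", "--with-colons", "--list-sigs", keyid],
        check=True, capture_output=True, text=True,
    ).stdout


def parse_third_party_certs(colons: str) -> KeyCerts:
    """Parse a --with-colons --list-sigs listing for a single key.

    Only 'sig' records that follow a 'uid' record and carry a user-ID
    certification class count. Self-signatures, subkey binding signatures
    and revocation ('rev') records are ignored.
    """
    certs = None
    in_uid = False
    for line in colons.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            certs = KeyCerts(primary_keyid=f[4])   # field 5: key ID
            in_uid = False
        elif rtype == "uid":
            in_uid = True
        elif rtype in ("sub", "ssb"):
            in_uid = False                          # following sigs bind subkeys
        elif rtype == "sig" and certs is not None and in_uid:
            signer = f[4]                           # field 5: signer key ID
            sig_class = f[10][:2] if len(f) > 10 else ""   # field 11: e.g. "13x"
            if signer != certs.primary_keyid and sig_class in UID_CERT_CLASSES:
                certs.third_party[signer] = f[9] if len(f) > 9 else ""
    if certs is None:
        raise ValueError("no pub record in listing")
    return certs


# Constructed listing: a key with a self-signature and certifications from two
# other keys (one of them signed twice), as it would look after a key signing party.
SAMPLE_SKS = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0A1B2C3D4E5F6071:1700000000:::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000A1B2C3D4E5F6071:
uid:u::::1700000000::DEADBEEF::Example User <user@example.org>::::::::::0:
sig:::1:0A1B2C3D4E5F6071:1700000000::::Example User <user@example.org>:13x:::::2:
sig:::1:1122334455667788:1700000100::::Signer One <one@example.org>:10x:::::2:
sig:::1:99AABBCCDDEEFF00:1700000200::::[User ID not found]:13x:::::2:
sig:::1:1122334455667788:1700000300::::Signer One <one@example.org>:13x:::::2:
sub:u:4096:1:5566778899AABBCC:1700000000::::::e::::::23:
sig:::1:0A1B2C3D4E5F6071:1700000000::::Example User <user@example.org>:18x:::::2:
"""

# Constructed listing of the same key as served by keys.openpgp.org:
# only the self-signatures remain, so the policy check fails.
SAMPLE_STRIPPED = """\
pub:u:4096:1:0A1B2C3D4E5F6071:1700000000:::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000A1B2C3D4E5F6071:
uid:u::::1700000000::DEADBEEF::Example User <user@example.org>::::::::::0:
sig:::1:0A1B2C3D4E5F6071:1700000000::::Example User <user@example.org>:13x:::::2:
sub:u:4096:1:5566778899AABBCC:1700000000::::::e::::::23:
sig:::1:0A1B2C3D4E5F6071:1700000000::::Example User <user@example.org>:18x:::::2:
"""

if __name__ == "__main__":
    for label, listing in (("SKS copy", SAMPLE_SKS), ("stripped copy", SAMPLE_STRIPPED)):
        certs = parse_third_party_certs(listing)
        print(f"{label}: {len(certs.third_party)} third-party signer(s), "
              f"policy {'met' if certs.meets_policy() else 'NOT met'}")
```

To check a real key, feed `list_sigs_colons("<key id or fingerprint>")` into `parse_third_party_certs` after importing the signers' keys as well; signers whose keys are missing locally still count, but their user IDs show as "[User ID not found]", so the operator should confirm who they are before treating the requirement as satisfied.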