Nasqueron Operations tasks are discussed on IRC Libera #nasqueron-ops, could be interesting to join that one.

The rOPS repository is pretty sensible, as code pushed there will be executed by Salt under extended root privileges.

ACL

Currently, the protection for this repository is who can push. We can extend push rights to groups interested to join operations in the future and learn for it, and simply check for Differential approval: for example @DorianWinty has submitted D2664 and I've approved it, so it's fine to merge, as far as ACL as concerned.

If that's the only concern we can technically do this:

Created H27 to define the policy implementing that table.

Code in repository = code deployed to the servers

There is a second concern. Configuration in rOPS and in servers should be idempotent. As such, code should be merged only immediately before deployment (*).

I guess we can enforce that one socially.

(*) For SSH keys, it seems a divergent practice is to wait after user confirmation, but that led in the past to an account provisioned on Eglide but not documented in the repository, and an uid conflict, same uid assigned to two users. So probably best to merge it and revert/amend it afterwards if the key has been lost or whatever.

Dorian request

No objection from my side, beings are welcome to help with servers tasks, and with the notes above, which apply to anyone including current ops, we can move forward.

Would like feedback from @Sandlayth too on this matter.

Rule H27 works perfectly well.

With correct approval:

Without correct technical approval (social approval was given):

It seems nice to me.