-
Kristian Klausen authoredWith the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server. All the keys have been rotated and the new private keys are only stored on the servers. [1] https://github.com/systemd/systemd/pull/30826 [2] https://github.com/systemd/systemd/releases/tag/v256 [3] #64
Kristian Klausen authoredWith the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server. All the keys have been rotated and the new private keys are only stored on the servers. [1] https://github.com/systemd/systemd/pull/30826 [2] https://github.com/systemd/systemd/releases/tag/v256 [3] #64
WireGuard
Many of our servers communicate through wireguard VPN with each others. If you need to collect logs with loki and metrics with prometheus for dashboards you need to have a wiregauard IP.
Setting up
-
For a new server add a new unused wireguard IP and set the following in
host_vars/<fqdn>/miscwireguard_address: <wg-ip> wireguard_public_key: <wg-pubkey> -
Generate the private key on the server with
wg genkey | systemd-creds encrypt - /etc/credstore.encrypted/network.wireguard.private.wg0and restart systemd-networkd withsystemctl restart systemd-networkdTips:
-
Pick next available IP for Wireguard from
grep -r wireguard_address host_vars/ | cut -f3 -d: | sort -h -
Wireguard key generation docs: https://www.wireguard.com/quickstart/#key-generation
-
-
Execute
wireguardandprometheusroles onmonitoring.archlinux.org.ymlplaybook to get data from the server