Verified Commit 1950fbeb authored by Kristian Klausen's avatar Kristian Klausen :tada:

Merge branch 'wireguard-vault-removal' into 'master'

Remove the WG private keys from the vault and store them only on the servers

See merge request !891
parents 6d39c3c6 27553ab3
Pipeline #114660 passed
Showing
with 11 additions and 92 deletions
......@@ -9,7 +9,7 @@ Many of our servers communicate through wireguard VPN with each others. If you n
wireguard_public_key: <wg-pubkey>
```
1. Save the private key in a encypted vault in `host_vars/<fqdn>/vault_wireguard.yml`
1. Generate the private key on the server with `wg genkey | systemd-creds encrypt - /etc/credstore.encrypted/network.wireguard.private.wg0` and restart systemd-networkd with `systemctl restart systemd-networkd`
Tips:
- Pick next available IP for Wireguard from `grep -r wireguard_address host_vars/ | cut -f3 -d: | sort -h`
......
filesystem: btrfs
wireguard_address: 10.0.0.16
wireguard_public_key: 8CbVXc2+FllLpZb/sv/csHzqaOOsasJlV0gmkIzhBXo=
wireguard_public_key: crSq52AQ/ODcZekod0Xw/fBRALl3yv51gNMgPSFrxWc=
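Review bot: Nothing in this host_vars file records where the matching private key now lives, since the vault file that used to sit next to it is deleted in the same commit. A one-line comment above `wireguard_public_key` would cover it, for example `# private key: /etc/credstore.encrypted/network.wireguard.private.wg0 on the host; regenerate and update this value after a reinstall`. The credential is presumably bound to the host by systemd-creds, so it could not be restored from the repository if the machine is rebuilt, and whoever does the rebuild needs to know this value must change. The same comment applies to the other host_vars files whose `wireguard_public_key` changes in this commit.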
$ANSIBLE_VAULT;1.1;AES256
39656138306339653936386338383364616566313037393563383133323734383235366234663430
3836316538373966643036336532653534643236333361370a393862653165343964363065643439
30626338313066353930663036653734323364633537616536393439306134363964346434313663
6663663431343637380a353731316331386466353537303537666663333239326462633636326438
39343936653031316431383734316166663739393738366462636361313762393034656330653332
66336534396134613333646666356266306633326138353131623634343436393533383736633066
32373663313632393430313464396131396262616162613733613562616464353131656333323935
63653836383737663337
......@@ -16,4 +16,4 @@ system_disks:
- /dev/sdc
raid_level: "raid5"
wireguard_address: 10.0.0.27
wireguard_public_key: aC544PuXq63LgIeOvVD5dw++9XJE47YKUqeRw3ol0Qo=
wireguard_public_key: 5oI+dah4LlkUPBs/JI5lJAgDxBQa/+ofu0hLfxAkcio=
$ANSIBLE_VAULT;1.1;AES256
39393666386564646432636132366332363234636531363930663564316235386639613431656337
3533376363376332646161316230343566326266323230350a343561303331656134346634633132
33333062303732363138373936363061303063306632636234363737623931613938653563353630
3838356538316531380a306563613562376135656164363065346136376231666532313433326661
39353831616463343833313361643032366363383565303235363733613964386137643236646661
63656237663637653564396165306534316438663534356361333561643637663166363433313832
38313563666636343737656530393061336262333334343166393862316432343162653266626366
38623764343939386635
......@@ -11,5 +11,5 @@ fail2ban_jails:
dovecot: false
nginx_limit_req: true
wireguard_address: 10.0.0.1
wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=
wireguard_public_key: 2Mk9WPdkf+1Q6Kk6g5eeX5xSHfCisiGJAdmSjRyefBo=
nginx_enable_http3: true
$ANSIBLE_VAULT;1.1;AES256
33623361656563376138323966373530383432393838323238343661306531363262653864626530
3137643364303338663665343837343862356139633830370a633766373830306561353562656634
63333861616437326132343765356231373963386563386131343462623962386333376236363339
3433376666383135360a636663616238346435613635353834393739336234336536336366393835
66616266356531663365633362333363376439633835616466633338353033376366633461653830
33663763616233396636613661623138313831316436383566363361383535363766363764613164
39336636393438363632383964303936346165633464616636386265356538383064333464316636
31633635313539383134
......@@ -16,4 +16,4 @@ system_disks:
- /dev/sdc
raid_level: "raid5"
wireguard_address: 10.0.0.26
wireguard_public_key: Bvia4T68/PCa01MSg+wclUJ1rJ5Hth9khui3y3Tr5EM=
wireguard_public_key: cU2/3DKCNCWJwZP6SF7ifKHS+VFeC7VQ212eTof8IxU=
$ANSIBLE_VAULT;1.1;AES256
31366437643838616630653261666262376336623336363235386333313639633364626436366437
3038366565393761643434623166363863326638666634340a353562383664373264636166346562
38316634653136313038346261376434623030346464363465343235653365633932656131343936
3433386162313537330a373538306161616263653937363335616666303639306461656433653233
37323532336639666539353237393939336337363833646366363035393631626633636437333263
65333831353362613364656135643131633738303134366361643561366538306430323161363130
64396230653231636532396339316236643536663938643036636664653564343538663162393336
61383037333965396330
......@@ -6,5 +6,5 @@ fail2ban_jails:
nginx_limit_req: true
memcached_socket: "/run/memcached/aurweb.sock"
wireguard_address: 10.0.0.2
wireguard_public_key: TPLeGQ7qU6ZNtcgDbEV0SSYScvK+XS5igcPdGSXo6UA=
wireguard_public_key: 51KGJWs3ZlI4tEdOpYFENhf22aETQEn9ApbmVyiF4zQ=
nginx_enable_http3: true
$ANSIBLE_VAULT;1.1;AES256
38303834643063336663396561303562333061313961346265666162313933323862386633306231
3033663637323139626363343033663864656432393461610a643162623931326362653964373865
64303239643366323834393136306434643239393865303663626439376238333131323163326165
3138643036373536660a386236373536643937353132333933666664653132366361343839333932
63363265383962626136616562633363306464616333346661366235303332636435343664396466
39393936383038303663336431323034633730343432306233613731613064333261643938633166
62623037393063353965336634326135663535613661343164316336643536303135353631613336
30643062303161336532
filesystem: btrfs
wireguard_address: 10.0.0.17
wireguard_public_key: i65GF9BaoTDvTXLJBpZWbuu2jV3F2mc0tH16Y6cQY1g=
wireguard_public_key: F5gX6SV5aka/fxEkgsVm1YRCYoeDY6d/H5C9U3/SrVU=
$ANSIBLE_VAULT;1.1;AES256
65346463623631643532663531316535373432383537343833613536643764353965376331333833
3866313230356133326132633834376564396132393637360a346263393438633966663536643338
37313034363665333433663163313334386437346635663336313363386534383635343463383935
6330343133626235610a643536303231343435383265366434373562363236376233303365393430
63353961663432316438653932326339653961646634343034373739643330363562633164343539
38323061336364366533626536383661666238633230653466626361326466356534303735393464
31393536653832366661393061663862366563333134333930373365316562386137323132613130
32646164663865346363
filesystem: btrfs
wireguard_address: 10.0.0.44
wireguard_public_key: vtu2TM79djeQQA0qqPVuZHxSHz8hdHQ1P15ONF6zSx4=
wireguard_public_key: /x1Czg/8u24dVhi+WMSGeSbw2HKk3la0K8X1WsDk7yA=
$ANSIBLE_VAULT;1.1;AES256
36623330313366306639313763636132616435633030616363383733386663373966396466396532
6239386539646333383436653435613731323666346365310a363663353436323562353930336662
31303162656166333165303966346137363266393763383463633636623330373966376537623433
3432353931333031610a663365653431356536343861363964323861366130636161633461323165
65633966386166663064393830333061633466313033356538643466323138346531313838663133
31356665323935316165633836636436316137356565323930393766623661393334306139343061
37646266373236643332333736326264333866396137623237383361333362333832326161636461
31616262616538643233
......@@ -14,4 +14,4 @@ raid_level: "raid1"
archbuild_fs: 'btrfs'
wireguard_address: 10.0.0.18
wireguard_public_key: /P8QGSFgvRETkYdsvAtNQWWT3pE7FpouCz+x1N4yIm4=
wireguard_public_key: 9Lii487Uuzu5ihJwHx6RBpCiUWRHl9VGwC+Oz5wzejk=
$ANSIBLE_VAULT;1.1;AES256
34353334323261383932313330303432363235663333643237613030346161313166383662313863
6630323266346530646363333164656433366134626537380a366232303237656138336464626139
34653130326137303465626130373437333238323936343661663466343036663233333736663732
6161366463343234620a353833623438336633333562386366343638623339363235656138333931
61333732326532653536376133313861333837303064616239646361366531373261666263343236
63353234313634623131666566353738313566383136663366623761373466623530326465326132
63383830363039313666666136353435623863383164613736303034346336316663316339616161
37663539323132616462
filesystem: btrfs
ipv4_address: 157.90.255.107
wireguard_address: 10.0.0.33
wireguard_public_key: lLZtvFIrmtUXRXmw+qQC8LZ00NzN1wlvcI4grNWt2lE=
wireguard_public_key: Vv2qAjdcPpAvt1hOV5zc4WR6iTqmiPdDNr5+9Wv2Jw4=
$ANSIBLE_VAULT;1.1;AES256
37393533623530623933343165626263336435303161356262626137643866363763356162383164
6331393262656363303261346361396131303566643634360a363632656333343533353162326630
62373738383865383362666534336135346533643935333631373234373139366432306532636632
3632356365313166610a393137356532363161386232393839386634313131353138383061306337
30363939376639383234366239376230333266396633363261346265323337386333326231633162
39363036646539396464376637303732653530323164663266383264356662653462353135373137
33343462653434646430316233303161353131633366656133396362313632633663353938613837
39643334316165653332
......@@ -2,4 +2,4 @@ filesystem: btrfs
ipv4_address: 168.119.240.111
ipv6_address: 2a01:4f8:c010:74d4::1
wireguard_address: 10.0.0.35
wireguard_public_key: Wp9ruR2+pCj0TsATuJZiUxk9x6BwcUhXs/yZlmGYjRE=
wireguard_public_key: R3ZlD7HmoiGH2FyIGSaiYc1hIA7JHp3ivXQlRGc7iyA=