diff --git a/host_vars/accounts.archlinux.org b/host_vars/accounts.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/accounts.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/accounts.archlinux.org/misc b/host_vars/accounts.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..ee5fee99ebe0eb43f52bb91dca1dc7675a520643
--- /dev/null
+++ b/host_vars/accounts.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.16
+wireguard_public_key: 8CbVXc2+FllLpZb/sv/csHzqaOOsasJlV0gmkIzhBXo=
diff --git a/host_vars/accounts.archlinux.org/vault_wireguard.yml b/host_vars/accounts.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5a05a68b59fe44c7442cdbc86114ba7a04744adb
--- /dev/null
+++ b/host_vars/accounts.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33323763616365653362633239316230356233346361653863363765383130303035386333643832
+6637323065373731633063333065383461613537383462630a336561616238643339353366373061
+36316264303337336462653330623236316434663364616434373531393139343237623235343731
+6630623763376636360a393064373336333135323938646462303938386430383033323131346165
+37663532343234366533353065663731393764323833393065383835303163666234613834633830
+32363133646239316163343464643364313135643263333666383633356130363162336338633231
+32336639626138383532333532343839613161366133616232303030346430656438383639383333
+66626231326564313630
diff --git a/host_vars/america.mirror.pkgbuild.com b/host_vars/america.mirror.pkgbuild.com/misc
similarity index 81%
rename from host_vars/america.mirror.pkgbuild.com
rename to host_vars/america.mirror.pkgbuild.com/misc
index 971746ac5b7afb7bf32db0bde14e36fc1695854c..fdccef1345b6809cee1fcee7be02b6e755f539b2 100644
--- a/host_vars/america.mirror.pkgbuild.com
+++ b/host_vars/america.mirror.pkgbuild.com/misc
@@ -14,3 +14,5 @@ system_disks:
- /dev/sdb
- /dev/sdc
raid_level: "raid5"
+wireguard_address: 10.0.0.27
+wireguard_public_key: aC544PuXq63LgIeOvVD5dw++9XJE47YKUqeRw3ol0Qo=
diff --git a/host_vars/america.mirror.pkgbuild.com/vault_wireguard.yml b/host_vars/america.mirror.pkgbuild.com/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..465d92923b9c94427646014587121dde84f097a7
--- /dev/null
+++ b/host_vars/america.mirror.pkgbuild.com/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30316462376531623136316535643161623535663533376130663738646436633339336135363030
+6138666365643535376161373732346263343237373865380a333035343065623366663630623762
+37646339666230643763313262353362613833303739623530663062653936616434353538313736
+3430633630663762310a623361353137613535303265313365323832643038383731323766633031
+65623863343039333064613536373338376263333433633766366438306639366464383234303334
+31343233386464623137313661376637663562663161656662343563323564613331363861326363
+33623161653962626632303937616437656234623934336165646433376461633034343565306636
+30306464333861613636
diff --git a/host_vars/archlinux.org/misc b/host_vars/archlinux.org/misc
index 303be77bdbd41858eaecf9c2da64a38250d5699a..ced9db72580c4826005a60a04f176f86063309dd 100644
--- a/host_vars/archlinux.org/misc
+++ b/host_vars/archlinux.org/misc
@@ -11,3 +11,5 @@ fail2ban_jails:
postfix: false
dovecot: false
nginx_limit_req: false
+wireguard_address: 10.0.0.1
+wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=
diff --git a/host_vars/archlinux.org/vault_wireguard.yml b/host_vars/archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5fe89ba4458723d7fdec25156462479507fb8821
--- /dev/null
+++ b/host_vars/archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33396138393732366231323839666464383363356230393034653837623739666463633165613562
+3038656463616662356637353031633366626263366132630a326561366130393361356663353265
+63333162633432653262313663643931323839303064343663333964653964316631623463303464
+3466613661643264340a323634306365626133336364623562343662356666363135396639323562
+65353932656133373161616431353030646232613230636236323132663539373038386134656439
+31666164343136643065666261393632376135333763323036363630653336323466633835613061
+31373663626265663736666639346531396130336564376561353866663331643139343363346137
+62663431366662646239
diff --git a/host_vars/asia.mirror.pkgbuild.com b/host_vars/asia.mirror.pkgbuild.com/misc
similarity index 81%
rename from host_vars/asia.mirror.pkgbuild.com
rename to host_vars/asia.mirror.pkgbuild.com/misc
index f180bdaf5340f1ac7e735363e0011a69e527a7f5..0d4a237949c9f95737ad850530a10fdac9a87995 100644
--- a/host_vars/asia.mirror.pkgbuild.com
+++ b/host_vars/asia.mirror.pkgbuild.com/misc
@@ -14,3 +14,5 @@ system_disks:
- /dev/sdb
- /dev/sdc
raid_level: "raid5"
+wireguard_address: 10.0.0.26
+wireguard_public_key: Bvia4T68/PCa01MSg+wclUJ1rJ5Hth9khui3y3Tr5EM=
diff --git a/host_vars/asia.mirror.pkgbuild.com/vault_wireguard.yml b/host_vars/asia.mirror.pkgbuild.com/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0f245adefb5fdecad461747f4b06ddb928017b79
--- /dev/null
+++ b/host_vars/asia.mirror.pkgbuild.com/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33323264633434383735333239373530343739393265333232346364373231653235306434643362
+6637643163343432353631383864313933656461363664610a356533303134343463346261303534
+37346261383837313739396663393061653366623461363636303332383764386138343662623434
+3732633633653835380a626663346139366662353465656131626361373535633664633130323465
+61333364393033613963333231616164623363306463613463333265353038336362366134656533
+36666363303931313565656165353932656436623064346134336364656263313962326166373633
+39366163643734626637633330616361623963373261306234613933653862653732653037373663
+39373433313638333932
diff --git a/host_vars/aur-dev.archlinux.org/misc b/host_vars/aur-dev.archlinux.org/misc
index 5478268e1effb72122edb12636432e96bafb8eea..a18d7aad8c7a136fc5390b17d55eb5c006e883c2 100644
--- a/host_vars/aur-dev.archlinux.org/misc
+++ b/host_vars/aur-dev.archlinux.org/misc
@@ -1,3 +1,5 @@
---
filesystem: btrfs
memcached_socket: "/var/run/aurweb.sock"
+wireguard_address: 10.0.0.3
+wireguard_public_key: E4wLmumdWE1oVjWxPL5FU+BiuPxPdJa6K0wLZVlC0ys=
diff --git a/host_vars/aur-dev.archlinux.org/vault_wireguard.yml b/host_vars/aur-dev.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1cbdd21820cb82daaf0750962e4c367705a39c58
--- /dev/null
+++ b/host_vars/aur-dev.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+35373338643430383735666136303462623436376563373865613234336666303166616434333062
+6266353665626536613135303662316165303933336338360a383665313933613532306266306265
+62633635613337306230623866666635616561613162386463653038643533396465373532613731
+6637363030396430380a613137623063666166393733363835323232353131396534326432616230
+64353532633266396264356461313533313838666166633436343839663532346336323036663461
+64613063643764633330383962646665613931303262306232323931353137396635316662623331
+62356530616466346239316262653037306635613363316634383738336166306664643366623664
+36386336383837623130
diff --git a/host_vars/aur.archlinux.org/misc b/host_vars/aur.archlinux.org/misc
index 5478268e1effb72122edb12636432e96bafb8eea..46ffcf028cefcbc46e1a7546ce7e8d63d763e937 100644
--- a/host_vars/aur.archlinux.org/misc
+++ b/host_vars/aur.archlinux.org/misc
@@ -1,3 +1,5 @@
---
filesystem: btrfs
memcached_socket: "/var/run/aurweb.sock"
+wireguard_address: 10.0.0.2
+wireguard_public_key: TPLeGQ7qU6ZNtcgDbEV0SSYScvK+XS5igcPdGSXo6UA=
diff --git a/host_vars/aur.archlinux.org/vault_wireguard.yml b/host_vars/aur.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6367e1fae0dc25242da311b339012ad2a077c193
--- /dev/null
+++ b/host_vars/aur.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+35363236323535383430323830613237333164626435346232383939313331383762393734373563
+3931386663623766333861363632646561343363343939650a333134663238346663666235646239
+32376162333866343336636338346530373062656261313337663463633566643134353930313266
+6332313361353561360a383136666164363762383934633263643634373131333566616137646363
+36626538393565353730623632643363393433333464313430386265666434663031613263326333
+66303134646332316336303436343165303162623536383236633138333364343262396537623036
+32616631393963623066353261653236343065356136653662613962626138666436346433336261
+32373837363436666234
diff --git a/host_vars/bbs.archlinux.org b/host_vars/bbs.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/bbs.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/bbs.archlinux.org/misc b/host_vars/bbs.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..4e008f1983f0b10ce030980f08ee201217436092
--- /dev/null
+++ b/host_vars/bbs.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.17
+wireguard_public_key: i65GF9BaoTDvTXLJBpZWbuu2jV3F2mc0tH16Y6cQY1g=
diff --git a/host_vars/bbs.archlinux.org/vault_wireguard.yml b/host_vars/bbs.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c3edf0b043901690d172785a7cbaa59ef79dc61a
--- /dev/null
+++ b/host_vars/bbs.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30313339663933346136303730396535623437363431643439643163383638336366393961356537
+6135306633366235343262343462643565343633353236660a333432653666626564613134313233
+39396335383536303263353436653265373163393439636639383030633630636161653165306238
+3630393533383231340a623466396335306538656535386233313633623836336332666331323230
+33386631626430306431373035306261653964613064666462303132316537663664643263373833
+65656565306233323464373365656661626431373136663539363239663037363836393262643932
+37653064633534666539656666303434396163326666636161653363636365386661626232333138
+31626630363439346461
diff --git a/host_vars/bugs.archlinux.org b/host_vars/bugs.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/bugs.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/bugs.archlinux.org/misc b/host_vars/bugs.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..7357f94d813434c63a19e97f21e265c351af9151
--- /dev/null
+++ b/host_vars/bugs.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.19
+wireguard_public_key: Y5sWHwa/Hy6A7ga6lOU8uD/i/ZHZEBlkw2EW/CFE4ys=
diff --git a/host_vars/bugs.archlinux.org/vault_wireguard.yml b/host_vars/bugs.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4d757d20a445c247090c10644466af08a0bbd17a
--- /dev/null
+++ b/host_vars/bugs.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30393733656630383333323036613031653966633339653535623763303031663335353535386633
+3061316664646533343765633766653337373736343236630a383566393435396138613363383937
+30313137643061643034653835343935353438646236393066636631376464386664623436383932
+3937333264303436310a326664633066333735646365333561346134353862393930303433346266
+35373936393337343530383966373636366239653437303466393465376339396432376339616538
+64373463393665323732663930666265343764346232636535393866323036323466336633346338
+65343638636566353264653930656638343032343539303763306461306363303865373836363331
+65313837396133323539
diff --git a/host_vars/build.archlinux.org b/host_vars/build.archlinux.org/misc
similarity index 75%
rename from host_vars/build.archlinux.org
rename to host_vars/build.archlinux.org/misc
index 46918938731758622bb28fedfcee925371e0466f..5330ef480efeb9f43d9cd5bd0865e3ba89964e3d 100644
--- a/host_vars/build.archlinux.org
+++ b/host_vars/build.archlinux.org/misc
@@ -12,3 +12,5 @@ system_disks:
- /dev/nvme0n1
archbuild_fs: 'btrfs'
+wireguard_address: 10.0.0.18
+wireguard_public_key: /P8QGSFgvRETkYdsvAtNQWWT3pE7FpouCz+x1N4yIm4=
diff --git a/host_vars/build.archlinux.org/vault_wireguard.yml b/host_vars/build.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..750bf5cb85102658eeccfad2ec0bfa3e9ea4fd5a
--- /dev/null
+++ b/host_vars/build.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+31396131356132383730343334323834623361633934373162346361366631306163383636356633
+3938336234613135353362643463306437303961313466630a646464376262376330373761633435
+62373031616661653533363536383136646231323566366663316363353439663534383331353934
+3330333130653839390a353035393062353364356264333063393461313135343233653462626136
+37623039623037303064356162313665366331666635356530633038336631643166373233333366
+65653161303666306337346435383837323966626665623863323866393339343963373863626336
+36633330373735643632383962376265323538393562373433373466323163613635353438643862
+30323131663936653134
diff --git a/host_vars/dashboards.archlinux.org b/host_vars/dashboards.archlinux.org
deleted file mode 100644
index 03f71d93b201363915b9871ed57198cb8346cd24..0000000000000000000000000000000000000000
--- a/host_vars/dashboards.archlinux.org
+++ /dev/null
@@ -1,4 +0,0 @@
----
-filesystem: btrfs
-ipv4_address: 157.90.255.107
-prometheus_domain: dashboards.archlinux.org
diff --git a/host_vars/dashboards.archlinux.org/misc b/host_vars/dashboards.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..628bfa1fe9dea99d402a1f29d971df1752e99e34
--- /dev/null
+++ b/host_vars/dashboards.archlinux.org/misc
@@ -0,0 +1,6 @@
+---
+filesystem: btrfs
+ipv4_address: 157.90.255.107
+prometheus_domain: dashboards.archlinux.org
+wireguard_address: 10.0.0.33
+wireguard_public_key: lLZtvFIrmtUXRXmw+qQC8LZ00NzN1wlvcI4grNWt2lE=
diff --git a/host_vars/dashboards.archlinux.org/vault_wireguard.yml b/host_vars/dashboards.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f30b0c3fa19713ec1fa1e2f3a91d67623a931ee3
--- /dev/null
+++ b/host_vars/dashboards.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+32316238313666326461626231613030353366386164303430623436363762396564363738356266
+3433653635376539393737663535356234343066626439340a323031393966373963313438393663
+30383339326336346237313564643238303561363430336530356663323963393365646365383763
+3633386165623532660a333863386535656237343431623730373539366664306237613532393565
+37646132656639343862653637623031633965363437653664623635363534373464326439373562
+65656230306233326538616533653634343163626665356536653565356162363035653564366232
+65643164353365633931666433613733306265393033353437643263373839383035663764363935
+32626263386661623136
diff --git a/host_vars/europe.mirror.pkgbuild.com b/host_vars/europe.mirror.pkgbuild.com/misc
similarity index 81%
rename from host_vars/europe.mirror.pkgbuild.com
rename to host_vars/europe.mirror.pkgbuild.com/misc
index 86ab9f1adcba6d8cbe0232cbd7ba67cbbe26e34e..f5c66587e7b04599c56eb42322151f0b72cfb435 100644
--- a/host_vars/europe.mirror.pkgbuild.com
+++ b/host_vars/europe.mirror.pkgbuild.com/misc
@@ -14,3 +14,5 @@ system_disks:
- /dev/sdb
- /dev/sdc
raid_level: "raid5"
+wireguard_address: 10.0.0.28
+wireguard_public_key: rg3PyaA3nXNZt2C8l4tvzMiTOT47a/jU11WR3EzU0Co=
diff --git a/host_vars/europe.mirror.pkgbuild.com/vault_wireguard.yml b/host_vars/europe.mirror.pkgbuild.com/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1ad69d8d4dab7b62610f9ba56d73666388374741
--- /dev/null
+++ b/host_vars/europe.mirror.pkgbuild.com/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+36323530653365303339343530633765373330636163663035633534303332373033616137326439
+3232663238353661386533383364613765653333616561610a646431383362646666306436366661
+66653865633834656135643764656133373931373833386662393266636438626135636135613339
+6634356364313835350a303837313139323263396438613665383736343461396161373035316532
+32626531613638313563653766623763386332353766643131336466623566666466393630623635
+30633532643737646635313630636462313335326630326430386136366363353334356563346262
+33626136363732313036373433383466346235393865623239326566313535346237363339396635
+31363733333965393738
diff --git a/host_vars/gemini.archlinux.org b/host_vars/gemini.archlinux.org/misc
similarity index 79%
rename from host_vars/gemini.archlinux.org
rename to host_vars/gemini.archlinux.org/misc
index 74a1fb2559aeab0445fd113db66049693db06af3..3eae8550fd69fc7ee92279a59c9f38025a39c35d 100644
--- a/host_vars/gemini.archlinux.org
+++ b/host_vars/gemini.archlinux.org/misc
@@ -17,3 +17,5 @@ system_disks:
raid_level: "raid6"
archive_domain: archive.archlinux.org
+wireguard_address: 10.0.0.20
+wireguard_public_key: 6foPuhPBEUi+tPP7PjFT1nKpEksyyqT8zAX+yOjWDVo=
diff --git a/host_vars/gemini.archlinux.org/vault_wireguard.yml b/host_vars/gemini.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9dc346049e1a43f64da2cfe478815ffd46fd191e
--- /dev/null
+++ b/host_vars/gemini.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+65393031333063396465303139613939623236396233326261323265626133313630636436373934
+3837366263646666303131663637666230393334333836310a636463633730373234656431303462
+64343537613663343432653661373732326535363361333037306365383631326536353835323238
+3337623762633732650a343139616436323162383730636538663536346164656233666335363531
+62643838636236323762303263316139306130666534386237653834623632306536366530383433
+62646166316266333831343637303463643935373437623036613632373138633866643562653832
+64333263616637333561656131373635313136393938633230306264666538396139343435353762
+61636131653564623661
diff --git a/host_vars/gitlab.archlinux.org b/host_vars/gitlab.archlinux.org/misc
similarity index 58%
rename from host_vars/gitlab.archlinux.org
rename to host_vars/gitlab.archlinux.org/misc
index 6572f026040a409817c4524a6f96a302cb0438d3..7ca302a958faaa39c39605e2ce57557045b9443c 100644
--- a/host_vars/gitlab.archlinux.org
+++ b/host_vars/gitlab.archlinux.org/misc
@@ -2,3 +2,5 @@
filesystem: btrfs
gitlab_backupdir: /srv/gitlab/data/backups
additional_addresses: ["116.203.6.156/32", "2a01:4f8:c2c:5d2d::2/64"]
+wireguard_address: 10.0.0.5
+wireguard_public_key: EbZisS0fwM6B8Nkugy1lyox+A8L13hniucVIPVCK5R0=
diff --git a/host_vars/gitlab.archlinux.org/vault_wireguard.yml b/host_vars/gitlab.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2bfb550e34f6c888d2bce0e77e9dab7e342a61ec
--- /dev/null
+++ b/host_vars/gitlab.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+36336564373231613339326361383934653537653534656639376133326238663965633135353266
+6331303335636232356237326362383566613632646237650a393536363063613732616666353164
+30643636376330373033323366663337393232353062666330613161643763313537643165623533
+3766303365626265310a366333383863376530373861313063396430643738346662636536363936
+31386138386362303465616664366639323439323064346235653137323266623062653763613834
+31666530323236366466616431653736333332346266666633376233626439663264376536643461
+37333739386266336634653438366339666133353064373339313761356135313662636365663334
+65616337663531336435
diff --git a/host_vars/homedir.archlinux.org b/host_vars/homedir.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/homedir.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/homedir.archlinux.org/misc b/host_vars/homedir.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..a33b1f96977a4b699784df5edfcd635971b66dc2
--- /dev/null
+++ b/host_vars/homedir.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.13
+wireguard_public_key: 0MrXhX6fmtetZ1Rnu93+rQ8yWgOmxrwyY/hXSsy98FI=
diff --git a/host_vars/homedir.archlinux.org/vault_wireguard.yml b/host_vars/homedir.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..95dd69620555dcd009acd094570d1a3f03e606cb
--- /dev/null
+++ b/host_vars/homedir.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30343332326135613735616630323036646334643238393634666563323936343934656433396161
+3936613433346639336231613930636562363832366464640a623836343162323739333335323036
+31643366326366663366306666323139626335666532643436316564373264643533323237366165
+6636363865643334630a373431373236656261366539646565356636653765346434353036323333
+31343339393262343739616662616235643230613530346330366236653238316662656463613639
+30303338626666663037396661653132353531323836336162363432346364343730303835393635
+61383736356233353736363462333632333463313231613362343938623338396135633737313839
+34623634333935303333
diff --git a/host_vars/lists.archlinux.org b/host_vars/lists.archlinux.org
deleted file mode 100644
index c162214f42b7163cfa681b52347443df3fb6fc3e..0000000000000000000000000000000000000000
--- a/host_vars/lists.archlinux.org
+++ /dev/null
@@ -1,3 +0,0 @@
----
-filesystem: btrfs
-ipv4_address: 95.217.236.249
diff --git a/host_vars/lists.archlinux.org/misc b/host_vars/lists.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..13494d3e6392dd0b7cc499703a447bd56a2eea44
--- /dev/null
+++ b/host_vars/lists.archlinux.org/misc
@@ -0,0 +1,5 @@
+---
+filesystem: btrfs
+ipv4_address: 95.217.236.249
+wireguard_address: 10.0.0.34
+wireguard_public_key: t6Er4qAMe/lWNnAByWdXhbUwXKYfj9CkkJgMp28UQl8=
diff --git a/host_vars/lists.archlinux.org/vault_wireguard.yml b/host_vars/lists.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..08625aec5850b6e85964478c8d93da1682f36df4
--- /dev/null
+++ b/host_vars/lists.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30356338396364333231613238656433373562613936633837623136366633396665363330373137
+6565326632323834623532613235303861366436363564620a323363303761333161666663663466
+64623361636638643565396634653033666666363130623163343730366337383231336139623261
+3865623264653563350a306230393265396632343664646336316630663163363530306666383837
+62373035306231626461353334393935396661303162633265396132666132663536313062373538
+35383935333761323733383264333538623063646538316137353732636164666661653933396362
+61313930656238343866656661343036306136393033353163306339636330313235646630626530
+39326339326137376230
diff --git a/host_vars/mail.archlinux.org/misc b/host_vars/mail.archlinux.org/misc
index 966a4e2933152aab697e3dbe59def80841ff4cbb..b33a2e7e13a426ca13358a9fb8faf78a66733ed6 100644
--- a/host_vars/mail.archlinux.org/misc
+++ b/host_vars/mail.archlinux.org/misc
@@ -11,3 +11,5 @@ fail2ban_jails:
ipv4_address: "95.216.189.61"
ipv6_address: "2a01:4f9:c010:3052::1"
dns_servers: ["127.0.0.1"]
+wireguard_address: 10.0.0.14
+wireguard_public_key: +RJ/ZNRmw2uCHxSjJZHftk7lWUl5nJ6VSZww8GPwhEI=
diff --git a/host_vars/mail.archlinux.org/vault_wireguard.yml b/host_vars/mail.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4500805d9b4d9ac16bd4dc001a3f54eb176643ac
--- /dev/null
+++ b/host_vars/mail.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+38396238623261393535393638366230386563663339363064396239303463656536303334393066
+3665373931353031353934383763343133306530323439330a633235633534356662363038303738
+32363565613037633532363830303639366563323939636239613231393739363461383438666665
+6261656134363135610a373636393038366361393336366363653335646234656662346333333630
+65616235313863646433653536633536306361626331626665333562656132336434343637333139
+38623666336336306632363839623937653436336431623231303435363665373465653139336463
+30316262303864623335623837613933336561663436343331333837656466643639353939386664
+32616663303163616262
diff --git a/host_vars/man.archlinux.org b/host_vars/man.archlinux.org/misc
similarity index 53%
rename from host_vars/man.archlinux.org
rename to host_vars/man.archlinux.org/misc
index 9d6b87125ddc22ad1953897b697502c933cf3007..449f63d977f2116738553b9f7cac4fbc385a439d 100644
--- a/host_vars/man.archlinux.org
+++ b/host_vars/man.archlinux.org/misc
@@ -5,3 +5,5 @@ fail2ban_jails:
postfix: false
dovecot: false
nginx_limit_req: true
+wireguard_address: 10.0.0.32
+wireguard_public_key: PkAuiYdsDs4eI9JytK8MUCK1umDblQHg1SH+Z80zs30=
diff --git a/host_vars/man.archlinux.org/vault_wireguard.yml b/host_vars/man.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e522723ea9941f9de0afa5b460ab567690229d1c
--- /dev/null
+++ b/host_vars/man.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30353562373861623035343865306463663663636631633533393535316335363866396430313832
+6530363163656633663332353462613761663035363133310a326531663730303138656265653131
+39643362643066343664316564333035623439643566353538656338623233333132396465633466
+3663393534623766620a366532336565633665346433333133303130353334376335646363646163
+64383230373464373764643133643161336264393934383962353662343261303965353139343430
+62383835333562626430663431376638323534363735643036633664616136373739326136376264
+63363337343932353635306232366162346561343133663430313635316536396162386166363732
+33306330663239363665
diff --git a/host_vars/matrix.archlinux.org b/host_vars/matrix.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/matrix.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/matrix.archlinux.org/misc b/host_vars/matrix.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..3c34f78d5a8a0622e85ed8e74f599ace39d41a42
--- /dev/null
+++ b/host_vars/matrix.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.15
+wireguard_public_key: QWkTL58mJd0+Lz5AvGVmbdSSk29y/W60WUdhTgyGLCk=
diff --git a/host_vars/matrix.archlinux.org/vault_wireguard.yml b/host_vars/matrix.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bedfe55b1e63762c1aa8d587182ab4b3878544a2
--- /dev/null
+++ b/host_vars/matrix.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+65373066316239376138383430386530343036303137383361363738356166303463643035336534
+3364393039343135633265353937383866303263313530330a333134356665623238363463363534
+31356462393438303737636231336666386535356635653138366338393530633763396436626630
+6635636464633537610a663039396264336432393232633163653138633862643530643839326536
+37373339353538306638303339623566623164653832333831386538613034343534313731356166
+32383333333131343037366133386138353262353061383531373765393439376238626338393531
+65346337393233653338646663303633393965373438636530346266663130343530386336396139
+34366262326138643662
diff --git a/host_vars/md.archlinux.org b/host_vars/md.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/md.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/md.archlinux.org/misc b/host_vars/md.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..f4888eb5c9b6e274f7caf9299a8f4aab752af7b5
--- /dev/null
+++ b/host_vars/md.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.31
+wireguard_public_key: eCIzf+ckdWPvJYjNaxdlLRH9kq9mfJZswA8KwCmtJgQ=
diff --git a/host_vars/md.archlinux.org/vault_wireguard.yml b/host_vars/md.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..582d8b5b1a22610840894b9a7c82eae912285f14
--- /dev/null
+++ b/host_vars/md.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30356136643164646266366536663932326536356132373763303364643762666433656435343033
+3734353332633866363031623831306432313565616464640a326238656163386534383762653335
+35653766323363343863613265666164333563386664313431303134663564333465343935613265
+6331633364616165610a656136616338343038373566376638623965653764343937636430623564
+32383438393537383034633665383062636138326663623435616565393539646137653736363539
+34646631393964313666383039623031663938343066393936393237313633336666656433353832
+66663033616133616333356238386338373363666430336263356533306165303236613261363161
+34383263623230356634
diff --git a/host_vars/mirror.pkgbuild.com b/host_vars/mirror.pkgbuild.com/misc
similarity index 68%
rename from host_vars/mirror.pkgbuild.com
rename to host_vars/mirror.pkgbuild.com/misc
index 53e1194e0b9fb5f0b066ed2849f2cb8a7c5696aa..38c985adb5c0cd8950c8777d01d3dd7378fe3af9 100644
--- a/host_vars/mirror.pkgbuild.com
+++ b/host_vars/mirror.pkgbuild.com/misc
@@ -7,3 +7,5 @@ ipv4_address: "78.46.209.220"
ipv4_netmask: "/32"
ipv6_address: "2a01:4f8:c2c:c62f::1"
ipv6_netmask: "/64"
+wireguard_address: 10.0.0.12
+wireguard_public_key: auE2J1+MYo59uZIwADncjCfSX7/Q0YdvmG+CVIgvtgo=
diff --git a/host_vars/mirror.pkgbuild.com/vault_wireguard.yml b/host_vars/mirror.pkgbuild.com/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..58cb4cb1687efeb022fbef95c6eeb10ccfda4fa2
--- /dev/null
+++ b/host_vars/mirror.pkgbuild.com/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+37653134356362333735633438663031313830356165306335316266613535316431643033346266
+3930663733613166343564306164643136383933336637630a333730373039383939313262313237
+66333434616638373537666339613530386463366635343433613936613739663962386162353461
+3933373038323935650a316332313835613836353361386138656632373131343131633865653433
+35623566646130303864623163303364663663353439306130646437363961336232386336336261
+31653030653732613330613031656238333736346664353635623963656537313764323035623833
+32626163393235376434363330633562363931383535656462656665356533373630343537333162
+34386636613431353763
diff --git a/host_vars/monitoring.archlinux.org/misc b/host_vars/monitoring.archlinux.org/misc
index 48ec180f1e5088cbe7de59a467f60bc2357f6583..31cf2745d33d1d30da2c0089d4606f65281c3210 100644
--- a/host_vars/monitoring.archlinux.org/misc
+++ b/host_vars/monitoring.archlinux.org/misc
@@ -1,3 +1,5 @@
---
filesystem: btrfs
ipv4_address: 95.217.220.31
+wireguard_address: 10.0.0.4
+wireguard_public_key: LR3lPa9ABwUkvbm3NqdxeAqX+NOG8FpbICG/+1Ra5lg=
diff --git a/host_vars/monitoring.archlinux.org/vault_wireguard.yml b/host_vars/monitoring.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cfa8ff45a44b137bd8ba418dc09961d95a325029
--- /dev/null
+++ b/host_vars/monitoring.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+63643864656332633231356361366265386330656137363764613763626262323762613765393639
+6533356361343062373664383534383333383535613430370a313936643437646134396663366535
+61313364623732393864373230383164333532306235666130613761383035376236343763303131
+3364393437313339350a353964336464623738613731326666366435386132303232333262623335
+63353332313037633563646537653438306531616161636663656662316464663063303239363634
+38623039623836633134623836646161663838623462656236363231346437646562353831383935
+64396364373037393332323861303233376237326538613534653631626334346434303461373338
+65636563643731373939
diff --git a/host_vars/patchwork.archlinux.org/misc b/host_vars/patchwork.archlinux.org/misc
index df2e971775c3563536f7b4c5fbcc70c609a66cde..673b5fef96634940496775e6866151418eb02afa 100644
--- a/host_vars/patchwork.archlinux.org/misc
+++ b/host_vars/patchwork.archlinux.org/misc
@@ -10,3 +10,5 @@ fail2ban_jails:
dovecot: false
nginx_limit_req: false
+wireguard_address: 10.0.0.23
+wireguard_public_key: DVeDuKQKf4FzfgS8hp3iZj1tD7gi3SJm8GqDfA+XZn4=
diff --git a/host_vars/patchwork.archlinux.org/vault_wireguard.yml b/host_vars/patchwork.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d96000a4fdfd1eb5261b00b8bf50353ac1337592
--- /dev/null
+++ b/host_vars/patchwork.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+64333433393562363961663030376336616636383433633639346463656633396233323939633161
+6463623464623533343162613738656363653233336463300a333634326263353865333134303835
+34663464363166316131373835326439623662343661373235333261663061396363383966653963
+3836326233313832640a623262393561316466303332393839643438313762616434343866316264
+37323561613234633130613863326530316136613362386636313034666637353330633539653234
+36353363393565653834373631326339663762666463333637323233303135653630306363373162
+30393366323931663464666561646266373166326636656366323831333131356261363638393231
+32636164616637643632
diff --git a/host_vars/phrik.archlinux.org/misc b/host_vars/phrik.archlinux.org/misc
index 727b43d2d6bed3382c9a4e6c479348a9a654a929..1e3beb9569413183a76d4a3f0a2f0a2e383ea9f9 100644
--- a/host_vars/phrik.archlinux.org/misc
+++ b/host_vars/phrik.archlinux.org/misc
@@ -8,3 +8,5 @@ arch_users:
groups:
- tu
arch_groups: []
+wireguard_address: 10.0.0.9
+wireguard_public_key: ETzZyW9HAwDmJffZOiLH+DF+wl7bR37NYDEtn/zm+hk=
diff --git a/host_vars/phrik.archlinux.org/vault_wireguard.yml b/host_vars/phrik.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0a73ca5c8bcf7875624e2f8ddabaff91d6e9f8e7
--- /dev/null
+++ b/host_vars/phrik.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+32656662326630313831356139366466663166376130613430616262373534633166666163363230
+3534613335663264383064316639643761643563643565620a316231646462646465636635343164
+62303737623663333762656632613930666164353661626134326461646137323337666139303634
+3037376139653062320a393635623332346330383961363733663363326263393234353163613564
+39646264336664626634303934306135663031323532303239396234396330623338326665303336
+35353261643462373038666366353134323832343336313337633965646431306435643036643432
+38643966323264303066306464316362613263316136633432643033383266323964376162636337
+35386238623531646433
diff --git a/host_vars/quassel.archlinux.org b/host_vars/quassel.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/quassel.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/quassel.archlinux.org/misc b/host_vars/quassel.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..79e5df913c69d9cec509bc0e6c064314bc3b4008
--- /dev/null
+++ b/host_vars/quassel.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.10
+wireguard_public_key: 4SFiwJRHbGSDtEypEDhS6ar2jmwfBwthPSGHZ8XShXY=
diff --git a/host_vars/quassel.archlinux.org/vault_wireguard.yml b/host_vars/quassel.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..aa09216dc3f13a3c5f981c7545d158dc865aee01
--- /dev/null
+++ b/host_vars/quassel.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33636638333066356431343838623962633836623666653839333836353633383761653430633236
+6265626635376236363365666235323839636634353235390a303738313061303661623132323236
+30363436316465376431333661306534356334313431396664646464653330383461666238623264
+3136393965343532320a333631353439383434336263353664386139353230633038626266313131
+33653534626562663065333262323364643962323264633839373164656163383030326264393434
+37343563383034663933623163346263663433633736376232386339386339656333373736616135
+30616638656161623232636337633636396232323363656162323166646139646633616261356163
+65626262353964313164
diff --git a/host_vars/redirect.archlinux.org b/host_vars/redirect.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/redirect.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/redirect.archlinux.org/misc b/host_vars/redirect.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..8a6ff0110f457e0236813ad1b51f935a466b6fa3
--- /dev/null
+++ b/host_vars/redirect.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.25
+wireguard_public_key: n11Ps2sc0Cxsi1sLaYFq7dkhlDtTnOZCGovRYbzDGR8=
diff --git a/host_vars/redirect.archlinux.org/vault_wireguard.yml b/host_vars/redirect.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b57ac979902359046d2e964203bfda6110395312
--- /dev/null
+++ b/host_vars/redirect.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+38383865396661663065313039333236336262643966333431663363613462393538373336613063
+6238343362303664303262373135373536323166383530630a656639373835333037326638303538
+32616131323438633464656233636461656139393734653731373933326666386539333162346530
+6165343632613931610a363561363734633264643631346265383462353565633436646439616536
+37633863623563316364643530616461623531636462373766356239343139323463653338386431
+61653530346564303435663735303531643131386638633032363864363132383834626532623966
+65363665356461666364333465653832636565643835373136376634333132373531666165653132
+37646430343637336666
diff --git a/host_vars/repro1.pkgbuild.com b/host_vars/repro1.pkgbuild.com/misc
similarity index 78%
rename from host_vars/repro1.pkgbuild.com
rename to host_vars/repro1.pkgbuild.com/misc
index 7ee9fc9a2a9627aacc1bf2a505460d76ce79f0b0..490e6d5fa67acfc00e74b92aecefa9579b4d0fd8 100644
--- a/host_vars/repro1.pkgbuild.com
+++ b/host_vars/repro1.pkgbuild.com/misc
@@ -16,3 +16,5 @@ configure_network: true
rebuilderd_workers:
- repro11
- repro12
+wireguard_address: 10.0.0.21
+wireguard_public_key: ajhueWT62CpFWcO89uQB2bvouM+7pcFGTELoE6nc9DM=
diff --git a/host_vars/repro1.pkgbuild.com/vault_wireguard.yml b/host_vars/repro1.pkgbuild.com/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d09a60eada0cc2a1cf5bb0e335561d0a18cb1835
--- /dev/null
+++ b/host_vars/repro1.pkgbuild.com/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+61643561323731613730376231656163656335623032363335353433306538383261663935323163
+3135633763393631303862306336623264613764663231300a363434393736636561623431623763
+66373638373133356464613566643362623065336131346631353931623530633466326362396235
+3137613364326435610a633262643836383233303439356636323130653766656462303938656365
+66323130393666653530323261633736313035356435623663353333633537626361326339316332
+65643431323231366338376338626536393266363763633365386436663031346136316363333037
+66316636363864303734616534366437633530333366336661363965313333306561376433656536
+37663762633666633036
diff --git a/host_vars/repro2.pkgbuild.com b/host_vars/repro2.pkgbuild.com/misc
similarity index 80%
rename from host_vars/repro2.pkgbuild.com
rename to host_vars/repro2.pkgbuild.com/misc
index 24be4355fa3aa466fe5ec0768c603428c2e63f4a..68d893f042346a7338f1ace56d3aedbc736428e3 100644
--- a/host_vars/repro2.pkgbuild.com
+++ b/host_vars/repro2.pkgbuild.com/misc
@@ -20,3 +20,5 @@ rebuilderd_workers:
- repro22
- repro23
- repro24
+wireguard_address: 10.0.0.29
+wireguard_public_key: PQDUQxGH6n3PY/dqlDk6DsSV5XBYQvJWJbVJldEuYic=
diff --git a/host_vars/repro2.pkgbuild.com/vault_wireguard.yml b/host_vars/repro2.pkgbuild.com/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cbac9291d1254bcaa983d9a2eac5723b2f2ac994
--- /dev/null
+++ b/host_vars/repro2.pkgbuild.com/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+63333630393633666136626330353132373030376661313230646461643363303437393539623030
+3063616536373038613064366538383463616136646134310a316539383338623737326238333361
+65623337373637653139633637373534306363666335383263393630346437643965303862303930
+3039383936616534300a623433373066366538363132626235663964623439333435653837383337
+37653638616238653166616362613232663766643437383564383139643235666235666361306463
+66373539363030643761643064663531616432633666663931633930666530663736323935636334
+33366564623633326331346566663730323763643665393933656466393563613961653665633664
+63316230326632326532
diff --git a/host_vars/reproducible.archlinux.org b/host_vars/reproducible.archlinux.org
deleted file mode 100644
index 361abceffe229016779da145b22d794bb175e97b..0000000000000000000000000000000000000000
--- a/host_vars/reproducible.archlinux.org
+++ /dev/null
@@ -1,3 +0,0 @@
----
-
-filesystem: btrfs
diff --git a/host_vars/reproducible.archlinux.org/misc b/host_vars/reproducible.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..5598bcb3b628708fcc70d0e17f346093a2e1f78a
--- /dev/null
+++ b/host_vars/reproducible.archlinux.org/misc
@@ -0,0 +1,5 @@
+---
+
+filesystem: btrfs
+wireguard_address: 10.0.0.6
+wireguard_public_key: F2X4lMxdET35mceNtRVqSxVVbwEUVey5IjveG0yHJ0Q=
diff --git a/host_vars/reproducible.archlinux.org/vault_wireguard.yml b/host_vars/reproducible.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..80b3aa43f0ea44a43fce5b3479aa839984e8ec93
--- /dev/null
+++ b/host_vars/reproducible.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+66333666343239333332333131393430363739373462306337353039666162313034336165326336
+6235343465633963633331666438323462656666393739320a303966613934613137346434636334
+30656164616432623135386334356330303432663637356332616134663265333062336334303966
+3232373538363233660a323862353761343265393130303364346436326264313038383062646466
+65356133623361313937643338316439353662633465656538363830306430633732366564383064
+66366362333130663665313130376463356164633331616530373230313936343234316566613362
+62323866653335393264333165373139613938363631643133653963343733383864633365343137
+65666233336233313032
diff --git a/host_vars/runner1.archlinux.org/misc b/host_vars/runner1.archlinux.org/misc
index 71986d719eff32cfbf9a814dad5974fb1c5488e4..10ec8140bc471216d087bf9b1ef04fd2e2363ee7 100644
--- a/host_vars/runner1.archlinux.org/misc
+++ b/host_vars/runner1.archlinux.org/misc
@@ -15,3 +15,5 @@ system_disks:
raid_level: "raid1"
configure_network: true
+wireguard_address: 10.0.0.30
+wireguard_public_key: VghPKlYaYYcdt4peH2n9X95ebTamz2MeOI8NvMTmomI=
diff --git a/host_vars/runner1.archlinux.org/vault_wireguard.yml b/host_vars/runner1.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d1cddbb8f10d931306f5f35db2cb0f2e00142ab2
--- /dev/null
+++ b/host_vars/runner1.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+62323062333663353534663331643633666335323333656438653438336436366161666237653334
+3736633161316335386166353566613239303537666630610a633033323163616136303634653633
+35323065623734353837626536623966343533643031623164666232333562633938373934353736
+3666376635656262610a323430316263633032356163656130376435383638316534336433353533
+66393333643930643737373666343832636236393834356633633330306632326535643038363266
+36366333353335623434356666363931326431323430343633356132653233313130336337373333
+61333833343434666239633566313264393738626665316439323936386263363737326365643465
+66633264626236373338
diff --git a/host_vars/runner2.archlinux.org/misc b/host_vars/runner2.archlinux.org/misc
index dcaa0759669aa2f085b068f2bfff8184bb2b1b5c..8d2e62a9e6c4382c3acdd5fbd1f744b617aba7ff 100644
--- a/host_vars/runner2.archlinux.org/misc
+++ b/host_vars/runner2.archlinux.org/misc
@@ -12,3 +12,5 @@ network_interface: "enp1s0f0np0"
system_disks:
- /dev/sda
configure_network: true
+wireguard_address: 10.0.0.7
+wireguard_public_key: 27QE/u1liW2251mHvnika7cZ1Lv8O4h+0S6D2g1jZTE=
diff --git a/host_vars/runner2.archlinux.org/vault_wireguard.yml b/host_vars/runner2.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3667c55b8c8907b1259b82a13b9126eda9687801
--- /dev/null
+++ b/host_vars/runner2.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+34353963613832346662633636386135616336646239323738633263363965366238613133376630
+3639333039323966323338643232343933326231653630620a313562323162363739653434336137
+30393834623432303837653834633965356464393036636332616230346534346464316630613966
+6433633537303165390a613931613832333635666432313734313335376166383034336163633566
+33666531613666623265313535363461636162643166343532333331663133623465623534323462
+37643832633462346462376338633432646162616435623764393338656465383166653430633937
+37613836343061346362656438613232323135656465393061616336396536333865633838313033
+39313936363034343437
diff --git a/host_vars/secure-runner1.archlinux.org/misc b/host_vars/secure-runner1.archlinux.org/misc
index ffd3ea5396857d51317a5e176bc21740d6fa5874..d7bd5a2e2d2f92eb8e9affac10663799bcafecf5 100644
--- a/host_vars/secure-runner1.archlinux.org/misc
+++ b/host_vars/secure-runner1.archlinux.org/misc
@@ -12,3 +12,5 @@ network_interface: "en*"
system_disks:
- /dev/nvme0n1
- /dev/nvme1n1
+wireguard_address: 10.0.0.8
+wireguard_public_key: 6cb0sL2PgD55IXWr5j/uIn9wCgUL+HT83vWrxWClSBU=
diff --git a/host_vars/secure-runner1.archlinux.org/vault_wireguard.yml b/host_vars/secure-runner1.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..721db52251bddca8bd3444b327cf819d53bccaf7
--- /dev/null
+++ b/host_vars/secure-runner1.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+31663637376338646130393262303635666163653066636265666630363131363132646665323735
+6661656235363338333237316439306661643932633036630a353062636430313163393938633437
+63623161356364656462653533306330383765626234383335333861383764373733633038326133
+6232383863353363300a303961663162343236643330326532316162643130613864393534376635
+31633663623632313562383764353465643430346432363130393839326135386532323437326535
+39376561316638666334653239383530653235633332653132613361643732616530613636656531
+32303961303163363861656665316134353435326439623332323139383765623835366162646335
+37623765313065616130
diff --git a/host_vars/security.archlinux.org b/host_vars/security.archlinux.org
deleted file mode 100644
index 95100c83dab4a9c25f43bdd3247a5230b05322c5..0000000000000000000000000000000000000000
--- a/host_vars/security.archlinux.org
+++ /dev/null
@@ -1,7 +0,0 @@
----
-filesystem: btrfs
-
-fail2ban_jails:
- sshd: true
- postfix: false
- dovecot: false
diff --git a/host_vars/security.archlinux.org/misc b/host_vars/security.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..75df6277fee703ea1c3f48b278ce65f54fce9199
--- /dev/null
+++ b/host_vars/security.archlinux.org/misc
@@ -0,0 +1,9 @@
+---
+filesystem: btrfs
+
+fail2ban_jails:
+ sshd: true
+ postfix: false
+ dovecot: false
+wireguard_address: 10.0.0.24
+wireguard_public_key: CENgItOHJI/lLUNcUNpC+1oZJBvX/G+nemAKZYfCSCw=
diff --git a/host_vars/security.archlinux.org/vault_wireguard.yml b/host_vars/security.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8db04f6d2163c0768ebcf18e9e045507e7e2921a
--- /dev/null
+++ b/host_vars/security.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+35303834303939316362396235336663626233343436626131393033636364316566316161333833
+3734353862653661343034656231653061383365373265340a613263373064353437623963366564
+32333630326332333433363461303334373237383931373837343765323836383337393562643739
+3966396638653131660a336339376564396366393366353664623664633033396332653263633234
+37303361383362623439393331626137326461366334383638653565613166323737663136323262
+35396234346334336338353036363130386639383464313364656464363865303266633965653134
+62326638356131336439663833356438346639396463653862303964386361633431616364653263
+38323934633336653930
diff --git a/host_vars/state.archlinux.org b/host_vars/state.archlinux.org
deleted file mode 100644
index ca1d9755887c76591124cff5c945654901096e53..0000000000000000000000000000000000000000
--- a/host_vars/state.archlinux.org
+++ /dev/null
@@ -1,2 +0,0 @@
----
-filesystem: btrfs
diff --git a/host_vars/state.archlinux.org/misc b/host_vars/state.archlinux.org/misc
new file mode 100644
index 0000000000000000000000000000000000000000..12684443e326eaa068de5da391d3486f150b8867
--- /dev/null
+++ b/host_vars/state.archlinux.org/misc
@@ -0,0 +1,4 @@
+---
+filesystem: btrfs
+wireguard_address: 10.0.0.11
+wireguard_public_key: cRNS30527OCEgijC7FHrtdXxdNnwWsXP8F1QAoKgAFQ=
diff --git a/host_vars/state.archlinux.org/vault_wireguard.yml b/host_vars/state.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f5d1ed50757544194e028e065c8fa06deb806b06
--- /dev/null
+++ b/host_vars/state.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30623966386233383161626338323132623637626439363735393265326463633965353631646165
+6439633062646463326361613632656437613639326632610a363761303462343562646663323831
+62383732393639376532353962626562643866343830343633383031316435323637343061366337
+3762303832653938660a666336613331663436653836616333663366643833656465616432303733
+35646262316639666232646233366337646239613562616431633032393538363438626635313530
+32373465346461646366333466313862643135363366353166396566306335333837626430333934
+33613631363261613364623831363330353236363861363436633064393435333433643561316330
+39343833313863666363
diff --git a/host_vars/wiki.archlinux.org b/host_vars/wiki.archlinux.org/misc
similarity index 61%
rename from host_vars/wiki.archlinux.org
rename to host_vars/wiki.archlinux.org/misc
index c36e3285041b184513bbe646512caea6c7288680..9d39ee0eac59c6ffe9e447b704f5c75052630a59 100644
--- a/host_vars/wiki.archlinux.org
+++ b/host_vars/wiki.archlinux.org/misc
@@ -7,3 +7,5 @@ fail2ban_jails:
postfix: false
dovecot: false
nginx_limit_req: false
+wireguard_address: 10.0.0.22
+wireguard_public_key: bZeNWMLtyNDaFR7jjWr06nNZt/vV/OKNleV7XZZs+lc=
diff --git a/host_vars/wiki.archlinux.org/vault_wireguard.yml b/host_vars/wiki.archlinux.org/vault_wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..aa9abc6f74fba7130d383911558b20f757640642
--- /dev/null
+++ b/host_vars/wiki.archlinux.org/vault_wireguard.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+31326134383434623962343263616233323034636435343437386264386462373065313831643737
+3833643966366266343537656366616565323761643837620a616435346437383363623532396563
+38343931306466633663356637323532303334613638363034303862383563396437356332653331
+6434346434343431640a386436613463343631323435363763383534666430633133636236353832
+37396365643335633532366662353138646234646563633331373435316531343038346132646564
+30366235313237396166623639383432376534656666376362383331323562333937393064333434
+37366637343835636465633537613364353232353462373936636131336333666237343163613130
+62626164633930653337
diff --git a/hosts b/hosts
index b80daaeb1912e0894b9204ae6c389f636daff884..8bc6dedadbdd469cd08237cc4b340270174e0c0c 100644
--- a/hosts
+++ b/hosts
@@ -142,6 +142,42 @@ man.archlinux.org
dashboards.archlinux.org
lists.archlinux.org
+[wireguard]
+archlinux.org
+aur.archlinux.org
+aur-dev.archlinux.org
+monitoring.archlinux.org
+gitlab.archlinux.org
+reproducible.archlinux.org
+runner2.archlinux.org
+secure-runner1.archlinux.org
+phrik.archlinux.org
+quassel.archlinux.org
+state.archlinux.org
+mirror.pkgbuild.com
+homedir.archlinux.org
+mail.archlinux.org
+matrix.archlinux.org
+accounts.archlinux.org
+bbs.archlinux.org
+build.archlinux.org
+bugs.archlinux.org
+gemini.archlinux.org
+repro1.pkgbuild.com
+wiki.archlinux.org
+patchwork.archlinux.org
+security.archlinux.org
+redirect.archlinux.org
+asia.mirror.pkgbuild.com
+america.mirror.pkgbuild.com
+europe.mirror.pkgbuild.com
+repro2.pkgbuild.com
+runner1.archlinux.org
+md.archlinux.org
+man.archlinux.org
+dashboards.archlinux.org
+lists.archlinux.org
+
[kape_servers]
asia.mirror.pkgbuild.com
america.mirror.pkgbuild.com
diff --git a/playbooks/accounts.archlinux.org.yml b/playbooks/accounts.archlinux.org.yml
index 3eeb99245fd9d0265943de528a71a12036252b5a..88d714123f015294026fb8b2843ea7c39e929678 100644
--- a/playbooks/accounts.archlinux.org.yml
+++ b/playbooks/accounts.archlinux.org.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: prometheus_exporters }
diff --git a/playbooks/all-hosts-basic.yml b/playbooks/all-hosts-basic.yml
index bf4a2137f34d6077947673931e43bbd9d9fd5cb5..943c40520416b098a6fc469ed27f004934b69a98 100644
--- a/playbooks/all-hosts-basic.yml
+++ b/playbooks/all-hosts-basic.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
# reconfiguring sshd may break the AUR on luna (unchecked)
# - { role: sshd, tags: ['sshd'] }
- { role: root_ssh }
diff --git a/playbooks/archive-mirrors.yml b/playbooks/archive-mirrors.yml
index c5df2995e9bf30abba64755644d3654e152fc04c..946eadbcc60bde3b4e95b0a4c3370f2dd408a5fd 100644
--- a/playbooks/archive-mirrors.yml
+++ b/playbooks/archive-mirrors.yml
@@ -6,6 +6,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: hardening }
- { role: sshd }
- { role: root_ssh }
diff --git a/playbooks/archlinux.org.yml b/playbooks/archlinux.org.yml
index e51290b914fe8569cdf7f77976cbc3c941b247bb..95520c51aa65c6520253ed6ee1d87219aa9e601b 100644
--- a/playbooks/archlinux.org.yml
+++ b/playbooks/archlinux.org.yml
@@ -39,3 +39,4 @@
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/aur-dev.archlinux.org.yml b/playbooks/aur-dev.archlinux.org.yml
index 6c7cb1a057a4d64ac6a32498e6a1edf33a8722f7..92b106adcae6196f96dc72fb824ccaae19502abc 100644
--- a/playbooks/aur-dev.archlinux.org.yml
+++ b/playbooks/aur-dev.archlinux.org.yml
@@ -21,3 +21,4 @@
- { role: aurweb, aurweb_domain: 'aur-dev.archlinux.org', aurweb_version: 'pu' }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/aur.archlinux.org.yml b/playbooks/aur.archlinux.org.yml
index d4f1e120dbcf4a2e5faf515f7073967f3d2b88a1..528e95d0baf0e8879c452054c4ef930b2caed7c6 100644
--- a/playbooks/aur.archlinux.org.yml
+++ b/playbooks/aur.archlinux.org.yml
@@ -21,3 +21,4 @@
- { role: postfix, postfix_relayhost: "mail.archlinux.org" }
- { role: fail2ban }
- { role: aurweb }
+ - { role: wireguard }
diff --git a/playbooks/bbs.archlinux.org.yml b/playbooks/bbs.archlinux.org.yml
index a6e9cfec4d6cdc6302711dfc834954c3656aa60d..f2d22821f0b705030c6d4fba3e7aa8d80c090e7d 100644
--- a/playbooks/bbs.archlinux.org.yml
+++ b/playbooks/bbs.archlinux.org.yml
@@ -19,3 +19,4 @@
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/bugs.archlinux.org.yml b/playbooks/bugs.archlinux.org.yml
index ab90441dbd0a3e19eb825cd608e0cd025e6814e5..ad359f9cb5c6fa4b228b7f5817275430f6014fb2 100644
--- a/playbooks/bugs.archlinux.org.yml
+++ b/playbooks/bugs.archlinux.org.yml
@@ -19,3 +19,4 @@
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/build.archlinux.org.yml b/playbooks/build.archlinux.org.yml
index 01ff31445fa2410aa34d365f9df631a34cde6d93..507aede63f9ae2f625fe75d1dc2056aa8a116594 100644
--- a/playbooks/build.archlinux.org.yml
+++ b/playbooks/build.archlinux.org.yml
@@ -15,3 +15,4 @@
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/dashboards.archlinux.org.yml b/playbooks/dashboards.archlinux.org.yml
index 9f0f55ccc6874dfa8fc52411715d18537856af62..4bc84c9d42fc4ec74d2ab08c414f0b00f68dc8b2 100644
--- a/playbooks/dashboards.archlinux.org.yml
+++ b/playbooks/dashboards.archlinux.org.yml
@@ -3,6 +3,7 @@
remote_user: root
roles:
- { role: firewalld }
+ - { role: wireguard }
- { role: common }
- { role: tools }
- { role: sshd }
diff --git a/playbooks/gemini.archlinux.org.yml b/playbooks/gemini.archlinux.org.yml
index d64cd0637205fdbfc2139caa61708d2b9cd3b480..51e9574dcdb92a82a0769e4a1793235aa9f2492a 100644
--- a/playbooks/gemini.archlinux.org.yml
+++ b/playbooks/gemini.archlinux.org.yml
@@ -10,6 +10,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: borg_client, tags: ['borg'] }
diff --git a/playbooks/gitlab-runners.yml b/playbooks/gitlab-runners.yml
index 65b08811722a52888ad8d05e26944728464e7c75..2f86dfb1f847d9f32ce5a04145ae0a32fd5c1b03 100644
--- a/playbooks/gitlab-runners.yml
+++ b/playbooks/gitlab-runners.yml
@@ -5,6 +5,7 @@
roles:
- { role: common }
- { role: firewalld }
+ - { role: wireguard }
- { role: hardening }
- { role: sshd }
- { role: root_ssh }
diff --git a/playbooks/gitlab.archlinux.org.yml b/playbooks/gitlab.archlinux.org.yml
index 83b5b07c1e255d3aaa124e832bdb9758d898e25a..7979379eff23d14988412ba361b96ae686c7517b 100644
--- a/playbooks/gitlab.archlinux.org.yml
+++ b/playbooks/gitlab.archlinux.org.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: gitlab,
diff --git a/playbooks/homedir.archlinux.org.yml b/playbooks/homedir.archlinux.org.yml
index ec38949d869cc84e78e6634eadc5dac572c6a96c..f1d5294f6a447a55c3a64553aa5d93aaa6c190d0 100644
--- a/playbooks/homedir.archlinux.org.yml
+++ b/playbooks/homedir.archlinux.org.yml
@@ -16,3 +16,4 @@
- { role: prometheus_exporters }
- { role: promtail }
- { role: fail2ban }
+ - { role: wireguard }
diff --git a/playbooks/lists.archlinux.org.yml b/playbooks/lists.archlinux.org.yml
index a20dea7ac0b693f11cba23590231bfe4683dcd48..af2e515c2f290eb399cca091a696e47f32b39cd8 100644
--- a/playbooks/lists.archlinux.org.yml
+++ b/playbooks/lists.archlinux.org.yml
@@ -4,6 +4,7 @@
roles:
- { role: common }
- { role: firewalld }
+ - { role: wireguard }
- { role: tools }
- { role: sshd }
- { role: root_ssh }
diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml
index de383c3aa52407619c1f57eaad91e29f48eeef5e..3055d80995567d270665116285791284566454cc 100644
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -19,3 +19,4 @@
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/man.archlinux.org.yml b/playbooks/man.archlinux.org.yml
index 63a2cc90d96d4ce4633150036ffcd92d22933879..3228e4eb9a971fda0dcedae9266f4ed3169ab564 100644
--- a/playbooks/man.archlinux.org.yml
+++ b/playbooks/man.archlinux.org.yml
@@ -5,6 +5,7 @@
remote_user: root
roles:
- { role: firewalld }
+ - { role: wireguard }
- { role: common }
- { role: tools }
- { role: sshd }
diff --git a/playbooks/matrix.archlinux.org.yml b/playbooks/matrix.archlinux.org.yml
index c4140d871ff3a1253325a30d8b1c4ceaca78ca05..84cf39189c1fd6442dfa3c7c65acdac442b9b7a0 100644
--- a/playbooks/matrix.archlinux.org.yml
+++ b/playbooks/matrix.archlinux.org.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: borg_client, tags: ["borg"] }
diff --git a/playbooks/md.archlinux.org.yml b/playbooks/md.archlinux.org.yml
index f10096660e9c00dd6015780d95a17f0b99176f8e..497fe76f1731e7613f724f98e48b50e20c245a38 100644
--- a/playbooks/md.archlinux.org.yml
+++ b/playbooks/md.archlinux.org.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: fail2ban }
diff --git a/playbooks/mirrors.yml b/playbooks/mirrors.yml
index e9d3cbf562806acd2ce9c4f27d5be405c07eb707..632a0b6a4318aad4e46e650dd798c28c13551267 100644
--- a/playbooks/mirrors.yml
+++ b/playbooks/mirrors.yml
@@ -14,3 +14,4 @@
- { role: prometheus_exporters }
- { role: promtail }
- { role: fail2ban }
+ - { role: wireguard }
diff --git a/playbooks/monitoring.archlinux.org.yml b/playbooks/monitoring.archlinux.org.yml
index 3ab2b98e319874634e106e6d40e556495400195e..121be67c74fdee01f1f53382dca139b08694da22 100644
--- a/playbooks/monitoring.archlinux.org.yml
+++ b/playbooks/monitoring.archlinux.org.yml
@@ -3,6 +3,7 @@
remote_user: root
roles:
- { role: firewalld }
+ - { role: wireguard }
- { role: common }
- { role: tools }
- { role: sshd }
diff --git a/playbooks/patchwork.archlinux.org.yml b/playbooks/patchwork.archlinux.org.yml
index 00fcd84d8cb7b89588c1d7af62d9b0292e4cbc0f..7c766c8a81ce11090327e4bf72c566a3b686d039 100644
--- a/playbooks/patchwork.archlinux.org.yml
+++ b/playbooks/patchwork.archlinux.org.yml
@@ -21,3 +21,4 @@
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/phrik.yml b/playbooks/phrik.yml
index 88d02ea2347941183a87ec92109d4feb13ff50b0..55e4cc18cc26e31941e7fbe2b3cffe2a9427d4b0 100644
--- a/playbooks/phrik.yml
+++ b/playbooks/phrik.yml
@@ -13,3 +13,4 @@
- { role: root_ssh }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/quassel.archlinux.org.yml b/playbooks/quassel.archlinux.org.yml
index b423b14698123e5c18ff30433ab1e102f6e588c3..d107e25f935393634466c5ee1c74370d3e4e772f 100644
--- a/playbooks/quassel.archlinux.org.yml
+++ b/playbooks/quassel.archlinux.org.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: borg_client, tags: ["borg"] }
diff --git a/playbooks/rebuilderd-workers.yml b/playbooks/rebuilderd-workers.yml
index ea5e6b46f89153949c7db06c969fcf68e0c3cab7..b1deff2304c72c90f4e6c06eb482fb22ba2af9bf 100644
--- a/playbooks/rebuilderd-workers.yml
+++ b/playbooks/rebuilderd-workers.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: rebuilderd_worker }
diff --git a/playbooks/redirect.archlinux.org.yml b/playbooks/redirect.archlinux.org.yml
index 29a5ac4f04c3ec96bfad370642ef501816bb4116..873e2437c0a4c39d989282d1b6bd3c2a70cdb713 100644
--- a/playbooks/redirect.archlinux.org.yml
+++ b/playbooks/redirect.archlinux.org.yml
@@ -5,6 +5,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: certbot }
diff --git a/playbooks/reproducible.archlinux.org.yml b/playbooks/reproducible.archlinux.org.yml
index 2405582a435482c38cbd7f62e0b669702deedde7..e5462adbc7957b36863b164da07dfd2907db3f9e 100644
--- a/playbooks/reproducible.archlinux.org.yml
+++ b/playbooks/reproducible.archlinux.org.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: root_ssh }
- { role: borg_client, tags: ["borg"] }
diff --git a/playbooks/security.archlinux.org.yml b/playbooks/security.archlinux.org.yml
index 782265fcfe8c33f0a7a3fd07896a9ab6a2783c16..3a7619d7a76f32e5b9af307f9825a01cd47ba80e 100644
--- a/playbooks/security.archlinux.org.yml
+++ b/playbooks/security.archlinux.org.yml
@@ -21,3 +21,4 @@
- { role: fail2ban }
- { role: prometheus_exporters }
- { role: promtail }
+ - { role: wireguard }
diff --git a/playbooks/state.archlinux.org.yml b/playbooks/state.archlinux.org.yml
index e2a722f9b9ed82aa110c9bf5b3508e6a89eb9a01..b0a4b68e1af10118a4ad9f2d216c18283c1a4ac4 100644
--- a/playbooks/state.archlinux.org.yml
+++ b/playbooks/state.archlinux.org.yml
@@ -7,6 +7,7 @@
- { role: common }
- { role: tools }
- { role: firewalld }
+ - { role: wireguard }
- { role: sshd }
- { role: certbot }
- { role: borg_client, tags: ["borg"] }
diff --git a/playbooks/wiki.archlinux.org.yml b/playbooks/wiki.archlinux.org.yml
index 1c616579613390101cfc4c123c32563427e7ff86..4f062147c6c76820a8b9762d1a7aa56c69903964 100644
--- a/playbooks/wiki.archlinux.org.yml
+++ b/playbooks/wiki.archlinux.org.yml
@@ -5,6 +5,7 @@
remote_user: root
roles:
- { role: firewalld }
+ - { role: wireguard }
- { role: common }
- { role: tools }
- { role: sshd }
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c18d90f7f6cfe891fdf560c588af3f2090085665
--- /dev/null
+++ b/roles/wireguard/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# https://github.com/systemd/systemd/issues/9627
+- name: delete wg0
+ command: networkctl delete wg0
+ register: result
+ failed_when: result.rc not in [0, 1]
+ listen: reload wireguard
+
+- name: reload .network and .netdev files
+ command: networkctl reload
+ listen: reload wireguard
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..527b19545d71d2c891e9cc5a9db5eb5b0a984990
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# Used for debugging
+- name: install wireguard-tools
+ pacman: name=wireguard-tools state=present
+
+- name: install wireguard configuration
+ template: src={{ item.src }} dest=/etc/systemd/network/{{ item.dest }} owner=root group=systemd-network mode=0640
+ loop:
+ - {src: wg0.netdev.j2, dest: wg0.netdev}
+ - {src: wg0.network.j2, dest: wg0.network}
+ notify: reload wireguard
+
+- name: create wireguard zone
+ ansible.posix.firewalld: zone=wireguard permanent=yes state=present
+ register: result
+
+- name: reload firewalld
+ service: name=firewalld state=reloaded
+ when: result.changed
+
+- name: add wg0 to the wireguard zone
+ ansible.posix.firewalld: zone=wireguard interface=wg0 permanent=yes immediate=yes state=enabled
+
+- name: open firewall holes
+ ansible.posix.firewalld: port=51820/udp permanent=yes immediate=yes state=enabled
diff --git a/roles/wireguard/templates/wg0.netdev.j2 b/roles/wireguard/templates/wg0.netdev.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a2247f8e833f62c5c09e95674bbbbb619cb6c1bd
--- /dev/null
+++ b/roles/wireguard/templates/wg0.netdev.j2
@@ -0,0 +1,15 @@
+[NetDev]
+Name=wg0
+Kind=wireguard
+
+[WireGuard]
+ListenPort=51820
+PrivateKey={{ vault_wireguard_private_key }}
+
+{% for host in groups['wireguard'] if host != inventory_hostname %}
+[WireGuardPeer]
+PublicKey={{ hostvars[host]['wireguard_public_key'] }}
+AllowedIPs={{ hostvars[host]['wireguard_address'] }}/32
+Endpoint={{ host }}:51820
+
+{% endfor %}
diff --git a/roles/wireguard/templates/wg0.network.j2 b/roles/wireguard/templates/wg0.network.j2
new file mode 100644
index 0000000000000000000000000000000000000000..0150ad936de81a6b2b80e57785da519dfc39c901
--- /dev/null
+++ b/roles/wireguard/templates/wg0.network.j2
@@ -0,0 +1,5 @@
+[Match]
+Name=wg0
+
+[Network]
+Address={{ wireguard_address }}/24