With the support for network.wireguard.* credentials[1] in systemd
v256[2], we can now easily avoid storing the credentials centrally in
our ansible vault, which is preferable as it makes the private keys less
exposed. It may also make fine-grained access easier in the future[3] as
there is no longer a vault file for each server.

All the keys have been rotated and the new private keys are only stored
on the servers.

[1] https://github.com/systemd/systemd/pull/30826
[2] https://github.com/systemd/systemd/releases/tag/v256
[3] #64

The naming of yaml files should be consistent.

This is meant as a internal authenticated and encrypted network which we
can use for internal services, we don't want to expose to the internet
or when encryption is desired but not easily implementable.

Previously we configured our network conf to all interfaces, which
shouldn't be done as not all our routed to the internet and this causes
systemd-network-online target to fail.

Closes: #231

Jelle van der Waa authored 4 years ago and Jelle van der Waa committed 4 years ago

To simplify the archive role, split it up in the web serving part for
the archive-mirrors, gemini and keep the archive role for only the
archive operation. This simplifies the new role as only two lines are
required to setup the the archive mirror website.

Setup Kape servers as archive mirrors (asia,europe,america), Gitlab
runner and Rebuilderd worker. All machines except runner1 are EFI
machines with grub setup and a EFI parition which is not supported by
our ansible install role and is manually rolled out.