Remove the WG private keys from the vault and store them only on the servers (!891) · Merge requests · Arch Linux / infrastructure

With the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server.

All the keys have been rotated and the new private keys are only stored on the servers.

[1] https://github.com/systemd/systemd/pull/30826 [2] https://github.com/systemd/systemd/releases/tag/v256 [3] #64

Edited Dec 15, 2024 by Kristian Klausen

Admin message

Remove the WG private keys from the vault and store them only on the servers

Merge request reports