Remove the WG private keys from the vault and store them only on the servers

With the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server.

All the keys have been rotated and the new private keys are only stored on the servers.

[1] https://github.com/systemd/systemd/pull/30826 [2] https://github.com/systemd/systemd/releases/tag/v256 [3] #64

added 1 commit

• ca6e46ee - wip: remove WG private key from the vault

Compare with previous version

added 2 commits

• e5e2e547 - 1 commit from branch archlinux:master
• ebf10df1 - wip: remove WG private key from the vault

Compare with previous version

approved this merge request

changed the description

I'm ok with this.

As an aside, I think mid-long term we should look into running tailscale/headscale or some other meshing solution for wireguard. Having to manually notify all servers of mesh changes is a bit of a hassle.

approved this merge request

added 34 commits

• ebf10df1...6d39c3c6 - 33 commits from branch archlinux:master
• 170cac05 - Remove the WG private keys from the vault and store them only on the servers

Compare with previous version

reset approvals from @svenstaro and @foutrelis by pushing to the branch

marked this merge request as ready

changed title from Draft: Remove WG private key from the vault to Remove the WG private keys from the vault and store them only on the servers

changed the description

added 1 commit

• 151c8bcf - Remove the WG private keys from the vault and store them only on the servers

Compare with previous version

added 1 commit

• 27553ab3 - Remove the WG private keys from the vault and store them only on the servers

Compare with previous version

changed the description

mentioned in commit 1950fbeb

merged manually