Remove the WG private keys from the vault and store them only on the servers

With the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server.

All the keys have been rotated and the new private keys are only stored on the servers.

[1] https://github.com/systemd/systemd/pull/30826 [2] https://github.com/systemd/systemd/releases/tag/v256 [3] #64

docs/wireguard.md

@@ -9,7 +9,7 @@ Many of our servers communicate through wireguard VPN with each others. If you n
     wireguard_public_key: <wg-pubkey>
     ```
 
-1. Save the private key in a encypted vault in  `host_vars/<fqdn>/vault_wireguard.yml`
+1. Generate private key on the server with `wg genkey | systemd-creds encrypt - /etc/credstore.encrypted/network.wireguard.private.wg0` and restart systemd-networkd with `systemctl restart systemd-networkd`
 
     Tips: 
     - Pick next available IP for Wireguard from `grep -r wireguard_address host_vars/ | cut -f3 -d: | sort -h`