Remove the WG private keys from the vault and store them only on the servers
With the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server.
All the keys have been rotated and the new private keys are only stored on the servers.
[1] https://github.com/systemd/systemd/pull/30826
[2] https://github.com/systemd/systemd/releases/tag/v256
[3] #64
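
As an added example (not part of this merge request or of the repository it changes), a small audit that checks systemd-networkd `.netdev` content for WireGuard private keys still written inline instead of being referenced as a credential. It assumes the `PrivateKey=@<credential name>` form documented in systemd.netdev(5) and only inspects `PrivateKey=`; the interface name, the credential name and the dummy key are constructed.

```python
import base64
import binascii

# Constructed sample data: a dummy all-zero key and a made-up credential name
# that matches the network.wireguard.* prefix named in the description above.
DUMMY_KEY = "A" * 43 + "="
TEMPLATE = "[NetDev]\nName=wg0\nKind=wireguard\n\n[WireGuard]\nListenPort=51820\nPrivateKey={}\n"
INLINE_NETDEV = TEMPLATE.format(DUMMY_KEY)
CREDENTIAL_NETDEV = TEMPLATE.format("@network.wireguard.private.wg0")


def is_wireguard_key(value):
    """Return True if value is base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def audit_netdev(text):
    """Classify every PrivateKey= found in a [WireGuard] section.

    Returns (line number, kind) tuples where kind is 'credential' for an
    @-prefixed credential reference, 'inline-key' for key material stored
    in the file itself, and 'other' for anything else (empty, templated).
    """
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "WireGuard" or not sep or key.strip() != "PrivateKey":
            continue
        value = value.strip()
        if value.startswith("@"):
            kind = "credential"
        elif is_wireguard_key(value):
            kind = "inline-key"
        else:
            kind = "other"
        findings.append((lineno, kind))
    return findings


if __name__ == "__main__":
    for name, text in (("inline", INLINE_NETDEV), ("credential", CREDENTIAL_NETDEV)):
        print(name, audit_netdev(text))
```

Any `inline-key` finding means the private key is still stored in the configuration file itself.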