mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
27553ab31a
With the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server. All the keys have been rotated and the new private keys are only stored on the servers. [1] https://github.com/systemd/systemd/pull/30826 [2] https://github.com/systemd/systemd/releases/tag/v256 [3] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/64
19 lines
947 B
Markdown
19 lines
947 B
Markdown
# WireGuard
|
|
|
|
Many of our servers communicate through wireguard VPN with each others. If you need to collect logs with `loki` and metrics with `prometheus` for dashboards you need to have a wiregauard IP.
|
|
|
|
## Setting up
|
|
1. For a new server add a new unused wireguard IP and set the following in `host_vars/<fqdn>/misc`
|
|
```
|
|
wireguard_address: <wg-ip>
|
|
wireguard_public_key: <wg-pubkey>
|
|
```
|
|
|
|
1. Generate the private key on the server with `wg genkey | systemd-creds encrypt - /etc/credstore.encrypted/network.wireguard.private.wg0` and restart systemd-networkd with `systemctl restart systemd-networkd`
|
|
|
|
Tips:
|
|
- Pick next available IP for Wireguard from `grep -r wireguard_address host_vars/ | cut -f3 -d: | sort -h`
|
|
|
|
- Wireguard key generation docs: https://www.wireguard.com/quickstart/#key-generation
|
|
1. Execute `wireguard` and `prometheus` roles on `monitoring.archlinux.org.yml` playbook to get data from the server
|