1
1
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
infrastructure/host_vars/gitlab.archlinux.org/misc.yml
Kristian Klausen 27553ab31a
Remove the WG private keys from the vault and store them only on the servers
With the support for network.wireguard.* credentials[1] in systemd
v256[2], we can now easily avoid storing the credentials centrally in
our ansible vault, which is preferable as it makes the private keys less
exposed. It may also make fine-grained access easier in the future[3] as
there is no longer a vault file for each server.

All the keys have been rotated and the new private keys are only stored
on the servers.

[1] https://github.com/systemd/systemd/pull/30826
[2] https://github.com/systemd/systemd/releases/tag/v256
[3] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/64
2024-12-15 17:08:21 +01:00

18 lines
493 B
YAML

ansible_port: 2222
filesystem: btrfs
enable_zram_swap: true
additional_addresses: ["213.133.111.6/32", "2a01:4f8:222:174c::2/64"]
wireguard_address: 10.0.0.5
wireguard_public_key: ebEWzriL3dohjDP49Hp+SGHZBnzx8fjnohDN3igQlCc=
hostname: "gitlab.archlinux.org"
network_interface: "en*"
ipv4_address: "213.133.111.15"
ipv4_netmask: "/32"
ipv6_address: "2a01:4f8:222:174c::1"
ipv6_netmask: "/64"
ipv4_gateway: "213.133.111.1"
ipv6_gateway: "fe80::1"
system_disks:
- /dev/nvme0n1
- /dev/nvme1n1