mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
27553ab31a
With the support for network.wireguard.* credentials[1] in systemd v256[2], we can now easily avoid storing the credentials centrally in our ansible vault, which is preferable as it makes the private keys less exposed. It may also make fine-grained access easier in the future[3] as there is no longer a vault file for each server. All the keys have been rotated and the new private keys are only stored on the servers. [1] https://github.com/systemd/systemd/pull/30826 [2] https://github.com/systemd/systemd/releases/tag/v256 [3] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/64
16 lines
335 B
Django/Jinja
16 lines
335 B
Django/Jinja
[NetDev]
|
|
Name=wg0
|
|
Kind=wireguard
|
|
|
|
[WireGuard]
|
|
ListenPort=51820
|
|
PrivateKey=@network.wireguard.private.wg0
|
|
|
|
{% for host in groups['all'] if host != inventory_hostname %}
|
|
[WireGuardPeer]
|
|
PublicKey={{ hostvars[host]['wireguard_public_key'] }}
|
|
AllowedIPs={{ hostvars[host]['wireguard_address'] }}/32
|
|
Endpoint={{ host }}:51820
|
|
|
|
{% endfor %}
|