runbook: swap flossfw wg1 peer public key on operator onboarding

One-command vault edit (replace flossfw.public_key) + wireguard-server redeploy + verify handshake, for when the TaPPaaS operator sends their WireGuard public key.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent 8a5966e367
commit 29b4d8fea5
2 changed files with 88 additions and 0 deletions
@ -9,6 +9,7 @@ authoritative config and commands rather than duplicating them.
|---------|--------|
| [switch-crs310.md](switch-crs310.md) | The MikroTik CRS310 switch — connectivity, VLANs, mgmt-plane lockout recovery, Ansible reconfig. |
| [publishing-services-mf01.md](publishing-services-mf01.md) | Publishing HTTP services on mf01 as `<svc>.mf01.makerfloss.eu` (VPS-terminated TLS over wg1). |
| [swap-flossfw-wg-key.md](swap-flossfw-wg-key.md) | Swap the `flossfw` wg1 peer public key on the VPS when the TaPPaaS operator sends theirs (one-value vault edit + redeploy). |

## Adding a runbook

87 runbooks/swap-flossfw-wg-key.md Normal file
@ -0,0 +1,87 @@
# Runbook — swap the `flossfw` wg1 peer public key

**When:** the TaPPaaS operator has run Task 0 of
[`plans/2026-06-28-tappaas-side-publishing.md`](../docs/superpowers/plans/2026-06-28-tappaas-side-publishing.md)
and sent you their **WireGuard public key**. You replace the placeholder key on
the VPS hub so the `wg1` tunnel to `10.13.0.9` can complete a handshake.

**Reach:** none needed — this runs locally from `~/Projects/AnsibleBaobabV4`;
the deploy reaches the VPS over the public bastion ([access.md](../access.md) B2).

The peer entry in `host_vars/makerfloss.yml` references
`{{ vault_wireguard_makerfloss_peers.flossfw.public_key }}`, so the swap is a
one-value edit in the vault, then a redeploy. (The `private_key` stored under
`flossfw` in the vault is now **unused** — the operator generated their own; you
may leave it or delete it.)

## Fix — paste the operator's public key and run

```bash
cd ~/Projects/AnsibleBaobabV4
NEWPUB='PASTE_OPERATORS_PUBLIC_KEY_HERE' # 44-char base64 ending '='

# sanity-check the value looks like a wg key
[[ "$NEWPUB" =~ ^[A-Za-z0-9+/]{43}=$ ]] || { echo "not a valid wg pubkey"; }

# 1) Decrypt vault to tmpfs, replace ONLY flossfw.public_key, re-encrypt
.venv/bin/ansible-vault decrypt group_vars/all/90-secrets.vault.yml --output /dev/shm/secrets.plain.yml
python3 - "$NEWPUB" <<'PY'
import sys
newpub = sys.argv[1]
path = "/dev/shm/secrets.plain.yml"
lines = open(path).read().splitlines(keepends=True)
in_flossfw = False
done = False
for i, ln in enumerate(lines):
    if ln.rstrip("\n") == " flossfw:":
        in_flossfw = True
        continue
    if in_flossfw:
        # stop if we left the flossfw block (next key at <=2-space indent)
        if ln.strip() and not ln.startswith(" "):
            break
        if ln.lstrip().startswith("public_key:"):
            indent = ln[:len(ln) - len(ln.lstrip())]
            lines[i] = f'{indent}public_key: "{newpub}"\n'
            done = True
            break
assert done, "flossfw.public_key line not found"
open(path, "w").writelines(lines)
print("replaced flossfw.public_key")
PY
.venv/bin/ansible-vault encrypt /dev/shm/secrets.plain.yml --output group_vars/all/90-secrets.vault.yml --encrypt-vault-id prod
shred -u /dev/shm/secrets.plain.yml 2>/dev/null; rm -f /dev/shm/secrets.plain.yml

# 2) Redeploy the WireGuard hub config
.venv/bin/ansible-playbook play_setup.yml -i inventories/prod/hosts.yml --limit makerfloss -t wireguard-server

# 3) Commit (encrypted vault only)
git add group_vars/all/90-secrets.vault.yml
git commit -m "wg1: set flossfw peer public key (TaPPaaS operator onboarding)"
git push
```

## Verify

```bash
# The new key is registered for 10.13.0.9 on the hub
ssh -p 7576 sjat@makerfloss.eu "sudo wg show wg1 allowed-ips" | grep 10.13.0.9
# -> the line should show the operator's key (matches NEWPUB), allowed-ip 10.13.0.9/32

# Once the operator brings their tunnel up, a handshake appears:
ssh -p 7576 sjat@makerfloss.eu "sudo wg show wg1 latest-handshakes" | grep -i "$NEWPUB"
# -> non-zero / recent timestamp = tunnel established

# End-to-end (after their Caddy :80 backend is up) — returns 200 instead of 502:
curl -s -o /dev/null -w '%{http_code}\n' https://whoami.tappaas.makerfloss.eu/
```

If `wg show` still lists the old key, the vault edit or redeploy didn't take —
re-check the `git diff` was the vault file and the play ran `failed=0`.

## Links

- TaPPaaS-side plan (what the operator runs): [`../docs/superpowers/plans/2026-06-28-tappaas-side-publishing.md`](../docs/superpowers/plans/2026-06-28-tappaas-side-publishing.md)
- VPS-side design/plan (the contract): [`../docs/superpowers/specs/2026-06-28-tappaas-vps-publishing-design.md`](../docs/superpowers/specs/2026-06-28-tappaas-vps-publishing-design.md)
- Sibling pattern: [`publishing-services-mf01.md`](publishing-services-mf01.md)
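Review bot: the sanity check at the top of the `## Fix` block, `[[ "$NEWPUB" =~ ^[A-Za-z0-9+/]{43}=$ ]] || { echo "not a valid wg pubkey"; }`, only prints and then falls through, so a mistyped or still-placeholder `NEWPUB` is written into the vault, deployed and committed by the steps that follow; the same fall-through applies when the Python `assert done` trips, because `ansible-vault encrypt`, the playbook and `git commit` still run and the unchanged plaintext is re-encrypted and committed under a message saying the key was set. Suggest making a failed step stop the run, e.g. `[[ "$NEWPUB" =~ ^[A-Za-z0-9+/]{43}=$ ]] || { echo "not a valid wg pubkey"; return 1; }` inside a shell function (a bare `exit` would close the operator's interactive shell) with `&&` between decrypt, the Python edit, encrypt and the playbook run, or running the block as a script under `set -euo pipefail`. Two smaller points in the same hunk: the Python matcher accepts the first line equal to `flossfw:` anywhere in the decrypted file and is whitespace-exact, so it never confirms that the enclosing mapping is `vault_wireguard_makerfloss_peers` and it silently stops matching if the vault is ever re-indented; remembering the column-0 parent key before accepting `flossfw:` closes both gaps without a YAML round-trip that would reformat the rest of the vault. In `## Verify`, `grep -i "$NEWPUB"` compares a case-sensitive base64 key case-insensitively and as a regex, and `grep 10.13.0.9` also matches `10.13.0.90`; `grep -F -- "$NEWPUB"` and `grep -F '10.13.0.9/32'` are the literal forms. Finally, since `wg show` reads runtime state, the troubleshooting sentence could say whether the `wireguard-server` tag reloads the interface (`wg syncconf`) or only rewrites the config file, and the now-unused `flossfw.private_key` is better deleted in the same edit than left in the vault for a later reader to mistake the hub for its holder.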