# Runbook — swap the `flossfw` wg1 peer public key

**When:** the TaPPaaS operator has run Task 0 of [`plans/2026-06-28-tappaas-side-publishing.md`](../docs/superpowers/plans/2026-06-28-tappaas-side-publishing.md) and sent you their **WireGuard public key**. You replace the placeholder key on the VPS hub so the `wg1` tunnel to `10.13.0.9` can complete a handshake.

**Reach:** none needed — this runs locally from `~/Projects/AnsibleBaobabV4`; the deploy reaches the VPS over the public bastion ([access.md](../access.md) B2).

The peer entry in `host_vars/makerfloss.yml` references `{{ vault_wireguard_makerfloss_peers.flossfw.public_key }}`, so the swap is a one-value edit in the vault, then a redeploy. (The `private_key` stored under `flossfw` in the vault is now **unused** — the operator generated their own; you may leave it or delete it.)

## Fix — paste the operator's public key and run

```bash
cd ~/Projects/AnsibleBaobabV4
NEWPUB='PASTE_OPERATORS_PUBLIC_KEY_HERE'   # 44-char base64 ending '='

# sanity-check the value looks like a wg key; stop here (before touching the vault) if it does not
[[ "$NEWPUB" =~ ^[A-Za-z0-9+/]{43}=$ ]] || { echo "not a valid wg pubkey" >&2; exit 1; }

# 1) Decrypt vault to tmpfs, replace ONLY flossfw.public_key, re-encrypt
.venv/bin/ansible-vault decrypt group_vars/all/90-secrets.vault.yml --output /dev/shm/secrets.plain.yml
python3 - "$NEWPUB" <<'PY'
import sys

newpub = sys.argv[1]
path = "/dev/shm/secrets.plain.yml"
lines = open(path).read().splitlines(keepends=True)

in_flossfw = False
done = False
for i, ln in enumerate(lines):
    # the peer block sits at 2-space indent under vault_wireguard_makerfloss_peers
    if ln.rstrip("\n") == "  flossfw:":
        in_flossfw = True
        continue
    if in_flossfw:
        # stop if we left the flossfw block (next key at <=2-space indent)
        if ln.strip() and not ln.startswith("    "):
            break
        if ln.lstrip().startswith("public_key:"):
            indent = ln[:len(ln) - len(ln.lstrip())]
            lines[i] = f'{indent}public_key: "{newpub}"\n'
            done = True
            break
assert done, "flossfw.public_key line not found"
open(path, "w").writelines(lines)
print("replaced flossfw.public_key")
PY
.venv/bin/ansible-vault encrypt /dev/shm/secrets.plain.yml --output group_vars/all/90-secrets.vault.yml --encrypt-vault-id prod
shred -u /dev/shm/secrets.plain.yml 2>/dev/null; rm -f /dev/shm/secrets.plain.yml

# 2) Redeploy the WireGuard hub config
.venv/bin/ansible-playbook play_setup.yml -i inventories/prod/hosts.yml --limit makerfloss -t wireguard-server

# 3) Commit (encrypted vault only)
git add group_vars/all/90-secrets.vault.yml
git commit -m "wg1: set flossfw peer public key (TaPPaaS operator onboarding)"
git push
```

## Verify

```bash
# The new key is registered for 10.13.0.9 on the hub
ssh -p 7576 sjat@makerfloss.eu "sudo wg show wg1 allowed-ips" | grep 10.13.0.9
# -> the line should show the operator's key (matches NEWPUB), allowed-ip 10.13.0.9/32

# Once the operator brings their tunnel up, a handshake appears
# (fixed-string match: base64 keys are case-sensitive and contain '+' and '/'):
ssh -p 7576 sjat@makerfloss.eu "sudo wg show wg1 latest-handshakes" | grep -F "$NEWPUB"
# -> non-zero / recent timestamp = tunnel established

# End-to-end (after their Caddy :80 backend is up) — returns 200 instead of 502:
curl -s -o /dev/null -w '%{http_code}\n' https://whoami.tappaas.makerfloss.eu/
```

If `wg show` still lists the old key, the vault edit or redeploy didn't take — re-check that the `git diff` touched the vault file and that the play finished with `failed=0`.

## Links

- TaPPaaS-side plan (what the operator runs): [`../docs/superpowers/plans/2026-06-28-tappaas-side-publishing.md`](../docs/superpowers/plans/2026-06-28-tappaas-side-publishing.md)
- VPS-side design/plan (the contract): [`../docs/superpowers/specs/2026-06-28-tappaas-vps-publishing-design.md`](../docs/superpowers/specs/2026-06-28-tappaas-vps-publishing-design.md)
- Sibling pattern: [`publishing-services-mf01.md`](publishing-services-mf01.md)
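The key-swap step of the Fix section (validate the pasted value, then rewrite only the peer's `public_key` line in the decrypted vault) as a stand-alone, testable Python version. This is an added example, not part of the runbook or of the AnsibleBaobabV4 repo. It goes slightly beyond the heredoc above: it takes any peer name under `vault_wireguard_makerfloss_peers` (not just `flossfw`), checks that the key base64-decodes to exactly 32 bytes rather than only matching the regex, and raises instead of writing when the target line is missing. The function names, the peer names, the key values and the vault layout in the sample are constructed for the example.

```python
"""Added example: rewrite one peer's public_key in a decrypted Ansible vault file.

Works on the YAML text line by line using indentation only, so comments,
ordering and every untouched line survive byte-for-byte (a YAML library would
re-serialise the whole file). Everything below is constructed for the example.
"""
import base64
import binascii
import re

# A WireGuard key is 32 bytes, i.e. 43 base64 characters plus one '=' of padding.
WG_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")

# Constructed dummy key (base64 of the bytes 0x00..0x1f), not a real peer key.
EXAMPLE_PUBKEY = base64.b64encode(bytes(range(32))).decode()

# Constructed sample of a decrypted vault; placeholder values, not real secrets.
SAMPLE_VAULT_PLAINTEXT = """\
# constructed sample, layout mirrors the runbook's vault
vault_wireguard_makerfloss_peers:
  flossfw:
    private_key: "UNUSED_PLACEHOLDER_PRIVATE_KEY"
    public_key: "PLACEHOLDER_PUBLIC_KEY"
    allowed_ips: "10.13.0.9/32"
  other_peer:
    public_key: "ANOTHER_PLACEHOLDER"
vault_something_else: "untouched"
"""


def is_wg_public_key(value: str) -> bool:
    """True iff value is the base64 form of exactly 32 bytes (a Curve25519 key)."""
    if not WG_KEY_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def replace_peer_public_key(text: str, peer: str, newpub: str,
                            peers_key: str = "vault_wireguard_makerfloss_peers") -> str:
    """Return text with <peers_key>.<peer>.public_key set to newpub.

    Raises ValueError if newpub is not a WireGuard public key or if the
    target line cannot be found, so a bad paste never reaches the vault.
    """
    if not is_wg_public_key(newpub):
        raise ValueError("not a valid WireGuard public key")
    lines = text.splitlines(keepends=True)
    in_peers = in_peer = False
    peers_indent = peer_indent = -1
    for i, ln in enumerate(lines):
        stripped = ln.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments never change nesting
        indent = len(ln) - len(ln.lstrip(" "))
        if not in_peers:
            if indent == 0 and stripped == f"{peers_key}:":
                in_peers, peers_indent = True, indent
            continue
        if indent <= peers_indent:
            break  # next top-level key: left the peers mapping without a match
        if not in_peer:
            if stripped == f"{peer}:":
                in_peer, peer_indent = True, indent
            continue
        if indent <= peer_indent:
            break  # next peer (or top-level key): left the peer block without a match
        if stripped.startswith("public_key:"):
            lines[i] = f'{" " * indent}public_key: "{newpub}"\n'
            return "".join(lines)
    raise ValueError(f"{peers_key}.{peer}.public_key not found")


if __name__ == "__main__":
    # Demo on the constructed sample: only flossfw.public_key changes.
    print(replace_peer_public_key(SAMPLE_VAULT_PLAINTEXT, "flossfw", EXAMPLE_PUBKEY))
```

In the runbook's flow this would replace the `python3 - "$NEWPUB" <<'PY' ... PY` heredoc: read `/dev/shm/secrets.plain.yml`, call `replace_peer_public_key(text, "flossfw", newpub)`, and write the result back only if no `ValueError` was raised, so the `ansible-vault encrypt` that follows never re-encrypts a half-edited file.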