One-command vault edit (replace flossfw.public_key) + wireguard-server redeploy + verify handshake, for when the TaPPaaS operator sends their WireGuard public key. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
# Runbook — swap the flossfw wg1 peer public key

When: the TaPPaaS operator has run Task 0 of
`plans/2026-06-28-tappaas-side-publishing.md`
and sent you their WireGuard public key. You replace the placeholder key on
the VPS hub so the wg1 tunnel to 10.13.0.9 can complete a handshake.

Reach: none needed — this runs locally from `~/Projects/AnsibleBaobabV4`;
the deploy reaches the VPS over the public bastion (access.md B2).

The peer entry in `host_vars/makerfloss.yml` references
`{{ vault_wireguard_makerfloss_peers.flossfw.public_key }}`, so the swap is a
one-value edit in the vault, then a redeploy. (The `private_key` stored under
`flossfw` in the vault is now unused — the operator generated their own; you
may leave it or delete it.)
## Fix — paste the operator's public key and run

```bash
cd ~/Projects/AnsibleBaobabV4
NEWPUB='PASTE_OPERATORS_PUBLIC_KEY_HERE' # 44-char base64 ending '='
# sanity-check the value looks like a wg key (a warning, so an interactive shell stays open)
[[ "$NEWPUB" =~ ^[A-Za-z0-9+/]{43}=$ ]] || echo "not a valid wg pubkey - stop here, do not run the steps below" >&2

# 1) Decrypt vault to tmpfs, replace ONLY flossfw.public_key, re-encrypt
.venv/bin/ansible-vault decrypt group_vars/all/90-secrets.vault.yml --output /dev/shm/secrets.plain.yml
python3 - "$NEWPUB" <<'PY'
import sys
newpub = sys.argv[1]
path = "/dev/shm/secrets.plain.yml"
lines = open(path).read().splitlines(keepends=True)
in_flossfw = False
done = False
for i, ln in enumerate(lines):
    # the peer map sits at 2-space indent under vault_wireguard_makerfloss_peers
    if ln.rstrip() == "  flossfw:":
        in_flossfw = True
        continue
    if in_flossfw:
        indent = len(ln) - len(ln.lstrip())
        # stop if we left the flossfw block (next key at <=2-space indent)
        if ln.strip() and indent <= 2:
            break
        if ln.lstrip().startswith("public_key:"):
            lines[i] = f'{ln[:indent]}public_key: "{newpub}"\n'
            done = True
            break
assert done, "flossfw.public_key line not found"
open(path, "w").writelines(lines)
print("replaced flossfw.public_key")
PY
.venv/bin/ansible-vault encrypt /dev/shm/secrets.plain.yml --output group_vars/all/90-secrets.vault.yml --encrypt-vault-id prod
# tmpfs: shred is best-effort; rm covers the case where shred is absent
shred -u /dev/shm/secrets.plain.yml 2>/dev/null; rm -f /dev/shm/secrets.plain.yml

# 2) Redeploy the WireGuard hub config
.venv/bin/ansible-playbook play_setup.yml -i inventories/prod/hosts.yml --limit makerfloss -t wireguard-server

# 3) Commit (encrypted vault only)
git add group_vars/all/90-secrets.vault.yml
git commit -m "wg1: set flossfw peer public key (TaPPaaS operator onboarding)"
git push
```
## Verify

```bash
# The new key is registered for 10.13.0.9 on the hub
ssh -p 7576 sjat@makerfloss.eu "sudo wg show wg1 allowed-ips" | grep 10.13.0.9
# -> the line should show the operator's key (matches NEWPUB), allowed-ip 10.13.0.9/32

# Once the operator brings their tunnel up, a handshake appears
# (-F: the key is base64, so '+' and '/' must match literally):
ssh -p 7576 sjat@makerfloss.eu "sudo wg show wg1 latest-handshakes" | grep -F "$NEWPUB"
# -> non-zero / recent timestamp = tunnel established

# End-to-end (after their Caddy :80 backend is up) — returns 200 instead of 502:
curl -s -o /dev/null -w '%{http_code}\n' https://whoami.tappaas.makerfloss.eu/
```

If `wg show` still lists the old key, the vault edit or the redeploy didn't take —
re-check that the git diff touched only the vault file and that the play finished with failed=0.
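The same verification as a script, added here as an example and not part of the original runbook: it parses `wg show wg1 dump` output and classifies the 10.13.0.9 peer as missing, wrong key, never handshaked, stale, or up, so the three failure modes above are told apart in one place. The keys, the dump text and the 180-second freshness window are constructed assumptions.

```python
import base64
import binascii

# Constructed keys (32 fixed bytes, base64): stand-ins, not real peers.
OLD_KEY = base64.b64encode(bytes([1]) * 32).decode()
NEW_KEY = base64.b64encode(bytes([2]) * 32).decode()

# Constructed `wg show wg1 dump` output: interface line, then one tab-separated
# line per peer: pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
SAMPLE_DUMP = "\n".join([
    "\t".join(["REDACTED_PRIVATE_KEY", base64.b64encode(bytes([9]) * 32).decode(), "51820", "off"]),
    "\t".join([OLD_KEY, "(none)", "(none)", "10.13.0.5/32", "0", "0", "0", "off"]),
    "\t".join([NEW_KEY, "(none)", "203.0.113.7:41414", "10.13.0.9/32", "1782600000", "1488", "2224", "25"]),
])

def is_wg_key(key: str) -> bool:
    """A WireGuard key is 32 raw bytes: 44 base64 chars ending in '='."""
    if len(key) != 44 or not key.endswith("="):
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def peer_for_ip(dump: str, allowed_ip: str):
    """(pubkey, latest_handshake) of the peer that owns allowed_ip, else None."""
    for line in dump.splitlines()[1:]:  # first line describes the interface
        fields = line.split("\t")
        if len(fields) != 8:
            continue
        pubkey, _psk, _endpoint, allowed, handshake = fields[:5]
        if allowed_ip in allowed.split(","):
            return pubkey, int(handshake)
    return None

def tunnel_status(dump, expected_key, allowed_ip, now, max_age=180):
    """'missing', 'wrong-key', 'no-handshake', 'stale' or 'up' for the peer."""
    peer = peer_for_ip(dump, allowed_ip)
    if peer is None:
        return "missing"          # vault edit or redeploy did not take
    pubkey, handshake = peer
    if pubkey != expected_key:
        return "wrong-key"        # hub still carries the placeholder key
    if handshake == 0:
        return "no-handshake"     # key registered, operator has not brought wg1 up
    if now - handshake > max_age:
        return "stale"            # handshaked once, but not within max_age seconds
    return "up"
```

On the hub, feed it the real output (`sudo wg show wg1 dump`) and the current time (`date +%s`); "up" corresponds to the recent-timestamp check above.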
## Links

- TaPPaaS-side plan (what the operator runs): `../docs/superpowers/plans/2026-06-28-tappaas-side-publishing.md`
- VPS-side design/plan (the contract): `../docs/superpowers/specs/2026-06-28-tappaas-vps-publishing-design.md`
- Sibling pattern: `publishing-services-mf01.md`