add wg interface to access postgres

configure/ansible.cfg

@@ -1,6 +1,7 @@
 [defaults]
 inventory=inventory
 interpreter_python=/usr/bin/python3
+vault_password_file=util/secret-service-client.sh
 
 [diff]
 always = True

configure/atlas.yml

@@ -71,12 +71,11 @@
       databases: all
       method: trust
       users: terraform
-      address: "{{ item }}"
+      address: "10.42.0.0/24"
       create: true
     become: true
     become_user: postgres
     notify: restart postgres
-    with_items: ["192.168.0.0/16", "10.0.0.0/8"]
   - name: Open postgres port
     ini_file:
       path: /etc/postgresql/15/main/postgresql.conf
@@ -89,3 +88,5 @@
       src: dmz.conf
       dest: /etc/network/interfaces.d/dmz.conf
     notify: enable interfaces
+  roles:
+    - githubixx.ansible_role_wireguard

configure/inventory/host_vars/atlas.yml

@@ -1 +1,16 @@
 storage_pools: [iso, disk, init]
+wireguard_addresses:
+  - "10.42.0.1/32"
+wireguard_endpoint: "atlas.lan"
+wireguard_private_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65666463346536363662353234666662376330396365656361636530663032366436653336383134
+          6463636362636530316434626561623866306165313638330a633761626361393963303933313738
+          30336535333761393663396534373363333465306232343238666538383039636138393661373839
+          3935626664326237310a386337306364663463663764376631336431363062656137376635366361
+          35393135626261626565333261316363633838353833666163666132363462636431626234383864
+          3039633631356339663234656233343635653236356235623532
+wireguard_unmanaged_peers:
+  pim:
+    public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08="
+    allowed_ips: "10.42.0.2/32"

configure/util/secret-service-client.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault atlas`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+	read -s pass
+fi
+echo $pass