action #169564
Updated by okurz about 1 month ago
## Acceptance criteria

* **AC1:** All hosts in the NUE2 server room that are managed via Salt have WireGuard set up via Salt so they can reach the CC area
* **AC2:** The setup is reproducible

## Suggestions

* Follow steps on https://confluence.suse.com/display/~dawei_pang/VMs+on+vm-server.qa2.suse.asia+accessing+CC+area#VMsonvmserver.qa2.suse.asiaaccessingCCarea-HowtoprepareWGonyourVMs on one host and prepare a Salt change to apply this to other relevant hosts.
* Introduce a special role or add a condition based on worker classes to set up WireGuard only on hosts in the NUE2 server room.
* Take https://confluence.suse.com/display/enginfra/Wireguard+gateway+-+auto+configuration+tool as inspiration for the Salt change.
* This involves letting IT do the final configuration manually. Supposedly that's also where the keypair is generated and the public key copied over to the WG gateway.
* Have a look at https://sd.suse.com/servicedesk/customer/portal/1/SD-171369 in case we get a response from IT after all.
* Talk to Beijing colleagues who have already been through this.
* Put into Salt or documentation what needs to be done if we want to reproduce, e.g. put private keys into the Salt pillar repo
* When done, add affected workers back to Salt, e.g. via `for key in petrol.qe.nue2.suse.org sapworker1.qe.nue2.suse.org diesel.qe.nue2.suse.org mania.qe.nue2.suse.org; do salt-key --accept="$key" --include-rejected --yes; done`