Wireguard VPN
=============

+---------------+----------------------------------------------------------------------+
| Metric        | Target                                                               |
+===============+======================================================================+
| RPO           | n/a (stateless service)                                              |
+---------------+----------------------------------------------------------------------+
| RTO           | 1 hour                                                               |
+---------------+----------------------------------------------------------------------+

Wireguard is provisioned using Ansible and runs on the :doc:`recovery-hetzner`
server called ``kiste1``.

Wireguard can be re-provisioned using `this playbook`_, i.e.

.. code-block:: console

    $ source ./.venv/bin/activate
    $ # Get the Vault password from Bitwarden (note that this is not hashi-vault!)
    $ ansible-playbook playbooks/wireguard-server.yaml --check --diff --ask-vault-pass


.. _this playbook: https://github.com/crate/infrastructure/blob/master/playbooks/wireguard-server.yaml