Rotate WireGuard VPN Keys
This runbook rotates the WireGuard private key for a tenant VPN server. Rotation is zero-touch on the server side: update the Barbican secret and the server picks it up automatically within 60 seconds — no SSH access, no restart, no signal required.
Rotate Ansible Vault Passwords
Rotating the Ansible Vault password
Rotate SSH Keys
This runbook rotates the Ed25519 key pair used to access all infrastructure hosts (bare-metal nodes, management cluster VMs, Hedgehog fabric). Rotation uses a zero-downtime approach: the new key is added to all hosts before the old key is removed.
Rotate TLS Certificates
Rotating the TLS certificates