Diffstat (limited to 'tnet')
-rw-r--r-- | tnet/bird-deploy.yml | 5 | ||||
-rw-r--r-- | tnet/bird-gen-password.yml | 1 | ||||
-rw-r--r-- | tnet/bird-gen.yml | 17 | ||||
-rw-r--r-- | tnet/group_vars/all/bird.sops.yml | 46 | ||||
-rw-r--r-- | tnet/host_vars/knot/wg.yml | 10 | ||||
-rw-r--r-- | tnet/host_vars/kv24ix/wg.yml | 3 | ||||
-rw-r--r-- | tnet/keys/wg-kioubit_de2-knot.pub | 1 | ||||
-rw-r--r-- | tnet/keys/wg-knot-kioubit_de2.pub | 1 | ||||
-rw-r--r-- | tnet/keys/wg-knot-kioubit_de2.sops.key | 28 | ||||
-rw-r--r-- | tnet/templates/akili/bird-tnet-pre.conf (renamed from tnet/files/akili/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/akili/bird-tnet.conf (renamed from tnet/files/akili/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/astyanax/bird-tnet-pre.conf (renamed from tnet/files/astyanax/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/astyanax/bird-tnet.conf (renamed from tnet/files/astyanax/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/bird-tnet.conf.j2 | 8 | ||||
-rw-r--r-- | tnet/templates/conflatorio/bird-tnet-pre.conf (renamed from tnet/files/conflatorio/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/conflatorio/bird-tnet.conf (renamed from tnet/files/conflatorio/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/coregonus/bird-tnet-pre.conf (renamed from tnet/files/coregonus/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/coregonus/bird-tnet.conf (renamed from tnet/files/coregonus/bird-tnet.conf) | 3 | ||||
-rw-r--r-- | tnet/templates/hash/bird-tnet-pre.conf (renamed from tnet/files/hash/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/hash/bird-tnet.conf (renamed from tnet/files/hash/bird-tnet.conf) | 7 | ||||
-rw-r--r-- | tnet/templates/knot/bird-tnet-pre.conf (renamed from tnet/files/knot/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/knot/bird-tnet.conf (renamed from tnet/files/knot/bird-tnet.conf) | 9 | ||||
-rw-r--r-- | tnet/templates/lhn2pi/bird-tnet-pre.conf (renamed from tnet/files/lhn2pi/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/lhn2pi/bird-tnet.conf (renamed from tnet/files/lhn2pi/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/node1/bird-tnet-pre.conf (renamed from tnet/files/node1/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/node1/bird-tnet.conf (renamed from tnet/files/node1/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/node2/bird-tnet-pre.conf (renamed from tnet/files/node2/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/node2/bird-tnet.conf (renamed from tnet/files/node2/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/wg-links.yml | 1 |
29 files changed, 125 insertions, 39 deletions
diff --git a/tnet/bird-deploy.yml b/tnet/bird-deploy.yml index ed7cecf..9759c01 100644 --- a/tnet/bird-deploy.yml +++ b/tnet/bird-deploy.yml @@ -1,9 +1,9 @@ - hosts: tnet_bird tasks: - become: yes - copy: - dest: "/etc/bird/{{ item }}" + template: src: "{{ inventory_hostname }}/{{ item }}" + dest: "/etc/bird/{{ item }}" owner: bird group: bird mode: 0640 @@ -23,4 +23,3 @@ systemd: name: bird state: reloaded - diff --git a/tnet/bird-gen-password.yml b/tnet/bird-gen-password.yml new file mode 100644 index 0000000..501c5ef --- /dev/null +++ b/tnet/bird-gen-password.yml @@ -0,0 +1 @@ +- tasks: diff --git a/tnet/bird-gen.yml b/tnet/bird-gen.yml index 9fa71b1..74a83b1 100644 --- a/tnet/bird-gen.yml +++ b/tnet/bird-gen.yml @@ -1,25 +1,16 @@ -- name: Remove old configuration - hosts: localhost - connection: local - gather_facts: False - tasks: - - file: - path: files - state: absent - changed_when: False - - name: Generate Bird configuration hosts: tnet_bird connection: local gather_facts: False tasks: - - file: + - name: rmdir files/$hostname + file: path: files/{{ inventory_hostname }} - state: directory + state: absent changed_when: False - template: src: "{{ item }}.j2" - dest: "files/{{ inventory_hostname }}/{{ item }}" + dest: "templates/{{ inventory_hostname }}/{{ item }}" loop: - bird-tnet-pre.conf - bird-tnet.conf diff --git a/tnet/group_vars/all/bird.sops.yml b/tnet/group_vars/all/bird.sops.yml new file mode 100644 index 0000000..334634f --- /dev/null +++ b/tnet/group_vars/all/bird.sops.yml 
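Review bot: The `template` task in the first bird-deploy.yml hunk now renders `bgp_password` values into `/etc/bird/`, but nothing in the hunk keeps the rendered text out of Ansible's own output; a run with `--diff` would print the changed `password` lines. Adding `no_log: true` (or `diff: no`) to this task keeps the secret out of terminal and CI logs. The `owner: bird`, `group: bird` and `mode: 0640` context lines already limit who can read the file on the host. The task continues outside the hunk, so the loop and any existing keywords are not visible here.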
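Review bot: In bird-gen.yml no task creates `templates/{{ inventory_hostname }}` before the `template` task writes into it, because the former `state: directory` task now deletes `files/{{ inventory_hostname }}` instead. The hosts renamed in this commit already have a directory, but a newly added host would fail here, since `template` does not create parent directories. A task such as `- file: {path: "templates/{{ inventory_hostname }}", state: directory}` ahead of the loop would cover that. The generated output is also rendered a second time by bird-deploy.yml, so any `{{` that reaches it from host variables is evaluated on deploy; a short comment in the play saying so would help.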
@@ -0,0 +1,46 @@ +bgp_password: + conflatorio-knot: ENC[AES256_GCM,data:PBE4TnHXDw==,iv:Kj6SnVvwsYUrKt0Vqd76j6IaxufLP0Rf+Bw3i1M/3tI=,tag:9jPWHiqqTHSG8BMQ/k4pEw==,type:str] + coregonus-knot: ENC[AES256_GCM,data:WgO2B0FQVQ==,iv:zhaCbX6M7fMMHr63KgIrOcpnI9dmPJLTOlXJVqYkFb0=,tag:Y2H+RjuPGBMUFJJFEeL5Yw==,type:str] + hash-knot: ENC[AES256_GCM,data:SI2yYLIepg==,iv:Icky8rMsLQj77zu5vdqCZBWoHiYlNbIwlAvD5m+DH7A=,tag:9PImx9SXYuusNhZeWVPV7g==,type:str] + knot-kv24ix: ENC[AES256_GCM,data:z7SG+zuQ7g==,iv:APPjOs+MH9c0xfxmGEMoAQq00i847jGdbpoSkgwbpY0=,tag:jkgb7PlAF/kb50+i+3WEGw==,type:str] + knot-lhn2pi: ENC[AES256_GCM,data:k/pQyjnQyA==,iv:oW9t8Pruu/k/qIG6uG8Ex61QHerYhU09Ns0AI8NKkJA=,tag:H0A4jr/hBcGTuKeNV2zB1Q==,type:str] + knot-node1: ENC[AES256_GCM,data:rY0x5yu9zw==,iv:TyyhW1IwtkcU2q2y6ACgEqNEqMJ64PyMQ/kkkyCJB8E=,tag:fepqIEhEbrNFUr9f1iOMAQ==,type:str] + knot-node2: ENC[AES256_GCM,data:EE/JkIj23g==,iv:Gv1kd+lOFPir3z0TTlRdeOMffCQreBA5HiCHHwOUu+M=,tag:hwmABQCkbvQ6kSVchUZ6+g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb2RRcHh2UVN0U0ljeFgr + VndTMkRRR0Fzd042R0F5RnZpelZRNmVIcG1jCklHMkFoVjBhb3NrMjB5c3dMcjYv + Zkw5c3hIeElQOW54WDJ6a1MySDc2bGMKLS0tIEt3TTdLVkx4UFRCOU5WcWxjbXky + b05uMC94dUtxWE1qWHRTbVlubWQ4N1UKcPsMrAWryuaHar6qF/JL40hMkhkGoVsv + fj1FGz2xoI1FOtnqU8/LCOZF7ncUjzJS0m2GxiA/WDRLeLSWAi84vg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MEJWVjF4cm04UU44bU9N + VEpmVnVDN1VIcm5RVk1VcThqNjFQQ3EzNkdjCnFGcVBMb0NiTzFSUm1qckkzRjNR + WEo1ai95L1B2bEpCYnB2blNyOFBwR0kKLS0tIFEyWlRZbUZWdnR0dzVCc0NraHpj + OUxUbWp4T1E2TTBTN0NRSDdKaXlJd2cKMwUjax16RyxnQRpxtZDjnrJx7CX06Z37 + T5GfLprSS4vXGfQkuJTDn7a/v8DfftOBL9ubclIet9cOD8YzIcAiZw== + -----END 
AGE ENCRYPTED FILE----- + - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZEdhUlBEV1FBeGhSNVNG + YkQ1dmlieWlVMmMvUERNTnJlcVpmV3lBa0JjCnBJUWJmUmp2d01ZdFRlR3M1ZUI0 + NHhnMmxYNmlHeFFGbjJnK0w4QU5HenMKLS0tIHd6aUk1NWR2SnFCMENzSGFES0hi + VzVzNmtJampuZ2tKQnU3Y3FTZFFhdkUKej0Hy9kOYDqg+8B+slMdGE2Krcvqr4uJ + X7GxDCdLV7sllK6OlHe2aQkXb16oT0iGG7N61LCzWBDOfx0hzdyFPA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-19T18:22:33Z" + mac: ENC[AES256_GCM,data:Gm09oBu15JksqrK3H1TabhshiOShqwZLYFon6aqd8MmNQU0ufItZARU2K32Gu09dmDerE5Kbrq5u5U4fJXDkFRVYcFktIlD5FcCN2DlG7pB9rbpMZEHUt89wMAX6uvFat+66PUbE56Cio3Hlv88sB98VIKSratK2E0mlFB0oqYY=,iv:QaG4djyDGv+bpSz3+q6BTWAZyuUtNSkdG79/HciQlVE=,tag:TZ/qUmvWadnHYW/B00oEmQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/tnet/host_vars/knot/wg.yml b/tnet/host_vars/knot/wg.yml index 9ad867e..e64a4a6 100644 --- a/tnet/host_vars/knot/wg.yml +++ b/tnet/host_vars/knot/wg.yml @@ -6,10 +6,11 @@ tnet_wg: address: fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7c lhn2ix: port: 51002 - address: fdb1:4242:3538:ffff:18b7:d3ec:5608:db9a +# address: fdb1:4242:3538:ffff:18b7:d3ec:5608:db9a + address: fdb1:4242:3538:2f02::a kv24ix: port: 51003 - address: fe80:fef1:078a:5b64:efd3:ae7b:d286:d7ce + address: fdb1:4242:3538:2f01::a akili: port: 51004 address: fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a @@ -37,3 +38,8 @@ tnet_wg: if_name: coregonus port: 51011 address: fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d2 + kioubit_de2: + if_name: kioubit_d2 + endpoint: de2.g-load.eu:23538 + port: 51012 + address: fe80::ade1 diff --git a/tnet/host_vars/kv24ix/wg.yml b/tnet/host_vars/kv24ix/wg.yml index 99c54b6..4a4c833 100644 --- a/tnet/host_vars/kv24ix/wg.yml +++ b/tnet/host_vars/kv24ix/wg.yml 
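Review bot: `bgp_password` in bird.sops.yml defines seven pair keys (`conflatorio-knot`, `coregonus-knot`, `hash-knot`, `knot-kv24ix`, `knot-lhn2pi`, `knot-node1`, `knot-node2`), while the templates in this commit also look up `akili-hash`, `akili-knot`, `astyanax-hash`, `astyanax-knot`, `conflatorio-hash`, `hash-lhn2pi`, `hash-node1` and `hash-node2`. Unless those are defined elsewhere, the deploy for the affected hosts will stop on an undefined variable. Separately, every `data:` value decodes to 7 bytes, and SOPS ciphertext length follows plaintext length, so each password appears to be 7 characters long. That is the same length as the shared password this commit removes from the templates, which stays readable in history. If the old value was carried over it should be rotated, and longer random values are advisable for BGP session authentication in any case.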
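Review bot: The two ends of the knot–kv24ix link land in different prefixes: the first host_vars/knot/wg.yml hunk gives `kv24ix` the address `fdb1:4242:3538:2f01::a`, while the tnet/host_vars/kv24ix/wg.yml hunk sets its `knot` address to `fdb1:4242:3538:2f02::b/64`, which pairs with the new `lhn2ix` address `fdb1:4242:3538:2f02::a` instead. The commented-out old address in the kv24ix file also belongs to the lhn2ix pair (`…db9b` against `…db9a`), and only that one entry carries a `/64` suffix. templates/knot/bird-tnet.conf in this commit still has `neighbor fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf` for `tnet_kv24ix`, so until the templates are regenerated that BGP session targets an address that is no longer configured. If the kv24ix link is meant to live in 2f01, the peer line would presumably be `address: fdb1:4242:3538:2f01::b`.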
@@ -1,3 +1,4 @@ tnet_wg: knot: - address: fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf +# address: fdb1:4242:3538:ffff:18b7:d3ec:5608:db9b + address: fdb1:4242:3538:2f02::b/64 diff --git a/tnet/keys/wg-kioubit_de2-knot.pub b/tnet/keys/wg-kioubit_de2-knot.pub new file mode 100644 index 0000000..aed317e --- /dev/null +++ b/tnet/keys/wg-kioubit_de2-knot.pub @@ -0,0 +1 @@ +B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY= diff --git a/tnet/keys/wg-knot-kioubit_de2.pub b/tnet/keys/wg-knot-kioubit_de2.pub new file mode 100644 index 0000000..a8d0922 --- /dev/null +++ b/tnet/keys/wg-knot-kioubit_de2.pub @@ -0,0 +1 @@ +7QJdCBlpvYWHyg33ifsifWmV/bV6RgUct4lh0ykCK1g= diff --git a/tnet/keys/wg-knot-kioubit_de2.sops.key b/tnet/keys/wg-knot-kioubit_de2.sops.key new file mode 100644 index 0000000..6f699b0 --- /dev/null +++ b/tnet/keys/wg-knot-kioubit_de2.sops.key 
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:pj1LPjdqo+M/GlgWA63LNH/lM7F5rOYeMF1a0qNuBm6/luo5PvRYBj2jyLxa,iv:qlIvXCBXd9dyC6tj9WH0mq3jomzSUc4maPg9zPIvDbM=,tag:cSHZFa18BISZ9owjkHVkVw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MTdPUUFNU0FXcTZWckZJ\nSXV2a3ZQVmE0T3BNTVByMGp0L3ZvZERyNEFjCmFjcmRpeXU5S2tlTnp3NXBPKzl4\nZ1doRVZ0TTYwZkkvSU5RNitySUJoTWsKLS0tIGlsNzJHL0FydVRXT3puT0RuR0R2\nZGZSaXFOWFB2YkoyMi8rZ0tBL2xxbjAKDPy+8yB95EZZq542FtuI3vo4NmcDrVO5\njOvYGmatpxqSZJ9Oy4HpMzKSWvSuKVkZwTcG7Zzrhi6qrhm/TKIRvQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0dGlteEludXNpampzd0lD\nTGtQYjIwV3dEbVlEYUJOTlRXZDJYTGNpM1dzCncxMWg4R0J4aVQxQWlvQXY2ZmFH\nWjlxckFWZ2IzMnNENDZHeGFPUlJtVXMKLS0tIHJET2RLL1dBVURwdHhMZGpiMHlW\nblFaQTlDRDE4TmN6SDBnbTVpa3d1eEkKReWQml+gnXRCFbQtF5tFm8vUrALnY+QB\n/dki/g35K2I4tzyPg7qPgKEdGGUYcPTfg1Fyf2m7Q7xXJ7Xg7T1flA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNTltblFtRGVLM2xSTGp1\nVjFNMzBaNHJ2WmZTeUlON25GZE5hSUF5QVdFCmFQb28xK2dDVFdzcS9hSTZGRnRv\nSDBDNWNGb3lWVFVmNk9VR1N5TTRkd1kKLS0tIHBhZVp3d3U4UzlDK0ZkaWRxdTA5\nelBrVFVId1IydVpOcXl2R2x3SDZlNlkKNB7tdDL9QdglbbN/za18BBbWDEEvgZcr\nIHEiz1UJZZYdKEsfk1w0LRE9IKhh7LdL11hCtfO/2uTVY/4ghDFHcA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-06-30T17:13:23Z", + "mac": 
"ENC[AES256_GCM,data:zY63cqqaceaSuyIBi06jQcwuUaR/bD8h1EL0B+2M8SLTdPQAQ88cDzWze8NjpN2WqPYsxGNo2RYZe0YPXg3ymEJ9YeOvOBzALUZvf7geF7KOoNAqzzieWmIjt7K6Xmq8w1LmsEN3oM8oUU/vNiNoXLHpcD+/Yamu2d0CGr32TZU=,iv:Aj7Hop2etAvJrfsFrvoag0bvKlaMrJySdea3t4cK9c8=,tag:kN4Tn6kiKEwFy0RW6i/HDA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +}
\ No newline at end of file diff --git a/tnet/files/akili/bird-tnet-pre.conf b/tnet/templates/akili/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/akili/bird-tnet-pre.conf +++ b/tnet/templates/akili/bird-tnet-pre.conf diff --git a/tnet/files/akili/bird-tnet.conf b/tnet/templates/akili/bird-tnet.conf index 24c9b8e..d306fcc 100644 --- a/tnet/files/akili/bird-tnet.conf +++ b/tnet/templates/akili/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fdb1:4242:3538:ffff:ca85:f812:3935:5fba; interface "tnet-hash"; + password "{{ bgp_password['akili-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a; interface "tnet-knot"; + password "{{ bgp_password['akili-knot'] }}"; } diff --git a/tnet/files/astyanax/bird-tnet-pre.conf b/tnet/templates/astyanax/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/astyanax/bird-tnet-pre.conf +++ b/tnet/templates/astyanax/bird-tnet-pre.conf diff --git a/tnet/files/astyanax/bird-tnet.conf b/tnet/templates/astyanax/bird-tnet.conf index 3dbf4c9..496cebe 100644 --- a/tnet/files/astyanax/bird-tnet.conf +++ b/tnet/templates/astyanax/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a0fd:89e4:42c6:f617:7398:abf4:b516; interface "tnet-hash"; + password "{{ bgp_password['astyanax-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:6728:53fc:fc81:40b3:9beb:8336:ba56; interface "tnet-knot"; + password "{{ bgp_password['astyanax-knot'] }}"; } diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2 index 2ba456b..1185014 100644 --- a/tnet/templates/bird-tnet.conf.j2 
+++ b/tnet/templates/bird-tnet.conf.j2 @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -48,6 +46,12 @@ protocol bgp tnet_{{ p }} from tnet_tpl { {% else %} interface "tnet-{{ p }}"; {% endif %} +{% if inventory_hostname < p %} +{% set password_var = inventory_hostname + "-" + p %} +{% else %} +{% set password_var = p + "-" + inventory_hostname %} +{% endif %} + password "{{ "{{ bgp_password['" + password_var + "'] }}" }}"; {% if peer.rr_client|default(False) %} rr client; diff --git a/tnet/files/conflatorio/bird-tnet-pre.conf b/tnet/templates/conflatorio/bird-tnet-pre.conf index d60e8df..d60e8df 100644 --- a/tnet/files/conflatorio/bird-tnet-pre.conf +++ b/tnet/templates/conflatorio/bird-tnet-pre.conf diff --git a/tnet/files/conflatorio/bird-tnet.conf b/tnet/templates/conflatorio/bird-tnet.conf index 02780a6..4ffcc7f 100644 --- a/tnet/files/conflatorio/bird-tnet.conf +++ b/tnet/templates/conflatorio/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:4540:476c:d432:2f32:818b:811b:bb61; interface "tnet-hash"; + password "{{ bgp_password['conflatorio-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:47fc:0660:b91f:1063:a6ae:46bb:7589; interface "tnet-knot"; + password "{{ bgp_password['conflatorio-knot'] }}"; } diff --git a/tnet/files/coregonus/bird-tnet-pre.conf b/tnet/templates/coregonus/bird-tnet-pre.conf index d60e8df..d60e8df 100644 --- a/tnet/files/coregonus/bird-tnet-pre.conf +++ b/tnet/templates/coregonus/bird-tnet-pre.conf diff --git a/tnet/files/coregonus/bird-tnet.conf b/tnet/templates/coregonus/bird-tnet.conf index 95ede41..2d2a573 100644 --- a/tnet/files/coregonus/bird-tnet.conf +++ b/tnet/templates/coregonus/bird-tnet.conf 
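Review bot: The new `password` line in the second bird-tnet.conf.j2 hunk needs a comment, because its nested quoting hides a two-stage design: this template emits a literal `{{ bgp_password['a-b'] }}` that is only resolved when bird-deploy.yml renders the generated file, which keeps the secret out of the committed output. I would add `{# key = both hostnames in sorted order; the lookup is resolved at deploy time, not here #}` above the `{% if inventory_hostname < p %}` line. The comparison is a plain string ordering, so the keys in bird.sops.yml have to follow the same ordering. The enclosing `protocol bgp` block and its loop start outside the hunk, so whether `p` can also be an external peer with no entry in `bgp_password` cannot be seen here.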
@@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,4 +38,5 @@ template bgp tnet_tpl { protocol bgp tnet_knot from tnet_tpl { neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d2; interface "tnet-knot"; + password "{{ bgp_password['coregonus-knot'] }}"; } diff --git a/tnet/files/hash/bird-tnet-pre.conf b/tnet/templates/hash/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/hash/bird-tnet-pre.conf +++ b/tnet/templates/hash/bird-tnet-pre.conf diff --git a/tnet/files/hash/bird-tnet.conf b/tnet/templates/hash/bird-tnet.conf index a570291..d9c52b0 100644 --- a/tnet/files/hash/bird-tnet.conf +++ b/tnet/templates/hash/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,6 +38,7 @@ template bgp tnet_tpl { protocol bgp tnet_conflatorio from tnet_tpl { neighbor fe80:4540:476c:d432:2f32:818b:811b:bb60; interface "tnet-confltrio"; + password "{{ bgp_password['conflatorio-hash'] }}"; rr client; } @@ -47,6 +46,7 @@ protocol bgp tnet_conflatorio from tnet_tpl { protocol bgp tnet_knot from tnet_tpl { neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7c; interface "tnet-knot"; + password "{{ bgp_password['hash-knot'] }}"; rr client; } @@ -54,6 +54,7 @@ protocol bgp tnet_knot from tnet_tpl { protocol bgp tnet_lhn2pi from tnet_tpl { neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b9; interface "tnet-lhn2pi"; + password "{{ bgp_password['hash-lhn2pi'] }}"; rr client; } @@ -61,6 +62,7 @@ protocol bgp tnet_lhn2pi from tnet_tpl { protocol bgp tnet_node1 from tnet_tpl { neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1df; interface "tnet-node1"; + password "{{ bgp_password['hash-node1'] }}"; rr client; } @@ -68,6 +70,7 @@ protocol bgp tnet_node1 from tnet_tpl { protocol bgp tnet_node2 from tnet_tpl { neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8d; interface "tnet-node2"; + password "{{ bgp_password['hash-node2'] }}"; rr client; } 
diff --git a/tnet/files/knot/bird-tnet-pre.conf b/tnet/templates/knot/bird-tnet-pre.conf index d60e8df..d60e8df 100644 --- a/tnet/files/knot/bird-tnet-pre.conf +++ b/tnet/templates/knot/bird-tnet-pre.conf diff --git a/tnet/files/knot/bird-tnet.conf b/tnet/templates/knot/bird-tnet.conf index f21be09..699c0f2 100644 --- a/tnet/files/knot/bird-tnet.conf +++ b/tnet/templates/knot/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,6 +38,7 @@ template bgp tnet_tpl { protocol bgp tnet_conflatorio from tnet_tpl { neighbor fe80:47fc:660:b91f:1063:a6ae:46bb:7588; interface "tnet-confltrio"; + password "{{ bgp_password['conflatorio-knot'] }}"; rr client; } @@ -47,6 +46,7 @@ protocol bgp tnet_conflatorio from tnet_tpl { protocol bgp tnet_coregonus from tnet_tpl { neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d3; interface "tnet-coregonus"; + password "{{ bgp_password['coregonus-knot'] }}"; rr client; } @@ -54,6 +54,7 @@ protocol bgp tnet_coregonus from tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7d; interface "tnet-hash"; + password "{{ bgp_password['hash-knot'] }}"; rr client; } @@ -61,6 +62,7 @@ protocol bgp tnet_hash from tnet_tpl { protocol bgp tnet_kv24ix from tnet_tpl { neighbor fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf; interface "tnet-kv24ix"; + password "{{ bgp_password['knot-kv24ix'] }}"; rr client; } @@ -68,6 +70,7 @@ protocol bgp tnet_kv24ix from tnet_tpl { protocol bgp tnet_lhn2pi from tnet_tpl { neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e9; interface "tnet-lhn2pi"; + password "{{ bgp_password['knot-lhn2pi'] }}"; rr client; } @@ -75,6 +78,7 @@ protocol bgp tnet_lhn2pi from tnet_tpl { protocol bgp tnet_node1 from tnet_tpl { neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f3; interface "tnet-node1"; + password "{{ bgp_password['knot-node1'] }}"; rr client; } 
@@ -82,6 +86,7 @@ protocol bgp tnet_node1 from tnet_tpl { protocol bgp tnet_node2 from tnet_tpl { neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32db; interface "tnet-node2"; + password "{{ bgp_password['knot-node2'] }}"; rr client; } diff --git a/tnet/files/lhn2pi/bird-tnet-pre.conf b/tnet/templates/lhn2pi/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/lhn2pi/bird-tnet-pre.conf +++ b/tnet/templates/lhn2pi/bird-tnet-pre.conf diff --git a/tnet/files/lhn2pi/bird-tnet.conf b/tnet/templates/lhn2pi/bird-tnet.conf index 9f0ef8c..f755c3b 100644 --- a/tnet/files/lhn2pi/bird-tnet.conf +++ b/tnet/templates/lhn2pi/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b8; interface "tnet-hash"; + password "{{ bgp_password['hash-lhn2pi'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e8; interface "tnet-knot"; + password "{{ bgp_password['knot-lhn2pi'] }}"; } diff --git a/tnet/files/node1/bird-tnet-pre.conf b/tnet/templates/node1/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/node1/bird-tnet-pre.conf +++ b/tnet/templates/node1/bird-tnet-pre.conf diff --git a/tnet/files/node1/bird-tnet.conf b/tnet/templates/node1/bird-tnet.conf index 6449582..bafb6de 100644 --- a/tnet/files/node1/bird-tnet.conf +++ b/tnet/templates/node1/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1de; interface "tnet-hash"; + password "{{ bgp_password['hash-node1'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f2; interface "tnet-knot"; + password "{{ bgp_password['knot-node1'] }}"; } 
diff --git a/tnet/files/node2/bird-tnet-pre.conf b/tnet/templates/node2/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/node2/bird-tnet-pre.conf +++ b/tnet/templates/node2/bird-tnet-pre.conf diff --git a/tnet/files/node2/bird-tnet.conf b/tnet/templates/node2/bird-tnet.conf index b9a2294..8a7b887 100644 --- a/tnet/files/node2/bird-tnet.conf +++ b/tnet/templates/node2/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c; interface "tnet-hash"; + password "{{ bgp_password['hash-node2'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da; interface "tnet-knot"; + password "{{ bgp_password['knot-node2'] }}"; } diff --git a/tnet/wg-links.yml b/tnet/wg-links.yml index a050547..6613614 100644 --- a/tnet/wg-links.yml +++ b/tnet/wg-links.yml @@ -6,6 +6,7 @@ handlers: # Has to be restart for now, hash doesn't support reloading networkd - name: systemctl restart systemd-networkd + #when: false become: yes systemd: name: systemd-networkd |