
Create new server with previous gateway passphrase

Open nopdotcom opened this issue 8 years ago • 2 comments

If I have a Streisand instance running at https://poem-walk.example.com, it isn't really that bad to replace it with a new instance if I can change where that DNS name points, right?

For the server owner, the hardest part is disseminating the new passphrase. (It would be nice to have (at least) LE cert continuity too.)

If users have the passphrase, they can hit the new gateway to pick up new configuration. Reconfiguring their services can be easy or hard, depending on which VPN they're using on which client OS. OpenVPN users can grab a new config file; iOS/macOS users grab a new mobileconfig. (I'm working on Windows.)

All I need is a way of deploying with the same passphrase.

I want to discourage people from choosing passphrases, so I'd prefer the input to the later run to be in some opaque/ASCII-friendly form, like base32, or the binary version of BIP passphrases. It's just there to slow people down; anybody who wants a weak passphrase that much can have it, with or without our help.

nopdotcom avatar Oct 19 '17 20:10 nopdotcom
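An added example (not code from the issue or from the Streisand project) of the opaque-token idea in the post above: a fresh gateway passphrase is generated from a CSPRNG and handed out only in base32 form, and a redeploy accepts a token only if it decodes to a random value of the expected length, so a hand-chosen word such as "password" is rejected by construction rather than by a wordlist. The 160-bit length, the function names and the lowercase/unpadded token style are assumptions made for this example.

```python
import base64
import secrets

# Assumed token size for this example: 160 bits, which base32-encodes to
# exactly 32 characters with no '=' padding (not a Streisand setting).
PASSPHRASE_BYTES = 20


def token_from_raw(raw: bytes) -> str:
    """Render passphrase bytes in an opaque, ASCII-friendly base32 form.

    Lowercase and unpadded so it survives being typed, pasted or read aloud."""
    return base64.b32encode(raw).decode("ascii").rstrip("=").lower()


def new_gateway_token(nbytes: int = PASSPHRASE_BYTES) -> str:
    """Generate a fresh random gateway passphrase from the OS CSPRNG."""
    return token_from_raw(secrets.token_bytes(nbytes))


def decode_gateway_token(token: str, nbytes: int = PASSPHRASE_BYTES) -> bytes:
    """Decode a previously issued token so a later run can reuse it.

    This is the 'slow people down' check from the post: anything that is not
    well-formed base32 of the expected decoded length is refused, which rules
    out human-chosen passphrases without needing a wordlist."""
    cleaned = token.strip().upper()
    # Restore the padding stripped by token_from_raw (base32 pads to 8 chars).
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        raw = base64.b32decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base32") from exc
    if len(raw) != nbytes:
        raise ValueError(
            f"token decodes to {len(raw)} bytes, expected {nbytes}; "
            "supply a token issued by new_gateway_token()"
        )
    return raw


if __name__ == "__main__":
    # First deployment: issue a token and hand it to users.
    issued = new_gateway_token()
    print("issued token:", issued)
    # Redeploy: the operator feeds the same token back in and gets the same bytes.
    assert decode_gateway_token(issued) == decode_gateway_token(issued.upper())
    # A hand-picked word fails the shape check.
    for weak in ("password", "correct horse battery staple"):
        try:
            decode_gateway_token(weak)
        except ValueError as err:
            print(f"rejected {weak!r}: {err}")
```

The decoded bytes, not the base32 string, are what the redeploy should feed into whatever derives the gateway credential, so that the first and second servers end up with an identical passphrase regardless of how the token was cased or padded in transit.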

I think I would prefer to see better support for migrating the full state between two servers instead of just the gateway password.

cpu avatar Oct 22 '17 13:10 cpu

I would too, but one is a couple of hours for me, and the other is $BIG hours, and depends on you or @jlund. (I could spend some more time learning ansible too, which might pay off.)

This approach may not be suitable for mainline for a lot of reasons, which I figure everyone can guess.

I may do a tiny good-enough-for-@nopdotcom fork for this, both to see how hard it is, and to see if the general strategy of "surf to gateway DNS, re-download config/key material" is plausible for my alpha testers.

nopdotcom avatar Oct 22 '17 16:10 nopdotcom