What kills us here, for what it’s worth, was a decision we made a year and a half ago for clients to generate their own WireGuard keypairs, so none of our servers needed to keep them — which means that every time a Github action runs, it creates a new temporary peer, because there’s no way to “look up” a previously-used peer from our API.
We’re going to do something in flyctl to account for this tomorrow, I think.