wg: add pass example to wg-quick man page

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

src/wg-quick.8

@@ -130,32 +130,13 @@ The peer's allowed IPs entry implies that this interface should be configured as
 which this script does.
 
 Building on the last example, one might attempt the so-called ``kill-switch'', in order
-to prevent the flow of unencrypted packets through the non-WireGuard interfaces:
+to prevent the flow of unencrypted packets through the non-WireGuard interfaces, by adding the following
+two lines `PostUp` and `PreDown` lines to the `[Interface]` section:
 
-    [Interface] 
-.br
-    Address = 10.200.100.8/24
-.br
-    DNS = 10.200.100.1
-.br
-    PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM= 
-.br
     \fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
 .br
     \fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
 .br
-     
-.br
-    [Peer] 
-.br
-    PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU= 
-.br
-    PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak= 
-.br
-    AllowedIPs = 0.0.0.0/0 
-.br
-    Endpoint = demo.wireguard.com:51820 
-.br
 
 The `PostUp' and `PreDown' fields have been added to specify an
 .BR iptables (8)
@@ -165,7 +146,13 @@ are either not coming out of the tunnel encrypted or not going through the tunne
 that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET
 sockets, which bypass Netfilter.)
 
-Here is a more complicated example, fit for usage on a server:
+Or, perhaps it is desirable to store private keys in encrypted form, such as through use of
+.BR pass (1):
+
+    \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
+.br
+
+For use on a server, the following is a more complicated example involving multiple peers:
     
     [Interface]
 .br