From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 504401FF13F for ; Thu, 07 May 2026 14:43:40 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 345431A08F; Thu, 7 May 2026 14:41:13 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Subject: [PATCH proxmox-perl-rs v4 16/31] pve-rs: sdn: wireguard: add private keys module Date: Thu, 7 May 2026 14:39:51 +0200 Message-ID: <20260507124008.417223-17-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260507124008.417223-1-s.hanreich@proxmox.com> References: <20260507124008.417223-1-s.hanreich@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1778157509710 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.640 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: D2ULHO4EUE3UOCIKP5DLQX5FJLSY2DIB X-Message-ID-Hash: D2ULHO4EUE3UOCIKP5DLQX5FJLSY2DIB X-MailFrom: s.hanreich@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This exposes the implementation of the WireGuard private key storage to Perl. It can be used to create / delete and list the private keys stored in the section config file under /etc/pve/priv/wg-keys.cfg. It also provides a helper method that can be used for cleaning up the private keys file. It removes all private keys from the section config that are no longer contained in the fabric config. This can be used for cleaning up the auto-generated WireGuard private keys when applying the SDN configuration. Signed-off-by: Stefan Hanreich --- pve-rs/Cargo.toml | 1 + pve-rs/Makefile | 1 + pve-rs/src/bindings/sdn/mod.rs | 1 + pve-rs/src/bindings/sdn/wireguard.rs | 103 +++++++++++++++++++++++++++ 4 files changed, 106 insertions(+) create mode 100644 pve-rs/src/bindings/sdn/wireguard.rs diff --git a/pve-rs/Cargo.toml b/pve-rs/Cargo.toml index c92d822..3065f9b 100644 --- a/pve-rs/Cargo.toml +++ b/pve-rs/Cargo.toml 
@@ -50,6 +50,7 @@ proxmox-sys = "1" proxmox-tfa = { version = "6.0.3", features = ["api"] } proxmox-time = "2" proxmox-ve-config = { version = "0.6", features = [ "frr" ] } +proxmox-wireguard = { version = "0.1" } # [patch.crates-io] # pbs-api-types = { path = "../../proxmox/pbs-api-types" } diff --git a/pve-rs/Makefile b/pve-rs/Makefile index 25642cd..d458293 100644 --- a/pve-rs/Makefile +++ b/pve-rs/Makefile @@ -34,6 +34,7 @@ PERLMOD_PACKAGES := \ PVE::RS::SDN::Fabrics \ PVE::RS::SDN::PrefixLists \ PVE::RS::SDN::RouteMaps \ + PVE::RS::SDN::WireGuard::PrivateKeys \ PVE::RS::SDN \ PVE::RS::TFA diff --git a/pve-rs/src/bindings/sdn/mod.rs b/pve-rs/src/bindings/sdn/mod.rs index c6361c3..0776ebb 100644 --- a/pve-rs/src/bindings/sdn/mod.rs +++ b/pve-rs/src/bindings/sdn/mod.rs @@ -1,6 +1,7 @@ pub(crate) mod fabrics; pub(crate) mod prefix_lists; pub(crate) mod route_maps; +pub(crate) mod wireguard; #[perlmod::package(name = "PVE::RS::SDN", lib = "pve_rs")] pub mod pve_rs_sdn { diff --git a/pve-rs/src/bindings/sdn/wireguard.rs b/pve-rs/src/bindings/sdn/wireguard.rs new file mode 100644 index 0000000..ba1ad3f --- /dev/null +++ b/pve-rs/src/bindings/sdn/wireguard.rs 
@@ -0,0 +1,103 @@
+#[perlmod::package(name = "PVE::RS::SDN::WireGuard::PrivateKeys", lib = "pve_rs")]
+pub mod pve_rs_sdn_wireguard {
+ //! The `PVE::RS::SDN::WireGuard` package.
+ //!
+ //! This provides an abstraction for the WireGuard private key storage
+
+ use std::{ops::Deref, sync::Mutex};
+
+ use anyhow::Error;
+ use proxmox_section_config::typed::{ApiSectionDataEntry, SectionConfigData};
+ use proxmox_wireguard::PublicKey;
+ use serde::{Deserialize, Serialize};
+
+ use perlmod::Value;
+ use proxmox_ve_config::sdn::fabric::section_config::{
+ node::NodeId,
+ protocol::wireguard::{
+ private_keys::{FabricPrivateKeysSectionConfig, WireGuardPrivateKeys},
+ WireGuardInterfaceName,
+ },
+ };
+
+ use crate::bindings::pve_rs_sdn_fabrics::PerlFabricConfig;
+
+ /// A WireGuard private key config instance.
+ #[derive(Serialize, Deserialize)]
+ pub struct PerlWireguardPrivateKeyConfig {
+ /// The fabric config instance
+ pub private_keys: Mutex,
+ }
+
+ /// Class method: Parse the raw configuration from `/etc/pve/priv/wg-keys.cfg`.
+ #[export]
+ pub fn config(#[raw] class: Value, raw_config: &[u8]) -> Result {
+ let raw_config = std::str::from_utf8(raw_config)?;
+ let config =
+ FabricPrivateKeysSectionConfig::parse_section_config("wg-keys.cfg", raw_config)?;
+
+ Ok(
+ perlmod::instantiate_magic!(&class, MAGIC => Box::new(PerlWireguardPrivateKeyConfig {
+ private_keys: Mutex::new(config.try_into()?),
+ })),
+ )
+ }
+
+ /// Method: Convert the configuration into the section config string.
+ ///
+ /// Used for writing `/etc/pve/priv/wg-keys.cfg`
+ #[export]
+ pub fn to_raw(#[try_from_ref] this: &PerlWireguardPrivateKeyConfig) -> Result {
+ let private_keys = this.private_keys.lock().unwrap();
+
+ let raw_config: SectionConfigData =
+ private_keys.deref().clone().into();
+
+ FabricPrivateKeysSectionConfig::write_section_config("wg-keys.cfg", &raw_config)
+ }
+
+ /// Method: Create a WireGuard key, if it doesn't exist.
+ ///
+ /// Returns the public key of the created / existing private key.
+ #[export]
+ pub fn upsert(
+ #[try_from_ref] this: &PerlWireguardPrivateKeyConfig,
+ node: NodeId,
+ interface: WireGuardInterfaceName,
+ ) -> Result {
+ this.private_keys.lock().unwrap().upsert(node, interface)
+ }
+
+ /// Method: Delete a WireGuard private key.
+ #[export]
+ pub fn delete(
+ #[try_from_ref] this: &PerlWireguardPrivateKeyConfig,
+ node: NodeId,
+ interface: WireGuardInterfaceName,
+ ) -> Result<(), Error> {
+ this.private_keys
+ .lock()
+ .unwrap()
+ .remove(&node, &interface)
+ .map(|_| ())
+ .ok_or_else(|| {
+ anyhow::anyhow!(
+ "could not find private_key for node {node} and interface {interface}"
+ )
+ })
+ }
+
+ #[export]
+ /// Method: Deletes all private keys from `this` that do not exist in the `fabric_config`.
+ pub fn cleanup(
+ #[try_from_ref] this: &PerlWireguardPrivateKeyConfig,
+ #[try_from_ref] fabric_config: &PerlFabricConfig,
+ ) -> Result<(), Error> {
+ let mut private_key_config = this.private_keys.lock().unwrap();
+ let fabric_config = fabric_config.fabric_config.lock().unwrap();
+
+ private_key_config.cleanup(&fabric_config)
+ }
+
+ perlmod::declare_magic!(Box : &PerlWireguardPrivateKeyConfig as "PVE::RS::SDN::WireGuard::Config");
+}
-- 2.47.3
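Review bot: `PerlWireguardPrivateKeyConfig` derives `Serialize`/`Deserialize` on a struct whose only content is the WireGuard private key store, yet nothing in this hunk serializes the wrapper — the keys are meant to leave the module only through `to_raw`, and the magic instantiation does not appear to need serde — so the derive just lets any serde sink (a debug dump, a JSON API result) emit key material by accident; I would drop it unless a caller outside this patch really serializes the wrapper. The field doc `/// The fabric config instance` looks copied from the fabrics binding; it should read `/// The WireGuard private key store parsed from /etc/pve/priv/wg-keys.cfg`. The module doc names `PVE::RS::SDN::WireGuard`, the package attribute exports `PVE::RS::SDN::WireGuard::PrivateKeys`, and `declare_magic!` uses `"PVE::RS::SDN::WireGuard::Config"`; if the last one is not a deliberately distinct class name for the blessed object, the three should agree. In `cleanup` the `///` doc sits below `#[export]` while every other export has it above; swapping the two lines keeps the doc attached consistently. The `lock().unwrap()` calls will panic into Perl on a poisoned mutex, which presumably matches the existing fabrics binding, so that is only worth a `// NOTE` if the project does not already accept it.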