From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH proxmox-ve-rs v5 06/29] ve-config: wireguard: add private keys section config
Date: Tue, 12 May 2026 19:31:21 +0200 [thread overview]
Message-ID: <20260512173145.596958-7-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20260512173145.596958-1-s.hanreich@proxmox.com>
This section configuration file acts as the key storage for all nodes
in all wireguard fabrics. This is possible, because interface names
are required to be unique for a node across all fabrics (since they
will be created with the respective name).
There is also a helper struct that can be used to further parse
the section config format into a more structured version. This struct
can be used for performing CRUD operations, and will be exposed to
perl via pve-rs.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
.../section_config/protocol/wireguard.rs | 234 ++++++++++++++++++
1 file changed, 234 insertions(+)
diff --git a/proxmox-ve-config/src/sdn/fabric/section_config/protocol/wireguard.rs b/proxmox-ve-config/src/sdn/fabric/section_config/protocol/wireguard.rs
index 7f5d18b..4005f31 100644
--- a/proxmox-ve-config/src/sdn/fabric/section_config/protocol/wireguard.rs
+++ b/proxmox-ve-config/src/sdn/fabric/section_config/protocol/wireguard.rs
@@ -513,3 +513,237 @@ pub struct WireGuardInterfaceCreateProperties {
#[serde(skip_serializing_if = "Option::is_none")]
pub(crate) ip6_ll: Option<bool>,
}
+
+pub mod private_keys {
+ use std::collections::btree_map::Entry;
+ use std::collections::{BTreeMap, HashMap, HashSet};
+
+ use anyhow::Error;
+ use serde::{Deserialize, Serialize};
+
+ use proxmox_schema::{api, ApiStringFormat, PropertyString};
+ use proxmox_section_config::typed::SectionConfigData;
+ use proxmox_wireguard::{PrivateKey, PublicKey};
+
+ use crate::sdn::fabric::section_config::{
+ node::{Node, NodeId, NODE_ID_FORMAT},
+ protocol::wireguard::{WireGuardInterfaceName, WireGuardNode},
+ };
+ use crate::sdn::fabric::FabricConfig;
+
+ #[api()]
+ #[derive(Clone, Debug, Serialize, Deserialize, Hash)]
+ /// A private key for a wireguard interface
+ pub struct InterfacePrivateKey {
+ name: WireGuardInterfaceName,
+ key: PrivateKey,
+ }
+
+ impl InterfacePrivateKey {
+ pub fn new(name: WireGuardInterfaceName, key: PrivateKey) -> Self {
+ Self { name, key }
+ }
+ }
+
+ #[api(
+ properties: {
+ private_keys: {
+ type: Array,
+ description: "A list of private keys for this node.",
+ items: {
+ type: String,
+ description: "A private key for a wireguard interface.",
+ format: &ApiStringFormat::PropertyString(&InterfacePrivateKey::API_SCHEMA),
+ }
+ }
+ }
+ )]
+ #[derive(Clone, Debug, Serialize, Deserialize, Hash)]
+ /// The private keys for a node in a wireguard fabric.
+ pub struct NodePrivateKeysSection {
+ private_keys: Vec<PropertyString<InterfacePrivateKey>>,
+ }
+
+ impl FromIterator<InterfacePrivateKey> for NodePrivateKeysSection {
+ fn from_iter<T: IntoIterator<Item = InterfacePrivateKey>>(iter: T) -> Self {
+ Self {
+ private_keys: iter.into_iter().map(PropertyString::new).collect(),
+ }
+ }
+ }
+
+ #[api(
+ "id-property": "id",
+ "id-schema": {
+ type: String,
+ description: "Route Map Section ID",
+ format: &NODE_ID_FORMAT,
+ },
+ "type-key": "type",
+ )]
+ #[derive(Clone, Debug, Serialize, Deserialize, Hash)]
+ /// The private key config for wireguard.
+ #[serde(tag = "type", rename_all = "kebab-case")]
+ pub enum FabricPrivateKeysSectionConfig {
+ /// Private keys for a node.
+ Node(NodePrivateKeysSection),
+ }
+
+ impl From<NodePrivateKeysSection> for FabricPrivateKeysSectionConfig {
+ fn from(value: NodePrivateKeysSection) -> Self {
+ Self::Node(value)
+ }
+ }
+
+ #[derive(Clone, Debug, Serialize, Deserialize, Hash)]
+ pub struct WireGuardPrivateKeys(
+ pub(crate) BTreeMap<NodeId, BTreeMap<WireGuardInterfaceName, PrivateKey>>,
+ );
+
+ impl WireGuardPrivateKeys {
+ /// Creates a Private key for the given (node, interface) if it doesn't exist - then
+ /// returns the public key of the stored private key.
+ pub fn upsert(
+ &mut self,
+ node: NodeId,
+ interface: WireGuardInterfaceName,
+ ) -> Result<PublicKey, anyhow::Error> {
+ Ok(match self.0.entry(node).or_default().entry(interface) {
+ Entry::Vacant(vacant_entry) => {
+ let private_key = PrivateKey::generate()?;
+ let public_key = private_key.public_key();
+
+ vacant_entry.insert(private_key);
+ public_key
+ }
+ Entry::Occupied(occupied_entry) => occupied_entry.get().public_key(),
+ })
+ }
+
+ /// Removes a private key.
+ pub fn remove(
+ &mut self,
+ node: &NodeId,
+ interface: &WireGuardInterfaceName,
+ ) -> Option<PrivateKey> {
+ if let Some(node_config) = self.0.get_mut(node) {
+ let removed_interface = node_config.remove(interface);
+
+ if node_config.is_empty() {
+ self.0.remove(node);
+ }
+
+ return removed_interface;
+ }
+
+ None
+ }
+
+ /// Return a private key.
+ pub fn get(
+ &self,
+ node: &NodeId,
+ interface: &WireGuardInterfaceName,
+ ) -> Option<&PrivateKey> {
+ self.0.get(node)?.get(interface)
+ }
+
+ /// Removes all entries in the private key configuration that do not exist in the given [`FabricConfig`].
+ pub fn cleanup(&mut self, fabric_config: &FabricConfig) -> Result<(), Error> {
+ let mut private_keys_nodes = HashSet::new();
+ let mut private_keys_interfaces = HashSet::new();
+
+ let mut fabric_config_nodes = HashSet::new();
+ let mut fabric_config_interfaces = HashSet::new();
+
+ for (node_id, node) in fabric_config.all_nodes() {
+ let Node::WireGuard(node) = node else {
+ continue;
+ };
+
+ let WireGuardNode::Internal(node) = node.properties() else {
+ continue;
+ };
+
+ fabric_config_nodes.insert(node_id.clone());
+
+ fabric_config_interfaces.extend(
+ node.interfaces()
+ .map(|interface| (node_id.clone(), interface.name().clone())),
+ );
+ }
+
+ for (node_id, interfaces) in &self.0 {
+ private_keys_nodes.insert(node_id.clone());
+
+ private_keys_interfaces.extend(
+ interfaces
+ .keys()
+ .map(|interface_name| (node_id.clone(), interface_name.clone())),
+ );
+ }
+
+ for node_id in private_keys_nodes.difference(&fabric_config_nodes) {
+ self.0.remove(node_id);
+ }
+
+ for (node_id, interface_id) in
+ private_keys_interfaces.difference(&fabric_config_interfaces)
+ {
+ self.remove(node_id, interface_id);
+ }
+
+ Ok(())
+ }
+ }
+
+ impl From<WireGuardPrivateKeys> for SectionConfigData<FabricPrivateKeysSectionConfig> {
+ fn from(value: WireGuardPrivateKeys) -> Self {
+ let mut data = HashMap::new();
+
+ for (node_id, interfaces) in value.0.into_iter() {
+ data.insert(
+ node_id.to_string(),
+ NodePrivateKeysSection::from_iter(
+ interfaces
+ .into_iter()
+ .map(|(name, key)| InterfacePrivateKey::new(name, key)),
+ )
+ .into(),
+ );
+ }
+
+ Self::from(data)
+ }
+ }
+
+ impl TryFrom<SectionConfigData<FabricPrivateKeysSectionConfig>> for WireGuardPrivateKeys {
+ type Error = anyhow::Error;
+
+ fn try_from(
+ value: SectionConfigData<FabricPrivateKeysSectionConfig>,
+ ) -> Result<Self, Self::Error> {
+ let mut data = BTreeMap::new();
+
+ for (section_id, FabricPrivateKeysSectionConfig::Node(node)) in value {
+ let node_id = NodeId::from_string(section_id)?;
+
+ let interfaces: &mut BTreeMap<WireGuardInterfaceName, PrivateKey> =
+ data.entry(node_id.clone()).or_default();
+
+ for interface in node.private_keys {
+ let interface = interface.into_inner();
+
+ if interfaces
+ .insert(interface.name.clone(), interface.key)
+ .is_some()
+ {
+ anyhow::bail!("duplicate interface {} for node {node_id}", interface.name);
+ }
+ }
+ }
+
+ Ok(Self(data))
+ }
+ }
+}
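Review bot: The id-schema of `FabricPrivateKeysSectionConfig` carries `description: "Route Map Section ID",` although the section id is a node id (its format is `NODE_ID_FORMAT`, and `try_from` parses it with `NodeId::from_string`), so the generated API schema documents the wrong thing; change it to `description: "Node ID",` or similar. Separately, `InterfacePrivateKey`, `NodePrivateKeysSection`, `FabricPrivateKeysSectionConfig` and `WireGuardPrivateKeys` all derive `Debug` while holding a `PrivateKey`; whether a `{:?}` of these types puts key material into logs or error messages depends on the `Debug` impl of `proxmox_wireguard::PrivateKey`, which is not visible here, so that impl should be confirmed to redact the secret (or `Debug` hand-written here to skip `key`). `WireGuardPrivateKeys` is the only type in the module without a doc comment; suggest `/// Private keys of all wireguard interfaces, keyed by node id and then by interface name.` above the struct. Finally, `cleanup` returns `Result<(), Error>` but has no failing path and always ends in `Ok(())`; either drop the `Result` or add a comment stating why it is reserved for future fallible steps.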
--
2.47.3