From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network 3/3] fabrics: wireguard: implement wireguard key auto-generation
Date: Thu, 19 Feb 2026 15:56:33 +0100 [thread overview]
Message-ID: <20260219145649.441418-17-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20260219145649.441418-1-s.hanreich@proxmox.com>
Add additional logic to the existing fabrics API endpoints that
automatically create / delete keypairs for wireguard interfaces in
/etc/wireguard/proxmox. This is accomplished by proxying create /
update / delete API calls for internal wireguard nodes to the
respective node and handling the wireguard key generation there. After
generating the key, it is stored alongside the user-defined
configuration in the section config. This allows for easy access to
the public key of other nodes while being able to store the generated
wireguard keypairs locally on each node without involving pmxcfs.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
.../API2/Network/SDN/Fabrics/FabricNode.pm | 129 +++++++++++++++++-
1 file changed, 123 insertions(+), 6 deletions(-)
diff --git a/src/PVE/API2/Network/SDN/Fabrics/FabricNode.pm b/src/PVE/API2/Network/SDN/Fabrics/FabricNode.pm
index 000e4c3..f6483d5 100644
--- a/src/PVE/API2/Network/SDN/Fabrics/FabricNode.pm
+++ b/src/PVE/API2/Network/SDN/Fabrics/FabricNode.pm
@@ -3,11 +3,13 @@ package PVE::API2::Network::SDN::Fabrics::FabricNode;
use strict;
use warnings;
-use PVE::JSONSchema qw(get_standard_option);
-use PVE::Tools qw(extract_param);
+use PVE::JSONSchema qw(get_standard_option parse_property_string);
+use PVE::Tools qw(extract_param run_command);
use PVE::Network::SDN;
use PVE::Network::SDN::Fabrics;
+use PVE::Network::SDN::WireGuard;
+use PVE::RS::SDN::Fabrics;
use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
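Review bot: `parse_property_string` and `run_command` are added to the two import lists, but neither name is used in any hunk of this patch; interface parsing goes through `PVE::RS::SDN::Fabrics::parse_wireguard_*` and key handling through `PVE::Network::SDN::WireGuard`. If the rest of the file does not use them either, the lines should stay as they were, `use PVE::JSONSchema qw(get_standard_option);` and `use PVE::Tools qw(extract_param);`, so the import list does not suggest a shell-out or property-string parsing that does not happen in this module.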
@@ -131,9 +133,20 @@ __PACKAGE__->register_method({
},
});
+my sub is_internal_wireguard_node {
+ my ($node) = @_;
+ return $node->{protocol} eq 'wireguard' && $node->{role} eq 'internal';
+}
+
__PACKAGE__->register_method({
name => 'add_node',
path => '',
+ proxyto_callback => sub {
+ my ($rpcenv, $proxyto, $param) = @_;
+
+ return $param->{node_id} if is_internal_wireguard_node($param);
+ return 'localhost';
+ },
method => 'POST',
description => 'Add a node',
protected => 1,
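Review bot: `is_internal_wireguard_node` compares `$node->{protocol}` and `$node->{role}` with `eq` without guarding against undef, and the `add_node` proxyto_callback feeds it the raw request parameters; if `role` is optional with a schema default (I cannot see the schema from here), a request that omits it produces an "uninitialized value" warning and is handled on localhost without a keypair, even though the stored node may end up internal. A defined-or guard keeps the helper warning-free, `return ($node->{protocol} // '') eq 'wireguard' && ($node->{role} // '') eq 'internal';`, and the callback should apply the default before deciding. A one-line comment on the callback stating that its return value is used as the proxy target, so `node_id` relies on the parameter schema restricting it to cluster node names, would also help the next reader.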
@@ -162,8 +175,36 @@ __PACKAGE__->register_method({
my $digest = extract_param($param, 'digest');
PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest;
- $config->add_node($param);
- PVE::Network::SDN::Fabrics::write_config($config);
+ if (is_internal_wireguard_node($param) && $param->{interfaces}) {
+ my @parsed_interfaces = map {
+ PVE::RS::SDN::Fabrics::parse_wireguard_create_interface($_)
+ } $param->{interfaces}->@*;
+
+ my @interfaces;
+ for my $interface (@parsed_interfaces) {
+ $interface->{public_key} =
+ PVE::Network::SDN::WireGuard::create_wireguard_keypair(
+ $interface->{name});
+ push @interfaces,
+ PVE::RS::SDN::Fabrics::print_wireguard_interface($interface);
+ }
+
+ $param->{interfaces} = \@interfaces;
+ $config->add_node($param);
+
+ eval { PVE::Network::SDN::Fabrics::write_config($config) };
+ if (my $err = $@) {
+ for my $interface (@parsed_interfaces) {
+ PVE::Network::SDN::WireGuard::delete_wireguard_keypair(
+ $interface->{name});
+ }
+
+ die $err;
+ }
+ } else {
+ $config->add_node($param);
+ PVE::Network::SDN::Fabrics::write_config($config);
+ }
},
"adding node failed",
$lock_token,
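Review bot: In the wireguard branch of `add_node` the keypairs are written to disk before `$config->add_node($param)` (the line after `$param->{interfaces} = \@interfaces;`), but only `write_config` is inside the `eval`; if `add_node` itself dies, for example on a validation error or a duplicate node, the freshly generated keypairs are never deleted. Moving the call inside closes the gap: `eval { $config->add_node($param); PVE::Network::SDN::Fabrics::write_config($config); };`. The same ordering exists in `update_node` further down, where `$config->update_node(...)` is also outside its eval. A failing `delete_wireguard_keypair` in the cleanup loop would additionally replace `$err`, so each deletion there is better wrapped in its own `eval` with a `warn`. The enclosing lock callback starts and ends outside the hunk.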
@@ -174,6 +215,15 @@ __PACKAGE__->register_method({
__PACKAGE__->register_method({
name => 'update_node',
path => '{node_id}',
+ proxyto_callback => sub {
+ my ($rpcenv, $proxyto, $param) = @_;
+
+ my $config = PVE::Network::SDN::Fabrics::config();
+ my $old_node = $config->get_node($param->{fabric_id}, $param->{node_id});
+
+ return $old_node->{node_id} if is_internal_wireguard_node($old_node);
+ return 'localhost';
+ },
method => 'PUT',
description => 'Update a node',
protected => 1,
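Review bot: The `proxyto_callback` added to `update_node` is identical to the one added to `delete_node` further down (read the config, look up the old node, proxy when it is an internal wireguard node); a single lexical sub next to `is_internal_wireguard_node`, e.g. `my sub proxy_to_wireguard_node { my ($rpcenv, $proxyto, $param) = @_; ... }` referenced as `proxyto_callback => \&proxy_to_wireguard_node,`, keeps the two from drifting apart. The lookup happens on an unlocked config read, so whatever `get_node` returns for a missing or concurrently removed node reaches `is_internal_wireguard_node` unguarded; a short comment saying that the authoritative existence check happens in the locked handler would make that intent explicit.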
@@ -205,8 +255,55 @@ __PACKAGE__->register_method({
my $digest = extract_param($param, 'digest');
PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest;
- $config->update_node($fabric_id, $node_id, $param);
- PVE::Network::SDN::Fabrics::write_config($config);
+ my $old_node = $config->get_node($fabric_id, $node_id);
+
+ # required so rust can parse the proper wireguard node
+ # variant
+ $param->{role} = $old_node->{role} if $old_node->{protocol} eq 'wireguard';
+
+ if (is_internal_wireguard_node($param)) {
+ my %new_interfaces = map {
+ my $interface =
+ PVE::RS::SDN::Fabrics::parse_wireguard_create_interface($_);
+ $interface->{name} => $interface
+ } $param->{interfaces}->@*;
+
+ my %old_interfaces = map {
+ my $interface = PVE::RS::SDN::Fabrics::parse_wireguard_interface($_);
+ $interface->{name} => $interface
+ } $old_node->{interfaces}->@*;
+
+ my @interfaces;
+ for my $interface_name (keys %new_interfaces) {
+ my $interface = $new_interfaces{$interface_name};
+ $interface->{public_key} =
+ PVE::Network::SDN::WireGuard::create_wireguard_keypair($interface_name)
+ if !exists($old_interfaces{$interface_name});
+ push @interfaces,
+ PVE::RS::SDN::Fabrics::print_wireguard_interface($interface);
+ }
+ $param->{interfaces} = \@interfaces;
+
+ $config->update_node($fabric_id, $node_id, $param);
+ eval { PVE::Network::SDN::Fabrics::write_config($config); };
+
+ if (my $err = $@) {
+ for my $interface (values %new_interfaces) {
+ PVE::Network::SDN::WireGuard::delete_wireguard_keypair(
+ $interface->{name});
+ }
+
+ die $err;
+ }
+
+ for my $interface_name (keys %old_interfaces) {
+ PVE::Network::SDN::WireGuard::delete_wireguard_keypair($interface_name)
+ if !exists($new_interfaces{$interface_name});
+ }
+ } else {
+ $config->update_node($fabric_id, $node_id, $param);
+ PVE::Network::SDN::Fabrics::write_config($config);
+ }
},
"updating node failed",
$lock_token,
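Review bot: The cleanup loop after the failed `write_config` iterates `values %new_interfaces`, so on a write failure it deletes the keypairs of every interface in the request, including interfaces that already exist in `%old_interfaces` and whose keys this call never generated; that strips the node's unchanged interfaces of their private keys while the persisted config still references them. The loop should skip those with `next if exists $old_interfaces{$interface->{name}};` as its first statement. Two related points: existing interfaces are re-printed from `parse_wireguard_create_interface` without a `public_key`, so unless `update_node` on the Rust side carries the old key forward (not visible from here) the `if !exists` assignment needs an else branch such as `$interface->{public_key} = $old_interfaces{$interface_name}{public_key}`; and unlike `add_node`, `$param->{interfaces}->@*` is dereferenced without checking that `interfaces` was supplied, which dies on an update that omits it. The enclosing lock callback starts and ends outside the hunk.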
@@ -220,6 +317,15 @@ __PACKAGE__->register_method({
method => 'DELETE',
description => 'Add a node',
protected => 1,
+ proxyto_callback => sub {
+ my ($rpcenv, $proxyto, $param) = @_;
+
+ my $config = PVE::Network::SDN::Fabrics::config();
+ my $old_node = $config->get_node($param->{fabric_id}, $param->{node_id});
+
+ return $old_node->{node_id} if is_internal_wireguard_node($old_node);
+ return 'localhost';
+ },
permissions => {
check => [
'and',
@@ -251,8 +357,19 @@ __PACKAGE__->register_method({
my $digest = extract_param($param, 'digest');
PVE::Tools::assert_if_modified($config->digest(), $digest) if $digest;
+ my $old_node = $config->get_node($fabric_id, $node_id);
+
$config->delete_node($fabric_id, $node_id);
PVE::Network::SDN::Fabrics::write_config($config);
+
+ if (is_internal_wireguard_node($old_node)) {
+ for my $interface_string ($old_node->{interfaces}->@*) {
+ my $interface =
+ PVE::RS::SDN::Fabrics::parse_wireguard_interface($interface_string);
+ PVE::Network::SDN::WireGuard::delete_wireguard_keypair(
+ $interface->{name});
+ }
+ }
},
"deleting node failed",
$lock_token,
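Review bot: In `delete_node` the keypairs are removed after `write_config` has already committed the node deletion, so if `delete_wireguard_keypair` dies for one interface the remaining iterations are skipped and the API call reports failure even though the config change is persisted, leaving orphaned key files under `/etc/wireguard/proxmox` that no config entry points at. Since nothing can be rolled back at that point, each iteration should be best-effort, `eval { PVE::Network::SDN::WireGuard::delete_wireguard_keypair($interface->{name}) }; warn $@ if $@;`, with a comment stating that key cleanup after the config write is best-effort. Whether `delete_wireguard_keypair` tolerates an already-missing file is defined in the helper module from patch 1/3, which is not visible here.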
--
2.47.3