add simple wireguard support

Dockerfile

@@ -1,6 +1,6 @@
 from novit.tech/direktil/dkl:bbea9b9 as dkl
 # ------------------------------------------------------------------------
-from golang:1.24.4-bookworm as build
+from golang:1.25.0-trixie as build
 
 run apt-get update && apt-get install -y git
 
@@ -22,13 +22,13 @@ run \
  hack/build ./...
 
 # ------------------------------------------------------------------------
-from debian:bookworm
+from debian:trixie
 entrypoint ["/bin/dkl-local-server"]
 
 env _uncache=1
 run apt-get update \
  && yes |apt-get install -y genisoimage gdisk dosfstools util-linux udev binutils systemd \
- grub2 grub-pc-bin grub-efi-amd64-bin ca-certificates curl openssh-client qemu-utils \
+ grub2 grub-pc-bin grub-efi-amd64-bin ca-certificates curl openssh-client qemu-utils wireguard-tools \
  && apt-get clean
 
 copy --from=dkl   /bin/dkl /bin/dls /bin/

cmd/dkl-local-server/cluster-render-context.go

@@ -60,6 +60,14 @@ func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
 
 	return map[string]any{
 		"quote": strconv.Quote,
+		"yaml":  asYaml,
+		"indent": func(s, indent string) string {
+			buf := new(strings.Builder)
+			for _, line := range strings.Split(s, "\n") {
+				buf.WriteString(indent + line + "\n")
+			}
+			return buf.String()
+		},
 
 		"password": func(cluster, name, hashAlg string) (password string, err error) {
 			key := cluster + "/" + name
@@ -203,7 +211,7 @@ func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
 	}
 }
 
-func asYaml(v interface{}) (string, error) {
+func asYaml(v any) (string, error) {
 	ba, err := yaml.Marshal(v)
 	if err != nil {
 		return "", err

cmd/dkl-local-server/render-context.go

@@ -266,6 +266,20 @@ func (ctx *renderContext) TemplateFuncs() map[string]any {
 
 			return
 		},
+		"wg_key": func(name string) (key string, err error) {
+			return wgKey(name + "/hosts/" + ctx.Host.Name)
+		},
+		"wg_psk": func(name, peerName string) (key string, err error) {
+			a := ctx.Host.Name
+			b := peerName
+			if a > b {
+				a, b = b, a
+			}
+			return wgKey(name + "/psks/" + a + " " + b)
+		},
+		"wg_pubkey": func(name, host string) (key string, err error) {
+			return wgKey(name + "/hosts/" + host)
+		},
 	} {
 		funcs[name] = method
 	}

cmd/dkl-local-server/wireguard.go

@@ -0,0 +1,44 @@
+package main
+
+import (
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+var wgKeys = KVSecrets[string]{"wireguard"}
+
+func wgKey(path string) (key string, err error) {
+	return wgKeys.GetOrCreate(path, func() (key string, err error) {
+		k, err := wgtypes.GeneratePrivateKey()
+		if err != nil {
+			return
+		}
+		key = k.String()
+		return
+	})
+}
+
+func wgPSKey(path string) (key string, err error) {
+	return wgKeys.GetOrCreate(path, func() (key string, err error) {
+		k, err := wgtypes.GenerateKey()
+		if err != nil {
+			return
+		}
+		key = k.String()
+		return
+	})
+}
+
+func wgPubKey(path string) (pubkey string, err error) {
+	key, err := wgKey(path)
+	if err != nil {
+		return
+	}
+
+	k, err := wgtypes.ParseKey(key)
+	if err != nil {
+		return
+	}
+
+	pubkey = k.PublicKey().String()
+	return
+}

go.mod

@@ -11,12 +11,15 @@ require (
 	github.com/emicklei/go-restful v2.16.0+incompatible
 	github.com/emicklei/go-restful-openapi v1.4.1
 	github.com/go-git/go-git/v5 v5.16.2
+	github.com/klauspost/compress v1.18.0
 	github.com/mcluseau/go-swagger-ui v0.0.0-20191019002626-fd9128c24a34
 	github.com/miolini/datacounter v1.0.3
 	github.com/oklog/ulid v1.3.1
 	github.com/pierrec/lz4 v2.6.1+incompatible
 	github.com/sergeymakinen/go-crypt v1.0.1
 	golang.org/x/crypto v0.39.0
+	golang.org/x/sys v0.33.0
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gopkg.in/src-d/go-billy.v4 v4.3.2
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.4.0
@@ -55,7 +58,6 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/kisielk/sqlstruct v0.0.0-20210630145711-dae28ed37023 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -71,7 +73,6 @@ require (
 	github.com/zmap/zlint/v3 v3.5.0 // indirect
 	golang.org/x/mod v0.25.0 // indirect
 	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.26.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect

go.sum

@@ -3,8 +3,6 @@ dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/DataDog/zstd v1.5.7 h1:ybO8RBeh29qrxIhCA9E8gKY6xfONU9T6G6aP9DTKfLE=
-github.com/DataDog/zstd v1.5.7/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
@@ -313,6 +311,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
 gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
 gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=