Added
scripts/wg_bootstrap.sh— VPN-first node bootstrap. A multipurpose
orchestrator-run script that enrolls a node from the operator
workstation:vpnjoins the node to the WireGuard VPN by calling the
control plane directly (POST /<ver>/clients/manualover mTLS), pushes
the renderedwg0.confto the node, and brings the tunnel up;cinc
runsknife bootstrapover the now-up VPN;alldoes both, handing the
assigned VPN IP from the first phase to the second. The tunnel teardown
before rewriting the config preserves the reprovision-safety contract.
Shape tests intests/test_wg_bootstrap_script.py.
Changed
- Peer discovery now clears stale results instead of accumulating
ghosts. Each successful discovery pass is treated as authoritative
for the server: anyDiscoveredPeerrow whose public key was not
observed in the pass is pruned, so a peer removed from a server's
running config disappears from the table on the next run rather than
lingering with an oldlast_seen_at. Pruning runs only after a
successfulwg show— an unreachable host returns early and never
wipes the known peer set. Thediscover_peers_taskresult gains a
prunedcount, and the Discovered Peers dashboard clears its
displayed list the moment a "Discover all servers" run is dispatched
so the table never shows a previous pass's peers while a new run is
in flight. Regression tests intests/test_discovery.pyand
web/__tests__/discovered-peers.test.tsx.
Removed
- The
wg_nodeCinc cookbook (cookbooks/wg_node/). It brought a node
onto the VPN by converging against the Cinc server first, which forced
the Cinc server to be reachable before the node had any VPN connectivity
— i.e. public-facing.scripts/wg_bootstrap.sh(above) replaces it by
flipping the order: VPN first, then Cinc over the tunnel, so the Cinc
server can stay VPN-only/private. Thecookbook-test/cookbook-lint
Makefile targets are dropped with it.
Published images
ghcr.io/jfudally/wg_manager:0.5.0— API + workerghcr.io/jfudally/wg_manager-web:0.5.0— dashboard
Pull either with a granularity-appropriate tag (0.5.0, or a coarser 0.5 / 0 / latest).
Supply-chain attestation
Both images are signed via cosign keyless OIDC and carry an
in-toto CycloneDX SBOM attestation. Verify with:
cosign verify \
--certificate-identity-regexp \
'https://github.com/jfudally/wg_manager/.github/workflows/release.yml@.*' \
--certificate-oidc-issuer \
'https://token.actions.githubusercontent.com' \
ghcr.io/jfudally/wg_manager:0.5.0The SBOMs are also attached as release assets:
sbom-api.cdx.json— CycloneDX SBOM of the API + worker image's Python depssbom-web.cdx.json— CycloneDX SBOM of the dashboard image's Node deps