Skip to content

v0.5.0

Latest

Choose a tag to compare

@github-actions github-actions released this 24 Jun 19:08
c5a0438

Added

  • scripts/wg_bootstrap.sh — VPN-first node bootstrap. A multipurpose
    orchestrator-run script that enrolls a node from the operator
    workstation: vpn joins the node to the WireGuard VPN by calling the
    control plane directly (POST /<ver>/clients/manual over mTLS), pushes
    the rendered wg0.conf to the node, and brings the tunnel up; cinc
    runs knife bootstrap over the now-up VPN; all does both, handing the
    assigned VPN IP from the first phase to the second. The tunnel teardown
    before rewriting the config preserves the reprovision-safety contract.
    Shape tests in tests/test_wg_bootstrap_script.py.

Changed

  • Peer discovery now clears stale results instead of accumulating
    ghosts.
    Each successful discovery pass is treated as authoritative
    for the server: any DiscoveredPeer row whose public key was not
    observed in the pass is pruned, so a peer removed from a server's
    running config disappears from the table on the next run rather than
    lingering with an old last_seen_at. Pruning runs only after a
    successful wg show — an unreachable host returns early and never
    wipes the known peer set. The discover_peers_task result gains a
    pruned count, and the Discovered Peers dashboard clears its
    displayed list the moment a "Discover all servers" run is dispatched
    so the table never shows a previous pass's peers while a new run is
    in flight. Regression tests in tests/test_discovery.py and
    web/__tests__/discovered-peers.test.tsx.

Removed

  • The wg_node Cinc cookbook (cookbooks/wg_node/). It brought a node
    onto the VPN by converging against the Cinc server first, which forced
    the Cinc server to be reachable before the node had any VPN connectivity
    — i.e. public-facing. scripts/wg_bootstrap.sh (above) replaces it by
    flipping the order: VPN first, then Cinc over the tunnel, so the Cinc
    server can stay VPN-only/private. The cookbook-test / cookbook-lint
    Makefile targets are dropped with it.

Published images

  • ghcr.io/jfudally/wg_manager:0.5.0 — API + worker
  • ghcr.io/jfudally/wg_manager-web:0.5.0 — dashboard

Pull either with a granularity-appropriate tag (0.5.0, or a coarser 0.5 / 0 / latest).

Supply-chain attestation

Both images are signed via cosign keyless OIDC and carry an
in-toto CycloneDX SBOM attestation. Verify with:

cosign verify \
    --certificate-identity-regexp \
        'https://github.com/jfudally/wg_manager/.github/workflows/release.yml@.*' \
    --certificate-oidc-issuer \
        'https://token.actions.githubusercontent.com' \
    ghcr.io/jfudally/wg_manager:0.5.0

The SBOMs are also attached as release assets:

  • sbom-api.cdx.json — CycloneDX SBOM of the API + worker image's Python deps
  • sbom-web.cdx.json — CycloneDX SBOM of the dashboard image's Node deps