siderolabs
diff --git a/‎cmd/talosctl/cmd/mgmt/cluster/create/clusterops/configmaker/internal/makers/common.go‎
Lines changed: 10 additions & 2 deletions b/‎cmd/talosctl/cmd/mgmt/cluster/create/clusterops/configmaker/internal/makers/common.go‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎cmd/talosctl/pkg/mgmt/helpers/wireguard.go‎
Lines changed: 47 additions & 54 deletions b/‎cmd/talosctl/pkg/mgmt/helpers/wireguard.go‎
Lines changed: 47 additions & 54 deletions
diff --git a/‎internal/app/machined/pkg/controllers/network/link_config.go‎
Lines changed: 25 additions & 2 deletions b/‎internal/app/machined/pkg/controllers/network/link_config.go‎
Lines changed: 25 additions & 2 deletions
diff --git a/‎internal/app/machined/pkg/controllers/network/link_config_test.go‎
Lines changed: 67 additions & 0 deletions b/‎internal/app/machined/pkg/controllers/network/link_config_test.go‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎internal/integration/api/network-config.go‎
Lines changed: 52 additions & 0 deletions b/‎internal/integration/api/network-config.go‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎internal/pkg/configuration/configuration.go‎
Lines changed: 2 additions & 0 deletions b/‎internal/pkg/configuration/configuration.go‎
Lines changed: 2 additions & 0 deletions
@@ -326,12 +326,20 @@ func (m *Maker[T]) finalizeMachineConfigs() (*bundle.Bundle, error) {
 		for i := range m.ClusterRequest.Nodes {
 			node := &m.ClusterRequest.Nodes[i]
 
-			patchedCfg, err := wireguardConfigBundle.PatchConfig(node.IPs[0], node.Config)
+			patch, err := wireguardConfigBundle.PatchNode(node.IPs[0])
 			if err != nil {
 				return nil, err
 			}
 
-			node.Config = patchedCfg
+			out, err := configpatcher.Apply(configpatcher.WithConfig(node.Config), []configpatcher.Patch{patch})
+			if err != nil {
+				return nil, err
+			}
+
+			node.Config, err = out.Config()
+			if err != nil {
+				return nil, err
+			}
 		}
 	}
 
 
@@ -7,84 +7,82 @@ package helpers
 import (
 	"fmt"
 	"net/netip"
-	"strings"
 	"time"
 
+	"github.com/siderolabs/gen/xslices"
+	"github.com/siderolabs/go-pointer"
 	sideronet "github.com/siderolabs/net"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
-	"github.com/siderolabs/talos/pkg/machinery/config"
+	"github.com/siderolabs/talos/pkg/machinery/config/configpatcher"
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
-	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/network"
 )
 
 // NewWireguardConfigBundle creates a new Wireguard config bundle.
-func NewWireguardConfigBundle(ips []netip.Addr, wireguardCidr string, listenPort, mastersCount int) (*WireguardConfigBundle, error) {
-	configs := map[string]*v1alpha1.Device{}
+func NewWireguardConfigBundle(ips []netip.Addr, wireguardCidr string, listenPort, controlplanesCount int) (*WireguardConfigBundle, error) {
+	configs := map[netip.Addr]*network.WireguardConfigV1Alpha1{}
 	keys := make([]wgtypes.Key, len(ips))
-	peers := make([]*v1alpha1.DeviceWireguardPeer, len(ips))
+	peers := make([]network.WireguardPeer, len(ips))
+
+	wgCidr, err := netip.ParsePrefix(wireguardCidr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse wireguard cidr %s: %w", wireguardCidr, err)
+	}
 
 	for i, ip := range ips {
 		key, err := wgtypes.GeneratePrivateKey()
 		if err != nil {
 			return nil, err
 		}
 
+		wgAddr, err := sideronet.NthIPInNetwork(wgCidr, i+2)
+		if err != nil {
+			return nil, err
+		}
+
 		keys[i] = key
 
-		peers[i] = &v1alpha1.DeviceWireguardPeer{
-			WireguardAllowedIPs: []string{
-				wireguardCidr,
+		peers[i] = network.WireguardPeer{
+			WireguardAllowedIPs: []network.Prefix{
+				{
+					Prefix: netip.PrefixFrom(wgAddr, wgAddr.BitLen()),
+				},
 			},
 			WireguardPublicKey:                   key.PublicKey().String(),
 			WireguardPersistentKeepaliveInterval: time.Second * 5,
 		}
 
-		if i < mastersCount {
-			peers[i].WireguardEndpoint = fmt.Sprintf("%s:%d", ip.String(), listenPort)
+		if i < controlplanesCount {
+			peers[i].WireguardEndpoint = network.AddrPort{AddrPort: netip.AddrPortFrom(ip, uint16(listenPort))}
 		}
 	}
 
-	parts := strings.Split(wireguardCidr, "/")
-	networkNumber := parts[1]
-
-	network, err := netip.ParsePrefix(wireguardCidr)
-	if err != nil {
-		return nil, err
-	}
-
 	for i, nodeIP := range ips {
-		wgIP, err := sideronet.NthIPInNetwork(network, i+2)
+		wgAddr, err := sideronet.NthIPInNetwork(wgCidr, i+2)
 		if err != nil {
 			return nil, err
 		}
 
-		config := &v1alpha1.DeviceWireguardConfig{}
+		config := network.NewWireguardConfigV1Alpha1("wg0")
 
-		var currentPeers []*v1alpha1.DeviceWireguardPeer
-
-		// add all peers except self
-		for _, peer := range peers {
-			if peer.PublicKey() != keys[i].PublicKey().String() {
-				currentPeers = append(currentPeers, peer)
-			}
-		}
-
-		config.WireguardPeers = currentPeers
+		config.WireguardPeers = xslices.Filter(peers, func(p network.WireguardPeer) bool {
+			return p.WireguardPublicKey != keys[i].PublicKey().String()
+		})
 		config.WireguardPrivateKey = keys[i].String()
-
-		device := &v1alpha1.Device{
-			DeviceInterface:       "wg0",
-			DeviceAddresses:       []string{fmt.Sprintf("%s/%s", wgIP.String(), networkNumber)},
-			DeviceWireguardConfig: config,
-			DeviceMTU:             1500,
+		config.LinkAddresses = []network.AddressConfig{
+			{
+				AddressAddress: netip.PrefixFrom(wgAddr, wgCidr.Bits()),
+			},
 		}
+		config.LinkUp = pointer.To(true)
+		config.LinkMTU = 1500
 
-		if i < mastersCount {
+		if i < controlplanesCount {
 			config.WireguardListenPort = listenPort
 		}
 
-		configs[nodeIP.String()] = device
+		configs[nodeIP] = config
 	}
 
 	return &WireguardConfigBundle{
@@ -94,25 +92,20 @@ func NewWireguardConfigBundle(ips []netip.Addr, wireguardCidr string, listenPort
 
 // WireguardConfigBundle allows assembling wireguard network configuration with first controlplane being listen node.
 type WireguardConfigBundle struct {
-	configs map[string]*v1alpha1.Device
+	configs map[netip.Addr]*network.WireguardConfigV1Alpha1
 }
 
-// PatchConfig generates config patch for a node and patches the configuration data.
-func (w *WireguardConfigBundle) PatchConfig(ip fmt.Stringer, cfg config.Provider) (config.Provider, error) {
-	config := cfg.RawV1Alpha1().DeepCopy()
-
-	if config.MachineConfig.MachineNetwork == nil {
-		config.MachineConfig.MachineNetwork = &v1alpha1.NetworkConfig{
-			NetworkInterfaces: []*v1alpha1.Device{},
-		}
-	}
-
-	device, ok := w.configs[ip.String()]
+// PatchNode generates config patch for a node.
+func (w *WireguardConfigBundle) PatchNode(ip netip.Addr) (configpatcher.Patch, error) {
+	cfg, ok := w.configs[ip]
 	if !ok {
-		return nil, fmt.Errorf("failed to get wireguard config for node %s", ip.String())
+		return nil, fmt.Errorf("no wireguard config for ip %s", ip.String())
 	}
 
-	config.MachineConfig.MachineNetwork.NetworkInterfaces = append(config.MachineConfig.MachineNetwork.NetworkInterfaces, device)
+	ctr, err := container.New(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create wireguard config container: %w", err)
+	}
 
-	return container.New(config)
+	return configpatcher.NewStrategicMergePatch(ctr), nil
 }
@@ -362,7 +362,7 @@ func (ctrl *LinkConfigController) processDevicesConfiguration(
 		}
 
 		if device.WireguardConfig() != nil {
-			if err := wireguardLink(linkMap[deviceInterface], device.WireguardConfig()); err != nil {
+			if err := wireguardLinkLegacy(linkMap[deviceInterface], device.WireguardConfig()); err != nil {
 				logger.Error("error parsing wireguard config", zap.Error(err))
 			}
 		}
@@ -479,6 +479,8 @@ func (ctrl *LinkConfigController) processLinkConfigs(logger *zap.Logger, linkMap
 
 				SetBridgeSlave(linkMap[slaveLinkName], linkName)
 			}
+		case talosconfig.NetworkWireguardConfig:
+			wireguardLink(linkMap[linkName], specificLinkConfig)
 		default:
 			logger.Error("unknown link config type", zap.String("linkName", linkName), zap.String("type", fmt.Sprintf("%T", specificLinkConfig)))
 		}
@@ -535,7 +537,7 @@ func vlanLink(link *network.LinkSpecSpec, vlanName, linkName string, vlan vlaner
 	}
 }
 
-func wireguardLink(link *network.LinkSpecSpec, config talosconfig.WireguardConfig) error {
+func wireguardLinkLegacy(link *network.LinkSpecSpec, config talosconfig.WireguardConfig) error {
 	link.Logical = true
 	link.Kind = network.LinkKindWireguard
 	link.Type = nethelpers.LinkNone
@@ -568,6 +570,27 @@ func wireguardLink(link *network.LinkSpecSpec, config talosconfig.WireguardConfi
 	return nil
 }
 
+func wireguardLink(link *network.LinkSpecSpec, config talosconfig.NetworkWireguardConfig) {
+	link.Logical = true
+	link.Kind = network.LinkKindWireguard
+	link.Type = nethelpers.LinkNone
+	link.Wireguard = network.WireguardSpec{
+		PrivateKey:   config.PrivateKey(),
+		ListenPort:   config.ListenPort().ValueOr(0),
+		FirewallMark: config.FirewallMark().ValueOr(0),
+	}
+
+	for _, peer := range config.Peers() {
+		link.Wireguard.Peers = append(link.Wireguard.Peers, network.WireguardPeer{
+			PublicKey:                   peer.PublicKey(),
+			PresharedKey:                peer.PresharedKey().ValueOr(""),
+			Endpoint:                    peer.Endpoint().ValueOr(""),
+			PersistentKeepaliveInterval: peer.PersistentKeepalive().ValueOr(0),
+			AllowedIPs:                  peer.AllowedIPs(),
+		})
+	}
+}
+
 func dummyLink(link *network.LinkSpecSpec) {
 	link.Logical = true
 	link.Kind = "dummy"
 
@@ -16,12 +16,14 @@ import (
 	"github.com/siderolabs/go-procfs/procfs"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
 	netctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
 	networkcfg "github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
+	"github.com/siderolabs/talos/pkg/machinery/fipsmode"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@@ -568,6 +570,71 @@ func (suite *LinkConfigSuite) TestMachineConfigurationNewStyle() {
 	)
 }
 
+func (suite *LinkConfigSuite) TestMachineConfigurationNewStyleNotFIPS() {
+	if fipsmode.Strict() {
+		suite.T().Skip("skipping test in strict FIPS mode")
+	}
+
+	suite.Require().NoError(suite.Runtime().RegisterController(&netctrl.LinkConfigController{}))
+
+	privKey, err := wgtypes.GeneratePrivateKey()
+	suite.Require().NoError(err)
+
+	pskKey, err := wgtypes.GenerateKey()
+	suite.Require().NoError(err)
+
+	peerKey, err := wgtypes.GenerateKey()
+	suite.Require().NoError(err)
+
+	wc1 := networkcfg.NewWireguardConfigV1Alpha1("wg0")
+	wc1.LinkUp = pointer.To(true)
+	wc1.WireguardPrivateKey = privKey.String()
+	wc1.WireguardListenPort = 12345
+	wc1.WireguardPeers = []networkcfg.WireguardPeer{
+		{
+			WireguardPublicKey:    peerKey.PublicKey().String(),
+			WireguardPresharedKey: pskKey.String(),
+			WireguardAllowedIPs:   []networkcfg.Prefix{{Prefix: netip.MustParsePrefix("10.0.0.0/24")}},
+		},
+	}
+
+	ctr, err := container.New(wc1)
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(ctr)
+	suite.Create(cfg)
+
+	suite.assertLinks(
+		[]string{
+			"configuration/wg0",
+		}, func(r *network.LinkSpec, asrt *assert.Assertions) {
+			asrt.Equal(network.ConfigMachineConfiguration, r.TypedSpec().ConfigLayer)
+
+			asrt.True(r.TypedSpec().Up)
+			asrt.True(r.TypedSpec().Logical)
+			asrt.Equal(nethelpers.LinkNone, r.TypedSpec().Type)
+			asrt.Equal(network.LinkKindWireguard, r.TypedSpec().Kind)
+			asrt.Equal(
+				network.WireguardSpec{
+					PrivateKey:   privKey.String(),
+					ListenPort:   12345,
+					FirewallMark: 0,
+					Peers: []network.WireguardPeer{
+						{
+							PublicKey:    peerKey.PublicKey().String(),
+							PresharedKey: pskKey.String(),
+							AllowedIPs: []netip.Prefix{
+								netip.MustParsePrefix("10.0.0.0/24"),
+							},
+						},
+					},
+				},
+				r.TypedSpec().Wireguard,
+			)
+		},
+	)
+}
+
 func (suite *LinkConfigSuite) TestDefaultUp() {
 	suite.Require().NoError(
 		suite.Runtime().RegisterController(
 
@@ -22,6 +22,7 @@ import (
 	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-pointer"
 	"github.com/stretchr/testify/assert"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/siderolabs/talos/internal/integration/base"
 	"github.com/siderolabs/talos/pkg/machinery/cel"
@@ -581,6 +582,57 @@ func (suite *NetworkConfigSuite) TestBridgeConfig() {
 	rtestutils.AssertNoResource[*networkres.LinkStatus](nodeCtx, suite.T(), suite.Client.COSI, bridgeName)
 }
 
+// TestWireguardConfig tests creation of Wireguard interfaces.
+func (suite *NetworkConfigSuite) TestWireguardConfig() {
+	if suite.Cluster == nil {
+		suite.T().Skip("skipping if cluster is not qemu/docker")
+	}
+
+	node := suite.RandomDiscoveredNodeInternalIP(machine.TypeWorker)
+	nodeCtx := client.WithNode(suite.ctx, node)
+
+	suite.T().Logf("testing on node %q", node)
+
+	wgName := "wg." + strconv.Itoa(rand.IntN(10000))
+
+	privateKey, err := wgtypes.GeneratePrivateKey()
+	suite.Require().NoError(err)
+
+	peerKey, err := wgtypes.GeneratePrivateKey()
+	suite.Require().NoError(err)
+
+	wg := network.NewWireguardConfigV1Alpha1(wgName)
+	wg.WireguardPrivateKey = privateKey.String()
+	wg.WireguardListenPort = 3042
+	wg.WireguardPeers = []network.WireguardPeer{
+		{
+			WireguardPublicKey: peerKey.PublicKey().String(),
+			WireguardAllowedIPs: []network.Prefix{
+				{
+					Prefix: netip.MustParsePrefix("192.168.2.0/24"),
+				},
+			},
+		},
+	}
+	wg.LinkUp = pointer.To(true)
+
+	suite.PatchMachineConfig(nodeCtx, wg)
+
+	rtestutils.AssertResource(nodeCtx, suite.T(), suite.Client.COSI, wgName,
+		func(link *networkres.LinkStatus, asrt *assert.Assertions) {
+			asrt.Equal("wireguard", link.TypedSpec().Kind)
+			asrt.Equal(wg.WireguardListenPort, link.TypedSpec().Wireguard.ListenPort)
+			asrt.Len(link.TypedSpec().Wireguard.Peers, 1)
+			asrt.Equal(peerKey.PublicKey().String(), link.TypedSpec().Wireguard.Peers[0].PublicKey)
+			asrt.Equal(privateKey.PublicKey().String(), link.TypedSpec().Wireguard.PublicKey)
+		},
+	)
+
+	suite.RemoveMachineConfigDocumentsByName(nodeCtx, network.WireguardKind, wgName)
+
+	rtestutils.AssertNoResource[*networkres.LinkStatus](nodeCtx, suite.T(), suite.Client.COSI, wgName)
+}
+
 func init() {
 	allSuites = append(allSuites, new(NetworkConfigSuite))
 }
@@ -3,6 +3,8 @@
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 // Package configuration implements configuration generation.
+//
+//nolint:staticcheck // this whole package is planned to be deprecated
 package configuration
 
 import (