Merge pull request 'cluster: fix wg0.conf generator' (#54 ) from pr-amery-wg0.conf into main

Reviewed-on: #54
cluster: fix wg0.conf generator
2024-07-24 19:31:22 +02:00 · 2024-07-24 17:30:10 +00:00 · 2024-07-17 17:58:47 +02:00 · 2024-07-17 15:54:35 +00:00 · 2024-06-04 10:53:13 +02:00 · 2024-06-03 20:45:29 +00:00
69 changed files with 5662 additions and 1407 deletions
@@ -1 +1,2 @@
 .tmp
+.version
@@ -0,0 +1,15 @@
+{
+    "cSpell.words": [
+        "asciigoat",
+        "ceph",
+        "cyclomatic",
+        "darvaza",
+        "gofrs",
+        "jpictl",
+        "libdns",
+        "Lookuper",
+        "publicsuffix",
+        "Wrapf",
+        "zerolog"
+    ]
+}
@@ -15,7 +15,8 @@ TMPDIR ?= .tmp
 REVIVE ?= $(GOBIN)/revive
 REVIVE_CONF ?= $(TOOLSDIR)/revive.toml
 REVIVE_RUN_ARGS ?= -config $(REVIVE_CONF) -formatter friendly
-REVIVE_INSTALL_URL ?= github.com/mgechev/revive
+REVIVE_VERSION ?= v1.3.7
+REVIVE_INSTALL_URL ?= github.com/mgechev/revive@$(REVIVE_VERSION)

 GO_INSTALL_URLS = \
 	$(REVIVE_INSTALL_URL) \
@@ -1,21 +1,82 @@
 package main

-import "git.jpi.io/amery/jpictl/pkg/zones"
+import (
+	"os"
+
+	"darvaza.org/core"
+
+	"git.jpi.io/amery/jpictl/pkg/cluster"
+)
+
+const (
+	// DefaultConfigFile is read if -f/--config-file isn't specified.
+	// If it doesn't exist, m/ will be scanned
+	DefaultConfigFile = "cloud.yaml"
+
+	// DefaultClusterDir is the directory we will scan and write
+	// unless something else is indicated
+	DefaultClusterDir = "m"
+
+	// DefaultDomain indicates the domain to use unless
+	// something else is specified
+	DefaultDomain = "jpi.cloud"
+)

 // Config describes the repository
 type Config struct {
 	Base   string
 	Domain string
+
+	ConfigFile string
 }

+var forceScan bool
+
 var cfg = &Config{
-	Base:   "./m",
-	Domain: "m.jpi.cloud",
+	Base:   DefaultClusterDir,
+	Domain: DefaultDomain,
 }

 // LoadZones loads all zones and machines in the config directory
-func (cfg *Config) LoadZones(resolve bool) (*zones.Zones, error) {
-	return zones.New(cfg.Base, cfg.Domain,
-		zones.ResolvePublicAddresses(resolve),
+// or file
+func (cfg *Config) LoadZones(resolve bool) (*cluster.Cluster, error) {
+	var zones *cluster.Cluster
+	var err error
+
+	if !forceScan {
+		// try config file first
+		zones, err = cluster.NewFromConfig(cfg.ConfigFile,
+			cluster.ResolvePublicAddresses(resolve),
+			cluster.WithLogger(log),
+		)
+
+		switch {
+		case err == nil:
+			// file was good
+			return zones, nil
+		case !os.IsNotExist(err) || cfg.ConfigFile != DefaultConfigFile:
+			// file was bad
+			return nil, core.Wrap(err, "NewFromConfig(%q)", cfg.ConfigFile)
+		}
+	}
+
+	// default file doesn't exist. scan instead.
+	return cluster.NewFromDirectory(cfg.Base, cfg.Domain,
+		cluster.ResolvePublicAddresses(resolve),
+		cluster.WithLogger(log),
 	)
 }
+
+func init() {
+	flags := rootCmd.PersistentFlags()
+
+	flags.StringVarP(&cfg.Base, "scan-dir", "d",
+		DefaultClusterDir, "directory to scan for cluster data")
+	flags.StringVarP(&cfg.Domain, "domain", "D",
+		DefaultDomain, "domain to use for scanned data")
+	flags.StringVarP(&cfg.ConfigFile, "config-file", "f",
+		DefaultConfigFile, "config file (JSON or YAML)")
+
+	flags.BoolVarP(&forceScan, "force-scan", "S",
+		false, "ignore config file and scan the directory instead")
+}
@@ -0,0 +1,193 @@
+package main
+
+import (
+	"context"
+	"net/netip"
+	"os"
+	"time"
+
+	"darvaza.org/core"
+	"github.com/spf13/cobra"
+
+	"git.jpi.io/amery/jpictl/pkg/cluster"
+	"git.jpi.io/amery/jpictl/pkg/dns"
+)
+
+const (
+	// DNSSyncTimeout specifies how long are we willing to wait for a DNS
+	// synchronization
+	DNSSyncTimeout = 10 * time.Second
+)
+
+func newDNSManager(m *cluster.Cluster, provider dns.Provider) (*dns.Manager, error) {
+	domain := m.Domain
+	if m.Name != "" {
+		domain = m.Name + "." + domain
+	}
+
+	mgr, err := dns.NewManager(dns.WithDomain(domain), dns.WithLogger(log))
+	if err != nil {
+		return nil, err
+	}
+
+	if provider != nil {
+		// set provider only  if specified
+		err = dns.WithProvider(provider)(mgr)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if err := populateDNSManager(mgr, m); err != nil {
+		return nil, err
+	}
+
+	return mgr, nil
+}
+
+func populateDNSManager(mgr *dns.Manager, m *cluster.Cluster) error {
+	var err error
+
+	ctx := context.TODO()
+
+	m.ForEachZone(func(z *cluster.Zone) bool {
+		z.ForEachMachine(func(p *cluster.Machine) bool {
+			err = mgr.AddHost(ctx, z.Name, int(p.ID), p.IsActive(), p.PublicAddresses...)
+			return err != nil
+		})
+
+		return err != nil
+	})
+	if err != nil {
+		return err
+	}
+
+	m.ForEachRegion(func(r *cluster.Region) bool {
+		r.ForEachZone(func(z *cluster.Zone) bool {
+			err = mgr.AddRegion(ctx, r.Name, z.Name)
+			return err != nil
+		})
+
+		return err != nil
+	})
+
+	return err
+}
+
+// revive:disable:flag-parameter
+func newDNSManagerCommand(_ *cobra.Command,
+	resolve bool, withCredentials bool) (*dns.Manager, error) {
+	// revive:enable:flag-parameter
+	var cred dns.Provider
+
+	if withCredentials {
+		var err error
+
+		cred, err = dns.DefaultDNSProvider()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	m, err := cfg.LoadZones(resolve)
+	if err != nil {
+		return nil, err
+	}
+
+	return newDNSManager(m, cred)
+}
+
+// Command
+var dnsCmd = &cobra.Command{
+	Use: "dns",
+}
+
+var dnsWriteCmd = &cobra.Command{
+	Use:    "write",
+	Short:  "dns write generates public DNS records",
+	PreRun: setVerbosity,
+	RunE: func(cmd *cobra.Command, _ []string) error {
+		mgr, err := newDNSManagerCommand(cmd, true, false)
+		if err != nil {
+			return err
+		}
+
+		_, err = mgr.WriteTo(os.Stdout)
+		return err
+	},
+}
+
+var dnsSyncCmd = &cobra.Command{
+	Use:    "sync",
+	Short:  "dns sync updates public DNS records",
+	PreRun: setVerbosity,
+	RunE: func(cmd *cobra.Command, _ []string) error {
+		mgr, err := newDNSManagerCommand(cmd, true, true)
+		if err != nil {
+			return err
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), DNSSyncTimeout)
+		defer cancel()
+
+		return mgr.Sync(ctx)
+	},
+}
+
+var dnsShowCmd = &cobra.Command{
+	Use:    "show [<name>...]",
+	Short:  "dns show lists entries on DNS for our domain",
+	PreRun: setVerbosity,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		mgr, err := newDNSManagerCommand(cmd, true, true)
+		if err != nil {
+			return err
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), DNSSyncTimeout)
+		defer cancel()
+
+		return mgr.Show(ctx, args...)
+	},
+}
+
+var dnsAddCmd = &cobra.Command{
+	Use:    "add <name> <address..>",
+	Short:  "dns add registers a new machine on the public DNS",
+	Args:   cobra.MinimumNArgs(2),
+	PreRun: setVerbosity,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		var addrs []netip.Addr
+
+		for _, s := range args[1:] {
+			addr, err := core.ParseAddr(s)
+			switch {
+			case err != nil:
+				return core.Wrap(err, s)
+			case !addr.IsValid(), addr.IsUnspecified(), addr.IsPrivate(), addr.IsMulticast():
+				return core.Wrap(core.ErrInvalid, s)
+			default:
+				addrs = append(addrs, addr)
+			}
+		}
+
+		mgr, err := newDNSManagerCommand(cmd, true, true)
+		if err != nil {
+			return err
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), DNSSyncTimeout)
+		defer cancel()
+
+		return mgr.Add(ctx, args[0], addrs...)
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(dnsCmd)
+
+	dnsCmd.AddCommand(dnsWriteCmd)
+	dnsCmd.AddCommand(dnsSyncCmd)
+	dnsCmd.AddCommand(dnsShowCmd)
+	dnsCmd.AddCommand(dnsAddCmd)
+}
@@ -6,7 +6,6 @@ import (
 	"io"
 	"os"

-	"github.com/burntSushi/toml"
 	"github.com/spf13/cobra"
 	"gopkg.in/yaml.v3"
 )
@@ -20,8 +19,8 @@ type Encoder interface {
 type Encoding int

 const (
-	// TOMLEncoding represents TOML encoding
-	TOMLEncoding Encoding = iota
+	// UndefinedEncoding implies the default encoding
+	UndefinedEncoding Encoding = iota
 	// JSONEncoding represents JSON encoding
 	JSONEncoding
 	// YAMLEncoding represents YAML encoding
@@ -42,18 +41,13 @@ func NewYAMLEncoder(w io.Writer) Encoder {
 	return enc
 }

-// NewTOMLEncoder returns a TOML [Encoder] to work on the given [io.Writer]
-func NewTOMLEncoder(w io.Writer) Encoder {
-	enc := toml.NewEncoder(w)
-	return enc
-}
-
 const encoding = YAMLEncoding

 // Command
 var dumpCmd = &cobra.Command{
-	Use:   "dump",
-	Short: "generates a text representation of the config",
+	Use:    "dump",
+	Short:  "generates a text representation of the config",
+	PreRun: setVerbosity,
 	RunE: func(_ *cobra.Command, _ []string) error {
 		var buf bytes.Buffer
 		var enc Encoder
@@ -66,10 +60,8 @@ var dumpCmd = &cobra.Command{
 		switch encoding {
 		case JSONEncoding:
 			enc = NewJSONEncoder(&buf)
-		case YAMLEncoding:
-			enc = NewYAMLEncoder(&buf)
 		default:
-			enc = NewTOMLEncoder(&buf)
+			enc = NewYAMLEncoder(&buf)
 		}

 		if err = enc.Encode(m); err != nil {
@@ -8,15 +8,20 @@ import (

 // Command
 var envCmd = &cobra.Command{
-	Use:   "env",
-	Short: "generates environment variables for shell scripts",
+	Use:    "env",
+	Short:  "generates environment variables for shell scripts",
+	PreRun: setVerbosity,
 	RunE: func(_ *cobra.Command, _ []string) error {
 		m, err := cfg.LoadZones(false)
 		if err != nil {
 			return err
 		}

-		_, err = m.Env(*envExport).WriteTo(os.Stdout)
+		env, err := m.Env(*envExport)
+		if err != nil {
+			return err
+		}
+		_, err = env.WriteTo(os.Stdout)
 		return err
 	},
 }
@@ -4,11 +4,11 @@ import (
 	"bytes"
 	"fmt"
 	"os"
-	"strconv"
 	"strings"

-	"git.jpi.io/amery/jpictl/pkg/zones"
 	"github.com/spf13/cobra"
+
+	"git.jpi.io/amery/jpictl/pkg/cluster"
 )

 // Command
@@ -19,8 +19,9 @@ var gatewayCmd = &cobra.Command{

 // gateway set
 var gatewaySetCmd = &cobra.Command{
-	Use:   "set",
-	Short: "gateway set sets machines as gateways",
+	Use:    "set",
+	Short:  "gateway set sets machines as gateways",
+	PreRun: setVerbosity,
 	RunE: func(_ *cobra.Command, args []string) error {
 		m, err := cfg.LoadZones(false)
 		if err != nil {
@@ -37,9 +38,9 @@ var gatewaySetCmd = &cobra.Command{
 	},
 }

-func gatewaySet(zi zones.ZoneIterator, gw string) error {
+func gatewaySet(zi cluster.ZoneIterator, gw string) error {
 	var err error
-	zi.ForEachZone(func(z *zones.Zone) bool {
+	zi.ForEachZone(func(z *cluster.Zone) bool {
 		for _, m := range z.Machines {
 			if m.Name == gw {
 				z.SetGateway(m.ID, true)
@@ -73,9 +74,9 @@ var gatewayUnsetCmd = &cobra.Command{
 	},
 }

-func gatewayUnset(zi zones.ZoneIterator, ngw string) error {
+func gatewayUnset(zi cluster.ZoneIterator, ngw string) error {
 	var err error
-	zi.ForEachZone(func(z *zones.Zone) bool {
+	zi.ForEachZone(func(z *cluster.Zone) bool {
 		for _, m := range z.Machines {
 			if m.Name == ngw && m.IsGateway() {
 				z.SetGateway(m.ID, false)
@@ -114,10 +115,10 @@ var gatewayListCmd = &cobra.Command{
 	},
 }

-func gatewayListAll(zi zones.ZoneIterator) error {
+func gatewayListAll(zi cluster.ZoneIterator) error {
 	var b bytes.Buffer
 	var err error
-	zi.ForEachZone(func(z *zones.Zone) bool {
+	zi.ForEachZone(func(z *cluster.Zone) bool {
 		b.WriteString(z.Name + ":")
 		var sIDs []string
 		ids, num := z.GatewayIDs()
@@ -126,7 +127,7 @@ func gatewayListAll(zi zones.ZoneIterator) error {
 			return false
 		}
 		for _, i := range ids {
-			sIDs = append(sIDs, strconv.Itoa(i))
+			sIDs = append(sIDs, i.String())
 		}
 		b.WriteString(strings.Join(sIDs, ", "))
 		b.WriteString("\n")
@@ -136,10 +137,10 @@ func gatewayListAll(zi zones.ZoneIterator) error {
 	return err
 }

-func gatewayList(zi zones.ZoneIterator, m string) error {
+func gatewayList(zi cluster.ZoneIterator, m string) error {
 	var b bytes.Buffer
 	var err error
-	zi.ForEachZone(func(z *zones.Zone) bool {
+	zi.ForEachZone(func(z *cluster.Zone) bool {
 		if z.Name == m {
 			b.WriteString(z.Name + ":")
 			ids, num := z.GatewayIDs()
@@ -5,11 +5,10 @@ import (

 	"darvaza.org/sidecar/pkg/logger/zerolog"
 	"darvaza.org/slog"
+	"github.com/spf13/cobra"
 )

-var (
-	log = zerolog.New(nil, slog.Debug)
-)
+var log = zerolog.New(nil, slog.Error)

 // fatal is a convenience wrapper for slog.Logger.Fatal().Print()
 func fatal(err error, msg string, args ...any) {
@@ -24,3 +23,20 @@ func fatal(err error, msg string, args ...any) {

 	panic("unreachable")
 }
+
+var verbosity int
+
+// setVerbosity replaces the global logger using the
+// verbosity level specified via -v flags
+func setVerbosity(_ *cobra.Command, _ []string) {
+	desired := int8(slog.Error) + int8(verbosity)
+	if desired > 6 {
+		desired = 6
+	}
+	log = zerolog.New(nil, slog.LogLevel(desired))
+}
+
+func init() {
+	rootCmd.PersistentFlags().CountVarP(&verbosity, "verbosity", "v",
+		"increase the verbosity level to Warn, Info or Debug")
+}
@@ -2,6 +2,8 @@
 package main

 import (
+	_ "embed"
+
 	"github.com/spf13/cobra"
 )

@@ -10,10 +12,13 @@ const (
 	CmdName = "jpictl"
 )

-var rootCmd = &cobra.Command{
-	Use:   CmdName,
-	Short: "control tool for jpi.cloud",
-}
+var (
+	rootCmd = &cobra.Command{
+		Use:     CmdName,
+		Short:   "control tool for jpi.cloud",
+		Version: version,
+	}
+)

 func main() {
 	if err := rootCmd.Execute(); err != nil {
@@ -0,0 +1,31 @@
+package main
+
+import (
+	_ "embed"
+
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+//go:generate sh -c "git describe | tr -d '\r\n' > .version"
+//go:embed .version
+var version string
+
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "Returns jpictl's version",
+	Args:  cobra.NoArgs,
+	Run: func(_ *cobra.Command, _ []string) {
+		_, _ = fmt.Fprintf(os.Stdout, "%s\n", version)
+	},
+}
+
+func init() {
+	if version == "" {
+		version = "undetermined"
+	}
+
+	rootCmd.AddCommand(versionCmd)
+}
@@ -6,8 +6,9 @@ import (

 // Command
 var writeCmd = &cobra.Command{
-	Use:   "write",
-	Short: "rewrites all config files",
+	Use:    "write",
+	Short:  "rewrites all config files",
+	PreRun: setVerbosity,
 	RunE: func(_ *cobra.Command, _ []string) error {
 		m, err := cfg.LoadZones(false)
 		if err != nil {
@@ -3,42 +3,50 @@ module git.jpi.io/amery/jpictl
 go 1.19

 require (
-	darvaza.org/core v0.9.5
-	darvaza.org/resolver v0.5.2
-	darvaza.org/sidecar v0.0.0-20230721122716-b9c54b8adbaf
-	darvaza.org/slog v0.5.2
-	github.com/burntSushi/toml v0.3.1
+	asciigoat.org/ini v0.2.5
+	darvaza.org/core v0.14.2
+	darvaza.org/resolver v0.9.2
+	darvaza.org/sidecar v0.4.0
+	darvaza.org/slog v0.5.7
+	darvaza.org/slog/handlers/discard v0.4.11
+	github.com/gofrs/uuid/v5 v5.2.0
 	github.com/hack-pad/hackpadfs v0.2.1
-	github.com/mgechev/revive v1.3.3
-	github.com/spf13/cobra v1.7.0
-	golang.org/x/crypto v0.12.0
-	gopkg.in/gcfg.v1 v1.2.3
+	github.com/libdns/cloudflare v0.1.1
+	github.com/libdns/libdns v0.2.2
+	github.com/mgechev/revive v1.3.7
+	github.com/spf13/cobra v1.8.0
+	golang.org/x/crypto v0.25.0
+	golang.org/x/net v0.27.0
 	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	darvaza.org/slog/handlers/filter v0.4.4 // indirect
-	darvaza.org/slog/handlers/zerolog v0.4.4 // indirect
-	github.com/BurntSushi/toml v1.3.2 // indirect
+	asciigoat.org/core v0.3.9 // indirect
+	darvaza.org/cache/x/simplelru v0.1.8 // indirect
+	darvaza.org/slog/handlers/filter v0.4.9 // indirect
+	darvaza.org/slog/handlers/zerolog v0.4.9 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/chavacava/garif v0.1.0 // indirect
-	github.com/fatih/color v1.15.0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517 // indirect
-	github.com/miekg/dns v1.1.55 // indirect
+	github.com/miekg/dns v1.1.59 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rs/zerolog v1.30.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.14.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/tools v0.12.0 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 )
@@ -1,68 +1,90 @@
-darvaza.org/core v0.9.5 h1:sS5pZFwicaxJIQixEiqkMr9GknVHYL+EbKDMkR/4jDM=
-darvaza.org/core v0.9.5/go.mod h1:O3tHBMlw+xB47uGh5CUx7dXAujBAMmD8BCRFPZmIw54=
-darvaza.org/resolver v0.5.2 h1:VjHhEr/MJBszeDb7tYlXQ9Bsyh4xrDR7Sd10WAmPD6k=
-darvaza.org/resolver v0.5.2/go.mod h1:fFvsVPEFeMzUIWlLG47Go/6uJYtRLb9R8HIgYg3uaxE=
-darvaza.org/sidecar v0.0.0-20230721122716-b9c54b8adbaf h1:ya5ZQicBb/GWll3rlqra8No7oJXks7y1m/cJGYBypv4=
-darvaza.org/sidecar v0.0.0-20230721122716-b9c54b8adbaf/go.mod h1:by+bPsMa7Rxc/ZYG1qBunrtKocv/DkrPBmyFlmq/j2Q=
-darvaza.org/slog v0.5.2 h1:8TG1WyHjOyh2vW6t3pjzZVaWzpko5MIIpeI7LWqHFvs=
-darvaza.org/slog v0.5.2/go.mod h1:HAkEpxTA/mkiLNUXJo5qsCh8EVCtA3evje8GAaCDWHI=
-darvaza.org/slog/handlers/filter v0.4.4 h1:b2e2T9fQzMdJ0ia+f6b7kw9/T9GFwhFCKob/2tqhGGU=
-darvaza.org/slog/handlers/filter v0.4.4/go.mod h1:cQlJWuolB6guLug09sX/8Zrzct++M6SPCGvXR37E7Cc=
-darvaza.org/slog/handlers/zerolog v0.4.4 h1:OR1ASvH1fBCq3t85t4OU6oJPPuqMB1tsDoSpsh6HVJU=
-darvaza.org/slog/handlers/zerolog v0.4.4/go.mod h1:t60TeEbFcMLo74CkXC2S0rKlnwF4ixZyBR4fqIJV1GE=
-github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
-github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/burntSushi/toml v0.3.1 h1:Hu1cOEC2qtKULZJCzym5tyA35bZr3HREuolgiAzMlhY=
-github.com/burntSushi/toml v0.3.1/go.mod h1:sGTquCpRYr9McuHdv0m6YKIhx8DJGJa4t04/Y9pfSio=
+asciigoat.org/core v0.3.9 h1:hgDDz4ecm3ZvehX++m8A/IzAt+B5oDPiRtxatzfUHPQ=
+asciigoat.org/core v0.3.9/go.mod h1:CAaHwyw8MpAq4a1MYtN2dxJrsK+hmIdW50OndaQZYPI=
+asciigoat.org/ini v0.2.5 h1:4gRIp9rU+XQt8+HMqZO5R7GavMv9Yl2+N+je6djDIAE=
+asciigoat.org/ini v0.2.5/go.mod h1:gmXzJ9XFqf1NLk5nQkj04USQ4tMtdRJHNQX6vp3DzjU=
+darvaza.org/cache/x/simplelru v0.1.8 h1:rvFucut4wKYbsYc994yR3P0M08NqlsvZxr5G4QK82tw=
+darvaza.org/cache/x/simplelru v0.1.8/go.mod h1:Mv1isOJTcXYK+aK0AvUe+/3KpRTXDsYga6rdTS/upNs=
+darvaza.org/core v0.14.2 h1:6p0iznuGfVGbBp+CnkZTw1b76j6Q/j4ffDztZXrrlK8=
+darvaza.org/core v0.14.2/go.mod h1:C+B0GRNLB+/asGfxjQ9XZERdk7xaFxzt5xTIBPiNm2M=
+darvaza.org/resolver v0.9.2 h1:sUX6LZ1eN5TzJW7L4m7HM+BvwBeWl8dYYDGVSe+AIhk=
+darvaza.org/resolver v0.9.2/go.mod h1:XWqPhrxoOKNzRuSozOwmE1M6QVqQL28jEdxylnIO8Nw=
+darvaza.org/sidecar v0.4.0 h1:wHghxzLsiT82WDBBUf34aTqtOvRBg4UbxVIJgKNXRVA=
+darvaza.org/sidecar v0.4.0/go.mod h1:fUzjcFM4rN3bSEl4BKvok3MLpZWEhEa9+0/egmtpfMY=
+darvaza.org/slog v0.5.7 h1:JWC0OqvzR435AidIRDp4T9kdWTURWkUjzP4R78Koq1Q=
+darvaza.org/slog v0.5.7/go.mod h1:12L03t+KYhsZ9IbfF+8if5w9Y91af2par+bSzeBVqIQ=
+darvaza.org/slog/handlers/discard v0.4.11 h1:wr34OnDoRaMV1eGgW7yUaupQxjkTnuHrJmYRPj64RHM=
+darvaza.org/slog/handlers/discard v0.4.11/go.mod h1:ynxyLmZzZ5mP4ACLhQs4MEuDyhkIzjz6DfBHUjhnIK4=
+darvaza.org/slog/handlers/filter v0.4.9 h1:xD8OBwlJytpiwTSDDZqUuNSOsJuaManXQiOj9WEStr8=
+darvaza.org/slog/handlers/filter v0.4.9/go.mod h1:t+sjcf1c46kAdf1TRiQmop91xlkteZrC4WDXoVwHgP8=
+darvaza.org/slog/handlers/zerolog v0.4.9 h1:08FjRnwRGtJsLLBnbgxVorb/bkgm5QEM/LXD2cxeCbM=
+darvaza.org/slog/handlers/zerolog v0.4.9/go.mod h1:PZYfx6eOxQfD+cXJQp52iwKgcD30QVYHoXxOCojAOdw=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/chavacava/garif v0.1.0 h1:2JHa3hbYf5D9dsgseMKAmc/MZ109otzgNFk5s87H9Pc=
 github.com/chavacava/garif v0.1.0/go.mod h1:XMyYCkEL58DF0oyW4qDjjnPWONs2HBqYKI+UIPD+Gww=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
+github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gofrs/uuid/v5 v5.2.0 h1:qw1GMx6/y8vhVsx626ImfKMuS5CvJmhIKKtuyvfajMM=
+github.com/gofrs/uuid/v5 v5.2.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/hack-pad/hackpadfs v0.2.1 h1:FelFhIhv26gyjujoA/yeFO+6YGlqzmc9la/6iKMIxMw=
 github.com/hack-pad/hackpadfs v0.2.1/go.mod h1:khQBuCEwGXWakkmq8ZiFUvUZz84ZkJ2KNwKvChs4OrU=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/libdns/cloudflare v0.1.1 h1:FVPfWwP8zZCqj268LZjmkDleXlHPlFU9KC4OJ3yn054=
+github.com/libdns/cloudflare v0.1.1/go.mod h1:9VK91idpOjg6v7/WbjkEW49bSCxj00ALesIFDhJ8PBU=
+github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s=
+github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517 h1:zpIH83+oKzcpryru8ceC6BxnoG8TBrhgAvRg8obzup0=
 github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg=
-github.com/mgechev/revive v1.3.3 h1:GUWzV3g185agbHN4ZdaQvR6zrLVYTUSA2ktvIinivK0=
-github.com/mgechev/revive v1.3.3/go.mod h1:NhpOtVtDbjYNDj697eDUBTobijCDHQKar4HDKc0TuTo=
-github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
-github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/mgechev/revive v1.3.7 h1:502QY0vQGe9KtYJ9FpxMz9rL+Fc/P13CI5POL4uHCcE=
+github.com/mgechev/revive v1.3.7/go.mod h1:RJ16jUbF0OWC3co/+XTxmFNgEpUPwnnA0BRllX2aDNA=
+github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
+github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
-github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.30.0 h1:SymVODrcRsaRaSInD9yQtKbtWqwsfoPcRff/oRXLj4c=
-github.com/rs/zerolog v1.30.0/go.mod h1:/tk+P47gFdPXq4QYjvCmT5/Gsug2nagsFWBWhAiSi1w=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
+github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -72,30 +94,25 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 h1:MGwJjxBy0HJshjDNfLsYO8xppfqWlA5ZT9OhtUUhTNw=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss=
-golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/gcfg.v1 v1.2.3 h1:m8OOJ4ccYHnx2f4gQwpno8nAX5OGOh7RLaaz0pj3Ogs=
-gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
-gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -0,0 +1,2 @@
+// Package ceph deals with ceph config
+package ceph
@@ -0,0 +1,70 @@
+package ceph
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/netip"
+	"strings"
+
+	"github.com/gofrs/uuid/v5"
+
+	"asciigoat.org/ini/basic"
+)
+
+// Config represents a ceph.conf file
+type Config struct {
+	Global GlobalConfig `ini:"global"`
+}
+
+// GlobalConfig represents the [global] section of a ceph.conf file
+type GlobalConfig struct {
+	FSID           uuid.UUID    `ini:"fsid"`
+	Monitors       []string     `ini:"mon_initial_members,comma"`
+	MonitorsAddr   []netip.Addr `ini:"mon_host,comma"`
+	ClusterNetwork netip.Prefix `ini:"cluster_network"`
+}
+
+// WriteTo writes a Wireguard [Config] onto the provided [io.Writer]
+func (cfg *Config) WriteTo(w io.Writer) (int64, error) {
+	var buf bytes.Buffer
+
+	writeGlobalToBuffer(&buf, &cfg.Global)
+	return buf.WriteTo(w)
+}
+
+func writeGlobalToBuffer(w *bytes.Buffer, c *GlobalConfig) {
+	_, _ = w.WriteString("[global]\n")
+	_, _ = fmt.Fprintf(w, "%s = %s\n", "fsid", c.FSID.String())
+	_, _ = fmt.Fprintf(w, "%s = %s\n", "mon_initial_members", strings.Join(c.Monitors, ", "))
+	_, _ = fmt.Fprintf(w, "%s = %s\n", "mon_host", joinAddrs(c.MonitorsAddr, ", "))
+	_, _ = fmt.Fprintf(w, "%s = %s\n", "cluster_network", c.ClusterNetwork.String())
+
+	_, _ = fmt.Fprintf(w, "\n; %s\n", "don't rewrite labels on startup")
+	_, _ = fmt.Fprintf(w, "%s = %s\n", "osd_class_update_on_start", "false")
+}
+
+func joinAddrs(addrs []netip.Addr, sep string) string {
+	s := make([]string, len(addrs))
+
+	for i, addr := range addrs {
+		s[i] = addr.String()
+	}
+
+	return strings.Join(s, sep)
+}
+
+// NewConfigFromReader parses the ceph.conf file
+func NewConfigFromReader(r io.Reader) (*Config, error) {
+	doc, err := basic.Decode(r)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg, err := newConfigFromDocument(doc)
+	if err != nil {
+		return nil, err
+	}
+
+	return cfg, nil
+}
@@ -0,0 +1,110 @@
+package ceph
+
+import (
+	"io/fs"
+	"net/netip"
+
+	"asciigoat.org/ini/basic"
+	"asciigoat.org/ini/parser"
+
+	"darvaza.org/core"
+)
+
+var sectionMap = map[string]func(*Config, *basic.Section) error{
+	"global": loadGlobalConfSection,
+}
+
+func loadConfSection(out *Config, src *basic.Section) error {
+	h, ok := sectionMap[src.Key]
+	if !ok {
+		return core.Wrap(fs.ErrInvalid, "unknown section %q", src.Key)
+	}
+
+	return h(out, src)
+}
+
+func loadGlobalConfSection(out *Config, src *basic.Section) error {
+	var cfg GlobalConfig
+
+	for _, field := range src.Fields {
+		if err := loadGlobalConfField(&cfg, field); err != nil {
+			return core.Wrap(err, "global")
+		}
+	}
+
+	out.Global = cfg
+	return nil
+}
+
+// revive:disable:cyclomatic
+// revive:disable:cognitive-complexity
+
+func loadGlobalConfField(cfg *GlobalConfig, field basic.Field) error {
+	// revive:enable:cyclomatic
+	// revive:enable:cognitive-complexity
+
+	// TODO: refactor when asciigoat's ini parser learns to do reflection
+
+	switch field.Key {
+	case "fsid":
+		if !core.IsZero(cfg.FSID) {
+			return core.Wrap(fs.ErrInvalid, "duplicate field %q", field.Key)
+		}
+
+		err := cfg.FSID.UnmarshalText([]byte(field.Value))
+		switch {
+		case err != nil:
+			return core.Wrap(err, field.Key)
+		default:
+			return nil
+		}
+	case "mon_host":
+		entries, _ := parser.SplitCommaArray(field.Value)
+		for _, s := range entries {
+			var addr netip.Addr
+
+			if err := addr.UnmarshalText([]byte(s)); err != nil {
+				return core.Wrap(err, field.Key)
+			}
+
+			cfg.MonitorsAddr = append(cfg.MonitorsAddr, addr)
+		}
+		return nil
+	case "mon_initial_members":
+		entries, _ := parser.SplitCommaArray(field.Value)
+		cfg.Monitors = append(cfg.Monitors, entries...)
+		return nil
+	case "cluster_network":
+		if !core.IsZero(cfg.ClusterNetwork) {
+			err := core.Wrap(fs.ErrInvalid, "fields before the first section")
+			return err
+		}
+
+		err := cfg.ClusterNetwork.UnmarshalText([]byte(field.Value))
+		switch {
+		case err != nil:
+			return core.Wrap(err, field.Key)
+		default:
+			return nil
+		}
+	}
+	return nil
+}
+
+func newConfigFromDocument(doc *basic.Document) (*Config, error) {
+	var out Config
+
+	if len(doc.Global) > 0 {
+		err := core.Wrap(fs.ErrInvalid, "fields before the first section")
+		return nil, err
+	}
+
+	for i := range doc.Sections {
+		src := &doc.Sections[i]
+		if err := loadConfSection(&out, src); err != nil {
+			return nil, err
+		}
+	}
+
+	return &out, nil
+}
@@ -0,0 +1,43 @@
+package cluster
+
+import (
+	"net/netip"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+// RingOnePrefix returns the ring 1 subnet of this [Zone].
+func (z *Zone) RingOnePrefix() netip.Prefix {
+	subnet, err := rings.RingOnePrefix(z.RegionID(), z.ID)
+	if err != nil {
+		panic(err)
+	}
+	return subnet
+}
+
+// RingOnePrefix returns the ring 1 subnet this [Machine] belongs
+// to.
+func (m *Machine) RingOnePrefix() netip.Prefix {
+	return m.zone.RingOnePrefix()
+}
+
+// RingZeroAddress returns the ring 0 address of the [Machine]
+// if it can act as gateway.
+func (m *Machine) RingZeroAddress() (netip.Addr, bool) {
+	addr, err := rings.RingZeroAddress(m.Region(), m.Zone(), m.ID)
+	if err != nil {
+		return netip.Addr{}, false
+	}
+
+	return addr, true
+}
+
+// RingOneAddress returns the ring 1 address of the [Machine]
+func (m *Machine) RingOneAddress() netip.Addr {
+	addr, err := rings.RingOneAddress(m.Region(), m.Zone(), m.ID)
+	if err != nil {
+		panic(err)
+	}
+
+	return addr
+}
@@ -0,0 +1,122 @@
+package cluster
+
+import (
+	"bytes"
+	"net/netip"
+	"sort"
+
+	"darvaza.org/core"
+	"github.com/gofrs/uuid/v5"
+
+	"git.jpi.io/amery/jpictl/pkg/ceph"
+)
+
+// GetCephFSID returns our Ceph's FSID
+func (m *Cluster) GetCephFSID() (uuid.UUID, error) {
+	if core.IsZero(m.CephFSID) {
+		// generate one
+		v, err := uuid.NewV4()
+		if err != nil {
+			return uuid.Nil, err
+		}
+		m.CephFSID = v
+	}
+	return m.CephFSID, nil
+}
+
+// GetCephConfig reads the ceph.conf file
+func (m *Cluster) GetCephConfig() (*ceph.Config, error) {
+	data, err := m.ReadFile("ceph.conf")
+	if err != nil {
+		return nil, err
+	}
+
+	r := bytes.NewReader(data)
+	return ceph.NewConfigFromReader(r)
+}
+
+// WriteCephConfig writes the ceph.conf file
+func (m *Cluster) WriteCephConfig(cfg *ceph.Config) error {
+	f, err := m.CreateTruncFile("ceph.conf")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = cfg.WriteTo(f)
+	return err
+}
+
+// GenCephConfig prepares a ceph.Config using the cluster information
+func (m *Cluster) GenCephConfig() (*ceph.Config, error) {
+	fsid, err := m.GetCephFSID()
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := &ceph.Config{
+		Global: ceph.GlobalConfig{
+			FSID: fsid,
+			ClusterNetwork: netip.PrefixFrom(
+				netip.AddrFrom4([4]byte{10, 0, 0, 0}),
+				8,
+			),
+		},
+	}
+
+	m.ForEachZone(func(z *Zone) bool {
+		for _, p := range z.GetCephMonitors() {
+			addr := p.RingOneAddress()
+
+			cfg.Global.Monitors = append(cfg.Global.Monitors, p.Name)
+			cfg.Global.MonitorsAddr = append(cfg.Global.MonitorsAddr, addr)
+		}
+		return false
+	})
+
+	return cfg, nil
+}
+
+// GetCephMonitors returns the set of Ceph monitors on
+// the zone
+func (z *Zone) GetCephMonitors() Machines {
+	var mons Machines
+	var first, second *Machine
+
+	z.ForEachMachine(func(p *Machine) bool {
+		switch {
+		case p.CephMonitor:
+			// it is a monitor
+			mons = append(mons, p)
+		case len(mons) > 0:
+			// zone has a monitor
+		case first == nil && !p.IsGateway():
+			// first option for monitor
+			first = p
+		case second == nil:
+			// second option for monitor
+			second = p
+		}
+
+		return false
+	})
+
+	switch {
+	case len(mons) > 0:
+		// ready
+	case first != nil:
+		// make first option our monitor
+		first.CephMonitor = true
+		mons = append(mons, first)
+	case second != nil:
+		// make second option our monitor
+		second.CephMonitor = true
+		mons = append(mons, second)
+	default:
+		// zone without machines??
+		panic("unreachable")
+	}
+
+	sort.Sort(mons)
+	return mons
+}
@@ -0,0 +1,107 @@
+package cluster
+
+import (
+	"os"
+
+	"darvaza.org/slog"
+
+	"git.jpi.io/amery/jpictl/pkg/ceph"
+)
+
+type cephScanTODO struct {
+	names map[string]bool
+	addrs map[string]bool
+}
+
+func (todo *cephScanTODO) checkMachine(p *Machine) bool {
+	// on ceph all addresses are ring1
+	addr := p.RingOneAddress().String()
+
+	if _, found := todo.names[p.Name]; found {
+		// found on the TODO by name
+		todo.names[p.Name] = true
+		todo.addrs[addr] = true
+		return true
+	}
+
+	if _, found := todo.addrs[addr]; found {
+		// found on the TODO by address
+		todo.names[p.Name] = true
+		todo.addrs[addr] = true
+		return true
+	}
+
+	return false
+}
+
+func (todo *cephScanTODO) LogMissing(log slog.Logger) {
+	for name, found := range todo.names {
+		if !found {
+			log.Warn().
+				WithField("subsystem", "ceph").
+				WithField("monitor", name).
+				Print("unknown monitor")
+		}
+	}
+
+	for addr, found := range todo.addrs {
+		if !found {
+			log.Warn().
+				WithField("subsystem", "ceph").
+				WithField("monitor", addr).
+				Print("unknown monitor")
+		}
+	}
+}
+
+func newCephScanTODO(cfg *ceph.Config) *cephScanTODO {
+	todo := &cephScanTODO{
+		names: make(map[string]bool),
+		addrs: make(map[string]bool),
+	}
+
+	for _, name := range cfg.Global.Monitors {
+		todo.names[name] = false
+	}
+
+	for _, addr := range cfg.Global.MonitorsAddr {
+		todo.addrs[addr.String()] = false
+	}
+
+	return todo
+}
+
+func (m *Cluster) scanCephMonitors(opts *ScanOptions) error {
+	cfg, err := m.GetCephConfig()
+	switch {
+	case os.IsNotExist(err):
+		err = nil
+	case err != nil:
+		return err
+	}
+
+	if cfg != nil {
+		// store FSID
+		m.CephFSID = cfg.Global.FSID
+
+		// flag monitors based on config
+		todo := newCephScanTODO(cfg)
+		m.ForEachMachine(func(p *Machine) bool {
+			p.CephMonitor = todo.checkMachine(p)
+			return false
+		})
+
+		todo.LogMissing(m.log)
+	}
+
+	return m.initCephMonitors(opts)
+}
+
+func (m *Cluster) initCephMonitors(_ *ScanOptions) error {
+	// make sure every zone has one
+	m.ForEachZone(func(z *Zone) bool {
+		_ = z.GetCephMonitors()
+		return false
+	})
+	return nil
+}
@@ -0,0 +1,78 @@
+// Package cluster contains information about the cluster
+package cluster
+
+import (
+	"io/fs"
+
+	"darvaza.org/resolver"
+	"darvaza.org/slog"
+	"github.com/gofrs/uuid/v5"
+)
+
+var (
+	_ MachineIterator = (*Cluster)(nil)
+	_ ZoneIterator    = (*Cluster)(nil)
+)
+
+// revive:disable:line-length-limit
+
+// Cluster represents all zones in a cluster
+type Cluster struct {
+	dir      fs.FS
+	log      slog.Logger
+	resolver resolver.Resolver
+
+	BaseDir string `json:"dir,omitempty"    yaml:"dir,omitempty"`
+	Name    string `json:"name,omitempty"   yaml:"name,omitempty"`
+	Domain  string `json:"domain,omitempty" yaml:"domain,omitempty"`
+
+	CephFSID uuid.UUID `json:"ceph_fsid,omitempty" yaml:"ceph_fsid,omitempty"`
+	Regions  []Region  `json:",omitempty"          yaml:",omitempty"`
+	Zones    []*Zone   `json:",omitempty"          yaml:",omitempty"`
+}
+
+// revive:enable:line-length-limit
+
+// ForEachMachine calls a function for each Machine in the cluster
+// until instructed to terminate the loop
+func (m *Cluster) ForEachMachine(fn func(*Machine) bool) {
+	m.ForEachZone(func(z *Zone) bool {
+		var term bool
+
+		z.ForEachMachine(func(p *Machine) bool {
+			term = fn(p)
+			return term
+		})
+
+		return term
+	})
+}
+
+// ForEachZone calls a function for each Zone in the cluster
+// until instructed to terminate the loop
+func (m *Cluster) ForEachZone(fn func(*Zone) bool) {
+	for _, p := range m.Zones {
+		if fn(p) {
+			// terminate
+			return
+		}
+	}
+}
+
+// GetMachineByName looks for a machine with the specified
+// name on any zone
+func (m *Cluster) GetMachineByName(name string) (*Machine, bool) {
+	var out *Machine
+
+	if name != "" {
+		m.ForEachMachine(func(p *Machine) bool {
+			if p.Name == name {
+				out = p
+			}
+
+			return out != nil
+		})
+	}
+
+	return out, out != nil
+}
@@ -0,0 +1,115 @@
+package cluster
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	fs "github.com/hack-pad/hackpadfs"
+)
+
+// OpenFile opens a file on the cluster's config directory with the specified flags
+func (m *Cluster) OpenFile(name string, flags int, args ...any) (fs.File, error) {
+	if len(args) > 0 {
+		name = fmt.Sprintf(name, args...)
+	}
+
+	return fs.OpenFile(m.dir, name, flags, 0644)
+}
+
+// CreateTruncFile creates or truncates a file on the cluster's config directory
+func (m *Cluster) CreateTruncFile(name string, args ...any) (io.WriteCloser, error) {
+	return m.openWriter(name, os.O_CREATE|os.O_TRUNC, args...)
+}
+
+// CreateFile creates a file on the cluster's config directory
+func (m *Cluster) CreateFile(name string, args ...any) (io.WriteCloser, error) {
+	return m.openWriter(name, os.O_CREATE, args...)
+}
+
+func (m *Cluster) openWriter(name string, flags int, args ...any) (io.WriteCloser, error) {
+	f, err := m.OpenFile(name, os.O_WRONLY|flags, args...)
+	if err != nil {
+		return nil, err
+	}
+
+	if f, ok := f.(io.WriteCloser); ok {
+		return f, nil
+	}
+
+	panic("unreachable")
+}
+
+// RemoveFile deletes a file from the cluster's config directory
+func (m *Cluster) RemoveFile(name string, args ...any) error {
+	if len(args) > 0 {
+		name = fmt.Sprintf(name, args...)
+	}
+
+	err := fs.Remove(m.dir, name)
+	switch {
+	case os.IsNotExist(err):
+		return nil
+	default:
+		return err
+	}
+}
+
+// ReadFile reads a file from the cluster's config directory
+func (m *Cluster) ReadFile(name string, args ...any) ([]byte, error) {
+	if len(args) > 0 {
+		name = fmt.Sprintf(name, args...)
+	}
+
+	return fs.ReadFile(m.dir, name)
+}
+
+// ReadLines reads a file from the cluster's config directory,
+// split by lines, trimmed, and accepting `#` to comment lines out.
+func (m *Cluster) ReadLines(name string, args ...any) ([]string, error) {
+	var out []string
+
+	data, err := m.ReadFile(name, args...)
+	if err != nil {
+		return nil, err
+	}
+
+	sc := bufio.NewScanner(bytes.NewReader(data))
+	for sc.Scan() {
+		s := strings.TrimSpace(sc.Text())
+		switch {
+		case s == "", strings.HasPrefix(s, "#"):
+			// ignore
+		default:
+			// accepted
+			out = append(out, s)
+		}
+	}
+
+	return out, nil
+}
+
+// WriteStringFile writes the given content to a file on the machine's config directory
+func (m *Cluster) WriteStringFile(value string, name string, args ...any) error {
+	f, err := m.CreateTruncFile(name, args...)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	buf := bytes.NewBufferString(value)
+	_, err = buf.WriteTo(f)
+	return err
+}
+
+// MkdirAll creates directories relative to the cluster's config directory
+func (m *Cluster) MkdirAll(name string, args ...any) error {
+	if len(args) > 0 {
+		name = fmt.Sprintf(name, args...)
+	}
+
+	return fs.MkdirAll(m.dir, name, 0755)
+}
@@ -0,0 +1,25 @@
+package cluster
+
+import (
+	"io/fs"
+	"path/filepath"
+
+	"github.com/hack-pad/hackpadfs/os"
+)
+
+// DirFS returns a file system (an [fs.FS]) for the tree
+// of files rooted at the directory dir.
+func DirFS(dir string) (fs.FS, error) {
+	dir = filepath.Clean(dir)
+	fullPath, err := filepath.Abs(dir)
+	if err != nil {
+		return nil, err
+	}
+
+	sub, err := os.NewFS().Sub(fullPath[1:])
+	if err != nil {
+		return nil, err
+	}
+
+	return sub, nil
+}
@@ -0,0 +1,141 @@
+package cluster
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"gopkg.in/yaml.v3"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+func (m *Cluster) init(opts *ScanOptions) error {
+	for _, fn := range []func(*ScanOptions) error{
+		m.initZones,
+		m.initRegions,
+		m.scanZoneIDs,
+		m.scanSort,
+		m.scanGateways,
+		m.initCephMonitors,
+	} {
+		if err := fn(opts); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Cluster) initZones(opts *ScanOptions) error {
+	var err error
+
+	sub, err := DirFS(m.BaseDir)
+	if err != nil {
+		return err
+	}
+
+	m.dir = sub
+
+	m.ForEachZone(func(z *Zone) bool {
+		err = m.initZone(z, opts)
+		return err != nil
+	})
+
+	return err
+}
+
+func (m *Cluster) initZone(z *Zone, _ *ScanOptions) error {
+	var hasMissing bool
+	var lastMachineID rings.NodeID
+
+	z.zones = m
+	z.logger = m
+
+	z.ForEachMachine(func(p *Machine) bool {
+		p.zone = z
+		p.logger = z
+
+		switch {
+		case p.ID == 0:
+			hasMissing = true
+		case p.ID > lastMachineID:
+			lastMachineID = p.ID
+		}
+
+		return false
+	})
+
+	if hasMissing {
+		next := lastMachineID + 1
+
+		z.ForEachMachine(func(p *Machine) bool {
+			if p.ID == 0 {
+				p.ID, next = next, next+1
+			}
+
+			return false
+		})
+	}
+
+	z.ForEachMachine(func(p *Machine) bool {
+		p.Name = fmt.Sprintf("%s-%v", z.Name, p.ID)
+		return false
+	})
+
+	return nil
+}
+
+func decodeConfigData(data []byte) (out *Cluster, err error) {
+	// try JSON first
+	out = new(Cluster)
+	err = json.Unmarshal(data, out)
+	if err == nil {
+		// good json
+		return out, nil
+	} else if _, ok := err.(*json.SyntaxError); !ok {
+		// bad json
+		return nil, err
+	}
+
+	out = new(Cluster)
+	err = yaml.Unmarshal(data, out)
+	if err != nil {
+		// bad yaml too
+		return nil, err
+	}
+
+	// good yaml
+	return out, nil
+}
+
+// NewFromConfig loads the cluster data from the given file
+func NewFromConfig(filename string, opts ...ScanOption) (*Cluster, error) {
+	var scanOptions ScanOptions
+
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	m, err := decodeConfigData(data)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, opt := range opts {
+		if err = opt(m, &scanOptions); err != nil {
+			return nil, err
+		}
+	}
+
+	if err = m.setScanDefaults(&scanOptions); err != nil {
+		return nil, err
+	}
+
+	if err := m.init(&scanOptions); err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
@@ -0,0 +1,317 @@
+package cluster
+
+import (
+	"io/fs"
+	"path"
+	"sort"
+	"strings"
+
+	"darvaza.org/core"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+const (
+	// ZoneRegionsFileName indicates the file containing
+	// region names as references
+	ZoneRegionsFileName = "regions"
+
+	// RegionClusterTokenFileName contains the kubernetes
+	// token of the cluster this region represents
+	RegionClusterTokenFileName = "k8s_token"
+)
+
+func (m *Cluster) scan(opts *ScanOptions) error {
+	for _, fn := range []func(*ScanOptions) error{
+		m.scanDirectory,
+		m.scanMachines,
+		m.initRegions,
+		m.scanZoneIDs,
+		m.scanSort,
+		m.scanGateways,
+		m.scanCephMonitors,
+	} {
+		if err := fn(opts); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Cluster) scanDirectory(opts *ScanOptions) error {
+	// each directory is a zone
+	entries, err := fs.ReadDir(m.dir, ".")
+	if err != nil {
+		return err
+	}
+
+	for _, e := range entries {
+		if e.IsDir() {
+			ok, err := m.scanSubdirectory(opts, e.Name())
+			switch {
+			case err != nil:
+				return core.Wrap(err, e.Name())
+			case !ok:
+				m.warn(nil).
+					WithField("zone", e.Name()).
+					Print("empty")
+			}
+		}
+	}
+
+	return nil
+}
+
+func (m *Cluster) scanSubdirectory(_ *ScanOptions, name string) (bool, error) {
+	z, err := m.newZone(name)
+	switch {
+	case err != nil:
+		// somewhere went wrong scanning the subdirectory
+		return false, err
+	case z.Machines.Len() > 0:
+		// zones have machines and the regions they belong
+		m.Zones = append(m.Zones, z)
+		return true, nil
+	case len(z.Regions) > 0:
+		// regions have no machines but can include
+		// other regions
+		m.appendRegionRegions(name, z.Regions...)
+		return true, nil
+	default:
+		// empty
+		return false, nil
+	}
+}
+
+func (m *Cluster) newZone(name string) (*Zone, error) {
+	z := &Zone{
+		zones:  m,
+		logger: m,
+		Name:   name,
+	}
+
+	z.debug().
+		WithField("zone", z.Name).
+		Print("found")
+
+	if err := z.scan(); err != nil {
+		return nil, err
+	}
+	return z, nil
+}
+
+func (m *Cluster) scanMachines(opts *ScanOptions) error {
+	var err error
+	m.ForEachMachine(func(p *Machine) bool {
+		err = p.scan(opts)
+		return err != nil
+	})
+	m.ForEachMachine(func(p *Machine) bool {
+		err = p.scanWrapUp(opts)
+		return err != nil
+	})
+	return err
+}
+
+func (m *Cluster) scanZoneIDs(_ *ScanOptions) error {
+	var hasMissing bool
+	var lastZoneID rings.ZoneID
+
+	m.ForEachZone(func(z *Zone) bool {
+		switch {
+		case z.ID == 0:
+			hasMissing = true
+		case z.ID > lastZoneID:
+			lastZoneID = z.ID
+		}
+
+		return false
+	})
+
+	if hasMissing {
+		next := lastZoneID + 1
+
+		m.ForEachZone(func(z *Zone) bool {
+			if z.ID == 0 {
+				z.ID, next = next, next+1
+			}
+
+			return false
+		})
+	}
+
+	return nil
+}
+
+func (m *Cluster) scanSort(_ *ScanOptions) error {
+	sort.SliceStable(m.Zones, func(i, j int) bool {
+		id1 := m.Zones[i].ID
+		id2 := m.Zones[j].ID
+		return id1 < id2
+	})
+
+	m.ForEachZone(func(z *Zone) bool {
+		sort.Sort(z)
+		return false
+	})
+
+	m.ForEachMachine(func(p *Machine) bool {
+		sort.SliceStable(p.Rings, func(i, j int) bool {
+			ri1 := p.Rings[i]
+			ri2 := p.Rings[j]
+
+			return ri1.Ring < ri2.Ring
+		})
+
+		return false
+	})
+
+	return nil
+}
+
+func (m *Cluster) scanGateways(_ *ScanOptions) error {
+	var err error
+
+	m.ForEachZone(func(z *Zone) bool {
+		_, _, err = z.GetGateway()
+		return err != nil
+	})
+	return err
+}
+
+func (z *Zone) scan() error {
+	// each directory is a machine
+	entries, err := fs.ReadDir(z.zones.dir, z.Name)
+	if err != nil {
+		return err
+	}
+
+	for _, e := range entries {
+		name := e.Name()
+
+		switch {
+		case name == ZoneRegionsFileName:
+			err = z.loadRegions()
+		case name == RegionClusterTokenFileName:
+			err = z.loadClusterToken()
+		case e.IsDir():
+			err = z.scanSubdirectory(name)
+		default:
+			z.warn(nil).
+				WithField("zone", z.Name).
+				WithField("filename", name).
+				Print("unknown")
+		}
+
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (z *Zone) loadRegions() error {
+	filename := path.Join(z.Name, ZoneRegionsFileName)
+	regions, err := z.zones.ReadLines(filename)
+
+	if err == nil {
+		// parsed
+		err = z.appendRegions(regions...)
+		if err != nil {
+			err = core.Wrap(err, filename)
+		}
+	}
+
+	return err
+}
+
+func (z *Zone) loadClusterToken() error {
+	var token string
+
+	filename := path.Join(z.Name, RegionClusterTokenFileName)
+	lines, err := z.zones.ReadLines(filename)
+	if err != nil {
+		return err
+	}
+
+	// first non-empty line
+	for _, s := range lines {
+		s = strings.TrimSpace(s)
+		if s != "" {
+			token = s
+			break
+		}
+	}
+
+	err = z.zones.setRegionClusterToken(z.Name, token)
+	if err != nil {
+		err = core.Wrap(err, filename)
+	}
+
+	return err
+}
+
+func (z *Zone) scanSubdirectory(name string) error {
+	m := &Machine{
+		zone:   z,
+		logger: z,
+		Name:   name,
+	}
+
+	m.debug().
+		WithField("node", m.Name).
+		WithField("zone", z.Name).
+		Print("found")
+
+	if err := m.init(); err != nil {
+		m.error(err).
+			WithField("node", m.Name).
+			WithField("zone", z.Name).
+			Print()
+
+		return err
+	}
+
+	z.Machines = append(z.Machines, m)
+	return nil
+}
+
+// GetGateway returns the first gateway found, if none
+// files will be created to enable the first [Machine] to
+// be one
+func (z *Zone) GetGateway() (*Machine, bool, error) {
+	var first *Machine
+	var gateway *Machine
+
+	z.zones.ForEachMachine(func(p *Machine) bool {
+		switch {
+		case p.IsGateway():
+			// found
+			gateway = p
+		case first == nil:
+			// remember
+			first = p
+		default:
+			// keep looking
+		}
+
+		return gateway != nil
+	})
+
+	switch {
+	case gateway != nil:
+		// found one
+		return gateway, false, nil
+	case first != nil:
+		// make one
+		if err := first.SetGateway(true); err != nil {
+			return first, false, err
+		}
+		return first, true, nil
+	default:
+		// Zone without nodes?
+		panic("unreachable")
+	}
+}
@@ -1,15 +1,15 @@
-package zones
+package cluster

 import (
 	"io/fs"
 	"path/filepath"

 	"darvaza.org/resolver"
-	"github.com/hack-pad/hackpadfs/os"
+	"darvaza.org/slog"
 )

-// A ScanOption preconfigures the Zones before scanning
-type ScanOption func(*Zones, *ScanOptions) error
+// A ScanOption pre-configures the Zones before scanning
+type ScanOption func(*Cluster, *ScanOptions) error

 // ScanOptions contains flags used by the initial scan
 type ScanOptions struct {
@@ -17,13 +17,17 @@ type ScanOptions struct {
 	// pre-populate Machine.PublicAddresses during the
 	// initial scan
 	DontResolvePublicAddresses bool
+
+	// Logger specifies the logger to be used. otherwise
+	// the scanner will be mute
+	slog.Logger
 }

 // ResolvePublicAddresses instructs the scanner to use
 // the DNS resolver to get PublicAddresses of nodes.
 // Default is true
 func ResolvePublicAddresses(resolve bool) ScanOption {
-	return func(m *Zones, opt *ScanOptions) error {
+	return func(_ *Cluster, opt *ScanOptions) error {
 		opt.DontResolvePublicAddresses = !resolve
 		return nil
 	}
@@ -32,7 +36,7 @@ func ResolvePublicAddresses(resolve bool) ScanOption {
 // WithLookuper specifies what resolver.Lookuper to use to
 // find public addresses
 func WithLookuper(h resolver.Lookuper) ScanOption {
-	return func(m *Zones, opt *ScanOptions) error {
+	return func(m *Cluster, _ *ScanOptions) error {
 		if h == nil {
 			return fs.ErrInvalid
 		}
@@ -45,7 +49,7 @@ func WithLookuper(h resolver.Lookuper) ScanOption {
 // public addresses. if nil is passed, the [net.Resolver] will be used.
 // The default is using Cloudflare's 1.1.1.1.
 func WithResolver(h resolver.Resolver) ScanOption {
-	return func(m *Zones, opt *ScanOptions) error {
+	return func(m *Cluster, _ *ScanOptions) error {
 		if h == nil {
 			h = resolver.SystemResolver(true)
 		}
@@ -55,55 +59,72 @@ func WithResolver(h resolver.Resolver) ScanOption {
 	}
 }

-func (m *Zones) setDefaults(opt *ScanOptions) error {
+// WithLogger specifies what to use for logging
+func WithLogger(log slog.Logger) ScanOption {
+	return func(m *Cluster, opt *ScanOptions) error {
+		if log == nil {
+			log = DefaultLogger()
+		}
+
+		opt.Logger = log
+		m.log = log
+		return nil
+	}
+}
+
+func (m *Cluster) setScanDefaults(opt *ScanOptions) error {
 	if m.resolver == nil {
-		h := resolver.NewCloudflareLookuper()
+		h := DefaultLookuper()

 		if err := WithLookuper(h)(m, opt); err != nil {
 			return err
 		}
 	}

+	if opt.Logger == nil {
+		if err := WithLogger(nil)(m, opt); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }

-// NewFS builds a [Zones] tree using the given directory
-func NewFS(dir fs.FS, domain string, opts ...ScanOption) (*Zones, error) {
+// NewFromDirectory builds a [Cluster] tree using the given directory
+func NewFromDirectory(dir, domain string, opts ...ScanOption) (*Cluster, error) {
 	var scanOptions ScanOptions

-	z := &Zones{
-		dir:    dir,
-		domain: domain,
+	dir = filepath.Clean(dir)
+	fullPath, err := filepath.Abs(dir)
+	if err != nil {
+		return nil, err
+	}
+
+	sub, err := DirFS(dir)
+	if err != nil {
+		return nil, err
+	}
+
+	m := &Cluster{
+		dir:     sub,
+		BaseDir: dir,
+		Name:    filepath.Base(fullPath),
+		Domain:  domain,
 	}

 	for _, opt := range opts {
-		if err := opt(z, &scanOptions); err != nil {
+		if err := opt(m, &scanOptions); err != nil {
 			return nil, err
 		}
 	}

-	if err := z.setDefaults(&scanOptions); err != nil {
+	if err := m.setScanDefaults(&scanOptions); err != nil {
 		return nil, err
 	}

-	if err := z.scan(&scanOptions); err != nil {
+	if err := m.scan(&scanOptions); err != nil {
 		return nil, err
 	}

-	return z, nil
-}
-
-// New builds a [Zones] tree using the given directory
-func New(dir, domain string, opts ...ScanOption) (*Zones, error) {
-	dir, err := filepath.Abs(dir)
-	if err != nil {
-		return nil, err
-	}
-
-	base, err := os.NewFS().Sub(dir[1:])
-	if err != nil {
-		return nil, err
-	}
-
-	return NewFS(base, domain, opts...)
+	return m, nil
 }
@@ -0,0 +1,17 @@
+package cluster
+
+import (
+	"darvaza.org/resolver"
+	"darvaza.org/slog"
+	"darvaza.org/slog/handlers/discard"
+)
+
+// DefaultLogger returns a logger that doesn't log anything
+func DefaultLogger() slog.Logger {
+	return discard.New()
+}
+
+// DefaultLookuper returns a [resolver.Lookuper] using Cloudflare's 1.1.1.1
+func DefaultLookuper() resolver.Lookuper {
+	return resolver.NewCloudflareLookuper()
+}
@@ -0,0 +1,258 @@
+package cluster
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"strings"
+
+	"darvaza.org/core"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+// Env is a shell environment factory for this cluster
+type Env struct {
+	ZoneIterator
+	RegionIterator
+
+	cephFSID string
+	export   bool
+}
+
+// Env returns a shell environment factory
+func (m *Cluster) Env(export bool) (*Env, error) {
+	fsid, err := m.GetCephFSID()
+	if err != nil {
+		return nil, err
+	}
+
+	env := &Env{
+		ZoneIterator:   m,
+		RegionIterator: m,
+		cephFSID:       fsid.String(),
+		export:         export,
+	}
+
+	return env, nil
+}
+
+// Zones returns the list of Zone IDs of a region,
+// or from all if none is specified.
+func (m *Env) Zones(r *Region) []rings.ZoneID {
+	var zones []rings.ZoneID
+
+	iter := core.IIf[ZoneIterator](r != nil, r, m)
+
+	iter.ForEachZone(func(z *Zone) bool {
+		zones = append(zones, z.ID)
+		return false
+	})
+
+	core.SliceSortOrdered(zones)
+	return zones
+}
+
+// RegionsNames returns a sorted list of primary regions names
+func (m *Env) RegionsNames() []string {
+	var regions []string
+
+	m.ForEachRegion(func(r *Region) bool {
+		if r.IsPrimary() {
+			regions = append(regions, r.Name)
+		}
+
+		return false
+	})
+
+	core.SliceSortOrdered(regions)
+	return regions
+}
+
+// Regions returns a sorted list of primary regions IDs
+func (m *Env) Regions() (regions []rings.RegionID) {
+	m.ForEachRegion(func(r *Region) bool {
+		if r.IsPrimary() {
+			regions = append(regions, r.ID)
+		}
+
+		return false
+	})
+
+	core.SliceSortOrdered(regions)
+	return regions
+}
+
+// WriteTo generates environment variables for shell scripts
+func (m *Env) WriteTo(w io.Writer) (int64, error) {
+	var buf bytes.Buffer
+
+	if m.cephFSID != "" {
+		m.writeEnvVar(&buf, m.cephFSID, "FSID")
+	}
+
+	regions := m.getRegions()
+	ids := core.SliceMap(regions, func(_ []rings.RegionID, r *Region) (out []rings.RegionID) {
+		return append(out, r.ID)
+	})
+	names := core.SliceMap(regions, func(_ []string, r *Region) (out []string) {
+		return append(out, r.Name)
+	})
+
+	m.writeEnvVar(&buf, genEnvInts(ids), "REGIONS")
+	m.writeEnvVar(&buf, genEnvStrings(names), "REGIONS_NAMES")
+
+	for _, r := range regions {
+		m.writeEnvRegion(&buf, r)
+	}
+
+	return buf.WriteTo(w)
+}
+
+func (m *Env) getRegions() (out []*Region) {
+	m.ForEachRegion(func(r *Region) bool {
+		if r.IsPrimary() {
+			out = append(out, r)
+		}
+		return false
+	})
+
+	core.SliceSortFn(out, func(a, b *Region) bool {
+		return a.ID < b.ID
+	})
+
+	return out
+}
+func (m *Env) writeEnvRegion(w io.Writer, r *Region) {
+	regionID := r.ID
+
+	// REGION{regionID}_NAME
+	m.writeEnvVar(w, r.Name, "REGION%v_%s", regionID, "NAME")
+
+	// REGION{regionID}_ZONES
+	m.writeEnvVar(w, genEnvInts(m.Zones(r)), "REGION%v_%s", regionID, "ZONES")
+
+	r.ForEachZone(func(z *Zone) bool {
+		m.writeEnvZone(w, r, z)
+		return false
+	})
+}
+
+func (m *Env) writeEnvZone(w io.Writer, r *Region, z *Zone) {
+	zonePrefix := fmt.Sprintf("REGION%v_ZONE%v", r.ID, z.ID)
+	monPrefix := zonePrefix + "_MON"
+
+	// REGION{regionID}_ZONE{zoneID}
+	m.writeEnvVar(w, genEnvZoneNodes(z), zonePrefix)
+
+	// REGION{regionID}_ZONE{zoneID}_NAME
+	m.writeEnvVar(w, z.Name, zonePrefix+"_NAME")
+
+	// REGION{regionID}_ZONE{zoneID}_GW
+	gateways, _ := z.GatewayIDs()
+	m.writeEnvVar(w, genEnvInts(gateways), zonePrefix+"_GW")
+
+	// Ceph
+	monitors := z.GetCephMonitors()
+	// REGION{regionID}_MON{zone_ID}
+	m.writeEnvVar(w, genEnvZoneCephMonNames(monitors), monPrefix)
+	// REGION{regionID}_MON{zone_ID}_IP
+	m.writeEnvVar(w, genEnvZoneCephMonIPs(monitors), monPrefix+"_IP")
+	// REGION{regionID}_MON{zone_ID}_ID
+	m.writeEnvVar(w, genEnvZoneCephMonIDs(monitors), monPrefix+"_ID")
+}
+
+func (m *Env) writeEnvVar(w io.Writer, value string, name string, args ...any) {
+	var prefix string
+
+	if m.export {
+		prefix = "export "
+	}
+
+	if len(args) > 0 {
+		name = fmt.Sprintf(name, args...)
+	}
+
+	if name != "" {
+		value = strings.TrimSpace(value)
+
+		if value == "" {
+			_, _ = fmt.Fprintf(w, "%s%s=\n", prefix, name)
+		} else {
+			_, _ = fmt.Fprintf(w, "%s%s=%q\n", prefix, name, value)
+		}
+	}
+}
+
+func genEnvInts[T core.Signed](values []T) string {
+	var buf bytes.Buffer
+
+	for _, v := range values {
+		if buf.Len() > 0 {
+			_, _ = buf.WriteRune(' ')
+		}
+
+		_, _ = buf.WriteString(fmt.Sprintf("%v", int64(v)))
+	}
+
+	return buf.String()
+}
+
+func genEnvStrings(values []string) string {
+	return strings.Join(values, " ")
+}
+
+func genEnvZoneNodes(z *Zone) string {
+	if n := z.Len(); n > 0 {
+		s := make([]string, 0, n)
+
+		z.ForEachMachine(func(p *Machine) bool {
+			s = append(s, p.Name)
+			return false
+		})
+
+		return genEnvStrings(s)
+	}
+	return ""
+}
+
+func genEnvZoneCephMonNames(m Machines) string {
+	var buf strings.Builder
+	m.ForEachMachine(func(p *Machine) bool {
+		if buf.Len() > 0 {
+			_, _ = buf.WriteRune(' ')
+		}
+		_, _ = buf.WriteString(p.Name)
+
+		return false
+	})
+	return buf.String()
+}
+
+func genEnvZoneCephMonIPs(m Machines) string {
+	var buf strings.Builder
+	m.ForEachMachine(func(p *Machine) bool {
+		addr := p.RingOneAddress()
+
+		if buf.Len() > 0 {
+			_, _ = buf.WriteRune(' ')
+		}
+		_, _ = buf.WriteString(addr.String())
+
+		return false
+	})
+	return buf.String()
+}
+
+func genEnvZoneCephMonIDs(m Machines) string {
+	var buf strings.Builder
+	m.ForEachMachine(func(p *Machine) bool {
+		if buf.Len() > 0 {
+			_, _ = buf.WriteRune(' ')
+		}
+		_, _ = fmt.Fprintf(&buf, "%v", p.ID)
+
+		return false
+	})
+	return buf.String()
+}
@@ -0,0 +1,29 @@
+package cluster
+
+import (
+	"errors"
+	"io/fs"
+
+	"darvaza.org/core"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+var (
+	// ErrInvalidName indicates the name isn't valid
+	ErrInvalidName = errors.New("invalid name")
+
+	// ErrUnknownNode indicates there is a reference to a node
+	// we don't have on the tree
+	ErrUnknownNode = errors.New("node does not exist")
+
+	// ErrInvalidNode indicates the nodes can't be used for
+	// the intended purpose
+	ErrInvalidNode = errors.New("invalid node")
+)
+
+// ErrInvalidRing returns an error indicating the [rings.RingID]
+// can't be used for the intended purpose
+func ErrInvalidRing(ringID rings.RingID) error {
+	return core.QuietWrap(fs.ErrInvalid, "invalid ring %v", ringID)
+}
@@ -0,0 +1,128 @@
+package cluster
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"text/template"
+)
+
+type hostsFile struct {
+	Ring0 []hostsEntry
+	Ring1 []hostsEntry
+}
+
+type hostsEntry struct {
+	Addr  string
+	Names []string
+}
+
+var hostsTemplate = template.Must(template.New("hosts").Funcs(template.FuncMap{
+	"StringsJoin": strings.Join,
+}).Parse(`127.0.0.1 localhost
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+{{range .Ring1 -}}
+{{.Addr}}  {{StringsJoin .Names " "}}
+{{end}}
+{{range .Ring0 -}}
+{{.Addr}}  {{StringsJoin .Names " "}}
+{{end -}}
+`))
+
+// WriteHosts rewrites all hosts files on the tree
+func (m *Cluster) WriteHosts() error {
+	var err error
+
+	m.ForEachZone(func(z *Zone) bool {
+		err = z.WriteHosts()
+		return err != nil
+	})
+
+	return err
+}
+
+// WriteHosts rewrites all hosts files in the zone
+func (z *Zone) WriteHosts() error {
+	var err error
+
+	s := z.Hosts()
+	z.ForEachMachine(func(p *Machine) bool {
+		err = p.WriteStringFile(s, "hosts")
+		return err != nil
+	})
+
+	return err
+}
+
+// WriteHosts rewrites the hosts file
+func (p *Machine) WriteHosts() error {
+	s := p.zone.Hosts()
+	return p.WriteStringFile(s, "hosts")
+}
+
+func (z *Zone) genHosts(out *hostsFile, p *Machine) {
+	var names []string
+
+	ip := p.RingOneAddress()
+	names = append(names, p.Name)
+
+	if p.CephMonitor {
+		names = append(names, fmt.Sprintf("%s-%s", p.zone.Name, "ceph"))
+		names = append(names, fmt.Sprintf("%s-%s", p.zone.Name, "k3s"))
+
+		if z.Is(p.Region(), p.Zone()) {
+			names = append(names, "ceph")
+			names = append(names, "k3s")
+		}
+	}
+
+	entry := hostsEntry{
+		Addr:  ip.String(),
+		Names: names,
+	}
+
+	out.Ring1 = append(out.Ring1, entry)
+
+	if p.IsGateway() {
+		var s string
+
+		ip, _ = p.RingZeroAddress()
+		s = fmt.Sprintf("%s-%v", p.Name, 0)
+
+		entry = hostsEntry{
+			Addr:  ip.String(),
+			Names: []string{s},
+		}
+
+		out.Ring0 = append(out.Ring0, entry)
+	}
+}
+
+// Hosts renders the /etc/hosts to be used on this zone
+func (z *Zone) Hosts() string {
+	var buf bytes.Buffer
+	var out hostsFile
+
+	z.zones.ForEachZone(func(z2 *Zone) bool {
+		z2.ForEachMachine(func(p *Machine) bool {
+			z.genHosts(&out, p)
+
+			return false
+		})
+		return false
+	})
+
+	if err := hostsTemplate.Execute(&buf, &out); err != nil {
+		panic(err)
+	}
+
+	return buf.String()
+}
@@ -0,0 +1,49 @@
+package cluster
+
+import "darvaza.org/slog"
+
+type logger interface {
+	withDebug() (slog.Logger, bool)
+	withInfo() (slog.Logger, bool)
+
+	debug() slog.Logger
+	info() slog.Logger
+	warn(error) slog.Logger
+	error(error) slog.Logger
+}
+
+var (
+	_ logger = (*Cluster)(nil)
+)
+
+func (z *Cluster) withDebug() (slog.Logger, bool) {
+	return z.debug().WithEnabled()
+}
+
+func (z *Cluster) withInfo() (slog.Logger, bool) {
+	return z.debug().WithEnabled()
+}
+
+func (z *Cluster) debug() slog.Logger {
+	return z.log.Debug()
+}
+
+func (z *Cluster) info() slog.Logger {
+	return z.log.Info()
+}
+
+func (z *Cluster) warn(err error) slog.Logger {
+	l := z.log.Warn()
+	if err != nil {
+		l = l.WithField(slog.ErrorFieldName, err)
+	}
+	return l
+}
+
+func (z *Cluster) error(err error) slog.Logger {
+	l := z.log.Error()
+	if err != nil {
+		l = l.WithField(slog.ErrorFieldName, err)
+	}
+	return l
+}
@@ -0,0 +1,90 @@
+package cluster
+
+import (
+	"net/netip"
+	"strings"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+// revive:disable:line-length-limit
+
+// A Machine is a machine on a Zone
+type Machine struct {
+	zone   *Zone
+	logger `json:"-" yaml:"-"`
+
+	ID   rings.NodeID
+	Name string `json:"-" yaml:"-"`
+
+	Inactive        bool         `json:"inactive,omitempty"     yaml:"inactive,omitempty"`
+	CephMonitor     bool         `json:"ceph_monitor,omitempty" yaml:"ceph_monitor,omitempty"`
+	PublicAddresses []netip.Addr `json:"public,omitempty"       yaml:"public,omitempty"`
+	Rings           []*RingInfo  `json:"rings,omitempty"        yaml:"rings,omitempty"`
+}
+
+// revive:enable:line-length-limit
+
+func (m *Machine) String() string {
+	return m.Name
+}
+
+// FullName returns the Name of the machine including domain name
+func (m *Machine) FullName() string {
+	var name []string
+
+	for _, s := range []string{
+		m.Name,
+		m.zone.zones.Name,
+		m.zone.zones.Domain,
+	} {
+		if s != "" {
+			name = append(name, s)
+		}
+	}
+
+	return strings.Join(name, ".")
+}
+
+// IsActive indicates the machine is to be included in regions' DNS entries
+func (m *Machine) IsActive() bool {
+	return !m.Inactive
+}
+
+// IsGateway tells if the Machine is a ring0 gateway
+func (m *Machine) IsGateway() bool {
+	_, ok := m.getRingInfo(rings.RingZeroID)
+	return ok
+}
+
+// SetGateway enables/disables a Machine ring0 integration
+func (m *Machine) SetGateway(enabled bool) error {
+	ri, found := m.getRingInfo(rings.RingZeroID)
+	switch {
+	case !found && !enabled:
+		return nil
+	case !found:
+		var err error
+
+		if ri, err = m.createRingInfo(0, false); err != nil {
+			return err
+		}
+	}
+
+	ri.Enabled = enabled
+	return m.SyncWireguardConfig(rings.RingZeroID)
+}
+
+// Zone indicates the [Zone] this machine belongs to
+func (m *Machine) Zone() rings.ZoneID {
+	return m.zone.ID
+}
+
+// Region indicates the [Region] this machine belongs to
+func (m *Machine) Region() rings.RegionID {
+	return m.zone.RegionID()
+}
+
+func (m *Machine) getPeerByName(name string) (*Machine, bool) {
+	return m.zone.zones.GetMachineByName(name)
+}
@@ -1,7 +1,6 @@
-package zones
+package cluster

 import (
-	"bytes"
 	"fmt"
 	"io"
 	"os"
@@ -12,10 +11,9 @@ import (

 // OpenFile opens a file on the machine's config directory with the specified flags
 func (m *Machine) OpenFile(name string, flags int, args ...any) (fs.File, error) {
-	base := m.zone.zones.dir
 	fullName := m.getFilename(name, args...)

-	return fs.OpenFile(base, fullName, flags, 0644)
+	return m.zone.zones.OpenFile(fullName, flags)
 }

 // CreateTruncFile creates or truncates a file on the machine's config directory
@@ -34,42 +32,47 @@ func (m *Machine) openWriter(name string, flags int, args ...any) (io.WriteClose
 		return nil, err
 	}

-	return f.(io.WriteCloser), nil
+	if f, ok := f.(io.WriteCloser); ok {
+		return f, nil
+	}
+
+	panic("unreachable")
 }

 // RemoveFile deletes a file from the machine's config directory
 func (m *Machine) RemoveFile(name string, args ...any) error {
-	base := m.zone.zones.dir
 	fullName := m.getFilename(name, args...)
-	err := fs.Remove(base, fullName)

-	switch {
-	case os.IsNotExist(err):
-		return nil
-	default:
-		return err
-	}
+	return m.zone.zones.RemoveFile(fullName)
 }

 // ReadFile reads a file from the machine's config directory
 func (m *Machine) ReadFile(name string, args ...any) ([]byte, error) {
-	base := m.zone.zones.dir
 	fullName := m.getFilename(name, args...)

-	return fs.ReadFile(base, fullName)
+	return m.zone.zones.ReadFile(fullName)
+}
+
+// ReadLines reads a file from the machine's config directory,
+// split by lines, trimmed, and accepting `#` to comment lines out.
+func (m *Machine) ReadLines(name string, args ...any) ([]string, error) {
+	fullName := m.getFilename(name, args...)
+
+	return m.zone.zones.ReadLines(fullName)
 }

 // WriteStringFile writes the given content to a file on the machine's config directory
 func (m *Machine) WriteStringFile(value string, name string, args ...any) error {
-	f, err := m.CreateTruncFile(name, args...)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
+	fullName := m.getFilename(name, args...)

-	buf := bytes.NewBufferString(value)
-	_, err = buf.WriteTo(f)
-	return err
+	return m.zone.zones.WriteStringFile(value, fullName)
+}
+
+// MkdirAll creates directories relative to the machine's config directory
+func (m *Machine) MkdirAll(name string, args ...any) error {
+	fullName := m.getFilename(name, args...)
+
+	return m.zone.zones.MkdirAll(fullName)
 }

 func (m *Machine) getFilename(name string, args ...any) string {
@@ -0,0 +1,329 @@
+package cluster
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"os"
+
+	"darvaza.org/core"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+	"git.jpi.io/amery/jpictl/pkg/wireguard"
+)
+
+// GetWireguardKeys reads a wgN.key/wgN.pub files
+func (m *Machine) GetWireguardKeys(ringID rings.RingID) (wireguard.KeyPair, error) {
+	var (
+		data []byte
+		out  wireguard.KeyPair
+	)
+
+	ring, err := AsWireguardInterfaceID(ringID)
+	if err != nil {
+		// invalid ring
+		return out, err
+	}
+
+	keyFile, pubFile, _ := ring.Files()
+
+	data, err = m.ReadFile(keyFile)
+	if err != nil {
+		// failed to read
+		return out, err
+	}
+
+	out.PrivateKey, err = wireguard.PrivateKeyFromBase64(string(data))
+	if err != nil {
+		// bad key
+		err = core.Wrap(err, keyFile)
+		return out, err
+	}
+
+	data, err = m.ReadFile(pubFile)
+	switch {
+	case os.IsNotExist(err):
+		// no wgN.pub is fine
+	case err != nil:
+		// failed to read
+		return out, err
+	default:
+		// good read
+		out.PublicKey, err = wireguard.PublicKeyFromBase64(string(data))
+		if err != nil {
+			// bad key
+			err = core.Wrap(err, pubFile)
+			return out, err
+		}
+	}
+
+	err = out.Validate()
+	return out, err
+}
+
+func (m *Machine) tryReadWireguardKeys(ringID rings.RingID) error {
+	kp, err := m.GetWireguardKeys(ringID)
+	switch {
+	case os.IsNotExist(err):
+		// ignore
+		return nil
+	case err != nil:
+		// something went wrong
+		return err
+	default:
+		// import keys
+		ri := &RingInfo{
+			Ring: MustWireguardInterfaceID(ringID),
+			Keys: kp,
+		}
+
+		return m.applyRingInfo(ringID, ri)
+	}
+}
+
+// RemoveWireguardKeys deletes wgN.key and wgN.pub from
+// the machine's config directory
+func (m *Machine) RemoveWireguardKeys(ringID rings.RingID) error {
+	ring, err := AsWireguardInterfaceID(ringID)
+	if err != nil {
+		return err
+	}
+
+	keyFile, pubFile, _ := ring.Files()
+
+	err = m.RemoveFile(pubFile)
+	switch {
+	case os.IsNotExist(err):
+		// ignore
+	case err != nil:
+		return err
+	}
+
+	err = m.RemoveFile(keyFile)
+	if os.IsNotExist(err) {
+		// ignore
+		err = nil
+	}
+
+	return err
+}
+
+// GetWireguardConfig reads a wgN.conf file
+func (m *Machine) GetWireguardConfig(ringID rings.RingID) (*wireguard.Config, error) {
+	ring, err := AsWireguardInterfaceID(ringID)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := m.ReadFile(ring.ConfFile())
+	if err != nil {
+		return nil, err
+	}
+
+	r := bytes.NewReader(data)
+	return wireguard.NewConfigFromReader(r)
+}
+
+func (m *Machine) tryApplyWireguardConfig(ring rings.RingID) error {
+	wg, err := m.GetWireguardConfig(ring)
+	switch {
+	case os.IsNotExist(err):
+		return nil
+	case err != nil:
+		return err
+	default:
+		return m.applyWireguardConfig(ring, wg)
+	}
+}
+
+func (m *Machine) applyWireguardConfigNode(ring rings.RingID, wg *wireguard.Config) error {
+	addr := wg.GetAddress()
+	if !core.IsZero(addr) {
+		regionID, zoneID, nodeID, ok := Rings[ring].Decode(addr)
+		if !ok {
+			return fmt.Errorf("%s: invalid address", addr)
+		}
+
+		if err := m.applyZoneNodeID(regionID, zoneID, nodeID); err != nil {
+			return core.Wrap(err, "%s: invalid address", addr)
+		}
+	}
+
+	if err := m.applyWireguardInterfaceConfig(ring, wg.Interface); err != nil {
+		return core.Wrap(err, "interface")
+	}
+
+	return nil
+}
+
+func (m *Machine) applyWireguardConfig(ring rings.RingID, wg *wireguard.Config) error {
+	if err := m.applyWireguardConfigNode(ring, wg); err != nil {
+		return err
+	}
+
+	for _, peer := range wg.Peer {
+		err := m.applyWireguardPeerConfig(ring, peer)
+		switch {
+		case errors.Is(err, ErrUnknownNode):
+			// ignore unknown peers
+			m.warn(nil).
+				WithField("subsystem", "wireguard").
+				WithField("node", m.Name).
+				WithField("peer", peer.Endpoint.Host).
+				WithField("ring", MustWireguardInterfaceID(ring)).
+				Print("ignoring unknown endpoint")
+		case err != nil:
+			return core.Wrap(err, "peer")
+		}
+	}
+
+	return nil
+}
+
+func (m *Machine) getRingInfo(ring rings.RingID) (*RingInfo, bool) {
+	for _, ri := range m.Rings {
+		if ri.RingID() == ring {
+			return ri, ri.Enabled
+		}
+	}
+
+	return nil, false
+}
+
+func (m *Machine) applyRingInfo(ring rings.RingID, new *RingInfo) error {
+	cur, _ := m.getRingInfo(ring)
+	if cur == nil {
+		// first, append
+		m.debug().
+			WithField("node", m.Name).
+			WithField("ring", MustWireguardInterfaceID(ring)).
+			Print("found")
+		m.Rings = append(m.Rings, new)
+		return nil
+	}
+
+	// extra, merge
+	return cur.Merge(new)
+}
+
+func (m *Machine) applyWireguardInterfaceConfig(ring rings.RingID,
+	data wireguard.InterfaceConfig) error {
+	//
+	ri := &RingInfo{
+		Ring:    MustWireguardInterfaceID(ring),
+		Enabled: true,
+		Keys: wireguard.KeyPair{
+			PrivateKey: data.PrivateKey,
+		},
+	}
+
+	return m.applyRingInfo(ring, ri)
+}
+
+func (m *Machine) applyWireguardPeerConfig(ring rings.RingID,
+	pc wireguard.PeerConfig) error {
+	//
+	peer, found := m.getPeerByName(pc.Endpoint.Name())
+	switch {
+	case !found:
+		// unknown
+		return core.Wrap(ErrUnknownNode, pc.Endpoint.Host)
+	case ring == 1 && m.zone != peer.zone:
+		// invalid zone
+		return core.Wrap(ErrInvalidNode, peer.Name)
+	default:
+		// apply RingInfo
+		ri := &RingInfo{
+			Ring:    MustWireguardInterfaceID(ring),
+			Enabled: true,
+			Keys: wireguard.KeyPair{
+				PublicKey: pc.PublicKey,
+			},
+		}
+
+		return peer.applyRingInfo(ring, ri)
+	}
+}
+
+func (m *Machine) applyZoneNodeID(regionID rings.RegionID,
+	zoneID rings.ZoneID, nodeID rings.NodeID) error {
+	//
+	switch {
+	case !regionID.Valid():
+		return fmt.Errorf("invalid %s", "regionID")
+	case !zoneID.Valid():
+		return fmt.Errorf("invalid %s", "zoneID")
+	case !nodeID.Valid():
+		return fmt.Errorf("invalid %s", "nodeID")
+	case m.ID != nodeID:
+		return fmt.Errorf("invalid %s: %v ≠ %v", "nodeID", m.ID, nodeID)
+	case m.zone.ID != 0 && m.zone.ID != zoneID:
+		return fmt.Errorf("invalid %s: %v ≠ %v", "zoneID", m.zone.ID, zoneID)
+	case m.Region() != regionID:
+		return fmt.Errorf("invalid %s: %v ≠ %v", "regionID", m.Region(), regionID)
+	default:
+		if m.zone.ID == 0 {
+			m.zone.ID = zoneID
+		}
+
+		return nil
+	}
+}
+
+func (m *Machine) setRingDefaults(ri *RingInfo) error {
+	if ri.Keys.PrivateKey.IsZero() {
+		m.info().
+			WithField("subsystem", "wireguard").
+			WithField("node", m.Name).
+			WithField("ring", ri.Ring).
+			Print("generating key pair")
+
+		kp, err := wireguard.NewKeyPair()
+		if err != nil {
+			return err
+		}
+		ri.Keys = kp
+	}
+	return nil
+}
+
+// RemoveWireguardConfig deletes wgN.conf from the machine's
+// config directory.
+func (m *Machine) RemoveWireguardConfig(ringID rings.RingID) error {
+	ring, err := AsWireguardInterfaceID(ringID)
+	if err != nil {
+		return err
+	}
+
+	err = m.RemoveFile(ring.ConfFile())
+	if os.IsNotExist(err) {
+		err = nil
+	}
+
+	return err
+}
+
+func (m *Machine) createRingInfo(ringID rings.RingID, enabled bool) (*RingInfo, error) {
+	ring, err := AsWireguardInterfaceID(ringID)
+	if err != nil {
+		return nil, err
+	}
+
+	keys, err := wireguard.NewKeyPair()
+	if err != nil {
+		return nil, err
+	}
+
+	ri := &RingInfo{
+		Ring:    ring,
+		Enabled: enabled,
+		Keys:    keys,
+	}
+
+	err = m.applyRingInfo(ringID, ri)
+	if err != nil {
+		return nil, err
+	}
+
+	return ri, nil
+}
@@ -0,0 +1,131 @@
+package cluster
+
+import (
+	"context"
+	"net/netip"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"darvaza.org/core"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+// LookupNetIP uses the DNS Resolver to get the public addresses associated
+// to a Machine
+func (m *Machine) LookupNetIP(timeout time.Duration) ([]netip.Addr, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+
+	defer cancel()
+
+	return m.zone.zones.resolver.LookupNetIP(ctx, "ip", m.FullName())
+}
+
+// UpdatePublicAddresses uses the DNS Resolver to set Machine.PublicAddresses
+func (m *Machine) UpdatePublicAddresses() error {
+	addrs, err := m.LookupNetIP(2 * time.Second)
+	if err != nil {
+		return err
+	}
+
+	m.PublicAddresses = addrs
+	return nil
+}
+
+func (m *Machine) init() error {
+	if err := m.setID(); err != nil {
+		return core.Wrap(err, m.Name)
+	}
+
+	for _, ring := range Rings {
+		if err := m.tryReadWireguardKeys(ring.ID); err != nil {
+			return core.Wrap(err, m.Name)
+		}
+	}
+
+	return nil
+}
+
+func (m *Machine) setID() error {
+	zoneName := m.zone.Name
+
+	l := len(zoneName)
+	switch {
+	case len(m.Name) < l+2:
+		return ErrInvalidName
+	case !strings.HasPrefix(m.Name, zoneName):
+		return ErrInvalidName
+	case m.Name[l] != '-':
+		return ErrInvalidName
+	}
+
+	suffix := m.Name[l+1:]
+	id, err := strconv.ParseInt(suffix, 10, 8)
+	if err != nil {
+		return err
+	}
+
+	m.ID = rings.NodeID(id)
+	return nil
+}
+
+// scan is called once we know about all zones and machine names
+func (m *Machine) scan(_ *ScanOptions) error {
+	for _, ring := range Rings {
+		if err := m.tryApplyWireguardConfig(ring.ID); err != nil {
+			m.error(err).
+				WithField("subsystem", "wireguard").
+				WithField("node", m.Name).
+				WithField("ring", MustWireguardInterfaceID(ring.ID)).
+				Print()
+			return err
+		}
+	}
+
+	return m.loadInactive()
+}
+
+func (m *Machine) loadInactive() error {
+	data, err := m.ReadLines("region")
+	switch {
+	case os.IsNotExist(err):
+		// no file
+		return nil
+	case err != nil:
+		// read error
+		return err
+	default:
+		// look for "none"
+		for _, r := range data {
+			switch r {
+			case "none":
+				m.Inactive = true
+			default:
+				m.Inactive = false
+			}
+		}
+		return nil
+	}
+}
+
+// scanWrapUp is called once all machines have been scanned
+func (m *Machine) scanWrapUp(opts *ScanOptions) error {
+	for _, ri := range m.Rings {
+		if err := m.setRingDefaults(ri); err != nil {
+			m.error(err).
+				WithField("subsystem", "wireguard").
+				WithField("node", m.Name).
+				WithField("ring", ri.Ring).
+				Print()
+			return err
+		}
+	}
+
+	if !opts.DontResolvePublicAddresses {
+		return m.UpdatePublicAddresses()
+	}
+
+	return nil
+}
@@ -0,0 +1,69 @@
+package cluster
+
+import "sort"
+
+var (
+	_ MachineIterator = Machines(nil)
+	_ sort.Interface  = Machines(nil)
+)
+
+// A MachineIterator is a set of Machines we can iterate on
+type MachineIterator interface {
+	ForEachMachine(func(*Machine) bool)
+}
+
+// Machines is a list of Machine objects
+type Machines []*Machine
+
+// ForEachMachine calls a function for each Machine in the list
+// until instructed to terminate the loop
+func (m Machines) ForEachMachine(fn func(*Machine) bool) {
+	for _, p := range m {
+		if fn(p) {
+			return
+		}
+	}
+}
+
+// Len returns the number of machines in the list
+func (m Machines) Len() int {
+	return len(m)
+}
+
+// Less implements sort.Interface to sort the list
+func (m Machines) Less(i, j int) bool {
+	a, b := m[i], m[j]
+	za, zb := a.Zone(), b.Zone()
+
+	switch {
+	case za == zb:
+		return a.ID < b.ID
+	default:
+		return za < zb
+	}
+}
+
+// Swap implements sort.Interface to sort the list
+func (m Machines) Swap(i, j int) {
+	m[i], m[j] = m[j], m[i]
+}
+
+// FilterMachines produces a subset of the machines offered by the given
+// iterator fulfilling a condition
+func FilterMachines(m MachineIterator, cond func(*Machine) bool) (Machines, int) {
+	var out []*Machine
+
+	if cond == nil {
+		// unconditional
+		cond = func(*Machine) bool { return true }
+	}
+
+	m.ForEachMachine(func(p *Machine) bool {
+		if cond(p) {
+			out = append(out, p)
+		}
+		return false
+	})
+
+	return out, len(out)
+}
@@ -0,0 +1,431 @@
+package cluster
+
+import (
+	"bytes"
+	"path/filepath"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+var (
+	_ MachineIterator = (*Region)(nil)
+	_ ZoneIterator    = (*Region)(nil)
+
+	_ RegionIterator = (*Zone)(nil)
+	_ RegionIterator = (*Cluster)(nil)
+)
+
+// A RegionIterator is a set of Regions we can iterate on
+type RegionIterator interface {
+	ForEachRegion(func(*Region) bool)
+}
+
+// Region represents a group of zones geographically related
+type Region struct {
+	m     *Cluster
+	zones []*Zone
+
+	Name    string
+	ID      rings.RegionID `json:",omitempty" yaml:",omitempty"`
+	Cluster *string        `json:",omitempty" yaml:",omitempty"`
+	Regions []string       `json:",omitempty" yaml:",omitempty"`
+}
+
+// IsPrimary indicates the region is primary and corresponds
+// to a kubernetes cluster.
+func (r *Region) IsPrimary() bool {
+	return r != nil && r.Cluster != nil
+}
+
+// ForEachRegion calls a function for each Region of the cluster
+// until instructed to terminate the loop
+func (m *Cluster) ForEachRegion(fn func(r *Region) bool) {
+	for i := range m.Regions {
+		r := &m.Regions[i]
+		if fn(r) {
+			return
+		}
+	}
+}
+
+// ForEachMachine calls a function for each Machine in the region
+// until instructed to terminate the loop
+func (r *Region) ForEachMachine(fn func(*Machine) bool) {
+	r.ForEachZone(func(z *Zone) bool {
+		var term bool
+
+		z.ForEachMachine(func(p *Machine) bool {
+			if p.IsActive() {
+				term = fn(p)
+			}
+			return term
+		})
+
+		return term
+	})
+}
+
+// ForEachZone calls a function for each Zone in the region
+// until instructed to terminate the loop
+func (r *Region) ForEachZone(fn func(*Zone) bool) {
+	for _, p := range r.zones {
+		if fn(p) {
+			// terminate
+			return
+		}
+	}
+}
+
+func (m *Cluster) initRegions(_ *ScanOptions) error {
+	regions := make(map[string][]*Zone)
+
+	// first regions defined by zones
+	m.ForEachZone(func(z *Zone) bool {
+		SortRegions(z.Regions)
+		for _, region := range z.Regions {
+			regions[region] = append(regions[region], z)
+		}
+
+		return false
+	})
+
+	// bind first level regions and their zones
+	for name, zones := range regions {
+		m.setRegionZones(name, zones...)
+	}
+
+	// and combine zones to produce larger regions
+	for i := range m.Regions {
+		r := &m.Regions[i]
+		m.finishRegion(r)
+	}
+
+	m.sortRegions()
+	m.scanRegionID()
+	m.computeZonesRegion()
+	return nil
+}
+
+func (m *Cluster) setRegionZones(name string, zones ...*Zone) {
+	for i := range m.Regions {
+		r := &m.Regions[i]
+
+		if r.Name == name {
+			// found
+			r.m = m
+			r.zones = zones
+			return
+		}
+	}
+
+	// new
+	m.Regions = append(m.Regions, Region{
+		m:     m,
+		zones: zones,
+		Name:  name,
+	})
+}
+
+func (m *Cluster) setRegionClusterToken(name string, token string) error {
+	for i := range m.Regions {
+		r := &m.Regions[i]
+
+		if r.Name == name {
+			// found
+			r.Cluster = &token
+			return nil
+		}
+	}
+
+	// new
+	m.Regions = append(m.Regions, Region{
+		m:       m,
+		Name:    name,
+		Cluster: &token,
+	})
+	return nil
+}
+
+func (m *Cluster) appendRegionRegions(name string, subs ...string) {
+	for i := range m.Regions {
+		r := &m.Regions[i]
+
+		if name == r.Name {
+			// found
+			r.Regions = append(r.Regions, subs...)
+			return
+		}
+	}
+
+	// new
+	m.Regions = append(m.Regions, Region{
+		Name:    name,
+		Regions: subs,
+	})
+}
+
+// ForEachRegion calls a function on all regions this zone belongs to.
+func (z *Zone) ForEachRegion(fn func(*Region) bool) {
+	if fn == nil {
+		return
+	}
+
+	z.zones.ForEachRegion(func(r *Region) bool {
+		var match bool
+
+		r.ForEachZone(func(z2 *Zone) bool {
+			match = (z == z2)
+			return match
+		})
+
+		if match && fn(r) {
+			return true
+		}
+
+		return false
+	})
+}
+
+func (z *Zone) appendRegions(regions ...string) error {
+	for _, s := range regions {
+		// TODO: validate
+		z.debug().
+			WithField("zone", z.Name).
+			WithField("region", s).
+			Print("attached")
+
+		z.Regions = append(z.Regions, s)
+	}
+
+	return nil
+}
+
+func (m *Cluster) finishRegion(r *Region) {
+	if r.m != nil {
+		// ready
+		return
+	}
+
+	r.m = m
+	sub := []string{}
+	for _, name := range r.Regions {
+		r2, ok := m.getFinishRegion(name)
+		if !ok {
+			m.warn(nil).WithField("region", name).Print("unknown region")
+			continue
+		}
+
+		sub = append(sub, r2.Name)
+		r.zones = append(r.zones, r2.zones...)
+	}
+	r.Regions = sub
+}
+
+// revive:disable:cognitive-complexity
+func (m *Cluster) scanRegionID() {
+	// revive:enable:cognitive-complexity
+	var max rings.RegionID
+	var missing bool
+
+	// check IDs
+	ids := make(map[rings.RegionID]bool)
+	fn := func(r *Region) bool {
+		var term bool
+
+		switch {
+		case !r.IsPrimary():
+			// secondary, no ID.
+			r.ID = 0
+		case !r.ID.Valid():
+			// primary without ID
+			missing = true
+		case ids[r.ID]:
+			// duplicate
+			m.error(nil).WithField("region", r.Name).Print("duplicate ID")
+			missing = true
+			r.ID = 0
+		default:
+			ids[r.ID] = true
+
+			if r.ID > max {
+				max = r.ID
+			}
+		}
+
+		return term
+	}
+	m.ForEachRegion(fn)
+
+	if missing {
+		// assign missing IDs
+		fn := func(r *Region) bool {
+			var term bool
+
+			switch {
+			case !r.IsPrimary():
+				// ignore secondary
+			case r.ID.Valid():
+				// already has an ID
+			default:
+				r.ID = max + 1
+				max = r.ID
+			}
+
+			return term
+		}
+
+		m.ForEachRegion(fn)
+	}
+}
+
+func (m *Cluster) computeZonesRegion() {
+	fn := func(r *Region, z *Zone) {
+		if z.region != nil {
+			m.error(nil).
+				WithField("zone", z.Name).
+				WithField("region", []string{
+					z.region.Name,
+					r.Name,
+				}).
+				Print("zone in two regions")
+		} else {
+			z.region = r
+		}
+	}
+
+	m.ForEachRegion(func(r *Region) bool {
+		var term bool
+
+		if r.IsPrimary() {
+			r.ForEachZone(func(z *Zone) bool {
+				fn(r, z)
+				return term
+			})
+		}
+
+		return term
+	})
+}
+
+func (m *Cluster) getRegion(name string) (*Region, bool) {
+	for i := range m.Regions {
+		r := &m.Regions[i]
+		if name == r.Name {
+			return r, true
+		}
+	}
+
+	return nil, false
+}
+
+func (m *Cluster) getFinishRegion(name string) (*Region, bool) {
+	if r, ok := m.getRegion(name); ok {
+		m.finishRegion(r)
+		return r, true
+	}
+
+	return nil, false
+}
+
+// SyncRegions writes to the file system the regions this [Zone]
+// belongs to.
+func (z *Zone) SyncRegions() error {
+	err := z.syncZoneRegions()
+	if err == nil {
+		z.ForEachMachine(func(p *Machine) bool {
+			err = z.syncMachineRegions(p)
+			return err != nil
+		})
+	}
+
+	return err
+}
+
+func (*Zone) syncMachineRegions(p *Machine) error {
+	var err error
+
+	if p.IsActive() {
+		err = p.RemoveFile("region")
+	} else {
+		err = p.WriteStringFile("none\n", "region")
+	}
+
+	if err == nil {
+		err = p.RemoveFile(RegionClusterTokenFileName)
+	}
+
+	return err
+}
+
+func (z *Zone) syncZoneRegions() error {
+	name := filepath.Join(z.Name, ZoneRegionsFileName)
+
+	if len(z.Regions) > 0 {
+		var buf bytes.Buffer
+
+		for _, s := range z.Regions {
+			_, _ = buf.WriteString(s)
+			_, _ = buf.WriteRune('\n')
+		}
+
+		return z.zones.WriteStringFile(buf.String(), name)
+	}
+
+	return z.zones.RemoveFile(name)
+}
+
+// SyncRegions writes to the file system the regions covered
+// by this meta-region
+func (r *Region) SyncRegions() error {
+	if err := r.syncRegionsFile(); err != nil {
+		return err
+	}
+
+	return r.syncClusterFile()
+}
+
+func (r *Region) mkdir() error {
+	return r.m.MkdirAll(r.Name)
+}
+
+func (r *Region) syncRegionsFile() error {
+	var err error
+
+	name := filepath.Join(r.Name, ZoneRegionsFileName)
+
+	if len(r.Regions) == 0 {
+		err = r.m.RemoveFile(name)
+	} else if err = r.mkdir(); err == nil {
+		var buf bytes.Buffer
+
+		for _, s := range r.Regions {
+			_, _ = buf.WriteString(s)
+			_, _ = buf.WriteRune('\n')
+		}
+
+		err = r.m.WriteStringFile(buf.String(), name)
+	}
+
+	return err
+}
+
+func (r *Region) syncClusterFile() error {
+	var err error
+
+	name := filepath.Join(r.Name, RegionClusterTokenFileName)
+
+	if r.Cluster == nil {
+		err = r.m.RemoveFile(name)
+	} else if err = r.mkdir(); err == nil {
+		var buf bytes.Buffer
+
+		_, _ = buf.WriteString(*r.Cluster)
+		if buf.Len() > 0 {
+			_, _ = buf.WriteRune('\n')
+		}
+
+		err = r.m.WriteStringFile(buf.String(), name)
+	}
+
+	return err
+}
@@ -0,0 +1,41 @@
+package cluster
+
+import "sort"
+
+// SortRegions sorts regions. first by length those 3-character
+// or shorter, and then by length. It's mostly aimed at
+// supporting ISO-3166 order
+func SortRegions(regions []string) []string {
+	sort.Slice(regions, func(i, j int) bool {
+		r1, r2 := regions[i], regions[j]
+		return regionLess(r1, r2)
+	})
+
+	return regions
+}
+
+func regionLess(r1, r2 string) bool {
+	switch {
+	case len(r1) < 4:
+		switch {
+		case len(r1) < len(r2):
+			return true
+		case len(r1) > len(r2):
+			return false
+		default:
+			return r1 < r2
+		}
+	case len(r2) < 4:
+		return false
+	default:
+		return r1 < r2
+	}
+}
+
+func (m *Cluster) sortRegions() {
+	sort.Slice(m.Regions, func(i, j int) bool {
+		r1 := m.Regions[i].Name
+		r2 := m.Regions[j].Name
+		return regionLess(r1, r2)
+	})
+}
@@ -1,32 +1,87 @@
-package zones
+package cluster

 import (
 	"fmt"
 	"io/fs"
 	"net/netip"
+	"strconv"

+	"git.jpi.io/amery/jpictl/pkg/rings"
 	"git.jpi.io/amery/jpictl/pkg/wireguard"
 )

 const (
-	// MaxZoneID indicates the highest ID allowed for a Zone
-	MaxZoneID = 0xf
-	// MaxNodeID indicates the highest Machine ID allowed within a Zone
-	MaxNodeID = 0xff - 1
-	// RingsCount indicates how many wireguard rings we have
-	RingsCount = 2
 	// RingZeroPort is the port wireguard uses for ring0
 	RingZeroPort = 51800
 	// RingOnePort is the port wireguard uses for ring1
 	RingOnePort = 51810
 )

+// WireguardInterfaceID represents the number in the `wg%v`
+// interface name.
+type WireguardInterfaceID uint
+
+// AsWireguardInterfaceID returns the [WireguardInterfaceID] for
+// a valid [rings.RingID].
+func AsWireguardInterfaceID(ring rings.RingID) (WireguardInterfaceID, error) {
+	switch ring {
+	case rings.RingZeroID:
+		return 0, nil
+	case rings.RingOneID:
+		return 1, nil
+	default:
+		return 0, ErrInvalidRing(ring)
+	}
+}
+
+// MustWireguardInterfaceID returns the [WireguardInterfaceID] for
+// a valid [rings.RingID], and panics if it's not.
+func MustWireguardInterfaceID(ring rings.RingID) WireguardInterfaceID {
+	id, err := AsWireguardInterfaceID(ring)
+	if err != nil {
+		panic(err)
+	}
+	return id
+}
+
+// RingID tells the [rings.RingID] of the [WireguardInterfaceID].
+func (wi WireguardInterfaceID) RingID() rings.RingID {
+	return rings.RingID(wi + 1)
+}
+
+// PubFile returns "wgN.pub"
+func (wi WireguardInterfaceID) PubFile() string {
+	return fmt.Sprintf("wg%v.pub", wi)
+}
+
+// KeyFile returns "wgN.key"
+func (wi WireguardInterfaceID) KeyFile() string {
+	return fmt.Sprintf("wg%v.key", wi)
+}
+
+// ConfFile returns "wgN.conf"
+func (wi WireguardInterfaceID) ConfFile() string {
+	return fmt.Sprintf("wg%v.conf", wi)
+}
+
+// Files returns all wgN.ext file names.
+func (wi WireguardInterfaceID) Files() (keyFile, pubFile, confFile string) {
+	prefix := "wg" + strconv.Itoa(int(wi))
+
+	return prefix + ".key", prefix + ".pub", prefix + ".conf"
+}
+
 // RingInfo contains represents the Wireguard endpoint details
 // for a Machine on a particular ring
 type RingInfo struct {
-	Ring    int               `toml:"ring"`
-	Enabled bool              `toml:"enabled,omitempty"`
-	Keys    wireguard.KeyPair `toml:"keys,omitempty"`
+	Ring    WireguardInterfaceID
+	Enabled bool
+	Keys    wireguard.KeyPair
+}
+
+// RingID returns the [rings.RingID] for this [RingInfo].
+func (ri *RingInfo) RingID() rings.RingID {
+	return rings.RingID(ri.Ring + 1)
 }

 // Merge attempts to combine two RingInfo structs
@@ -41,7 +96,7 @@ func (ri *RingInfo) Merge(alter *RingInfo) error {
 		// can't disable via Merge
 		return fmt.Errorf("invalid %s: %v → %v", "enabled", ri.Enabled, alter.Enabled)
 	case !canMergeKeyPairs(ri.Keys, alter.Keys):
-		// incompatible keypairs
+		// incompatible key pairs
 		return fmt.Errorf("invalid %s: %s ≠ %s", "keys", ri.Keys, alter.Keys)
 	}

@@ -54,7 +109,7 @@ func (ri *RingInfo) unsafeMerge(alter *RingInfo) error {
 		ri.Enabled = true
 	}

-	// fill the gaps on our keypair
+	// fill the gaps on our key pair
 	if ri.Keys.PrivateKey.IsZero() {
 		ri.Keys.PrivateKey = alter.Keys.PrivateKey
 	}
@@ -79,108 +134,34 @@ func canMergeKeyPairs(p1, p2 wireguard.KeyPair) bool {
 // RingAddressEncoder provides encoder/decoder access for a particular
 // Wireguard ring
 type RingAddressEncoder struct {
-	ID     int
+	ID     rings.RingID
 	Port   uint16
-	Encode func(zoneID, nodeID int) (netip.Addr, bool)
-	Decode func(addr netip.Addr) (zoneID, nodeID int, ok bool)
+	Encode func(rings.RegionID, rings.ZoneID, rings.NodeID) (netip.Addr, error)
+	Decode func(addr netip.Addr) (rings.RegionID, rings.ZoneID, rings.NodeID, bool)
 }

 var (
 	// RingZero is a wg0 address encoder/decoder
 	RingZero = RingAddressEncoder{
-		ID:     0,
+		ID:     rings.RingZeroID,
 		Port:   RingZeroPort,
-		Decode: ParseRingZeroAddress,
-		Encode: RingZeroAddress,
+		Decode: rings.DecodeRingZeroAddress,
+		Encode: rings.RingZeroAddress,
 	}
 	// RingOne is a wg1 address encoder/decoder
 	RingOne = RingAddressEncoder{
-		ID:     1,
+		ID:     rings.RingOneID,
 		Port:   RingOnePort,
-		Decode: ParseRingOneAddress,
-		Encode: RingOneAddress,
+		Decode: rings.DecodeRingOneAddress,
+		Encode: rings.RingOneAddress,
 	}
 	// Rings provides indexed access to the ring address encoders
-	Rings = [RingsCount]RingAddressEncoder{
+	Rings = []RingAddressEncoder{
 		RingZero,
 		RingOne,
 	}
 )

-// ValidZoneID checks if the given zoneID is a valid 4 bit zone number.
-//
-// 0 is reserved, and only allowed when composing CIDRs.
-func ValidZoneID(zoneID int) bool {
-	switch {
-	case zoneID < 0 || zoneID > MaxZoneID:
-		return false
-	default:
-		return true
-	}
-}
-
-// ValidNodeID checks if the given nodeID is a valid 8 bit number.
-// nodeID is unique within a Zone.
-// 0 is reserved, and only allowed when composing CIDRs.
-func ValidNodeID(nodeID int) bool {
-	switch {
-	case nodeID < 0 || nodeID > MaxNodeID:
-		return false
-	default:
-		return true
-	}
-}
-
-// ParseRingZeroAddress extracts zone and node ID from a wg0 [netip.Addr]
-// wg0 addresses are of the form `10.0.{{zoneID}}.{{nodeID}}`
-func ParseRingZeroAddress(addr netip.Addr) (zoneID int, nodeID int, ok bool) {
-	if addr.IsValid() {
-		a4 := addr.As4()
-
-		if a4[0] == 10 && a4[1] == 0 {
-			return int(a4[2]), int(a4[3]), true
-		}
-	}
-	return 0, 0, false
-}
-
-// RingZeroAddress returns a wg0 IP address
-func RingZeroAddress(zoneID, nodeID int) (netip.Addr, bool) {
-	switch {
-	case !ValidZoneID(zoneID) || !ValidNodeID(nodeID):
-		return netip.Addr{}, false
-	default:
-		a4 := [4]uint8{10, 0, uint8(zoneID), uint8(nodeID)}
-		return netip.AddrFrom4(a4), true
-	}
-}
-
-// ParseRingOneAddress extracts zone and node ID from a wg1 [netip.Addr]
-// wg1 addresses are of the form `10.{{zoneID << 4}}.{{nodeID}}`
-func ParseRingOneAddress(addr netip.Addr) (zoneID int, nodeID int, ok bool) {
-	if addr.IsValid() {
-		a4 := addr.As4()
-
-		if a4[0] == 10 && a4[2] == 0 {
-			zoneID = int(a4[1] >> 4)
-			nodeID = int(a4[3])
-			return zoneID, nodeID, true
-		}
-	}
-	return 0, 0, false
-}
-
-// RingOneAddress returns a wg1 IP address
-func RingOneAddress(zoneID, nodeID int) (netip.Addr, bool) {
-	switch {
-	case !ValidZoneID(zoneID) || !ValidNodeID(nodeID):
-		return netip.Addr{}, false
-	default:
-		a4 := [4]uint8{10, uint8(zoneID << 4), 0, uint8(nodeID)}
-		return netip.AddrFrom4(a4), true
-	}
-}
-
 var (
 	_ MachineIterator = (*Ring)(nil)
 	_ ZoneIterator    = (*Ring)(nil)
@@ -203,14 +184,15 @@ func (r *Ring) AddPeer(p *Machine) bool {

 	nodeID := p.ID
 	zoneID := p.Zone()
-	addr, _ := r.Encode(zoneID, nodeID)
+	regionID := p.Region()
+	addr, _ := r.Encode(regionID, zoneID, nodeID)

 	rp := &RingPeer{
 		Node:       p,
 		Address:    addr,
 		PrivateKey: ri.Keys.PrivateKey,
 		PeerConfig: wireguard.PeerConfig{
-			Name:      fmt.Sprintf("%s-%v", p.Name, r.ID),
+			Name:      fmt.Sprintf("%s-%v", p.Name, ri.Ring),
 			PublicKey: ri.Keys.PublicKey,
 			Endpoint: wireguard.EndpointAddress{
 				Host: p.FullName(),
@@ -220,7 +202,7 @@ func (r *Ring) AddPeer(p *Machine) bool {
 	}

 	switch {
-	case r.ID == 0:
+	case r.ID == rings.RingZeroID:
 		r.setRingZeroAllowedIPs(rp)
 	case p.IsGateway():
 		r.setRingOneGatewayAllowedIPs(rp)
@@ -233,27 +215,27 @@ func (r *Ring) AddPeer(p *Machine) bool {
 }

 func (r *Ring) setRingZeroAllowedIPs(rp *RingPeer) {
-	zoneID, _, _ := r.Decode(rp.Address)
+	regionID, zoneID, _, _ := r.Decode(rp.Address)

 	// everyone on ring0 is a gateway to ring1
-	addr, _ := RingOneAddress(zoneID, 0)
-	rp.AllowCIDR(addr, 12)
+	subnet, _ := rings.RingOnePrefix(regionID, zoneID)
+	rp.AllowSubnet(subnet)

 	// peer
 	rp.AllowCIDR(rp.Address, 32)
 }

 func (r *Ring) setRingOneGatewayAllowedIPs(rp *RingPeer) {
-	zoneID, _, _ := r.Decode(rp.Address)
+	regionID, zoneID, _, _ := r.Decode(rp.Address)

 	// peer
 	rp.AllowCIDR(rp.Address, 32)

 	// ring1 gateways connect to all other ring1 networks
 	r.ForEachZone(func(z *Zone) bool {
-		if z.ID != zoneID {
-			addr, _ := r.Encode(z.ID, 0)
-			rp.AllowCIDR(addr, 12)
+		if !z.Is(regionID, zoneID) {
+			subnet := z.RingOnePrefix()
+			rp.AllowSubnet(subnet)
 		}
 		return false
 	})
@@ -262,7 +244,7 @@ func (r *Ring) setRingOneGatewayAllowedIPs(rp *RingPeer) {
 	r.ForEachZone(func(z *Zone) bool {
 		z.ForEachMachine(func(p *Machine) bool {
 			if p.IsGateway() {
-				addr, _ := RingZeroAddress(z.ID, p.ID)
+				addr, _ := p.RingZeroAddress()
 				rp.AllowCIDR(addr, 32)
 			}
 			return false
@@ -329,15 +311,29 @@ type RingPeer struct {

 // AllowCIDR allows an IP range via this peer
 func (rp *RingPeer) AllowCIDR(addr netip.Addr, bits int) {
-	cidr := netip.PrefixFrom(addr, bits)
-	rp.PeerConfig.AllowedIPs = append(rp.PeerConfig.AllowedIPs, cidr)
+	rp.AllowSubnet(netip.PrefixFrom(addr, bits))
+}
+
+// AllowSubnet allows an IP range via this peer
+func (rp *RingPeer) AllowSubnet(subnet netip.Prefix) {
+	rp.PeerConfig.AllowedIPs = append(rp.PeerConfig.AllowedIPs, subnet)
 }

 // NewRing composes a new Ring for Wireguard setup
-func NewRing(z ZoneIterator, m MachineIterator, ring int) (*Ring, error) {
-	r := &Ring{
-		RingAddressEncoder: Rings[ring],
-		ZoneIterator:       z,
+func NewRing(z ZoneIterator, m MachineIterator, ringID rings.RingID) (*Ring, error) {
+	var r *Ring
+	for _, ring := range Rings {
+		if ringID == ring.ID {
+			r = &Ring{
+				RingAddressEncoder: ring,
+				ZoneIterator:       z,
+			}
+			break
+		}
+	}
+
+	if r == nil {
+		return nil, ErrInvalidRing(ringID)
 	}

 	m.ForEachMachine(func(p *Machine) bool {
@@ -0,0 +1,82 @@
+package cluster
+
+// SyncAll updates all config files
+func (m *Cluster) SyncAll() error {
+	for _, fn := range []func() error{
+		m.SyncMkdirAll,
+		m.SyncAllWireguard,
+		m.SyncAllCeph,
+		m.SyncAllRegions,
+		m.WriteHosts,
+	} {
+		if err := fn(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// SyncMkdirAll creates the directories needed to store files
+// required to represent the cluster.
+func (m *Cluster) SyncMkdirAll() error {
+	err := m.MkdirAll(".")
+	if err == nil {
+		m.ForEachMachine(func(p *Machine) bool {
+			err = p.MkdirAll(".")
+			return err != nil
+		})
+	}
+
+	return err
+}
+
+// SyncAllWireguard updates all wireguard config files
+func (m *Cluster) SyncAllWireguard() error {
+	var err error
+
+	for _, ring := range Rings {
+		err = m.WriteWireguardKeys(ring.ID)
+		if err != nil {
+			return err
+		}
+
+		err = m.SyncWireguardConfig(ring.ID)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// SyncAllCeph updates the ceph.conf file
+func (m *Cluster) SyncAllCeph() error {
+	cfg, err := m.GenCephConfig()
+	if err != nil {
+		return err
+	}
+
+	return m.WriteCephConfig(cfg)
+}
+
+// SyncAllRegions rewrites all region data
+func (m *Cluster) SyncAllRegions() error {
+	var err error
+
+	m.ForEachZone(func(z *Zone) bool {
+		err := z.SyncRegions()
+		return err != nil
+	})
+
+	if err != nil {
+		return err
+	}
+
+	m.ForEachRegion(func(r *Region) bool {
+		err = r.SyncRegions()
+		return err != nil
+	})
+
+	return err
+}
@@ -1,24 +1,26 @@
-package zones
+package cluster

 import (
 	"io/fs"
 	"os"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
 )

 var (
-	_ WireguardConfigPruner = (*Zones)(nil)
+	_ WireguardConfigPruner = (*Cluster)(nil)
 	_ WireguardConfigPruner = (*Zone)(nil)
 	_ WireguardConfigPruner = (*Machine)(nil)

-	_ WireguardConfigWriter = (*Zones)(nil)
+	_ WireguardConfigWriter = (*Cluster)(nil)
 	_ WireguardConfigWriter = (*Zone)(nil)
 	_ WireguardConfigWriter = (*Machine)(nil)

-	_ WireguardConfigSyncer = (*Zones)(nil)
+	_ WireguardConfigSyncer = (*Cluster)(nil)
 	_ WireguardConfigSyncer = (*Zone)(nil)
 	_ WireguardConfigSyncer = (*Machine)(nil)

-	_ WireguardKeysWriter = (*Zones)(nil)
+	_ WireguardKeysWriter = (*Cluster)(nil)
 	_ WireguardKeysWriter = (*Zone)(nil)
 	_ WireguardKeysWriter = (*Machine)(nil)
 )
@@ -26,22 +28,22 @@ var (
 // A WireguardConfigPruner deletes wgN.conf on all machines under
 // its scope with the specified ring disabled
 type WireguardConfigPruner interface {
-	PruneWireguardConfig(ring int) error
+	PruneWireguardConfig(ring rings.RingID) error
 }

 // PruneWireguardConfig removes wgN.conf files of machines with
 // the corresponding ring disabled on all zones
-func (m *Zones) PruneWireguardConfig(ring int) error {
+func (m *Cluster) PruneWireguardConfig(ring rings.RingID) error {
 	return pruneWireguardConfig(m, ring)
 }

 // PruneWireguardConfig removes wgN.conf files of machines with
 // the corresponding ring disabled.
-func (z *Zone) PruneWireguardConfig(ring int) error {
+func (z *Zone) PruneWireguardConfig(ring rings.RingID) error {
 	return pruneWireguardConfig(z, ring)
 }

-func pruneWireguardConfig(m MachineIterator, ring int) error {
+func pruneWireguardConfig(m MachineIterator, ring rings.RingID) error {
 	var err error

 	m.ForEachMachine(func(p *Machine) bool {
@@ -59,7 +61,7 @@ func pruneWireguardConfig(m MachineIterator, ring int) error {

 // PruneWireguardConfig deletes the wgN.conf file if its
 // presence on the ring is disabled
-func (m *Machine) PruneWireguardConfig(ring int) error {
+func (m *Machine) PruneWireguardConfig(ring rings.RingID) error {
 	_, ok := m.getRingInfo(ring)
 	if !ok {
 		return m.RemoveWireguardConfig(ring)
@@ -71,16 +73,16 @@ func (m *Machine) PruneWireguardConfig(ring int) error {
 // A WireguardConfigWriter rewrites all wgN.conf on all machines under
 // its scope attached to that ring
 type WireguardConfigWriter interface {
-	WriteWireguardConfig(ring int) error
+	WriteWireguardConfig(ring rings.RingID) error
 }

 // WriteWireguardConfig rewrites all wgN.conf on all machines
 // attached to that ring
-func (m *Zones) WriteWireguardConfig(ring int) error {
+func (m *Cluster) WriteWireguardConfig(ring rings.RingID) error {
 	switch ring {
-	case 0:
+	case rings.RingZeroID:
 		return writeWireguardConfig(m, m, ring)
-	case 1:
+	case rings.RingOneID:
 		var err error
 		m.ForEachZone(func(z *Zone) bool {
 			err = writeWireguardConfig(m, z, ring)
@@ -88,24 +90,24 @@ func (m *Zones) WriteWireguardConfig(ring int) error {
 		})
 		return err
 	default:
-		return fs.ErrInvalid
+		return ErrInvalidRing(ring)
 	}
 }

 // WriteWireguardConfig rewrites all wgN.conf on all machines
 // on the Zone attached to that ring
-func (z *Zone) WriteWireguardConfig(ring int) error {
+func (z *Zone) WriteWireguardConfig(ring rings.RingID) error {
 	switch ring {
-	case 0:
+	case rings.RingZeroID:
 		return writeWireguardConfig(z.zones, z.zones, ring)
-	case 1:
+	case rings.RingOneID:
 		return writeWireguardConfig(z.zones, z, ring)
 	default:
-		return fs.ErrInvalid
+		return ErrInvalidRing(ring)
 	}
 }

-func writeWireguardConfig(z ZoneIterator, m MachineIterator, ring int) error {
+func writeWireguardConfig(z ZoneIterator, m MachineIterator, ring rings.RingID) error {
 	r, err := NewRing(z, m, ring)
 	if err != nil {
 		return err
@@ -121,7 +123,7 @@ func writeWireguardConfig(z ZoneIterator, m MachineIterator, ring int) error {

 // WriteWireguardConfig rewrites the wgN.conf file of this Machine
 // if enabled
-func (m *Machine) WriteWireguardConfig(ring int) error {
+func (m *Machine) WriteWireguardConfig(ring rings.RingID) error {
 	r, err := NewRing(m.zone.zones, m.zone, ring)
 	if err != nil {
 		return err
@@ -131,12 +133,17 @@ func (m *Machine) WriteWireguardConfig(ring int) error {
 }

 func (m *Machine) writeWireguardRingConfig(r *Ring) error {
+	ring, err := AsWireguardInterfaceID(r.ID)
+	if err != nil {
+		return err
+	}
+
 	wg, err := r.ExportConfig(m)
 	if err != nil {
 		return nil
 	}

-	f, err := m.CreateTruncFile("wg%v.conf", r.ID)
+	f, err := m.CreateTruncFile(ring.ConfFile())
 	if err != nil {
 		return err
 	}
@@ -149,16 +156,16 @@ func (m *Machine) writeWireguardRingConfig(r *Ring) error {
 // A WireguardConfigSyncer updates all wgN.conf on all machines under
 // its scope reflecting the state of the ring
 type WireguardConfigSyncer interface {
-	SyncWireguardConfig(ring int) error
+	SyncWireguardConfig(ring rings.RingID) error
 }

 // SyncWireguardConfig updates all wgN.conf files for the specified
 // ring
-func (m *Zones) SyncWireguardConfig(ring int) error {
+func (m *Cluster) SyncWireguardConfig(ring rings.RingID) error {
 	switch ring {
-	case 0:
+	case rings.RingZeroID:
 		return syncWireguardConfig(m, m, ring)
-	case 1:
+	case rings.RingOneID:
 		var err error
 		m.ForEachZone(func(z *Zone) bool {
 			err = syncWireguardConfig(m, z, ring)
@@ -166,24 +173,24 @@ func (m *Zones) SyncWireguardConfig(ring int) error {
 		})
 		return err
 	default:
-		return fs.ErrInvalid
+		return ErrInvalidRing(ring)
 	}
 }

 // SyncWireguardConfig updates all wgN.conf files for the specified
 // ring
-func (z *Zone) SyncWireguardConfig(ring int) error {
+func (z *Zone) SyncWireguardConfig(ring rings.RingID) error {
 	switch ring {
-	case 0:
+	case rings.RingZeroID:
 		return syncWireguardConfig(z.zones, z.zones, ring)
-	case 1:
+	case rings.RingOneID:
 		return syncWireguardConfig(z.zones, z, ring)
 	default:
-		return fs.ErrInvalid
+		return ErrInvalidRing(ring)
 	}
 }

-func syncWireguardConfig(z ZoneIterator, m MachineIterator, ring int) error {
+func syncWireguardConfig(z ZoneIterator, m MachineIterator, ring rings.RingID) error {
 	r, err := NewRing(z, m, ring)
 	if err != nil {
 		return err
@@ -203,27 +210,27 @@ func syncWireguardConfig(z ZoneIterator, m MachineIterator, ring int) error {

 // SyncWireguardConfig updates all wgN.conf files for the specified
 // ring
-func (m *Machine) SyncWireguardConfig(ring int) error {
+func (m *Machine) SyncWireguardConfig(ring rings.RingID) error {
 	return m.zone.SyncWireguardConfig(ring)
 }

 // A WireguardKeysWriter writes the Wireguard Keys for all machines
 // under its scope for the specified ring
 type WireguardKeysWriter interface {
-	WriteWireguardKeys(ring int) error
+	WriteWireguardKeys(ring rings.RingID) error
 }

 // WriteWireguardKeys rewrites all wgN.{key,pub} files
-func (m *Zones) WriteWireguardKeys(ring int) error {
+func (m *Cluster) WriteWireguardKeys(ring rings.RingID) error {
 	return writeWireguardKeys(m, ring)
 }

 // WriteWireguardKeys rewrites all wgN.{key,pub} files on this zone
-func (z *Zone) WriteWireguardKeys(ring int) error {
+func (z *Zone) WriteWireguardKeys(ring rings.RingID) error {
 	return writeWireguardKeys(z, ring)
 }

-func writeWireguardKeys(m MachineIterator, ring int) error {
+func writeWireguardKeys(m MachineIterator, ring rings.RingID) error {
 	var err error

 	m.ForEachMachine(func(p *Machine) bool {
@@ -240,12 +247,12 @@ func writeWireguardKeys(m MachineIterator, ring int) error {
 }

 // WriteWireguardKeys writes the wgN.key/wgN.pub files
-func (m *Machine) WriteWireguardKeys(ring int) error {
+func (m *Machine) WriteWireguardKeys(ringID rings.RingID) error {
 	var err error
 	var key, pub string
 	var ri *RingInfo

-	ri, _ = m.getRingInfo(ring)
+	ri, _ = m.getRingInfo(ringID)
 	if ri != nil {
 		key = ri.Keys.PrivateKey.String()
 		pub = ri.Keys.PublicKey.String()
@@ -258,12 +265,13 @@ func (m *Machine) WriteWireguardKeys(ring int) error {
 		pub = ri.Keys.PrivateKey.Public().String()
 	}

-	err = m.WriteStringFile(key+"\n", "wg%v.key", ring)
+	keyFile, pubFile, _ := ri.Ring.Files()
+	err = m.WriteStringFile(key+"\n", keyFile)
 	if err != nil {
 		return err
 	}

-	err = m.WriteStringFile(pub+"\n", "wg%v.pub", ring)
+	err = m.WriteStringFile(pub+"\n", pubFile)
 	if err != nil {
 		return err
 	}
@@ -0,0 +1,107 @@
+package cluster
+
+import (
+	"io/fs"
+
+	"git.jpi.io/amery/jpictl/pkg/rings"
+)
+
+var (
+	_ MachineIterator = (*Zone)(nil)
+)
+
+// A ZoneIterator is a set of Zones we can iterate on
+type ZoneIterator interface {
+	ForEachZone(func(*Zone) bool)
+}
+
+// A Zone is a set of machines in close proximity and strong
+// affinity.
+type Zone struct {
+	zones  *Cluster
+	region *Region
+	logger `json:"-" yaml:"-"`
+
+	ID      rings.ZoneID
+	Name    string
+	Regions []string `json:",omitempty" yaml:",omitempty"`
+
+	Machines
+}
+
+func (z *Zone) String() string {
+	return z.Name
+}
+
+// SetGateway configures a machine to be the zone's ring0 gateway
+func (z *Zone) SetGateway(gatewayID rings.NodeID, enabled bool) error {
+	var err error
+	var found bool
+
+	z.ForEachMachine(func(p *Machine) bool {
+		if p.ID == gatewayID {
+			found = true
+			err = p.SetGateway(enabled)
+
+			return true
+		}
+		return false
+	})
+
+	switch {
+	case err != nil:
+		return err
+	case !found:
+		return fs.ErrNotExist
+	default:
+		return nil
+	}
+}
+
+// GatewayIDs returns the list of IDs of machines that act as ring0 gateways
+func (z *Zone) GatewayIDs() ([]rings.NodeID, int) {
+	var out []rings.NodeID
+	z.ForEachMachine(func(p *Machine) bool {
+		if p.IsGateway() {
+			out = append(out, p.ID)
+		}
+		return false
+	})
+
+	return out, len(out)
+}
+
+// RegionID returns the primary [Region] of a [Zone].
+func (z *Zone) RegionID() rings.RegionID {
+	if z != nil && z.region != nil {
+		return z.region.ID
+	}
+	return 0
+}
+
+// Is checks if the given [rings.RegionID] and [rings.ZoneID] match
+// the [Zone].
+func (z *Zone) Is(regionID rings.RegionID, zoneID rings.ZoneID) bool {
+	switch {
+	case z.ID != zoneID:
+		return false
+	case z.RegionID() != regionID:
+		return false
+	default:
+		return true
+	}
+}
+
+// Eq checks if two [Zone]s are the same.
+func (z *Zone) Eq(z2 *Zone) bool {
+	switch {
+	case z == nil, z2 == nil:
+		return false
+	case z.ID != z2.ID:
+		return false
+	case z.RegionID() != z2.RegionID():
+		return false
+	default:
+		return true
+	}
+}
@@ -0,0 +1,69 @@
+package dns
+
+import (
+	"context"
+	"net/netip"
+	"os"
+	"time"
+
+	"darvaza.org/core"
+	"github.com/libdns/libdns"
+)
+
+// Add adds a machine to the DNS records
+func (mgr *Manager) Add(ctx context.Context, name string, addrs ...netip.Addr) error {
+	// TODO: validate name
+
+	cur, err := mgr.GetRecords(ctx, name)
+	if err != nil {
+		return core.Wrap(err, "GetRecords")
+	}
+
+	// merge []SyncAddr for name
+	s := mgr.asSyncRecordsMap(cur)[name+mgr.suffix]
+	for _, addr := range addrs {
+		s = AppendSyncAddr(s, addr)
+	}
+
+	return mgr.addSyncAddr(ctx, name, s)
+}
+
+func (mgr *Manager) addSyncAddr(ctx context.Context, name string, s []SyncAddr) error {
+	var recs []libdns.Record
+
+	for _, a := range s {
+		recs = append(recs, libdns.Record{
+			ID:    a.ID,
+			Name:  name + mgr.suffix,
+			Type:  core.IIf(a.Addr.Is6(), "AAAA", "A"),
+			TTL:   time.Second,
+			Value: a.Addr.String(),
+		})
+	}
+
+	SortRecords(recs)
+	err := writeRecords(recs, os.Stdout)
+	if err != nil {
+		return err
+	}
+
+	_, err = mgr.p.SetRecords(ctx, mgr.domain, recs)
+	return err
+}
+
+// AppendSyncAddr appends a [netip.Addr] to a [SyncAddr] slice
+// if the address is new.
+func AppendSyncAddr(s []SyncAddr, addr netip.Addr) []SyncAddr {
+	for _, se := range s {
+		if se.Addr.Compare(addr) == 0 {
+			// found
+			return s
+		}
+	}
+
+	s = append(s, SyncAddr{
+		Addr: addr,
+		TTL:  time.Second,
+	})
+	return s
+}
@@ -0,0 +1,38 @@
+// Package dns manages DNS entries for the cluster
+package dns
+
+import (
+	"fmt"
+	"net/netip"
+)
+
+// Zone represents a set of hosts with high affinity
+type Zone struct {
+	Name string
+
+	Hosts map[int]*Host
+}
+
+func (z *Zone) String() string {
+	if z == nil {
+		return "undetermined"
+	}
+	return z.Name
+}
+
+// Host represents a member of the cluster
+type Host struct {
+	zone *Zone
+
+	ID     int
+	Active bool
+	Addrs  []netip.Addr
+}
+
+func (p *Host) String() string {
+	if p == nil {
+		return "undetermined"
+	}
+
+	return fmt.Sprintf("%s-%v", p.zone, p.ID)
+}
@@ -0,0 +1,12 @@
+package dns
+
+import "errors"
+
+var (
+	// ErrNoDNSProvider indicates a [libdns.Provider] wasn't assigned
+	// to the [Manager]
+	ErrNoDNSProvider = errors.New("dns provider not specified")
+
+	// ErrNoDomain indicates a domain wasn't specified
+	ErrNoDomain = errors.New("domain not specified")
+)
@@ -0,0 +1,230 @@
+package dns
+
+import (
+	"context"
+	"io/fs"
+	"net/netip"
+	"strings"
+
+	"darvaza.org/core"
+	"darvaza.org/slog"
+	"github.com/libdns/libdns"
+	"golang.org/x/net/publicsuffix"
+
+	"git.jpi.io/amery/jpictl/pkg/cluster"
+)
+
+// Manager is a DNS Manager instance
+type Manager struct {
+	domain  string
+	suffix  string
+	zones   map[string]*Zone
+	regions map[string][]string
+
+	p Provider
+	l slog.Logger
+}
+
+// ManagerOption configures a Manager
+type ManagerOption func(*Manager) error
+
+func newErrorManagerOption(err error, hint string) ManagerOption {
+	return func(*Manager) error {
+		return core.Wrap(err, hint)
+	}
+}
+
+// WithProvider attaches a libdns Provider to the Manager
+func WithProvider(p Provider) ManagerOption {
+	var err error
+
+	if p == nil {
+		p, err = DefaultDNSProvider()
+	}
+
+	if err != nil {
+		return newErrorManagerOption(err, "WithProvider")
+	}
+
+	return func(mgr *Manager) error {
+		mgr.p = p
+		return nil
+	}
+}
+
+// WithLogger attaches a logger to the Manager
+func WithLogger(log slog.Logger) ManagerOption {
+	if log == nil {
+		log = cluster.DefaultLogger()
+	}
+
+	return func(mgr *Manager) error {
+		mgr.l = log
+		return nil
+	}
+}
+
+func (mgr *Manager) setDefaults() error {
+	var opts []ManagerOption
+
+	if mgr.l == nil {
+		opts = append(opts, WithLogger(nil))
+	}
+
+	if mgr.domain == "" || mgr.suffix == "" {
+		return ErrNoDomain
+	}
+
+	for _, opt := range opts {
+		if err := opt(mgr); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// WithDomain specifies where the manager operates
+func WithDomain(domain string) ManagerOption {
+	base, err := publicsuffix.EffectiveTLDPlusOne(domain)
+	if err != nil {
+		return newErrorManagerOption(err, "publicsuffix")
+	}
+
+	suffix := strings.TrimSuffix(domain, base)
+	if suffix != "" {
+		suffix = "." + suffix[:len(suffix)-1]
+	}
+
+	return func(mgr *Manager) error {
+		mgr.domain = base
+		mgr.suffix = suffix
+		return nil
+	}
+}
+
+// NewManager creates a DNS manager with the
+func NewManager(opts ...ManagerOption) (*Manager, error) {
+	mgr := &Manager{
+		zones:   make(map[string]*Zone),
+		regions: make(map[string][]string),
+	}
+
+	for _, opt := range opts {
+		if err := opt(mgr); err != nil {
+			return nil, err
+		}
+	}
+
+	if err := mgr.setDefaults(); err != nil {
+		return nil, err
+	}
+	return mgr, nil
+}
+
+// GetRecords pulls all the address records on DNS for our domain,
+// optionally only those matching the given names.
+func (mgr *Manager) GetRecords(ctx context.Context, names ...string) ([]libdns.Record, error) {
+	if mgr.p == nil {
+		return nil, ErrNoDNSProvider
+	}
+
+	recs, err := mgr.p.GetRecords(ctx, mgr.domain)
+	switch {
+	case err != nil:
+		// failed
+		return nil, err
+	case len(recs) == 0:
+		// empty
+		return []libdns.Record{}, nil
+	case mgr.suffix == "" && len(names) == 0:
+		// unfiltered
+		return recs, nil
+	default:
+		// filtered
+		recs = mgr.filterRecords(recs, names...)
+		return recs, nil
+	}
+}
+
+func (mgr *Manager) filterRecords(recs []libdns.Record, names ...string) []libdns.Record {
+	out := make([]libdns.Record, 0, len(recs))
+	for _, rr := range recs {
+		name, ok := mgr.matchSuffix(rr)
+		switch {
+		case !ok:
+			// skip, wrong subdomain
+			continue
+		case len(names) == 0:
+			// unfiltered, take it
+		case !core.SliceContains(names, name):
+			// skip, not one of the requested names
+			continue
+		}
+
+		out = append(out, rr)
+	}
+
+	return out
+}
+
+func (mgr *Manager) matchSuffix(rr libdns.Record) (string, bool) {
+	if mgr.suffix == "" {
+		// no suffix
+		return rr.Name, true
+	}
+
+	// remove suffix
+	return strings.CutSuffix(rr.Name, mgr.suffix)
+}
+
+// AddHost registers a host
+func (mgr *Manager) AddHost(_ context.Context, zone string, id int,
+	active bool, addrs ...netip.Addr) error {
+	//
+	if zone == "" || id <= 0 {
+		return fs.ErrInvalid
+	}
+
+	z, ok := mgr.zones[zone]
+	if !ok {
+		z = &Zone{
+			Name:  zone,
+			Hosts: make(map[int]*Host),
+		}
+
+		mgr.zones[zone] = z
+	}
+
+	p := &Host{
+		zone:   z,
+		ID:     id,
+		Active: active,
+		Addrs:  SortAddrSlice(addrs),
+	}
+	z.Hosts[id] = p
+
+	if log, ok := mgr.l.Debug().WithEnabled(); ok {
+		log.WithField("subsystem", "dns").
+			WithField("zone", zone).
+			WithField("host", p.String()).
+			WithField("active", active).
+			Print()
+	}
+
+	return nil
+}
+
+// AddRegion specifies a new region and the zones it contains
+func (mgr *Manager) AddRegion(_ context.Context, region string, zones ...string) error {
+	mgr.regions[region] = append(mgr.regions[region], zones...)
+
+	if log, ok := mgr.l.Debug().WithEnabled(); ok {
+		for _, zoneName := range zones {
+			log.WithField("subsystem", "dns").
+				WithField("region", region).
+				WithField("zone", zoneName).Print()
+		}
+	}
+
+	return nil
+}
@@ -0,0 +1,38 @@
+package dns
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/libdns/cloudflare"
+	"github.com/libdns/libdns"
+)
+
+const (
+	// CloudflareAPIToken is the environment variable
+	// containing the API Token
+	CloudflareAPIToken = "CLOUDFLARE_DNS_API_TOKEN"
+)
+
+// Provider manages DNS entries
+type Provider interface {
+	libdns.RecordGetter
+	libdns.RecordDeleter
+	libdns.RecordSetter
+	libdns.RecordAppender
+}
+
+// DefaultDNSProvider returns a cloudflare DNS provider
+// using an API Token from env [CloudflareAPIToken]
+func DefaultDNSProvider() (*cloudflare.Provider, error) {
+	s := os.Getenv(CloudflareAPIToken)
+	if s == "" {
+		return nil, fmt.Errorf("%q: %s", CloudflareAPIToken, "not found")
+	}
+
+	p := &cloudflare.Provider{
+		APIToken: s,
+	}
+
+	return p, nil
+}
@@ -0,0 +1,247 @@
+package dns
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/netip"
+	"sort"
+	"strings"
+	"time"
+
+	"darvaza.org/core"
+	"github.com/libdns/libdns"
+
+	"git.jpi.io/amery/jpictl/pkg/cluster"
+)
+
+func (mgr *Manager) fqdn(name string) string {
+	return fmt.Sprintf("%s.%s.", name, mgr.domain)
+}
+
+// SortAddrSlice sorts a slice of [netip.Addr]
+func SortAddrSlice(s []netip.Addr) []netip.Addr {
+	sort.Slice(s, func(i, j int) bool {
+		return s[i].Less(s[j])
+	})
+	return s
+}
+
+// SortAddrRecords sorts a slice of [AddrRecord]
+// by Name and Address
+func SortAddrRecords(s []AddrRecord) []AddrRecord {
+	sort.Slice(s, func(i, j int) bool {
+		return s[i].Name < s[j].Name
+	})
+
+	for _, p := range s {
+		SortAddrSlice(p.Addr)
+	}
+
+	return s
+}
+
+// SortRecords sorts a slice of [libdns.Record], by Name, Type and Value
+func SortRecords(s []libdns.Record) []libdns.Record {
+	sort.Slice(s, func(i, j int) bool {
+		return lessRecord(s[i], s[j])
+	})
+	return s
+}
+
+func lessRecord(a, b libdns.Record) bool {
+	aName := strings.ToLower(a.Name)
+	bName := strings.ToLower(b.Name)
+
+	switch {
+	case aName < bName:
+		return true
+	case aName > bName:
+		return false
+	}
+
+	aType := strings.ToUpper(a.Type)
+	bType := strings.ToUpper(b.Type)
+
+	switch {
+	case aType < bType:
+		return true
+	case aType > bType:
+		return false
+	case aType == "A", aType == "AAAA":
+		// IP Addresses
+		var aa, ba netip.Addr
+
+		switch {
+		case aa.UnmarshalText([]byte(a.Value)) != nil:
+			// bad address on a
+			return true
+		case ba.UnmarshalText([]byte(b.Value)) != nil:
+			// bad address on b
+			return false
+		default:
+			return aa.Less(ba)
+		}
+	default:
+		// text
+		return a.Value < b.Value
+	}
+}
+
+// AddrRecord represents an A or AAAA record
+type AddrRecord struct {
+	Name string
+	Addr []netip.Addr
+}
+
+// Sort sorts the addresses of the record
+func (rr *AddrRecord) Sort() {
+	SortAddrSlice(rr.Addr)
+}
+
+// Export converts the record into libdns.Record
+func (rr *AddrRecord) Export() []libdns.Record {
+	out := make([]libdns.Record, len(rr.Addr))
+	for i, addr := range rr.Addr {
+		out[i] = libdns.Record{
+			Name:  rr.Name,
+			TTL:   time.Second * 1,
+			Type:  core.IIf(addr.Is6(), "AAAA", "A"),
+			Value: addr.String(),
+		}
+	}
+
+	return out
+}
+
+// WriteTo writes the record in BIND notation
+func (rr *AddrRecord) WriteTo(w io.Writer) (int64, error) {
+	var total int
+	for _, addr := range rr.Addr {
+		n, err := fmt.Fprint(w,
+			rr.Name, "\t",
+			1, "\t",
+			core.IIf(addr.Is6(), "AAAA", "A"), "\t",
+			addr.String(), "\n")
+
+		switch {
+		case err != nil:
+			return 0, err
+		case n > 0:
+			total += n
+		}
+	}
+
+	return int64(total), nil
+}
+
+// String converts the record into BIND entries
+func (rr *AddrRecord) String() string {
+	var buf bytes.Buffer
+	_, _ = rr.WriteTo(&buf)
+	return buf.String()
+}
+
+func (mgr *Manager) genRegionsSorted() []string {
+	regions := make([]string, 0, len(mgr.regions))
+	for name := range mgr.regions {
+		regions = append(regions, name)
+	}
+
+	return cluster.SortRegions(regions)
+}
+
+func (mgr *Manager) genZonesSorted() []string {
+	zones := make([]string, 0, len(mgr.zones))
+	for name := range mgr.zones {
+		zones = append(zones, name)
+	}
+
+	sort.Strings(zones)
+	return zones
+}
+
+func (mgr *Manager) genAllAddrRecords() []AddrRecord {
+	var out []AddrRecord
+
+	cache := make(map[string][]netip.Addr)
+
+	// zones
+	for _, z := range mgr.zones {
+		// hosts
+		s := mgr.genZoneHostRecords(z)
+		out = append(out, s...)
+
+		// zone alias
+		addrs := mgr.genZoneAddresses(z)
+		name := z.Name
+
+		out = append(out, AddrRecord{
+			Name: name + mgr.suffix,
+			Addr: addrs,
+		})
+
+		// and cache for regions
+		cache[name] = addrs
+	}
+
+	for _, name := range mgr.genRegionsSorted() {
+		var addrs []netip.Addr
+
+		for _, z := range mgr.regions[name] {
+			addrs = append(addrs, cache[z]...)
+		}
+
+		rec := AddrRecord{
+			Name: name + mgr.suffix,
+			Addr: addrs,
+		}
+		rec.Sort()
+
+		out = append(out, rec)
+	}
+
+	SortAddrRecords(out)
+	return out
+}
+
+func (*Manager) genZoneAddresses(z *Zone) []netip.Addr {
+	var out []netip.Addr
+
+	for _, p := range z.Hosts {
+		if p.Active {
+			out = append(out, p.Addrs...)
+		}
+	}
+
+	SortAddrSlice(out)
+	return out
+}
+
+func (mgr *Manager) genZoneHostRecords(z *Zone) []AddrRecord {
+	out := make([]AddrRecord, 0, len(z.Hosts))
+
+	for _, p := range z.Hosts {
+		rec := AddrRecord{
+			Name: p.String() + mgr.suffix,
+			Addr: p.Addrs,
+		}
+		out = append(out, rec)
+	}
+
+	SortAddrRecords(out)
+	return out
+}
+
+func (mgr *Manager) genRegionAddressesCached(name string,
+	zones map[string][]netip.Addr) []netip.Addr {
+	//
+	var addrs []netip.Addr
+
+	for _, zoneName := range mgr.regions[name] {
+		addrs = append(addrs, zones[zoneName]...)
+	}
+
+	SortAddrSlice(addrs)
+	return addrs
+}
@@ -0,0 +1,58 @@
+package dns
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"time"
+
+	"darvaza.org/core"
+	"github.com/libdns/libdns"
+)
+
+// Show shows current DNS entries
+func (mgr *Manager) Show(ctx context.Context, names ...string) error {
+	recs, err := mgr.GetRecords(ctx, names...)
+	if err != nil {
+		return core.Wrap(err, "GetRecords")
+	}
+
+	SortRecords(recs)
+	return writeRecords(recs, os.Stdout)
+}
+
+func writeRecords(recs []libdns.Record, w io.Writer) error {
+	var buf bytes.Buffer
+
+	for _, rr := range recs {
+		_ = fmtRecord(&buf, rr)
+		_, _ = buf.WriteRune('\n')
+	}
+	_, _ = fmt.Fprintf(&buf, "; %v records\n", len(recs))
+
+	_, err := buf.WriteTo(w)
+	return err
+}
+
+func fmtRecord(w io.Writer, rr libdns.Record) error {
+	ttl := int(rr.TTL / time.Second)
+	if ttl < 1 {
+		ttl = 1
+	}
+
+	_, err := fmt.Fprintf(w, "%s\t%v\tIN\t%s\t%s",
+		rr.Name,
+		ttl,
+		rr.Type,
+		rr.Value)
+
+	if err == nil {
+		if rr.ID != "" {
+			_, err = fmt.Fprintf(w, "\t; %s", rr.ID)
+		}
+	}
+
+	return err
+}
@@ -0,0 +1,347 @@
+package dns
+
+import (
+	"context"
+	"net/netip"
+	"sort"
+	"strings"
+	"time"
+
+	"darvaza.org/core"
+	"darvaza.org/slog"
+	"github.com/libdns/libdns"
+)
+
+// SyncAddrRecord is similar to AddrRecord but include libdns.Record details
+// fetched from the Provider
+type SyncAddrRecord struct {
+	Name  string
+	Addrs []SyncAddr
+}
+
+// SyncAddr extends netip.Addr with ID and TTL fetched from the Provider
+type SyncAddr struct {
+	ID   string
+	Addr netip.Addr
+	TTL  time.Duration
+}
+
+// Export assembles a libdns.Record
+func (rec *SyncAddr) Export(name string) libdns.Record {
+	return libdns.Record{
+		ID:    rec.ID,
+		Name:  name,
+		Type:  core.IIf(rec.Addr.Is6(), "AAAA", "A"),
+		TTL:   time.Second,
+		Value: rec.Addr.String(),
+	}
+}
+
+// SortSyncAddrSlice sorts a slice of [SyncAddr] by its address
+func SortSyncAddrSlice(s []SyncAddr) []SyncAddr {
+	sort.Slice(s, func(i, j int) bool {
+		a1 := s[i].Addr
+		a2 := s[j].Addr
+		return a1.Less(a2)
+	})
+	return s
+}
+
+// GetSyncRecords pulls all the address records on DNS for our domain
+func (mgr *Manager) GetSyncRecords(ctx context.Context) ([]SyncAddrRecord, error) {
+	recs, err := mgr.GetRecords(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return mgr.asSyncRecords(recs)
+}
+
+// AsSyncAddr converts a A or AAAA [libdns.Record] into a [SyncAddr]
+func (mgr *Manager) AsSyncAddr(rr libdns.Record) (SyncAddr, bool, error) {
+	var out SyncAddr
+	var addr netip.Addr
+
+	// skip non-address types
+	if rr.Type != "A" && rr.Type != "AAAA" {
+		return out, false, nil
+	}
+
+	// skip entries not containing our suffix
+	if mgr.suffix != "" {
+		if !strings.HasSuffix(rr.Name, mgr.suffix) {
+			return out, false, nil
+		}
+	}
+
+	err := addr.UnmarshalText([]byte(rr.Value))
+	if err != nil {
+		// invalid address on A or AAAA record
+		return out, false, err
+	}
+
+	out = SyncAddr{
+		ID:   rr.ID,
+		TTL:  rr.TTL,
+		Addr: addr,
+	}
+
+	return out, true, nil
+}
+
+func (mgr *Manager) asSyncRecordsMap(recs []libdns.Record) map[string][]SyncAddr {
+	// filter and convert
+	out := make(map[string][]SyncAddr)
+	for _, rr := range recs {
+		addr, ok, err := mgr.AsSyncAddr(rr)
+		switch {
+		case err != nil:
+			// skip invalid addresses
+			mgr.l.Error().
+				WithField("subsystem", "dns").
+				WithField(slog.ErrorFieldName, err).
+				WithField("name", rr.Name).
+				WithField("type", rr.Type).
+				WithField("addr", rr.Value).
+				Print()
+		case ok:
+			// store
+			out[rr.Name] = append(out[rr.Name], addr)
+		}
+	}
+	return out
+}
+
+func (mgr *Manager) asSyncRecords(recs []libdns.Record) ([]SyncAddrRecord, error) {
+	cache := mgr.asSyncRecordsMap(recs)
+
+	// prepare records
+	out := make([]SyncAddrRecord, len(cache))
+	names := make([]string, 0, len(cache))
+	for name := range cache {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+
+	for i, name := range names {
+		addrs := cache[name]
+
+		out[i] = SyncAddrRecord{
+			Name:  name,
+			Addrs: SortSyncAddrSlice(addrs),
+		}
+	}
+
+	return out, nil
+}
+
+// Sync updates all the address records on DNS for our domain
+func (mgr *Manager) Sync(ctx context.Context) error {
+	current, err := mgr.GetSyncRecords(ctx)
+	if err != nil {
+		return core.Wrap(err, "GetRecords")
+	}
+
+	goal := mgr.genAllAddrRecords()
+	for _, p := range makeSyncMap(current, goal) {
+		err := mgr.doSync(ctx, p.Name, p.Before, p.After)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (mgr *Manager) doSync(ctx context.Context, name string,
+	before []SyncAddr, after []netip.Addr) error {
+	//
+	var err error
+
+	for _, a := range after {
+		before, err = mgr.doSyncUpdateOrInsert(ctx, name, a, before)
+		if err != nil {
+			return err
+		}
+	}
+
+	for _, b := range before {
+		err = mgr.doSyncRemove(ctx, name, b)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (mgr *Manager) doSyncUpdateOrInsert(ctx context.Context, name string,
+	addr netip.Addr, addrs []SyncAddr) ([]SyncAddr, error) {
+	//
+	var err error
+
+	i, ok := findSyncAddrSorted(addr, addrs)
+	if ok {
+		rec := addrs[i]
+
+		addrs = append(addrs[:i], addrs[i+1:]...)
+		err = mgr.doSyncUpdate(ctx, name, addr, rec)
+	} else {
+		err = mgr.doSyncInsert(ctx, name, addr)
+	}
+
+	return addrs, err
+}
+
+func (mgr *Manager) doSyncUpdate(ctx context.Context, name string,
+	addr netip.Addr, rec SyncAddr) error {
+	//
+	var log slog.Logger
+	var msg string
+	var err error
+
+	if rec.TTL != time.Second {
+		// amend TTL
+
+		// TODO: batch updates
+		_, err = mgr.p.SetRecords(ctx, mgr.domain, []libdns.Record{
+			rec.Export(name),
+		})
+
+		if err == nil {
+			log = mgr.l.Info()
+			msg = "Updated"
+		} else {
+			log = mgr.l.Error().
+				WithField(slog.ErrorFieldName, err)
+			msg = "Failed"
+		}
+	} else {
+		log = mgr.l.Info()
+		msg = "OK"
+	}
+
+	log.
+		WithField("subsystem", "dns").
+		WithField("name", name).
+		WithField("addr", addr).
+		Print(msg)
+
+	return err
+}
+
+func (mgr *Manager) doSyncInsert(ctx context.Context, name string,
+	addr netip.Addr) error {
+	//
+	var log slog.Logger
+	var msg string
+
+	rec := libdns.Record{
+		Name:  name,
+		Type:  core.IIf(addr.Is6(), "AAAA", "A"),
+		TTL:   time.Second,
+		Value: addr.String(),
+	}
+
+	_, err := mgr.p.AppendRecords(ctx, mgr.domain, []libdns.Record{
+		rec,
+	})
+
+	if err != nil {
+		log = mgr.l.Error().
+			WithField(slog.ErrorFieldName, err)
+		msg = "Failed to Add"
+	} else {
+		log = mgr.l.Info()
+		msg = "Added"
+	}
+
+	log.
+		WithField("subsystem", "dns").
+		WithField("name", name).
+		WithField("addr", addr).
+		Print(msg)
+	return err
+}
+
+func (mgr *Manager) doSyncRemove(ctx context.Context, name string,
+	rec SyncAddr) error {
+	//
+	var log slog.Logger
+	var msg string
+
+	// TODO: batch deletes
+	_, err := mgr.p.DeleteRecords(ctx, mgr.domain, []libdns.Record{
+		rec.Export(name),
+	})
+
+	if err != nil {
+		log = mgr.l.Error().
+			WithField(slog.ErrorFieldName, err)
+		msg = "Failed to Delete"
+	} else {
+		log = mgr.l.Warn()
+		msg = "Deleted"
+	}
+
+	log.
+		WithField("subsystem", "dns").
+		WithField("name", name).
+		WithField("addr", rec.Addr).
+		Print(msg)
+	return err
+}
+
+func findSyncAddrSorted(target netip.Addr, addrs []SyncAddr) (int, bool) {
+	for i, a := range addrs {
+		switch target.Compare(a.Addr) {
+		case 0:
+			// match
+			return i, true
+		case -1:
+			// miss
+			return -1, false
+		default:
+			// next
+		}
+	}
+
+	return -1, false
+}
+
+type syncMapEntry struct {
+	Name   string
+	Before []SyncAddr
+	After  []netip.Addr
+}
+
+func makeSyncMap(current []SyncAddrRecord,
+	goal []AddrRecord) map[string]syncMapEntry {
+	//
+	data := make(map[string]syncMapEntry)
+
+	for _, cur := range current {
+		me, ok := data[cur.Name]
+		if !ok {
+			me = syncMapEntry{
+				Name: cur.Name,
+			}
+		}
+
+		me.Before = append(me.Before, cur.Addrs...)
+		data[cur.Name] = me
+	}
+
+	for _, rr := range goal {
+		me, ok := data[rr.Name]
+		if !ok {
+			me = syncMapEntry{
+				Name: rr.Name,
+			}
+		}
+		me.After = append(me.After, rr.Addr...)
+		data[rr.Name] = me
+	}
+
+	return data
+}
@@ -0,0 +1,63 @@
+package dns
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/netip"
+)
+
+// WriteTo writes the DNS data for the cluster
+func (mgr *Manager) WriteTo(w io.Writer) (int64, error) {
+	var buf bytes.Buffer
+
+	cache := make(map[string][]netip.Addr)
+
+	// zones
+	for _, zoneName := range mgr.genZonesSorted() {
+		z := mgr.zones[zoneName]
+
+		mgr.writeZoneHosts(&buf, z)
+
+		// zone alias
+		addrs := mgr.genZoneAddresses(z)
+
+		rr := AddrRecord{
+			Name: mgr.fqdn(zoneName + mgr.suffix),
+			Addr: addrs,
+		}
+		_, _ = rr.WriteTo(&buf)
+
+		// and cache for regions
+		cache[zoneName] = addrs
+	}
+
+	// regions, sorted
+	for _, name := range mgr.genRegionsSorted() {
+		addrs := mgr.genRegionAddressesCached(name, cache)
+
+		mgr.writeRegionAddresses(&buf, name, addrs)
+	}
+
+	return buf.WriteTo(w)
+}
+
+func (mgr *Manager) writeZoneHosts(w io.Writer, z *Zone) {
+	_, _ = fmt.Fprintf(w, ";\n; %s\n;\n", z.Name)
+
+	for _, rr := range mgr.genZoneHostRecords(z) {
+		rr.Name = mgr.fqdn(rr.Name)
+		_, _ = rr.WriteTo(w)
+	}
+}
+
+func (mgr *Manager) writeRegionAddresses(w io.Writer, name string, addrs []netip.Addr) {
+	_, _ = fmt.Fprintf(w, "; %s\n", name)
+
+	rr := AddrRecord{
+		Name: mgr.fqdn(name + mgr.suffix),
+		Addr: addrs,
+	}
+
+	_, _ = rr.WriteTo(w)
+}
@@ -0,0 +1,77 @@
+package rings
+
+import "net/netip"
+
+// AddrFromU32 converts a 32bit value into an IPv4
+// address.
+func AddrFromU32(v uint32) netip.Addr {
+	return AddrFrom4(
+		uint(v>>24),
+		uint(v>>16),
+		uint(v>>8),
+		uint(v),
+	)
+}
+
+// AddrFrom4 assembles an IPv4 address for 4 numbers.
+// each number is truncated to 8-bits.
+func AddrFrom4(a, b, c, d uint) netip.Addr {
+	return netip.AddrFrom4([4]byte{
+		byte(a & 0xff),
+		byte(b & 0xff),
+		byte(c & 0xff),
+		byte(d & 0xff),
+	})
+}
+
+// AddrToU32 converts a valid IPv4 address into it's
+// 32bit numeric representation.
+func AddrToU32(addr netip.Addr) (v uint32, ok bool) {
+	if addr.IsValid() {
+		if addr.Is4() || addr.Is4In6() {
+			a4 := addr.As4()
+
+			v = uint32(a4[0])<<24 +
+				uint32(a4[1])<<16 +
+				uint32(a4[2])<<8 +
+				uint32(a4[3])
+			return v, true
+		}
+	}
+
+	return 0, false
+}
+
+// PrefixToRange returns the beginning and end of a
+// [netip.Prefix] (aka CIDR or subnet).
+func PrefixToRange(subnet netip.Prefix) (from, to netip.Addr, ok bool) {
+	var u uint32
+
+	addr := subnet.Addr()
+	if u, ok = AddrToU32(addr); ok {
+		bits := subnet.Bits()
+
+		switch {
+		case bits > 32, bits < 0:
+			// bad
+		case bits == 32:
+			// single
+			from, to, ok = addr, addr, true
+		default:
+			// subnet
+			shift := 32 - bits
+
+			m1 := uint32((1 << shift) - 1)
+			m0 := uint32(0xffffffff) & ^m1
+
+			u0 := u & m0
+			u1 := u0 + m1
+
+			ok = true
+			from = AddrFromU32(u0)
+			to = AddrFromU32(u1)
+		}
+	}
+
+	return from, to, ok
+}
@@ -0,0 +1,178 @@
+package rings
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+)
+
+func TestAddrFrom4(t *testing.T) {
+	cases := []struct {
+		v [4]uint
+		s string
+	}{
+		{[4]uint{0, 0, 0, 0}, "0.0.0.0"},
+		{[4]uint{127, 0, 0, 1}, "127.0.0.1"},
+		{[4]uint{4096 + 127, 0, 0, 1}, "127.0.0.1"},
+		{[4]uint{257, 258, 259, 260}, "1.2.3.4"},
+		{[4]uint{255, 255, 255, 255}, "255.255.255.255"},
+	}
+
+	for i, tc := range cases {
+		fn := fmt.Sprintf("%v.%v.%v.%v", tc.v[0], tc.v[1], tc.v[2], tc.v[3])
+		addr := AddrFrom4(tc.v[0], tc.v[1], tc.v[2], tc.v[3])
+		s := addr.String()
+
+		if s == tc.s {
+			t.Logf("[%v/%v]: %s → %s", i, len(cases), fn, s)
+		} else {
+			t.Errorf("ERROR: [%v/%v]: %s → %s (expected %s)", i, len(cases), fn, s, tc.s)
+		}
+	}
+}
+
+func TestAddrU32Invalid(t *testing.T) {
+	cases := []netip.Addr{
+		{},
+		netip.IPv6Unspecified(),
+		netip.IPv6Loopback(),
+	}
+
+	for i, tc := range cases {
+		v, ok := AddrToU32(tc)
+		switch {
+		case !ok && v == 0:
+			t.Logf("[%v/%v]: %s → %v %v", i, len(cases), tc, 0, false)
+		default:
+			t.Errorf("ERROR: [%v/%v]: %s → %v %v (expected %v %v)", i, len(cases),
+				tc, v, ok, 0, false)
+		}
+	}
+}
+
+func TestAddrU32Valid(t *testing.T) {
+	cases := []netip.Addr{
+		netip.IPv4Unspecified(),
+		AddrFrom4(0, 0, 0, 0),
+		AddrFrom4(1, 2, 3, 4),
+		AddrFrom4(10, 20, 30, 40),
+		AddrFrom4(127, 0, 0, 1),
+		AddrFrom4(255, 255, 255, 255),
+		MustParseAddr("::ffff:1.2.3.4"),
+	}
+
+	for i, tc := range cases {
+		u32, ok := AddrToU32(tc)
+		if !ok {
+			t.Errorf("ERROR: [%v/%v]: %s → %v %v", i, len(cases), tc, u32, ok)
+			continue
+		}
+
+		addr := AddrFromU32(u32)
+		if tc.Is4In6() {
+			ok = addr.Compare(tc.Unmap()) == 0
+		} else {
+			ok = addr.Compare(tc) == 0
+		}
+
+		if ok {
+			t.Logf("[%v/%v]: %s → %v → %s", i, len(cases), tc, u32, addr)
+		} else {
+			t.Errorf("ERROR: [%v/%v]: %s → %v → %s", i, len(cases), tc, u32, addr)
+		}
+	}
+}
+
+func MustParseAddr(s string) netip.Addr {
+	addr, err := netip.ParseAddr(s)
+	if err != nil {
+		panic(err)
+	}
+	return addr
+}
+
+func MustParsePrefix(s string) netip.Prefix {
+	subnet, err := netip.ParsePrefix(s)
+	if err != nil {
+		panic(err)
+	}
+	return subnet
+}
+
+func TestPrefixToRangeValid(t *testing.T) {
+	cases := []struct {
+		subnet netip.Prefix
+		from   netip.Addr
+		to     netip.Addr
+	}{
+		{
+			MustParsePrefix("127.0.0.1/32"),
+			MustParseAddr("127.0.0.1"),
+			MustParseAddr("127.0.0.1"),
+		},
+		{
+			MustParsePrefix("127.0.0.1/24"),
+			MustParseAddr("127.0.0.0"),
+			MustParseAddr("127.0.0.255"),
+		},
+		{
+			MustParsePrefix("127.0.1.2/16"),
+			MustParseAddr("127.0.0.0"),
+			MustParseAddr("127.0.255.255"),
+		},
+		{
+			MustParsePrefix("127.1.2.3/8"),
+			MustParseAddr("127.0.0.0"),
+			MustParseAddr("127.255.255.255"),
+		},
+		{
+			MustParsePrefix("10.20.30.40/12"),
+			MustParseAddr("10.16.0.0"),
+			MustParseAddr("10.31.255.255"),
+		},
+		{
+			MustParsePrefix("10.20.30.40/20"),
+			MustParseAddr("10.20.16.0"),
+			MustParseAddr("10.20.31.255"),
+		},
+		{
+			MustParsePrefix("10.0.0.0/12"),
+			MustParseAddr("10.0.0.0"),
+			MustParseAddr("10.15.255.255"),
+		},
+		{
+			MustParsePrefix("10.16.0.0/12"),
+			MustParseAddr("10.16.0.0"),
+			MustParseAddr("10.31.255.255"),
+		},
+		{
+			MustParsePrefix("10.32.0.0/12"),
+			MustParseAddr("10.32.0.0"),
+			MustParseAddr("10.47.255.255"),
+		},
+		{
+			MustParsePrefix("10.48.0.0/12"),
+			MustParseAddr("10.48.0.0"),
+			MustParseAddr("10.63.255.255"),
+		},
+	}
+
+	for i, tc := range cases {
+		from, to, ok := PrefixToRange(tc.subnet)
+		if ok && from.IsValid() && to.IsValid() &&
+			from.Compare(tc.from) == 0 &&
+			to.Compare(tc.to) == 0 {
+			//
+			t.Logf("[%v/%v]: %s → %s - %s",
+				i, len(cases),
+				tc.subnet,
+				from, to)
+		} else {
+			t.Errorf("ERROR: [%v/%v]: %q → %s - %s %v (expected %s - %s %v)",
+				i, len(cases),
+				tc.subnet,
+				from, to, ok,
+				tc.from, tc.to, true)
+		}
+	}
+}
@@ -0,0 +1,122 @@
+package rings
+
+import (
+	"net/netip"
+)
+
+// DecodeAddress extracts ring address fields from a given 10.0.0.0/8
+// address.
+//
+// revive:disable:function-result-limit
+func DecodeAddress[T ~uint | NodeID](addr netip.Addr) (RingID, RegionID, ZoneID, T) {
+	// revive:enable:function-result-limit
+	if addr.IsValid() {
+		if addr.Is4In6() {
+			addr = addr.Unmap()
+		}
+
+		if addr.Is4() {
+			a4 := addr.As4()
+			return unsafeDecodeAddress[T](a4[0], a4[1], a4[2], a4[3])
+		}
+	}
+
+	return UnspecifiedRingID, 0, 0, 0
+}
+
+// revive:disable:function-result-limit
+func unsafeDecodeAddress[T ~uint | NodeID](a, b, c, d byte) (RingID, RegionID, ZoneID, T) {
+	// revive:enable:function-result-limit
+	switch {
+	case a != 10:
+		return UnspecifiedRingID, 0, 0, 0
+	case b == 0x00:
+		// 10.00.RZ.dd
+		k := RingZeroID
+		r := RegionID(c >> 4)
+		z := ZoneID(c & 0xf)
+		n := T(d)
+
+		return k, r, z, n
+	case b&0xf0 != 0:
+		// 10.Rb.cc.dd
+		k := RingThreeID
+		r := RegionID(b >> 4)
+
+		n2 := T(b & 0x0f)
+		n1 := T(c)
+		n0 := T(d)
+		n := n0 + n1<<8 + n2<<16
+
+		return k, r, 0, n
+	case c&0xf0 != 0:
+		// 10.0R.Zc.dd
+		k := RingOneID
+		r := RegionID(b)
+		z := ZoneID(c >> 4)
+
+		n1 := T(c & 0x0f)
+		n0 := T(d)
+		n := n0 + n1<<8
+
+		return k, r, z, n
+	default:
+		// 10.0R.0c.dd
+		k := RingTwoID
+		r := RegionID(b)
+
+		n1 := T(c & 0x0f)
+		n0 := T(d)
+		n := n0 + n1<<8
+
+		return k, r, 0, n
+	}
+}
+
+// DecodeRingZeroAddress attempts to extract region, zone and node identifiers
+// from a given ring 0 address.
+//
+// revive:disable:function-result-limit
+func DecodeRingZeroAddress(addr netip.Addr) (RegionID, ZoneID, NodeID, bool) {
+	// revive:enable:function-result-limit
+	k, r, z, n := DecodeAddress[NodeID](addr)
+	if k == RingZeroID {
+		return r, z, n, true
+	}
+
+	return 0, 0, 0, false
+}
+
+// DecodeRingOneAddress attempts to extract region, zone and node identifiers
+// from a given ring 1 address.
+//
+// revive:disable:function-result-limit
+func DecodeRingOneAddress(addr netip.Addr) (RegionID, ZoneID, NodeID, bool) {
+	// revive:enable:function-result-limit
+	k, r, z, n := DecodeAddress[NodeID](addr)
+	if k == RingOneID {
+		return r, z, n, true
+	}
+
+	return 0, 0, 0, false
+}
+
+// DecodeRingTwoAddress attempts to extract region and unique identifier for
+// a kubernetes service from a given ring 2 address.
+func DecodeRingTwoAddress(addr netip.Addr) (RegionID, uint, bool) {
+	k, r, _, n := DecodeAddress[uint](addr)
+	if k == RingTwoID {
+		return r, n, true
+	}
+	return 0, 0, false
+}
+
+// DecodeRingThreeAddress attempts to extract region and unique identifier for
+// a kubernetes pod from a given ring 3 address.
+func DecodeRingThreeAddress(addr netip.Addr) (RegionID, uint, bool) {
+	k, r, _, n := DecodeAddress[uint](addr)
+	if k == RingThreeID {
+		return r, n, true
+	}
+	return 0, 0, false
+}
@@ -0,0 +1,53 @@
+package rings
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+)
+
+func TestDecodeRingZeroAddress(t *testing.T) {
+	RZNDecodeTest(t, "DecodeRingZeroAddress", DecodeRingZeroAddress, []RZNDecodeTestCase{
+		{1, 1, 50, MustParseAddr("10.0.17.50"), true},
+		{1, 2, 50, MustParseAddr("10.0.18.50"), true},
+		{2, 3, 1, MustParseAddr("10.0.35.1"), true},
+	})
+}
+
+func TesDecodetRingOneAddress(t *testing.T) {
+	RZNDecodeTest(t, "DecodeRingOneAddress", DecodeRingOneAddress, []RZNDecodeTestCase{
+		{1, 1, 50, MustParseAddr("10.1.16.50"), true},
+		{1, 2, 50, MustParseAddr("10.1.32.50"), true},
+		{2, 3, 300, MustParseAddr("10.2.49.44"), true},
+	})
+}
+
+type RZNDecodeTestCase struct {
+	region RegionID
+	zone   ZoneID
+	node   NodeID
+	addr   netip.Addr
+	ok     bool
+}
+
+func RZNDecodeTest(t *testing.T,
+	fnName string, fn func(netip.Addr) (RegionID, ZoneID, NodeID, bool),
+	cases []RZNDecodeTestCase) {
+	//
+	for i, tc := range cases {
+		s := fmt.Sprintf("%s(%q)", fnName, tc.addr)
+
+		r, z, n, ok := fn(tc.addr)
+
+		switch {
+		case ok != tc.ok, r != tc.region, z != tc.zone, n != tc.node:
+			t.Errorf("ERROR: [%v/%v]: %s → %v %v %v %v (expected %v %v %v %v)",
+				i, len(cases), s,
+				r, z, n, ok,
+				tc.region, tc.zone, tc.node, tc.ok)
+		default:
+			t.Logf("[%v/%v]: %s → %v %v %v %v", i, len(cases), s,
+				r, z, n, ok)
+		}
+	}
+}
@@ -0,0 +1,145 @@
+package rings
+
+import "net/netip"
+
+// RingZeroPrefix represents the backbone that connects gateways
+// of the different Ring 1 networks.
+//
+// The ring 0 network corresponds to what would be ring 2 for region_id 0.
+// 10.0.0.0-10.0.255.255
+func RingZeroPrefix(region RegionID, zone ZoneID) (cidr netip.Prefix, err error) {
+	switch {
+	case !region.Valid():
+		err = ErrOutOfRange(region, "region")
+	case !zone.Valid():
+		err = ErrOutOfRange(zone, "zone")
+	default:
+		addr := unsafeRingZeroAddress(region, zone, 0)
+		cidr = netip.PrefixFrom(addr, RingZeroBits)
+	}
+
+	return cidr, err
+}
+
+// RingZeroAddress returns a Ring 0 address for a particular node.
+//
+// A ring 0 address looks like 10.0.(region_id << 4 + zone_id).(node_id)/20
+func RingZeroAddress(region RegionID, zone ZoneID, node NodeID) (addr netip.Addr, err error) {
+	switch {
+	case !region.Valid():
+		err = ErrOutOfRange(region, "region")
+	case !zone.Valid():
+		err = ErrOutOfRange(zone, "zone")
+	case !node.ValidZero():
+		err = ErrOutOfRange(node, "node")
+	default:
+		addr = unsafeRingZeroAddress(region, zone, node)
+	}
+
+	return addr, err
+}
+
+// RingOnePrefix represents a (virtual) local network of a zone.
+//
+// Ring 1 is `10.(region_id).(zone_id << 4).(node_id)/20` network
+// grouped under what would be Ring 2 for region_id 0.
+// There are 12 bits worth of nodes but nodes under 255 are special
+// as they also get a slot on Ring 0.
+func RingOnePrefix(region RegionID, zone ZoneID) (cidr netip.Prefix, err error) {
+	switch {
+	case !region.Valid():
+		err = ErrOutOfRange(region, "region")
+	case !zone.Valid():
+		err = ErrOutOfRange(zone, "zone")
+	default:
+		addr := unsafeRingOneAddress(region, zone, 0)
+		cidr = netip.PrefixFrom(addr, RingOneBits)
+	}
+	return cidr, err
+}
+
+// RingOneAddress returns a Ring 1 address for a particular node.
+//
+// A ring 1 address is `10.(region_id).(zone_id << 4).(node_id)/20`
+// but the node_id can take up to 12 bits.
+func RingOneAddress(region RegionID, zone ZoneID, node NodeID) (addr netip.Addr, err error) {
+	switch {
+	case !region.Valid():
+		err = ErrOutOfRange(region, "region")
+	case !zone.Valid():
+		err = ErrOutOfRange(zone, "zone")
+	case !node.Valid():
+		err = ErrOutOfRange(node, "node")
+	default:
+		addr = unsafeRingOneAddress(region, zone, node)
+	}
+	return addr, err
+}
+
+// RingTwoPrefix represents the services of a cluster
+//
+// Ring 2 subnets are of the form `10.(region_id).0.0/20`,
+// using the address space that would belong to the ring 3
+// region_id 0.
+func RingTwoPrefix(region RegionID) (cidr netip.Prefix, err error) {
+	switch {
+	case !region.Valid():
+		err = ErrOutOfRange(region, "region")
+	default:
+		addr := unsafeRingTwoAddress(region, 0)
+		cidr = netip.PrefixFrom(addr, RingTwoBits)
+	}
+	return cidr, err
+}
+
+// RingThreePrefix returns the subnet corresponding to
+// the pods of a cluster.
+//
+// Ring 3 is a `10.(region_id << 4).0.0/12` network
+func RingThreePrefix(region RegionID) (subnet netip.Prefix, err error) {
+	switch {
+	case !region.Valid():
+		err = ErrOutOfRange(region, "region")
+	default:
+		addr := unsafeRingThreeAddress(region, 0)
+		subnet = netip.PrefixFrom(addr, RingThreeBits)
+	}
+	return subnet, err
+}
+
+func unsafeRingZeroAddress(region RegionID, zone ZoneID, node NodeID) netip.Addr {
+	r := uint(region)
+	z := uint(zone)
+	n := uint(node)
+
+	return AddrFrom4(10, 0, r<<4+z, n)
+}
+func unsafeRingOneAddress(region RegionID, zone ZoneID, node NodeID) netip.Addr {
+	r := uint(region)
+	z := uint(zone)
+	n := uint(node)
+
+	n1 := n >> 8
+	n0 := n >> 0
+
+	return AddrFrom4(10, r, z<<4+n1, n0)
+}
+
+func unsafeRingTwoAddress(region RegionID, n uint) netip.Addr {
+	r := uint(region)
+
+	n1 := n >> 8
+	n0 := n >> 0
+
+	return AddrFrom4(10, r, n1, n0)
+}
+
+func unsafeRingThreeAddress(region RegionID, n uint) netip.Addr {
+	r := uint(region)
+
+	n2 := n >> 16
+	n1 := n >> 8
+	n0 := n >> 0
+
+	return AddrFrom4(10, r<<4+n2, n1, n0)
+}
@@ -0,0 +1,63 @@
+package rings
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+)
+
+func TestRingZeroAddress(t *testing.T) {
+	RZNTest(t, "RingZeroAddress", RingZeroAddress, []RZNTestCase{
+		{1, 1, 50, MustParseAddr("10.0.17.50")},
+		{1, 2, 50, MustParseAddr("10.0.18.50")},
+		{2, 3, 1, MustParseAddr("10.0.35.1")},
+		{2, 3, 300, netip.Addr{}},
+	})
+}
+
+func TestRingOneAddress(t *testing.T) {
+	RZNTest(t, "RingOneAddress", RingOneAddress, []RZNTestCase{
+		{1, 1, 50, MustParseAddr("10.1.16.50")},
+		{1, 2, 50, MustParseAddr("10.1.32.50")},
+		{2, 3, 300, MustParseAddr("10.2.49.44")},
+		{1, 20, 50, netip.Addr{}},
+	})
+}
+
+type RZNTestCase struct {
+	region RegionID
+	zone   ZoneID
+	node   NodeID
+	addr   netip.Addr
+}
+
+func RZNTest(t *testing.T,
+	fnName string, fn func(RegionID, ZoneID, NodeID) (netip.Addr, error),
+	cases []RZNTestCase) {
+	//
+	for i, tc := range cases {
+		s := fmt.Sprintf("%s(%v, %v, %v)", fnName,
+			tc.region,
+			tc.zone,
+			tc.node,
+		)
+
+		addr, err := fn(tc.region, tc.zone, tc.node)
+
+		switch {
+		case !tc.addr.IsValid():
+			// expect error
+			if err != nil {
+				t.Logf("[%v/%v]: %s → %s", i, len(cases), s, err)
+			} else {
+				t.Errorf("ERROR: [%v/%v]: %s → %s (expected %s)", i, len(cases), s, addr, "error")
+			}
+		case err != nil:
+			t.Errorf("ERROR: [%v/%v]: %s → %s (expected %s)", i, len(cases), s, err, tc.addr)
+		case addr.Compare(tc.addr) != 0:
+			t.Errorf("ERROR: [%v/%v]: %s → %s (expected %s)", i, len(cases), s, addr, tc.addr)
+		default:
+			t.Logf("[%v/%v]: %s → %s", i, len(cases), s, addr)
+		}
+	}
+}
@@ -0,0 +1,116 @@
+// Package rings provides logic to work with the four rings
+// of a cluster
+package rings
+
+import (
+	"fmt"
+	"strconv"
+	"syscall"
+
+	"darvaza.org/core"
+)
+
+const (
+	// UnspecifiedRingID is the zero value of RingID and not considered
+	// valid.
+	UnspecifiedRingID RingID = iota
+	RingZeroID               // RingZeroID is the RingID for RingZero (backbone)
+	RingOneID                // RingOneID is the RingID for RingOne (local zone)
+	RingTwoID                // RingTwoID is the RingID for RingTwo (region services)
+	RingThreeID              // RingThreeID is the RingID for RingThree (region cluster pods)
+
+	// RingMax indicates the highest [Ring] identifier
+	RingMax = RingThreeID
+
+	// RegionMax indicates the highest number that can be used for a [RegionID].
+	RegionMax = (1 << 4) - 1
+	// ZoneMax indicates the highest number that can be used for a [ZoneID].
+	ZoneMax = (1 << 4) - 1
+	// NodeMax indicates the highest number that can be used for a [NodeID].
+	NodeMax = (1 << 12) - 2
+	// NodeZeroMax indicates the highest number that can be used for a [NodeID]
+	// when its a gateway connected to Ring 0 (backbone).
+	NodeZeroMax = (1 << 8) - 2
+
+	// RingZeroBits indicates the size of the prefix on the ring 0 (backbone) network.
+	RingZeroBits = 16
+	// RingOneBits indicates the size of the prefix on the ring 1 (lan) network.
+	RingOneBits = 20
+	// RingTwoBits indicates the size of the prefix on the ring 2 (services) network
+	// of all kubernetes clusters.
+	RingTwoBits = 20
+	// RingThreeBits indicates the size of the prefix on the ring 3 (pods) network
+	// of the kubernetes cluster of a region.
+	RingThreeBits = 12
+)
+
+// RingID identifies a Ring
+type RingID int
+
+// Valid tells a [RingID] is within the valid range.
+func (n RingID) Valid() bool { return n > 0 && n <= RingMax }
+
+func (n RingID) String() string {
+	return idString(n)
+}
+
+// A Ring identifies what ring an address belongs to
+type Ring interface {
+	ID() RingID
+}
+
+// RegionID is the identifier of a region, valid between 1 and [RegionMax].
+type RegionID int
+
+// Valid tells a [RegionID] is within the valid range.
+func (n RegionID) Valid() bool { return n > 0 && n <= RegionMax }
+
+func (n RegionID) String() string {
+	return idString(n)
+}
+
+// ZoneID is the identifier of a zone within a region, valid between 1 and [ZoneMax].
+type ZoneID int
+
+// Valid tells a [ZoneID] is within the valid range.
+func (n ZoneID) Valid() bool { return n > 0 && n <= ZoneMax }
+
+func (n ZoneID) String() string {
+	return idString(n)
+}
+
+// NodeID is the identifier of a machine within a zone of a region, valid between
+// 1 and [NodeMax], but between 1 and [NodeZeroMax] if it will be a zone gateway.
+type NodeID int
+
+// Valid tells a [NodeID] is within the valid range.
+func (n NodeID) Valid() bool { return n > 0 && n <= NodeMax }
+
+// ValidZero tells a [NodeID] is within the valid range for a gateway.
+func (n NodeID) ValidZero() bool { return n > 0 && n <= NodeZeroMax }
+
+func (n NodeID) String() string {
+	return idString(n)
+}
+
+// ErrOutOfRange is an error indicating the value of a field
+// is out of range.
+func ErrOutOfRange[T ~int | ~uint32](value T, field string) error {
+	return core.Wrap(syscall.EINVAL, "%s out of range (%v)", field, value)
+}
+
+type intID interface {
+	~int
+	Valid() bool
+}
+
+func idString[T intID](p T) string {
+	switch {
+	case p == 0:
+		return "unspecified"
+	case p.Valid():
+		return strconv.Itoa(int(p))
+	default:
+		return fmt.Sprintf("invalid (%v)", int(p))
+	}
+}
@@ -2,7 +2,6 @@ package wireguard

 import (
 	"bytes"
-	"errors"
 	"fmt"
 	"io"
 	"net/netip"
@@ -10,8 +9,8 @@ import (
 	"strings"
 	"text/template"

+	"asciigoat.org/ini/basic"
 	"darvaza.org/core"
-	"gopkg.in/gcfg.v1"
 )

 var configTemplate = template.Must(template.New("config").Funcs(template.FuncMap{
@@ -107,6 +106,11 @@ func (ep EndpointAddress) String() string {
 	}
 }

+// UnmarshalText loads an endpoint address from text data
+func (ep *EndpointAddress) UnmarshalText(b []byte) error {
+	return ep.FromString(string(b))
+}
+
 // FromString sets the EndpointAddress from a given "[host]:port"
 func (ep *EndpointAddress) FromString(s string) error {
 	host, port, err := core.SplitHostPort(s)
@@ -127,98 +131,6 @@ func (ep *EndpointAddress) FromString(s string) error {
 	return nil
 }

-type intermediateConfig struct {
-	Interface interfaceConfig
-	Peer      peersConfig
-}
-
-func (v *intermediateConfig) Export() (*Config, error) {
-	var out Config
-	var err error
-
-	// Interface
-	out.Interface, err = v.Interface.Export()
-	if err != nil {
-		return nil, err
-	}
-
-	// Peers
-	peers, ok := v.PeersCount()
-	if !ok {
-		return nil, errors.New("inconsistent Peer data")
-	}
-
-	for i := 0; i < peers; i++ {
-		p, err := v.ExportPeer(i)
-		if err != nil {
-			err = core.Wrapf(err, "Peer[%v]:", i)
-			return nil, err
-		}
-
-		out.Peer = append(out.Peer, p)
-	}
-
-	return &out, nil
-}
-
-type interfaceConfig struct {
-	Address    netip.Addr
-	PrivateKey string
-	ListenPort uint16
-}
-
-func (p interfaceConfig) Export() (InterfaceConfig, error) {
-	var err error
-
-	out := InterfaceConfig{
-		Address:    p.Address,
-		ListenPort: p.ListenPort,
-	}
-
-	out.PrivateKey, err = PrivateKeyFromBase64(p.PrivateKey)
-	if err != nil {
-		err = core.Wrap(err, "PrivateKey")
-		return InterfaceConfig{}, err
-	}
-
-	return out, nil
-}
-
-type peersConfig struct {
-	PublicKey  []string
-	Endpoint   []string
-	AllowedIPs []string
-}
-
-func (v *intermediateConfig) ExportPeer(i int) (PeerConfig, error) {
-	var out PeerConfig
-
-	// Endpoint
-	s := v.Peer.Endpoint[i]
-	err := out.Endpoint.FromString(s)
-	if err != nil {
-		err = core.Wrap(err, "Endpoint")
-		return out, err
-	}
-
-	// PublicKey
-	out.PublicKey, err = PublicKeyFromBase64(v.Peer.PublicKey[i])
-	if err != nil {
-		err = core.Wrap(err, "PublicKey")
-		return out, err
-	}
-
-	// AllowedIPs
-	s = v.Peer.AllowedIPs[i]
-	out.AllowedIPs, err = parseAllowedIPs(s)
-	if err != nil {
-		err = core.Wrap(err, "AllowedIPs")
-		return out, err
-	}
-
-	return out, nil
-}
-
 func parseAllowedIPs(data string) ([]netip.Prefix, error) {
 	var out []netip.Prefix

@@ -235,25 +147,17 @@ func parseAllowedIPs(data string) ([]netip.Prefix, error) {
 	return out, nil
 }

-func (v *intermediateConfig) PeersCount() (int, bool) {
-	c0 := len(v.Peer.Endpoint)
-	c1 := len(v.Peer.PublicKey)
-	c2 := len(v.Peer.AllowedIPs)
-
-	if c0 != c1 || c1 != c2 {
-		return 0, false
-	}
-
-	return c0, true
-}
-
 // NewConfigFromReader parses a wgN.conf file
 func NewConfigFromReader(r io.Reader) (*Config, error) {
-	temp := &intermediateConfig{}
-
-	if err := gcfg.ReadInto(temp, r); err != nil {
+	doc, err := basic.Decode(r)
+	if err != nil {
 		return nil, err
 	}

-	return temp.Export()
+	cfg, err := newConfigFromDocument(doc)
+	if err != nil {
+		return nil, err
+	}
+
+	return cfg, nil
 }
@@ -0,0 +1,169 @@
+package wireguard
+
+import (
+	"io/fs"
+	"strconv"
+
+	"asciigoat.org/ini/basic"
+	"darvaza.org/core"
+)
+
+type sectionHandler func(*Config, *basic.Section) error
+
+var sectionMap = map[string]func(*Config, *basic.Section) error{
+	"Interface": loadInterfaceConfSection,
+	"Peer":      loadPeerConfSection,
+}
+
+func loadConfSection(out *Config, src *basic.Section) error {
+	h, ok := sectionMap[src.Key]
+	if !ok {
+		return core.Wrap(fs.ErrInvalid, "unknown section %q", src.Key)
+	}
+
+	return h(out, src)
+}
+
+func loadInterfaceConfSection(out *Config, src *basic.Section) error {
+	var cfg InterfaceConfig
+
+	for _, field := range src.Fields {
+		if err := loadInterfaceConfField(&cfg, field); err != nil {
+			return core.Wrap(err, "Interface")
+		}
+	}
+
+	out.Interface = cfg
+	return nil
+}
+
+func loadPeerConfSection(out *Config, src *basic.Section) error {
+	var cfg PeerConfig
+
+	for _, field := range src.Fields {
+		if err := loadPeerConfField(&cfg, field); err != nil {
+			return core.Wrap(err, "Peer[%v]", len(out.Peer))
+		}
+	}
+
+	out.Peer = append(out.Peer, cfg)
+	return nil
+}
+
+// revive:disable:cyclomatic
+// revive:disable:cognitive-complexity
+
+func loadInterfaceConfField(cfg *InterfaceConfig, field basic.Field) error {
+	// revive:enable:cyclomatic
+	// revive:enable:cognitive-complexity
+
+	// TODO: refactor when asciigoat's ini parser learns to do reflection
+	switch field.Key {
+	case "Address":
+		if !core.IsZero(cfg.Address) {
+			return core.Wrap(fs.ErrInvalid, "duplicate field %q", field.Key)
+		}
+
+		err := cfg.Address.UnmarshalText([]byte(field.Value))
+		switch {
+		case err != nil:
+			return core.Wrap(err, field.Key)
+		default:
+			return nil
+		}
+	case "PrivateKey":
+		if !core.IsZero(cfg.PrivateKey) {
+			return core.Wrap(fs.ErrInvalid, "duplicate field %q", field.Key)
+		}
+
+		err := cfg.PrivateKey.UnmarshalText([]byte(field.Value))
+		switch {
+		case err != nil:
+			return core.Wrap(err, field.Key)
+		default:
+			return nil
+		}
+	case "ListenPort":
+		if cfg.ListenPort > 0 {
+			return core.Wrap(fs.ErrInvalid, "duplicate field %q", field.Key)
+		}
+
+		u64, err := strconv.ParseUint(field.Value, 10, 16)
+		switch {
+		case err != nil:
+			return core.Wrap(err, field.Key)
+		case u64 == 0:
+			return core.Wrap(fs.ErrInvalid, "invalid %q value", field.Key)
+		default:
+			cfg.ListenPort = uint16(u64)
+			return nil
+		}
+	default:
+		return core.Wrap(fs.ErrInvalid, "unknown field %q", field.Key)
+	}
+}
+
+// revive:disable:cyclomatic
+// revive:disable:cognitive-complexity
+
+func loadPeerConfField(cfg *PeerConfig, field basic.Field) error {
+	// revive:enable:cyclomatic
+	// revive:enable:cognitive-complexity
+
+	switch field.Key {
+	case "PublicKey":
+		if !core.IsZero(cfg.PublicKey) {
+			return core.Wrap(fs.ErrInvalid, "duplicate field %q", field.Key)
+		}
+
+		err := cfg.PublicKey.UnmarshalText([]byte(field.Value))
+		switch {
+		case err != nil:
+			return core.Wrap(err, field.Key)
+		default:
+			return nil
+		}
+	case "Endpoint":
+		if cfg.Endpoint.String() != "" {
+			return core.Wrap(fs.ErrInvalid, "duplicate field %q", field.Key)
+		}
+
+		err := cfg.Endpoint.UnmarshalText([]byte(field.Value))
+		switch {
+		case err != nil:
+			return core.Wrap(err, field.Key)
+		default:
+			return nil
+		}
+	case "AllowedIPs":
+		s, err := parseAllowedIPs(field.Value)
+		switch {
+		case err != nil:
+			return core.Wrap(err, field.Key)
+		case len(s) > 0:
+			cfg.AllowedIPs = append(cfg.AllowedIPs, s...)
+			return nil
+		}
+	default:
+		return core.Wrap(fs.ErrInvalid, "unknown field %q", field.Key)
+	}
+	return nil
+}
+
+func newConfigFromDocument(doc *basic.Document) (*Config, error) {
+	var out Config
+
+	if len(doc.Global) > 0 {
+		err := core.Wrap(fs.ErrInvalid, "fields before the first section")
+		return nil, err
+	}
+
+	for i := range doc.Sections {
+		src := &doc.Sections[i]
+		if err := loadConfSection(&out, src); err != nil {
+			return nil, err
+		}
+	}
+
+	return &out, nil
+}
@@ -51,6 +51,28 @@ func (pub PublicKey) String() string {
 	}
 }

+// UnmarshalText loads the value from base64
+func (key *PrivateKey) UnmarshalText(b []byte) error {
+	v, err := PrivateKeyFromBase64(string(b))
+	if err != nil {
+		return err
+	}
+
+	*key = v
+	return nil
+}
+
+// UnmarshalText loads the value from base64
+func (pub *PublicKey) UnmarshalText(b []byte) error {
+	v, err := PublicKeyFromBase64(string(b))
+	if err != nil {
+		return err
+	}
+
+	*pub = v
+	return nil
+}
+
 // MarshalJSON encodes the key for JSON, omitting empty.
 func (key PrivateKey) MarshalJSON() ([]byte, error) {
 	return encodeKeyJSON(key.String())
@@ -183,20 +205,14 @@ type KeyPair struct {
 // Validate checks the PublicKey matches the PrivateKey,
 // and sets the PublicKey if missing
 func (kp *KeyPair) Validate() error {
-	keyLen := len(kp.PrivateKey)
-	pubLen := len(kp.PublicKey)
-
 	switch {
-	case keyLen != PrivateKeySize:
-		// bad private key
+	case kp.PrivateKey.IsZero():
+		// no private key
 		return ErrInvalidPrivateKey
-	case pubLen == 0:
+	case kp.PublicKey.IsZero():
 		// no public key, set it
 		kp.PublicKey = kp.PrivateKey.Public()
 		return nil
-	case pubLen != PublicKeySize:
-		// bad public key
-		return ErrInvalidPublicKey
 	case !kp.PrivateKey.Public().Equal(kp.PublicKey):
 		// wrong public key
 		return ErrInvalidPublicKey
@@ -1,113 +0,0 @@
-package zones
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"strings"
-)
-
-// Env is a shell environment factory for this cluster
-type Env struct {
-	ZoneIterator
-
-	export bool
-}
-
-// Env returns a shell environment factory
-func (m *Zones) Env(export bool) *Env {
-	return &Env{
-		ZoneIterator: m,
-		export:       export,
-	}
-}
-
-// Zones returns the list of Zone IDs
-func (m *Env) Zones() []int {
-	var zones []int
-
-	m.ForEachZone(func(z *Zone) bool {
-		zones = append(zones, z.ID)
-		return false
-	})
-
-	return zones
-}
-
-// WriteTo generates environment variables for shell scripts
-func (m *Env) WriteTo(w io.Writer) (int64, error) {
-	var buf bytes.Buffer
-
-	m.writeEnvVarInts(&buf, m.Zones(), "ZONES")
-	m.ForEachZone(func(z *Zone) bool {
-		m.writeEnvZone(&buf, z)
-		return false
-	})
-
-	return buf.WriteTo(w)
-}
-
-func (m *Env) writeEnvZone(w io.Writer, z *Zone) {
-	zoneID := z.ID
-
-	// ZONE{zoneID}
-	m.writeEnvVar(w, genEnvZoneNodes(z), "ZONE%v", zoneID)
-
-	// ZONE{zoneID}_NAME
-	m.writeEnvVar(w, z.Name, "ZONE%v_%s", zoneID, "NAME")
-
-	// ZONE{zoneID}_GW
-	gateways, _ := z.GatewayIDs()
-	m.writeEnvVarInts(w, gateways, "ZONE%v_%s", zoneID, "GW")
-}
-
-func (m *Env) writeEnvVarInts(w io.Writer, value []int, name string, args ...any) {
-	var s string
-
-	if n := len(value); n > 0 {
-		var buf bytes.Buffer
-
-		for i, v := range value {
-			if i != 0 {
-				_, _ = fmt.Fprint(&buf, " ")
-			}
-			_, _ = fmt.Fprintf(&buf, "%v", v)
-		}
-
-		s = buf.String()
-	}
-
-	m.writeEnvVar(w, s, name, args...)
-}
-
-func (m *Env) writeEnvVar(w io.Writer, value string, name string, args ...any) {
-	var prefix string
-
-	if m.export {
-		prefix = "export "
-	}
-
-	if len(args) > 0 {
-		name = fmt.Sprintf(name, args...)
-	}
-
-	if name != "" {
-		value = strings.TrimSpace(value)
-
-		_, _ = fmt.Fprintf(w, "%s%s=%q\n", prefix, name, value)
-	}
-}
-
-func genEnvZoneNodes(z *Zone) string {
-	if n := z.Len(); n > 0 {
-		s := make([]string, 0, n)
-
-		z.ForEachMachine(func(p *Machine) bool {
-			s = append(s, p.Name)
-			return false
-		})
-
-		return strings.Join(s, " ")
-	}
-	return ""
-}
@@ -1,71 +0,0 @@
-package zones
-
-import (
-	"net/netip"
-	"strings"
-)
-
-// revive:disable:line-length-limit
-
-// A Machine is a machine on a Zone
-type Machine struct {
-	zone *Zone
-	ID   int    `toml:"id"`
-	Name string `toml:"-" json:"-" yaml:"-"`
-
-	PublicAddresses []netip.Addr `toml:"public,omitempty" json:"public,omitempty" yaml:"public,omitempty"`
-	Rings           []*RingInfo  `toml:"rings,omitempty"  json:"rings,omitempty"  yaml:"rings,omitempty"`
-}
-
-// revive:enable:line-length-limit
-
-func (m *Machine) String() string {
-	return m.Name
-}
-
-// FullName returns the Name of the machine including domain name
-func (m *Machine) FullName() string {
-	if domain := m.zone.zones.domain; domain != "" {
-		var s = []string{
-			m.Name,
-			domain,
-		}
-
-		return strings.Join(s, ".")
-	}
-
-	return m.Name
-}
-
-// IsGateway tells if the Machine is a ring0 gateway
-func (m *Machine) IsGateway() bool {
-	_, ok := m.getRingInfo(0)
-	return ok
-}
-
-// SetGateway enables/disables a Machine ring0 integration
-func (m *Machine) SetGateway(enabled bool) error {
-	ri, found := m.getRingInfo(0)
-	switch {
-	case !found && !enabled:
-		return nil
-	case !found:
-		var err error
-
-		if ri, err = m.createRingInfo(0, false); err != nil {
-			return err
-		}
-	}
-
-	ri.Enabled = enabled
-	return m.SyncWireguardConfig(0)
-}
-
-// Zone indicates the [Zone] this machine belongs to
-func (m *Machine) Zone() int {
-	return m.zone.ID
-}
-
-func (m *Machine) getPeerByName(name string) (*Machine, bool) {
-	return m.zone.zones.GetMachineByName(name)
-}
@@ -1,250 +0,0 @@
-package zones
-
-import (
-	"bytes"
-	"fmt"
-	"os"
-
-	"darvaza.org/core"
-
-	"git.jpi.io/amery/jpictl/pkg/wireguard"
-)
-
-// GetWireguardKeys reads a wgN.key/wgN.pub files
-func (m *Machine) GetWireguardKeys(ring int) (wireguard.KeyPair, error) {
-	var (
-		data []byte
-		err  error
-		out  wireguard.KeyPair
-	)
-
-	data, err = m.ReadFile("wg%v.key", ring)
-	if err != nil {
-		// failed to read
-		return out, err
-	}
-
-	out.PrivateKey, err = wireguard.PrivateKeyFromBase64(string(data))
-	if err != nil {
-		// bad key
-		err = core.Wrapf(err, "wg%v.key", ring)
-		return out, err
-	}
-
-	data, err = m.ReadFile("wg%v.pub", ring)
-	switch {
-	case os.IsNotExist(err):
-		// no wgN.pub is fine
-	case err != nil:
-		// failed to read
-		return out, err
-	default:
-		// good read
-		out.PublicKey, err = wireguard.PublicKeyFromBase64(string(data))
-		if err != nil {
-			// bad key
-			err = core.Wrapf(err, "wg%v.pub", ring)
-			return out, err
-		}
-	}
-
-	err = out.Validate()
-	return out, err
-}
-
-func (m *Machine) tryReadWireguardKeys(ring int) error {
-	kp, err := m.GetWireguardKeys(ring)
-	switch {
-	case os.IsNotExist(err):
-		// ignore
-		return nil
-	case err != nil:
-		// something went wrong
-		return err
-	default:
-		// import keys
-		ri := &RingInfo{
-			Ring: ring,
-			Keys: kp,
-		}
-
-		return m.applyRingInfo(ring, ri)
-	}
-}
-
-// RemoveWireguardKeys deletes wgN.key and wgN.pub from
-// the machine's config directory
-func (m *Machine) RemoveWireguardKeys(ring int) error {
-	var err error
-
-	err = m.RemoveFile("wg%v.pub", ring)
-	switch {
-	case os.IsNotExist(err):
-		// ignore
-	case err != nil:
-		return err
-	}
-
-	err = m.RemoveFile("wg%v.key", ring)
-	if os.IsNotExist(err) {
-		// ignore
-		err = nil
-	}
-
-	return err
-}
-
-// GetWireguardConfig reads a wgN.conf file
-func (m *Machine) GetWireguardConfig(ring int) (*wireguard.Config, error) {
-	data, err := m.ReadFile("wg%v.conf", ring)
-	if err != nil {
-		return nil, err
-	}
-
-	r := bytes.NewReader(data)
-	return wireguard.NewConfigFromReader(r)
-}
-
-func (m *Machine) tryApplyWireguardConfig(ring int) error {
-	wg, err := m.GetWireguardConfig(ring)
-	switch {
-	case os.IsNotExist(err):
-		return nil
-	case err != nil:
-		return err
-	default:
-		return m.applyWireguardConfig(ring, wg)
-	}
-}
-
-func (m *Machine) applyWireguardConfig(ring int, wg *wireguard.Config) error {
-	addr := wg.GetAddress()
-	zoneID, nodeID, ok := Rings[ring].Decode(addr)
-	if !ok {
-		return fmt.Errorf("%s: invalid wg%v address: %s", m.Name, ring, addr)
-	}
-
-	if err := m.applyZoneNodeID(zoneID, nodeID); err != nil {
-		err = core.Wrapf(err, "%s: wg%v:%s", m.Name, ring, addr)
-		return err
-	}
-
-	if err := m.applyWireguardInterfaceConfig(ring, wg.Interface); err != nil {
-		err = core.Wrapf(err, "%s: wg%v:%s", m.Name, ring, addr)
-		return err
-	}
-
-	for _, peer := range wg.Peer {
-		if err := m.applyWireguardPeerConfig(ring, peer); err != nil {
-			err = core.Wrapf(err, "%s: wg%v:%s", m.Name, ring, addr)
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (m *Machine) getRingInfo(ring int) (*RingInfo, bool) {
-	for _, ri := range m.Rings {
-		if ri.Ring == ring {
-			return ri, ri.Enabled
-		}
-	}
-
-	return nil, false
-}
-
-func (m *Machine) applyRingInfo(ring int, new *RingInfo) error {
-	cur, _ := m.getRingInfo(ring)
-	if cur == nil {
-		// first, append
-		m.Rings = append(m.Rings, new)
-		return nil
-	}
-
-	// extra, merge
-	return cur.Merge(new)
-}
-
-func (m *Machine) applyWireguardInterfaceConfig(ring int, data wireguard.InterfaceConfig) error {
-	ri := &RingInfo{
-		Ring:    ring,
-		Enabled: true,
-		Keys: wireguard.KeyPair{
-			PrivateKey: data.PrivateKey,
-		},
-	}
-
-	return m.applyRingInfo(ring, ri)
-}
-
-func (m *Machine) applyWireguardPeerConfig(ring int, pc wireguard.PeerConfig) error {
-	peer, found := m.getPeerByName(pc.Endpoint.Name())
-	switch {
-	case !found:
-		// unknown
-	case ring == 1 && m.zone != peer.zone:
-		// invalid zone
-	default:
-		// apply RingInfo
-		ri := &RingInfo{
-			Ring:    ring,
-			Enabled: true,
-			Keys: wireguard.KeyPair{
-				PublicKey: pc.PublicKey,
-			},
-		}
-
-		return peer.applyRingInfo(ring, ri)
-	}
-
-	return fmt.Errorf("%q: invalid peer endpoint", pc.Endpoint.Host)
-}
-
-func (m *Machine) applyZoneNodeID(zoneID, nodeID int) error {
-	switch {
-	case zoneID == 0:
-		return fmt.Errorf("invalid %s", "zoneID")
-	case nodeID == 0:
-		return fmt.Errorf("invalid %s", "nodeID")
-	case m.ID != nodeID:
-		return fmt.Errorf("invalid %s: %v ≠ %v", "zoneID", m.ID, nodeID)
-	case m.zone.ID != 0 && m.zone.ID != zoneID:
-		return fmt.Errorf("invalid %s: %v ≠ %v", "zoneID", m.zone.ID, zoneID)
-	case m.zone.ID == 0:
-		m.zone.ID = zoneID
-	}
-
-	return nil
-}
-
-// RemoveWireguardConfig deletes wgN.conf from the machine's
-// config directory.
-func (m *Machine) RemoveWireguardConfig(ring int) error {
-	err := m.RemoveFile("wg%v.conf", ring)
-	if os.IsNotExist(err) {
-		err = nil
-	}
-
-	return err
-}
-
-func (m *Machine) createRingInfo(ring int, enabled bool) (*RingInfo, error) {
-	keys, err := wireguard.NewKeyPair()
-	if err != nil {
-		return nil, err
-	}
-
-	ri := &RingInfo{
-		Ring:    ring,
-		Enabled: enabled,
-		Keys:    keys,
-	}
-
-	err = m.applyRingInfo(ring, ri)
-	if err != nil {
-		return nil, err
-	}
-
-	return ri, nil
-}
@@ -1,69 +0,0 @@
-package zones
-
-import (
-	"context"
-	"net/netip"
-	"strconv"
-	"time"
-)
-
-// LookupNetIP uses the DNS Resolver to get the public addresses associated
-// to a Machine
-func (m *Machine) LookupNetIP(timeout time.Duration) ([]netip.Addr, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-
-	defer cancel()
-
-	return m.zone.zones.resolver.LookupNetIP(ctx, "ip", m.FullName())
-}
-
-// UpdatePublicAddresses uses the DNS Resolver to set Machine.PublicAddresses
-func (m *Machine) UpdatePublicAddresses() error {
-	addrs, err := m.LookupNetIP(2 * time.Second)
-	if err != nil {
-		return err
-	}
-
-	m.PublicAddresses = addrs
-	return nil
-}
-
-func (m *Machine) init() error {
-	if err := m.setID(); err != nil {
-		return err
-	}
-
-	for i := 0; i < RingsCount; i++ {
-		if err := m.tryReadWireguardKeys(i); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (m *Machine) setID() error {
-	zoneName := m.zone.Name
-	suffix := m.Name[len(zoneName)+1:]
-
-	id, err := strconv.ParseInt(suffix, 10, 8)
-	if err != nil {
-		return err
-	}
-
-	m.ID = int(id)
-	return nil
-}
-
-func (m *Machine) scan(opts *ScanOptions) error {
-	for i := 0; i < RingsCount; i++ {
-		if err := m.tryApplyWireguardConfig(i); err != nil {
-			return err
-		}
-	}
-
-	if !opts.DontResolvePublicAddresses {
-		return m.UpdatePublicAddresses()
-	}
-
-	return nil
-}
@@ -1,185 +0,0 @@
-package zones
-
-import (
-	"io/fs"
-	"sort"
-)
-
-func (m *Zones) scan(opts *ScanOptions) error {
-	for _, fn := range []func(*ScanOptions) error{
-		m.scanDirectory,
-		m.scanMachines,
-		m.scanZoneIDs,
-		m.scanSort,
-		m.scanGateways,
-	} {
-		if err := fn(opts); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (m *Zones) scanDirectory(_ *ScanOptions) error {
-	// each directory is a zone
-	entries, err := fs.ReadDir(m.dir, ".")
-	if err != nil {
-		return err
-	}
-
-	for _, e := range entries {
-		if e.IsDir() {
-			z := &Zone{
-				zones: m,
-				Name:  e.Name(),
-			}
-
-			if err := z.scan(); err != nil {
-				return err
-			}
-
-			m.Zones = append(m.Zones, z)
-		}
-	}
-
-	return nil
-}
-
-func (m *Zones) scanMachines(opts *ScanOptions) error {
-	var err error
-	m.ForEachMachine(func(p *Machine) bool {
-		err = p.scan(opts)
-		return err != nil
-	})
-	return err
-}
-
-func (m *Zones) scanZoneIDs(_ *ScanOptions) error {
-	var hasMissing bool
-	var lastZoneID int
-
-	m.ForEachZone(func(z *Zone) bool {
-		switch {
-		case z.ID == 0:
-			hasMissing = true
-		case z.ID > lastZoneID:
-			lastZoneID = z.ID
-		}
-
-		return false
-	})
-
-	if hasMissing {
-		next := lastZoneID + 1
-
-		m.ForEachZone(func(z *Zone) bool {
-			if z.ID == 0 {
-				z.ID, next = next, next+1
-			}
-
-			return false
-		})
-	}
-
-	return nil
-}
-
-func (m *Zones) scanSort(_ *ScanOptions) error {
-	sort.SliceStable(m.Zones, func(i, j int) bool {
-		id1 := m.Zones[i].ID
-		id2 := m.Zones[j].ID
-		return id1 < id2
-	})
-
-	m.ForEachZone(func(z *Zone) bool {
-		sort.Sort(z)
-		return false
-	})
-
-	m.ForEachMachine(func(p *Machine) bool {
-		sort.SliceStable(p.Rings, func(i, j int) bool {
-			ri1 := p.Rings[i]
-			ri2 := p.Rings[j]
-
-			return ri1.Ring < ri2.Ring
-		})
-
-		return false
-	})
-
-	return nil
-}
-
-func (m *Zones) scanGateways(_ *ScanOptions) error {
-	var err error
-
-	m.ForEachZone(func(z *Zone) bool {
-		_, _, err = z.GetGateway()
-		return err != nil
-	})
-	return err
-}
-
-func (z *Zone) scan() error {
-	// each directory is a machine
-	entries, err := fs.ReadDir(z.zones.dir, z.Name)
-	if err != nil {
-		return err
-	}
-
-	for _, e := range entries {
-		if e.IsDir() {
-			m := &Machine{
-				zone: z,
-				Name: e.Name(),
-			}
-
-			if err := m.init(); err != nil {
-				return err
-			}
-
-			z.Machines = append(z.Machines, m)
-		}
-	}
-
-	return nil
-}
-
-// GetGateway returns the first gateway found, if none
-// files will be created to enable the first [Machine] to
-// be one
-func (z *Zone) GetGateway() (*Machine, bool, error) {
-	var first *Machine
-	var gateway *Machine
-
-	z.zones.ForEachMachine(func(p *Machine) bool {
-		switch {
-		case p.IsGateway():
-			// found
-			gateway = p
-		case first == nil:
-			// remember
-			first = p
-		default:
-			// keep looking
-		}
-
-		return gateway != nil
-	})
-
-	switch {
-	case gateway != nil:
-		// found one
-		return gateway, false, nil
-	case first != nil:
-		// make one
-		if err := first.SetGateway(true); err != nil {
-			return first, false, err
-		}
-		return first, true, nil
-	default:
-		// Zone without nodes?
-		panic("unreachable")
-	}
-}
@@ -1,33 +0,0 @@
-package zones
-
-// SyncAll updates all config files
-func (m *Zones) SyncAll() error {
-	for _, fn := range []func() error{
-		m.SyncAllWireguard,
-	} {
-		if err := fn(); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// SyncAllWireguard updates all wireguard config files
-func (m *Zones) SyncAllWireguard() error {
-	var err error
-
-	for ring := 0; ring < RingsCount; ring++ {
-		err = m.WriteWireguardKeys(ring)
-		if err != nil {
-			return err
-		}
-
-		err = m.SyncWireguardConfig(ring)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
@@ -1,189 +0,0 @@
-// Package zones contains information about the cluster
-package zones
-
-import (
-	"io/fs"
-	"sort"
-
-	"darvaza.org/resolver"
-)
-
-var (
-	_ MachineIterator = Machines(nil)
-	_ sort.Interface  = Machines(nil)
-
-	_ MachineIterator = (*Zone)(nil)
-	_ MachineIterator = (*Zones)(nil)
-	_ ZoneIterator    = (*Zones)(nil)
-)
-
-// A MachineIterator is a set of Machines we can iterate on
-type MachineIterator interface {
-	ForEachMachine(func(*Machine) bool)
-}
-
-// A ZoneIterator is a set of Zones we can iterate on
-type ZoneIterator interface {
-	ForEachZone(func(*Zone) bool)
-}
-
-// Machines is a list of Machine objects
-type Machines []*Machine
-
-// ForEachMachine calls a function for each Machine in the list
-// until instructed to terminate the loop
-func (m Machines) ForEachMachine(fn func(*Machine) bool) {
-	for _, p := range m {
-		if fn(p) {
-			return
-		}
-	}
-}
-
-// Len returns the number of machines in the list
-func (m Machines) Len() int {
-	return len(m)
-}
-
-// Less implements sort.Interface to sort the list
-func (m Machines) Less(i, j int) bool {
-	a, b := m[i], m[j]
-	za, zb := a.Zone(), b.Zone()
-
-	switch {
-	case za == zb:
-		return a.ID < b.ID
-	default:
-		return za < zb
-	}
-}
-
-// Swap implements sort.Interface to sort the list
-func (m Machines) Swap(i, j int) {
-	m[i], m[j] = m[j], m[i]
-}
-
-// FilterMachines produces a subset of the machines offered by the given
-// iterator fulfilling a condition
-func FilterMachines(m MachineIterator, cond func(*Machine) bool) (Machines, int) {
-	var out []*Machine
-
-	if cond == nil {
-		// unconditional
-		cond = func(*Machine) bool { return true }
-	}
-
-	m.ForEachMachine(func(p *Machine) bool {
-		if cond(p) {
-			out = append(out, p)
-		}
-		return false
-	})
-
-	return out, len(out)
-}
-
-// Zone represents one zone in a cluster
-type Zone struct {
-	zones *Zones
-
-	ID   int    `toml:"id"`
-	Name string `toml:"name"`
-
-	Machines `toml:"machines"`
-}
-
-func (z *Zone) String() string {
-	return z.Name
-}
-
-// SetGateway configures a machine to be the zone's ring0 gateway
-func (z *Zone) SetGateway(gatewayID int, enabled bool) error {
-	var err error
-	var found bool
-
-	z.ForEachMachine(func(p *Machine) bool {
-		if p.ID == gatewayID {
-			found = true
-			err = p.SetGateway(enabled)
-
-			return true
-		}
-		return false
-	})
-
-	switch {
-	case err != nil:
-		return err
-	case !found:
-		return fs.ErrNotExist
-	default:
-		return nil
-	}
-}
-
-// GatewayIDs returns the list of IDs of machines that act as ring0 gateways
-func (z *Zone) GatewayIDs() ([]int, int) {
-	var out []int
-	z.ForEachMachine(func(p *Machine) bool {
-		if p.IsGateway() {
-			out = append(out, p.ID)
-		}
-		return false
-	})
-
-	return out, len(out)
-}
-
-// Zones represents all zones in a cluster
-type Zones struct {
-	dir      fs.FS
-	resolver resolver.Resolver
-	domain   string
-
-	Zones []*Zone `toml:"zones"`
-}
-
-// ForEachMachine calls a function for each Machine in the cluster
-// until instructed to terminate the loop
-func (m *Zones) ForEachMachine(fn func(*Machine) bool) {
-	m.ForEachZone(func(z *Zone) bool {
-		var term bool
-
-		z.ForEachMachine(func(p *Machine) bool {
-			term = fn(p)
-			return term
-		})
-
-		return term
-	})
-}
-
-// ForEachZone calls a function for each Zone in the cluster
-// until instructed to terminate the loop
-func (m *Zones) ForEachZone(fn func(*Zone) bool) {
-	for _, p := range m.Zones {
-		if fn(p) {
-			// terminate
-			return
-		}
-	}
-}
-
-// GetMachineByName looks for a machine with the specified
-// name on any zone
-func (m *Zones) GetMachineByName(name string) (*Machine, bool) {
-	var out *Machine
-
-	if name != "" {
-		m.ForEachMachine(func(p *Machine) bool {
-			if p.Name == name {
-				out = p
-			}
-
-			return out != nil
-		})
-	}
-
-	return out, out != nil
-}
@@ -1,46 +0,0 @@
-package zones
-
-import (
-	"fmt"
-	"io"
-	"os"
-
-	fs "github.com/hack-pad/hackpadfs"
-)
-
-// OpenFile opens a file on the cluster's config directory with the specified flags
-func (m *Zones) OpenFile(name string, flags int, args ...any) (fs.File, error) {
-	if len(args) > 0 {
-		name = fmt.Sprintf(name, args...)
-	}
-
-	return fs.OpenFile(m.dir, name, flags, 0644)
-}
-
-// CreateTruncFile creates or truncates a file on the cluster's config directory
-func (m *Zones) CreateTruncFile(name string, args ...any) (io.WriteCloser, error) {
-	return m.openWriter(name, os.O_CREATE|os.O_TRUNC, args...)
-}
-
-// CreateFile creates a file on the cluster's config directory
-func (m *Zones) CreateFile(name string, args ...any) (io.WriteCloser, error) {
-	return m.openWriter(name, os.O_CREATE, args...)
-}
-
-func (m *Zones) openWriter(name string, flags int, args ...any) (io.WriteCloser, error) {
-	f, err := m.OpenFile(name, os.O_WRONLY|flags, args...)
-	if err != nil {
-		return nil, err
-	}
-
-	return f.(io.WriteCloser), nil
-}
-
-// ReadFile reads a file from the cluster's config directory
-func (m *Zones) ReadFile(name string, args ...any) ([]byte, error) {
-	if len(args) > 0 {
-		name = fmt.Sprintf(name, args...)
-	}
-
-	return fs.ReadFile(m.dir, name)
-}