zones: extend WriteWireguardConfig to include a Name indicating the ring ID

Signed-off-by: Alejandro Mery <amery@jpi.io>

cmd/jpictl/config.go

@@ -1,5 +1,7 @@
 package main
 
+import "git.jpi.io/amery/jpictl/pkg/zones"
+
 // Config describes the repository
 type Config struct {
 	Base   string
@@ -10,3 +12,8 @@ var cfg = &Config{
 	Base:   "./m",
 	Domain: "m.jpi.cloud",
 }
+
+// LoadZones loads all zones and machines in the config directory
+func (cfg *Config) LoadZones() (*zones.Zones, error) {
+	return zones.New(cfg.Base, cfg.Domain)
+}

cmd/jpictl/dump.go

@@ -2,27 +2,76 @@ package main
 
 import (
 	"bytes"
+	"encoding/json"
+	"io"
 	"os"
 
 	"github.com/burntSushi/toml"
 	"github.com/spf13/cobra"
-
-	"git.jpi.io/amery/jpictl/pkg/zones"
+	"gopkg.in/yaml.v3"
 )
 
+// Encoder represents an object that encodes another internally
+type Encoder interface {
+	Encode(any) error
+}
+
+// Encoding represents a type of [Encoder]
+type Encoding int
+
+const (
+	// TOMLEncoding represents TOML encoding
+	TOMLEncoding Encoding = iota
+	// JSONEncoding represents JSON encoding
+	JSONEncoding
+	// YAMLEncoding represents YAML encoding
+	YAMLEncoding
+)
+
+// NewJSONEncoder returns a JSON [Encoder] to work on the given [io.Writer]
+func NewJSONEncoder(w io.Writer) Encoder {
+	enc := json.NewEncoder(w)
+	enc.SetIndent(``, `  `)
+	return enc
+}
+
+// NewYAMLEncoder returns a YAML [Encoder] to work on the given [io.Writer]
+func NewYAMLEncoder(w io.Writer) Encoder {
+	enc := yaml.NewEncoder(w)
+	enc.SetIndent(2)
+	return enc
+}
+
+// NewTOMLEncoder returns a TOML [Encoder] to work on the given [io.Writer]
+func NewTOMLEncoder(w io.Writer) Encoder {
+	enc := toml.NewEncoder(w)
+	return enc
+}
+
+const encoding = YAMLEncoding
+
 // Command
 var dumpCmd = &cobra.Command{
 	Use:   "dump",
-	Short: "generates a toml representation of the config",
+	Short: "generates a text representation of the config",
 	RunE: func(_ *cobra.Command, _ []string) error {
 		var buf bytes.Buffer
+		var enc Encoder
 
-		m, err := zones.New(cfg.Base, cfg.Domain)
+		m, err := cfg.LoadZones()
 		if err != nil {
 			return err
 		}
 
-		enc := toml.NewEncoder(&buf)
+		switch encoding {
+		case JSONEncoding:
+			enc = NewJSONEncoder(&buf)
+		case YAMLEncoding:
+			enc = NewYAMLEncoder(&buf)
+		default:
+			enc = NewTOMLEncoder(&buf)
+		}
+
 		if err = enc.Encode(m); err != nil {
 			return err
 		}

cmd/jpictl/env.go

@@ -4,8 +4,6 @@ import (
 	"os"
 
 	"github.com/spf13/cobra"
-
-	"git.jpi.io/amery/jpictl/pkg/zones"
 )
 
 // Command
@@ -13,7 +11,7 @@ var envCmd = &cobra.Command{
 	Use:   "env",
 	Short: "generates environment variables for shell scripts",
 	RunE: func(_ *cobra.Command, _ []string) error {
-		m, err := zones.New(cfg.Base, cfg.Domain)
+		m, err := cfg.LoadZones()
 		if err != nil {
 			return err
 		}

cmd/jpictl/write.go

@@ -0,0 +1,23 @@
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// Command
+var writeCmd = &cobra.Command{
+	Use:   "write",
+	Short: "rewrites all config files",
+	RunE: func(_ *cobra.Command, _ []string) error {
+		m, err := cfg.LoadZones()
+		if err != nil {
+			return err
+		}
+
+		return m.SyncAll()
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(writeCmd)
+}

go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	golang.org/x/crypto v0.12.0
 	gopkg.in/gcfg.v1 v1.2.3
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (

go.sum

@@ -90,6 +90,7 @@ golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss=
 golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/gcfg.v1 v1.2.3 h1:m8OOJ4ccYHnx2f4gQwpno8nAX5OGOh7RLaaz0pj3Ogs=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=

pkg/wireguard/config.go

@@ -1,17 +1,44 @@
 package wireguard
 
 import (
+	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"net/netip"
 	"strconv"
 	"strings"
+	"text/template"
 
 	"darvaza.org/core"
 	"gopkg.in/gcfg.v1"
 )
 
+var configTemplate = template.Must(template.New("config").Funcs(template.FuncMap{
+	"PrefixJoin": func(a []netip.Prefix, sep string) string {
+		s := make([]string, len(a))
+		for i, p := range a {
+			s[i] = p.String()
+		}
+		return strings.Join(s, sep)
+	},
+}).Parse(`[Interface]
+{{if .Interface.Name}}# Name: {{.Interface.Name}}
+{{end -}}
+Address = {{.Interface.Address}}
+PrivateKey = {{.Interface.PrivateKey}}
+ListenPort = {{.Interface.ListenPort}}
+{{- range .Peer }}
+
+[Peer]
+{{if .Name}}# Name: {{.Name}}
+{{end -}}
+PublicKey = {{.PublicKey}}
+Endpoint = {{.Endpoint}}
+AllowedIPs = {{ PrefixJoin .AllowedIPs ", "}}
+{{- end }}
+`))
+
 // Config represents a wgN.conf file
 type Config struct {
 	Interface InterfaceConfig
@@ -28,8 +55,20 @@ func (f *Config) Peers() int {
 	return len(f.Peer)
 }
 
+// WriteTo writes a Wireguard [Config] onto the provided [io.Writer]
+func (f *Config) WriteTo(w io.Writer) (int64, error) {
+	var buf bytes.Buffer
+
+	if err := configTemplate.Execute(&buf, f); err != nil {
+		return 0, err
+	}
+
+	return buf.WriteTo(w)
+}
+
 // InterfaceConfig represents the [Interface] section
 type InterfaceConfig struct {
+	Name       string
 	Address    netip.Addr
 	PrivateKey PrivateKey
 	ListenPort uint16
@@ -37,6 +76,7 @@ type InterfaceConfig struct {
 
 // PeerConfig represents a [Peer] section
 type PeerConfig struct {
+	Name       string
 	PublicKey  PublicKey
 	Endpoint   EndpointAddress
 	AllowedIPs []netip.Prefix

pkg/wireguard/keys.go

@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
+	"fmt"
 
 	"golang.org/x/crypto/curve25519"
 )
@@ -50,6 +51,43 @@ func (pub PublicKey) String() string {
 	}
 }
 
+// MarshalJSON encodes the key for JSON, omiting empty.
+func (key PrivateKey) MarshalJSON() ([]byte, error) {
+	return encodeKeyJSON(key.String())
+}
+
+// MarshalJSON encodes the key for JSON, omiting empty.
+func (pub PublicKey) MarshalJSON() ([]byte, error) {
+	return encodeKeyJSON(pub.String())
+}
+
+func encodeKeyJSON(s string) ([]byte, error) {
+	var out []byte
+	if s != "" {
+		out = []byte(fmt.Sprintf("%q", s))
+	}
+
+	return out, nil
+}
+
+// MarshalYAML encodes the key for YAML, omiting empty.
+func (key PrivateKey) MarshalYAML() (any, error) {
+	return encodeKeyYAML(key.String())
+}
+
+// MarshalYAML encodes the key for YAML, omiting empty.
+func (pub PublicKey) MarshalYAML() (any, error) {
+	return encodeKeyYAML(pub.String())
+}
+
+func encodeKeyYAML(s string) (any, error) {
+	if s == "" {
+		return nil, nil
+	}
+
+	return s, nil
+}
+
 // IsZero tells if the key hasn't been set
 func (key PrivateKey) IsZero() bool {
 	var zero PrivateKey

pkg/zones/machine.go

@@ -5,16 +5,20 @@ import (
 	"strings"
 )
 
+// revive:disable:line-length-limit
+
 // A Machine is a machine on a Zone
 type Machine struct {
 	zone *Zone
-	ID   int
-	Name string `toml:"name"`
+	ID   int    `toml:"id"`
+	Name string `toml:"-" json:"-" yaml:"-"`
 
-	PublicAddresses []netip.Addr `toml:"public,omitempty"`
-	Rings           []*RingInfo  `toml:"rings,omitempty"`
+	PublicAddresses []netip.Addr `toml:"public,omitempty" json:"public,omitempty" yaml:"public,omitempty"`
+	Rings           []*RingInfo  `toml:"rings,omitempty"  json:"rings,omitempty"  yaml:"rings,omitempty"`
 }
 
+// revive:enable:line-length-limit
+
 func (m *Machine) String() string {
 	return m.Name
 }
@@ -39,6 +43,11 @@ func (m *Machine) IsGateway() bool {
 	return ok
 }
 
+// Zone indicates the [Zone] this machine belongs to
+func (m *Machine) Zone() int {
+	return m.zone.ID
+}
+
 func (m *Machine) getPeerByName(name string) (*Machine, bool) {
 	return m.zone.zones.GetMachineByName(name)
 }

pkg/zones/machine_rings.go

@@ -3,7 +3,6 @@ package zones
 import (
 	"bytes"
 	"fmt"
-	"io/fs"
 	"os"
 
 	"darvaza.org/core"
@@ -73,38 +72,6 @@ func (m *Machine) tryReadWireguardKeys(ring int) error {
 	}
 }
 
-// WriteWireguardKeys writes the wgN.key/wgN.pub files
-func (m *Machine) WriteWireguardKeys(ring int) error {
-	var err error
-	var key, pub string
-	var ri *RingInfo
-
-	ri, _ = m.getRingInfo(ring)
-	if ri != nil {
-		key = ri.Keys.PrivateKey.String()
-		pub = ri.Keys.PublicKey.String()
-	}
-
-	switch {
-	case key == "":
-		return fs.ErrNotExist
-	case pub == "":
-		pub = ri.Keys.PrivateKey.Public().String()
-	}
-
-	err = m.WriteStringFile(key, "wg%v.key", ring)
-	if err != nil {
-		return err
-	}
-
-	err = m.WriteStringFile(pub, "wg%v.pub", ring)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
 // RemoveWireguardKeys deletes wgN.key and wgN.pub from
 // the machine's config directory
 func (m *Machine) RemoveWireguardKeys(ring int) error {

pkg/zones/rings.go

@@ -2,6 +2,7 @@ package zones
 
 import (
 	"fmt"
+	"io/fs"
 	"net/netip"
 
 	"git.jpi.io/amery/jpictl/pkg/wireguard"
@@ -175,7 +176,174 @@ func RingOneAddress(zoneID, nodeID int) (netip.Addr, bool) {
 	case !ValidZoneID(zoneID) || !ValidNodeID(nodeID):
 		return netip.Addr{}, false
 	default:
-		a4 := [4]uint8{10, 0, uint8(zoneID << 4), uint8(nodeID)}
+		a4 := [4]uint8{10, uint8(zoneID << 4), 0, uint8(nodeID)}
 		return netip.AddrFrom4(a4), true
 	}
 }
+
+var (
+	_ MachineIterator = (*Ring)(nil)
+	_ ZoneIterator    = (*Ring)(nil)
+)
+
+// A Ring describes all peers on a ring
+type Ring struct {
+	RingAddressEncoder
+	ZoneIterator
+
+	Peers []*RingPeer
+}
+
+// AddPeer adds a [Machine] to the ring
+func (r *Ring) AddPeer(p *Machine) bool {
+	ri, ok := p.getRingInfo(r.ID)
+	if !ok {
+		return false
+	}
+
+	nodeID := p.ID
+	zoneID := p.Zone()
+	addr, _ := r.Encode(zoneID, nodeID)
+
+	rp := &RingPeer{
+		Node:       p,
+		Address:    addr,
+		PrivateKey: ri.Keys.PrivateKey,
+		PeerConfig: wireguard.PeerConfig{
+			Name:      fmt.Sprintf("%s-%v", p.Name, r.ID),
+			PublicKey: ri.Keys.PublicKey,
+			Endpoint: wireguard.EndpointAddress{
+				Host: p.FullName(),
+				Port: r.Port,
+			},
+		},
+	}
+
+	switch {
+	case r.ID == 0:
+		r.setRingZeroAllowedIPs(rp)
+	case p.IsGateway():
+		r.setRingOneGatewayAllowedIPs(rp)
+	default:
+		r.setRingOneNodeAllowedIPs(rp)
+	}
+
+	r.Peers = append(r.Peers, rp)
+	return true
+}
+
+func (r *Ring) setRingZeroAllowedIPs(rp *RingPeer) {
+	zoneID, _, _ := r.Decode(rp.Address)
+
+	// everyone on ring0 is a gateway to ring1
+	addr, _ := RingOneAddress(zoneID, 0)
+	rp.AllowCIDR(addr, 12)
+
+	// peer
+	rp.AllowCIDR(rp.Address, 32)
+}
+
+func (r *Ring) setRingOneGatewayAllowedIPs(rp *RingPeer) {
+	zoneID, _, _ := r.Decode(rp.Address)
+
+	// peer
+	rp.AllowCIDR(rp.Address, 32)
+
+	// ring1 gateways connect to all other ring1 networks
+	r.ForEachZone(func(z *Zone) bool {
+		if z.ID != zoneID {
+			addr, _ := r.Encode(z.ID, 0)
+			rp.AllowCIDR(addr, 12)
+		}
+		return false
+	})
+
+	// ring1 gateways also connect to all ring0 addresses
+	r.ForEachZone(func(z *Zone) bool {
+		z.ForEachMachine(func(p *Machine) bool {
+			if p.IsGateway() {
+				addr, _ := RingZeroAddress(z.ID, p.ID)
+				rp.AllowCIDR(addr, 32)
+			}
+			return false
+		})
+		return false
+	})
+}
+
+func (*Ring) setRingOneNodeAllowedIPs(rp *RingPeer) {
+	// only to the peer itself
+	rp.AllowCIDR(rp.Address, 32)
+}
+
+// ForEachMachine calls a function for each Machine in the ring
+// until instructed to terminate the loop
+func (r *Ring) ForEachMachine(fn func(*Machine) bool) {
+	for _, pp := range r.Peers {
+		if fn(pp.Node) {
+			return
+		}
+	}
+}
+
+// ExportConfig builds a wgN.conf for the specified machine on the ring
+func (r *Ring) ExportConfig(p *Machine) (*wireguard.Config, error) {
+	var found bool
+
+	out := &wireguard.Config{
+		Interface: wireguard.InterfaceConfig{
+			ListenPort: r.Port,
+		},
+	}
+
+	for _, pp := range r.Peers {
+		switch {
+		case pp.Node == p:
+			// current
+			found = true
+			out.Interface.Name = pp.PeerConfig.Name
+			out.Interface.Address = pp.Address
+			out.Interface.PrivateKey = pp.PrivateKey
+		default:
+			// peer
+			pc := pp.PeerConfig
+			out.Peer = append(out.Peer, pc)
+		}
+	}
+
+	if !found {
+		return nil, fs.ErrNotExist
+	}
+
+	return out, nil
+}
+
+// A RingPeer is a node on a [Ring]
+type RingPeer struct {
+	Node *Machine
+
+	Address    netip.Addr
+	PrivateKey wireguard.PrivateKey
+	PeerConfig wireguard.PeerConfig
+}
+
+// AllowCIDR allows an IP range via this peer
+func (rp *RingPeer) AllowCIDR(addr netip.Addr, bits int) {
+	cidr := netip.PrefixFrom(addr, bits)
+	rp.PeerConfig.AllowedIPs = append(rp.PeerConfig.AllowedIPs, cidr)
+}
+
+// NewRing composes a new Ring for Wireguard setup
+func NewRing(z ZoneIterator, m MachineIterator, ring int) (*Ring, error) {
+	r := &Ring{
+		RingAddressEncoder: Rings[ring],
+		ZoneIterator:       z,
+	}
+
+	m.ForEachMachine(func(p *Machine) bool {
+		r.AddPeer(p)
+		return false
+	})
+
+	return r, nil
+}

pkg/zones/sync.go

@@ -0,0 +1,33 @@
+package zones
+
+// SyncAll updates all config files
+func (m *Zones) SyncAll() error {
+	for _, fn := range []func() error{
+		m.SyncAllWireguard,
+	} {
+		if err := fn(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// SyncAllWireguard updates all wireguard config files
+func (m *Zones) SyncAllWireguard() error {
+	var err error
+
+	for ring := 0; ring < RingsCount; ring++ {
+		err = m.WriteWireguardKeys(ring)
+		if err != nil {
+			return err
+		}
+
+		err = m.SyncWireguardConfig(ring)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

pkg/zones/wireguard.go

@@ -0,0 +1,265 @@
+package zones
+
+import (
+	"io/fs"
+	"os"
+)
+
+var (
+	_ WireguardConfigPruner = (*Zones)(nil)
+	_ WireguardConfigPruner = (*Zone)(nil)
+	_ WireguardConfigPruner = (*Machine)(nil)
+
+	_ WireguardConfigWriter = (*Zones)(nil)
+	_ WireguardConfigWriter = (*Zone)(nil)
+	_ WireguardConfigWriter = (*Machine)(nil)
+
+	_ WireguardConfigSyncer = (*Zones)(nil)
+	_ WireguardConfigSyncer = (*Zone)(nil)
+
+	_ WireguardKeysWriter = (*Zones)(nil)
+	_ WireguardKeysWriter = (*Zone)(nil)
+	_ WireguardKeysWriter = (*Machine)(nil)
+)
+
+// A WireguardConfigPruner deletes wgN.conf on all machines under
+// its scope with the specified ring disabled
+type WireguardConfigPruner interface {
+	PruneWireguardConfig(ring int) error
+}
+
+// PruneWireguardConfig removes wgN.conf files of machines with
+// the corresponding ring disabled on all zones
+func (m *Zones) PruneWireguardConfig(ring int) error {
+	return pruneWireguardConfig(m, ring)
+}
+
+// PruneWireguardConfig removes wgN.conf files of machines with
+// the corresponding ring disabled.
+func (z *Zone) PruneWireguardConfig(ring int) error {
+	return pruneWireguardConfig(z, ring)
+}
+
+func pruneWireguardConfig(m MachineIterator, ring int) error {
+	var err error
+
+	m.ForEachMachine(func(p *Machine) bool {
+		err = p.zone.PruneWireguardConfig(ring)
+		if os.IsNotExist(err) {
+			// ignore
+			err = nil
+		}
+
+		return err != nil
+	})
+
+	return err
+}
+
+// PruneWireguardConfig deletes the wgN.conf file if its
+// presence on the ring is disabled
+func (m *Machine) PruneWireguardConfig(ring int) error {
+	_, ok := m.getRingInfo(ring)
+	if !ok {
+		return m.RemoveWireguardConfig(ring)
+	}
+
+	return nil
+}
+
+// A WireguardConfigWriter rewrites all wgN.conf on all machines under
+// its scope attached to that ring
+type WireguardConfigWriter interface {
+	WriteWireguardConfig(ring int) error
+}
+
+// WriteWireguardConfig rewrites all wgN.conf on all machines
+// attached to that ring
+func (m *Zones) WriteWireguardConfig(ring int) error {
+	switch ring {
+	case 0:
+		return writeWireguardConfig(m, m, ring)
+	case 1:
+		var err error
+		m.ForEachZone(func(z *Zone) bool {
+			err = writeWireguardConfig(m, z, ring)
+			return err != nil
+		})
+		return err
+	default:
+		return fs.ErrInvalid
+	}
+}
+
+// WriteWireguardConfig rewrites all wgN.conf on all machines
+// on the Zone attached to that ring
+func (z *Zone) WriteWireguardConfig(ring int) error {
+	switch ring {
+	case 0:
+		return writeWireguardConfig(z.zones, z.zones, ring)
+	case 1:
+		return writeWireguardConfig(z.zones, z, ring)
+	default:
+		return fs.ErrInvalid
+	}
+}
+
+func writeWireguardConfig(z ZoneIterator, m MachineIterator, ring int) error {
+	r, err := NewRing(z, m, ring)
+	if err != nil {
+		return err
+	}
+
+	r.ForEachMachine(func(p *Machine) bool {
+		err = p.writeWireguardRingConfig(r)
+		return err != nil
+	})
+
+	return err
+}
+
+// WriteWireguardConfig rewrites the wgN.conf file of this Machine
+// if enabled
+func (m *Machine) WriteWireguardConfig(ring int) error {
+	r, err := NewRing(m.zone.zones, m.zone, ring)
+	if err != nil {
+		return err
+	}
+
+	return m.writeWireguardRingConfig(r)
+}
+
+func (m *Machine) writeWireguardRingConfig(r *Ring) error {
+	wg, err := r.ExportConfig(m)
+	if err != nil {
+		return nil
+	}
+
+	f, err := m.CreateTruncFile("wg%v.conf", r.ID)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = wg.WriteTo(f)
+	return err
+}
+
+// A WireguardConfigSyncer updates all wgN.conf on all machines under
+// its scope reflecting the state of the ring
+type WireguardConfigSyncer interface {
+	SyncWireguardConfig(ring int) error
+}
+
+// SyncWireguardConfig updates all wgN.conf files for the specified
+// ring
+func (m *Zones) SyncWireguardConfig(ring int) error {
+	switch ring {
+	case 0:
+		return syncWireguardConfig(m, m, ring)
+	case 1:
+		var err error
+		m.ForEachZone(func(z *Zone) bool {
+			err = syncWireguardConfig(m, z, ring)
+			return err != nil
+		})
+		return err
+	default:
+		return fs.ErrInvalid
+	}
+}
+
+// SyncWireguardConfig updates all wgN.conf files for the specified
+// ring
+func (z *Zone) SyncWireguardConfig(ring int) error {
+	switch ring {
+	case 0:
+		return syncWireguardConfig(z.zones, z.zones, ring)
+	case 1:
+		return syncWireguardConfig(z.zones, z, ring)
+	default:
+		return fs.ErrInvalid
+	}
+}
+
+func syncWireguardConfig(z ZoneIterator, m MachineIterator, ring int) error {
+	r, err := NewRing(z, m, ring)
+	if err != nil {
+		return err
+	}
+
+	r.ForEachMachine(func(p *Machine) bool {
+		if _, ok := p.getRingInfo(ring); ok {
+			err = p.writeWireguardRingConfig(r)
+		} else {
+			err = p.RemoveWireguardConfig(ring)
+		}
+		return err != nil
+	})
+
+	return err
+}
+
+// A WireguardKeysWriter writes the Wireguard Keys for all machines
+// under its scope for the specified ring
+type WireguardKeysWriter interface {
+	WriteWireguardKeys(ring int) error
+}
+
+// WriteWireguardKeys rewrites all wgN.{key,pub} files
+func (m *Zones) WriteWireguardKeys(ring int) error {
+	return writeWireguardKeys(m, ring)
+}
+
+// WriteWireguardKeys rewrites all wgN.{key,pub} files on this zone
+func (z *Zone) WriteWireguardKeys(ring int) error {
+	return writeWireguardKeys(z, ring)
+}
+
+func writeWireguardKeys(m MachineIterator, ring int) error {
+	var err error
+
+	m.ForEachMachine(func(p *Machine) bool {
+		err = p.WriteWireguardKeys(ring)
+		if os.IsNotExist(err) {
+			// ignore
+			err = nil
+		}
+
+		return err != nil
+	})
+
+	return err
+}
+
+// WriteWireguardKeys writes the wgN.key/wgN.pub files
+func (m *Machine) WriteWireguardKeys(ring int) error {
+	var err error
+	var key, pub string
+	var ri *RingInfo
+
+	ri, _ = m.getRingInfo(ring)
+	if ri != nil {
+		key = ri.Keys.PrivateKey.String()
+		pub = ri.Keys.PublicKey.String()
+	}
+
+	switch {
+	case key == "":
+		return fs.ErrNotExist
+	case pub == "":
+		pub = ri.Keys.PrivateKey.Public().String()
+	}
+
+	err = m.WriteStringFile(key+"\n", "wg%v.key", ring)
+	if err != nil {
+		return err
+	}
+
+	err = m.WriteStringFile(pub+"\n", "wg%v.pub", ring)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/zones/zones.go

@@ -10,12 +10,28 @@ import (
 	"darvaza.org/resolver"
 )
 
+var (
+	_ MachineIterator = (*Zone)(nil)
+	_ MachineIterator = (*Zones)(nil)
+	_ ZoneIterator    = (*Zones)(nil)
+)
+
+// A MachineIterator is a set of Machines we can iterate on
+type MachineIterator interface {
+	ForEachMachine(func(*Machine) bool)
+}
+
+// A ZoneIterator is a set of Zones we can iterate on
+type ZoneIterator interface {
+	ForEachZone(func(*Zone) bool)
+}
+
 // Zone represents one zone in a cluster
 type Zone struct {
 	zones *Zones
 
-	ID   int
-	Name string
+	ID   int    `toml:"id"`
+	Name string `toml:"name"`
 
 	Machines []*Machine `toml:"machines"`
 }