pkg/cluster/cluster_scan.go

@@ -73,6 +73,10 @@ func (m *Cluster) scanMachines(opts *ScanOptions) error {
 		err = p.scan(opts)
 		return err != nil
 	})
+	m.ForEachMachine(func(p *Machine) bool {
+		err = p.scanWrapUp(opts)
+		return err != nil
+	})
 	return err
 }
 

pkg/cluster/machine_rings.go

@@ -118,21 +118,31 @@ func (m *Machine) tryApplyWireguardConfig(ring int) error {
 	}
 }
 
-func (m *Machine) applyWireguardConfig(ring int, wg *wireguard.Config) error {
+func (m *Machine) applyWireguardConfigNode(ring int, wg *wireguard.Config) error {
 	addr := wg.GetAddress()
-	zoneID, nodeID, ok := Rings[ring].Decode(addr)
-	if !ok {
-		return fmt.Errorf("%s: invalid address", addr)
-	}
+	if !core.IsZero(addr) {
+		zoneID, nodeID, ok := Rings[ring].Decode(addr)
+		if !ok {
+			return fmt.Errorf("%s: invalid address", addr)
+		}
 
-	if err := m.applyZoneNodeID(zoneID, nodeID); err != nil {
-		return core.Wrap(err, "%s: invalid address", addr)
+		if err := m.applyZoneNodeID(zoneID, nodeID); err != nil {
+			return core.Wrap(err, "%s: invalid address", addr)
+		}
 	}
 
 	if err := m.applyWireguardInterfaceConfig(ring, wg.Interface); err != nil {
 		return core.Wrap(err, "interface")
 	}
 
+	return nil
+}
+
+func (m *Machine) applyWireguardConfig(ring int, wg *wireguard.Config) error {
+	if err := m.applyWireguardConfigNode(ring, wg); err != nil {
+		return err
+	}
+
 	for _, peer := range wg.Peer {
 		err := m.applyWireguardPeerConfig(ring, peer)
 		switch {
@@ -230,6 +240,23 @@ func (m *Machine) applyZoneNodeID(zoneID, nodeID int) error {
 	return nil
 }
 
+func (m *Machine) setRingDefaults(ri *RingInfo) error {
+	if ri.Keys.PrivateKey.IsZero() {
+		m.info().
+			WithField("subsystem", "wireguard").
+			WithField("node", m.Name).
+			WithField("ring", ri.Ring).
+			Print("generating key pair")
+
+		kp, err := wireguard.NewKeyPair()
+		if err != nil {
+			return err
+		}
+		ri.Keys = kp
+	}
+	return nil
+}
+
 // RemoveWireguardConfig deletes wgN.conf from the machine's
 // config directory.
 func (m *Machine) RemoveWireguardConfig(ring int) error {

pkg/cluster/machine_scan.go

@@ -68,7 +68,8 @@ func (m *Machine) setID() error {
 	return nil
 }
 
-func (m *Machine) scan(opts *ScanOptions) error {
+// scan is called once we know about all zones and machine names
+func (m *Machine) scan(_ *ScanOptions) error {
 	for i := 0; i < RingsCount; i++ {
 		if err := m.tryApplyWireguardConfig(i); err != nil {
 			m.error(err).
@@ -80,6 +81,22 @@ func (m *Machine) scan(opts *ScanOptions) error {
 		}
 	}
 
+	return nil
+}
+
+// scanWrapUp is called once all machines have been scanned
+func (m *Machine) scanWrapUp(opts *ScanOptions) error {
+	for _, ri := range m.Rings {
+		if err := m.setRingDefaults(ri); err != nil {
+			m.error(err).
+				WithField("subsystem", "wireguard").
+				WithField("node", m.Name).
+				WithField("ring", ri.Ring).
+				Print()
+			return err
+		}
+	}
+
 	if !opts.DontResolvePublicAddresses {
 		return m.UpdatePublicAddresses()
 	}

pkg/cluster/rings.go

@@ -41,7 +41,7 @@ func (ri *RingInfo) Merge(alter *RingInfo) error {
 		// can't disable via Merge
 		return fmt.Errorf("invalid %s: %v → %v", "enabled", ri.Enabled, alter.Enabled)
 	case !canMergeKeyPairs(ri.Keys, alter.Keys):
-		// incompatible keypairs
+		// incompatible key pairs
 		return fmt.Errorf("invalid %s: %s ≠ %s", "keys", ri.Keys, alter.Keys)
 	}
 

pkg/wireguard/config.go

@@ -175,10 +175,12 @@ func (p interfaceConfig) Export() (InterfaceConfig, error) {
 		ListenPort: p.ListenPort,
 	}
 
-	out.PrivateKey, err = PrivateKeyFromBase64(p.PrivateKey)
-	if err != nil {
-		err = core.Wrap(err, "PrivateKey")
-		return InterfaceConfig{}, err
+	if p.PrivateKey != "" {
+		out.PrivateKey, err = PrivateKeyFromBase64(p.PrivateKey)
+		if err != nil {
+			err = core.Wrap(err, "PrivateKey")
+			return InterfaceConfig{}, err
+		}
 	}
 
 	return out, nil