feat: embed wireguard-go as a library and manage tunnels directly

Replace external wireguard-go/wg binaries and the Windows WireGuard MSI
with wireguard-go embedded as a Go library. The helper now creates TUN
devices, configures peers via wgctrl, and manages routes through native
OS APIs (BSD routing sockets, netlink, winipcfg) instead of shelling
out. Migrate key handling from custom crypto wrappers to wgtypes.Key
with automatic legacy key migration. Add WireGuard public key validation
at enrollment time, an iputil package for CIDR parsing, and cross-
platform post-install smoke tests. Remove wireguard-go/wireguard-tools
from all package dependencies (Homebrew, nix, deb).

Author: sechmann

.github/workflows/controlplane.yaml

@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
         with:
           cache: false
       - run: mise run ${{ matrix.mise_task }}
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
 
       - name: "Build controlplane"
         run: |
@@ -87,22 +87,18 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # ratchet:docker/setup-buildx-action@v4.0.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # ratchet:docker/setup-buildx-action@v4
 
       - name: Login to registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # ratchet:docker/login-action@v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # ratchet:docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: "oauth2accesstoken"
           password: "${{ steps.auth.outputs.access_token }}"
 
-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(awk '/^go /{print $2}' go.mod)" >> "$GITHUB_OUTPUT"
-
       - name: Docker meta enroller
         id: metadata
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # ratchet:docker/metadata-action@v5
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # ratchet:docker/metadata-action@v6
         with:
           images: ${{ env.REGISTRY }}/naisdevice-enroller
           # Docker tags based on the following events/attributes
@@ -116,7 +112,7 @@ jobs:
             type=sha
 
       - name: Build and push enroller
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # ratchet:docker/build-push-action@v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # ratchet:docker/build-push-action@v7
         env:
           cache_ref: ${{ env.REGISTRY }}/naisdevice-enroller:main
         with:
@@ -125,8 +121,6 @@ jobs:
           push: true
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
-          build-args: |
-            GO_VERSION=${{ steps.go-version.outputs.version }}
           cache-from: type=registry,ref=${{ env.cache_ref }}
           cache-to: type=registry,ref=${{ env.cache_ref }},mode=max
 
@@ -152,22 +146,18 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # ratchet:docker/setup-buildx-action@v4.0.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # ratchet:docker/setup-buildx-action@v4
 
       - name: Login to registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # ratchet:docker/login-action@v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # ratchet:docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: "oauth2accesstoken"
           password: "${{ steps.auth.outputs.access_token }}"
 
-      - name: Get Go version from go.mod
-        id: go-version
-        run: echo "version=$(awk '/^go /{print $2}' go.mod)" >> "$GITHUB_OUTPUT"
-
       - name: Docker meta auth-server
         id: metadata
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # ratchet:docker/metadata-action@v5
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # ratchet:docker/metadata-action@v6
         with:
           images: ${{ env.REGISTRY }}/naisdevice-auth-server
           # Docker tags based on the following events/attributes
@@ -181,7 +171,7 @@ jobs:
             type=sha
 
       - name: Build and push auth-server
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # ratchet:docker/build-push-action@v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # ratchet:docker/build-push-action@v7
         env:
           cache_ref: ${{ env.REGISTRY }}/naisdevice-auth-server:main
         with:
@@ -190,7 +180,5 @@ jobs:
           push: true
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
-          build-args: |
-            GO_VERSION=${{ steps.go-version.outputs.version }}
           cache-from: type=registry,ref=${{ env.cache_ref }}
           cache-to: type=gha,ref=${{ env.cache_ref }},mode=max

.github/workflows/naisdevice.yaml

@@ -2,7 +2,7 @@ name: Naisdevice
 
 on:
   pull_request:
-    types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize, labeled]
   push:
     branches: [main]
     paths:
@@ -30,8 +30,9 @@ on:
       - "pkg/pb/**"
 
 env:
+  PRE_RELEASE: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'pre-release') && 'true' || 'false' }}
   # some mise tasks use this to determine how they package/sign stuff.
-  RELEASE: ${{ (github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]') && 'true' || 'false' }}
+  RELEASE: ${{ ((github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]') || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'pre-release'))) && 'true' || 'false' }}
 
 concurrency:
   group: ${{ github.ref }}
@@ -50,14 +51,18 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
         with:
           fetch-depth: 0
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
       - id: generate
         run: mise run ci:release-info
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PRE_RELEASE: ${{ env.PRE_RELEASE }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
     outputs:
       version: ${{ steps.generate.outputs.version }}
       changelog: ${{ steps.generate.outputs.changelog }}
+      pre_release: ${{ env.PRE_RELEASE }}
 
   checks:
     strategy:
@@ -76,7 +81,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
       - run: mise run ${{ matrix.mise_task }}
 
   builds:
@@ -109,7 +114,7 @@ jobs:
       OUTFILE: ./release_artifacts/naisdevice${{ matrix.gotags == 'tenant' && '-tenant' || '' }}_${{ matrix.platform.os }}_${{ matrix.arch }}.${{ matrix.platform.ext }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
       - if: matrix.platform.os == 'windows'
         run: sudo apt-get update && sudo apt-get install --yes nsis osslsigncode
       - if: matrix.platform.os == 'macos'
@@ -129,34 +134,83 @@ jobs:
         run: |
           mkdir -p "$(dirname $OUTFILE)"
           mise run "package:${{ matrix.platform.os }}"
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # ratchet:actions/upload-artifact@v5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # ratchet:actions/upload-artifact@v7
         with:
           name: installer-${{ matrix.platform.os }}-${{ matrix.arch }}-${{ matrix.gotags || 'nav' }}
           path: ${{ env.OUTFILE }}
 
+  smoke-tests:
+    name: smoke test ${{ matrix.artifact }}
+    needs: [builds]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos
+            runner: macos-latest
+            artifact: installer-macos-arm64-nav
+            installer_glob: "*.pkg"
+          - os: macos
+            runner: macos-latest
+            artifact: installer-macos-arm64-tenant
+            installer_glob: "*.pkg"
+          - os: linux
+            runner: ubuntu-latest
+            artifact: installer-linux-amd64-nav
+            installer_glob: "*.deb"
+          - os: linux
+            runner: ubuntu-latest
+            artifact: installer-linux-amd64-tenant
+            installer_glob: "*.deb"
+          - os: windows
+            runner: windows-latest
+            artifact: installer-windows-amd64-nav
+            installer_glob: "*.exe"
+          - os: windows
+            runner: windows-latest
+            artifact: installer-windows-amd64-tenant
+            installer_glob: "*.exe"
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
+        with:
+          name: ${{ matrix.artifact }}
+          path: ./downloaded-artifact/
+      - name: run smoke test
+        shell: bash
+        run: mise run smoke-test:${{ matrix.os }} ./downloaded-artifact/${{ matrix.installer_glob }}
+
   # Used by GitHub to determine if all checks/builds have passed
   branch-protection-checkpoint:
-    needs: [checks, builds]
+    needs: [checks, builds, smoke-tests]
     if: ${{ always() }}
     runs-on: ubuntu-latest
     steps:
-      - if: ${{ needs.checks.result != 'success' || needs.builds.result != 'success' }}
+      - if: ${{ needs.checks.result != 'success' || needs.builds.result != 'success' || needs.smoke-tests.result != 'success' }}
         run: exit 1
-      - run: echo "All checks and builds passed."
+      - run: echo "All checks, builds, and smoke tests passed."
 
   release-github:
-    if: github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]' && needs.release-info.outputs.changelog != '' && needs.release-info.outputs.version != ''
+    if: >-
+      needs.release-info.outputs.changelog != '' && needs.release-info.outputs.version != '' &&
+      (
+        (github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]') ||
+        needs.release-info.outputs.pre_release == 'true'
+      )
     needs: [release-info, branch-protection-checkpoint]
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    env:
+      RELEASE_TARGET_COMMIT: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
         with:
-          fetch-depth: 0
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
-      - run: git tag ${{ needs.release-info.outputs.version }}
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # ratchet:actions/download-artifact@v6
+          ref: ${{ env.RELEASE_TARGET_COMMIT }}
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
         with:
           merge-multiple: true
           path: release_artifacts
@@ -165,15 +219,18 @@ jobs:
         id: release
         with:
           tag_name: ${{ needs.release-info.outputs.version }}
+          target_commitish: ${{ env.RELEASE_TARGET_COMMIT }}
           body: ${{ needs.release-info.outputs.changelog }}
-          prerelease: false
+          prerelease: ${{ needs.release-info.outputs.pre_release == 'true' }}
           files: ./release_artifacts/*
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - env:
+      - if: needs.release-info.outputs.pre_release != 'true'
+        env:
           VERSION: ${{ needs.release-info.outputs.version }}
         run: mise run ci:prepare-template-vars ./release_artifacts/checksums.txt -v > template.vars
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # ratchet:actions/upload-artifact@v5
+      - if: needs.release-info.outputs.pre_release != 'true'
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # ratchet:actions/upload-artifact@v7
         with:
           name: template-vars
           path: ./template.vars
@@ -182,12 +239,13 @@ jobs:
           echo "A new release is available over at https://github.com/${{ github.repository }}/releases/tag/${{ needs.release-info.outputs.version }}." >> $GITHUB_STEP_SUMMARY
 
   release-gar:
+    if: needs.release-info.outputs.pre_release != 'true'
     strategy:
       fail-fast: false
       matrix:
         arch: [arm64, amd64]
         suffix: [nav, tenant]
-    needs: [release-github]
+    needs: [release-info, release-github]
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -201,15 +259,16 @@ jobs:
           service_account: gh-naisdevice@nais-io.iam.gserviceaccount.com
           token_format: access_token
       - uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # ratchet:google-github-actions/setup-gcloud@v3
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # ratchet:actions/download-artifact@v6
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
         with:
           name: installer-linux-${{ matrix.arch }}-${{ matrix.suffix }}
           path: ./downloaded-artifact/
       - run: |
           gcloud artifacts apt upload nais-ppa --project nais-io --quiet --location europe-north1 --source ./downloaded-artifact/*
 
   release-external-repos:
-    needs: [release-github]
+    if: needs.release-info.outputs.pre_release != 'true'
+    needs: [release-info, release-github]
     strategy:
       fail-fast: false
       matrix:
@@ -234,8 +293,8 @@ jobs:
           private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }}
           app-id: ${{ secrets.NAIS_APP_ID }}
           repo: ${{ matrix.target.repo }}
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # ratchet:actions/download-artifact@v6
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
         with:
           name: template-vars
       - name: update ${{ matrix.target.repo }}

.github/workflows/templates/naisdevice-tenant.rb

@@ -5,11 +5,6 @@
   desc "naisdevice is a mechanism enabling developers to connect to internal resources in a secure and friendly manner."
   homepage "https://docs.nais.io/operate/naisdevice/how-to/install/"
 
-  depends_on formula: [
-    "wireguard-go",
-    "wireguard-tools",
-  ]
-
   if Hardware::CPU.intel?
     url "https://github.com/nais/device/releases/download/#{version}/$NAISDEVICE_TENANT_MACOS_AMD64_FILENAME", verified: "github.com/nais/device/"
     sha256 "$NAISDEVICE_TENANT_MACOS_AMD64_HASH_BASE16"

.github/workflows/templates/naisdevice.rb

@@ -5,11 +5,6 @@
   desc "naisdevice is a mechanism enabling developers to connect to internal resources in a secure and friendly manner."
   homepage "https://docs.nais.io/operate/naisdevice/how-to/install/"
 
-  depends_on formula: [
-    "wireguard-go",
-    "wireguard-tools",
-  ]
-
   if Hardware::CPU.intel?
     url "https://github.com/nais/device/releases/download/#{version}/$NAISDEVICE_MACOS_AMD64_FILENAME", verified: "github.com/nais/device/"
     sha256 "$NAISDEVICE_MACOS_AMD64_HASH_BASE16"

.gitignore

@@ -5,8 +5,6 @@ bin
 .DS_Store
 *.pkg
 *.app
-wireguard-go-*
-wireguard-tools-*
 cmd/device-agent/main_windows.syso
 cmd/helper/main_windows.syso
 packaging/windows/obj

AGENTS.md

@@ -0,0 +1,32 @@
+# Project instructions for AI coding agents
+
+## Commands
+
+### After all changes are made, run
+
+- `mise run test`
+- `mise run check`
+- `go fix [changed_files]...`
+
+## Tech stack
+
+- go (look at go.mod for version)
+- gRPC
+- protobuf
+- wireguard
+- sqlite
+
+## Code style
+
+- Write obvious code instead of clever code.
+- Favor self-explanatory code over code comments.
+- If you really have to add a comment, make sure it's short and concise.
+- Wrap errors with context: `fmt.Errorf("short description: %w", err)`.
+- Use `testify/require` and `testify/assert` for tests. Prefer table-driven tests.
+- Platform-specific code goes in files with build-tag suffixes (`_darwin.go`, `_linux.go`, `_windows.go`).
+
+## Git
+
+- Use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) for all commit messages.
+- Never commit unless explicitly told to.
+- Never push unless explicitly told to.

assets/linux/nfpm.yaml

@@ -13,7 +13,7 @@ license: "MIT"
 depends:
   - "jq"
   - "sed"
-  - "wireguard"
+  - "wireguard | wireguard-tools"
 scripts:
   postinstall: "./assets/linux/postinstall"
   postremove: "./assets/linux/postrm"