feat: embed wireguard-go as a library, removing client-side external binary dependencies

.github/workflows/controlplane.yaml

@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
         with:
           cache: false
       - run: mise run ${{ matrix.mise_task }}
@@ -44,7 +44,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
 
       - name: "Build controlplane"
         run: |
@@ -75,7 +75,6 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-
       - name: Get Go version from go.mod
         id: go-version
         run: echo "version=$(awk '/^go /{print $2}' go.mod)" >> "$GITHUB_OUTPUT"

.github/workflows/naisdevice.yaml

@@ -2,7 +2,7 @@ name: Naisdevice
 
 on:
   pull_request:
-    types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize, labeled]
   push:
     branches: [main]
     paths:
@@ -30,8 +30,9 @@ on:
       - "pkg/pb/**"
 
 env:
+  PRE_RELEASE: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'pre-release') && 'true' || 'false' }}
   # some mise tasks use this to determine how they package/sign stuff.
-  RELEASE: ${{ (github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]') && 'true' || 'false' }}
+  RELEASE: ${{ ((github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]') || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'pre-release'))) && 'true' || 'false' }}
 
 concurrency:
   group: ${{ github.ref }}
@@ -50,14 +51,18 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
         with:
           fetch-depth: 0
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
       - id: generate
         run: mise run ci:release-info
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PRE_RELEASE: ${{ env.PRE_RELEASE }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
     outputs:
       version: ${{ steps.generate.outputs.version }}
       changelog: ${{ steps.generate.outputs.changelog }}
+      pre_release: ${{ env.PRE_RELEASE }}
 
   checks:
     strategy:
@@ -76,7 +81,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
       - run: mise run ${{ matrix.mise_task }}
 
   builds:
@@ -109,7 +114,7 @@ jobs:
       OUTFILE: ./release_artifacts/naisdevice${{ matrix.gotags == 'tenant' && '-tenant' || '' }}_${{ matrix.platform.os }}_${{ matrix.arch }}.${{ matrix.platform.ext }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
       - if: matrix.platform.os == 'windows'
         run: sudo apt-get update && sudo apt-get install --yes nsis osslsigncode
       - if: matrix.platform.os == 'macos'
@@ -129,34 +134,83 @@ jobs:
         run: |
           mkdir -p "$(dirname $OUTFILE)"
           mise run "package:${{ matrix.platform.os }}"
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v5
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # ratchet:actions/upload-artifact@v7
         with:
           name: installer-${{ matrix.platform.os }}-${{ matrix.arch }}-${{ matrix.gotags || 'nav' }}
           path: ${{ env.OUTFILE }}
 
+  smoke-tests:
+    name: smoke test ${{ matrix.artifact }}
+    needs: [builds]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos
+            runner: macos-latest
+            artifact: installer-macos-arm64-nav
+            installer_glob: "*.pkg"
+          - os: macos
+            runner: macos-latest
+            artifact: installer-macos-arm64-tenant
+            installer_glob: "*.pkg"
+          - os: linux
+            runner: ubuntu-latest
+            artifact: installer-linux-amd64-nav
+            installer_glob: "*.deb"
+          - os: linux
+            runner: ubuntu-latest
+            artifact: installer-linux-amd64-tenant
+            installer_glob: "*.deb"
+          - os: windows
+            runner: windows-latest
+            artifact: installer-windows-amd64-nav
+            installer_glob: "*.exe"
+          - os: windows
+            runner: windows-latest
+            artifact: installer-windows-amd64-tenant
+            installer_glob: "*.exe"
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
+        with:
+          name: ${{ matrix.artifact }}
+          path: ./downloaded-artifact/
+      - name: run smoke test
+        shell: bash
+        run: mise run smoke-test:${{ matrix.os }} ./downloaded-artifact/${{ matrix.installer_glob }}
+
   # Used by GitHub to determine if all checks/builds have passed
   branch-protection-checkpoint:
-    needs: [checks, builds]
+    needs: [checks, builds, smoke-tests]
     if: ${{ always() }}
     runs-on: ubuntu-latest
     steps:
-      - if: ${{ needs.checks.result != 'success' || needs.builds.result != 'success' }}
+      - if: ${{ needs.checks.result != 'success' || needs.builds.result != 'success' || needs.smoke-tests.result != 'success' }}
         run: exit 1
-      - run: echo "All checks and builds passed."
+      - run: echo "All checks, builds, and smoke tests passed."
 
   release-github:
-    if: github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]' && needs.release-info.outputs.changelog != '' && needs.release-info.outputs.version != ''
+    if: >-
+      needs.release-info.outputs.changelog != '' && needs.release-info.outputs.version != '' &&
+      (
+        (github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]') ||
+        needs.release-info.outputs.pre_release == 'true'
+      )
     needs: [release-info, branch-protection-checkpoint]
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    env:
+      RELEASE_TARGET_COMMIT: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
         with:
-          fetch-depth: 0
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
-      - run: git tag ${{ needs.release-info.outputs.version }}
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # ratchet:actions/download-artifact@v6
+          ref: ${{ env.RELEASE_TARGET_COMMIT }}
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
         with:
           merge-multiple: true
           path: release_artifacts
@@ -165,15 +219,18 @@ jobs:
         id: release
         with:
           tag_name: ${{ needs.release-info.outputs.version }}
+          target_commitish: ${{ env.RELEASE_TARGET_COMMIT }}
           body: ${{ needs.release-info.outputs.changelog }}
-          prerelease: false
+          prerelease: ${{ needs.release-info.outputs.pre_release == 'true' }}
           files: ./release_artifacts/*
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - env:
+      - if: needs.release-info.outputs.pre_release != 'true'
+        env:
           VERSION: ${{ needs.release-info.outputs.version }}
         run: mise run ci:prepare-template-vars ./release_artifacts/checksums.txt -v > template.vars
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v5
+      - if: needs.release-info.outputs.pre_release != 'true'
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # ratchet:actions/upload-artifact@v7
         with:
           name: template-vars
           path: ./template.vars
@@ -182,12 +239,13 @@ jobs:
           echo "A new release is available over at https://github.com/${{ github.repository }}/releases/tag/${{ needs.release-info.outputs.version }}." >> $GITHUB_STEP_SUMMARY
 
   release-gar:
+    if: needs.release-info.outputs.pre_release != 'true'
     strategy:
       fail-fast: false
       matrix:
         arch: [arm64, amd64]
         suffix: [nav, tenant]
-    needs: [release-github]
+    needs: [release-info, release-github]
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -201,15 +259,16 @@ jobs:
           service_account: gh-naisdevice@nais-io.iam.gserviceaccount.com
           token_format: access_token
       - uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # ratchet:google-github-actions/setup-gcloud@v3
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # ratchet:actions/download-artifact@v6
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
         with:
           name: installer-linux-${{ matrix.arch }}-${{ matrix.suffix }}
           path: ./downloaded-artifact/
       - run: |
           gcloud artifacts apt upload nais-ppa --project nais-io --quiet --location europe-north1 --source ./downloaded-artifact/*
 
   release-external-repos:
-    needs: [release-github]
+    if: needs.release-info.outputs.pre_release != 'true'
+    needs: [release-info, release-github]
     strategy:
       fail-fast: false
       matrix:
@@ -234,8 +293,8 @@ jobs:
           private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }}
           app-id: ${{ secrets.NAIS_APP_ID }}
           repo: ${{ matrix.target.repo }}
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v3
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # ratchet:actions/download-artifact@v6
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # ratchet:jdx/mise-action@v4
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
         with:
           name: template-vars
       - name: update ${{ matrix.target.repo }}

.github/workflows/templates/naisdevice-tenant.rb

@@ -5,11 +5,6 @@
   desc "naisdevice is a mechanism enabling developers to connect to internal resources in a secure and friendly manner."
   homepage "https://docs.nais.io/operate/naisdevice/how-to/install/"
 
-  depends_on formula: [
-    "wireguard-go",
-    "wireguard-tools",
-  ]
-
   if Hardware::CPU.intel?
     url "https://github.com/nais/device/releases/download/#{version}/$NAISDEVICE_TENANT_MACOS_AMD64_FILENAME", verified: "github.com/nais/device/"
     sha256 "$NAISDEVICE_TENANT_MACOS_AMD64_HASH_BASE16"

.github/workflows/templates/naisdevice.rb

@@ -5,11 +5,6 @@
   desc "naisdevice is a mechanism enabling developers to connect to internal resources in a secure and friendly manner."
   homepage "https://docs.nais.io/operate/naisdevice/how-to/install/"
 
-  depends_on formula: [
-    "wireguard-go",
-    "wireguard-tools",
-  ]
-
   if Hardware::CPU.intel?
     url "https://github.com/nais/device/releases/download/#{version}/$NAISDEVICE_MACOS_AMD64_FILENAME", verified: "github.com/nais/device/"
     sha256 "$NAISDEVICE_MACOS_AMD64_HASH_BASE16"

.gitignore

@@ -5,8 +5,6 @@ bin
 .DS_Store
 *.pkg
 *.app
-wireguard-go-*
-wireguard-tools-*
 cmd/device-agent/main_windows.syso
 cmd/helper/main_windows.syso
 packaging/windows/obj

AGENTS.md

@@ -0,0 +1,32 @@
+# Project instructions for AI coding agents
+
+## Commands
+
+### After all changes are made, run
+
+- `mise run test`
+- `mise run check`
+- `go fix [changed_files]...`
+
+## Tech stack
+
+- go (look at go.mod for version)
+- gRPC
+- protobuf
+- wireguard
+- sqlite
+
+## Code style
+
+- Write obvious code instead of clever code.
+- Favor self-explanatory code over code comments.
+- If you really have to add a comment, make sure it's short and concise.
+- Wrap errors with context: `fmt.Errorf("short description: %w", err)`.
+- Use `testify/require` and `testify/assert` for tests. Prefer table-driven tests.
+- Platform-specific code goes in files with build-tag suffixes (`_darwin.go`, `_linux.go`, `_windows.go`).
+
+## Git
+
+- Use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) for all commit messages.
+- Never commit unless explicitly told to.
+- Never push unless explicitly told to.

assets/linux/nfpm.yaml

@@ -13,7 +13,7 @@ license: "MIT"
 depends:
   - "jq"
   - "sed"
-  - "wireguard"
+  - "wireguard | wireguard-tools"
 scripts:
   postinstall: "./assets/linux/postinstall"
   postremove: "./assets/linux/postrm"

assets/linux/postinstall

@@ -28,7 +28,14 @@ make_user_dirs() {
 		user_accounts=$(loginctl list-users --output json | jq '[.[] | select(.uid >= 1000)]')
 	fi
 
-	if echo "$user_accounts" | jq -e 'length != 1' >/dev/null; then
+	num_accounts=$(echo "$user_accounts" | jq 'length')
+
+	if [ "$num_accounts" -eq 0 ]; then
+		echo "No logged-in user accounts found, skipping user directory setup"
+		return 0
+	fi
+
+	if [ "$num_accounts" -gt 1 ]; then
 		printf "\nMore than 1 user account logged in! naisdevice only permits _one_ user account!\n"
 		exit 1
 	fi
@@ -44,7 +51,9 @@ make_user_dirs() {
 		chmod 700 "$directory"
 	done
 
-	cp /sys/devices/virtual/dmi/id/product_serial "${config_dir}"
+	if [ -f /sys/devices/virtual/dmi/id/product_serial ]; then
+		cp /sys/devices/virtual/dmi/id/product_serial "${config_dir}"
+	fi
 
 	chown -R "${user}:" "${config_dir}"
 }

assets/macos/postinstall

@@ -5,14 +5,17 @@ daemon_name="io.nais.device.helper"
 destination="/Library/LaunchDaemons/${daemon_name}.plist"
 launchctl list | grep -q "$daemon_name" && launchctl unload "$destination"
 
-config_dir="/Users/${user}/Library/Application Support/naisdevice"
-log_dir="${config_dir}/logs"
+if [ -n "$user" ]; then
+    config_dir="/Users/${user}/Library/Application Support/naisdevice"
+    log_dir="${config_dir}/logs"
 
-mkdir -p -m 0700 "${config_dir}"
-mkdir -p -m 0700 "${log_dir}"
-
-chown -R "${user}:staff" "${config_dir}"
+    mkdir -p -m 0700 "${config_dir}"
+    mkdir -p -m 0700 "${log_dir}"
 
+    chown -R "${user}:staff" "${config_dir}"
+else
+    echo "No console user detected, skipping user config directory setup"
+fi
 
 cat << EOF > "$destination"
 <?xml version="1.0" encoding="UTF-8"?>
@@ -49,4 +52,3 @@ launchctl load "$destination"
 echo "Installed service $daemon_name"
 
 killall -9 -m "naisdevice.*" || true
-killall -9 "wireguard-go" || true