fix: WG address change now queues pending restart + heals cell connections

Three issues fixed together:

1. WireGuard address changes now go through the pending-restart queue
   (shown in the UI banner) instead of restarting cell-wireguard immediately.
   Only private_key changes still restart immediately; address and port
   changes both defer to the user-initiated Apply flow.  Previously the
   address change was silently applied and never appeared in Settings →
   Pending Configuration.

2. When the WG address changes, the API spawns a background thread that
   pushes the updated invite to all connected cells (over LAN, before the
   WG tunnel is back up).  This lets remote cells automatically update
   their dns_ip, AllowedIPs, and CoreDNS forwarding rules without manual
   re-pairing.

3. accept_invite now handles the "already connected but changed" case:
   if the remote cell re-sends an invite with a different dns_ip, vpn_subnet
   or endpoint, we update the stored link, the WG AllowedIPs, and the
   CoreDNS forward rule in place — no delete/re-add required.  Previously
   the endpoint was ignored and returned the stale record unchanged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-02 08:29:18 -04:00
parent 0e16d6968a
commit 960a4ecc51
4 changed files with 128 additions and 4 deletions
+5 -3
@@ -426,9 +426,11 @@ class WireGuardManager(BaseServiceManager):
if changed:
with open(cf, 'w') as f:
f.writelines(lines)
# Port-only changes: docker binding must be updated first via pending restart.
# Non-port changes (address, private_key) can restart immediately.
if not port_only_change:
# private_key changes require an immediate restart (new key takes effect only
# after the WireGuard interface is recreated).
# address and port changes go through the pending-restart queue so the admin
# can review before the tunnel is bounced — callers must set _pending_restart.
if 'private_key' in config and config['private_key']:
self._restart_container('cell-wireguard')
restarted.append('cell-wireguard')
except Exception as e:
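Review bot: The new condition `if 'private_key' in config and config['private_key']:` tests whether a key was supplied, not whether it changed. A caller that submits the full config (unchanged key plus a new address) would still reach `self._restart_container('cell-wireguard')` and bypass the pending-restart queue this change is meant to enforce. Consider recording which fields were actually modified while building `lines` and restarting immediately only when the private key line itself differs. The comment "callers must set _pending_restart" also leaves the deferral as an unenforced contract: a caller that forgets it ends up with a rewritten config file, no restart, and no entry in the pending banner. Returning the set of changed fields from this method, or flagging the pending restart here, would make that omission harder to miss. If `port_only_change` has no remaining readers after this hunk, drop its computation as well.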