From 6ed7d362848f9a69c939f5987b360ef2667e0c39 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 11 Aug 2025 11:40:39 -0400
Subject: [PATCH 01/40] chore: removed unused files

---
 .testcoverage.yml | 50 -----------------------------------------------
 1 file changed, 50 deletions(-)
 delete mode 100644 .testcoverage.yml

diff --git a/.testcoverage.yml b/.testcoverage.yml
deleted file mode 100644
index 015bdd9..0000000
--- a/.testcoverage.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-# (mandatory) 
-# Path to coverprofile file (output of `go test -coverprofile` command).
-#
-# For cases where there are many coverage profiles, such as when running 
-# unit tests and integration tests separately, you can combine all those
-# profiles into one. In this case, the profile should have a comma-separated list 
-# of profile files, e.g., 'cover_unit.out,cover_integration.out'.
-profile: cover.out
-
-# (optional; but recommended to set) 
-# When specified reported file paths will not contain local prefix in the output
-#local-prefix: "github.com/org/project"
-
-# Holds coverage thresholds percentages, values should be in range [0-100]
-threshold:
-  # (optional; default 0) 
-  # The minimum coverage that each file should have
-  #file: 70
-
-  # (optional; default 0) 
-  # The minimum coverage that each package should have
-  #package: 80
-
-  # (optional; default 0) 
-  # The minimum total coverage project should have
-  total: 85
-
-# Holds regexp rules which will override thresholds for matched files or packages 
-# using their paths.
-#
-# First rule from this list that matches file or package is going to apply 
-# new threshold to it. If project has multiple rules that match same path, 
-# override rules should be listed in order from specific to more general rules.
-#override:
-  # Increase coverage threshold to 100% for `foo` package 
-  # (default is 80, as configured above in this example)
-#- threshold: 100
-#    path: ^pkg/lib/foo$
-
-# Holds regexp rules which will exclude matched files or packages 
-# from coverage statistics
-exclude:
-  # Exclude files or packages matching their paths
-  paths:
-    - \.pb\.go$    # excludes all protobuf generated files
-    #    - ^pkg/bar     # exclude package `pkg/bar`
- 
-# NOTES:
-# - symbol `/` in all path regexps will be replaced by current OS file path separator
-#   to properly work on Windows

From 54eaa27475b35093c6bd6de05a85ba039ab68f74 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 11 Aug 2025 13:07:55 -0400
Subject: [PATCH 02/40] chore: simplified docs generation

---
 .github/workflows/deploy-docs.yml |  4 +-
 Makefile                          | 18 ++-----
 scripts/generate-docs.sh          | 87 +++++++++++++++++++++++++++++--
 scripts/install-docs-deps.sh      | 15 ------
 scripts/preview-docs.sh           |  4 --
 5 files changed, 88 insertions(+), 40 deletions(-)
 mode change 100644 => 100755 scripts/generate-docs.sh
 delete mode 100755 scripts/install-docs-deps.sh
 delete mode 100644 scripts/preview-docs.sh

diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 2cac7a9..b494d3c 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -30,10 +30,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Install docs dependencies
-        run: make install-docs-dependencies
       - name: Generate docs
-        run: make generate-docs
+        run: make docs
       - name: Setup Pages
         id: pages
         uses: actions/configure-pages@v5
diff --git a/Makefile b/Makefile
index bb825a7..fbbf363 100644
--- a/Makefile
+++ b/Makefile
@@ -1,13 +1,5 @@
 GOBIN ?= $$(go env GOPATH)/bin
 
-.PHONY: install-docs-dependencies
-install-docs-dependencies:
-	./scripts/install-docs-deps.sh
-
-.phony: install-dependencies
-install-dependencies: install-docs-dependencies
-	go mod tidy
-
 .PHONY: test
 test:
 	go test -v ./...
@@ -16,13 +8,13 @@ test:
 coverage:
 	./scripts/coverage.sh
 
-.PHONY: generate-docs
-generate-docs: install-docs-dependencies
-	bash ./scripts/generate-docs.sh
+.PHONY: docs
+docs:
+	./scripts/generate-docs.sh
 
 .PHONY: preview-docs
-preview-docs: install-docs-dependencies generate-docs
-	bash ./scripts/preview-docs.sh
+preview-docs: 
+	./scripts/generate-docs.sh -p
 
 .PHONY: build
 build: install-dependencies
diff --git a/scripts/generate-docs.sh b/scripts/generate-docs.sh
old mode 100644
new mode 100755
index c6b8d72..e588492
--- a/scripts/generate-docs.sh
+++ b/scripts/generate-docs.sh
@@ -1,8 +1,85 @@
+#!/bin/bash
+
+# set opts
+PREVIEW=false
+while getopts ":p" opt; do
+  case $opt in
+    p)
+      PREVIEW=true
+      ;;
+    \?)
+      echo "Invalid option: -$OPTARG" >&2
+      exit 1
+      ;;
+  esac
+done
+
+# set a variable to know this script path
+SCRIPT_PATH="$( cd "$(dirname "$0")" ; pwd -P )"
+ROOT="$(realpath $SCRIPT_PATH/..)"
+
+################################################################################
+## Build api-wrapper docs
+################################################################################
+which swag &> /dev/null
+if [ "$?" -ne "0" ]; then
+	set -e
+	echo "info: installing swag"
+    	go install github.com/swaggo/swag/cmd/swag@v1.16.6
+	set +e
+fi
+swag init \
+	-d $ROOT \
+	-g ./cmd/pve_api_wrapper/pve_api_wrapper.go \
+	--exclude ./ \
+	--parseInternal \
+	-o $ROOT/docs/api-wrapper \
+
+################################################################################
+## Build go-client docs and generate site
+################################################################################
+# Check if $TMPDIR is set
+if [ -z "$TMPDIR" ]; then
+    echo "warn: TMPDIR is not set, using /tmp"
+    TMPDIR="/tmp"
+fi
+
+# check if TMPDIR is exists
+if [ ! -d "$TMPDIR" ]; then
+    echo "error: TMPDIR '$TMPDIR' does not exist"
+    exit 1
+fi
+
 VENV="${TMPDIR}/venv/go-proxmox"
+mkdir -p $VENV
 
+python3 -m venv ${VENV}
 source "${VENV}/bin/activate"
-rm -rf ./docs/go-client/pkg
-mkdir -p ./docs/go-client/pkg/
-go run ./cmd/gomarkdoc/main.go
-swag init -g ./cmd/pve_api_wrapper/pve_api_wrapper.go --parseInternal -o ./docs/api-wrapper
-mkdocs build
+
+PIP_DEPS=" \
+	mkdocs-material \
+	pymdown-extensions \
+	markdown-callouts \
+	mkdocs-render-swagger-plugin \
+"
+
+# iterate over the list of dependencies
+for dep in $PIP_DEPS; do
+	pip3 show $dep &> /dev/null
+	if [ "$?" -ne "0" ]; then
+		echo "info: installing $dep"
+		pip3 install $dep
+	fi
+done
+
+rm -rf $ROOT/docs/go-client/pkg
+mkdir -p $ROOT/docs/go-client/pkg
+go run $ROOT/cmd/gomarkdoc/main.go
+mkdocs build -f $ROOT/mkdocs.yml
+
+################################################################################
+## Preview docs
+################################################################################
+if [ "$PREVIEW" == "true" ]; then
+	mkdocs serve -f $ROOT/mkdocs.yml
+fi
diff --git a/scripts/install-docs-deps.sh b/scripts/install-docs-deps.sh
deleted file mode 100755
index 5999003..0000000
--- a/scripts/install-docs-deps.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-VENV="${TMPDIR}/venv/go-proxmox"
-mkdir -p $VENV
-
-python3 -m venv ${VENV}
-source "${VENV}/bin/activate"
-
-pip3 install \
-    mkdocs \
-    mkdocs-material \
-    pymdown-extensions \
-    markdown-callouts \
-    mkdocs-render-swagger-plugin
-
-go install github.com/swaggo/swag/cmd/swag@latest
-
diff --git a/scripts/preview-docs.sh b/scripts/preview-docs.sh
deleted file mode 100644
index f85367b..0000000
--- a/scripts/preview-docs.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-VENV="${TMPDIR}/venv/go-proxmox"
-
-source "${VENV}/bin/activate"
-mkdocs serve

From cf5d068442f691bf3cd67530721ab4b0fc4853f0 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 11 Aug 2025 13:10:07 -0400
Subject: [PATCH 03/40] docs: renamed install script to install-paw

---
 docs/api-wrapper/index.md              | 6 +++---
 mkdocs.yml                             | 2 +-
 scripts/{install.sh => install-paw.sh} | 0
 3 files changed, 4 insertions(+), 4 deletions(-)
 rename scripts/{install.sh => install-paw.sh} (100%)

diff --git a/docs/api-wrapper/index.md b/docs/api-wrapper/index.md
index 4991483..e6ad466 100644
--- a/docs/api-wrapper/index.md
+++ b/docs/api-wrapper/index.md
@@ -10,10 +10,10 @@ The pve api wrapper is an http server ment to be installed on the proxmox host s
 
 ## Installation
 ### Latest release
-The installation script installs the `pve-api-wrapper` binary into `/usr/local/bin`.
+The installation script installs the latest `pve-api-wrapper` binary into `/usr/local/bin`.
 
 ```bash
-curl https://raw.githubusercontent.com/iolave/go-proxmox/refs/tags/latest/scripts/install.sh | bash
+curl https://raw.githubusercontent.com/iolave/go-proxmox/refs/tags/latest/scripts/install-paw.sh | bash
 ```
 
 _Inspect the installation script code [here]._
@@ -51,7 +51,7 @@ pve-api-wrapper [--version] [--pve-host PVE-HOST] [--pve-port PVE-PORT] [--host
 sudo pve-api-wrapper service install
 ```
 
-[here]: https://github.com/iolave/go-proxmox/blob/latest/scripts/install.sh
+[here]: https://github.com/iolave/go-proxmox/blob/latest/scripts/install-paw.sh
 [reference]: https://go-proxmox.iolave.com/api-wrapper/reference/
 <!--
     TODO: host the shell script within the docs https://github.com/squidfunk/mkdocs-material/discussions/3458
diff --git a/mkdocs.yml b/mkdocs.yml
index cf2be76..280cb97 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -3,7 +3,7 @@ site_url: https://go-proxmox.iolave.com/
 repo_url: https://github.com/iolave/go-proxmox
 repo_name: iolave/go-proxmox
 plugins:
-  - render_swagger
+  - render_swagger:
 markdown_extensions:
   - abbr
   - attr_list
diff --git a/scripts/install.sh b/scripts/install-paw.sh
similarity index 100%
rename from scripts/install.sh
rename to scripts/install-paw.sh

From 2db8bd1d0a028523b98e7fe004337d2a04fcc7dc Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 11 Aug 2025 13:45:43 -0400
Subject: [PATCH 04/40] chore: make build doesn't have any deps now

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index fbbf363..54a305c 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ preview-docs:
 	./scripts/generate-docs.sh -p
 
 .PHONY: build
-build: install-dependencies
+build: 
 	$(eval $@GOOS = linux)
 	$(eval $@GOARCH = amd64)
 	CGO_ENABLED=0 GOOS=$($@GOOS) GOARCH=$($@GOARCH) go build -ldflags="-extldflags=-static" -o "bin/pve-api-wrapper-$($@GOOS)-$($@GOARCH)" ./cmd/pve_api_wrapper/pve_api_wrapper.go

From ad1d9ad377604b3244ae30cd0218ea5374aefec4 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 11 Aug 2025 13:49:30 -0400
Subject: [PATCH 05/40] refactor: moved api wrapper code into it's own internal
 dir

---
 cmd/pve_api_wrapper/pve_api_wrapper.go                      | 2 +-
 internal/{ => api_wrapper}/api_def/lxc.go                   | 0
 internal/{ => api_wrapper}/models/cmd_execution.go          | 0
 internal/{ => api_wrapper}/models/models.go                 | 0
 internal/{ => api_wrapper}/pve_utils/host.go                | 0
 internal/{ => api_wrapper}/pve_utils/lxc.go                 | 0
 internal/{ => api_wrapper}/server/cli.go                    | 0
 internal/{ => api_wrapper}/server/server.go                 | 2 +-
 internal/{ => api_wrapper}/server/server_client.go          | 0
 internal/{ => api_wrapper}/server/server_custom_handlers.go | 4 ++--
 internal/{ => api_wrapper}/server/server_pve_handler.go     | 0
 internal/{ => api_wrapper}/server/systemd.service           | 0
 internal/{ => api_wrapper}/server/utils.go                  | 0
 pkg/pve/pve_lxc.go                                          | 4 ++--
 14 files changed, 6 insertions(+), 6 deletions(-)
 rename internal/{ => api_wrapper}/api_def/lxc.go (100%)
 rename internal/{ => api_wrapper}/models/cmd_execution.go (100%)
 rename internal/{ => api_wrapper}/models/models.go (100%)
 rename internal/{ => api_wrapper}/pve_utils/host.go (100%)
 rename internal/{ => api_wrapper}/pve_utils/lxc.go (100%)
 rename internal/{ => api_wrapper}/server/cli.go (100%)
 rename internal/{ => api_wrapper}/server/server.go (94%)
 rename internal/{ => api_wrapper}/server/server_client.go (100%)
 rename internal/{ => api_wrapper}/server/server_custom_handlers.go (98%)
 rename internal/{ => api_wrapper}/server/server_pve_handler.go (100%)
 rename internal/{ => api_wrapper}/server/systemd.service (100%)
 rename internal/{ => api_wrapper}/server/utils.go (100%)

diff --git a/cmd/pve_api_wrapper/pve_api_wrapper.go b/cmd/pve_api_wrapper/pve_api_wrapper.go
index 9a320f4..13a3d12 100644
--- a/cmd/pve_api_wrapper/pve_api_wrapper.go
+++ b/cmd/pve_api_wrapper/pve_api_wrapper.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/alexflint/go-arg"
 	_ "github.com/iolave/go-proxmox/docs/api-wrapper"
-	"github.com/iolave/go-proxmox/internal/server"
+	"github.com/iolave/go-proxmox/internal/api_wrapper/server"
 )
 
 // @title			Proxmox API Wrapper
diff --git a/internal/api_def/lxc.go b/internal/api_wrapper/api_def/lxc.go
similarity index 100%
rename from internal/api_def/lxc.go
rename to internal/api_wrapper/api_def/lxc.go
diff --git a/internal/models/cmd_execution.go b/internal/api_wrapper/models/cmd_execution.go
similarity index 100%
rename from internal/models/cmd_execution.go
rename to internal/api_wrapper/models/cmd_execution.go
diff --git a/internal/models/models.go b/internal/api_wrapper/models/models.go
similarity index 100%
rename from internal/models/models.go
rename to internal/api_wrapper/models/models.go
diff --git a/internal/pve_utils/host.go b/internal/api_wrapper/pve_utils/host.go
similarity index 100%
rename from internal/pve_utils/host.go
rename to internal/api_wrapper/pve_utils/host.go
diff --git a/internal/pve_utils/lxc.go b/internal/api_wrapper/pve_utils/lxc.go
similarity index 100%
rename from internal/pve_utils/lxc.go
rename to internal/api_wrapper/pve_utils/lxc.go
diff --git a/internal/server/cli.go b/internal/api_wrapper/server/cli.go
similarity index 100%
rename from internal/server/cli.go
rename to internal/api_wrapper/server/cli.go
diff --git a/internal/server/server.go b/internal/api_wrapper/server/server.go
similarity index 94%
rename from internal/server/server.go
rename to internal/api_wrapper/server/server.go
index 8eceede..6ee4b83 100644
--- a/internal/server/server.go
+++ b/internal/api_wrapper/server/server.go
@@ -6,7 +6,7 @@ import (
 	"log"
 	"net/http"
 
-	"github.com/iolave/go-proxmox/internal/models"
+	"github.com/iolave/go-proxmox/internal/api_wrapper/models"
 )
 
 type server struct {
diff --git a/internal/server/server_client.go b/internal/api_wrapper/server/server_client.go
similarity index 100%
rename from internal/server/server_client.go
rename to internal/api_wrapper/server/server_client.go
diff --git a/internal/server/server_custom_handlers.go b/internal/api_wrapper/server/server_custom_handlers.go
similarity index 98%
rename from internal/server/server_custom_handlers.go
rename to internal/api_wrapper/server/server_custom_handlers.go
index 6852db2..2c09c32 100644
--- a/internal/server/server_custom_handlers.go
+++ b/internal/api_wrapper/server/server_custom_handlers.go
@@ -8,8 +8,8 @@ import (
 	"net/http"
 	"strconv"
 
-	apidef "github.com/iolave/go-proxmox/internal/api_def"
-	"github.com/iolave/go-proxmox/internal/pve_utils"
+	apidef "github.com/iolave/go-proxmox/internal/api_wrapper/api_def"
+	"github.com/iolave/go-proxmox/internal/api_wrapper/pve_utils"
 	"github.com/iolave/go-proxmox/pkg/errors"
 )
 
diff --git a/internal/server/server_pve_handler.go b/internal/api_wrapper/server/server_pve_handler.go
similarity index 100%
rename from internal/server/server_pve_handler.go
rename to internal/api_wrapper/server/server_pve_handler.go
diff --git a/internal/server/systemd.service b/internal/api_wrapper/server/systemd.service
similarity index 100%
rename from internal/server/systemd.service
rename to internal/api_wrapper/server/systemd.service
diff --git a/internal/server/utils.go b/internal/api_wrapper/server/utils.go
similarity index 100%
rename from internal/server/utils.go
rename to internal/api_wrapper/server/utils.go
diff --git a/pkg/pve/pve_lxc.go b/pkg/pve/pve_lxc.go
index 13dc15c..2b6d4f3 100644
--- a/pkg/pve/pve_lxc.go
+++ b/pkg/pve/pve_lxc.go
@@ -7,8 +7,8 @@ import (
 	"path"
 	"strconv"
 
-	"github.com/iolave/go-proxmox/internal/api_def"
-	"github.com/iolave/go-proxmox/internal/models"
+	"github.com/iolave/go-proxmox/internal/api_wrapper/api_def"
+	"github.com/iolave/go-proxmox/internal/api_wrapper/models"
 	"github.com/iolave/go-proxmox/pkg/helpers"
 )
 

From 5847cc622cf0e9094c822f8d1e949fe7a1d83445 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 11 Aug 2025 18:17:20 -0400
Subject: [PATCH 06/40] refactor: added new core service and new http client

---
 CHANGELOG.md                |   8 ++
 go.mod                      |  13 ++-
 go.sum                      |  32 ++++--
 internal/api_client/http.go | 189 ++++++++++++++++++++++++++++++++++++
 pkg/pve/core/core.go        |  13 +++
 pkg/pve/core/version.go     |  31 ++++++
 pkg/pve/pve.go              |  56 ++++++-----
 pkg/pve/pve_creds.go        |  18 ++++
 pkg/pve/pve_version.go      |  20 ----
 pkg/pve/pve_version_test.go |  51 ----------
 10 files changed, 323 insertions(+), 108 deletions(-)
 create mode 100644 internal/api_client/http.go
 create mode 100644 pkg/pve/core/core.go
 create mode 100644 pkg/pve/core/version.go
 delete mode 100644 pkg/pve/pve_version.go
 delete mode 100644 pkg/pve/pve_version_test.go

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c05dfc..0707c76 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### PVE API client
+#### Added
+- Added a Core Service to the client:
+    - Implements `GET /api2/json/version` as `GetVersion`.
+
+#### Removed
+- Removed client `GetVersion` method.
+
 
 ## [v0.7.1]
 ### PVE API client
diff --git a/go.mod b/go.mod
index 5fc9b1a..09f5e57 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.22.2
 require (
 	github.com/alexflint/go-arg v1.5.1
 	github.com/ggicci/httpin v0.19.0
+	github.com/go-playground/validator/v10 v10.27.0
 	github.com/google/uuid v1.6.0
 	github.com/princjef/gomarkdoc v1.1.0
 	github.com/swaggo/swag v1.16.4
@@ -22,6 +23,7 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/fatih/color v1.11.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/ggicci/owl v0.8.2 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect
@@ -30,10 +32,13 @@ require (
 	github.com/go-openapi/jsonreference v0.19.6 // indirect
 	github.com/go-openapi/spec v0.20.4 // indirect
 	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.1.0 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -50,12 +55,12 @@ require (
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/x-cray/logrus-prefixed-formatter v0.5.2 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
-	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
 	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 // indirect
-	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/term v0.22.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/tools v0.23.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
index 6a7bd23..0165e0c 100644
--- a/go.sum
+++ b/go.sum
@@ -41,6 +41,8 @@ github.com/fatih/color v1.11.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGE
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
 github.com/ggicci/httpin v0.19.0 h1:p0B3SWLVgg770VirYiHB14M5wdRx3zR8mCTzM/TkTQ8=
 github.com/ggicci/httpin v0.19.0/go.mod h1:hzsQHcbqLabmGOycf7WNw6AAzcVbsMeoOp46bWAbIWc=
 github.com/ggicci/owl v0.8.2 h1:og+lhqpzSMPDdEB+NJfzoAJARP7qCG3f8uUC3xvGukA=
@@ -67,6 +69,14 @@ github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
 github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
+github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -94,6 +104,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
@@ -169,8 +181,8 @@ github.com/xanzy/ssh-agent v0.3.0 h1:wUMzuKtKilRgBAD1sUb8gOwwRr2FGoBVumcjoOACClI
 github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 h1:pVgRXcIictcr+lBQIFeiwuwtDIs4eL21OuM9nyAADmo=
 golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
@@ -178,10 +190,10 @@ golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k=
 golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -204,13 +216,13 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
-golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
 golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
diff --git a/internal/api_client/http.go b/internal/api_client/http.go
new file mode 100644
index 0000000..87aeee6
--- /dev/null
+++ b/internal/api_client/http.go
@@ -0,0 +1,189 @@
+package apiclient
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/ggicci/httpin"
+	"github.com/go-playground/validator/v10"
+)
+
+// HTTPClient is the http client used to send requests
+// to the proxmox api.
+type HTTPClient struct {
+	// httpc is the underlying http client used
+	// to send requests to the proxmox api.
+	httpc *http.Client
+
+	// CustomHeaders is a map of custom headers
+	// to be sent with each request, authorization
+	// should be added to this map.
+	CustomHeaders http.Header
+
+	// Proto is the protocol used to send requests
+	// to the proxmox api.
+	Proto string `validate:"required,oneof=http https"`
+
+	// Host is the host used to send requests
+	// to the proxmox api.
+	Host string `validate:"required"`
+
+	// Port is the port used to send requests
+	// to the proxmox api.
+	Port int `validate:"required"`
+}
+
+// NewHTTPClient returns a new HTTPClient.
+//
+// proto is the protocol used to send requests
+// and it's allowed values are http or https.
+//
+// It returns an error when the proto is not
+// supported or when the host or port is not
+// set/valid.
+func NewHTTPClient(
+	proto string,
+	host string,
+	port int,
+	insecureSkipVerify bool,
+) (*HTTPClient, error) {
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: insecureSkipVerify,
+		},
+	}
+	httpc := &http.Client{Transport: transport}
+
+	c := &HTTPClient{
+		httpc:         httpc,
+		CustomHeaders: http.Header{},
+		Proto:         proto,
+		Host:          host,
+		Port:          port,
+	}
+
+	validate := validator.New(
+		validator.WithRequiredStructEnabled(),
+	)
+	if err := validate.Struct(c); err != nil {
+		return nil, err
+	}
+
+	return c, nil
+}
+
+// PVERequest is the proxmox api request struct.
+type PVERequest struct {
+	// Method is the http method.
+	//
+	// eg: GET, POST, PUT, DELETE
+	Method string
+
+	// Path is the http path.
+	//
+	// eg: /api2/json/nodes/{node}
+	Path string
+
+	// Payload is the request payload.
+	//
+	// It uses the httpin [Struct Tags] feature
+	// to easily encode the form request.
+	//
+	// [Struct Tags]: https://github.com/ggicci/httpin/tree/62858140ae3d12b723a7ad8fa7bbf17c50a46d62?tab=readme-ov-file#add-httpin-directives-by-tagging-the-struct-fields-with-in
+	Payload any
+
+	// AdditionalPayload is an additional payload
+	// that will be added to the request form data.
+	AdditionalPayload map[string]string
+
+	// Result is a pointer to a variable that will
+	// be populated with the response. Passing nil
+	// will prevent the response from being stored.
+	Result any
+}
+
+// SendPVERequest sends a request to the proxmox api. It returns
+// an error when the request fails.
+func (c HTTPClient) SendPVERequest(pvereq PVERequest) error {
+	base := fmt.Sprintf("%s://%s:%d", c.Proto, c.Host, c.Port)
+	url, err := url.JoinPath(base, pvereq.Path)
+	if err != nil {
+		return err
+	}
+
+	if pvereq.Payload == nil {
+		pvereq.Payload = struct{}{}
+	}
+	req, err := httpin.NewRequest(
+		pvereq.Method,
+		url, pvereq.Payload,
+		httpin.Option.WithNestedDirectivesEnabled(true),
+	)
+	if err != nil {
+		return err
+	}
+
+	// Add the custom headers to the request
+	for k, v := range c.CustomHeaders {
+		req.Header[k] = v
+	}
+
+	// If the request has additional payload,
+	// a clone of the request is created in
+	// order to parse the form data and populate
+	// the additional payload. Then, a new reader
+	// is created from the populated form data
+	// and the original request body is set to it.
+	if pvereq.AdditionalPayload != nil {
+		ctx := req.Context()
+		reqClone := req.Clone(ctx)
+		err := reqClone.ParseForm()
+		if err != nil {
+			return err
+		}
+
+		for k, v := range pvereq.AdditionalPayload {
+			reqClone.Form.Add(k, v)
+		}
+
+		newBody := io.NopCloser(strings.NewReader(reqClone.Form.Encode()))
+		req.Body = newBody
+	}
+
+	// Send the request
+	res, err := c.httpc.Do(req)
+	if err != nil {
+		return err
+	}
+
+	b, err := io.ReadAll(res.Body)
+	if err != nil {
+		return err
+	}
+
+	if res.StatusCode != http.StatusOK {
+		return fmt.Errorf("%s", res.Status)
+	}
+
+	if pvereq.Result == nil {
+		return nil
+	}
+
+	pveres := struct {
+		Data any `json:"data"`
+	}{}
+	err = json.Unmarshal(b, &pveres)
+	if err != nil {
+		return err
+	}
+
+	b, _ = json.Marshal(pveres.Data)
+	json.Unmarshal(b, &pvereq.Result)
+
+	return nil
+}
diff --git a/pkg/pve/core/core.go b/pkg/pve/core/core.go
new file mode 100644
index 0000000..e0d6284
--- /dev/null
+++ b/pkg/pve/core/core.go
@@ -0,0 +1,13 @@
+package core
+
+import apiclient "github.com/iolave/go-proxmox/internal/api_client"
+
+type Service struct {
+	httpc *apiclient.HTTPClient
+}
+
+func New(httpclient *apiclient.HTTPClient) Service {
+	return Service{
+		httpc: httpclient,
+	}
+}
diff --git a/pkg/pve/core/version.go b/pkg/pve/core/version.go
new file mode 100644
index 0000000..dbbc20f
--- /dev/null
+++ b/pkg/pve/core/version.go
@@ -0,0 +1,31 @@
+package core
+
+import (
+	"net/http"
+
+	apiclient "github.com/iolave/go-proxmox/internal/api_client"
+)
+
+type GetVersionResponse struct {
+	// The current Proxmox VE point release in `x.y` format.
+	Release string `json:"release"`
+
+	// The short git revision from which this version was build.
+	RepoID string `json:"repoid"`
+
+	// The full pve-manager package version of this node.
+	Version string `json:"version"`
+}
+
+// GetVersion returns API version details, including some
+// parts of the global datacenter config.
+func (s Service) GetVersion() (GetVersionResponse, error) {
+	res := GetVersionResponse{}
+	err := s.httpc.SendPVERequest(apiclient.PVERequest{
+		Path:   "/api2/json/version",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/pve/pve.go b/pkg/pve/pve.go
index 7abceba..8ed8be7 100644
--- a/pkg/pve/pve.go
+++ b/pkg/pve/pve.go
@@ -3,7 +3,9 @@ package pve
 import (
 	"fmt"
 
+	apiclient "github.com/iolave/go-proxmox/internal/api_client"
 	"github.com/iolave/go-proxmox/pkg/cloudflare"
+	"github.com/iolave/go-proxmox/pkg/pve/core"
 )
 
 type Config struct {
@@ -15,6 +17,10 @@ type Config struct {
 }
 
 type PVE struct {
+	// httpc is the underlying http client used
+	// to send requests to the proxmox api.
+	httpc *apiclient.HTTPClient
+
 	config Config
 	creds  *Credentials
 	client *httpClient
@@ -24,41 +30,44 @@ type PVE struct {
 	Node    *PVENodeService
 	Cluster *PVEClusterService
 	LXC     *PVELxcService
+
+	// v1.0.0 API implementations
+	Core core.Service
 }
 
 func New(config Config) (*PVE, error) {
 	creds, err := NewEnvCreds()
-
 	if err != nil {
 		return nil, err
 	}
+	return NewWithCredentials(config, creds)
 
-	api := &PVE{
-		config: config,
-		creds:  creds,
-		client: newHttpClient(
-			creds,
-			config.CfServiceToken,
-			config.Host,
-			config.Port,
-			config.InsecureSkipVerify,
-			config.APIWrapper,
-		),
-	}
-
-	_, err = api.GetVersion()
+}
 
+func NewWithCredentials(config Config, creds *Credentials) (*PVE, error) {
+	httpc, err := apiclient.NewHTTPClient(
+		"https",
+		config.Host,
+		config.Port,
+		config.InsecureSkipVerify,
+	)
 	if err != nil {
-		return nil, fmt.Errorf("Unable to comunicate with proxmox api, %v\n", err)
+		return nil, err
 	}
 
-	initializeServices(api)
+	auth, err := creds.getAuthorization()
+	if err != nil {
+		return nil, err
+	}
+	httpc.CustomHeaders.Set("Authorization", auth)
 
-	return api, nil
-}
+	if config.CfServiceToken != nil {
+		httpc.CustomHeaders.Set("CF-Access-Client-Id", config.CfServiceToken.ClientId)
+		httpc.CustomHeaders.Set("CF-Access-Client-Secret", config.CfServiceToken.ClientSecret)
+	}
 
-func NewWithCredentials(config Config, creds *Credentials) (*PVE, error) {
 	api := &PVE{
+		httpc:  httpc,
 		config: config,
 		creds:  creds,
 		client: newHttpClient(
@@ -71,14 +80,15 @@ func NewWithCredentials(config Config, creds *Credentials) (*PVE, error) {
 		),
 	}
 
-	_, err := api.GetVersion()
+	initializeServices(api)
+
+	api.Core = core.New(api.httpc)
 
+	_, err = api.Core.GetVersion()
 	if err != nil {
 		return nil, fmt.Errorf("Unable to comunicate with proxmox api, %v\n", err)
 	}
 
-	initializeServices(api)
-
 	return api, nil
 }
 
diff --git a/pkg/pve/pve_creds.go b/pkg/pve/pve_creds.go
index 696c210..9304f6d 100644
--- a/pkg/pve/pve_creds.go
+++ b/pkg/pve/pve_creds.go
@@ -31,6 +31,24 @@ type Credentials struct {
 	token     string
 }
 
+// getAuthorization builds the authorization header based on the
+// credentials type.
+//
+// It returns an error if the credentials type is not supported.
+func (c Credentials) getAuthorization() (string, error) {
+	switch c.credType {
+	case CREDENTIALS_TOKEN:
+		auth := fmt.Sprintf("PVEAPIToken=%s!%s=%s",
+			c.username,
+			c.tokenName,
+			c.token,
+		)
+		return auth, nil
+	default:
+		return "", errors.New(CREDENTIALS_NOT_SUPPORTED_ERROR)
+	}
+}
+
 // Set adds the corresponding PVE authorization headers
 // to the req parameter.
 //
diff --git a/pkg/pve/pve_version.go b/pkg/pve/pve_version.go
deleted file mode 100644
index 9ed1938..0000000
--- a/pkg/pve/pve_version.go
+++ /dev/null
@@ -1,20 +0,0 @@
-package pve
-
-import "net/http"
-
-type GetVersionResponse struct {
-	Release string `json:"release"`
-	Version string `json:"version"`
-	RepoID  string `json:"repoid"`
-}
-
-// GetVersion retrieves proxmox version.
-func (api *PVE) GetVersion() (GetVersionResponse, error) {
-	path := "/version"
-	method := http.MethodGet
-
-	res := GetVersionResponse{}
-	err := api.client.sendReq(method, path, nil, &res)
-
-	return res, err
-}
diff --git a/pkg/pve/pve_version_test.go b/pkg/pve/pve_version_test.go
deleted file mode 100644
index de82630..0000000
--- a/pkg/pve/pve_version_test.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package pve
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/url"
-	"os"
-	"strconv"
-	"testing"
-)
-
-func buildGetVersionSuccessResponse() pveResponse[GetVersionResponse] {
-	return pveResponse[GetVersionResponse]{
-		Data: GetVersionResponse{
-			Release: "Release",
-			Version: "Version",
-			RepoID:  "RepoID",
-		},
-	}
-}
-
-func TestGetVersionSuccess(t *testing.T) {
-	apiRes := buildGetVersionSuccessResponse()
-
-	data, _ := json.Marshal(apiRes)
-	server := newProxmoxApiTestServer(data, http.StatusOK)
-	defer server.Close()
-	url, _ := url.Parse(server.URL)
-	host := url.Hostname()
-	port, _ := strconv.Atoi(url.Port())
-
-	os.Setenv("PROXMOX_USERNAME", "username")
-	os.Setenv("PROXMOX_TOKEN_NAME", "token_name")
-	os.Setenv("PROXMOX_TOKEN", "token")
-
-	api, err := New(Config{
-		Host:               host,
-		Port:               port,
-		InsecureSkipVerify: true,
-	})
-
-	if err != nil {
-		t.Logf("should create api, but error returned")
-	}
-
-	_, err = api.GetVersion()
-	if err != nil {
-		t.Logf("should not return an error")
-	}
-
-}

From fad8084dd9d68ec14b63247be683ed5d4c5c05bc Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 11 Aug 2025 18:22:15 -0400
Subject: [PATCH 07/40] refactor: renamed PVE struct to Client

---
 CHANGELOG.md                    |  3 +++
 pkg/pve/pve.go                  | 10 +++++-----
 pkg/pve/pve_access.go           |  4 ++--
 pkg/pve/pve_cluster.go          |  4 ++--
 pkg/pve/pve_cluster_firewall.go |  4 ++--
 pkg/pve/pve_lxc.go              |  4 ++--
 pkg/pve/pve_node.go             |  4 ++--
 pkg/pve/pve_node_apt.go         |  4 ++--
 pkg/pve/pve_node_firewall.go    |  4 ++--
 pkg/pve/pve_node_storage.go     |  4 ++--
 10 files changed, 24 insertions(+), 21 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0707c76..cee26b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added a Core Service to the client:
     - Implements `GET /api2/json/version` as `GetVersion`.
 
+#### Changed
+- Renamed `pve.PVE` to `pve.Client`.
+
 #### Removed
 - Removed client `GetVersion` method.
 
diff --git a/pkg/pve/pve.go b/pkg/pve/pve.go
index 8ed8be7..e9b48eb 100644
--- a/pkg/pve/pve.go
+++ b/pkg/pve/pve.go
@@ -16,7 +16,7 @@ type Config struct {
 	APIWrapper         bool
 }
 
-type PVE struct {
+type Client struct {
 	// httpc is the underlying http client used
 	// to send requests to the proxmox api.
 	httpc *apiclient.HTTPClient
@@ -35,7 +35,7 @@ type PVE struct {
 	Core core.Service
 }
 
-func New(config Config) (*PVE, error) {
+func New(config Config) (*Client, error) {
 	creds, err := NewEnvCreds()
 	if err != nil {
 		return nil, err
@@ -44,7 +44,7 @@ func New(config Config) (*PVE, error) {
 
 }
 
-func NewWithCredentials(config Config, creds *Credentials) (*PVE, error) {
+func NewWithCredentials(config Config, creds *Credentials) (*Client, error) {
 	httpc, err := apiclient.NewHTTPClient(
 		"https",
 		config.Host,
@@ -66,7 +66,7 @@ func NewWithCredentials(config Config, creds *Credentials) (*PVE, error) {
 		httpc.CustomHeaders.Set("CF-Access-Client-Secret", config.CfServiceToken.ClientSecret)
 	}
 
-	api := &PVE{
+	api := &Client{
 		httpc:  httpc,
 		config: config,
 		creds:  creds,
@@ -92,7 +92,7 @@ func NewWithCredentials(config Config, creds *Credentials) (*PVE, error) {
 	return api, nil
 }
 
-func initializeServices(api *PVE) {
+func initializeServices(api *Client) {
 	api.Access = newPVEAccessService(api)
 	api.Node = newPVENodeService(api)
 	api.Cluster = newPVEClusterService(api)
diff --git a/pkg/pve/pve_access.go b/pkg/pve/pve_access.go
index 6431805..a450f75 100644
--- a/pkg/pve/pve_access.go
+++ b/pkg/pve/pve_access.go
@@ -5,10 +5,10 @@ import (
 )
 
 type PVEAccessService struct {
-	api *PVE
+	api *Client
 }
 
-func newPVEAccessService(api *PVE) *PVEAccessService {
+func newPVEAccessService(api *Client) *PVEAccessService {
 	service := new(PVEAccessService)
 	service.api = api
 	return service
diff --git a/pkg/pve/pve_cluster.go b/pkg/pve/pve_cluster.go
index 12eb6ed..e2c5748 100644
--- a/pkg/pve/pve_cluster.go
+++ b/pkg/pve/pve_cluster.go
@@ -8,11 +8,11 @@ import (
 )
 
 type PVEClusterService struct {
-	api      *PVE
+	api      *Client
 	Firewall *PVEClusterFirewallService
 }
 
-func newPVEClusterService(api *PVE) *PVEClusterService {
+func newPVEClusterService(api *Client) *PVEClusterService {
 	service := new(PVEClusterService)
 	service.api = api
 	service.Firewall = newPVEClusterFirewallService(api)
diff --git a/pkg/pve/pve_cluster_firewall.go b/pkg/pve/pve_cluster_firewall.go
index d1019cd..df4ccd7 100644
--- a/pkg/pve/pve_cluster_firewall.go
+++ b/pkg/pve/pve_cluster_firewall.go
@@ -7,10 +7,10 @@ import (
 )
 
 type PVEClusterFirewallService struct {
-	api *PVE
+	api *Client
 }
 
-func newPVEClusterFirewallService(api *PVE) *PVEClusterFirewallService {
+func newPVEClusterFirewallService(api *Client) *PVEClusterFirewallService {
 	service := new(PVEClusterFirewallService)
 	service.api = api
 	return service
diff --git a/pkg/pve/pve_lxc.go b/pkg/pve/pve_lxc.go
index 2b6d4f3..6c34922 100644
--- a/pkg/pve/pve_lxc.go
+++ b/pkg/pve/pve_lxc.go
@@ -13,10 +13,10 @@ import (
 )
 
 type PVELxcService struct {
-	api *PVE
+	api *Client
 }
 
-func newPVELxcService(api *PVE) *PVELxcService {
+func newPVELxcService(api *Client) *PVELxcService {
 	service := new(PVELxcService)
 	service.api = api
 	return service
diff --git a/pkg/pve/pve_node.go b/pkg/pve/pve_node.go
index 763d60b..c456274 100644
--- a/pkg/pve/pve_node.go
+++ b/pkg/pve/pve_node.go
@@ -6,13 +6,13 @@ import (
 )
 
 type PVENodeService struct {
-	api      *PVE
+	api      *Client
 	APT      *PVENodeAPTService
 	Firewall *PVENodeFirewallService
 	Storage  *PVENodeStorageService
 }
 
-func newPVENodeService(api *PVE) *PVENodeService {
+func newPVENodeService(api *Client) *PVENodeService {
 	service := new(PVENodeService)
 	service.api = api
 	service.APT = newPVENodeAPTService(api)
diff --git a/pkg/pve/pve_node_apt.go b/pkg/pve/pve_node_apt.go
index 00b58ec..d5b626a 100644
--- a/pkg/pve/pve_node_apt.go
+++ b/pkg/pve/pve_node_apt.go
@@ -10,10 +10,10 @@ import (
 )
 
 type PVENodeAPTService struct {
-	api *PVE
+	api *Client
 }
 
-func newPVENodeAPTService(api *PVE) *PVENodeAPTService {
+func newPVENodeAPTService(api *Client) *PVENodeAPTService {
 	service := new(PVENodeAPTService)
 	service.api = api
 	return service
diff --git a/pkg/pve/pve_node_firewall.go b/pkg/pve/pve_node_firewall.go
index feb0e17..7a67df1 100644
--- a/pkg/pve/pve_node_firewall.go
+++ b/pkg/pve/pve_node_firewall.go
@@ -11,10 +11,10 @@ import (
 )
 
 type PVENodeFirewallService struct {
-	api *PVE
+	api *Client
 }
 
-func newPVENodeFirewallService(api *PVE) *PVENodeFirewallService {
+func newPVENodeFirewallService(api *Client) *PVENodeFirewallService {
 	service := new(PVENodeFirewallService)
 	service.api = api
 	return service
diff --git a/pkg/pve/pve_node_storage.go b/pkg/pve/pve_node_storage.go
index e910efa..4cc7ce1 100644
--- a/pkg/pve/pve_node_storage.go
+++ b/pkg/pve/pve_node_storage.go
@@ -7,10 +7,10 @@ import (
 )
 
 type PVENodeStorageService struct {
-	api *PVE
+	api *Client
 }
 
-func newPVENodeStorageService(api *PVE) *PVENodeStorageService {
+func newPVENodeStorageService(api *Client) *PVENodeStorageService {
 	service := new(PVENodeStorageService)
 	service.api = api
 	return service

From d93dbfea340eee2e7465ff44e5867485b051ed61 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Tue, 12 Aug 2025 17:55:44 -0400
Subject: [PATCH 08/40] refactor: new api implementation now uses
 github.com/iolave/go-errors package

---
 go.mod                       |  6 +++-
 go.sum                       |  4 +++
 internal/api_client/http.go  | 53 +++++++++++++++++++++++++++-----
 internal/str_utils/format.go | 59 ++++++++++++++++++++++++++++++++++++
 pkg/pve/core/version.go      |  4 +++
 5 files changed, 117 insertions(+), 9 deletions(-)
 create mode 100644 internal/str_utils/format.go

diff --git a/go.mod b/go.mod
index 09f5e57..d2dd852 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,8 @@
 module github.com/iolave/go-proxmox
 
-go 1.22.2
+go 1.24.4
+
+toolchain go1.24.6
 
 require (
 	github.com/alexflint/go-arg v1.5.1
@@ -35,6 +37,7 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/iolave/go-errors v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.1.0 // indirect
@@ -53,6 +56,7 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/theothertomelliott/acyclic v0.0.1 // indirect
 	github.com/x-cray/logrus-prefixed-formatter v0.5.2 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	golang.org/x/crypto v0.33.0 // indirect
diff --git a/go.sum b/go.sum
index 0165e0c..32d746e 100644
--- a/go.sum
+++ b/go.sum
@@ -86,6 +86,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/iolave/go-errors v1.0.0 h1:vf2qiJ7/pXlR6smI5pnTTXbvoaDru6SrBtkBYy+YGyY=
+github.com/iolave/go-errors v1.0.0/go.mod h1:USFxuTyz44cf93421UWhDtSzeqo8YlkQ2fjJwm7/5kU=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
@@ -175,6 +177,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/swaggo/swag v1.16.4 h1:clWJtd9LStiG3VeijiCfOVODP6VpHtKdQy9ELFG3s1A=
 github.com/swaggo/swag v1.16.4/go.mod h1:VBsHJRsDvfYvqoiMKnsdwhNV9LEMHgEDZcyVYX0sxPg=
+github.com/theothertomelliott/acyclic v0.0.1 h1:MZ6AEpKS9owkvyNg2RKyD91eG0PVTmOTdE8lYOckWqg=
+github.com/theothertomelliott/acyclic v0.0.1/go.mod h1:Lf1fgDzzzm31NWJNN1fjs0b0ozYFgalZM/lxm2AK+68=
 github.com/x-cray/logrus-prefixed-formatter v0.5.2 h1:00txxvfBM9muc0jiLIEAkAcIMJzfthRT6usrui8uGmg=
 github.com/x-cray/logrus-prefixed-formatter v0.5.2/go.mod h1:2duySbKsL6M18s5GU7VPsoEPHyzalCE06qoARUCeBBE=
 github.com/xanzy/ssh-agent v0.3.0 h1:wUMzuKtKilRgBAD1sUb8gOwwRr2FGoBVumcjoOACClI=
diff --git a/internal/api_client/http.go b/internal/api_client/http.go
index 87aeee6..ead534e 100644
--- a/internal/api_client/http.go
+++ b/internal/api_client/http.go
@@ -11,6 +11,8 @@ import (
 
 	"github.com/ggicci/httpin"
 	"github.com/go-playground/validator/v10"
+	errors "github.com/iolave/go-errors"
+	strutils "github.com/iolave/go-proxmox/internal/str_utils"
 )
 
 // HTTPClient is the http client used to send requests
@@ -46,6 +48,10 @@ type HTTPClient struct {
 // It returns an error when the proto is not
 // supported or when the host or port is not
 // set/valid.
+//
+// Any error returned is of type [errors].Error.
+//
+// [errors]: https://pkg.go.dev/github.com/iolave/go-errors
 func NewHTTPClient(
 	proto string,
 	host string,
@@ -71,7 +77,11 @@ func NewHTTPClient(
 		validator.WithRequiredStructEnabled(),
 	)
 	if err := validate.Struct(c); err != nil {
-		return nil, err
+		return nil, errors.NewWithNameAndErr(
+			"validation error",
+			"config contains invalid values",
+			err,
+		)
 	}
 
 	return c, nil
@@ -109,11 +119,18 @@ type PVERequest struct {
 
 // SendPVERequest sends a request to the proxmox api. It returns
 // an error when the request fails.
+//
+// Any error returned is of type [errors].*HTTPError.
+//
+// [errors]: https://pkg.go.dev/github.com/iolave/go-errors
 func (c HTTPClient) SendPVERequest(pvereq PVERequest) error {
 	base := fmt.Sprintf("%s://%s:%d", c.Proto, c.Host, c.Port)
 	url, err := url.JoinPath(base, pvereq.Path)
 	if err != nil {
-		return err
+		return errors.NewInternalServerError(
+			"failed to build request url",
+			err,
+		)
 	}
 
 	if pvereq.Payload == nil {
@@ -125,7 +142,10 @@ func (c HTTPClient) SendPVERequest(pvereq PVERequest) error {
 		httpin.Option.WithNestedDirectivesEnabled(true),
 	)
 	if err != nil {
-		return err
+		return errors.NewInternalServerError(
+			"failed to create request",
+			err,
+		)
 	}
 
 	// Add the custom headers to the request
@@ -144,7 +164,10 @@ func (c HTTPClient) SendPVERequest(pvereq PVERequest) error {
 		reqClone := req.Clone(ctx)
 		err := reqClone.ParseForm()
 		if err != nil {
-			return err
+			return errors.NewInternalServerError(
+				"failed to parse form data to add additional payload",
+				err,
+			)
 		}
 
 		for k, v := range pvereq.AdditionalPayload {
@@ -158,16 +181,27 @@ func (c HTTPClient) SendPVERequest(pvereq PVERequest) error {
 	// Send the request
 	res, err := c.httpc.Do(req)
 	if err != nil {
-		return err
+		return errors.NewInternalServerError(
+			"failed to send request",
+			err,
+		)
 	}
 
 	b, err := io.ReadAll(res.Body)
 	if err != nil {
-		return err
+		return errors.NewInternalServerError(
+			"failed to read response body",
+			err,
+		)
 	}
 
 	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("%s", res.Status)
+		return errors.NewHTTPError(
+			res.StatusCode,
+			fmt.Sprintf("%s_error", strutils.ToSnakeCase(http.StatusText(res.StatusCode))),
+			string(b),
+			nil,
+		)
 	}
 
 	if pvereq.Result == nil {
@@ -179,7 +213,10 @@ func (c HTTPClient) SendPVERequest(pvereq PVERequest) error {
 	}{}
 	err = json.Unmarshal(b, &pveres)
 	if err != nil {
-		return err
+		return errors.NewInternalServerError(
+			"failed to unmarshal response body",
+			err,
+		)
 	}
 
 	b, _ = json.Marshal(pveres.Data)
diff --git a/internal/str_utils/format.go b/internal/str_utils/format.go
new file mode 100644
index 0000000..8b7bd9d
--- /dev/null
+++ b/internal/str_utils/format.go
@@ -0,0 +1,59 @@
+package strutils
+
+import (
+	"unicode"
+)
+
+// ToSnakeCase converts a string to snake case.
+func ToSnakeCase(s string) string {
+	// rs is the string as an array of runes.
+	rs := []rune(s)
+
+	// res will be the result of the conversion.
+	res := []rune{}
+
+	for _, r := range rs {
+		switch {
+		case unicode.IsLetter(r):
+			if unicode.IsLower(r) {
+				res = append(res, r)
+			} else {
+				// append an underscore if the rune is uppercase
+				// only if the previous added rune is not an underscore.
+				if len(res) > 0 && res[len(res)-1] != '_' {
+					res = append(res, '_')
+				}
+
+				// append the lowercase rune
+				res = append(res, unicode.ToLower(r))
+			}
+
+		// if a digit is found, append an underscore only if
+		// the previous rune is not a digit.
+		case unicode.IsDigit(r):
+
+			if len(res) > 0 && res[len(res)-1] != '_' && !unicode.IsDigit(res[len(res)-1]) {
+				res = append(res, '_')
+			}
+
+			res = append(res, r)
+		// if an special rune is found, append an underscore only if
+		// the previous rune is not an underscore.
+		default:
+			// if no previous rune was added, to the result
+			// we add an underscore and continue iterating.
+			if len(res) == 0 {
+				res = append(res, '_')
+				continue
+			}
+
+			// checks if the previous rune is an underscore
+			// and if it is not, we append an underscore.
+			if len(res) > 0 && res[len(res)-1] != '_' {
+				res = append(res, '_')
+			}
+		}
+	}
+
+	return string(res)
+}
diff --git a/pkg/pve/core/version.go b/pkg/pve/core/version.go
index dbbc20f..7df75d6 100644
--- a/pkg/pve/core/version.go
+++ b/pkg/pve/core/version.go
@@ -19,6 +19,10 @@ type GetVersionResponse struct {
 
 // GetVersion returns API version details, including some
 // parts of the global datacenter config.
+//
+// Any error returned is of type [errors].*HTTPError.
+//
+// [errors]: https://pkg.go.dev/github.com/iolave/go-errors
 func (s Service) GetVersion() (GetVersionResponse, error) {
 	res := GetVersionResponse{}
 	err := s.httpc.SendPVERequest(apiclient.PVERequest{

From 9f2e87d74026c522f955e76c5431db496aea621e Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Wed, 13 Aug 2025 10:51:05 -0400
Subject: [PATCH 09/40] api client will now contain raw pve requests

---
 go.mod                              |  2 +-
 internal/api_client/core_version.go | 22 ++++++++++++++++++++++
 internal/api_client/http.go         |  4 ++--
 pkg/pve/core/core.go                |  4 ++--
 pkg/pve/core/version.go             | 24 ++++++++++--------------
 5 files changed, 37 insertions(+), 19 deletions(-)
 create mode 100644 internal/api_client/core_version.go

diff --git a/go.mod b/go.mod
index d2dd852..5d930ce 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/ggicci/httpin v0.19.0
 	github.com/go-playground/validator/v10 v10.27.0
 	github.com/google/uuid v1.6.0
+	github.com/iolave/go-errors v1.0.0
 	github.com/princjef/gomarkdoc v1.1.0
 	github.com/swaggo/swag v1.16.4
 	modernc.org/sqlite v1.36.0
@@ -37,7 +38,6 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/iolave/go-errors v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kevinburke/ssh_config v1.1.0 // indirect
diff --git a/internal/api_client/core_version.go b/internal/api_client/core_version.go
new file mode 100644
index 0000000..e247e83
--- /dev/null
+++ b/internal/api_client/core_version.go
@@ -0,0 +1,22 @@
+package apiclient
+
+import "net/http"
+
+func (c HTTPClient) CoreGetVersion() (res struct {
+	Release string `json:"release"`
+	RepoID  string `json:"repoid"`
+	Version string `json:"version"`
+}, err error) {
+	type Response struct {
+		Release string `json:"release"`
+		RepoID  string `json:"repoid"`
+		Version string `json:"version"`
+	}
+	err = c.sendPVERequest(PVERequest{
+		Path:   "/api2/json/version",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
diff --git a/internal/api_client/http.go b/internal/api_client/http.go
index ead534e..0c1a9fd 100644
--- a/internal/api_client/http.go
+++ b/internal/api_client/http.go
@@ -117,13 +117,13 @@ type PVERequest struct {
 	Result any
 }
 
-// SendPVERequest sends a request to the proxmox api. It returns
+// sendPVERequest sends a request to the proxmox api. It returns
 // an error when the request fails.
 //
 // Any error returned is of type [errors].*HTTPError.
 //
 // [errors]: https://pkg.go.dev/github.com/iolave/go-errors
-func (c HTTPClient) SendPVERequest(pvereq PVERequest) error {
+func (c HTTPClient) sendPVERequest(pvereq PVERequest) error {
 	base := fmt.Sprintf("%s://%s:%d", c.Proto, c.Host, c.Port)
 	url, err := url.JoinPath(base, pvereq.Path)
 	if err != nil {
diff --git a/pkg/pve/core/core.go b/pkg/pve/core/core.go
index e0d6284..51693b1 100644
--- a/pkg/pve/core/core.go
+++ b/pkg/pve/core/core.go
@@ -3,11 +3,11 @@ package core
 import apiclient "github.com/iolave/go-proxmox/internal/api_client"
 
 type Service struct {
-	httpc *apiclient.HTTPClient
+	c *apiclient.HTTPClient
 }
 
 func New(httpclient *apiclient.HTTPClient) Service {
 	return Service{
-		httpc: httpclient,
+		c: httpclient,
 	}
 }
diff --git a/pkg/pve/core/version.go b/pkg/pve/core/version.go
index 7df75d6..d568a9f 100644
--- a/pkg/pve/core/version.go
+++ b/pkg/pve/core/version.go
@@ -1,17 +1,11 @@
 package core
 
-import (
-	"net/http"
-
-	apiclient "github.com/iolave/go-proxmox/internal/api_client"
-)
-
 type GetVersionResponse struct {
 	// The current Proxmox VE point release in `x.y` format.
 	Release string `json:"release"`
 
 	// The short git revision from which this version was build.
-	RepoID string `json:"repoid"`
+	RepoID string `json:"repoId"`
 
 	// The full pve-manager package version of this node.
 	Version string `json:"version"`
@@ -24,12 +18,14 @@ type GetVersionResponse struct {
 //
 // [errors]: https://pkg.go.dev/github.com/iolave/go-errors
 func (s Service) GetVersion() (GetVersionResponse, error) {
-	res := GetVersionResponse{}
-	err := s.httpc.SendPVERequest(apiclient.PVERequest{
-		Path:   "/api2/json/version",
-		Method: http.MethodGet,
-		Result: &res,
-	})
+	res, err := s.c.CoreGetVersion()
+	if err != nil {
+		return GetVersionResponse{}, err
+	}
 
-	return res, err
+	return GetVersionResponse{
+		Release: res.Release,
+		RepoID:  res.RepoID,
+		Version: res.Version,
+	}, nil
 }

From c17c6fc50d32d3134ef45fbebe47a3f18c8d5fa3 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Wed, 13 Aug 2025 11:32:37 -0400
Subject: [PATCH 10/40] chore: removed unused type def

---
 internal/api_client/core_version.go | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/internal/api_client/core_version.go b/internal/api_client/core_version.go
index e247e83..733bad8 100644
--- a/internal/api_client/core_version.go
+++ b/internal/api_client/core_version.go
@@ -7,11 +7,6 @@ func (c HTTPClient) CoreGetVersion() (res struct {
 	RepoID  string `json:"repoid"`
 	Version string `json:"version"`
 }, err error) {
-	type Response struct {
-		Release string `json:"release"`
-		RepoID  string `json:"repoid"`
-		Version string `json:"version"`
-	}
 	err = c.sendPVERequest(PVERequest{
 		Path:   "/api2/json/version",
 		Method: http.MethodGet,

From 21c9a689ae90a4cce37d07531c7b850117e059e8 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Sun, 17 Aug 2025 11:56:16 -0400
Subject: [PATCH 11/40] fix: api wrapper request to pve api now passthrough
 query params

---
 CHANGELOG.md                                 | 5 +++++
 internal/api_wrapper/server/server_client.go | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cee26b9..a8c4412 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### PVE API wrapper
+
+#### Fixed
+- PVE original passthrough handler now properly includes the request query params (resolves [#4](https://github.com/iolave/go-proxmox/issues/4)).
+
 ### PVE API client
 #### Added
 - Added a Core Service to the client:
diff --git a/internal/api_wrapper/server/server_client.go b/internal/api_wrapper/server/server_client.go
index 09b79a6..c75d061 100644
--- a/internal/api_wrapper/server/server_client.go
+++ b/internal/api_wrapper/server/server_client.go
@@ -12,10 +12,11 @@ import (
 
 func (s *server) sendPVERequest(sr *http.Request) (*http.Response, *errors.HTTPError) {
 	pveUrl, err := url.Parse(fmt.Sprintf(
-		"https://%s:%d%s",
+		"https://%s:%d%s?%s",
 		s.cfg.PVEHost,
 		s.cfg.PVEPort,
 		sr.URL.Path,
+		sr.URL.RawQuery,
 	))
 	b, err := io.ReadAll(sr.Body)
 	if err != nil {

From b25effb23c1e73fc8047dfef82ced9e3b6d18987 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 18 Aug 2025 17:14:57 -0400
Subject: [PATCH 12/40] refactor: internal api_client is now can be used
 importing /pkg/api

---
 internal/api_client/http.go => pkg/api/api.go | 20 +++++++++----------
 .../api_client => pkg/api}/core_version.go    |  8 +++++---
 pkg/pve/core/core.go                          |  8 ++++----
 pkg/pve/core/version.go                       |  2 +-
 pkg/pve/pve.go                                | 14 +++++++------
 5 files changed, 28 insertions(+), 24 deletions(-)
 rename internal/api_client/http.go => pkg/api/api.go (94%)
 rename {internal/api_client => pkg/api}/core_version.go (55%)

diff --git a/internal/api_client/http.go b/pkg/api/api.go
similarity index 94%
rename from internal/api_client/http.go
rename to pkg/api/api.go
index 0c1a9fd..89918c6 100644
--- a/internal/api_client/http.go
+++ b/pkg/api/api.go
@@ -1,4 +1,4 @@
-package apiclient
+package api
 
 import (
 	"crypto/tls"
@@ -15,9 +15,9 @@ import (
 	strutils "github.com/iolave/go-proxmox/internal/str_utils"
 )
 
-// HTTPClient is the http client used to send requests
+// API is an http client used to send requests
 // to the proxmox api.
-type HTTPClient struct {
+type API struct {
 	// httpc is the underlying http client used
 	// to send requests to the proxmox api.
 	httpc *http.Client
@@ -40,7 +40,7 @@ type HTTPClient struct {
 	Port int `validate:"required"`
 }
 
-// NewHTTPClient returns a new HTTPClient.
+// New returns a new HTTPClient.
 //
 // proto is the protocol used to send requests
 // and it's allowed values are http or https.
@@ -52,12 +52,12 @@ type HTTPClient struct {
 // Any error returned is of type [errors].Error.
 //
 // [errors]: https://pkg.go.dev/github.com/iolave/go-errors
-func NewHTTPClient(
+func New(
 	proto string,
 	host string,
 	port int,
 	insecureSkipVerify bool,
-) (*HTTPClient, error) {
+) (*API, error) {
 	transport := &http.Transport{
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: insecureSkipVerify,
@@ -65,7 +65,7 @@ func NewHTTPClient(
 	}
 	httpc := &http.Client{Transport: transport}
 
-	c := &HTTPClient{
+	c := &API{
 		httpc:         httpc,
 		CustomHeaders: http.Header{},
 		Proto:         proto,
@@ -123,7 +123,7 @@ type PVERequest struct {
 // Any error returned is of type [errors].*HTTPError.
 //
 // [errors]: https://pkg.go.dev/github.com/iolave/go-errors
-func (c HTTPClient) sendPVERequest(pvereq PVERequest) error {
+func (c API) SendPVERequest(pvereq PVERequest) error {
 	base := fmt.Sprintf("%s://%s:%d", c.Proto, c.Host, c.Port)
 	url, err := url.JoinPath(base, pvereq.Path)
 	if err != nil {
@@ -132,13 +132,13 @@ func (c HTTPClient) sendPVERequest(pvereq PVERequest) error {
 			err,
 		)
 	}
-
 	if pvereq.Payload == nil {
 		pvereq.Payload = struct{}{}
 	}
 	req, err := httpin.NewRequest(
 		pvereq.Method,
-		url, pvereq.Payload,
+		url,
+		pvereq.Payload,
 		httpin.Option.WithNestedDirectivesEnabled(true),
 	)
 	if err != nil {
diff --git a/internal/api_client/core_version.go b/pkg/api/core_version.go
similarity index 55%
rename from internal/api_client/core_version.go
rename to pkg/api/core_version.go
index 733bad8..f3747e7 100644
--- a/internal/api_client/core_version.go
+++ b/pkg/api/core_version.go
@@ -1,13 +1,15 @@
-package apiclient
+package api
 
 import "net/http"
 
-func (c HTTPClient) CoreGetVersion() (res struct {
+// CoreGetVersion API version details,
+// including some parts of the global datacenter config.
+func (c API) CoreGetVersion() (res struct {
 	Release string `json:"release"`
 	RepoID  string `json:"repoid"`
 	Version string `json:"version"`
 }, err error) {
-	err = c.sendPVERequest(PVERequest{
+	err = c.SendPVERequest(PVERequest{
 		Path:   "/api2/json/version",
 		Method: http.MethodGet,
 		Result: &res,
diff --git a/pkg/pve/core/core.go b/pkg/pve/core/core.go
index 51693b1..f8f90fe 100644
--- a/pkg/pve/core/core.go
+++ b/pkg/pve/core/core.go
@@ -1,13 +1,13 @@
 package core
 
-import apiclient "github.com/iolave/go-proxmox/internal/api_client"
+import "github.com/iolave/go-proxmox/pkg/api"
 
 type Service struct {
-	c *apiclient.HTTPClient
+	api *api.API
 }
 
-func New(httpclient *apiclient.HTTPClient) Service {
+func New(api *api.API) Service {
 	return Service{
-		c: httpclient,
+		api: api,
 	}
 }
diff --git a/pkg/pve/core/version.go b/pkg/pve/core/version.go
index d568a9f..24e0ba6 100644
--- a/pkg/pve/core/version.go
+++ b/pkg/pve/core/version.go
@@ -18,7 +18,7 @@ type GetVersionResponse struct {
 //
 // [errors]: https://pkg.go.dev/github.com/iolave/go-errors
 func (s Service) GetVersion() (GetVersionResponse, error) {
-	res, err := s.c.CoreGetVersion()
+	res, err := s.api.CoreGetVersion()
 	if err != nil {
 		return GetVersionResponse{}, err
 	}
diff --git a/pkg/pve/pve.go b/pkg/pve/pve.go
index e9b48eb..55f62e2 100644
--- a/pkg/pve/pve.go
+++ b/pkg/pve/pve.go
@@ -3,7 +3,7 @@ package pve
 import (
 	"fmt"
 
-	apiclient "github.com/iolave/go-proxmox/internal/api_client"
+	"github.com/iolave/go-proxmox/pkg/api"
 	"github.com/iolave/go-proxmox/pkg/cloudflare"
 	"github.com/iolave/go-proxmox/pkg/pve/core"
 )
@@ -19,7 +19,8 @@ type Config struct {
 type Client struct {
 	// httpc is the underlying http client used
 	// to send requests to the proxmox api.
-	httpc *apiclient.HTTPClient
+	APIClient *api.API
+	httpc     *api.API
 
 	config Config
 	creds  *Credentials
@@ -45,7 +46,7 @@ func New(config Config) (*Client, error) {
 }
 
 func NewWithCredentials(config Config, creds *Credentials) (*Client, error) {
-	httpc, err := apiclient.NewHTTPClient(
+	httpc, err := api.New(
 		"https",
 		config.Host,
 		config.Port,
@@ -67,9 +68,10 @@ func NewWithCredentials(config Config, creds *Credentials) (*Client, error) {
 	}
 
 	api := &Client{
-		httpc:  httpc,
-		config: config,
-		creds:  creds,
+		httpc:     httpc,
+		APIClient: httpc,
+		config:    config,
+		creds:     creds,
 		client: newHttpClient(
 			creds,
 			config.CfServiceToken,

From 5de38d692c9c391f9eac452da1ebfee2794eb732 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 18 Aug 2025 17:16:32 -0400
Subject: [PATCH 13/40] feat: added /api2/json/cluster/tasks implementations

---
 pkg/api/cluster_tasks.go | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 pkg/api/cluster_tasks.go

diff --git a/pkg/api/cluster_tasks.go b/pkg/api/cluster_tasks.go
new file mode 100644
index 0000000..d43cdcd
--- /dev/null
+++ b/pkg/api/cluster_tasks.go
@@ -0,0 +1,24 @@
+package api
+
+import "net/http"
+
+// ClusterGetTasks List recent tasks (cluster wide).
+func (c API) ClusterGetTasks() (res []struct {
+	UpID      string  `json:"upid"`
+	Node      *string `json:"node"`
+	Status    *string `json:"status"`
+	ID        *string `json:"id"`
+	StartTime *int    `json:"starttime"`
+	Saved     *string `json:"saved"`
+	User      *string `json:"user"`
+	EndTime   *int    `json:"endtime"`
+	Type      *string `json:"type"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/tasks",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}

From d08a1a8111b8a77770dc7543ea2f927be94ab297 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 18 Aug 2025 17:19:22 -0400
Subject: [PATCH 14/40] feat: added /api2/json/cluster/options implementations

---
 pkg/api/cluster_options.go | 117 +++++++++++++++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 pkg/api/cluster_options.go

diff --git a/pkg/api/cluster_options.go b/pkg/api/cluster_options.go
new file mode 100644
index 0000000..485c597
--- /dev/null
+++ b/pkg/api/cluster_options.go
@@ -0,0 +1,117 @@
+package api
+
+import "net/http"
+
+// ClusterGetOptions Get datacenter options. Without 'Sys.Audit'
+// on '/' not all options are returned.
+func (c API) ClusterGetOptions() (res struct {
+	MigrationUnsecure *int      `json:"migration_unsecure"`
+	Keyboard          *string   `json:"keyboard"`
+	Description       *string   `json:"description"`
+	RegisteredTags    *[]string `json:"registered-tags"`
+	AllowedTags       *[]string `json:"allowed-tags"`
+	BWLimit           *string   `json:"bwlimit"`
+	Fencing           *string   `json:"fencing"`
+	EmailFrom         *string   `json:"email_from"`
+	Language          *string   `json:"language"`
+	HTTPProxy         *string   `json:"http_proxy"`
+	MacPrefix         *string   `json:"mac_prefix"`
+	Console           *string   `json:"console"`
+	MaxWorkers        *string   `json:"max_workers"`
+	TagStyle          struct {
+		CaseSensitive *int    `json:"case-sensitive"`
+		Ordering      *string `json:"ordering"`
+		Shape         *string `json:"shape"`
+	} `json:"tag-style"`
+	WebAuthn struct {
+		ID              *string `json:"id"`
+		RP              *string `json:"rp"`
+		AllowSubdomains *int    `json:"allow-subdomains"`
+		Origin          *string `json:"origin"`
+	} `json:"webauthn"`
+	CRS struct {
+		HARebalanceOnStart *int    `json:"ha-rebalance-on-start"`
+		HA                 *string `json:"ha"`
+	} `json:"crs"`
+	HA struct {
+		ShutdownPolicy *string `json:"shutdown_policy"`
+	} `json:"ha"`
+	Notify struct {
+		TargetPackageUpdates *string `json:"target-package-updates"`
+		Fencing              *string `json:"fencing"`
+		TargetFencing        *string `json:"target-fencing"`
+		PackageUpdates       *string `json:"package-updates"`
+		Replication          *string `json:"replication"`
+		TargetReplication    *string `json:"target-replication"`
+	} `json:"notify"`
+	U2F struct {
+		Origin *string `json:"origin"`
+		AppID  *string `json:"appid"`
+	}
+	Migration struct {
+		Type    *string `json:"type"`
+		Network *string `json:"network"`
+	} `json:"migration"`
+	NextID struct {
+		Lower *string `json:"lower"`
+		Upper *string `json:"upper"`
+	} `json:"next-id"`
+	UserTagAccess struct {
+		UserAllowList *[]string `json:"user-allow-list"`
+		UserAllow     *string   `json:"user-allow"`
+	} `json:"user-tag-access"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/options",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterPutOptionsRequest struct {
+	BWLimit string `in:"query=bwlimit;omitempty"`
+
+	// docs says this is available in API but...
+	// ¡NOT AVAILABLE IN API!
+	// ConsentText       string `in:"form;omitempty,form=consent-text"`
+
+	Console           string `in:"query=console;omitempty"`
+	CRS               string `in:"query=crs;omitempty"`
+	Delete            string `in:"query=delete;omitempty"`
+	Description       string `in:"query=description;omitempty"`
+	EmailFrom         string `in:"query=email_from;omitempty"`
+	Fencing           string `in:"query=fencing;omitempty"`
+	HA                string `in:"query=ha;omitempty"`
+	HTTPProxy         string `in:"query=http_proxy;omitempty"`
+	Keyboard          string `in:"query=keyboard;omitempty"`
+	Language          string `in:"query=language;omitempty"`
+	MacPrefix         string `in:"query=mac_prefix;omitempty"`
+	MaxWorkers        int    `in:"query=max_workers;omitempty"`
+	Migration         string `in:"query=migration;omitempty"`
+	MigrationUnsecure string `in:"query=migration_unsecure;omitempty"`
+	NextID            string `in:"query=next-id;omitempty"`
+	Notify            string `in:"query=notify;omitempty"`
+	RegisteredTags    string `in:"query=registered-tags;omitempty"`
+
+	// docs says this is available in API but...
+	// ¡NOT AVAILABLE IN API!
+	// Replication       string `in:"form;omitempty,form=replication"`
+
+	TagStyle      string `in:"query=tag-style;omitempty"`
+	U2F           string `in:"query=u2f;omitempty"`
+	UserTagAccess string `in:"query=user-tag-access;omitempty"`
+	WebAuthn      string `in:"query=webauthn;omitempty"`
+}
+
+// ClusterPutOptions Set datacenter options.
+func (c API) ClusterPutOptions(req ClusterPutOptionsRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/options",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}

From 97b5edca2c65f8d80e10bed8bf9dd3a6ea4a76b1 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 18 Aug 2025 17:20:11 -0400
Subject: [PATCH 15/40] feat: added /api2/json/cluster/resources
 implementations

---
 pkg/api/cluster_resources.go | 48 ++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 pkg/api/cluster_resources.go

diff --git a/pkg/api/cluster_resources.go b/pkg/api/cluster_resources.go
new file mode 100644
index 0000000..63fa17f
--- /dev/null
+++ b/pkg/api/cluster_resources.go
@@ -0,0 +1,48 @@
+package api
+
+import "net/http"
+
+type ClusterGetResourcesRequest struct {
+	Type string `in:"query=type"`
+}
+
+// ClusterGetResources Resources index (cluster wide).
+func (c API) ClusterGetResources(req ClusterGetResourcesRequest) (res []struct {
+	ID         string  `json:"id"`
+	Type       string  `json:"type"`
+	CGroupMode *int    `json:"cgroup-mode"`
+	Content    *string `json:"content"`
+	CPU        *int    `json:"cpu"`
+	Disk       *int    `json:"disk"`
+	DiskRead   *int    `json:"diskread"`
+	DiskWrite  *int    `json:"diskwrite"`
+	HAState    *string `json:"hastate"`
+	Level      *string `json:"level"`
+	Lock       *string `json:"lock"`
+	MaxCPU     *int    `json:"maxcpu"`
+	MaxDisk    *int    `json:"maxdisk"`
+	MaxMem     *int    `json:"maxmem"`
+	Mem        *int    `json:"mem"`
+	MemHost    *int    `json:"memhost"`
+	Name       *string `json:"name"`
+	NetIn      *int    `json:"netin"`
+	NetOut     *int    `json:"netout"`
+	Node       *string `json:"node"`
+	PluginType *string `json:"plugintype"`
+	Pool       *string `json:"pool"`
+	Status     *string `json:"status"`
+	Storage    *string `json:"storage"`
+	Tags       *string `json:"tags"`
+	Template   *int    `json:"template"`
+	Uptime     *int    `json:"uptime"`
+	VMID       *int    `json:"vmid"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/resources",
+		Method:  http.MethodGet,
+		Result:  &res,
+		Payload: &req,
+	})
+
+	return res, err
+}

From 329c0789b205b9453e03dc30ae641e03a9c0b451 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 18 Aug 2025 17:20:41 -0400
Subject: [PATCH 16/40] feat: added /api2/json/cluster/status implementations

---
 pkg/api/cluster_status.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 pkg/api/cluster_status.go

diff --git a/pkg/api/cluster_status.go b/pkg/api/cluster_status.go
new file mode 100644
index 0000000..5a7e7a8
--- /dev/null
+++ b/pkg/api/cluster_status.go
@@ -0,0 +1,26 @@
+package api
+
+import "net/http"
+
+// ClusterGetStatus Get cluster status information.
+func (c API) ClusterGetStatus() (res []struct {
+	ID      string  `json:"id"`
+	Name    string  `json:"name"`
+	Type    string  `json:"type"`
+	IP      *string `json:"ip"`
+	Level   *string `json:"level"`
+	Local   *int    `json:"local"`
+	NodeID  *int    `json:"nodeid"`
+	Nodes   *int    `json:"nodes"`
+	Online  *int    `json:"online"`
+	QuoRate *int    `json:"quorate"`
+	Version *int    `json:"version"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/status",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}

From a3314c5453e9e62d1f1f8e18bba8f4005cb6ad75 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 18 Aug 2025 17:24:39 -0400
Subject: [PATCH 17/40] feat: added /api2/json/cluster/nextid implementations

---
 pkg/api/cluster_next_id.go | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 pkg/api/cluster_next_id.go

diff --git a/pkg/api/cluster_next_id.go b/pkg/api/cluster_next_id.go
new file mode 100644
index 0000000..752c610
--- /dev/null
+++ b/pkg/api/cluster_next_id.go
@@ -0,0 +1,35 @@
+package api
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/iolave/go-errors"
+)
+
+type ClusterGetNextIDRequest struct {
+	VMID int `in:"query=vmid;omitempty"`
+}
+
+// ClusterGetNextID Get next free VMID. Pass a VMID
+// to assert that its free (at time of check).
+func (c API) ClusterGetNextID(req ClusterGetNextIDRequest) (int, error) {
+	res := ""
+
+	err := c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/nextid",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	vmid, err := strconv.Atoi(res)
+	if err != nil {
+		return 0, errors.NewInternalServerError(
+			"failed to parse response",
+			err,
+		)
+	}
+
+	return vmid, err
+}

From e796e0b80ec0bdcf12e5601a60ea16021dbf16ec Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 18 Aug 2025 19:39:40 -0400
Subject: [PATCH 18/40] feat: added /api2/json/cluster/log implementations

---
 pkg/api/cluster_log.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 pkg/api/cluster_log.go

diff --git a/pkg/api/cluster_log.go b/pkg/api/cluster_log.go
new file mode 100644
index 0000000..8f3b649
--- /dev/null
+++ b/pkg/api/cluster_log.go
@@ -0,0 +1,30 @@
+package api
+
+import "net/http"
+
+type ClusterGetLogRequest struct {
+	// Maximum number of entries (1 - N)
+	MaxEntries int `in:"query=max;omitempty"`
+}
+
+// ClusterGetLog Read cluster log.
+func (c API) ClusterGetLog(req ClusterGetLogRequest) (res []struct {
+	ID      string `json:"id"`
+	Message string `json:"msg"`
+	UID     string `json:"uid"`
+	Time    int    `json:"time"`
+	Node    string `json:"node"`
+	PID     int    `json:"pid"`
+	Pri     int    `json:"pri"`
+	User    string `json:"user"`
+	Tag     string `json:"tag"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/log",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}

From 3a8003b085357f3785bae3f46911b96356cdb2bf Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 18 Aug 2025 19:59:53 -0400
Subject: [PATCH 19/40] docs: added missing cluster implementations docs

---
 pkg/api/cluster_next_id.go   |   1 +
 pkg/api/cluster_options.go   | 117 +++++++++++++++++++++++++++++------
 pkg/api/cluster_resources.go |   3 +
 3 files changed, 102 insertions(+), 19 deletions(-)

diff --git a/pkg/api/cluster_next_id.go b/pkg/api/cluster_next_id.go
index 752c610..af1ac5e 100644
--- a/pkg/api/cluster_next_id.go
+++ b/pkg/api/cluster_next_id.go
@@ -8,6 +8,7 @@ import (
 )
 
 type ClusterGetNextIDRequest struct {
+	// The (unique) ID of the VM.
 	VMID int `in:"query=vmid;omitempty"`
 }
 
diff --git a/pkg/api/cluster_options.go b/pkg/api/cluster_options.go
index 485c597..9f20077 100644
--- a/pkg/api/cluster_options.go
+++ b/pkg/api/cluster_options.go
@@ -71,38 +71,117 @@ func (c API) ClusterGetOptions() (res struct {
 }
 
 type ClusterPutOptionsRequest struct {
+	// Set I/O bandwidth limit for various operations (in KiB/s).
+	//
+	// 	[clone=<LIMIT>] [,default=<LIMIT>] [,migration=<LIMIT>] [,move=<LIMIT>] [,restore=<LIMIT>]
 	BWLimit string `in:"query=bwlimit;omitempty"`
 
 	// docs says this is available in API but...
 	// ¡NOT AVAILABLE IN API!
 	// ConsentText       string `in:"form;omitempty,form=consent-text"`
 
-	Console           string `in:"query=console;omitempty"`
-	CRS               string `in:"query=crs;omitempty"`
-	Delete            string `in:"query=delete;omitempty"`
-	Description       string `in:"query=description;omitempty"`
-	EmailFrom         string `in:"query=email_from;omitempty"`
-	Fencing           string `in:"query=fencing;omitempty"`
-	HA                string `in:"query=ha;omitempty"`
-	HTTPProxy         string `in:"query=http_proxy;omitempty"`
-	Keyboard          string `in:"query=keyboard;omitempty"`
-	Language          string `in:"query=language;omitempty"`
-	MacPrefix         string `in:"query=mac_prefix;omitempty"`
-	MaxWorkers        int    `in:"query=max_workers;omitempty"`
-	Migration         string `in:"query=migration;omitempty"`
+	// Select the default Console viewer. You can either use the builtin java applet (VNC; deprecated and maps to html5), an external virt-viewer comtatible application (SPICE), an HTML5 based vnc viewer (noVNC), or an HTML5 based console client (xtermjs). If the selected viewer is not available (e.g. SPICE not activated for the VM), the fallback is noVNC.
+	//
+	// 	applet | vv | html5 | xtermjs
+	Console string `in:"query=console;omitempty"`
+
+	// Cluster resource scheduling settings.
+	//
+	// 	[ha=<basic|static>] [,ha-rebalance-on-start=<1|0>]
+	CRS string `in:"query=crs;omitempty"`
+
+	// A list of settings you want to delete.
+	//
+	// 	eg: bwlimit,console,crs
+	Delete string `in:"query=delete;omitempty"`
+
+	// Datacenter description. Shown in the web-interface datacenter notes panel. This is saved as comment inside the configuration file.
+	Description string `in:"query=description;omitempty"`
+
+	// Specify email address to send notification from (default is root@$hostname)
+	EmailFrom string `in:"query=email_from;omitempty"`
+
+	// Set the fencing mode of the HA cluster. Hardware mode needs a valid configuration of fence devices in /etc/pve/ha/fence.cfg. With both all two modes are used.
+	//
+	// WARNING: 'hardware' and 'both' are EXPERIMENTAL & WIP
+	// 	watchdog | hardware | both
+	Fencing string `in:"query=fencing;omitempty"`
+
+	// Cluster wide HA settings.
+	//
+	// 	shutdown_policy=<enum>
+	HA string `in:"query=ha;omitempty"`
+
+	// Specify external http proxy which is used for downloads (example: 'http://username:password@host:port/')
+	HTTPProxy string `in:"query=http_proxy;omitempty"`
+
+	// Default keybord layout for vnc server.
+	//
+	// 	de | de-ch | da | en-gb | en-us | es | fi | fr | fr-be | fr-ca | fr-ch | hu | is | it | ja | lt | mk | nl | no | pl | pt | pt-br | sv | sl | tr
+	Keyboard string `in:"query=keyboard;omitempty"`
+
+	// Default GUI language.
+	//
+	// 	ar | ca | da | de | en | es | eu | fa | fr | hr | he | it | ja | ka | kr | nb | nl | nn | pl | pt_BR | ru | sl | sv | tr | ukr | zh_CN | zh_TW
+	Language string `in:"query=language;omitempty"`
+
+	// Prefix for the auto-generated MAC addresses of virtual guests. The default `BC:24:11` is the Organizationally Unique Identifier (OUI) assigned by the IEEE to Proxmox Server Solutions GmbH for a MAC Address Block Large (MA-L). You're allowed to use this in local networks, i.e., those not directly reachable by the public (e.g., in a LAN or NAT/Masquerading).
+	//
+	// Note that when you run multiple cluster that (partially) share the networks of their virtual guests, it's highly recommended that you extend the default MAC prefix, or generate a custom (valid) one, to reduce the chance of MAC collisions. For example, add a separate extra hexadecimal to the Proxmox OUI for each cluster, like `BC:24:11:0` for the first, `BC:24:11:1` for the second, and so on.
+	// Alternatively, you can also separate the networks of the guests logically, e.g., by using VLANs.
+	//
+	// For publicly accessible guests it's recommended that you get your own https://standards.ieee.org/products-programs/regauth/[OUI from the IEEE] registered or coordinate with your, or your hosting providers, network admins.
+	MacPrefix string `in:"query=mac_prefix;omitempty"`
+
+	// Defines how many workers (per node) are maximal started  on actions like 'stopall VMs' or task from the ha-manager.
+	MaxWorkers int `in:"query=max_workers;omitempty"`
+
+	// For cluster wide migration settings.
+	//
+	// 	[type=]<secure|insecure> [,network=<CIDR>]
+	Migration string `in:"query=migration;omitempty"`
+
+	// Migration is secure using SSH tunnel by default. For secure private networks you can disable it to speed up migration. Deprecated, use the 'migration' property instead!
 	MigrationUnsecure string `in:"query=migration_unsecure;omitempty"`
-	NextID            string `in:"query=next-id;omitempty"`
-	Notify            string `in:"query=notify;omitempty"`
-	RegisteredTags    string `in:"query=registered-tags;omitempty"`
+
+	// Control the range for the free VMID auto-selection pool.
+	//
+	// 	[lower=<integer>] [,upper=<integer>]
+	NextID string `in:"query=next-id;omitempty"`
+
+	// Cluster-wide notification settings.
+	//
+	// 	[fencing=<always|never>] [,package-updates=<auto|always|never>] [,replication=<always|never>] [,target-fencing=<TARGET>] [,target-package-updates=<TARGET>] [,target-replication=<TARGET>]
+	Notify string `in:"query=notify;omitempty"`
+
+	// A list of tags that require a `Sys.Modify` on '/' to set and delete. Tags set here that are also in 'user-tag-access' also require `Sys.Modify`.
+	//
+	// 	<tag>[;<tag>...]
+	RegisteredTags string `in:"query=registered-tags;omitempty"`
 
 	// docs says this is available in API but...
 	// ¡NOT AVAILABLE IN API!
 	// Replication       string `in:"form;omitempty,form=replication"`
 
-	TagStyle      string `in:"query=tag-style;omitempty"`
-	U2F           string `in:"query=u2f;omitempty"`
+	//Tag style options.
+	//
+	// 	[case-sensitive=<1|0>] [,color-map=<tag>:<hex-color>[:<hex-color-for-text>][;<tag>=...]] [,ordering=<config|alphabetical>] [,shape=<enum>]
+	TagStyle string `in:"query=tag-style;omitempty"`
+
+	// u2f
+	//
+	// 	[appid=<APPID>] [,origin=<URL>]
+	U2F string `in:"query=u2f;omitempty"`
+
+	// Privilege options for user-settable tags
+	//
+	// 	[user-allow=<enum>] [,user-allow-list=<tag>[;<tag>...]]
 	UserTagAccess string `in:"query=user-tag-access;omitempty"`
-	WebAuthn      string `in:"query=webauthn;omitempty"`
+
+	// webauthn configuration
+	//
+	// 	[allow-subdomains=<1|0>] [,id=<DOMAINNAME>] [,origin=<URL>] [,rp=<RELYING_PARTY>]
+	WebAuthn string `in:"query=webauthn;omitempty"`
 }
 
 // ClusterPutOptions Set datacenter options.
diff --git a/pkg/api/cluster_resources.go b/pkg/api/cluster_resources.go
index 63fa17f..91d3dc0 100644
--- a/pkg/api/cluster_resources.go
+++ b/pkg/api/cluster_resources.go
@@ -3,6 +3,9 @@ package api
 import "net/http"
 
 type ClusterGetResourcesRequest struct {
+	// Resource type.
+	//
+	// 	vm | storage | node | sdn
 	Type string `in:"query=type"`
 }
 

From 1fd11f0f3fc610c20cab5e3a336dc318b9241408 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Tue, 19 Aug 2025 13:41:02 -0400
Subject: [PATCH 20/40] docs: added missing cluster required permissions

---
 pkg/api/cluster_log.go       | 4 ++++
 pkg/api/cluster_next_id.go   | 4 ++++
 pkg/api/cluster_options.go   | 8 ++++++++
 pkg/api/cluster_resources.go | 4 ++++
 pkg/api/cluster_status.go    | 4 ++++
 pkg/api/cluster_tasks.go     | 4 ++++
 6 files changed, 28 insertions(+)

diff --git a/pkg/api/cluster_log.go b/pkg/api/cluster_log.go
index 8f3b649..24652ae 100644
--- a/pkg/api/cluster_log.go
+++ b/pkg/api/cluster_log.go
@@ -8,6 +8,10 @@ type ClusterGetLogRequest struct {
 }
 
 // ClusterGetLog Read cluster log.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
 func (c API) ClusterGetLog(req ClusterGetLogRequest) (res []struct {
 	ID      string `json:"id"`
 	Message string `json:"msg"`
diff --git a/pkg/api/cluster_next_id.go b/pkg/api/cluster_next_id.go
index af1ac5e..a3d8a25 100644
--- a/pkg/api/cluster_next_id.go
+++ b/pkg/api/cluster_next_id.go
@@ -14,6 +14,10 @@ type ClusterGetNextIDRequest struct {
 
 // ClusterGetNextID Get next free VMID. Pass a VMID
 // to assert that its free (at time of check).
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
 func (c API) ClusterGetNextID(req ClusterGetNextIDRequest) (int, error) {
 	res := ""
 
diff --git a/pkg/api/cluster_options.go b/pkg/api/cluster_options.go
index 9f20077..8464a87 100644
--- a/pkg/api/cluster_options.go
+++ b/pkg/api/cluster_options.go
@@ -4,6 +4,10 @@ import "net/http"
 
 // ClusterGetOptions Get datacenter options. Without 'Sys.Audit'
 // on '/' not all options are returned.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
 func (c API) ClusterGetOptions() (res struct {
 	MigrationUnsecure *int      `json:"migration_unsecure"`
 	Keyboard          *string   `json:"keyboard"`
@@ -185,6 +189,10 @@ type ClusterPutOptionsRequest struct {
 }
 
 // ClusterPutOptions Set datacenter options.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
 func (c API) ClusterPutOptions(req ClusterPutOptionsRequest) (err error) {
 	err = c.SendPVERequest(PVERequest{
 		Path:    "/api2/json/cluster/options",
diff --git a/pkg/api/cluster_resources.go b/pkg/api/cluster_resources.go
index 91d3dc0..8d39c2e 100644
--- a/pkg/api/cluster_resources.go
+++ b/pkg/api/cluster_resources.go
@@ -10,6 +10,10 @@ type ClusterGetResourcesRequest struct {
 }
 
 // ClusterGetResources Resources index (cluster wide).
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
 func (c API) ClusterGetResources(req ClusterGetResourcesRequest) (res []struct {
 	ID         string  `json:"id"`
 	Type       string  `json:"type"`
diff --git a/pkg/api/cluster_status.go b/pkg/api/cluster_status.go
index 5a7e7a8..24d1434 100644
--- a/pkg/api/cluster_status.go
+++ b/pkg/api/cluster_status.go
@@ -3,6 +3,10 @@ package api
 import "net/http"
 
 // ClusterGetStatus Get cluster status information.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
 func (c API) ClusterGetStatus() (res []struct {
 	ID      string  `json:"id"`
 	Name    string  `json:"name"`
diff --git a/pkg/api/cluster_tasks.go b/pkg/api/cluster_tasks.go
index d43cdcd..55dbe29 100644
--- a/pkg/api/cluster_tasks.go
+++ b/pkg/api/cluster_tasks.go
@@ -3,6 +3,10 @@ package api
 import "net/http"
 
 // ClusterGetTasks List recent tasks (cluster wide).
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
 func (c API) ClusterGetTasks() (res []struct {
 	UpID      string  `json:"upid"`
 	Node      *string `json:"node"`

From 832e0cff7d797202cb42780465abbbd04a6074b2 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Tue, 19 Aug 2025 13:42:25 -0400
Subject: [PATCH 21/40] feat: added /api2/json/cluster/acme implementations

---
 pkg/api/cluster_acme_account.go     | 112 +++++++++++++++++
 pkg/api/cluster_acme_challschema.go |  29 +++++
 pkg/api/cluster_acme_directories.go |  21 ++++
 pkg/api/cluster_acme_meta.go        |  32 +++++
 pkg/api/cluster_acme_plugins.go     | 189 ++++++++++++++++++++++++++++
 5 files changed, 383 insertions(+)
 create mode 100644 pkg/api/cluster_acme_account.go
 create mode 100644 pkg/api/cluster_acme_challschema.go
 create mode 100644 pkg/api/cluster_acme_directories.go
 create mode 100644 pkg/api/cluster_acme_meta.go
 create mode 100644 pkg/api/cluster_acme_plugins.go

diff --git a/pkg/api/cluster_acme_account.go b/pkg/api/cluster_acme_account.go
new file mode 100644
index 0000000..da46f5b
--- /dev/null
+++ b/pkg/api/cluster_acme_account.go
@@ -0,0 +1,112 @@
+package api
+
+import "net/http"
+
+// ClusterACMEGetAccount Return existing ACME account information.
+//
+// Parameters:
+//
+//   - name is the ACME account config file name.
+//
+// Required permissions:
+//
+//	Root only.
+func (c API) ClusterACMEGetAccount(name string) (res struct {
+	Account   map[string]any `json:"account"`
+	Directory *string        `json:"directory"`
+	Location  *string        `json:"location"`
+	TOS       *string        `json:"tos"`
+}, err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/account/{name}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterACMEPostAccountRequest struct {
+	// Contact email addresses.
+	Contact string `in:"query=contact;nonzero"`
+
+	// URL of ACME CA directory endpoint.
+	Directory string `in:"query=directory;omitempty"`
+
+	// HMAC key for External Account Binding.
+	EABHMACKey string `in:"query=eab-hmac-key;omitempty"`
+
+	// Key Identifier for External Account Binding.
+	EABKid string `in:"query=eab-kid;omitempty"`
+
+	// ACME account config file name.
+	Name string `in:"query=name;omitempty"`
+
+	// URL of CA TermsOfService - setting this indicates agreement.
+	TOSURL string `in:"query=tos_url;omitempty"`
+}
+
+// ClusterACMEPostAccount Register a new ACME account with CA.
+func (c API) ClusterACMEPostAccount(req ClusterACMEPostAccountRequest) (res string, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/account",
+		Method:  http.MethodPost,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterACMEDeleteAccount Deactivate existing ACME account at CA.
+//
+// Required permissions:
+//
+//	Root only.
+func (c API) ClusterACMEDeleteAccount(name string) (res string, err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/account/{name}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterACMEUpdateAccountRequest struct {
+	// ACME account config file name.
+	Name string `in:"path=name;nonzero"`
+
+	// Contact email addresses.
+	Contact string `in:"query=contact;omitempty"`
+}
+
+// ClusterACMEUpdateAccount Update existing ACME account information with CA. Note: not specifying any new account information triggers a refresh.
+//
+// Required permissions:
+//
+//	Root only.
+func (c API) ClusterACMEUpdateAccount(req ClusterACMEUpdateAccountRequest) (res string, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/account/{name}",
+		Method:  http.MethodPut,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_acme_challschema.go b/pkg/api/cluster_acme_challschema.go
new file mode 100644
index 0000000..f611c31
--- /dev/null
+++ b/pkg/api/cluster_acme_challschema.go
@@ -0,0 +1,29 @@
+package api
+
+import "net/http"
+
+// ClusterACMEGetChallSchema Get schema of ACME challenge types.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterACMEGetChallSchema() (res []struct {
+	ID     string `json:"id"`
+	Name   string `json:"name"`
+	Schema struct {
+		Name   string `json:"name,omitempty"`
+		Fields map[string]struct {
+			Type string `json:"type"`
+			Desc string `json:"description"`
+		} `json:"fields,omitempty"`
+	} `json:"schema"`
+	Type string `json:"type"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/acme/challenge-schema",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_acme_directories.go b/pkg/api/cluster_acme_directories.go
new file mode 100644
index 0000000..6af816c
--- /dev/null
+++ b/pkg/api/cluster_acme_directories.go
@@ -0,0 +1,21 @@
+package api
+
+import "net/http"
+
+// ClusterACMEGetDirectories Get named known ACME directory endpoints.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterACMEGetDirectories() (res []struct {
+	URL  string `json:"url"`
+	Name string `json:"name"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/acme/directories",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_acme_meta.go b/pkg/api/cluster_acme_meta.go
new file mode 100644
index 0000000..30ba601
--- /dev/null
+++ b/pkg/api/cluster_acme_meta.go
@@ -0,0 +1,32 @@
+package api
+
+import "net/http"
+
+type ClusterGetACMEMetaRequest struct {
+	// URL of ACME CA directory endpoint. Defaults to https://acme-v02.api.letsencrypt.org/directory
+	//
+	// ^https?://.*
+	Directory string `in:"query=directory;omitempty"`
+}
+
+// ClusterACMEGetMeta Retrieve ACME Directory Meta Information
+//
+// Required permissions:
+//
+//	Check: ["perm","/nodes/{node}",["Sys.Audit"]]
+func (c API) ClusterACMEGetMeta(req ClusterGetACMEMetaRequest) (res struct {
+	CAAIdentities           []string          `json:"caaIdentities"`
+	ExternalAccountRequired *bool             `json:"externalAccountRequired"`
+	TermsOfService          *string           `json:"termsOfService"`
+	Website                 *string           `json:"website"`
+	Profiles                map[string]string `json:"profiles"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/meta",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_acme_plugins.go b/pkg/api/cluster_acme_plugins.go
new file mode 100644
index 0000000..d3c0532
--- /dev/null
+++ b/pkg/api/cluster_acme_plugins.go
@@ -0,0 +1,189 @@
+package api
+
+import "net/http"
+
+type ClusterACMEGetPluginsRequest struct {
+	// Only list ACME plugins of a specific type
+	//
+	// 	dns | standalone
+	Type string `in:"query=type;omitempty"`
+}
+
+type ClusterACMEGetPluginResponse struct {
+	Plugin          string  `json:"plugin"`
+	Type            *string `json:"type"`
+	Digest          *string `json:"digest"`
+	Disable         *int    `json:"disable"`
+	Nodes           *string `json:"nodes"`
+	Data            *string `json:"data"`
+	ValidationDelay *int    `json:"validation-delay"`
+	API             *string `json:"api"`
+}
+
+// ClusterACMEGetPlugins ACME plugin index.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterACMEGetPlugins() (res []ClusterACMEGetPluginResponse, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/acme/plugins",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterACMEGetPluginRequest struct {
+	// Unique identifier for ACME plugin instance.
+	ID string `in:"path=id;nonzero"`
+}
+
+// ClusterACMEGetPlugin Get ACME plugin configuration.
+//
+// Parameters:
+//
+//   - id is the unique identifier for ACME plugin instance.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterACMEGetPlugin(id string) (res ClusterACMEGetPluginResponse, err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/plugins/{id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterACMEPostPluginRequest struct {
+	// ACME Plugin ID name
+	ID string `in:"query=id;nonzero"`
+
+	// ACME challenge type.
+	//
+	// 	dns | standalone
+	Type string `in:"query=type;nonzero"`
+
+	// API plugin name
+	//
+	// 	1984hosting | acmedns | acmeproxy | active24 | ad | ali | alviy | anx | artfiles | arvan | aurora | autodns | aws | azion | azure | beget | bookmyname | bunny | cf | clouddns | cloudns | cn | conoha | constellix | cpanel | curanet | cyon | da | ddnss | desec | df | dgon | dnsexit | dnshome | dnsimple | dnsservices | doapi | domeneshop | dp | dpi | dreamhost | duckdns | durabledns | dyn | dynu | dynv6 | easydns | edgecenter | edgedns | euserv | exoscale | fornex | freedns | freemyip | gandi_livedns | gcloud | gcore | gd | geoscaling | googledomains | he | he_ddns | hetzner | hexonet | hostingde | huaweicloud | infoblox | infomaniak | internetbs | inwx | ionos | ionos_cloud | ipv64 | ispconfig | jd | joker | kappernet | kas | kinghost | knot | la | leaseweb | lexicon | limacity | linode | linode_v4 | loopia | lua | maradns | me | miab | mijnhost | misaka | myapi | mydevil | mydnsjp | mythic_beasts | namecheap | namecom | namesilo | nanelo | nederhost | neodigit | netcup | netlify | nic | njalla | nm | nsd | nsone | nsupdate | nw | oci | omglol | one | online | openprovider | openstack | opnsense | ovh | pdns | pleskxml | pointhq | porkbun | rackcorp | rackspace | rage4 | rcode0 | regru | scaleway | schlundtech | selectel | selfhost | servercow | simply | technitium | tele3 | tencent | timeweb | transip | udr | ultra | unoeuro | variomedia | veesp | vercel | vscale | vultr | websupport | west_cn | world4you | yandex360 | yc | zilore | zone | zoneedit | zonomi
+	API string `in:"query=api;omitempty"`
+
+	// DNS plugin data. (base64 encoded)
+	Data string `in:"query=data;omitempty"`
+
+	// Flag to disable the config.
+	//
+	// 	1 | 0
+	Disable int `in:"query=disable;omitempty"`
+
+	// List of cluster node names.
+	//
+	// 	node1,node2,node3,...
+	Nodes string `in:"query=nodes;omitempty"`
+
+	// Extra delay in seconds to wait before requesting validation. Allows to cope with a long TTL of DNS records.
+	//
+	// 	0 - 172800
+	ValidationDelay int `in:"query=validation-delay;omitempty"`
+}
+
+// ClusterACMEPostPlugin Add ACME plugin configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterACMEPostPlugin(req ClusterACMEPostPluginRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/plugins",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterACMEDeletePlugin Delete ACME plugin configuration.
+//
+// Parameters:
+//
+//   - id is the unique identifier for ACME plugin instance.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterACMEDeletePlugin(id string) (err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/plugins/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterACMEUpdatePluginRequest struct {
+	// ACME Plugin ID name
+	ID string `in:"path=id;nonzero"`
+
+	// API plugin name
+	//
+	// 	1984hosting | acmedns | acmeproxy | active24 | ad | ali | alviy | anx | artfiles | arvan | aurora | autodns | aws | azion | azure | beget | bookmyname | bunny | cf | clouddns | cloudns | cn | conoha | constellix | cpanel | curanet | cyon | da | ddnss | desec | df | dgon | dnsexit | dnshome | dnsimple | dnsservices | doapi | domeneshop | dp | dpi | dreamhost | duckdns | durabledns | dyn | dynu | dynv6 | easydns | edgecenter | edgedns | euserv | exoscale | fornex | freedns | freemyip | gandi_livedns | gcloud | gcore | gd | geoscaling | googledomains | he | he_ddns | hetzner | hexonet | hostingde | huaweicloud | infoblox | infomaniak | internetbs | inwx | ionos | ionos_cloud | ipv64 | ispconfig | jd | joker | kappernet | kas | kinghost | knot | la | leaseweb | lexicon | limacity | linode | linode_v4 | loopia | lua | maradns | me | miab | mijnhost | misaka | myapi | mydevil | mydnsjp | mythic_beasts | namecheap | namecom | namesilo | nanelo | nederhost | neodigit | netcup | netlify | nic | njalla | nm | nsd | nsone | nsupdate | nw | oci | omglol | one | online | openprovider | openstack | opnsense | ovh | pdns | pleskxml | pointhq | porkbun | rackcorp | rackspace | rage4 | rcode0 | regru | scaleway | schlundtech | selectel | selfhost | servercow | simply | technitium | tele3 | tencent | timeweb | transip | udr | ultra | unoeuro | variomedia | veesp | vercel | vscale | vultr | websupport | west_cn | world4you | yandex360 | yc | zilore | zone | zoneedit | zonomi
+	API string `in:"query=api;omitempty"`
+
+	// DNS plugin data. (base64 encoded)
+	Data string `in:"query=data;omitempty"`
+
+	// Flag to disable the config.
+	//
+	// 	1 | 0
+	Disable int `in:"query=disable;omitempty"`
+
+	// List of cluster node names.
+	//
+	// 	node1,node2,node3,...
+	Nodes string `in:"query=nodes;omitempty"`
+
+	// Extra delay in seconds to wait before requesting validation. Allows to cope with a long TTL of DNS records.
+	//
+	// 	0 - 172800
+	ValidationDelay int `in:"query=validation-delay;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+}
+
+// ClusterACMEUpdatePlugin Update ACME plugin configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterACMEUpdatePlugin(req ClusterACMEUpdatePluginRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/plugins/{id}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}

From 8f2af4112c3ce63312016ac21ee70f38366cb698 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Wed, 20 Aug 2025 12:16:35 -0400
Subject: [PATCH 22/40] fix: requests with int props are now pointers

---
 pkg/api/cluster_acme_plugins.go | 8 ++++----
 pkg/api/cluster_log.go          | 2 +-
 pkg/api/helpers.go              | 5 +++++
 3 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 pkg/api/helpers.go

diff --git a/pkg/api/cluster_acme_plugins.go b/pkg/api/cluster_acme_plugins.go
index d3c0532..f0e3af5 100644
--- a/pkg/api/cluster_acme_plugins.go
+++ b/pkg/api/cluster_acme_plugins.go
@@ -86,7 +86,7 @@ type ClusterACMEPostPluginRequest struct {
 	// Flag to disable the config.
 	//
 	// 	1 | 0
-	Disable int `in:"query=disable;omitempty"`
+	Disable *int `in:"query=disable;omitempty"`
 
 	// List of cluster node names.
 	//
@@ -96,7 +96,7 @@ type ClusterACMEPostPluginRequest struct {
 	// Extra delay in seconds to wait before requesting validation. Allows to cope with a long TTL of DNS records.
 	//
 	// 	0 - 172800
-	ValidationDelay int `in:"query=validation-delay;omitempty"`
+	ValidationDelay *int `in:"query=validation-delay;omitempty"`
 }
 
 // ClusterACMEPostPlugin Add ACME plugin configuration.
@@ -154,7 +154,7 @@ type ClusterACMEUpdatePluginRequest struct {
 	// Flag to disable the config.
 	//
 	// 	1 | 0
-	Disable int `in:"query=disable;omitempty"`
+	Disable *int `in:"query=disable;omitempty"`
 
 	// List of cluster node names.
 	//
@@ -164,7 +164,7 @@ type ClusterACMEUpdatePluginRequest struct {
 	// Extra delay in seconds to wait before requesting validation. Allows to cope with a long TTL of DNS records.
 	//
 	// 	0 - 172800
-	ValidationDelay int `in:"query=validation-delay;omitempty"`
+	ValidationDelay *int `in:"query=validation-delay;omitempty"`
 
 	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
 	Digest string `in:"query=digest;omitempty"`
diff --git a/pkg/api/cluster_log.go b/pkg/api/cluster_log.go
index 24652ae..9ddf4e6 100644
--- a/pkg/api/cluster_log.go
+++ b/pkg/api/cluster_log.go
@@ -4,7 +4,7 @@ import "net/http"
 
 type ClusterGetLogRequest struct {
 	// Maximum number of entries (1 - N)
-	MaxEntries int `in:"query=max;omitempty"`
+	MaxEntries *int `in:"query=max;omitempty"`
 }
 
 // ClusterGetLog Read cluster log.
diff --git a/pkg/api/helpers.go b/pkg/api/helpers.go
new file mode 100644
index 0000000..2815f71
--- /dev/null
+++ b/pkg/api/helpers.go
@@ -0,0 +1,5 @@
+package api
+
+func Int(v int) *int {
+	return &v
+}

From 0126bec4358fe00f1ffdaa59d2c4d036f2b268ac Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Wed, 20 Aug 2025 12:16:55 -0400
Subject: [PATCH 23/40] feat: added /api2/json/cluster/backup implementations

---
 pkg/api/cluster_backup.go | 415 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 415 insertions(+)
 create mode 100644 pkg/api/cluster_backup.go

diff --git a/pkg/api/cluster_backup.go b/pkg/api/cluster_backup.go
new file mode 100644
index 0000000..4ae037e
--- /dev/null
+++ b/pkg/api/cluster_backup.go
@@ -0,0 +1,415 @@
+package api
+
+import "net/http"
+
+type ClusterBackupGetJobResponse struct {
+	// ID is the unique identifier of the backup job.
+	ID *string `json:"id,omitempty"`
+
+	// Backup all known guest systems on this host
+	All *int `json:"all,omitempty"`
+
+	// Limit I/O bandwidth (in KiB/s).
+	BWLimit *int `json:"bwlimit,omitempty"`
+
+	// Description for the Job.
+	Comment *string `json:"comment,omitempty"`
+
+	// Compress dump file.
+	//	0 | 1 | gzip | lzo | zstd
+	Compress *string `json:"compress,omitempty"`
+
+	// Store resulting files to specified directory.
+	DumpDir *string `json:"dumpdir,omitempty"`
+
+	// Enable or disable the job.
+	Enabled *int `json:"enabled,omitempty"`
+
+	// Exclude specified guest systems (assumes --all)
+	Exclude *string `json:"exclude,omitempty"`
+
+	// Exclude certain files/directories (shell globs). Paths starting with '/' are anchored to the container's root, other paths match relative to each subdirectory.
+	ExcludePath []string `json:"exclude-path,omitempty"`
+
+	// Options for backup fleecing (VM only).
+	Fleecing struct {
+		Enabled *string `json:"enabled,omitempty"`
+		Storage *string `json:"storage,omitempty"`
+	} `json:"fleecing"`
+
+	// Set IO priority when using the BFQ scheduler. For snapshot and suspend mode backups of VMs, this only affects the compressor. A value of 8 means the idle priority is used, otherwise the best-effort priority is used with the specified value.
+	//
+	// 	0-8
+	Ionice *int `json:"ionice,omitempty"`
+
+	// Maximal time to wait for the global lock (minutes).
+	LockWait *int `json:"lockwait,omitempty"`
+
+	// Deprecated: use notification targets/matchers instead. Specify when to send a notification mail
+	MailNotification *string `json:"mailnotification,omitempty"`
+
+	// Deprecated: Use notification targets/matchers instead. Comma-separated list of email addresses or users that should receive email notifications.
+	Mailto *string `json:"mailto,omitempty"`
+
+	// Backup mode.
+	//
+	// 	snapshot | suspend | stop
+	Mode *string `json:"mode,omitempty"`
+
+	// Time of next run (unix timestamp).
+	NextRun *int `json:"next-run,omitempty"`
+
+	// Only run if executed on this node.
+	Node *string `json:"node,omitempty"`
+
+	// Template string for generating notes for the backup(s). It can contain variables which will be replaced by their values. Currently supported are {{cluster}}, {{guestname}}, {{node}}, and {{vmid}}, but more might be added in the future. Needs to be a single line, newline and backslash need to be escaped as '\n' and '\\' respectively.
+	NotesTemplate *string `json:"notes-template,omitempty"`
+
+	// Determine which notification system to use. If set to 'legacy-sendmail', vzdump will consider the mailto/mailnotification parameters and send emails to the specified address(es) via the 'sendmail' command. If set to 'notification-system', a notification will be sent via PVE's notification system, and the mailto and mailnotification will be ignored. If set to 'auto' (default setting), an email will be sent if mailto is set, and the notification system will be used if not.
+	//
+	// 	auto | legacy-sendmail | notification-system
+	NotificationMode *string `json:"notification-mode,omitempty"`
+
+	// Other performance-related settings
+	Performance struct {
+		PbsEntriesMax *string `json:"pbs-entries-max,omitempty"`
+		MaxWorkers    *string `json:"max-workers,omitempty"`
+	} `json:"performance"`
+
+	// Use pigz instead of gzip when N>0. N=1 uses half of cores, N>1 uses N as thread count.
+	Pigz *int `json:"pigz,omitempty"`
+
+	// Backup all known guest systems included in the specified pool.
+	Pool *string `json:"pool,omitempty"`
+
+	// If true, mark backup(s) as protected.
+	Protected *int `json:"protected,omitempty"`
+
+	// Use these retention options instead of those from the storage configuration.
+	PruneBackups struct {
+		KeepLast    *string `json:"keep-last,omitempty"`
+		KeepAll     *string `json:"keep-all,omitempty"`
+		KeepDaily   *string `json:"keep-daily,omitempty"`
+		KeepHourly  *string `json:"keep-hourly,omitempty"`
+		KeepMonthly *string `json:"keep-monthly,omitempty"`
+		KeepWeekly  *string `json:"keep-weekly,omitempty"`
+		KeepYearly  *string `json:"keep-yearly,omitempty"`
+	} `json:"prune-backups"`
+
+	// Be quiet.
+	Quiet *int `json:"quiet,omitempty"`
+
+	// Prune older backups according to 'prune-backups'.
+	Remove *int `json:"remove,omitempty"`
+
+	// If true, the job will be run as soon as possible if it was missed while the scheduler was not running.
+	RepeatMissed *int `json:"repeat-missed,omitempty"`
+
+	// Backup schedule. The format is a subset of `systemd` calendar even
+	Schedule *string `json:"schedule,omitempty"`
+
+	// Use specified hook script.
+	Script *string `json:"script,omitempty"`
+
+	// Exclude temporary files and logs.
+	STDExcludes *int `json:"stdexcludes,omitempty"`
+
+	// Stop running backup jobs on this host.
+	Stop *int `json:"stop,omitempty"`
+
+	// Maximal time to wait until a guest system is stopped (minutes).
+	StopWait *int `json:"stopwait,omitempty"`
+
+	// Store resulting file to this storage.
+	Storage *string `json:"storage,omitempty"`
+
+	// Backup type.
+	Type *string `json:"type,omitempty"`
+
+	// Store temporary files to specified directory.
+	TMPDir *string `json:"tmpdir,omitempty"`
+
+	// The ID of the guest system you want to backup.
+	VMID *string `json:"vmid,omitempty"`
+
+	// Zstd threads. N=0 uses half of the available cores, if N is set to a value bigger than 0, N is used as thread count.
+	Zstd *int `json:"zstd,omitempty"`
+}
+
+// ClusterBackupGetJobs List vzdump backup schedule.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterBackupGetJobs() (res []ClusterBackupGetJobResponse, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/backup",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterBackupDeleteJob Delete vzdump backup job definition.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterBackupDeleteJob(id string) (err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/backup/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterBackupGetJob List vzdump backup schedule.
+//
+// Parameters:
+//
+//   - id is the unique identifier of the backup job.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterBackupGetJob(id string) (res ClusterBackupGetJobResponse, err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/backup/{id}",
+		Method:  http.MethodGet,
+		Result:  &res,
+		Payload: &req,
+	})
+
+	return res, err
+}
+
+type ClusterBackupPostJobRequest struct {
+	// Backup all known guest systems on this host.
+	All *int `in:"query=all;omitempty"`
+
+	// Limit I/O bandwidth (in KiB/s).
+	BWLimit *int `in:"query=bwlimit;omitempty"`
+
+	// Description for the Job.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Compress dump file.
+	//	0 | 1 | gzip | lzo | zstd
+	Compress string `in:"query=compress;omitempty"`
+
+	// Day of week selection.
+	//
+	// 	mon,tue,wed,thu,fri,sat,sun
+	DOW string `in:"query=dow;omitempty"`
+
+	// Store resulting files to specified directory.
+	DumpDir string `in:"query=dumpdir;omitempty"`
+
+	// Enable or disable the job.
+	Enabled *int `in:"query=enabled;omitempty"`
+
+	// Exclude specified guest systems (assumes --all).
+	Exclude string `in:"query=exclude;omitempty"`
+
+	// Exclude certain files/directories (shell globs). Paths starting with '/' are anchored to the container's root, other paths match relative to each subdirectory.
+	//
+	// 	<path>[:<type>][<string>, ...]
+	ExcludePath string `in:"query=exclude-path;omitempty"`
+
+	// Options for backup fleecing (VM only).
+	//
+	// 	[[enabled=]<1|0>] [,storage=<storage ID>]
+	Fleecing string `in:"query=fleecing;omitempty"`
+
+	// Job ID (will be autogenerated).
+	ID string `in:"query=id;omitempty"`
+
+	// Set I/O priority when using the BFQ scheduler. For snapshot and suspend mode backups of VMs, this only affects the compressor. A value of 8 means the idle priority is used, otherwise the best-effort priority is used with the specified value.
+	//
+	// 	0-8
+	Ionice *int `in:"query=ionice;omitempty"`
+
+	// Maximal time to wait for the global lock (minutes).
+	LockWait *int `in:"query=lockwait;omitempty"`
+
+	// Deprecated: use notification targets/matchers instead. Specify when to send a notification mail.
+	MailNotification string `in:"query=mailnotification;omitempty"`
+
+	// Deprecated: Use notification targets/matchers instead. Comma-separated list of email addresses or users that should receive email notifications.
+	Mailto string `in:"query=mailto;omitempty"`
+
+	// Deprecated: use 'prune-backups' instead. Maximal number of backup files per guest system.
+	MaxFiles *int `in:"query=maxfiles;omitempty"`
+
+	// Backup mode.
+	//
+	// 	snapshot | suspend | stop
+	Mode string `in:"query=mode;omitempty"`
+
+	// Only run if executed on this node.
+	Node string `in:"query=node;omitempty"`
+
+	// Template string for generating notes for the backup(s). It can contain variables which will be replaced by their values. Currently supported are {{cluster}}, {{guestname}}, {{node}}, and {{vmid}}, but more might be added in the future. Needs to be a single line, newline and backslash need to be escaped as '\n' and '\\' respectively.
+	NotesTemplate string `in:"query=notes-template;omitempty"`
+
+	// Determine which notification system to use. If set to 'legacy-sendmail', vzdump will consider the mailto/mailnotification parameters and send emails to the specified address(es) via the 'sendmail' command. If set to 'notification-system', a notification will be sent via PVE's notification system, and the mailto and mailnotification will be ignored. If set to 'auto' (default setting), an email will be sent if mailto is set, and the notification system will be used if not.
+	//
+	// 	auto | legacy-sendmail | notification-system
+	NotificationMode string `in:"query=notification-mode;omitempty"`
+
+	// PBS mode used to detect file changes and switch encoding format for container backups.
+	//
+	// 	legacy | data | metadata
+	PBSChangeDetectionMode string `in:"query=pbs-change-detection-mode;omitempty"`
+
+	// Other performance-related settings.
+	//
+	// 	[pbs-entries-max=<INTEGER>] [,max-workers=<INTEGER>]
+	Performance string `in:"query=performance;omitempty"`
+
+	// Use pigz instead of gzip when N>0. N=1 uses half of cores, N>1 uses N as thread count.
+	Pigz *int `in:"query=pigz;omitempty"`
+
+	// Backup all known guest systems included in the specified pool.
+	Pool string `in:"query=pool;omitempty"`
+
+	// If true, mark backup(s) as protected.
+	Protected *int `in:"query=protected;omitempty"`
+
+	// Use these retention options instead of those from the storage configuration.
+	//
+	// 	[keep-all=<1|0>] [,keep-daily=<N>] [,keep-hourly=<N>] [,keep-last=<N>] [,keep-monthly=<N>] [,keep-weekly=<N>] [,keep-yearly=<N>]
+	PruneBackups string `in:"query=prune-backups;omitempty"`
+
+	// Be quiet.
+	Quiet *int `in:"query=quiet;omitempty"`
+
+	// Prune older backups according to 'prune-backups'.
+	Remove *int `in:"query=remove;omitempty"`
+
+	// If true, the job will be run as soon as possible if it was missed while the scheduler was not running.
+	RepeatMissed *int `in:"query=repeat-missed;omitempty"`
+
+	// Backup schedule. The format is a subset of `systemd` calendar events.
+	Schedule string `in:"query=schedule;omitempty"`
+
+	// Use specified hook script.
+	Script string `in:"query=script;omitempty"`
+
+	// Job Start time.
+	//
+	//	HH:MM
+	StartTime string `in:"query=starttime;omitempty"`
+
+	// Exclude temporary files and logs.
+	STDExcludes string `in:"query=stdexcludes;omitempty"`
+
+	// Stop running backup jobs on this host.
+	Stop *int `in:"query=stop;omitempty"`
+
+	// Maximal time to wait until a guest system is stopped (minutes).
+	Stopwait *int `in:"query=stopwait;omitempty"`
+
+	// Store resulting file to this storage.
+	Storage string `in:"query=storage;omitempty"`
+
+	// Store temporary files to specified directory.
+	TMPDir string `in:"query=tmpdir;omitempty"`
+
+	// The ID of the guest system you want to backup.
+	VMID *int `in:"query=vmid;omitempty"`
+
+	// Zstd threads. N=0 uses half of the available cores, if N is set to a value bigger than 0, N is used as thread count.
+	Zstd *int `in:"query=zstd;omitempty"`
+}
+
+// ClusterBackupPostJob Create new vzdump backup job.
+//
+// Required permissions:
+//
+//	The 'tmpdir', 'dumpdir' and 'script' parameters are additionally restricted to the 'root@pam' user.
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterBackupPostJob(req ClusterBackupPostJobRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/backup",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterBackupUpdateJobRequest struct {
+	ClusterBackupPostJobRequest
+
+	// Job ID
+	ID string `in:"path=id;nonzero"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+}
+
+// ClusterBackupUpdateJobUpdate vzdump backup job definition.
+//
+// Required permissions:
+//
+//	The 'tmpdir', 'dumpdir' and 'script' parameters are additionally restricted to the 'root@pam' user.
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterBackupUpdateJob(req ClusterBackupUpdateJobRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/backup/{id}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterBackupGetJobIncludedVolumes Returns included guests and the backup status of their disks. Optimized to be used in ExtJS tree views.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterBackupGetJobIncludedVolumes(id string) (res struct {
+	Children []struct {
+		VMID     int    `json:"id"`
+		Name     string `json:"name"`
+		Type     string `json:"type"`
+		Children []struct {
+			ID       string `json:"id"`
+			Included int    `json:"included"`
+			Name     string `json:"name"`
+			Reason   string `json:"reason"`
+		} `json:"children"`
+	} `json:"children"`
+}, err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/backup/{id}/included_volumes",
+		Method:  http.MethodGet,
+		Result:  &res,
+		Payload: &req,
+	})
+
+	return res, err
+}

From 7cb3e0b260dc4bc0976805aa5af404975d1478a2 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Wed, 20 Aug 2025 12:26:03 -0400
Subject: [PATCH 24/40] feat: added /api2/json/cluster/backup-info
 implementations

---
 pkg/api/cluster_backup_info.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 pkg/api/cluster_backup_info.go

diff --git a/pkg/api/cluster_backup_info.go b/pkg/api/cluster_backup_info.go
new file mode 100644
index 0000000..2977466
--- /dev/null
+++ b/pkg/api/cluster_backup_info.go
@@ -0,0 +1,17 @@
+package api
+
+import "net/http"
+
+func (s API) ClusterBackupInfoNotBackedUp() (res []struct {
+	Type string  `json:"type"`
+	VMID int     `json:"vmid"`
+	Name *string `json:"name"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/backup-info/not-backed-up",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}

From 52b6805a73c82e1f4f3ccbecc7765ed9f5db42ee Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Wed, 20 Aug 2025 12:52:49 -0400
Subject: [PATCH 25/40] feat: added /api2/json/cluster/ceph implementations

---
 pkg/api/cluster_ceph.go | 173 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 173 insertions(+)
 create mode 100644 pkg/api/cluster_ceph.go

diff --git a/pkg/api/cluster_ceph.go b/pkg/api/cluster_ceph.go
new file mode 100644
index 0000000..00d9738
--- /dev/null
+++ b/pkg/api/cluster_ceph.go
@@ -0,0 +1,173 @@
+package api
+
+import "net/http"
+
+// ClusterCephGetStatus Get ceph status.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit","Datastore.Audit"],"any",1]
+func (s API) ClusterCephGetStatus() (res any, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/ceph/status",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterCephGetMetadataRequest struct {
+	// Only return metadata for this config.
+	//
+	// 	all | versions
+	Scope string `in:"query=scope;omitempty"`
+}
+
+// ClusterCephGetMetadata Get ceph metadata.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit","Datastore.Audit"],"any",1]
+func (s API) ClusterCephGetMetadata(req ClusterCephGetMetadataRequest) (res struct {
+	MDS map[string]struct {
+		Addr             string `json:"addr"`
+		CephRelease      string `json:"ceph_release"`
+		CephVersion      string `json:"ceph_version"`
+		CephVersionShort string `json:"ceph_version_short"`
+		Hostname         string `json:"hostname"`
+		MemSwapKB        int    `json:"mem_swap_kb"`
+		MemTotalKB       int    `json:"mem_total_kb"`
+		Name             string `json:"name"`
+	} `json:"mds"`
+	MGR map[string]struct {
+		Addr             string `json:"addr"`
+		CephRelease      string `json:"ceph_release"`
+		CephVersion      string `json:"ceph_version"`
+		CephVersionShort string `json:"ceph_version_short"`
+		Hostname         string `json:"hostname"`
+		MemSwapKB        int    `json:"mem_swap_kb"`
+		MemTotalKB       int    `json:"mem_total_kb"`
+		Name             string `json:"name"`
+	} `json:"mgr"`
+	MON map[string]struct {
+		Addrs            string `json:"addrs"`
+		CephRelease      string `json:"ceph_release"`
+		CephVersion      string `json:"ceph_version"`
+		CephVersionShort string `json:"ceph_version_short"`
+		Hostname         string `json:"hostname"`
+		MemSwapKB        int    `json:"mem_swap_kb"`
+		MemTotalKB       int    `json:"mem_total_kb"`
+		Name             string `json:"name"`
+	} `json:"mon"`
+	Node map[string]struct {
+		BuildCommit string `json:"buildcommit"`
+		Version     struct {
+			Parts  []string `json:"parts"`
+			String string   `json:"str"`
+		} `json:"version"`
+	} `json:"node"`
+	OSD map[string]struct {
+		BackAddr         string `json:"addrs"`
+		CephRelease      string `json:"ceph_release"`
+		CephVersion      string `json:"ceph_version"`
+		CephVersionShort string `json:"ceph_version_short"`
+		DeviceID         string `json:"device_id"`
+		FrontAddr        string `json:"front_addr"`
+		Hostname         string `json:"hostname"`
+		ID               int    `json:"id"`
+		MemSwapKB        int    `json:"mem_swap_kb"`
+		MemTotalKB       int    `json:"mem_total_kb"`
+		OSDData          string `json:"osd_data"`
+		OSDObjectStore   string `json:"osd_objectstore"`
+	} `json:"osd"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ceph/metadata",
+		Method:  http.MethodGet,
+		Result:  &res,
+		Payload: &req,
+	})
+
+	return res, err
+}
+
+// ClusterCephFlagsGetStatus get the status of all ceph flags
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterCephFlagsGetAllStatus() (res []struct {
+	Description string `json:"description"`
+	Name        string `json:"name"`
+	Value       int    `json:"value"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/ceph/flags",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterCephFlagsGetStatus Get the status of a specific ceph flag.
+//
+// Parameters:
+//
+// - flag is the ceph flag name.
+//
+//	nobackfill | nodeep-scrub | nodown | noin | noout | norebalance | norecover | noscrub | notieragent | noup | pause
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterCephFlagsGetStatus(flag string) (res int, err error) {
+	req := struct {
+		Flag string `in:"path=flag;nonzero"`
+	}{
+		Flag: flag,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ceph/flags/{flag}",
+		Method:  http.MethodGet,
+		Result:  &res,
+		Payload: &req,
+	})
+
+	return res, err
+}
+
+// ClusterCephFlagsSetStatus Set the status of a specific ceph flag.
+//
+// Parameters:
+//
+//   - flag is the ceph flag name.
+//
+//     nobackfill | nodeep-scrub | nodown | noin | noout | norebalance | norecover | noscrub | notieragent | noup | pause
+//
+//   - value is the ceph flag value.
+//
+//     0 | 1
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterCephFlagsSetStatus(flag string, value int) (err error) {
+	req := struct {
+		Flag  string `in:"path=flag;nonzero"`
+		Value int    `in:"query=value"`
+	}{
+		Flag:  flag,
+		Value: value,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ceph/flags/{flag}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}

From d1b39878024c8cb6cb19d924e2d0dc65ab134d29 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Wed, 20 Aug 2025 17:50:40 -0400
Subject: [PATCH 26/40] feat: added /api2/json/cluster/config implementations

---
 pkg/api/api.go            |   4 +
 pkg/api/cluster_config.go | 268 ++++++++++++++++++++++++++++++++++++++
 pkg/api/httpin.go         |  43 ++++++
 3 files changed, 315 insertions(+)
 create mode 100644 pkg/api/cluster_config.go
 create mode 100644 pkg/api/httpin.go

diff --git a/pkg/api/api.go b/pkg/api/api.go
index 89918c6..f9a7401 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -51,6 +51,8 @@ type API struct {
 //
 // Any error returned is of type [errors].Error.
 //
+// It also initializes custom httpin directives.
+//
 // [errors]: https://pkg.go.dev/github.com/iolave/go-errors
 func New(
 	proto string,
@@ -58,6 +60,8 @@ func New(
 	port int,
 	insecureSkipVerify bool,
 ) (*API, error) {
+	httpinInit()
+
 	transport := &http.Transport{
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: insecureSkipVerify,
diff --git a/pkg/api/cluster_config.go b/pkg/api/cluster_config.go
new file mode 100644
index 0000000..c6300af
--- /dev/null
+++ b/pkg/api/cluster_config.go
@@ -0,0 +1,268 @@
+package api
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/iolave/go-errors"
+)
+
+type ClusterConfigPostConfigRequest struct {
+	// The name of the cluster.
+	ClusterName string `in:"query=clustername;nonzero"`
+
+	// Address and priority information of a single corosync link. (up to 8 links supported; link0..link7)
+	//
+	// 	[address=]<IP> [,priority=<integer>]
+	Links []string `in:"query_n=link;omitempty"`
+
+	// Node id for this node.
+	NodeID *int `in:"query=nodeid;omitempty"`
+
+	// Number of votes for this node.
+	Votes *int `in:"query=votes;omitempty"`
+}
+
+// ClusterConfigPostConfig Generate new cluster configuration. If no links given, default to local IP address as link0.
+//
+// Required permissions:
+//
+//	Root only.
+func (s API) ClusterConfigPostConfig(req ClusterConfigPostConfigRequest) (res string, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/config",
+		Method:  http.MethodPost,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterConfigGetAPIVersion Return the version of the cluster join API available on this node.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterConfigGetAPIVersion() (int, error) {
+	res := ""
+
+	err := s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/config/apiversion",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	if err != nil {
+		return 0, err
+	}
+
+	version, err := strconv.Atoi(res)
+	if err != nil {
+		return 0, errors.NewInternalServerError(
+			"failed to parse response",
+			err,
+		)
+	}
+
+	return version, err
+}
+
+type ClusterConfigGetJoinInfoRequest struct {
+	// The node for which the joinee gets the nodeinfo.
+	Node string `in:"query=node;omitempty"`
+}
+
+// ClusterConfigGetJoinInfo Get information needed to join this cluster over the connected node.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterConfigGetJoinInfo(req ClusterConfigGetJoinInfoRequest) (res struct {
+	ConfigDigest string `json:"config_digest"`
+	NodeList     []struct {
+		Name        string `json:"name"`
+		NodeID      int    `json:"nodeid"`
+		PVEAddr     string `json:"pve_addr"`
+		PVEFP       string `json:"pve_fp"`
+		QuorumVotes int    `json:"quorum_votes"`
+		// TODO: add proper type
+		Ring0Addr string `json:"ring0_addr"`
+	} `json:"nodelist"`
+	PreferredNode string `json:"preferred_node"`
+	// TODO: add proper type
+	Totem any `json:"totem"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/config/joininfo",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterConfigJoinClusterRequest struct {
+	// Certificate SHA 256 fingerprint.
+	//
+	// 	([A-Fa-f0-9]{2}:){31}[A-Fa-f0-9]{2}
+	Fingerprint string `in:"query=fingerprint;nonzero"`
+
+	// Hostname (or IP) of an existing cluster member.
+	Hostname string `in:"query=hostname;nonzero"`
+
+	// Superuser (root) password of peer node.
+	Password string `in:"query=password;nonzero"`
+
+	// Do not throw error if node already exists.
+	Force *int `in:"query=force;omitempty"`
+
+	// Address and priority information of a single corosync link. (up to 8 links supported; link0..link7)
+	//
+	// 	[address=]<IP> [,priority=<integer>]
+	Links []string `in:"query_n=link;omitempty"`
+
+	// Node id for this node.
+	Nodeid *int `in:"query=nodeid;omitempty"`
+
+	// Number of votes for this node
+	Votes *int `in:"query=votes;omitempty"`
+}
+
+// ClusterConfigJoinCluster Joins this node into an existing cluster. If no links are given, default to IP resolved by node's hostname on single link (fallback fails for clusters with multiple links).
+//
+// Required permissions:
+//
+//	Root only.
+func (s API) ClusterConfigJoinCluster(req ClusterConfigJoinClusterRequest) (res string, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/config/join",
+		Method:  http.MethodPost,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterConfigGetQDevice Get QDevice status
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+//
+// TODO: add proper response type
+func (s API) ClusterConfigGetQDevice() (res any, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/config/qdevice",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterConfigGetTotem Get corosync totem protocol settings.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+//
+// TODO: add proper response type
+func (s API) ClusterConfigGetTotem() (res any, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/config/totem",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterConfigGetNodes Corosync node list.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterConfigGetNodes() (res []struct {
+	Node string `json:"node"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/config/nodes",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterConfigAddNodeRequest struct {
+	// The cluster node name.
+	Node string `in:"path=node;nonzero"`
+
+	// The JOIN_API_VERSION of the new node.
+	APIVersion *int `in:"query=apiversion;omitempty"`
+
+	// Do not throw error if node already exists.
+	Force *int `in:"query=force;omitempty"`
+
+	// Address and priority information of a single corosync link. (up to 8 links supported; link0..link7)
+	//
+	// 	[address=]<IP> [,priority=<integer>]
+	Links []string `in:"query_n=link;omitempty"`
+
+	// IP Address of node to add. Used as fallback if no links are given.
+	NewNodeIP string `in:"query=new_node_ip;omitempty"`
+
+	// Node id for this node.
+	NodeID *int `in:"query=nodeid;omitempty"`
+
+	// Number of votes for this node
+	Votes *int `in:"query=votes;omitempty"`
+}
+
+// ClusterConfigAddNode Adds a node to the cluster configuration. This call is for internal use.
+//
+// Required permissions:
+//
+//	Root only.
+func (s API) ClusterConfigAddNode(req ClusterConfigAddNodeRequest) (res struct {
+	CoroSyncAuthKey string   `json:"corosync_authkey"`
+	CoroSyncConf    string   `json:"corosync_conf"`
+	Warnings        []string `json:"warnings"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/config/nodes/{node}",
+		Method:  http.MethodPost,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterConfigDeleteNode Removes a node from the cluster configuration.
+//
+// Parameters:
+//
+//   - node is the cluster node name.
+//
+// Required permissions:
+//
+//	Root only.
+func (s API) ClusterConfigDeleteNode(node string) (err error) {
+	req := struct {
+		Node string `in:"path=node;nonzero"`
+	}{
+		Node: node,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/config/nodes/{node}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/httpin.go b/pkg/api/httpin.go
new file mode 100644
index 0000000..93c7206
--- /dev/null
+++ b/pkg/api/httpin.go
@@ -0,0 +1,43 @@
+package api
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/ggicci/httpin/core"
+	"github.com/iolave/go-errors"
+)
+
+type directiveQueryNFormatter struct{}
+
+func (f *directiveQueryNFormatter) Decode(rtm *core.DirectiveRuntime) error {
+	return errors.NewWithName("http_in_error", "query_n decoding is not supported")
+}
+
+func (f *directiveQueryNFormatter) Encode(rtm *core.DirectiveRuntime) error {
+	if len(rtm.Directive.Argv) != 1 {
+		return errors.NewWithName("http_in_error", "query_n requires exactly one argument")
+	}
+
+	prefix := rtm.Directive.Argv[0]
+
+	if rtm.Value.Type().Kind() != reflect.Slice {
+		return errors.NewWithName("http_in_error", "not a slice")
+	}
+
+	len := rtm.Value.Len()
+	currentValue := rtm.Value.Slice(0, len)
+
+	for i := range len {
+		rtm.GetRequestBuilder().Query.Set(
+			fmt.Sprintf("%s[%d]", prefix, i),
+			currentValue.Index(i).String(),
+		)
+	}
+
+	return nil
+}
+
+func httpinInit() {
+	core.RegisterDirective("query_n", &directiveQueryNFormatter{})
+}

From b235f30c4fa597a347f7e8951429d03027d1b3da Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Wed, 20 Aug 2025 21:37:12 -0400
Subject: [PATCH 27/40] refactor: api cluster/* and cluster/acme/* root methods
 were condensed into their own files

---
 pkg/api/{cluster_options.go => cluster.go} | 174 ++++++++++++++++++++-
 pkg/api/cluster_acme.go                    |  76 +++++++++
 pkg/api/cluster_acme_challschema.go        |  29 ----
 pkg/api/cluster_acme_directories.go        |  21 ---
 pkg/api/cluster_acme_meta.go               |  32 ----
 pkg/api/cluster_log.go                     |  34 ----
 pkg/api/cluster_next_id.go                 |  40 -----
 pkg/api/cluster_resources.go               |  55 -------
 pkg/api/cluster_status.go                  |  30 ----
 pkg/api/cluster_tasks.go                   |  28 ----
 10 files changed, 249 insertions(+), 270 deletions(-)
 rename pkg/api/{cluster_options.go => cluster.go} (66%)
 create mode 100644 pkg/api/cluster_acme.go
 delete mode 100644 pkg/api/cluster_acme_challschema.go
 delete mode 100644 pkg/api/cluster_acme_directories.go
 delete mode 100644 pkg/api/cluster_acme_meta.go
 delete mode 100644 pkg/api/cluster_log.go
 delete mode 100644 pkg/api/cluster_next_id.go
 delete mode 100644 pkg/api/cluster_resources.go
 delete mode 100644 pkg/api/cluster_status.go
 delete mode 100644 pkg/api/cluster_tasks.go

diff --git a/pkg/api/cluster_options.go b/pkg/api/cluster.go
similarity index 66%
rename from pkg/api/cluster_options.go
rename to pkg/api/cluster.go
index 8464a87..59a62e3 100644
--- a/pkg/api/cluster_options.go
+++ b/pkg/api/cluster.go
@@ -1,6 +1,146 @@
 package api
 
-import "net/http"
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/iolave/go-errors"
+)
+
+type ClusterGetLogRequest struct {
+	// Maximum number of entries (1 - N)
+	MaxEntries *int `in:"query=max;omitempty"`
+}
+
+// ClusterGetLog Read cluster log.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterGetLog(req ClusterGetLogRequest) (res []struct {
+	ID      string `json:"id"`
+	Message string `json:"msg"`
+	UID     string `json:"uid"`
+	Time    int    `json:"time"`
+	Node    string `json:"node"`
+	PID     int    `json:"pid"`
+	Pri     int    `json:"pri"`
+	User    string `json:"user"`
+	Tag     string `json:"tag"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/log",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterGetTasks List recent tasks (cluster wide).
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterGetTasks() (res []struct {
+	UpID      string  `json:"upid"`
+	Node      *string `json:"node"`
+	Status    *string `json:"status"`
+	ID        *string `json:"id"`
+	StartTime *int    `json:"starttime"`
+	Saved     *string `json:"saved"`
+	User      *string `json:"user"`
+	EndTime   *int    `json:"endtime"`
+	Type      *string `json:"type"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/tasks",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterGetStatus Get cluster status information.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterGetStatus() (res []struct {
+	ID      string  `json:"id"`
+	Name    string  `json:"name"`
+	Type    string  `json:"type"`
+	IP      *string `json:"ip"`
+	Level   *string `json:"level"`
+	Local   *int    `json:"local"`
+	NodeID  *int    `json:"nodeid"`
+	Nodes   *int    `json:"nodes"`
+	Online  *int    `json:"online"`
+	QuoRate *int    `json:"quorate"`
+	Version *int    `json:"version"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/status",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterGetResourcesRequest struct {
+	// Resource type.
+	//
+	// 	vm | storage | node | sdn
+	Type string `in:"query=type"`
+}
+
+// ClusterGetResources Resources index (cluster wide).
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterGetResources(req ClusterGetResourcesRequest) (res []struct {
+	ID         string  `json:"id"`
+	Type       string  `json:"type"`
+	CGroupMode *int    `json:"cgroup-mode"`
+	Content    *string `json:"content"`
+	CPU        *int    `json:"cpu"`
+	Disk       *int    `json:"disk"`
+	DiskRead   *int    `json:"diskread"`
+	DiskWrite  *int    `json:"diskwrite"`
+	HAState    *string `json:"hastate"`
+	Level      *string `json:"level"`
+	Lock       *string `json:"lock"`
+	MaxCPU     *int    `json:"maxcpu"`
+	MaxDisk    *int    `json:"maxdisk"`
+	MaxMem     *int    `json:"maxmem"`
+	Mem        *int    `json:"mem"`
+	MemHost    *int    `json:"memhost"`
+	Name       *string `json:"name"`
+	NetIn      *int    `json:"netin"`
+	NetOut     *int    `json:"netout"`
+	Node       *string `json:"node"`
+	PluginType *string `json:"plugintype"`
+	Pool       *string `json:"pool"`
+	Status     *string `json:"status"`
+	Storage    *string `json:"storage"`
+	Tags       *string `json:"tags"`
+	Template   *int    `json:"template"`
+	Uptime     *int    `json:"uptime"`
+	VMID       *int    `json:"vmid"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/resources",
+		Method:  http.MethodGet,
+		Result:  &res,
+		Payload: &req,
+	})
+
+	return res, err
+}
 
 // ClusterGetOptions Get datacenter options. Without 'Sys.Audit'
 // on '/' not all options are returned.
@@ -202,3 +342,35 @@ func (c API) ClusterPutOptions(req ClusterPutOptionsRequest) (err error) {
 
 	return err
 }
+
+type ClusterGetNextIDRequest struct {
+	// The (unique) ID of the VM.
+	VMID int `in:"query=vmid;omitempty"`
+}
+
+// ClusterGetNextID Get next free VMID. Pass a VMID
+// to assert that its free (at time of check).
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterGetNextID(req ClusterGetNextIDRequest) (int, error) {
+	res := ""
+
+	err := c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/nextid",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	vmid, err := strconv.Atoi(res)
+	if err != nil {
+		return 0, errors.NewInternalServerError(
+			"failed to parse response",
+			err,
+		)
+	}
+
+	return vmid, err
+}
diff --git a/pkg/api/cluster_acme.go b/pkg/api/cluster_acme.go
new file mode 100644
index 0000000..270276e
--- /dev/null
+++ b/pkg/api/cluster_acme.go
@@ -0,0 +1,76 @@
+package api
+
+import "net/http"
+
+type ClusterGetACMEMetaRequest struct {
+	// URL of ACME CA directory endpoint. Defaults to https://acme-v02.api.letsencrypt.org/directory
+	//
+	// ^https?://.*
+	Directory string `in:"query=directory;omitempty"`
+}
+
+// ClusterACMEGetMeta Retrieve ACME Directory Meta Information
+//
+// Required permissions:
+//
+//	Check: ["perm","/nodes/{node}",["Sys.Audit"]]
+func (c API) ClusterACMEGetMeta(req ClusterGetACMEMetaRequest) (res struct {
+	CAAIdentities           []string          `json:"caaIdentities"`
+	ExternalAccountRequired *bool             `json:"externalAccountRequired"`
+	TermsOfService          *string           `json:"termsOfService"`
+	Website                 *string           `json:"website"`
+	Profiles                map[string]string `json:"profiles"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/acme/meta",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterACMEGetDirectories Get named known ACME directory endpoints.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterACMEGetDirectories() (res []struct {
+	URL  string `json:"url"`
+	Name string `json:"name"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/acme/directories",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterACMEGetChallSchema Get schema of ACME challenge types.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterACMEGetChallSchema() (res []struct {
+	ID     string `json:"id"`
+	Name   string `json:"name"`
+	Schema struct {
+		Name   string `json:"name,omitempty"`
+		Fields map[string]struct {
+			Type string `json:"type"`
+			Desc string `json:"description"`
+		} `json:"fields,omitempty"`
+	} `json:"schema"`
+	Type string `json:"type"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/acme/challenge-schema",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_acme_challschema.go b/pkg/api/cluster_acme_challschema.go
deleted file mode 100644
index f611c31..0000000
--- a/pkg/api/cluster_acme_challschema.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package api
-
-import "net/http"
-
-// ClusterACMEGetChallSchema Get schema of ACME challenge types.
-//
-// Required permissions:
-//
-//	Accessible by all authenticated users.
-func (c API) ClusterACMEGetChallSchema() (res []struct {
-	ID     string `json:"id"`
-	Name   string `json:"name"`
-	Schema struct {
-		Name   string `json:"name,omitempty"`
-		Fields map[string]struct {
-			Type string `json:"type"`
-			Desc string `json:"description"`
-		} `json:"fields,omitempty"`
-	} `json:"schema"`
-	Type string `json:"type"`
-}, err error) {
-	err = c.SendPVERequest(PVERequest{
-		Path:   "/api2/json/cluster/acme/challenge-schema",
-		Method: http.MethodGet,
-		Result: &res,
-	})
-
-	return res, err
-}
diff --git a/pkg/api/cluster_acme_directories.go b/pkg/api/cluster_acme_directories.go
deleted file mode 100644
index 6af816c..0000000
--- a/pkg/api/cluster_acme_directories.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package api
-
-import "net/http"
-
-// ClusterACMEGetDirectories Get named known ACME directory endpoints.
-//
-// Required permissions:
-//
-//	Accessible by all authenticated users.
-func (c API) ClusterACMEGetDirectories() (res []struct {
-	URL  string `json:"url"`
-	Name string `json:"name"`
-}, err error) {
-	err = c.SendPVERequest(PVERequest{
-		Path:   "/api2/json/cluster/acme/directories",
-		Method: http.MethodGet,
-		Result: &res,
-	})
-
-	return res, err
-}
diff --git a/pkg/api/cluster_acme_meta.go b/pkg/api/cluster_acme_meta.go
deleted file mode 100644
index 30ba601..0000000
--- a/pkg/api/cluster_acme_meta.go
+++ /dev/null
@@ -1,32 +0,0 @@
-package api
-
-import "net/http"
-
-type ClusterGetACMEMetaRequest struct {
-	// URL of ACME CA directory endpoint. Defaults to https://acme-v02.api.letsencrypt.org/directory
-	//
-	// ^https?://.*
-	Directory string `in:"query=directory;omitempty"`
-}
-
-// ClusterACMEGetMeta Retrieve ACME Directory Meta Information
-//
-// Required permissions:
-//
-//	Check: ["perm","/nodes/{node}",["Sys.Audit"]]
-func (c API) ClusterACMEGetMeta(req ClusterGetACMEMetaRequest) (res struct {
-	CAAIdentities           []string          `json:"caaIdentities"`
-	ExternalAccountRequired *bool             `json:"externalAccountRequired"`
-	TermsOfService          *string           `json:"termsOfService"`
-	Website                 *string           `json:"website"`
-	Profiles                map[string]string `json:"profiles"`
-}, err error) {
-	err = c.SendPVERequest(PVERequest{
-		Path:    "/api2/json/cluster/acme/meta",
-		Method:  http.MethodGet,
-		Payload: &req,
-		Result:  &res,
-	})
-
-	return res, err
-}
diff --git a/pkg/api/cluster_log.go b/pkg/api/cluster_log.go
deleted file mode 100644
index 9ddf4e6..0000000
--- a/pkg/api/cluster_log.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package api
-
-import "net/http"
-
-type ClusterGetLogRequest struct {
-	// Maximum number of entries (1 - N)
-	MaxEntries *int `in:"query=max;omitempty"`
-}
-
-// ClusterGetLog Read cluster log.
-//
-// Required permissions:
-//
-//	Accessible by all authenticated users.
-func (c API) ClusterGetLog(req ClusterGetLogRequest) (res []struct {
-	ID      string `json:"id"`
-	Message string `json:"msg"`
-	UID     string `json:"uid"`
-	Time    int    `json:"time"`
-	Node    string `json:"node"`
-	PID     int    `json:"pid"`
-	Pri     int    `json:"pri"`
-	User    string `json:"user"`
-	Tag     string `json:"tag"`
-}, err error) {
-	err = c.SendPVERequest(PVERequest{
-		Path:    "/api2/json/cluster/log",
-		Method:  http.MethodGet,
-		Payload: &req,
-		Result:  &res,
-	})
-
-	return res, err
-}
diff --git a/pkg/api/cluster_next_id.go b/pkg/api/cluster_next_id.go
deleted file mode 100644
index a3d8a25..0000000
--- a/pkg/api/cluster_next_id.go
+++ /dev/null
@@ -1,40 +0,0 @@
-package api
-
-import (
-	"net/http"
-	"strconv"
-
-	"github.com/iolave/go-errors"
-)
-
-type ClusterGetNextIDRequest struct {
-	// The (unique) ID of the VM.
-	VMID int `in:"query=vmid;omitempty"`
-}
-
-// ClusterGetNextID Get next free VMID. Pass a VMID
-// to assert that its free (at time of check).
-//
-// Required permissions:
-//
-//	Accessible by all authenticated users.
-func (c API) ClusterGetNextID(req ClusterGetNextIDRequest) (int, error) {
-	res := ""
-
-	err := c.SendPVERequest(PVERequest{
-		Path:    "/api2/json/cluster/nextid",
-		Method:  http.MethodGet,
-		Payload: &req,
-		Result:  &res,
-	})
-
-	vmid, err := strconv.Atoi(res)
-	if err != nil {
-		return 0, errors.NewInternalServerError(
-			"failed to parse response",
-			err,
-		)
-	}
-
-	return vmid, err
-}
diff --git a/pkg/api/cluster_resources.go b/pkg/api/cluster_resources.go
deleted file mode 100644
index 8d39c2e..0000000
--- a/pkg/api/cluster_resources.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package api
-
-import "net/http"
-
-type ClusterGetResourcesRequest struct {
-	// Resource type.
-	//
-	// 	vm | storage | node | sdn
-	Type string `in:"query=type"`
-}
-
-// ClusterGetResources Resources index (cluster wide).
-//
-// Required permissions:
-//
-//	Accessible by all authenticated users.
-func (c API) ClusterGetResources(req ClusterGetResourcesRequest) (res []struct {
-	ID         string  `json:"id"`
-	Type       string  `json:"type"`
-	CGroupMode *int    `json:"cgroup-mode"`
-	Content    *string `json:"content"`
-	CPU        *int    `json:"cpu"`
-	Disk       *int    `json:"disk"`
-	DiskRead   *int    `json:"diskread"`
-	DiskWrite  *int    `json:"diskwrite"`
-	HAState    *string `json:"hastate"`
-	Level      *string `json:"level"`
-	Lock       *string `json:"lock"`
-	MaxCPU     *int    `json:"maxcpu"`
-	MaxDisk    *int    `json:"maxdisk"`
-	MaxMem     *int    `json:"maxmem"`
-	Mem        *int    `json:"mem"`
-	MemHost    *int    `json:"memhost"`
-	Name       *string `json:"name"`
-	NetIn      *int    `json:"netin"`
-	NetOut     *int    `json:"netout"`
-	Node       *string `json:"node"`
-	PluginType *string `json:"plugintype"`
-	Pool       *string `json:"pool"`
-	Status     *string `json:"status"`
-	Storage    *string `json:"storage"`
-	Tags       *string `json:"tags"`
-	Template   *int    `json:"template"`
-	Uptime     *int    `json:"uptime"`
-	VMID       *int    `json:"vmid"`
-}, err error) {
-	err = c.SendPVERequest(PVERequest{
-		Path:    "/api2/json/cluster/resources",
-		Method:  http.MethodGet,
-		Result:  &res,
-		Payload: &req,
-	})
-
-	return res, err
-}
diff --git a/pkg/api/cluster_status.go b/pkg/api/cluster_status.go
deleted file mode 100644
index 24d1434..0000000
--- a/pkg/api/cluster_status.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package api
-
-import "net/http"
-
-// ClusterGetStatus Get cluster status information.
-//
-// Required permissions:
-//
-//	Check: ["perm","/",["Sys.Audit"]]
-func (c API) ClusterGetStatus() (res []struct {
-	ID      string  `json:"id"`
-	Name    string  `json:"name"`
-	Type    string  `json:"type"`
-	IP      *string `json:"ip"`
-	Level   *string `json:"level"`
-	Local   *int    `json:"local"`
-	NodeID  *int    `json:"nodeid"`
-	Nodes   *int    `json:"nodes"`
-	Online  *int    `json:"online"`
-	QuoRate *int    `json:"quorate"`
-	Version *int    `json:"version"`
-}, err error) {
-	err = c.SendPVERequest(PVERequest{
-		Path:   "/api2/json/cluster/status",
-		Method: http.MethodGet,
-		Result: &res,
-	})
-
-	return res, err
-}
diff --git a/pkg/api/cluster_tasks.go b/pkg/api/cluster_tasks.go
deleted file mode 100644
index 55dbe29..0000000
--- a/pkg/api/cluster_tasks.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package api
-
-import "net/http"
-
-// ClusterGetTasks List recent tasks (cluster wide).
-//
-// Required permissions:
-//
-//	Accessible by all authenticated users.
-func (c API) ClusterGetTasks() (res []struct {
-	UpID      string  `json:"upid"`
-	Node      *string `json:"node"`
-	Status    *string `json:"status"`
-	ID        *string `json:"id"`
-	StartTime *int    `json:"starttime"`
-	Saved     *string `json:"saved"`
-	User      *string `json:"user"`
-	EndTime   *int    `json:"endtime"`
-	Type      *string `json:"type"`
-}, err error) {
-	err = c.SendPVERequest(PVERequest{
-		Path:   "/api2/json/cluster/tasks",
-		Method: http.MethodGet,
-		Result: &res,
-	})
-
-	return res, err
-}

From dc870c5a121092e69f64186b67db91027fc1ee75 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Sun, 24 Aug 2025 17:18:22 -0400
Subject: [PATCH 28/40] feat: added /api2/json/cluster/firewall implementations

---
 pkg/api/cluster_firewall.go         | 122 +++++++++++++
 pkg/api/cluster_firewall_aliases.go | 141 ++++++++++++++
 pkg/api/cluster_firewall_groups.go  | 274 ++++++++++++++++++++++++++++
 pkg/api/cluster_firewall_ipset.go   | 195 ++++++++++++++++++++
 pkg/api/cluster_firewall_rules.go   | 200 ++++++++++++++++++++
 pkg/api/helpers.go                  |   1 +
 6 files changed, 933 insertions(+)
 create mode 100644 pkg/api/cluster_firewall.go
 create mode 100644 pkg/api/cluster_firewall_aliases.go
 create mode 100644 pkg/api/cluster_firewall_groups.go
 create mode 100644 pkg/api/cluster_firewall_ipset.go
 create mode 100644 pkg/api/cluster_firewall_rules.go

diff --git a/pkg/api/cluster_firewall.go b/pkg/api/cluster_firewall.go
new file mode 100644
index 0000000..93809e9
--- /dev/null
+++ b/pkg/api/cluster_firewall.go
@@ -0,0 +1,122 @@
+package api
+
+import "net/http"
+
+type ClusterFirewallGetRefsRequest struct {
+	// Only list references of specified type.
+	//
+	// 	alias | ipset
+	Type string `in:"query=type;omitempty"`
+}
+
+// ClusterFirewallGetRefs Lists possible IPSet/Alias reference which are allowed in source/dest properties.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterFirewallGetRefs(req ClusterFirewallGetRefsRequest) (res []struct {
+	Name    string `json:"name"`
+	Ref     string `json:"ref"`
+	Scope   string `json:"scope"`
+	Type    string `json:"type"`
+	Comment string `json:"comment"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/refs",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterFirewallGetOptions Get Firewall options.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterFirewallGetOptions() (res struct {
+	EBTables      *int    `json:"ebtables"`
+	Enable        *int    `json:"enable"`
+	LogRateLimit  *string `json:"log_ratelimit"`
+	PolicyForward *int    `json:"policy_forward"`
+	PolicyIn      *int    `json:"policy_in"`
+	PolicyOut     *int    `json:"policy_out"`
+	Digest        *string `json:"digest"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/firewall/options",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterFirewallPutOptionsRequest struct {
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Enable ebtables rules cluster wide.
+	EBTables *int `in:"query=ebtables;omitempty"`
+
+	// Enable or disable the firewall cluster wide.
+	Enable *int `in:"query=enable;omitempty"`
+
+	// Log ratelimiting settings
+	//
+	// 	[enable=]<1|0> [,burst=<integer>] [,rate=<rate>]
+	LogRateLimit string `in:"query=log_ratelimit;omitempty"`
+
+	// Forward policy.
+	//
+	// 	ACCEPT | DROP
+	PolicyForward string `in:"query=policy_forward;omitempty"`
+
+	// Input policy.
+	//
+	// 	ACCEPT | REJECT | DROP
+	PolicyIn string `in:"query=policy_in;omitempty"`
+
+	// Output policy.
+	//
+	// 	ACCEPT | REJECT | DROP
+	PolicyOut string `in:"query=policy_out;omitempty"`
+}
+
+// ClusterFirewallPutOptions Set Firewall options.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallPutOptions(req ClusterFirewallPutOptionsRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/options",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterFirewallGetMacros List available macros
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (s API) ClusterFirewallGetMacros() (res []struct {
+	Description string `json:"descr"`
+	Macro       string `json:"macro"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/firewall/macros",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_firewall_aliases.go b/pkg/api/cluster_firewall_aliases.go
new file mode 100644
index 0000000..52c34ed
--- /dev/null
+++ b/pkg/api/cluster_firewall_aliases.go
@@ -0,0 +1,141 @@
+package api
+
+import "net/http"
+
+type ClusterFirewallAliasesGetResponse struct {
+	// Network/IP specification in CIDR format.
+	CIDR string `json:"cidr"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `json:"digest"`
+
+	// Alias name.
+	Name string `json:"name"`
+
+	// Descriptive comment.
+	Comment string `json:"comment"`
+}
+
+// ClusterFirewallAliasesList List aliases.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterFirewallAliasesList() (res []ClusterFirewallAliasesGetResponse, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/firewall/aliases",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterFirewallAliasesGet Get IP or Network Alias.
+//
+// Parameters:
+//
+//   - name is the alias name.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterFirewallAliasesGet(name string) (res ClusterFirewallAliasesGetResponse, err error) {
+	req := struct {
+		Name string `in:"path=name"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/aliases/{name}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterFirewallAliasesNewRequest struct {
+	// Network/IP specification in CIDR format.
+	CIDR string `in:"query=cidr;nonzero"`
+
+	// Alias name.
+	Name string `in:"query=name;nonzero"`
+
+	// Descriptive comment.
+	Comment string `in:"query=comment;omitempty"`
+}
+
+// ClusterFirewallAliasesNew Create IP or Network Alias.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterFirewallAliasesNew(req ClusterFirewallAliasesNewRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/aliases",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterFirewallAliasesUpdateRequest struct {
+	// Network/IP specification in CIDR format.
+	CIDR string `in:"query=cidr;omitempty"`
+
+	// Name of the alias.
+	Name string `in:"path=name;nonzero"`
+
+	// Descriptive comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Rename an existing alias.
+	Rename string `in:"query=rename;omitempty"`
+}
+
+// ClusterFirewallAliasesUpdate Update IP or Network Alias.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterFirewallAliasesUpdate(req ClusterFirewallAliasesUpdateRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/aliases/{name}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterFirewallAliasesDelete Delete IP or Network Alias.
+//
+// Parameters:
+//
+//   - name is the alias name.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterFirewallAliasesDelete(name string) (err error) {
+	req := struct {
+		Name string `in:"path=name"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/aliases/{name}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_firewall_groups.go b/pkg/api/cluster_firewall_groups.go
new file mode 100644
index 0000000..3e37e27
--- /dev/null
+++ b/pkg/api/cluster_firewall_groups.go
@@ -0,0 +1,274 @@
+package api
+
+import "net/http"
+
+// ClusterFirewallGroupsList List security groups.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterFirewallGroupsList() (res []struct {
+	Group   string `json:"group"`
+	Comment string `json:"comment"`
+	Digest  string `json:"digest"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/firewall/groups",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterFirewallGroupsPostRequest struct {
+	// Security Group name.
+	Name string `in:"query=group;omitempty"`
+
+	// Security Group comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Rename/update an existing security group. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing group.
+	Rename string `in:"query=rename;omitempty"`
+}
+
+// ClusterFirewallGroupsPost Create new security group.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterFirewallGroupsPost(req ClusterFirewallGroupsPostRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/groups",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterFirewallGroupsGetResponse struct {
+	Action    string  `json:"action"`
+	Pos       int     `json:"pos"`
+	Type      string  `json:"type"`
+	Comment   string  `json:"comment"`
+	Dest      *string `json:"dest"`
+	DPort     *string `json:"dport"`
+	Enable    *int    `json:"enable"`
+	ICMPType  *string `json:"icmp-type"`
+	Iface     *string `json:"iface"`
+	IPVersion *int    `json:"ipversion"`
+	Log       *string `json:"log"`
+	Macro     *string `json:"macro"`
+	Protocol  *string `json:"proto"`
+	Source    *string `json:"source"`
+	SPort     *string `json:"sport"`
+}
+
+// ClusterFirewallGroupsGet List rules.
+//
+// Parameters:
+//
+//   - name is the security group name.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterFirewallGroupsGet(name string) (res []ClusterFirewallGroupsGetResponse, err error) {
+	req := struct {
+		Group string `in:"path=group"`
+	}{
+		Group: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/groups/{group}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterFirewallGroupsNewRuleRequest struct {
+	// Security Group name.
+	Name string `in:"path=group;nonzero"`
+
+	// Rule type.
+	//
+	// 	in | out | forward | group
+	Type string `in:"query=type;nonzero"`
+
+	// Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.
+	Action string `in:"query=action;nonzero"`
+
+	// Descriptive comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Restrict packet destination address. This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.
+	Dest string `in:"query=dest;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Restrict TCP/UDP destination port. You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\d+:\d+', for example '80:85', and you can use comma separated list to match several ports or ranges.
+	Dport string `in:"query=dport;omitempty"`
+
+	// Flag to enable/disable a rule.
+	Enable *int `in:"query=enable;omitempty"`
+	// Specify icmp-type. Only valid if proto equals 'icmp' or 'icmpv6'/'ipv6-icmp'.
+	ICMPType string `in:"query=icmp-type;omitempty"`
+
+	// Network interface name. You have to use network configuration key names for VMs and containers ('net\d+'). Host related rules can use arbitrary strings.
+	Iface string `in:"query=iface;omitempty"`
+
+	// Log level for firewall rule.
+	//
+	// 	emerg | alert | crit | err | warning | notice | info | debug | nolog
+	Log string `in:"query=log;omitempty"`
+
+	// Use predefined standard macro.
+	Macro string `in:"query=macro;omitempty"`
+
+	// Update rule at position <pos>.
+	Pos *int `in:"query=pos;omitempty"`
+
+	// IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as defined in '/etc/protocols'.
+	Proto string `in:"query=proto;omitempty"`
+
+	// Restrict packet source address. This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.
+	Source string `in:"query=source;omitempty"`
+
+	// Restrict TCP/UDP source port. You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\d+:\d+', for example '80:85', and you can use comma separated list to match several ports or ranges.
+	Sport string `in:"query=sport;omitempty"`
+}
+
+// ClusterFirewallGroupsNewRule Create new rule.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterFirewallGroupsNewRule(req ClusterFirewallGroupsNewRuleRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/groups/{group}",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterFirewallGroupsDelete Delete security group.
+//
+// Parameters:
+//
+//   - name is the security group name.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterFirewallGroupsDelete(name string) (err error) {
+	req := struct {
+		Group string `in:"path=group"`
+	}{
+		Group: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/groups/{group}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterFirewallGroupsGetRule Get single rule data.
+//
+// Parameters:
+//
+//   - name is the security group name.
+//   - pos is the rule position.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterFirewallGroupsGetRule(name string, pos int) (res ClusterFirewallGroupsGetResponse, err error) {
+	req := struct {
+		Group string `in:"path=group"`
+		Pos   int    `in:"path=pos"`
+	}{
+		Group: name,
+		Pos:   pos,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/groups/{group}/{pos}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterFirewallGroupsUpdateRuleRequest struct {
+	// Security Group name.
+	Name string `in:"path=group;nonzero"`
+
+	// Rule position.
+	Pos int `in:"path=pos"`
+
+	// Move rule to new position <moveto>. Other arguments are ignored.
+	MoveTo *int `in:"query=moveto;omitempty"`
+
+	// Name and Pos will be ignored from this property.
+	ClusterFirewallGroupsNewRuleRequest
+}
+
+// ClusterFirewallGroupsUpdateRule Modify rule data.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterFirewallGroupsUpdateRule(req ClusterFirewallGroupsUpdateRuleRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/groups/{group}/{pos}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterFirewallGroupsDeleteRule Delete rule.
+//
+// Parameters:
+//
+//   - name is the security group name.
+//   - pos is the rule position.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterFirewallGroupsDeleteRule(name string, pos int) (err error) {
+	req := struct {
+		Group string `in:"path=group"`
+		Pos   int    `in:"path=pos"`
+	}{
+		Group: name,
+		Pos:   pos,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/groups/{group}/{pos}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_firewall_ipset.go b/pkg/api/cluster_firewall_ipset.go
new file mode 100644
index 0000000..5aa3c40
--- /dev/null
+++ b/pkg/api/cluster_firewall_ipset.go
@@ -0,0 +1,195 @@
+package api
+
+import "net/http"
+
+// ClusterFirewallIPSetList List IPSets
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterFirewallIPSetList() (res []struct {
+	Name    string `json:"name"`
+	Digest  string `json:"digest"`
+	Comment string `json:"comment"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/firewall/ipset",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterFirewallIPSetGet List IPSet content
+//
+// Parameters:
+//
+//   - name is the IPSet name.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterFirewallIPSetGet(name string) (res []struct {
+	CIDR    string `json:"cidr"`
+	Digest  string `json:"digest"`
+	Comment string `json:"comment"`
+	NoMatch *int   `json:"nomatch"`
+}, err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/ipset/{name}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterFirewallIPSetPostRequest struct {
+	// IP set name.
+	Name string `in:"query=name;nonzero"`
+
+	// IP set comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Rename an existing IPSet. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing IPSet.
+	Rename string `in:"query=rename;omitempty"`
+}
+
+// ClusterFirewallIPSetPost Create new IPSet
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallIPSetPost(req ClusterFirewallIPSetPostRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/ipset",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterFirewallIPSetAddCIDRRequest struct {
+	// IP set name.
+	Name string `in:"path=name;nonzero"`
+
+	// Network/IP specification in CIDR format.
+	CIDR string `in:"query=cidr;nonzero"`
+
+	// IP set comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// TODO: add proper comment
+	NoMatch *int `in:"query=nomatch;omitempty"`
+}
+
+// ClusterFirewallIPSetAddCIDR Add IP or Network to IPSet.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallIPSetAddCIDR(req ClusterFirewallIPSetAddCIDRRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/ipset/{name}",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterFirewallIPSetUpdateCIDRRequest struct {
+	Name    string `in:"path=name;nonzero"`
+	CIDR    string `in:"path=cidr;nonzero"`
+	Comment string `in:"query=comment;omitempty"`
+	Digest  string `in:"query=digest;omitempty"`
+	NoMatch *int   `in:"query=nomatch;omitempty"`
+}
+
+// ClusterFirewallIPSetUpdateCIDR Update IP or Network settings
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallIPSetUpdateCIDR(req ClusterFirewallIPSetUpdateCIDRRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/ipset/{name}/{cidr}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterFirewallIPSetDeleteCIDR Remove IP or Network from IPSet.
+//
+// Parameters:
+//
+//   - name is the IPSet name.
+//   - cidr is the IP or Network to remove.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallIPSetDeleteCIDR(name string, cidr string) (err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+		CIDR string `in:"path=cidr;nonzero"`
+	}{
+		Name: name,
+		CIDR: cidr,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/ipset/{name}/{cidr}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterFirewallIPSetDelete Delete IPSet.
+//
+// Parameters:
+//
+//   - name is the IPSet name.
+//   - force delete all members of the IPSet, if there are any.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallIPSetDelete(name string, force bool) (err error) {
+	req := struct {
+		Name  string `in:"path=name;nonzero"`
+		Force *int   `in:"query=force;omitempty"`
+	}{
+		Name: name,
+	}
+
+	if force {
+		req.Force = Int(1)
+	} else {
+		req.Force = Int(0)
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/ipset/{name}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_firewall_rules.go b/pkg/api/cluster_firewall_rules.go
new file mode 100644
index 0000000..cd3dd84
--- /dev/null
+++ b/pkg/api/cluster_firewall_rules.go
@@ -0,0 +1,200 @@
+package api
+
+import (
+	"net/http"
+	"strconv"
+
+	"github.com/iolave/go-errors"
+)
+
+type ClusterFirewallRulesGetResponse struct {
+	// Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.
+	Action *string `json:"action"`
+
+	// Rule type.
+	//
+	// 	in | out | forward | group
+	Type *string `json:"type"`
+
+	// Descriptive comment.
+	Comment string `json:"comment"`
+
+	// Restrict packet destination address. This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.
+	Dest *string `json:"dest"`
+
+	//Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest *string `json:"digest"`
+
+	// Restrict TCP/UDP destination port. You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\d+:\d+', for example '80:85', and you can use comma separated list to match several ports or ranges.
+	DPort *string `json:"dport"`
+
+	// Flag to enable/disable a rule.
+	Enable *int `json:"enable"`
+
+	// Specify icmp-type. Only valid if proto equals 'icmp' or 'icmpv6'/'ipv6-icmp'.
+	ICMPType *string `json:"icmp-type"`
+
+	// Network interface name. You have to use network configuration key names for VMs and containers ('net\d+'). Host related rules can use arbitrary strings.
+	Iface *string `json:"iface"`
+
+	// Log level for firewall rule.
+	//
+	// 	emerg | alert | crit | err | warning | notice | info | debug | nolog
+	Log *string `json:"log"`
+
+	// Use predefined standard macro.
+	Macro *string `json:"macro"`
+
+	// rule at position <pos>.
+	Pos *int `json:"pos"`
+
+	// IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as defined in '/etc/protocols'.
+	Proto *string `json:"proto"`
+
+	// Restrict packet source address. This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.
+	Source *string `json:"source"`
+
+	// Restrict TCP/UDP source port. You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\d+:\d+', for example '80:85', and you can use comma separated list to match several ports or ranges.
+	SPort *string `json:"sport"`
+}
+
+// ClusterFirewallRulesGetAll List rules.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterFirewallRulesGetAll() (res []ClusterFirewallRulesGetResponse, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/firewall/rules",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterFirewallRulesGet Get single rule data.
+//
+// Parameters:
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterFirewallRulesGet(pos int) (ClusterFirewallRulesGetResponse, error) {
+	res := struct {
+		ClusterFirewallRulesGetResponse
+		Pos string `json:"pos"`
+	}{}
+
+	req := struct {
+		Pos int `in:"path=pos"`
+	}{
+		Pos: pos,
+	}
+
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/rules/{pos}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+	if err != nil {
+		return ClusterFirewallRulesGetResponse{}, err
+	}
+
+	pos, err = strconv.Atoi(res.Pos)
+	if err != nil {
+		return ClusterFirewallRulesGetResponse{}, errors.NewInternalServerError(
+			"failed to parse response",
+			err,
+		)
+	}
+	res.ClusterFirewallRulesGetResponse.Pos = Int(pos)
+
+	return res.ClusterFirewallRulesGetResponse, err
+}
+
+type ClusterFirewallRulesPostRequest struct {
+	Action   string `in:"query=action;omitempty"`
+	Type     string `in:"query=type;omitempty"`
+	Comment  string `in:"query=comment;omitempty"`
+	Dest     string `in:"query=dest;omitempty"`
+	Digest   string `in:"query=digest;omitempty"`
+	DPort    string `in:"query=dport;omitempty"`
+	Enable   *int   `in:"query=enable;omitempty"`
+	ICMPType string `in:"query=icmp-type;omitempty"`
+	Iface    string `in:"query=iface;omitempty"`
+	Log      string `in:"query=log;omitempty"`
+	Macro    string `in:"query=macro;omitempty"`
+	Pos      *int   `in:"query=pos;omitempty"`
+	Proto    string `in:"query=proto;omitempty"`
+	Source   string `in:"query=source;omitempty"`
+	SPort    string `in:"query=sport;omitempty"`
+}
+
+// ClusterFirewallRulesPost Add rule.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallRulesPost(req ClusterFirewallRulesPostRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/rules",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterFirewallRulesUpdateRequest struct {
+	ClusterFirewallRulesPostRequest
+
+	// Rule position.
+	Pos *int `in:"path=pos"`
+
+	// Move rule to new position. Other arguments are ignored.
+	MoveTo *int `in:"query=moveto;omitempty"`
+}
+
+// ClusterFirewallRulesUpdate Modify rule data.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallRulesUpdate(req ClusterFirewallRulesUpdateRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/rules/{pos}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterFirewallRulesDeleteRequest struct {
+	// Rule position.
+	Pos *int `in:"path=pos"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+}
+
+// ClusterFirewallRulesDelete Delete rule.
+//
+// Parameters:
+//
+//   - pos is the position of a rule.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterFirewallRulesDelete(req ClusterFirewallRulesDeleteRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/firewall/rules/{pos}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/helpers.go b/pkg/api/helpers.go
index 2815f71..193033c 100644
--- a/pkg/api/helpers.go
+++ b/pkg/api/helpers.go
@@ -1,5 +1,6 @@
 package api
 
+// Int returns a pointer to the given int value.
 func Int(v int) *int {
 	return &v
 }

From 1e27f2967e3163423edc70287ad2b27e5c036bd1 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 25 Aug 2025 20:17:05 -0400
Subject: [PATCH 29/40] fix: update group rule method doesnt fails anymore when
 type is not specified

---
 pkg/api/cluster_firewall_groups.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/api/cluster_firewall_groups.go b/pkg/api/cluster_firewall_groups.go
index 3e37e27..6f2cdb0 100644
--- a/pkg/api/cluster_firewall_groups.go
+++ b/pkg/api/cluster_firewall_groups.go
@@ -101,7 +101,7 @@ type ClusterFirewallGroupsNewRuleRequest struct {
 	// Rule type.
 	//
 	// 	in | out | forward | group
-	Type string `in:"query=type;nonzero"`
+	Type string `in:"query=type;omitempty"`
 
 	// Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.
 	Action string `in:"query=action;nonzero"`

From 0cad1934903cfdde80edc09c6b758602a7de3e76 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 25 Aug 2025 20:18:38 -0400
Subject: [PATCH 30/40] feat: added /api2/json/cluster/ha implementations

---
 pkg/api/cluster_ha_groups.go    | 150 +++++++++++++++
 pkg/api/cluster_ha_resources.go | 311 ++++++++++++++++++++++++++++++++
 pkg/api/cluster_ha_rules.go     | 205 +++++++++++++++++++++
 pkg/api/cluster_ha_status.go    |  51 ++++++
 4 files changed, 717 insertions(+)
 create mode 100644 pkg/api/cluster_ha_groups.go
 create mode 100644 pkg/api/cluster_ha_resources.go
 create mode 100644 pkg/api/cluster_ha_rules.go
 create mode 100644 pkg/api/cluster_ha_status.go

diff --git a/pkg/api/cluster_ha_groups.go b/pkg/api/cluster_ha_groups.go
new file mode 100644
index 0000000..ebf355c
--- /dev/null
+++ b/pkg/api/cluster_ha_groups.go
@@ -0,0 +1,150 @@
+package api
+
+import "net/http"
+
+// ClusterHAGroupsList Get HA groups. (deprecated in favor of HA rules)
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterHAGroupsList() (res []struct {
+	Group string `json:"group"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/ha/groups",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterHAGroupsPostRequest struct {
+	// The HA group identifier.
+	Group string `in:"query=group;omitempty"`
+
+	// List of cluster node members, where a priority can be given to each node. A resource bound to a group will run on the available nodes with the highest priority. If there are more nodes in the highest priority class, the services will get distributed to those nodes. The priorities have a relative meaning only. The higher the number, the higher the priority.
+	//
+	// 	<node>[:<pri>]{,<node>[:<pri>]}*
+	Nodes string `in:"query=nodes;omitempty"`
+
+	// Descriptive comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// The CRM tries to run services on the node with the highest priority. If a node with higher priority comes online, the CRM migrates the service to that node. Enabling nofailback prevents that behavior.
+	NoFailback *int `in:"query=nofailback;omitempty"`
+
+	// Resources bound to restricted groups may only run on nodes defined by the group. The resource will be placed in the stopped state if no group node member is online. Resources on unrestricted groups may run on any cluster node if all group members are offline, but they will migrate back as soon as a group member comes online. One can implement a 'preferred node' behavior using an unrestricted group with only one member.
+	Restricted *int `in:"query=restricted;omitempty"`
+
+	// Group type.
+	Type string `in:"query=type;omitempty"`
+}
+
+// ClusterHAGroupsPost Create a new HA group. (deprecated in favor of HA rules)
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHAGroupsPost(req ClusterHAGroupsPostRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/groups",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterHAGroupsGet Read ha group configuration. (deprecated in favor of HA rules)
+//
+// Parameters:
+//
+//   - group is the HA group identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+//
+// NOTE:Proxmox api docs does not specify response type.
+func (c API) ClusterHAGroupsGet(group string) (res any, err error) {
+	req := struct {
+		Group string `in:"path=group"`
+	}{
+		Group: group,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/groups/{group}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterHAGroupsUpdateRequest struct {
+	// The HA group identifier.
+	Group string `in:"path=group;omitempty"`
+
+	// Descriptive comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// List of cluster node members, where a priority can be given to each node. A resource bound to a group will run on the available nodes with the highest priority. If there are more nodes in the highest priority class, the services will get distributed to those nodes. The priorities have a relative meaning only. The higher the number, the higher the priority.
+	//
+	// 	<node>[:<pri>]{,<node>[:<pri>]}*
+	Nodes string `in:"query=nodes;omitempty"`
+
+	// The CRM tries to run services on the node with the highest priority. If a node with higher priority comes online, the CRM migrates the service to that node. Enabling nofailback prevents that behavior.
+	NoFailback *int `in:"query=nofailback;omitempty"`
+
+	// Resources bound to restricted groups may only run on nodes defined by the group. The resource will be placed in the stopped state if no group node member is online. Resources on unrestricted groups may run on any cluster node if all group members are offline, but they will migrate back as soon as a group member comes online. One can implement a 'preferred node' behavior using an unrestricted group with only one member.
+	Restricted *int `in:"query=restricted;omitempty"`
+}
+
+// ClusterHAGroupsUpdate Update ha group configuration. (deprecated in favor of HA rules)
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHAGroupsUpdate(req ClusterHAGroupsUpdateRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/groups/{group}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterHAGroupsDelete Delete ha group configuration. (deprecated in favor of HA rules)
+//
+// Parameters:
+//
+//   - group is the HA group identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHAGroupsDelete(group string) (err error) {
+	req := struct {
+		Group string `in:"path=group"`
+	}{
+		Group: group,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/groups/{group}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_ha_resources.go b/pkg/api/cluster_ha_resources.go
new file mode 100644
index 0000000..4b57480
--- /dev/null
+++ b/pkg/api/cluster_ha_resources.go
@@ -0,0 +1,311 @@
+package api
+
+import "net/http"
+
+type ClusterHAResourcesListRequest struct {
+	// Only list resources of specific type
+	//
+	// 	ct | vm
+	Type string `in:"query=type;omitempty"`
+}
+
+// ClusterHAREsourcesList List HA resources.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterHAResourcesList(req ClusterHAResourcesListRequest) (res []struct {
+	SID string `json:"sid"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/resources",
+		Method:  http.MethodGet,
+		Result:  &res,
+		Payload: &req,
+	})
+
+	return res, err
+}
+
+type ClusterHAResourcesPostRequest struct {
+	// HA resource ID. This consists of a resource type followed by a resource specific name, separated with colon (example: vm:100 / ct:100). For virtual machines and containers, you can simply use the VM or CT id as a shortcut (example: 100).
+	//
+	// 	<type>:<name>
+	SID string `in:"query=sid;omitempty"`
+
+	// Description.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Automatically migrate HA resource to the node with the highest priority according to their node affinity  rules, if a node with a higher priority than the current node comes online.
+	Failback *int `in:"query=failback;omitempty"`
+
+	// The HA group identifier.
+	Group string `in:"query=group;omitempty"`
+
+	// Maximal number of service relocate tries when a service failes to start.
+	MaxRelocate *int `in:"query=max_relocate;omitempty"`
+
+	// Maximal number of tries to restart the service on a node after its start failed.
+	MaxRestart *int `in:"query=max_restart;omitempty"`
+
+	// Requested resource state. The CRM reads this state and acts accordingly.
+	// Please note that `enabled` is just an alias for `started`.
+	//
+	// `started`;;
+	//
+	// The CRM tries to start the resource. Service state is
+	// set to `started` after successful start. On node failures, or when start
+	// fails, it tries to recover the resource.  If everything fails, service
+	// state it set to `error`.
+	//
+	// `stopped`;;
+	//
+	// The CRM tries to keep the resource in `stopped` state, but it
+	// still tries to relocate the resources on node failures.
+	//
+	// `disabled`;;
+	//
+	// The CRM tries to put the resource in `stopped` state, but does not try
+	// to relocate the resources on node failures. The main purpose of this
+	// state is error recovery, because it is the only way to move a resource out
+	// of the `error` state.
+	//
+	// `ignored`;;
+	//
+	// The resource gets removed from the manager status and so the CRM and the LRM do
+	// not touch the resource anymore. All {pve} API calls affecting this resource
+	// will be executed, directly bypassing the HA stack. CRM commands will be thrown
+	// away while there source is in this state. The resource will not get relocated
+	// on node failures.
+	//
+	//   	started | stopped | enabled | disabled | ignored
+	State string `in:"query=state;omitempty"`
+
+	// Resource type.
+	//
+	// 	vm | ct
+	Type string `in:"query=type;omitempty"`
+}
+
+// ClusterHAResourcesPost Create new HA resource.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHAResourcesPost(req ClusterHAResourcesPostRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/ha/resources",
+		Method: http.MethodPost,
+	})
+
+	return err
+}
+
+// ClusterHAResourcesGet Read resource configuration.
+//
+// Parameters:
+//
+//   - sid is the HA resource ID. This consists of a resource type followed by a resource specific name, separated with colon (example: vm:100 / ct:100). For virtual machines and containers, you can simply use the VM or CT id as a shortcut (example: 100).
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterHAResourcesGet(sid string) (res struct {
+	Digest      string  `json:"digest"`
+	SID         string  `json:"sid"`
+	Type        string  `json:"type"`
+	Comment     string  `json:"comment"`
+	Failback    *int    `json:"failback"`
+	Group       *string `json:"group"`
+	MaxRelocate *int    `json:"max_relocate"`
+	MaxRestart  *int    `json:"max_restart"`
+	State       *string `json:"state"`
+}, err error) {
+	req := struct {
+		SID string `in:"path=sid"`
+	}{
+		SID: sid,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/resources/{sid}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterHAResourcesUpdateRequest struct {
+	// HA resource ID. This consists of a resource type followed by a resource specific name, separated with colon (example: vm:100 / ct:100). For virtual machines and containers, you can simply use the VM or CT id as a shortcut (example: 100).
+	SID string `in:"path=sid;nonzero"`
+
+	// Description.
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Automatically migrate HA resource to the node with the highest priority according to their node affinity  rules, if a node with a higher priority than the current node comes online.
+	Failback *int `in:"query=failback;omitempty"`
+
+	// The HA group identifier.
+	Group string `in:"query=group;omitempty"`
+
+	// Maximal number of service relocate tries when a service failes to start.
+	MaxRelocate *int `in:"query=max_relocate;omitempty"`
+
+	// Maximal number of tries to restart the service on a node after its start failed.
+	MaxRestart *int `in:"query=max_restart;omitempty"`
+
+	// Requested resource state. The CRM reads this state and acts accordingly.
+	// Please note that `enabled` is just an alias for `started`.
+	//
+	// `started`;;
+	//
+	// The CRM tries to start the resource. Service state is
+	// set to `started` after successful start. On node failures, or when start
+	// fails, it tries to recover the resource.  If everything fails, service
+	// state it set to `error`.
+	//
+	// `stopped`;;
+	//
+	// The CRM tries to keep the resource in `stopped` state, but it
+	// still tries to relocate the resources on node failures.
+	//
+	// `disabled`;;
+	//
+	// The CRM tries to put the resource in `stopped` state, but does not try
+	// to relocate the resources on node failures. The main purpose of this
+	// state is error recovery, because it is the only way to move a resource out
+	// of the `error` state.
+	//
+	// `ignored`;;
+	//
+	// The resource gets removed from the manager status and so the CRM and the LRM do
+	// not touch the resource anymore. All {pve} API calls affecting this resource
+	// will be executed, directly bypassing the HA stack. CRM commands will be thrown
+	// away while there source is in this state. The resource will not get relocated
+	// on node failures.
+	//
+	//   	started | stopped | enabled | disabled | ignored
+	State string `in:"query=state;omitempty"`
+}
+
+// ClusterHAResourcesUpdate Update HA resource.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHAResourcesUpdate(req ClusterHAResourcesUpdateRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/resources/{sid}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterHAResourcesDelete Delete HA resource.
+//
+// Parameters:
+//
+//   - sid is the HA resource ID. This consists of a resource type followed by a resource specific name, separated with colon (example: vm:100 / ct:100). For virtual machines and containers, you can simply use the VM or CT id as a shortcut (example: 100).
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHAResourcesDelete(sid string) (err error) {
+	req := struct {
+		SID string `in:"path=sid"`
+	}{
+		SID: sid,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/resources/{sid}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterHAResourcesMigrate Request resource migration (online) to another node.
+//
+// Parameters:
+//
+//   - sid is the HA resource ID. This consists of a resource type followed by a resource specific name, separated with colon (example: vm:100 / ct:100). For virtual machines and containers, you can simply use the VM or CT id as a shortcut (example: 100).
+//   - node is the target node name.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHAResourcesMigrate(sid, node string) (res struct {
+	RequestedNode     string `json:"requested-node"`
+	SID               string `json:"sid"`
+	BlockingResources []struct {
+		Cause string `json:"cause"`
+		SID   string `json:"sid"`
+	} `json:"blocking-resources"`
+	CoMigratedResources []string `json:"comigrated-resources"`
+}, err error) {
+	req := struct {
+		SID  string `in:"path=sid"`
+		Node string `in:"query=node,omitempty"`
+	}{
+		SID:  sid,
+		Node: node,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/resources/{sid}/migrate",
+		Method:  http.MethodPost,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterHAResourcesRelocate Request resource relocatzion to another node. This stops the service on the old node, and restarts it on the target node.
+
+// Parameters:
+//
+//   - sid is the HA resource ID. This consists of a resource type followed by a resource specific name, separated with colon (example: vm:100 / ct:100). For virtual machines and containers, you can simply use the VM or CT id as a shortcut (example: 100).
+//   - node is the target node name.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHAResourcesRelocate(sid, node string) (res struct {
+	RequestedNode     string `json:"requested-node"`
+	SID               string `json:"sid"`
+	BlockingResources []struct {
+		Cause string `json:"cause"`
+		SID   string `json:"sid"`
+	} `json:"blocking-resources"`
+	CoMigratedResources []string `json:"comigrated-resources"`
+}, err error) {
+	req := struct {
+		SID  string `in:"path=sid"`
+		Node string `in:"query=node,omitempty"`
+	}{
+		SID:  sid,
+		Node: node,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/resources/{sid}/relocate",
+		Method:  http.MethodPost,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_ha_rules.go b/pkg/api/cluster_ha_rules.go
new file mode 100644
index 0000000..85f77c0
--- /dev/null
+++ b/pkg/api/cluster_ha_rules.go
@@ -0,0 +1,205 @@
+package api
+
+import "net/http"
+
+type ClusterHARulesListRequest struct {
+	// Limit the returned list to rules affecting the specified resource.
+	Resource string `in:"query=resource;omitempty"`
+
+	// Limit the returned list to the specified rule type.
+	//
+	//	node-affinity | resource-affinity
+	Type string `in:"query=type;omitempty"`
+}
+
+// ClusterHARulesList Get HA rules.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterHARulesList(req ClusterHARulesListRequest) (res []struct {
+	Rule string `json:"rule"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/rules",
+		Method:  http.MethodGet,
+		Result:  &res,
+		Payload: &req,
+	})
+
+	return res, err
+}
+
+type ClusterHARulesPostRequest struct {
+	// List of HA resource IDs. This consists of a list of resource types followed by a resource specific name separated with a colon (example: vm:100,ct:101).
+	//
+	//	<type>:<name>{,<type>:<name>}*
+	Resources string `in:"query=resources;nonzero"`
+
+	//  HA rule identifier.
+	Rule string `in:"query=rule;nonzero"`
+
+	//  HA rule type.
+	//
+	//	node-affinity | resource-affinity
+	Type string `in:"query=type;nonzero"`
+
+	// Describes whether the node affinity rule is strict or non-strict.
+	//
+	// A non-strict node affinity rule makes resources prefer to be on the defined nodes.
+	// If none of the defined nodes are available, the resource may run on any other node.
+	//
+	// A strict node affinity rule makes resources be restricted to the defined nodes. If
+	// none of the defined nodes are available, the resource will be stopped.
+	Strict *int `in:"query=strict;omitempty"`
+
+	// Describes whether the HA resources are supposed to be kept on the same node ('positive'), or are supposed to be kept on separate nodes ('negative').
+	//
+	//	positive | negative
+	Affinity string `in:"query=affinity;omitempty"`
+
+	// HA rule comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Whether the HA rule is disabled.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// List of cluster node members, where a priority can be given to each node. A resource bound to a group will run on the available nodes with the highest priority. If there are more nodes in the highest priority class, the services will get distributed to those nodes. The priorities have a relative meaning only. The higher the number, the higher the priority.
+	//
+	// 	<node>[:<pri>]{,<node>[:<pri>]}*
+	Nodes string `in:"query=nodes;omitempty"`
+}
+
+// ClusterHARulesPost Create HA rule.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Console"]]
+func (c API) ClusterHARulesPost(req ClusterHARulesPostRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/rules",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterHARulesGet Get HA rule.
+//
+// Parameters:
+//
+//   - rule HA rule identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterHARulesGet(rule string) (res struct {
+	Rule string `json:"rule"`
+	Type string `json:"type"`
+}, err error) {
+	req := struct {
+		Rule string `in:"path=rule;nonzero"`
+	}{
+		Rule: rule,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/rules/{rule}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterHARulesPutRequest struct {
+	//  HA rule identifier.
+	Rule string `in:"query=path;nonzero"`
+
+	//  HA rule type.
+	//
+	//	node-affinity | resource-affinity
+	Type string `in:"query=type;nonzero"`
+
+	// Describes whether the HA resources are supposed to be kept on the same node ('positive'), or are supposed to be kept on separate nodes ('negative').
+	//
+	//	positive | negative
+	Affinity string `in:"query=affinity;omitempty"`
+
+	// HA rule comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Whether the HA rule is disabled.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// List of cluster node members, where a priority can be given to each node. A resource bound to a group will run on the available nodes with the highest priority. If there are more nodes in the highest priority class, the services will get distributed to those nodes. The priorities have a relative meaning only. The higher the number, the higher the priority.
+	//
+	// 	<node>[:<pri>]{,<node>[:<pri>]}*
+	Nodes string `in:"query=nodes;omitempty"`
+
+	// List of HA resource IDs. This consists of a list of resource types followed by a resource specific name separated with a colon (example: vm:100,ct:101).
+	//
+	//	<type>:<name>{,<type>:<name>}*
+	Resources string `in:"query=resources;omitempty"`
+
+	// Describes whether the node affinity rule is strict or non-strict.
+	//
+	// A non-strict node affinity rule makes resources prefer to be on the defined nodes.
+	// If none of the defined nodes are available, the resource may run on any other node.
+	//
+	// A strict node affinity rule makes resources be restricted to the defined nodes. If
+	// none of the defined nodes are available, the resource will be stopped.
+	Strict *int `in:"query=strict;omitempty"`
+}
+
+// ClusterHARulesPut Update HA rule.
+//
+// Parameters:
+//
+//   - rule HA rule identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterHARulesPut(req ClusterHARulesPutRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/rules/{rule}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterHARulesDelete Delete HA rule.
+//
+// Parameters:
+//
+//   - rule HA rule identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterHARulesDelete(rule string) (err error) {
+	req := struct {
+		Rule string `in:"path=rule"`
+	}{
+		Rule: rule,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/ha/rules/{rule}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_ha_status.go b/pkg/api/cluster_ha_status.go
new file mode 100644
index 0000000..420a686
--- /dev/null
+++ b/pkg/api/cluster_ha_status.go
@@ -0,0 +1,51 @@
+package api
+
+import "net/http"
+
+// ClusterHAStatusCurrent Get HA manger status.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (c API) ClusterHAStatusCurrent() (res []struct {
+	ID           string  `json:"id"`
+	Node         string  `json:"node"`
+	Status       string  `json:"status"`
+	Type         string  `json:"type"`
+	CRMState     *string `json:"crm_state"`
+	Failback     *string `json:"failback"`
+	MaxRelocate  *string `json:"max_relocate"`
+	MaxRestart   *string `json:"max_restart"`
+	QuoRate      *string `json:"quorate"`
+	RequestState *string `json:"request_state"`
+	SID          *string `json:"sid"`
+	State        *string `json:"state"`
+	Timestamp    *string `json:"timestamp"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/ha/status/current",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterHAStatusManager Get full HA manger status, including LRM status.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+//
+// TODO: Add response type (not provided in [proxmox docs])
+//
+// [proxmox docs]: https://pve.proxmox.com/pve-docs/api-viewer/#/cluster/ha/status/manager_status
+func (c API) ClusterHAStatusManager() (res any, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/ha/status/manager_status",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}

From 096dab57c37dcb377bdf83786c819e309de7dc80 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Mon, 25 Aug 2025 20:28:17 -0400
Subject: [PATCH 31/40] chore: added missing mkdocs pip dependency

---
 scripts/generate-docs.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/generate-docs.sh b/scripts/generate-docs.sh
index e588492..e2e1f0f 100755
--- a/scripts/generate-docs.sh
+++ b/scripts/generate-docs.sh
@@ -57,6 +57,7 @@ python3 -m venv ${VENV}
 source "${VENV}/bin/activate"
 
 PIP_DEPS=" \
+	mkdocs \
 	mkdocs-material \
 	pymdown-extensions \
 	markdown-callouts \

From 0d9f862bd3d30ff70e206b75540f848914ecd88a Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Tue, 26 Aug 2025 15:47:46 -0400
Subject: [PATCH 32/40] feat: added /api2/json/cluster/jobs implementations

---
 pkg/api/cluster_jobs.go | 224 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 224 insertions(+)
 create mode 100644 pkg/api/cluster_jobs.go

diff --git a/pkg/api/cluster_jobs.go b/pkg/api/cluster_jobs.go
new file mode 100644
index 0000000..b38ca2a
--- /dev/null
+++ b/pkg/api/cluster_jobs.go
@@ -0,0 +1,224 @@
+package api
+
+import "net/http"
+
+type ClusterJobsScheduleListRequest struct {
+	Schedule   string `in:"query=schedule;omitempty"`
+	Iterations *int   `in:"query=iterations;omitempty"`
+	StartTime  *int   `in:"query=starttime;omitempty"`
+}
+
+// ClusterJobsScheduleList Returns a list of future schedule runtimes.
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (c API) ClusterJobsScheduleList(req ClusterJobsScheduleListRequest) (res []struct {
+	Timestamp int    `json:"timestamp"`
+	UTC       string `json:"utc"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/jobs/schedule-analyze",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterJobsGetRealmSyncResponse struct {
+	// If the job is enabled or not.
+	Enabled int `json:"enabled"`
+
+	// The ID of the entry.
+	ID string `json:"id"`
+
+	// Authentication domain ID
+	Realm string `json:"realm"`
+
+	// The configured sync schedule.
+	Schedule string `json:"schedule"`
+
+	// A comment for the job.
+	Comment string `json:"comment"`
+
+	// Last execution time of the job in seconds since the beginning of the UNIX epoch
+	LastRun *int `json:"last-run"`
+
+	// Next planned execution time of the job in seconds since the beginning of the UNIX epoch.
+	NextRun *int `json:"next-run"`
+
+	// A semicolon-separated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes acls when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
+	//
+	// 	([acl];[properties];[entry])|none
+	RemoveVanished *string `json:"remove-vanished"`
+
+	// Select what to sync.
+	//
+	// 	users | groups | both
+	Scope *string `json:"scope"`
+}
+
+// ClusterJobsListRealmSync List configured realm-sync-jobs.
+//
+// Required permissions:
+//
+//	'Realm.AllocateUser' on '/access/realm/<realm>' and 'User.Modify' permissions to '/access/groups/'.
+//	Check: ["and",["perm","/access/realm/{realm}",["Realm.AllocateUser"]],["perm","/access/groups",["User.Modify"]]
+func (c API) ClusterJobsListRealmSync() (res []ClusterJobsGetRealmSyncResponse, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/jobs/realm-sync",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterJobsGetRealmSync Read realm-sync job definition.
+//
+// Parameters:
+//
+//   - id is the unique identifier of the realm-sync job.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+//
+// TODO: Add response type (not provided in [proxmox docs])
+//
+// [proxmox docs]: https://pve.proxmox.com/pve-docs/api-viewer/index.html#/cluster/jobs/realm-sync/{id}
+func (c API) ClusterJobsGetRealmSync(id string) (res ClusterJobsGetRealmSyncResponse, err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/jobs/realm-sync/{id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterJobsPostRealmSyncRequest struct {
+	// The ID of the job.
+	ID string `in:"path=id;omitempty"`
+
+	// Backup schedule. The format is a subset of `systemd` calendar events.
+	Schedule string `in:"query=schedule;omitempty"`
+
+	// Description for the Job.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Enable newly synced users immediately.
+	EnableNew *int `in:"query=enable-new;omitempty"`
+
+	// Determines if the job is enabled.
+	Enabled *int `in:"query=enabled;omitempty"`
+
+	// Authentication domain ID
+	Realm string `in:"query=realm;omitempty"`
+
+	// A semicolon-separated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes acls when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
+	//
+	// 	([acl];[properties];[entry])|none
+	RemoveVanished string `in:"query=remove-vanished;omitempty"`
+
+	// Select what to sync.
+	//
+	// 	users | groups | both
+	Scope string `in:"query=scope;omitempty"`
+}
+
+// ClusterJobsPostRealmSync Create new realm-sync job.
+//
+// Required permissions:
+//
+//	     'Realm.AllocateUser' on '/access/realm/<realm>' and 'User.Modify' permissions to '/access/groups/'.
+//		Check: ["and",["perm","/access/realm/{realm}",["Realm.AllocateUser"]],["perm","/access/groups",["User.Modify"]]]
+func (c API) ClusterJobsPostRealmSync(req ClusterJobsPostRealmSyncRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/jobs/realm-sync",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterJobsPutRealmSyncRequest struct {
+	// The ID of the job.
+	ID string `in:"path=id;omitempty"`
+
+	// Backup schedule. The format is a subset of `systemd` calendar events.
+	Schedule string `in:"query=schedule;omitempty"`
+
+	// Description for the Job.
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Enable newly synced users immediately.
+	EnableNew *int `in:"query=enable-new;omitempty"`
+
+	// Determines if the job is enabled.
+	Enabled *int `in:"query=enabled;omitempty"`
+
+	// A semicolon-separated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes acls when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
+	//
+	// 	([acl];[properties];[entry])|none
+	RemoveVanished string `in:"query=remove-vanished;omitempty"`
+
+	// Select what to sync.
+	//
+	// 	users | groups | both
+	Scope string `in:"query=scope;omitempty"`
+}
+
+// ClusterJobsPutRealmSync Update realm-sync job.
+//
+// Required permissions:
+//
+//	'Realm.AllocateUser' on '/access/realm/<realm>' and 'User.Modify' permissions to '/access/groups/'.
+//	Check: ["and",["perm","/access/realm/{realm}",["Realm.AllocateUser"]],["perm","/access/groups",["User.Modify"]]]
+func (c API) ClusterJobsPutRealmSync(req ClusterJobsPutRealmSyncRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/jobs/realm-sync/{id}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterJobsDeleteRealmSync Delete realm-sync job.
+//
+// Parameters:
+//
+//   - id is the unique identifier of the realm-sync job.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (c API) ClusterJobsDeleteRealmSync(id string) (err error) {
+	req := struct {
+		ID string `in:"path=id"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/jobs/realm-sync/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}

From 2f93558cd1487babf1b829e908ae5e1e862f062f Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Tue, 26 Aug 2025 21:42:29 -0400
Subject: [PATCH 33/40] feat: added /api2/json/cluster/mapping implementations

---
 pkg/api/cluster_mapping.go     |  20 ++++
 pkg/api/cluster_mapping_dir.go | 167 +++++++++++++++++++++++++++++++
 pkg/api/cluster_mapping_pci.go | 178 +++++++++++++++++++++++++++++++++
 pkg/api/cluster_mapping_usb.go | 149 +++++++++++++++++++++++++++
 4 files changed, 514 insertions(+)
 create mode 100644 pkg/api/cluster_mapping.go
 create mode 100644 pkg/api/cluster_mapping_dir.go
 create mode 100644 pkg/api/cluster_mapping_pci.go
 create mode 100644 pkg/api/cluster_mapping_usb.go

diff --git a/pkg/api/cluster_mapping.go b/pkg/api/cluster_mapping.go
new file mode 100644
index 0000000..2fd1489
--- /dev/null
+++ b/pkg/api/cluster_mapping.go
@@ -0,0 +1,20 @@
+package api
+
+import http "net/http"
+
+// ClusterMappingListResourceTypes list resource types
+//
+// Required permissions:
+//
+//	Accessible by all authenticated users.
+func (s API) ClusterMappingListResourceTypes() (res []struct {
+	Name string `json:"name"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/mapping",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_mapping_dir.go b/pkg/api/cluster_mapping_dir.go
new file mode 100644
index 0000000..22924e2
--- /dev/null
+++ b/pkg/api/cluster_mapping_dir.go
@@ -0,0 +1,167 @@
+package api
+
+import http "net/http"
+
+type ClusterMappingListDirRequest struct {
+	// If given, checks the configurations on the given node for correctness, and adds relevant diagnostics for the directory to the response.
+	CheckNode string `in:"query=check-node;omitempty"`
+}
+
+type ClusterMappingGetDirResponse struct {
+}
+
+// ClusterMappingListDir List directory mapping
+//
+// Required permissions:
+//
+//	Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or 'Mapping.Audit' permissions on '/mapping/dir/<id>'.
+func (s API) ClusterMappingListDir(req ClusterMappingListDirRequest) (
+	res []struct {
+		// A description of the logical mapping.
+		Description string `json:"description"`
+
+		// The logical ID of the mapping.
+		ID int `json:"id"`
+
+		// The entries of the mapping.
+		Map []string `json:"map"`
+
+		// A list of checks, only present if 'check-node' is set.
+		Checks []struct {
+			// The message of the error
+			Message string `json:"message"`
+
+			// The severity of the error
+			//
+			// 	error | warning
+			Severity string `json:"severity"`
+		} `json:"checks"`
+	},
+	err error,
+) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/dir",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterMappingCreateDirRequest struct {
+	// The ID of the directory mapping.
+	ID string `in:"query=id;omitempty"`
+
+	// A list of maps for the cluster nodes.
+	//
+	// 	[node=<string>, path=<string> , ...]
+	Map string `in:"query=map;omitempty"`
+
+	// Description of the directory mapping.
+	Description string `in:"query=description;omitempty"`
+}
+
+// ClusterMappingCreateDir Create a new directory mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/dir",["Mapping.Modify"]]
+func (s API) ClusterMappingCreateDir(req ClusterMappingCreateDirRequest) error {
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/dir",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterMappingGetDir Get directory mapping.
+//
+// Parameters:
+//
+//   - id is the ID of the directory mapping.
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/dir/{id}",["Mapping.Use"]],["perm","/mapping/dir/{id}",["Mapping.Modify"]],["perm","/mapping/dir/{id}",["Mapping.Audit"]]]
+//
+// TODO: Add response type. [Promox docs] doesn't have any response type.
+//
+// [Promox docs] https://pve.proxmox.com/pve-docs/api-viewer/index.html#/cluster/mapping/dir/{id}
+func (s API) ClusterMappingGetDir(id string) (res any, err error) {
+	req := struct {
+		ID string `in:"path=id"`
+	}{
+		ID: id,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/dir/{id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterMappingUpdateDirRequest struct {
+	// The ID of the directory mapping.
+	ID string `in:"path=id;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Description of the directory mapping.
+	Description string `in:"query=description;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// A list of maps for the cluster nodes.
+	//
+	// 	[node=<string>, path=<string> , ...]
+	Map string `in:"query=map;omitempty"`
+}
+
+// ClusterMappingCreateDir Update a directory mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/dir/{id}",["Mapping.Modify"]]
+func (s API) ClusterMappingUpdateDir(req ClusterMappingUpdateDirRequest) error {
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/dir/{id}",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterMappingDeleteDir Remove directory mapping.
+//
+// Parameters:
+//
+//   - id is the ID of the directory mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/dir",["Mapping.Modify"]]
+func (s API) ClusterMappingDeleteDir(id string) error {
+	req := struct {
+		ID string `in:"path=id"`
+	}{
+		ID: id,
+	}
+
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/dir/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_mapping_pci.go b/pkg/api/cluster_mapping_pci.go
new file mode 100644
index 0000000..ea38f5f
--- /dev/null
+++ b/pkg/api/cluster_mapping_pci.go
@@ -0,0 +1,178 @@
+package api
+
+import http "net/http"
+
+type ClusterMappingListPCIRequest struct {
+	// If given, checks the configurations on the given node for correctness, and adds relevant diagnostics for the directory to the response.
+	CheckNode string `in:"query=check-node;omitempty"`
+}
+
+type ClusterMappingGetPCIResponse struct {
+	// A description of the logical mapping.
+	Description string `json:"description"`
+
+	// The logical ID of the mapping.
+	ID int `json:"id"`
+
+	// The entries of the mapping.
+	Map []string `json:"map"`
+
+	// A list of checks, only present if 'check-node' is set.
+	Checks []struct {
+		// The message of the error
+		Message string `json:"message"`
+
+		// The severity of the error
+		//
+		// 	error | warning
+		Severity string `json:"severity"`
+	} `json:"checks"`
+}
+
+// ClusterMappingListPCI List PCI mapping
+//
+// Required permissions:
+//
+//	Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or 'Mapping.Audit' permissions on '/mapping/pci/<id>'.
+func (s API) ClusterMappingListPCI(req ClusterMappingListPCIRequest) (
+	res []ClusterMappingGetPCIResponse,
+	err error,
+) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/pci",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterMappingCreatePCIRequest struct {
+	// The ID of the logical PCI mapping.
+	ID string `in:"query=id;omitempty"`
+
+	// A list of maps for the cluster nodes.
+	//
+	// 	[id=<(?^:^[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}$)>, node=<string>, path=<(?:[a-f0-9]{4,}:[a-f0-9]{2}:[a-f0-9]{2}(?:.[a-f0-9])?;)*[a-f0-9]{4,}:[a-f0-9]{2}:[a-f0-9]{2}(?:.[a-f0-9])?> [,description=<string>] [,iommugroup=<integer>] [,subsystem-id=<(?^:^[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}$)>], ...]
+	Map string `in:"query=map;omitempty"`
+
+	// Description of the logical PCI mapping.
+	Description string `in:"query=description;omitempty"`
+
+	// Marks the device(s) as being able to be live-migrated (Experimental). This needs hardware and driver support to work.
+	LiveMigrationCapable *int `in:"query=live-migration-capable;omitempty"`
+
+	// Marks the device(s) as being capable of providing mediated devices.
+	MDev *int `in:"query=mdev;omitempty"`
+}
+
+// ClusterMappingCreatePCI Create a new hardware mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/pci",["Mapping.Modify"]]
+func (s API) ClusterMappingCreatePCI(req ClusterMappingCreatePCIRequest) error {
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/pci",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterMappingGetPCI Get PCI Mapping.
+//
+// Parameters:
+//
+//   - id is the ID of the logical PCI mapping.
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/pci/{id}",["Mapping.Use"]],["perm","/mapping/pci/{id}",["Mapping.Modify"]],["perm","/mapping/pci/{id}",["Mapping.Audit"]]]
+//
+// TODO: Add response type. [Promox docs] doesn't have any response type.
+//
+// [Promox docs] https://pve.proxmox.com/pve-docs/api-viewer/index.html#/cluster/mapping/pci/{id}
+func (s API) ClusterMappingGetPCI(id string) (res any, err error) {
+	req := struct {
+		ID string `in:"path=id"`
+	}{
+		ID: id,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/pci/{id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterMappingUpdatePCIRequest struct {
+	// The ID of the logical PCI mapping.
+	ID string `in:"path=id;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Description of the logical PCI mapping.
+	Description string `in:"query=description;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Marks the device(s) as being able to be live-migrated (Experimental). This needs hardware and driver support to work.
+	LiveMigrationCapable *int `in:"query=live-migration-capable;omitempty"`
+
+	// A list of maps for the cluster nodes.
+	//
+	// 	[id=<(?^:^[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}$)>, node=<string>, path=<(?:[a-f0-9]{4,}:[a-f0-9]{2}:[a-f0-9]{2}(?:.[a-f0-9])?;)*[a-f0-9]{4,}:[a-f0-9]{2}:[a-f0-9]{2}(?:.[a-f0-9])?> [,description=<string>] [,iommugroup=<integer>] [,subsystem-id=<(?^:^[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}$)>], ...]
+	Map string `in:"query=map;omitempty"`
+
+	// Marks the device(s) as being capable of providing mediated devices.
+	MDev *int `in:"query=mdev;omitempty"`
+}
+
+// ClusterMappingUpdatePCI Update a hardware mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/pci/{id}",["Mapping.Modify"]]
+func (s API) ClusterMappingUpdatePCI(req ClusterMappingUpdatePCIRequest) error {
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/pci/{id}",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterMappingDeletePCI Remove Hardware Mapping.
+//
+// Parameters:
+//
+//   - id is the ID of the logical PCI mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/pci",["Mapping.Modify"]]
+func (s API) ClusterMappingDeletePCI(id string) error {
+	req := struct {
+		ID string `in:"path=id"`
+	}{
+		ID: id,
+	}
+
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/pci/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_mapping_usb.go b/pkg/api/cluster_mapping_usb.go
new file mode 100644
index 0000000..72ced64
--- /dev/null
+++ b/pkg/api/cluster_mapping_usb.go
@@ -0,0 +1,149 @@
+package api
+
+import http "net/http"
+
+type ClusterMappingListUSBRequest struct {
+	// If given, checks the configurations on the given node for correctness, and adds relevant diagnostics for the directory to the response.
+	CheckNode string `in:"query=check-node;omitempty"`
+}
+
+// ClusterMappingListUSB List USB Hardware Mappings
+//
+// Required permissions:
+//
+//	Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or 'Mapping.Audit' permissions on '/mapping/usb/<id>'.
+func (s API) ClusterMappingListUSB(req ClusterMappingListUSBRequest) (
+	res []struct {
+		Description string   `json:"description"`
+		Error       string   `json:"error"`
+		ID          int      `json:"id"`
+		Map         []string `json:"map"`
+	},
+	err error,
+) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/usb",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterMappingCreateUSBRequest struct {
+	// The ID of the logical USB mapping.
+	ID string `in:"query=id;omitempty"`
+
+	// A list of maps for the cluster nodes.
+	//
+	// 	[id=<(?^:^[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}$)>, node=<string> [,description=<string>] [,path=<(?^:^(\d+)\-(\d+(\.\d+)*)$)>], ...]
+	Map string `in:"query=map;omitempty"`
+
+	// Description of the logical USB mapping.
+	Description string `in:"query=description;omitempty"`
+}
+
+// ClusterMappingCreateUSB Create a new hardware mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/usb",["Mapping.Modify"]]
+func (s API) ClusterMappingCreateUSB(req ClusterMappingCreateUSBRequest) error {
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/usb",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterMappingGetUSB Get USB Mapping.
+//
+// Parameters:
+//
+//   - id is the ID of the logical USB mapping.
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/usb/{id}",["Mapping.Audit"]],["perm","/mapping/usb/{id}",["Mapping.Use"]],["perm","/mapping/usb/{id}",["Mapping.Modify"]]]
+//
+// TODO: Add response type. [Promox docs] doesn't have any response type.
+//
+// [Promox docs] https://pve.proxmox.com/pve-docs/api-viewer/index.html#/cluster/mapping/usb/{id}
+func (s API) ClusterMappingGetUSB(id string) (res any, err error) {
+	req := struct {
+		ID string `in:"path=id"`
+	}{
+		ID: id,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/usb/{id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterMappingUpdateUSBRequest struct {
+	// The ID of the logical USB mapping.
+	ID string `in:"path=id;omitempty"`
+
+	// A list of maps for the cluster nodes.
+	//
+	// 	[id=<(?^:^[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}$)>, node=<string> [,description=<string>] [,path=<(?^:^(\d+)\-(\d+(\.\d+)*)$)>], ...]
+	Map string `in:"query=map;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Description of the logical USB mapping.
+	Description string `in:"query=description;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+}
+
+// ClusterMappingUpdateUSB Update a hardware mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/usb/{id}",["Mapping.Modify"]]
+func (s API) ClusterMappingUpdateUSB(req ClusterMappingUpdateUSBRequest) error {
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/usb/{id}",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterMappingDeleteUSB Remove Hardware Mapping.
+//
+// Parameters:
+//
+//   - id is the ID of the logical USB mapping.
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/usb",["Mapping.Modify"]]
+func (s API) ClusterMappingDeleteUSB(id string) error {
+	req := struct {
+		ID string `in:"path=id"`
+	}{
+		ID: id,
+	}
+
+	err := s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/mapping/usb/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}

From b76222e8a5653164edd580bc7a4354a0720d6f40 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Sun, 31 Aug 2025 20:14:51 -0400
Subject: [PATCH 34/40] feat: added /api2/json/cluster/metrics implementations

---
 pkg/api/cluster_metrics.go        |  36 ++++
 pkg/api/cluster_metrics_server.go | 269 ++++++++++++++++++++++++++++++
 2 files changed, 305 insertions(+)
 create mode 100644 pkg/api/cluster_metrics.go
 create mode 100644 pkg/api/cluster_metrics_server.go

diff --git a/pkg/api/cluster_metrics.go b/pkg/api/cluster_metrics.go
new file mode 100644
index 0000000..4cd7147
--- /dev/null
+++ b/pkg/api/cluster_metrics.go
@@ -0,0 +1,36 @@
+package api
+
+import "net/http"
+
+type ClusterMetricsGetRequest struct {
+	// Also return historic values. Returns full available metric history unless `start-time` is also set
+	History *int `in:"query=history;omitempty"`
+
+	// Only return metrics for the current node instead of the whole cluster
+	LocalOnly *int `in:"query=local-only;omitempty"`
+
+	// Only include metrics with a timestamp > start-time.
+	StartTime *int `in:"query=start-time;omitempty"`
+}
+
+// ClusterMetricsGet Retrieve metrics of the cluster.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (a API) ClusterMetricsGet(req *ClusterMetricsGetRequest) (res []struct {
+	ID        string `json:"id"`
+	Metric    string `json:"metric"`
+	Timestamp int    `json:"timestamp"`
+	Type      string `json:"type"`
+	Value     string `json:"value"`
+}, err error) {
+	err = a.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/metrics/export",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
diff --git a/pkg/api/cluster_metrics_server.go b/pkg/api/cluster_metrics_server.go
new file mode 100644
index 0000000..645a76a
--- /dev/null
+++ b/pkg/api/cluster_metrics_server.go
@@ -0,0 +1,269 @@
+package api
+
+import "net/http"
+
+// ClusterMetricsServerList List configured metric servers.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+func (s API) ClusterMetricsServerList() (res []struct {
+	Disable int    `json:"disable"`
+	ID      string `json:"id"`
+	Port    int    `json:"port"`
+	Server  string `json:"server"`
+	Type    string `json:"type"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/metrics/server",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterMetricsServerGet Read metric server configuration.
+//
+// Parameters:
+//
+//   - id is the metric server ID.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Audit"]]
+//
+// TODO: add response type, [proxmox docs] don't specify
+//
+// [proxmox docs] https://pve.proxmox.com/pve-docs/api-viewer/index.html#/cluster/metrics/server/{id}
+func (s API) ClusterMetricsServerGet(id string) (res any, err error) {
+	req := struct {
+		ID string `in:"path=id"`
+	}{
+		ID: id,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/metrics/server/{id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterMetricsServerPostRequest struct {
+	// The ID of the entry.
+	ID string `in:"path=id;nonzero"`
+
+	// server network port
+	Port int `in:"query=port;omitempty"`
+
+	// server dns name or IP address
+	Server string `in:"query=server;omitempty"`
+
+	// Plugin type.
+	//   graphite | influxdb | opentelemetry
+	Type string `in:"query=type;omitempty"`
+
+	// An API path prefix inserted between '<host>:<port>/' and '/api2/'. Can be useful if the InfluxDB service runs behind a reverse proxy.
+	APIPathPrefix string `in:"query=api-path-prefix;omitempty"`
+
+	// The InfluxDB bucket/db. Only necessary when using the http v2 api.
+	Bucket string `in:"query=bucket;omitempty"`
+
+	// Flag to disable the plugin.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// The InfluxDB protocol.
+	// 	udp | http | https
+	InfluxDBProto string `in:"query=influxdbproto;omitempty"`
+
+	// InfluxDB max-body-size in bytes. Requests are batched up to this size.
+	MaxBodySize *int `in:"query=max-body-size;omitempty"`
+
+	// MTU for metrics transmission over UDP
+	MTU *int `in:"query=mtu;omitempty"`
+
+	// The InfluxDB organization. Only necessary when using the http v2 api. Has no meaning when using v2 compatibility api.
+	Organization string `in:"query=organization;omitempty"`
+
+	// Compression algorithm for requests
+	// 	none | gzip
+	OTELCompression string `in:"query=otel-compression;omitempty"`
+
+	// Custom HTTP headers (JSON format, base64 encoded)
+	OTELHeaders string `in:"query=otel-headers;omitempty"`
+
+	// Maximum request body size in bytes
+	OTELMaxBodySize *int `in:"query=otel-max-body-size;omitempty"`
+
+	// OTLP endpoint path
+	OTELPath string `in:"query=otel-path;omitempty"`
+
+	// HTTP protocol
+	// 	http | https
+	OTELProtocol string `in:"query=otel-protocol;omitempty"`
+
+	// Additional resource attributes as JSON, base64 encoded
+	OTELResourceAttributes string `in:"query=otel-resource-attributes;omitempty"`
+
+	// HTTP request timeout in seconds
+	OTELTimeout *int `in:"query=otel-timeout;omitempty"`
+
+	// Verify SSL certificates
+	OTELVerifySSL *int `in:"query=otel-verify-ssl;omitempty"`
+
+	// root graphite path (ex: proxmox.mycluster.mykey)
+	Path string `in:"query=path;omitempty"`
+
+	// Protocol to send graphite data. TCP or UDP (default)
+	//   tcp | udp
+	Proto string `in:"query=proto;omitempty"`
+
+	// graphite TCP socket timeout (default=1)
+	Timeout *int `in:"query=timeout;omitempty"`
+
+	// The InfluxDB access token. Only necessary when using the http v2 api. If the v2 compatibility api is used, use 'user:password' instead.
+	Token string `in:"query=token;omitempty"`
+
+	// Set to 0 to disable certificate verification for https endpoints.
+	VerifyCertificate *int `in:"query=verify-certificate;omitempty"`
+}
+
+// ClusterMetricsServerPost Create a new external metric server config
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterMetricsServerPost(req ClusterMetricsServerPostRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/metrics/server/{id}",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterMetricsServerUpdateRequest struct {
+	// The ID of the entry.
+	ID string `in:"path=id;nonzero"`
+
+	// server network port
+	Port int `in:"query=port;omitempty"`
+
+	// server dns name or IP address
+	Server string `in:"query=server;omitempty"`
+
+	// An API path prefix inserted between '<host>:<port>/' and '/api2/'. Can be useful if the InfluxDB service runs behind a reverse proxy.
+	APIPathPrefix string `in:"query=api-path-prefix;omitempty"`
+
+	// The InfluxDB bucket/db. Only necessary when using the http v2 api.
+	Bucket string `in:"query=bucket;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Flag to disable the plugin.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// The InfluxDB protocol.
+	// 	udp | http | https
+	InfluxDBProto string `in:"query=influxdbproto;omitempty"`
+
+	// InfluxDB max-body-size in bytes. Requests are batched up to this size.
+	MaxBodySize *int `in:"query=max-body-size;omitempty"`
+
+	// MTU for metrics transmission over UDP
+	MTU *int `in:"query=mtu;omitempty"`
+
+	// The InfluxDB organization. Only necessary when using the http v2 api. Has no meaning when using v2 compatibility api.
+	Organization string `in:"query=organization;omitempty"`
+
+	// Compression algorithm for requests
+	// 	none | gzip
+	OTELCompression string `in:"query=otel-compression;omitempty"`
+
+	// Custom HTTP headers (JSON format, base64 encoded)
+	OTELHeaders string `in:"query=otel-headers;omitempty"`
+
+	// Maximum request body size in bytes
+	OTELMaxBodySize *int `in:"query=otel-max-body-size;omitempty"`
+
+	// OTLP endpoint path
+	OTELPath string `in:"query=otel-path;omitempty"`
+
+	// HTTP protocol
+	// 	http | https
+	OTELProtocol string `in:"query=otel-protocol;omitempty"`
+
+	// Additional resource attributes as JSON, base64 encoded
+	OTELResourceAttributes string `in:"query=otel-resource-attributes;omitempty"`
+
+	// HTTP request timeout in seconds
+	OTELTimeout *int `in:"query=otel-timeout;omitempty"`
+
+	// Verify SSL certificates
+	OTELVerifySSL *int `in:"query=otel-verify-ssl;omitempty"`
+
+	// root graphite path (ex: proxmox.mycluster.mykey)
+	Path string `in:"query=path;omitempty"`
+
+	// Protocol to send graphite data. TCP or UDP (default)
+	//   tcp | udp
+	Proto string `in:"query=proto;omitempty"`
+
+	// graphite TCP socket timeout (default=1)
+	Timeout *int `in:"query=timeout;omitempty"`
+
+	// The InfluxDB access token. Only necessary when using the http v2 api. If the v2 compatibility api is used, use 'user:password' instead.
+	Token string `in:"query=token;omitempty"`
+
+	// Set to 0 to disable certificate verification for https endpoints.
+	VerifyCertificate *int `in:"query=verify-certificate;omitempty"`
+}
+
+// ClusterMetricsServerUpdate Update metric server configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterMetricsServerUpdate(req ClusterMetricsServerUpdateRequest) (err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/metrics/server/{id}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterMetricsServerDelete Remove Metric server.
+//
+// Parameters:
+//
+//   - id is the metric server ID.
+//
+// Required permissions:
+//
+//	Check: ["perm","/",["Sys.Modify"]]
+func (s API) ClusterMetricsServerDelete(id string) (err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = s.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/metrics/server/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}

From 000716ce2df41065f343a0177f0ade1d6c838b7b Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Sat, 27 Sep 2025 17:11:32 -0300
Subject: [PATCH 35/40] feat: added /api2/json/cluster/notifications
 implementations

---
 pkg/api/cluster_notifications.go | 39 ++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 pkg/api/cluster_notifications.go

diff --git a/pkg/api/cluster_notifications.go b/pkg/api/cluster_notifications.go
new file mode 100644
index 0000000..9c3f2a8
--- /dev/null
+++ b/pkg/api/cluster_notifications.go
@@ -0,0 +1,39 @@
+package api
+
+import "net/http"
+
+// ClusterNotificationsGetMacherFieldValues Returns known notification metadata fields and their known values
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (s API) ClusterNotificationsGetMacherFieldValues() (res []struct {
+	Field   string `json:"field"`
+	Value   string `json:"value"`
+	Comment string `json:"comment"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/notifications/matcher-field-values",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterNotificationsGetMacherFields Returns known notification metadata fields
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (s API) ClusterNotificationsGetMacherFields() (res []struct {
+	Name string `json:"name"`
+}, err error) {
+	err = s.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/notifications/matcher-fields",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}

From 49794c4b0e6931c450f0955f3b3c81cda9dd3a96 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Sat, 27 Sep 2025 17:58:36 -0300
Subject: [PATCH 36/40] feat: added /api2/json/cluster/notifications/endpoints
 implementations

---
 .../cluster_notifications_endpoints_gotify.go | 153 +++++++++++++
 ...luster_notifications_endpoints_sendmail.go | 171 ++++++++++++++
 .../cluster_notifications_endpoints_smtp.go   | 213 ++++++++++++++++++
 ...cluster_notifications_endpoints_webhook.go | 181 +++++++++++++++
 4 files changed, 718 insertions(+)
 create mode 100644 pkg/api/cluster_notifications_endpoints_gotify.go
 create mode 100644 pkg/api/cluster_notifications_endpoints_sendmail.go
 create mode 100644 pkg/api/cluster_notifications_endpoints_smtp.go
 create mode 100644 pkg/api/cluster_notifications_endpoints_webhook.go

diff --git a/pkg/api/cluster_notifications_endpoints_gotify.go b/pkg/api/cluster_notifications_endpoints_gotify.go
new file mode 100644
index 0000000..82aaa3d
--- /dev/null
+++ b/pkg/api/cluster_notifications_endpoints_gotify.go
@@ -0,0 +1,153 @@
+package api
+
+import (
+	"net/http"
+)
+
+// ClusterNotificationsListGotifyEndpoints Returns a list of all gotify endpoints
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/notifications",["Mapping.Audit"]]
+func (c API) ClusterNotificationsListGotifyEndpoints() (res []struct {
+	Name    string `json:"name"`
+	Origin  string `json:"origin"`
+	Server  string `json:"server"`
+	Comment string `json:"comment"`
+	Disable *int   `json:"disable"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/notifications/endpoints/gotify",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterNotificationsNewGotifyEndpointRequest struct {
+	// The name of the endpoint.
+	Name string `in:"query=name;omitempty"`
+
+	// Server URL
+	Server string `in:"query=server;omitempty"`
+
+	// Secret token
+	Token string `in:"query=token;omitempty"`
+
+	// Comment
+	Comment string `in:"query=comment;omitempty"`
+
+	// Disable this target
+	Disable *int `in:"query=disable;omitempty"`
+}
+
+// ClusterNotificationsNewGotifyEndpoint Create a new gotify endpoint
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/mapping/notifications",["Mapping.Modify"]],["or",["perm","/",["Sys.Audit","Sys.Modify"]],["perm","/",["Sys.AccessNetwork"]]]]
+func (c API) ClusterNotificationsNewGotifyEndpoint(req ClusterNotificationsNewGotifyEndpointRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/gotify",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterNotificationsGetGotifyEndpoint Return a specific gotify endpoint
+//
+// Parameters:
+//
+//   - name is the name of the endpoint
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (c API) ClusterNotificationsGetGotifyEndpoint(name string) (res struct {
+	Name    string  `json:"name"`
+	Server  string  `json:"server"`
+	Comment string  `json:"comment"`
+	Digest  *string `json:"digest"`
+	Disable *int    `json:"disable"`
+}, err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/gotify/{name}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterNotificationsUpdateGotifyEndpointRequest struct {
+	// The name of the endpoint.
+	Name string `in:"path=name;nonzero"`
+
+	// Comment.
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Disable this target
+	Disable *int `in:"query=disable;omitempty"`
+
+	// Server URL
+	Server string `in:"query=server;omitempty"`
+
+	// Secret token
+	Token string `in:"query=token;omitempty"`
+}
+
+// ClusterNotificationsUpdateGotifyEndpoint Update existing gotify endpoint
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/mapping/notifications",["Mapping.Modify"]],["or",["perm","/",["Sys.Audit","Sys.Modify"]],["perm","/",["Sys.AccessNetwork"]]]]
+func (c API) ClusterNotificationsUpdateGotifyEndpoint(req ClusterNotificationsUpdateGotifyEndpointRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/gotify/{name}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterNotificationsDeleteGotifyEndpoint Remove gotify endpoint
+//
+// Parameters:
+//
+//   - name is the name of the endpoint
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (c API) ClusterNotificationsDeleteGotifyEndpoint(name string) (err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/gotify/{name}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_notifications_endpoints_sendmail.go b/pkg/api/cluster_notifications_endpoints_sendmail.go
new file mode 100644
index 0000000..356dff5
--- /dev/null
+++ b/pkg/api/cluster_notifications_endpoints_sendmail.go
@@ -0,0 +1,171 @@
+package api
+
+import (
+	"net/http"
+)
+
+// ClusterNotificationsListSendmailEndpoints Returns a list of all sendmail endpoints
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/notifications",["Mapping.Audit"]]
+func (c API) ClusterNotificationsListSendmailEndpoints() (res []struct {
+	Name        string   `json:"name"`
+	Origin      string   `json:"origin"`
+	Author      *string  `json:"author"`
+	Comment     string   `json:"comment"`
+	Disable     *int     `json:"disable"`
+	FromAddress *string  `json:"from-address"`
+	MailTo      []string `json:"mailto"`
+	MailToUser  []string `json:"mailto-user"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/notifications/endpoints/sendmail",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterNotificationsNewSendmailEndpointRequest struct {
+	// The name of the endpoint.
+	Name string `in:"query=name;omitempty"`
+
+	// Author of the mail
+	Author string `in:"query=author;omitempty"`
+
+	// Comment
+	Comment string `in:"query=comment;omitempty"`
+
+	// Disable this target
+	Disable *int `in:"query=disable;omitempty"`
+
+	// `From` address for the mail
+	FromAddress string `in:"query=from-address;omitempty"`
+
+	// List of email recipients
+	MailTo string `in:"query=mailto;omitempty"`
+
+	// List of users
+	MailToUser string `in:"query=mailto-user;omitempty"`
+}
+
+// ClusterNotificationsNewSendmailEndpoint Create a new sendmail endpoint
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/mapping/notifications",["Mapping.Modify"]],["or",["perm","/",["Sys.Audit","Sys.Modify"]],["perm","/",["Sys.AccessNetwork"]]]]
+func (c API) ClusterNotificationsNewSendmailEndpoint(req ClusterNotificationsNewSendmailEndpointRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/sendmail",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterNotificationsGetSendmailEndpoint Return a specific sendmail endpoint
+//
+// Parameters:
+//
+//   - name is the name of the endpoint
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (c API) ClusterNotificationsGetSendmailEndpoint(name string) (res struct {
+	Name        string   `json:"name"`
+	Author      *string  `json:"author"`
+	Comment     string   `json:"comment"`
+	Digest      *string  `json:"digest"`
+	Disable     *int     `json:"disable"`
+	FromAddress *string  `json:"from-address"`
+	MailTo      []string `json:"mailto"`
+	MailToUser  []string `json:"mailto-user"`
+}, err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/sendmail/{name}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterNotificationsUpdateSendmailEndpointRequest struct {
+	// The name of the endpoint.
+	Name string `in:"path=name;nonzero"`
+
+	// Author of the mail
+	Author string `in:"query=author;omitempty"`
+
+	// Comment
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications
+	Digest string `in:"query=digest;omitempty"`
+
+	// Disable this target
+	Disable *int `in:"query=disable;omitempty"`
+
+	// `From` address for the mail
+	FromAddress string `in:"query=from-address;omitempty"`
+
+	// List of email recipients
+	MailTo string `in:"query=mailto;omitempty"`
+
+	// List of users
+	MailToUser string `in:"query=mailto-user;omitempty"`
+}
+
+// ClusterNotificationsUpdateSendmailEndpoint Update existing sendmail endpoint
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/mapping/notifications",["Mapping.Modify"]],["or",["perm","/",["Sys.Audit","Sys.Modify"]],["perm","/",["Sys.AccessNetwork"]]]]
+func (c API) ClusterNotificationsUpdateSendmailEndpoint(req ClusterNotificationsUpdateSendmailEndpointRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/sendmail/{name}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterNotificationsDeleteSendmailEndpoint Remove sendmail endpoint
+//
+// Parameters:
+//
+//   - name is the name of the endpoint
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (c API) ClusterNotificationsDeleteSendmailEndpoint(name string) (err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/sendmail/{name}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_notifications_endpoints_smtp.go b/pkg/api/cluster_notifications_endpoints_smtp.go
new file mode 100644
index 0000000..110751e
--- /dev/null
+++ b/pkg/api/cluster_notifications_endpoints_smtp.go
@@ -0,0 +1,213 @@
+package api
+
+import (
+	"net/http"
+)
+
+// ClusterNotificationsListSMTPEndpoints Returns a list of all SMTP endpoints
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/notifications",["Mapping.Audit"]]
+func (c API) ClusterNotificationsListSMTPEndpoints() (res []struct {
+	FromAddress string   `json:"from-address"`
+	Name        string   `json:"name"`
+	Origin      string   `json:"origin"`
+	Server      string   `json:"server"`
+	Author      *string  `json:"author"`
+	Comment     string   `json:"comment"`
+	Disable     *int     `json:"disable"`
+	MailTo      []string `json:"mailto"`
+	MailToUser  []string `json:"mailto-user"`
+	Mode        *string  `json:"mode"`
+	Port        *int     `json:"port"`
+	Username    *string  `json:"username"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/notifications/endpoints/smtp",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterNotificationsNewSMTPEndpointRequest struct {
+	// `From` address for the mail
+	FromAddress string `in:"query=from-address;omitempty"`
+
+	// The name of the endpoint.
+	Name string `in:"query=name;omitempty"`
+
+	// The address of the SMTP server
+	Server string `in:"query=server;omitempty"`
+
+	// Author of the mail. Defaults to 'Proxmox VE'.
+	Author string `in:"query=author;omitempty"`
+
+	// Comment
+	Comment string `in:"query=comment;omitempty"`
+
+	// Disable this target.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// List of email recipients.
+	MailTo string `in:"query=mailto;omitempty"`
+
+	// List of users.
+	MailToUser string `in:"query=mailto-user;omitempty"`
+
+	// Determine which encryption method shall be used for the connection.
+	//
+	//	insecure | starttls | tls
+	Mode string `in:"query=mode;omitempty"`
+
+	// Password for SMTP authentication
+	Password string `in:"query=password;omitempty"`
+
+	// The port to be used. Defaults to 465 for TLS based connections, 587 for STARTTLS based connections and port 25 for insecure plain-text connections.
+	Port *int `in:"query=port;omitempty"`
+
+	// Username for SMTP authentication
+	Username string `in:"query=username;omitempty"`
+}
+
+// ClusterNotificationsNewSMTPEndpoint Create a new SMTP endpoint
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/mapping/notifications",["Mapping.Modify"]],["or",["perm","/",["Sys.Audit","Sys.Modify"]],["perm","/",["Sys.AccessNetwork"]]]]
+func (c API) ClusterNotificationsNewSMTPEndpoint(req ClusterNotificationsNewSMTPEndpointRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/smtp",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterNotificationsGetSMTPEndpoint Return a specific SMTP endpoint
+//
+// Parameters:
+//
+//   - name is the name of the endpoint
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (c API) ClusterNotificationsGetSMTPEndpoint(name string) (res struct {
+	FromAddress string   `json:"from-address"`
+	Name        string   `json:"name"`
+	Server      string   `json:"server"`
+	Author      *string  `json:"author"`
+	Comment     string   `json:"comment"`
+	Digest      *string  `json:"digest"`
+	Disable     *int     `json:"disable"`
+	MailTo      []string `json:"mailto"`
+	MailToUser  []string `json:"mailto-user"`
+	Mode        *string  `json:"mode"`
+	Port        *int     `json:"port"`
+	Username    *string  `json:"username"`
+}, err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/smtp/{name}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterNotificationsUpdateSMTPEndpointRequest struct {
+	// The name of the endpoint.
+	Name string `in:"path=name;nonzero"`
+
+	// Author of the mail. Defaults to 'Proxmox VE'.
+	Author string `in:"query=author;omitempty"`
+
+	// Comment
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Disable this target.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// `From` address for the mail
+	FromAddress string `in:"query=from-address;omitempty"`
+
+	// List of email recipients.
+	MailTo string `in:"query=mailto;omitempty"`
+
+	// List of users.
+	MailToUser string `in:"query=mailto-user;omitempty"`
+
+	// Determine which encryption method shall be used for the connection.
+	//
+	//	insecure | starttls | tls
+	Mode string `in:"query=mode;omitempty"`
+
+	// Password for SMTP authentication
+	Password string `in:"query=password;omitempty"`
+
+	// The port to be used. Defaults to 465 for TLS based connections, 587 for STARTTLS based connections and port 25 for insecure plain-text connections.
+	Port *int `in:"query=port;omitempty"`
+
+	// The address of the SMTP server
+	Server string `in:"query=server;omitempty"`
+
+	// Username for SMTP authentication
+	Username string `in:"query=username;omitempty"`
+}
+
+// ClusterNotificationsUpdateSMTPEndpoint Update existing SMTP endpoint
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/mapping/notifications",["Mapping.Modify"]],["or",["perm","/",["Sys.Audit","Sys.Modify"]],["perm","/",["Sys.AccessNetwork"]]]]
+func (c API) ClusterNotificationsUpdateSMTPEndpoint(req ClusterNotificationsUpdateSMTPEndpointRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/smtp/{name}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterNotificationsDeleteSMTPEndpoint Remove SMTP endpoint
+//
+// Parameters:
+//
+//   - name is the name of the endpoint
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (c API) ClusterNotificationsDeleteSMTPEndpoint(name string) (err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/smtp/{name}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_notifications_endpoints_webhook.go b/pkg/api/cluster_notifications_endpoints_webhook.go
new file mode 100644
index 0000000..bc3ac55
--- /dev/null
+++ b/pkg/api/cluster_notifications_endpoints_webhook.go
@@ -0,0 +1,181 @@
+package api
+
+import (
+	"net/http"
+)
+
+// ClusterNotificationsListWebhookEndpoints Returns a list of all Webhook endpoints
+//
+// Required permissions:
+//
+//	Check: ["perm","/mapping/notifications",["Mapping.Audit"]]
+func (c API) ClusterNotificationsListWebhookEndpoints() (res []struct {
+	Method  string   `json:"method"`
+	Name    string   `json:"name"`
+	Origin  string   `json:"origin"`
+	URL     string   `json:"url"`
+	Body    *string  `json:"body"`
+	Comment string   `json:"comment"`
+	Disable *int     `json:"disable"`
+	Header  []string `json:"header"`
+	Secret  []string `json:"secret"`
+}, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/notifications/endpoints/webhook",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterNotificationsNewWebhookEndpointRequest struct {
+	// HTTP method
+	//	GET | POST | PUT
+	Method string `in:"query=method;omitempty"`
+
+	// The name of the endpoint.
+	Name string `in:"query=name;omitempty"`
+
+	// Server URL
+	URL string `in:"query=url;omitempty"`
+
+	// HTTP body, base64 encoded
+	Body string `in:"query=body;omitempty"`
+
+	// Comment
+	Comment string `in:"query=comment;omitempty"`
+
+	// Disable this target.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// HTTP headers to set. These have to be formatted as a property string in the format name=<name>,value=<base64 of value>
+	Header string `in:"query=header;omitempty"`
+
+	// Secrets to set. These have to be formatted as a property string in the format name=<name>,value=<base64 of value>
+	Secret string `in:"query=secret;omitempty"`
+}
+
+// ClusterNotificationsNewWebhookEndpoint Create a new Webhook endpoint
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/mapping/notifications",["Mapping.Modify"]],["or",["perm","/",["Sys.Audit","Sys.Modify"]],["perm","/",["Sys.AccessNetwork"]]]]
+func (c API) ClusterNotificationsNewWebhookEndpoint(req ClusterNotificationsNewWebhookEndpointRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/webhook",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterNotificationsGetWebhookEndpoint Return a specific Webhook endpoint
+//
+// Parameters:
+//
+//   - name is the name of the endpoint
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (c API) ClusterNotificationsGetWebhookEndpoint(name string) (res struct {
+	Method  string   `json:"method"`
+	Name    string   `json:"name"`
+	URL     string   `json:"url"`
+	Body    *string  `json:"body"`
+	Comment string   `json:"comment"`
+	Digest  *string  `json:"digest"`
+	Disable *int     `json:"disable"`
+	Header  []string `json:"header"`
+	Secret  []string `json:"secret"`
+}, err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/webhook/{name}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterNotificationsUpdateWebhookEndpointRequest struct {
+	// The name of the endpoint.
+	Name string `in:"path=name;nonzero"`
+
+	// HTTP body, base64 encoded
+	Body string `in:"query=body;omitempty"`
+
+	// Comment
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Disable this target.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// HTTP headers to set. These have to be formatted as a property string in the format name=<name>,value=<base64 of value>
+	Header string `in:"query=header;omitempty"`
+
+	// HTTP method
+	//	GET | POST | PUT
+	Method string `in:"query=method;omitempty"`
+
+	// Secrets to set. These have to be formatted as a property string in the format name=<name>,value=<base64 of value>
+	Secret string `in:"query=secret;omitempty"`
+
+	// Server URL
+	URL string `in:"query=url;omitempty"`
+}
+
+// ClusterNotificationsUpdateWebhookEndpoint Update existing Webhook endpoint
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/mapping/notifications",["Mapping.Modify"]],["or",["perm","/",["Sys.Audit","Sys.Modify"]],["perm","/",["Sys.AccessNetwork"]]]]
+func (c API) ClusterNotificationsUpdateWebhookEndpoint(req ClusterNotificationsUpdateWebhookEndpointRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/webhook/{name}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterNotificationsDeleteWebhookEndpoint Remove Webhook endpoint
+//
+// Parameters:
+//
+//   - name is the name of the endpoint
+//
+// Required permissions:
+//
+//	Check: ["or",["perm","/mapping/notifications",["Mapping.Modify"]],["perm","/mapping/notifications",["Mapping.Audit"]]]
+func (c API) ClusterNotificationsDeleteWebhookEndpoint(name string) (err error) {
+	req := struct {
+		Name string `in:"path=name;nonzero"`
+	}{
+		Name: name,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/notifications/endpoints/webhook/{name}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}

From 4961e93c28ef55d50a36cdd1b7c6ce2aff46e584 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Sun, 26 Oct 2025 21:42:40 -0300
Subject: [PATCH 37/40] feat: added /api2/json/cluster/replication
 implementations

---
 pkg/api/cluster_replication.go | 183 +++++++++++++++++++++++++++++++++
 1 file changed, 183 insertions(+)
 create mode 100644 pkg/api/cluster_replication.go

diff --git a/pkg/api/cluster_replication.go b/pkg/api/cluster_replication.go
new file mode 100644
index 0000000..587ab8f
--- /dev/null
+++ b/pkg/api/cluster_replication.go
@@ -0,0 +1,183 @@
+package api
+
+import (
+	"net/http"
+)
+
+// ClisterReplicationListReplicationJobs List replication jobs.
+//
+// Required permissions:
+//
+//	Will only return replication jobs for which the calling
+//	user has VM.Audit permission on /vms/<vmid>.
+func (c API) ClusterReplicationListReplicationJobs() (res []any, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/replication",
+		Method: http.MethodGet,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+type ClusterReplicationNewReplicationJobRequest struct {
+	// Replication Job ID. The ID is composed of a Guest ID and a job number, separated by a hyphen, i.e. '<GUEST>-<JOBNUM>'.
+	//	format: pve-replication-job-id
+	ID string `in:"query=id;omitempty"`
+
+	// Target node.
+	Target string `in:"query=target;omitempty"`
+
+	// Section type.
+	//	local
+	Type string `in:"query=type;omitempty"`
+
+	// Description.
+	Comment string `in:"query=comment;omitempty"`
+
+	// Flag to disable/deactivate the entry.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// Rate limit in mbps (megabytes per second) as floating point number.
+	Rate *int `in:"query=rate;omitempty"`
+
+	// Mark the replication job for removal. The job will remove all local replication snapshots. When set to 'full', it also tries to remove replicated volumes on the target. The job then removes itself from the configuration file.
+	//	local | full
+	RemoveJob string `in:"query=remove_job;omitempty"`
+
+	// Storage replication schedule. The format is a subset of `systemd` calendar events.
+	//	format: */15
+	Schedule string `in:"query=schedule;omitempty"`
+
+	// For internal use, to detect if the guest was stolen.
+	Source string `in:"query=source;omitempty"`
+}
+
+// ClusterReplicationNewReplicationJob Create a new replication job.
+//
+// Required permissions:
+//
+//	Requires the VM.Replicate permission on /vms/<vmid>.
+func (c API) ClusterReplicationNewReplicationJob(req ClusterReplicationNewReplicationJobRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/replication",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterReplicationGetReplicationJob Read replication job configuration.
+//
+// Parameters:
+//
+//   - id is the replication job ID.
+//
+// Required permissions:
+//
+//	Requires the VM.Audit permission on /vms/<vmid>.
+func (c API) ClusterReplicationGetReplicationJob(id string) (res struct {
+	Comment   string `json:"comment"`
+	Disable   *int   `json:"disable"`
+	ID        string `json:"id"`
+	Rate      *int   `json:"rate"`
+	RemoveJob string `json:"remove_job"`
+	Schedule  string `json:"schedule"`
+	Source    string `json:"source"`
+	Target    string `json:"target"`
+	Type      string `json:"type"`
+}, err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/replication/{id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterReplicationUpdateReplicationJobRequest struct {
+	// Replication Job ID. The ID is composed of a Guest ID and a job number, separated by a hyphen, i.e. '<GUEST>-<JOBNUM>'.
+	//	format: pve-replication-job-id
+	ID string `in:"query=id;omitempty"`
+
+	// Description.
+	Comment string `in:"query=comment;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Flag to disable/deactivate the entry.
+	Disable *int `in:"query=disable;omitempty"`
+
+	// Rate limit in mbps (megabytes per second) as floating point number.
+	Rate *int `in:"query=rate;omitempty"`
+
+	// Mark the replication job for removal. The job will remove all local replication snapshots. When set to 'full', it also tries to remove replicated volumes on the target. The job then removes itself from the configuration file.
+	//	local | full
+	RemoveJob string `in:"query=remove_job;omitempty"`
+
+	// Storage replication schedule. The format is a subset of `systemd` calendar events.
+	//	format: */15
+	Schedule string `in:"query=schedule;omitempty"`
+
+	// For internal use, to detect if the guest was stolen.
+	Source string `in:"query=source;omitempty"`
+}
+
+// ClusterReplicationUpdateReplicationJob Update replication job configuration.
+//
+// Required permissions:
+//
+//	Requires the VM.Replicate permission on /vms/<vmid>.
+func (c API) ClusterReplicationUpdateReplicationJob(req ClusterReplicationUpdateReplicationJobRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/replication/{id}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterReplicationDeleteReplicationJob Mark replication job for removal.
+//
+// Parameters:
+//
+//   - id: Replication Job ID. The ID is composed of a Guest ID and a job number, separated by a hyphen, i.e. '<GUEST>-<JOBNUM>'.
+//   - force (0|1): Will remove the jobconfig entry, but will not cleanup.
+//   - keep (0|1): Keep replicated data at target (do not remove).
+//
+// Required permissions:
+//
+//	Requires the VM.Replicate permission on /vms/<vmid>.
+func (c API) ClusterReplicationDeleteReplicationJob(id string, force, keep int) (err error) {
+	req := struct {
+		ID    string `in:"path=id;nonzero"`
+		Force int    `in:"query=force"`
+		Keep  int    `in:"query=keep"`
+	}{
+		ID:    id,
+		Force: force,
+		Keep:  keep,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/replication/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}

From 59fc10ac394b0ac861b280729432560c0da59b87 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Sun, 7 Dec 2025 21:36:45 -0300
Subject: [PATCH 38/40] feat: added /api2/json/cluster/sdn implementations

---
 pkg/api/cluster_sdn.go             |  91 ++++++
 pkg/api/cluster_sdn_controllers.go | 224 ++++++++++++++
 pkg/api/cluster_sdn_dns.go         | 171 +++++++++++
 pkg/api/cluster_sdn_fabrics.go     | 452 +++++++++++++++++++++++++++++
 pkg/api/cluster_sdn_ipams.go       | 169 +++++++++++
 pkg/api/cluster_sdn_vnets.go       | 295 +++++++++++++++++++
 pkg/api/cluster_sdn_zones.go       | 407 ++++++++++++++++++++++++++
 7 files changed, 1809 insertions(+)
 create mode 100644 pkg/api/cluster_sdn.go
 create mode 100644 pkg/api/cluster_sdn_controllers.go
 create mode 100644 pkg/api/cluster_sdn_dns.go
 create mode 100644 pkg/api/cluster_sdn_fabrics.go
 create mode 100644 pkg/api/cluster_sdn_ipams.go
 create mode 100644 pkg/api/cluster_sdn_vnets.go
 create mode 100644 pkg/api/cluster_sdn_zones.go

diff --git a/pkg/api/cluster_sdn.go b/pkg/api/cluster_sdn.go
new file mode 100644
index 0000000..e6ef9d8
--- /dev/null
+++ b/pkg/api/cluster_sdn.go
@@ -0,0 +1,91 @@
+package api
+
+import (
+	"net/http"
+)
+
+type ClusterSDNApplyRequest struct {
+	// The token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	// When lock-token has been provided and configuration successfully commited, release the lock automatically afterwards
+	ReleaseLock *int `in:"query=release-lock;omitempty"`
+}
+
+// ClusterSDNApply Apply sdn controller changes && reload.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn",["SDN.Allocate"]]
+func (c API) ClusterSDNApply(req ClusterSDNApplyRequest) (res string, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn",
+		Method:  http.MethodPost,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterSDNLock Acquire global lock for SDN configuration
+//
+// Parameters:
+//
+//   - allowPending (0|1): if true, allow acquiring lock even though there are pending changes
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn",["SDN.Allocate"]]
+func (c API) ClusterSDNLock(allowPending int) (res string, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:   "/api2/json/cluster/sdn/lock",
+		Method: http.MethodPost,
+		Result: &res,
+	})
+
+	return res, err
+}
+
+// ClusterSDNUnlock Release global lock for SDN configuration
+//
+// Parameters:
+//
+//   - force (0|1): if true, allow releasing lock without providing the token.
+//   - lockToken: the token for unlocking the global SDN configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn",["SDN.Allocate"]]
+func (c API) ClusterSDNUnlock(force int, lockToken string) (err error) {
+	req := struct {
+		Force     int    `in:"query=force"`
+		LockToken string `in:"query=lock-token"`
+	}{
+		Force:     force,
+		LockToken: lockToken,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/lock",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNRollback Rollback pending changes to SDN configuration
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn",["SDN.Allocate"]]
+func (c API) ClusterSDNRollback(req ClusterSDNApplyRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/rollback",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_sdn_controllers.go b/pkg/api/cluster_sdn_controllers.go
new file mode 100644
index 0000000..0e4d3fc
--- /dev/null
+++ b/pkg/api/cluster_sdn_controllers.go
@@ -0,0 +1,224 @@
+package api
+
+import (
+	"net/http"
+)
+
+// ClusterSDNControllersList List SDN controllers
+//
+// Parameters:
+//
+//   - pending (0|1): Display pending config.
+//   - running (0|1): Display running config.
+//   - t: Only list sdn controllers of specific type (bgp | evpn | faucet | isis)
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn",["SDN.Allocate"]]
+func (c API) ClusterSDNControllersList(pending, running int, t string) (res []struct {
+	Controller string  `json:"controller"`
+	Type       string  `json:"type"`
+	Pending    *int    `json:"pending"`
+	State      *string `json:"state"`
+}, err error) {
+	req := struct {
+		Pending int    `in:"query=pending"`
+		Running int    `in:"query=running"`
+		T       string `in:"query=type"`
+	}{
+		Pending: pending,
+		Running: running,
+		T:       t,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/controllers",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNControllersNewControllerRequest struct {
+	// The SDN controller object identifier.
+	Controller string `in:"query=controller;omitempty"`
+
+	// Plugin type.
+	//	bgp | evpn | faucet | isis
+	Type string `in:"query=type;omitempty"`
+
+	// autonomous system number
+	ASN *int `in:"query=asn;omitempty"`
+
+	BGPMultipathAsPathRelax *int `in:"query=bgp-multipath-as-path-relax;omitempty"`
+
+	// Enable ebgp. (remote-as external)
+	EBGP *int `in:"query=ebgp;omitempty"`
+
+	EBGPMultihop *int `in:"query=ebgp-multihop;omitempty"`
+
+	// SDN fabric to use as underlay for this EVPN controller.
+	Fabric string `in:"query=fabric;omitempty"`
+
+	// ISIS domain.
+	ISISDomain string `in:"query=isis-domain;omitempty"`
+
+	// ISIS interface.
+	ISISIfaces string `in:"query=isis-ifaces;omitempty"`
+
+	// ISIS network entity title.
+	ISISNet string `in:"query=isis-net;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	// source loopback interface.
+	Loopback string `in:"query=loopback;omitempty"`
+
+	// The cluster node name.
+	Node string `in:"query=node;omitempty"`
+
+	// peers address list.
+	Peers string `in:"query=peers;omitempty"`
+}
+
+// ClusterSDNControllersNewController Create a new sdn controller object.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/controllers",["SDN.Allocate"]]
+func (c API) ClusterSDNControllersNewController(req ClusterSDNControllersNewControllerRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/controllers",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNControllersGetController Read sdn controller configuration.
+//
+// Parameters:
+//
+//   - controller: The SDN controller object identifier.
+//   - pending (0|1): Display pending config.
+//   - running (0|1): Display running config.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/controllers/{controller}",["SDN.Allocate"]]
+func (c API) ClusterSDNControllersGetController(controller string, pending, running int) (res struct {
+	Controller string  `json:"controller"`
+	Type       string  `json:"type"`
+	Pending    *int    `json:"pending"`
+	State      *string `json:"state"`
+}, err error) {
+	req := struct {
+		Controller string `in:"path=controller;nonzero"`
+		Pending    int    `in:"query=pending"`
+		Running    int    `in:"query=running"`
+	}{
+		Controller: controller,
+		Pending:    pending,
+		Running:    running,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/controllers/{controller}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNControllersUpdateControllerRequest struct {
+	// The SDN controller object identifier.
+	Controller string `in:"path=controller;omitempty"`
+
+	// autonomous system number
+	ASN *int `in:"query=asn;omitempty"`
+
+	BGPMultipathAsPathRelax *int `in:"query=bgp-multipath-as-path-relax;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Enable ebgp. (remote-as external)
+	EBGP *int `in:"query=ebgp;omitempty"`
+
+	EBGPMultihop *int `in:"query=ebgp-multihop;omitempty"`
+
+	// SDN fabric to use as underlay for this EVPN controller.
+	Fabric string `in:"query=fabric;omitempty"`
+
+	// ISIS domain.
+	ISISDomain string `in:"query=isis-domain;omitempty"`
+
+	// ISIS interface.
+	ISISIfaces string `in:"query=isis-ifaces;omitempty"`
+
+	// ISIS network entity title.
+	ISISNet string `in:"query=isis-net;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	// source loopback interface.
+	Loopback string `in:"query=loopback;omitempty"`
+
+	// The cluster node name.
+	Node string `in:"query=node;omitempty"`
+
+	// peers address list.
+	Peers string `in:"query=peers;omitempty"`
+}
+
+// ClusterSDNControllersUpdateController Update sdn controller configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/controllers/{controller}",["SDN.Allocate"]]
+func (c API) ClusterSDNControllersUpdateController(req ClusterSDNControllersUpdateControllerRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/controllers/{controller}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNControllersDeleteController Delete sdn controller object configuration.
+// Parameters:
+//
+//   - controller: The SDN controller object identifier.
+//   - lockToken (optional): the token for unlocking the global SDN configuration
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/controllers",["SDN.Allocate"]]
+func (c API) ClusterSDNControllersDeleteController(controller, lockToken string) (err error) {
+	req := struct {
+		Controller string `in:"path=controller;nonzero"`
+		LockToken  string `in:"query=lock-token;omitempty"`
+	}{
+		Controller: controller,
+		LockToken:  lockToken,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/controllers/{controller}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_sdn_dns.go b/pkg/api/cluster_sdn_dns.go
new file mode 100644
index 0000000..4f8b391
--- /dev/null
+++ b/pkg/api/cluster_sdn_dns.go
@@ -0,0 +1,171 @@
+package api
+
+import (
+	"net/http"
+)
+
+// ClusterSDNDNSList SDN DNS index
+//
+// Parameters:
+//
+//   - t (optional: powerdns): Only list sdn dns of specific type
+//
+// Required permissions:
+//
+//	Only list entries where you have 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/dns/<dns>'
+func (c API) ClusterSDNDNSList(t string) (res []struct {
+	DNS  string `json:"dns"`
+	Type string `json:"type"`
+}, err error) {
+	req := struct {
+		Type string `in:"query=type;omitempty"`
+	}{
+		Type: t,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/dns",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNDNSNewDNSRequest struct {
+	// The SDN dns object identifier.
+	DNS string `in:"query=dns;omitempty"`
+
+	Key string `in:"query=key;omitempty"`
+
+	// Plugin type.
+	//	powerdns
+	Type string `in:"query=type;omitempty"`
+
+	URL string `in:"query=url;omitempty"`
+
+	// Certificate SHA 256 fingerprint.
+	Fingerprint string `in:"query=fingerprint;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	ReverseMaskV6 *int `in:"query=reversemaskv6;omitempty"`
+
+	ReverseV6Mask *int `in:"query=reversev6mask;omitempty"`
+
+	TTL *int `in:"query=ttl;omitempty"`
+}
+
+// ClusterSDNDNSNewDNS Create a new sdn dns object.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/dns",["SDN.Allocate"]]
+func (c API) ClusterSDNDNSNewDNS(req ClusterSDNDNSNewDNSRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/dns",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNDNSGetDNS Read sdn dns configuration.
+//
+// Parameters:
+//
+//   - dns: The SDN dns object identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/dns/{dns}",["SDN.Allocate"]]
+func (c API) ClusterSDNDNSGetDNS(dns string) (res struct {
+	DNS  string `json:"dns"`
+	Type string `json:"type"`
+}, err error) {
+	req := struct {
+		DNS string `in:"path=dns;nonzero"`
+	}{
+		DNS: dns,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/dns/{dns}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNDNSUpdateDNSRequest struct {
+	// The SDN dns object identifier.
+	DNS string `in:"path=dns;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Certificate SHA 256 fingerprint.
+	Fingerprint string `in:"query=fingerprint;omitempty"`
+
+	Key string `in:"query=key;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	ReverseMaskV6 *int `in:"query=reversemaskv6;omitempty"`
+
+	TTL *int `in:"query=ttl;omitempty"`
+
+	URL string `in:"query=url;omitempty"`
+}
+
+// ClusterSDNDNSUpdateDNS Update sdn dns configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/dns/{dns}",["SDN.Allocate"]]
+func (c API) ClusterSDNDNSUpdateDNS(req ClusterSDNDNSUpdateDNSRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/dns/{dns}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNDNSDeleteDNS Delete sdn dns object configuration.
+//
+// Parameters:
+//
+//   - dns: The SDN dns object identifier.
+//   - lockToken (optional): the token for unlocking the global SDN configuration
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/dns",["SDN.Allocate"]]
+func (c API) ClusterSDNDNSDeleteDNS(dns, lockToken string) (err error) {
+	req := struct {
+		DNS       string `in:"path=dns;nonzero"`
+		LockToken string `in:"query=lock-token;omitempty"`
+	}{
+		DNS:       dns,
+		LockToken: lockToken,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/dns/{dns}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_sdn_fabrics.go b/pkg/api/cluster_sdn_fabrics.go
new file mode 100644
index 0000000..d1f7b15
--- /dev/null
+++ b/pkg/api/cluster_sdn_fabrics.go
@@ -0,0 +1,452 @@
+package api
+
+import (
+	"net/http"
+)
+
+type ClusterSDNFabric struct {
+	// Identifier for SDN fabrics
+	ID string `json:"id"`
+
+	// Type of configuration entry in an SDN Fabric section config
+	//	openfabric | ospf
+	Protocol string `json:"protocol"`
+
+	// OSPF area. Either a IPv4 address or a 32-bit number. Gets validated in rust.
+	Area *string `json:"area"`
+
+	// The csnp_interval property for Openfabric
+	CSNPInterval *int `json:"csnp_interval"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest *string `json:"digest"`
+
+	// The hello_interval property for Openfabric
+	HelloInterval *int `json:"hello_interval"`
+
+	// The IP prefix for Node IPs
+	IP6Prefix *string `json:"ip6_prefix"`
+
+	// The IP prefix for Node IPs
+	IPPrefix *string `json:"ip_prefix"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken *string `json:"lock-token"`
+}
+
+// ClusterSDNFabricsList SDN Fabrics Index
+//
+// Parameters:
+//
+//   - pending (0|1): Display pending config.
+//   - running (0|1): Display running config.
+//
+// Required permissions:
+//
+//	Only list entries where you have 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/fabrics/<fabric>'
+func (c API) ClusterSDNFabricsList(pending, running int) (res []ClusterSDNFabric, err error) {
+	req := struct {
+		Pending int `in:"query=pending"`
+		Running int `in:"query=running"`
+	}{
+		Pending: pending,
+		Running: running,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/fabric",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNFabricsNewFabricRequest struct {
+	// Identifier for SDN fabrics
+	ID string `in:"query=id;omitempty"`
+
+	// Type of configuration entry in an SDN Fabric section config
+	//	openfabric | ospf
+	Protocol string `in:"query=protocol;omitempty"`
+
+	// The csnp_interval property for Openfabric
+	CSNPInterval *int `in:"query=csnp_interval;omitempty"`
+
+	// OSPF area. Either a IPv4 address or a 32-bit number. Gets validated in rust.
+	Area string `in:"query=area;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// The hello_interval property for Openfabric
+	HelloInterval *int `in:"query=hello_interval;omitempty"`
+
+	// The IP prefix for Node IPs
+	IP6Prefix string `in:"query=ip6_prefix;omitempty"`
+
+	// The IP prefix for Node IPs
+	IPPrefix string `in:"query=ip_prefix;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+}
+
+// ClusterSDNFabricsNewFabric Add a fabric
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/fabrics",["SDN.Allocate"]]
+func (c API) ClusterSDNFabricsNewFabric(req ClusterSDNFabricsNewFabricRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/fabric",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNFabricsGetFabric Read sdn fabric configuration.
+//
+// Parameters:
+//
+//   - id: Identifier for SDN fabrics
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/fabrics/{id}",["SDN.Audit","SDN.Allocate"],"any",1]
+func (c API) ClusterSDNFabricsGetFabric(id string) (res ClusterSDNFabric, err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/fabric/{id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNFabricsUpdateFabricRequest struct {
+	// Identifier for SDN fabrics
+	ID string `in:"query=id;omitempty"`
+
+	// Type of configuration entry in an SDN Fabric section config
+	//	openfabric | ospf
+	Protocol string `in:"query=protocol;omitempty"`
+
+	// (OpenFabric only) The csnp_interval property for Openfabric
+	CSNPInterval *int `in:"query=csnp_interval;omitempty"`
+
+	// (OpenFabric only) The hello_interval property for Openfabric
+	HelloInterval *int `in:"query=hello_interval;omitempty"`
+
+	// (OSPF only) OSPF area. Either a IPv4 address or a 32-bit number. Gets validated in rust.
+	Area string `in:"query=area;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// A list of settings you want to delete.
+	//	- OpenFabric: [hello_interval | csnp_interval, ...]
+	//	- OSPF: [area, ...]
+	Delete string `in:"query=delete;omitempty"`
+
+	// The IP prefix for Node IPs
+	IP6Prefix string `in:"query=ip6_prefix;omitempty"`
+
+	// The IP prefix for Node IPs
+	IPPrefix string `in:"query=ip_prefix;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+}
+
+// ClusterSDNFabricsUpdateFabric Update sdn fabric configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/fabrics/{id}",["SDN.Allocate"]]
+func (c API) ClusterSDNFabricsUpdateFabric(req ClusterSDNFabricsUpdateFabricRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/fabric/{id}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNFabricsDeleteFabric Delete sdn fabric configuration.
+//
+// Parameters:
+//
+//   - id: Identifier for SDN fabrics
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/fabrics",["SDN.Allocate"]]
+func (c API) ClusterSDNFabricsDeleteFabric(id string) (err error) {
+	req := struct {
+		ID string `in:"path=id;nonzero"`
+	}{
+		ID: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/fabric/{id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterSDNFabricNode struct {
+	// Identifier for SDN fabrics
+	FabricID string `json:"fabric_id"`
+
+	Interfaces []any
+
+	// Identifier for nodes in an SDN fabric
+	NodeID string `json:"node_id"`
+
+	// Type of configuration entry in an SDN Fabric section config
+	//	openfabric | ospf
+	Protocol string `json:"protocol"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest *string `json:"digest"`
+
+	// IPv4 address for this node
+	IP *string `json:"ip"`
+
+	// IPv6 address for this node
+	IP6 *string `json:"ip6"`
+
+	// The token for unlocking the global SDN configuration
+	LockToken *string `json:"lock-token"`
+}
+
+// ClusterSDNFabricsListNodes SDN Fabrics Index.
+//
+// Parameters:
+//
+//   - pending (0|1): Display pending config.
+//   - running (0|1): Display running config.
+//
+// Required permissions:
+//
+//	Only list nodes where you have 'SDN.Audit' or 'SDN.Allocate' permissions on
+//
+// '/sdn/fabrics/<fabric>' and 'Sys.Audit' or 'Sys.Modify' on /nodes/<node_id>
+func (c API) ClusterSDNFabricsListNodes(pending, running int) (res []ClusterSDNFabricNode, err error) {
+	req := struct {
+		Pending int `in:"query=pending"`
+		Running int `in:"query=running"`
+	}{
+		Pending: pending,
+		Running: running,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/node",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+// ClusterSDNFabricsGetNodeFabrics Read sdn fabric configuration.
+//
+// Parameters:
+//
+//   - fabricId: Identifier for SDN fabrics
+//   - pending (0|1): Display pending config.
+//   - running (0|1): Display running config.
+//
+// Required permissions:
+//
+//	Only returns nodes where you have 'Sys.Audit' or 'Sys.Modify' permissions.
+//	Check: ["perm","/sdn/fabrics/{fabric_id}",["SDN.Audit"]]
+func (c API) ClusterSDNFabricsGetFabricNodes(
+	fabricId string,
+	pending, running int,
+) (res []ClusterSDNFabricNode, err error) {
+	req := struct {
+		FabricID string `in:"path=fabric_id;nonzero"`
+		Pending  int    `in:"query=pending"`
+		Running  int    `in:"query=running"`
+	}{
+		FabricID: fabricId,
+		Pending:  pending,
+		Running:  running,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/node/{fabric_id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNFabricsAddNodeRequest struct {
+	// Identifier for SDN fabrics
+	FabricID string `in:"path=fabric_id;nonzero"`
+
+	// Identifier for nodes in an SDN fabric
+	NodeID string `in:"query=node_id;omitempty"`
+
+	// Type of configuration entry in an SDN Fabric section config
+	//	openfabric | ospf
+	Protocol string `in:"query=protocol;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// network interface
+	//	openfabric: [name=<string> [,hello_multiplier=<integer>] [,ip=<string>] [,ip6=<string>], ...]
+	//	ospf: [name=<string> [,ip=<string>], ...]
+	Interfaces string `in:"query=interfaces;omitempty"`
+
+	// IPv4 address for this node
+	IP string `in:"query=ip;omitempty"`
+
+	// IPv6 address for this node
+	IP6 string `in:"query=ip6;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+}
+
+// ClusterSDNFabricsAddNode Add a node to sdn fabric configuration.
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/sdn/fabrics/{fabric_id}",["SDN.Allocate"]],["perm","/nodes/{node_id}",["Sys.Modify"]]]
+func (c API) ClusterSDNFabricsAddNode(req ClusterSDNFabricsAddNodeRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/node/{fabric_id}",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNFabricsGetFabricNode Get a node
+//
+// Parameters:
+//
+//   - fabricId: Identifier for SDN fabrics
+//   - nodeId: Identifier for nodes in an SDN fabric
+
+// Required permissions:
+//
+//	Check: ["perm","/sdn/fabrics/{fabric_id}",["SDN.Audit"]]
+func (c API) ClusterSDNFabricsGetFabricNode(fabricId, nodeId string) (res ClusterSDNFabricNode, err error) {
+	req := struct {
+		FabricID string `in:"path=fabric_id;nonzero"`
+		NodeID   string `in:"path=node_id;nonzero"`
+	}{
+		FabricID: fabricId,
+		NodeID:   nodeId,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/node/{fabric_id}/{node_id}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNFabricNodeUpdateRequest struct {
+	// Identifier for SDN fabrics
+	FabricID string `in:"path=fabric_id;nonzero"`
+
+	// Identifier for nodes in an SDN fabric
+	NodeID string `in:"path=node_id;nonzero"`
+
+	// Type of configuration entry in an SDN Fabric section config
+	//	openfabric | ospf
+	Protocol string `in:"query=protocol;omitempty"`
+
+	// A list of settings you want to delete.
+	//	[interfaces | ip | ip6, ...]
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// network interface
+	//	openfabric: [name=<string> [,hello_multiplier=<integer>] [,ip=<string>] [,ip6=<string>], ...]
+	//	ospf: [name=<string> [,ip=<string>], ...]
+	Interfaces string `in:"query=interfaces;omitempty"`
+
+	// IPv4 address for this node
+	IP string `in:"query=ip;omitempty"`
+
+	// IPv6 address for this node
+	IP6 string `in:"query=ip6;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+}
+
+// ClusterSDNFabricsUpdateNode Update sdn fabric configuration.
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/sdn/fabrics/{fabric_id}",["SDN.Allocate"]],["perm","/nodes/{node_id}",["Sys.Modify"]]]
+func (c API) ClusterSDNFabricsUpdateNode(req ClusterSDNFabricNodeUpdateRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/node/{fabric_id}/{node_id}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNFabricsDeleteNode Delete node from sdn fabric configuration.
+//
+// Parameters:
+//
+//   - fabricId: Identifier for SDN fabrics
+//   - nodeId: Identifier for nodes in an SDN fabric
+//
+// Required permissions:
+//
+//	Check: ["and",["perm","/sdn/fabrics/{fabric_id}",["SDN.Allocate"]],["perm","/nodes/{node_id}",["Sys.Modify"]]]
+func (c API) ClusterSDNFabricsDeleteNode(fabricId, nodeId string) (err error) {
+	req := struct {
+		FabricID string `in:"path=fabric_id;nonzero"`
+		NodeID   string `in:"path=node_id;nonzero"`
+	}{
+		FabricID: fabricId,
+		NodeID:   nodeId,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/fabrics/node/{fabric_id}/{node_id}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_sdn_ipams.go b/pkg/api/cluster_sdn_ipams.go
new file mode 100644
index 0000000..8ff687b
--- /dev/null
+++ b/pkg/api/cluster_sdn_ipams.go
@@ -0,0 +1,169 @@
+package api
+
+import (
+	"net/http"
+)
+
+type ClusterSDNIPAMS struct {
+	IPAM string `json:"ipam"`
+	Type string `json:"type"`
+
+	// Certificate SHA 256 fingerprint.
+	Fingerprint string `json:"fingerprint"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `json:"lock-token"`
+
+	Section string `json:"section"`
+	Token   string `json:"token"`
+	URL     string `json:"url"`
+}
+
+// ClusterSDNIPAMSList SDN ipams index.
+//
+// Parameters:
+//
+//   - t ("netbox" | "phpipam" | "pve" | ""): Only list sdn ipams of specific type
+//
+// Required permissions:
+//
+//	Only list entries where you have 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/ipams/<ipam>'
+func (c API) ClusterSDNIPAMSList(t string) (res []ClusterSDNIPAMS, err error) {
+	req := struct {
+		Type string `in:"query=type;omitempty"`
+	}{
+		Type: t,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/ipams",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNIPAMSNewIPAMRequest struct {
+	// The SDN ipam object identifier.
+	IPAM string `in:"query=ipam;omitempty"`
+
+	// Plugin type.
+	//	netbox | phpipam | pve
+	Type string `in:"query=type;omitempty"`
+
+	// Certificate SHA 256 fingerprint.
+	Fingerprint string `in:"query=fingerprint;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	Section string `in:"query=section;omitempty"`
+	Token   string `in:"query=token;omitempty"`
+	URL     string `in:"query=url;omitempty"`
+}
+
+// ClusterSDNIPAMSNewIPAM Create a new sdn ipam object.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/ipams",["SDN.Allocate"]]
+func (c API) ClusterSDNIPAMSNewIPAM(req ClusterSDNIPAMSNewIPAMRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/ipams",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNIPAMSGetIPAM Read sdn ipam configuration.
+//
+// Parameters:
+//
+//   - id: The SDN ipam object identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/ipams/{ipam}",["SDN.Allocate"]]
+func (c API) ClusterSDNIPAMSGetIPAM(id string) (res ClusterSDNIPAMS, err error) {
+	req := struct {
+		IPAM string `in:"path=ipam;nonzero"`
+	}{
+		IPAM: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/ipams/{ipam}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNIPAMSUpdateIPAMRequest struct {
+	// The SDN ipam object identifier.
+	IPAM string `in:"query=ipam;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Certificate SHA 256 fingerprint.
+	Fingerprint string `in:"query=fingerprint;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	Section string `in:"query=section;omitempty"`
+	Token   string `in:"query=token;omitempty"`
+	URL     string `in:"query=url;omitempty"`
+}
+
+// ClusterSDNIPAMSUpdateIPAM Update sdn ipam configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/ipams/{ipam}",["SDN.Allocate"]]
+func (c API) ClusterSDNIPAMSUpdateIPAM(req ClusterSDNIPAMSUpdateIPAMRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/ipams/{ipam}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNIPAMSDeleteIPAM Delete sdn ipam configuration.
+//
+// Parameters:
+//
+//   - id: The SDN ipam object identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/ipams",["SDN.Allocate"]]
+func (c API) ClusterSDNIPAMSDeleteIPAM(id string) (err error) {
+	req := struct {
+		IPAM string `in:"path=ipam;nonzero"`
+	}{
+		IPAM: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/ipams/{ipam}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// FIXME: /api2/json/cluster/sdn/ipams/{ipam}/status not in docs(?)
diff --git a/pkg/api/cluster_sdn_vnets.go b/pkg/api/cluster_sdn_vnets.go
new file mode 100644
index 0000000..790aa1c
--- /dev/null
+++ b/pkg/api/cluster_sdn_vnets.go
@@ -0,0 +1,295 @@
+package api
+
+import (
+	"net/http"
+)
+
+type ClusterSDNVNet struct {
+	// The SDN vnet object identifier.
+	VNet string `json:"vnet"`
+
+	// zone id
+	Zone string `json:"zone"`
+
+	// alias name of the vnet
+	Alias string `json:"alias"`
+
+	// If true, sets the isolated property for all members of this VNet
+	IsolatePorts *int `json:"isolate-ports"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken *string `json:"lock-token"`
+
+	// vlan or vxlan id
+	Tag *int `json:"tag"`
+
+	// Type
+	Type *string `json:"type"`
+
+	// Allow vm VLANs to pass through this vnet.
+	VLanAware *int `json:"vlan-aware"`
+}
+
+// ClusterSDNVNetsList SDN vnets index.
+//
+// Parameters:
+//
+//   - pending (0|1): Display pending config.
+//   - running (0|1): Display running config.
+//
+// Required permissions:
+//
+//	Only list entries where you have 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/zones/<zone>/<vnet>'
+func (c API) ClusterSDNVNetsList(pending, running int) (res []ClusterSDNVNet, err error) {
+	req := struct {
+		Pending int `in:"query=pending"`
+		Running int `in:"query=running"`
+	}{
+		Pending: pending,
+		Running: running,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/vnets",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNVNetsNewVNetRequest struct {
+	// The SDN vnet object identifier.
+	VNet string `in:"query=vnet;omitempty"`
+
+	// zone id
+	Zone string `in:"query=zone;omitempty"`
+
+	// alias name of the vnet
+	Alias string `in:"query=alias;omitempty"`
+
+	// If true, sets the isolated property for all members of this VNet
+	IsolatePorts *int `in:"query=isolate-ports;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	// vlan or vxlan id
+	Tag *int `json:"tag"`
+
+	// Type
+	Type string `in:"query=type;omitempty"`
+
+	// Allow vm VLANs to pass through this vnet.
+	VLanAware *int `in:"query=vlanaware;omitempty"`
+}
+
+// ClusterSDNVNetsNewVNet Create a new sdn vnet object.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/zones/{zone}",["SDN.Allocate"]]
+func (c API) ClusterSDNVNetsNewVNet(req ClusterSDNVNetsNewVNetRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/vnets",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNVNetsGetVNet Read sdn vnet configuration.
+//
+// Parameters:
+//
+//   - id: The SDN vnet object identifier.
+//
+// Required permissions:
+//
+//	Require 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/zones/<zone>/<vnet>'
+func (c API) ClusterSDNVNetsGetVNet(id string) (res ClusterSDNVNet, err error) {
+	req := struct {
+		VNet string `in:"path=vnet;nonzero"`
+	}{
+		VNet: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/vnets/{vnet}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNVNetsUpdateVNetRequest struct {
+	// The SDN vnet object identifier.
+	VNet string `in:"path=vnet;nonzero"`
+
+	// alias name of the vnet
+	Alias string `in:"query=alias;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// If true, sets the isolated property for all members of this VNet
+	IsolatePorts *int `in:"query=isolate-ports;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	// vlan or vxlan id
+	Tag *int `json:"tag"`
+
+	// Allow vm VLANs to pass through this vnet.
+	VLanAware *int `in:"query=vlanaware;omitempty"`
+
+	// zone id
+	Zone string `in:"query=zone;omitempty"`
+}
+
+// ClusterSDNVNetsUpdateVNet Update sdn vnet configuration.
+//
+// Required permissions:
+//
+//	Require 'SDN.Allocate' permission on '/sdn/zones/<zone>/<vnet>'
+func (c API) ClusterSDNVNetsUpdateVNet(req ClusterSDNVNetsUpdateVNetRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/vnets/{vnet}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNVNetsDeleteVNet Delete sdn vnet configuration.
+//
+// Parameters:
+//
+//   - id: The SDN vnet object identifier.
+//
+// Required permissions:
+//
+//	Require 'SDN.Allocate' permission on '/sdn/zones/<zone>/<vnet>'
+func (c API) ClusterSDNVNetsDeleteVNet(id string) (err error) {
+	req := struct {
+		VNet string `in:"path=vnet;nonzero"`
+	}{
+		VNet: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/vnets/{vnet}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterSDNVNetsNewIPMappingRequest struct {
+	// The IP address to associate with the given MAC address
+	IP string `in:"query=ip;omitempty"`
+
+	// The SDN vnet object identifier.
+	VNet string `in:"path=vnet;omitempty"`
+
+	// The SDN zone object identifier.
+	Zone string `in:"query=zone;omitempty"`
+
+	// A common MAC address with the I/G (Individual/Group) bit not set.
+	MAC string `in:"query=mac;omitempty"`
+}
+
+// ClusterSDNVNetsNewIPMapping Create a new sdn vnet ip mapping object.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/zones/{zone}/{vnet}",["SDN.Allocate"]]
+func (c API) ClusterSDNVNetsNewIPMapping(req ClusterSDNVNetsNewIPMappingRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/vnets/{vnet}/ips",
+		Payload: &req,
+	})
+
+	return err
+}
+
+type ClusterSDNVNetsUpdateIPMappingRequest struct {
+	// The IP address to associate with the given MAC address
+	IP string `in:"query=ip;omitempty"`
+
+	// The SDN vnet object identifier.
+	VNet string `in:"path=vnet;omitempty"`
+
+	// The SDN zone object identifier.
+	Zone string `in:"query=zone;omitempty"`
+
+	// A common MAC address with the I/G (Individual/Group) bit not set.
+	MAC string `in:"query=mac;omitempty"`
+
+	// The (unique) ID of the VM.
+	VMID *int `in:"query=vmid;omitempty"`
+}
+
+type ClusterSDNVNetsDeleteIPMappingRequest struct {
+	// The IP address to associate with the given MAC address
+	IP string `in:"query=ip;omitempty"`
+
+	// The SDN vnet object identifier.
+	VNet string `in:"path=vnet;omitempty"`
+
+	// The SDN zone object identifier.
+	Zone string `in:"query=zone;omitempty"`
+
+	// A common MAC address with the I/G (Individual/Group) bit not set.
+	MAC string `in:"query=mac;omitempty"`
+}
+
+// ClusterSDNVNetsUpdateIPMapping Update sdn vnet ip mapping configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/zones/{zone}/{vnet}",["SDN.Allocate"]]
+func (c API) ClusterSDNVNetsUpdateIPMapping(req ClusterSDNVNetsUpdateIPMappingRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/vnets/{vnet}/ips",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNVNetsDeleteIPMapping Delete sdn vnet ip mapping configuration.
+//
+// Parameters:
+//
+//   - id: The SDN vnet object identifier.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/zones/{zone}/{vnet}",["SDN.Allocate"]]
+func (c API) ClusterSDNVNetsDeleteIPMapping(id string) (err error) {
+	req := struct {
+		VNet string `in:"path=vnet;nonzero"`
+	}{
+		VNet: id,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/vnets/{vnet}/ips",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}
diff --git a/pkg/api/cluster_sdn_zones.go b/pkg/api/cluster_sdn_zones.go
new file mode 100644
index 0000000..b71794f
--- /dev/null
+++ b/pkg/api/cluster_sdn_zones.go
@@ -0,0 +1,407 @@
+package api
+
+import (
+	"net/http"
+)
+
+type ClusterSDNZone struct {
+	// Type of the zone.
+	//	evpn | faucet | qinq | simple | vlan | vxlan
+	Type string `json:"type"`
+
+	// Name of the zone.
+	Zone string `json:"zone"`
+
+	// Advertise IP prefixes (Type-5 routes) instead of MAC/IP pairs (Type-2 routes). EVPN zone only.
+	AdvertiseSubnets *int `json:"advertise-subnets"`
+
+	// the bridge for which VLANs should be managed. VLAN & QinQ zone only.
+	Bridge *string `json:"bridge"`
+
+	// Disable auto mac learning. VLAN zone only.
+	BridgeDisableMACLearning *int `json:"bridge-disable-mac-learning"`
+
+	// ID of the controller for this zone. EVPN zone only.
+	Controller *string `json:"controller"`
+
+	// Name of DHCP server backend for this zone.
+	DHCP *string `json:"dhcp"`
+
+	// Digest of the controller section.
+	Digest *string `json:"digest"`
+
+	// Suppress IPv4 ARP && IPv6 Neighbour Discovery messages. EVPN zone only.
+	DisableARPNDSuppression *int `json:"disable-arp-nd-suppression"`
+
+	// ID of the DNS server for this zone.
+	DNS *string `json:"dns"`
+
+	// Domain name for this zone.
+	DNSZone *string `json:"dnszone"`
+
+	// List of PVE Nodes that should act as exit node for this zone. EVPN zone only.
+	ExitNodes *string `json:"exitnodes"`
+
+	// Create routes on the exit nodes, so they can connect to EVPN guests. EVPN zone only.
+	ExitNodesLocalRouting *int `json:"exitnodes-local-routing"`
+
+	// Force traffic through this exitnode first. EVPN zone only.
+	ExitNodesPrimary *string `json:"exitnodes-primary"`
+
+	// ID of the IPAM for this zone.
+	IPAM *string `json:"ipam"`
+
+	// MAC address of the anycast router for this zone.
+	MAC *string `json:"mac"`
+
+	// MTU of the zone, will be used for the created VNet bridges.
+	MTU *int `json:"mtu"`
+
+	// Nodes where this zone should be created.
+	Nodes *string `json:"nodes"`
+
+	// Comma-separated list of peers, that are part of the VXLAN zone. Usually the IPs of the nodes. VXLAN zone only.
+	Peers *string `json:"peers"`
+
+	// Changes that have not yet been applied to the running configuration.
+	Pending struct {
+		AdvertiseSubnets         *int    `json:"advertise-subnets"`
+		Bridge                   *string `json:"bridge"`
+		BridgeDisableMACLearning *int    `json:"bridge-disable-mac-learning"`
+		Controller               *string `json:"controller"`
+		DHCP                     *string `json:"dhcp"`
+		DisableARPNDSuppression  *int    `json:"disable-arp-nd-suppression"`
+		DNS                      *string `json:"dns"`
+		DNSZone                  *string `json:"dnszone"`
+		ExitNodes                *string `json:"exitnodes"`
+		ExitNodesLocalRouting    *int    `json:"exitnodes-local-routing"`
+		ExitNodesPrimary         *string `json:"exitnodes-primary"`
+		IPAM                     *string `json:"ipam"`
+		MAC                      *string `json:"mac"`
+		MTU                      *int    `json:"mtu"`
+		Nodes                    *string `json:"nodes"`
+		Peers                    *string `json:"peers"`
+		ReverseDNS               *string `json:"reversedns"`
+		RTImport                 *string `json:"rt-import"`
+	} `json:"pending"`
+
+	// ID of the reverse DNS server for this zone.
+	ReverseDNS *string `json:"reversedns"`
+
+	// Route-Targets that should be imported into the VRF of this zone via BGP. EVPN zone only.
+	RTImport *string `json:"rt-import"`
+
+	// State of the SDN configuration object.
+	//	new | changed | deleted
+	State *string `json:"state"`
+
+	// Service-VLAN Tag (outer VLAN). QinQ zone only
+	Tag *int `json:"tag"`
+
+	// VLAN protocol for the creation of the QinQ zone. QinQ zone only.
+	//	802.1q | 802.1ad
+	VlanProtocol *string `json:"vlan-protocol"`
+
+	// VNI for the zone VRF. EVPN zone only.
+	//	1 - 16777215
+	VRFVxLan *int `json:"vrf-vxlan"`
+
+	// VXLAN port for the zone VRF. VXLAN zone only.
+	//	1 - 65536
+	VxLanPort *int `json:"vxlan-port"`
+}
+
+type ClusterSDNZoneListRequest struct {
+	// Display pending config.
+	Pending int `in:"query=pending"`
+
+	// Display running config.
+	Running int `in:"query=running"`
+
+	// Only list SDN zones of specific type
+	//	evpn | faucet | qinq | simple | vlan | vxlan
+	Type string `in:"query=type"`
+}
+
+// ClusterSDNZonesList SDN zones index.
+//
+// Required permissions:
+//
+//	Only list entries where you have 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/zones/<zone>'
+func (c API) ClusterSDNZonesList(req ClusterSDNZoneListRequest) (res []ClusterSDNZone, err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/zones",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNZonesNewZoneRequest struct {
+	// Plugin type.
+	//	evpn | faucet | qinq | simple | vlan | vxlan
+	Type string `in:"query=type;omitempty"`
+	// The SDN zone object identifier.
+	Zone string `in:"query=zone;omitempty"`
+
+	// Advertise IP prefixes (Type-5 routes) instead of MAC/IP pairs (Type-2 routes).
+	AdvertiseSubnets *int `in:"query=advertise-subnets;omitempty"`
+
+	// The bridge for which VLANs should be managed.
+	Bridge string `in:"query=bridge;omitempty"`
+
+	// Disable auto mac learning.
+	BridgeDisableMACLearning *int `in:"query=bridge-disable-mac-learning;omitempty"`
+
+	// Controller for this zone.
+	Controller string `in:"query=controller;omitempty"`
+
+	// Type of the DHCP backend for this zone
+	DHCP string `in:"query=dhcp;omitempty"`
+
+	// Suppress IPv4 ARP && IPv6 Neighbour Discovery messages.
+	DisableARPNDSuppression *int `in:"query=disable-arp-nd-suppression;omitempty"`
+
+	// dns api server
+	DNS string `in:"query=dns;omitempty"`
+
+	// dns domain zone
+	//	ex: mydomain.com
+	DNSZone string `in:"query=dnszone;omitempty"`
+
+	// Faucet dataplane id
+	DPID *int `in:"query=dp-id;omitempty"`
+
+	// List of cluster node names.
+	ExitNodes string `in:"query=exitnodes;omitempty"`
+
+	// Allow exitnodes to connect to EVPN guests.
+	ExitNodesLocalRouting *int `in:"query=exitnodes-local-routing;omitempty"`
+
+	// Force traffic through this exitnode first.
+	ExitNodesPrimary string `in:"query=exitnodes-primary;omitempty"`
+
+	// SDN fabric to use as underlay for this VXLAN zone.
+	Fabric string `in:"query=fabric;omitempty"`
+
+	// use a specific ipam
+	IPAM string `in:"query=ipam;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	// Anycast logical router mac address.
+	MAC string `in:"query=mac;omitempty"`
+
+	// MTU of the zone, will be used for the created VNet bridges.
+	MTU *int `in:"query=mtu;omitempty"`
+
+	// List of cluster node names.
+	Nodes string `in:"query=nodes;omitempty"`
+
+	// Comma-separated list of peers, that are part of the VXLAN zone. Usually the IPs of the nodes.
+	Peers string `in:"query=peers;omitempty"`
+
+	// reverse dns api server
+	ReverseDNS string `in:"query=reversedns;omitempty"`
+
+	// List of Route Targets that should be imported into the VRF of the zone.
+	RTImport string `in:"query=rt-import;omitempty"`
+
+	// service-VLAN Tag (outer VLAN)
+	//	0 - N
+	Tag *int `in:"query=tag;omitempty"`
+
+	// Which VLAN protocol should be used for the creation of the QinQ zone.
+	//	802.1q | 802.1ad
+	VlanProtocol string `in:"query=vlan-protocol;omitempty"`
+
+	// VNI for the zone VRF.
+	//	1 - 16777215
+	VRFVxLan *int `in:"query=vrf-vxlan;omitempty"`
+
+	// UDP port that should be used for the VXLAN tunnel (default 4789).
+	//	1 - 65536
+	VxLanPort *int `in:"query=vxlan-port;omitempty"`
+}
+
+// ClusterSDNZonesNewZone Create a new sdn zone object.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/zones",["SDN.Allocate"]]
+func (c API) ClusterSDNZonesNewZone(req ClusterSDNZonesNewZoneRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/zones",
+		Method:  http.MethodPost,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNZonesGetZone Read sdn zone configuration.
+//
+// Parameters:
+//
+//   - zone: The SDN zone object identifier.
+//   - pending (0|1): Display pending config.
+//   - running (0|1): Display running config.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/zones/{zone}",["SDN.Allocate"]]
+func (c API) ClusterSDNZonesGetZone(zone string, pending, running int) (res ClusterSDNZone, err error) {
+	req := struct {
+		Zone    string `in:"path=zone;nonzero"`
+		Pending int    `in:"query=pending"`
+		Running int    `in:"query=running"`
+	}{
+		Zone:    zone,
+		Pending: pending,
+		Running: running,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/zones/{zone}",
+		Method:  http.MethodGet,
+		Payload: &req,
+		Result:  &res,
+	})
+
+	return res, err
+}
+
+type ClusterSDNZonesUpdateZoneRequest struct {
+	// The SDN zone object identifier.
+	Zone string `in:"path=zone;nonzero"`
+
+	// Advertise IP prefixes (Type-5 routes) instead of MAC/IP pairs (Type-2 routes).
+	AdvertiseSubnets *int `in:"query=advertise-subnets;omitempty"`
+
+	// The bridge for which VLANs should be managed.
+	Bridge string `in:"query=bridge;omitempty"`
+
+	// Disable auto mac learning.
+	BridgeDisableMACLearning *int `in:"query=bridge-disable-mac-learning;omitempty"`
+
+	// Controller for this zone.
+	Controller string `in:"query=controller;omitempty"`
+
+	// A list of settings you want to delete.
+	Delete string `in:"query=delete;omitempty"`
+
+	// Type of the DHCP backend for this zone
+	DHCP string `in:"query=dhcp;omitempty"`
+
+	// Prevent changes if current configuration file has a different digest. This can be used to prevent concurrent modifications.
+	Digest string `in:"query=digest;omitempty"`
+
+	// Suppress IPv4 ARP && IPv6 Neighbour Discovery messages.
+	DisableARPNDSuppression *int `in:"query=disable-arp-nd-suppression;omitempty"`
+
+	// dns api server
+	DNS string `in:"query=dns;omitempty"`
+
+	// dns domain zone
+	//	ex: mydomain.com
+	DNSZone string `in:"query=dnszone;omitempty"`
+
+	// Faucet dataplane id
+	DPID *int `in:"query=dp-id;omitempty"`
+
+	// List of cluster node names.
+	ExitNodes string `in:"query=exitnodes;omitempty"`
+
+	// Allow exitnodes to connect to EVPN guests.
+	ExitNodesLocalRouting *int `in:"query=exitnodes-local-routing;omitempty"`
+
+	// Force traffic through this exitnode first.
+	ExitNodesPrimary string `in:"query=exitnodes-primary;omitempty"`
+
+	// SDN fabric to use as underlay for this VXLAN zone.
+	Fabric string `in:"query=fabric;omitempty"`
+
+	// use a specific ipam
+	IPAM string `in:"query=ipam;omitempty"`
+
+	// the token for unlocking the global SDN configuration
+	LockToken string `in:"query=lock-token;omitempty"`
+
+	// Anycast logical router mac address.
+	MAC string `in:"query=mac;omitempty"`
+
+	// MTU of the zone, will be used for the created VNet bridges.
+	MTU *int `in:"query=mtu;omitempty"`
+
+	// List of cluster node names.
+	Nodes string `in:"query=nodes;omitempty"`
+
+	// Comma-separated list of peers, that are part of the VXLAN zone. Usually the IPs of the nodes.
+	Peers string `in:"query=peers;omitempty"`
+
+	// reverse dns api server
+	ReverseDNS string `in:"query=reversedns;omitempty"`
+
+	// List of Route Targets that should be imported into the VRF of the zone.
+	RTImport string `in:"query=rt-import;omitempty"`
+
+	// service-VLAN Tag (outer VLAN)
+	//	0 - N
+	Tag *int `in:"query=tag;omitempty"`
+
+	// Which VLAN protocol should be used for the creation of the QinQ zone.
+	//	802.1q | 802.1ad
+	VlanProtocol string `in:"query=vlan-protocol;omitempty"`
+
+	// VNI for the zone VRF.
+	//	1 - 16777215
+	VRFVxLan *int `in:"query=vrf-vxlan;omitempty"`
+
+	// UDP port that should be used for the VXLAN tunnel (default 4789).
+	//	1 - 65536
+	VxLanPort *int `in:"query=vxlan-port;omitempty"`
+}
+
+// ClusterSDNZonesUpdateZone Update sdn zone configuration.
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/zones/{zone}",["SDN.Allocate"]]
+func (c API) ClusterSDNZonesUpdateZone(req ClusterSDNZonesUpdateZoneRequest) (err error) {
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/zones/{zone}",
+		Method:  http.MethodPut,
+		Payload: &req,
+	})
+
+	return err
+}
+
+// ClusterSDNZonesDeleteZone Delete sdn zone configuration.
+//
+// Parameters:
+//
+//   - zone: The SDN zone object identifier.
+//   - lockToken (optional): the token for unlocking the global SDN configuration
+//
+// Required permissions:
+//
+//	Check: ["perm","/sdn/zones/{zone}",["SDN.Allocate"]]
+func (c API) ClusterSDNZonesDeleteZone(zone string) (err error) {
+	req := struct {
+		Zone string `in:"path=zone;nonzero"`
+	}{
+		Zone: zone,
+	}
+
+	err = c.SendPVERequest(PVERequest{
+		Path:    "/api2/json/cluster/sdn/zones/{zone}",
+		Method:  http.MethodDelete,
+		Payload: &req,
+	})
+
+	return err
+}

From e1cd4bfab6fab709305cecef71542ee0baaf8c83 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Thu, 11 Dec 2025 17:33:55 -0300
Subject: [PATCH 39/40] chore: updated docs

---
 CHANGELOG.md                            |  17 +-
 README.md                               |  74 ++++++-
 cmd/gomarkdoc/main.go                   |   3 +-
 docs/go-client/implemented-endpoints.md | 265 ++++++++++++------------
 docs/go-client/index.md                 |   2 +-
 mkdocs.yml                              |   8 +-
 6 files changed, 215 insertions(+), 154 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a8c4412..1b79e86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,22 +6,27 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+<!-- ################# 
+     # PVE API Wrapper
+     ################# -->
 ### PVE API wrapper
 
 #### Fixed
 - PVE original passthrough handler now properly includes the request query params (resolves [#4](https://github.com/iolave/go-proxmox/issues/4)).
 
+<!-- ################ 
+     # PVE API client
+     ################ -->
 ### PVE API client
+
 #### Added
-- Added a Core Service to the client:
-    - Implements `GET /api2/json/version` as `GetVersion`.
+- Added the `api` package that contains raw proxmox api implementations for:
+    - `/api2/json/access`
+    - `/api2/json/cluster`
 
 #### Changed
 - Renamed `pve.PVE` to `pve.Client`.
-
-#### Removed
-- Removed client `GetVersion` method.
-
+- Moved the `GetVersion` method from `pkg/pve` to `pkg/pve/core`.
 
 ## [v0.7.1]
 ### PVE API client
diff --git a/README.md b/README.md
index 3cf96a9..5d9a566 100644
--- a/README.md
+++ b/README.md
@@ -3,13 +3,73 @@
 > [!WARNING]
 > All versions released prior to `v1.0.0` are to be considered [breaking changes](https://semver.org/#how-do-i-know-when-to-release-100)
 
-go-proxmox is a set of tools I built in order to manage proxmox instances remotely without too much effort.
+A fully-featured set of tools for Proxmox Virtual Environment.
+This repository provides three layers:
 
-## Tools
-- Proxmox go client: To see a list of all implemented api endpoints and more information, click [here].
-- Proxmox cli (not available yet): Proxmox remote management tool.
-- Proxmox [api wrapper]: Proxmox api wrapper that adds missing features to proxmox default one.
+- Low-level 1:1 API implementation: minimal abstractions, closely matching the upstream Proxmox REST API. To see a list of all implemented api endpoints and more information, click [here].
+- [API Wrapper] (binary): exposes additional features and allows original api calls to be passed through.
+- High-level, ergonomic client – a set of well-documented Go interfaces that smooths over quirks of the raw API and integrates extensions provided by the wrapper.
 
 [here]: https://go-proxmox.iolave.com/go-client/
-[api wrapper]: https://go-proxmox.iolave.com/api-wrapper/
-[telmate/terraform-provider-proxmox]: https://github.com/Telmate/terraform-provider-proxmox
+[API Wrapper]: https://go-proxmox.iolave.com/api-wrapper/
+
+## Features
+### 1:1 Proxmox API Implementation
+- Direct mapping of Proxmox endpoints, parameters, and responses.
+- As close to upstream behavior as possible.
+- Useful for users who need full control or raw input/output.
+- Unclear or inconsistent API behaviors are intentionally preserved (mirrors the original).
+
+### API Wrapper
+Small binary that exposes:
+
+- Original API.
+- Custom API with missing functionality from the native one.
+
+It is designed to be deployed on a Proxmox node.
+
+### High-level Client
+- Human-friendly Go API.
+- Strong typing and validation where the raw API is ambiguous.
+- Includes wrapper-only features
+
+## Project Structure
+```text
+.
+├── pkg/                  # Packages that can be imported by other projects
+│   │
+│   ├── api/              # Proxmox API 1:1 implementation
+│   ├── helpers/          # General purpose helpers
+│   └── pve/              # High-level Proxmox API client
+│
+├── cmd/                  # Command line tools
+│   │
+│   ├── pve-api-wrapper/  # Proxmox API wrapper
+│   └── gomarkdoc/        # Documentation generator
+│
+├── internal/             # API Wrapper internals
+├── scripts/              # Shell scripts, mostly for development and Makefile
+├── docs/                 # MKDocs documentation
+├── README.md             # This file
+├── Makefile              # Makefile for building, testing and documentation generation
+├── LICENSE               # License
+├── go.mod                # Go module definition
+├── go.sum                # Go module checksums
+└── mkdocs.yml            # MKDocs configuration
+```
+
+## Documentation
+- The go client documentation is available [here].
+- The API wrapper documentation is available [here](https://go-proxmox.iolave.com/api-wrapper/).
+
+## Contributing
+Contributions are welcome! 
+
+Please:
+
+- Open an issue before large changes.
+- Keep PRs focused and well‑scoped.
+- Include relevant tests.
+
+[here]: https://go-proxmox.iolave.com/go-client/
+[API Wrapper]: https://go-proxmox.iolave.com/api-wrapper/
diff --git a/cmd/gomarkdoc/main.go b/cmd/gomarkdoc/main.go
index 0c3d98a..44a59b6 100644
--- a/cmd/gomarkdoc/main.go
+++ b/cmd/gomarkdoc/main.go
@@ -13,10 +13,9 @@ import (
 
 func main() {
 	packages := []string{
+		"api",
 		"pve",
 		"helpers",
-		"cloudflare",
-		"errors",
 	}
 
 	for i := 0; i < len(packages); i++ {
diff --git a/docs/go-client/implemented-endpoints.md b/docs/go-client/implemented-endpoints.md
index e412670..b133828 100644
--- a/docs/go-client/implemented-endpoints.md
+++ b/docs/go-client/implemented-endpoints.md
@@ -1,22 +1,21 @@
-This is a development-purposed list to keep track of the implemented proxmox [endpoints](https://pve.proxmox.com/pve-docs/api-viewer/) as a callable golang func but **not** necessarily as a CLI command.
+This is a development-purposed list to keep track of the implemented proxmox [endpoints](https://pve.proxmox.com/pve-docs/api-viewer/) as a callable golang func within the `pkg/api` package.
 
 | Symbol | Description |
 |:------:|:-----------:|
 |:material-close:|Not implemented|
-|:material-check:|Partially implemented (notes will be added in the docs)|
-|:material-check-all:|Fully implemented|
+|:material-check:|Implemented|
 
 ## PVE Core
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/version`                                                  |:material-check-all:|
+| `/version`                                                  |:material-check:|
 
 ## Access
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
 | `/access/acl`                                               |:material-close:||:material-close:|
 | `/access/password`                                          |||:material-close:|
-| `/access/permissions`                                       |:material-check-all:|
+| `/access/permissions`                                       |:material-close:|
 | `/access/ticket`                                            |:material-close:|:material-close:|
 
 ### Users
@@ -65,171 +64,171 @@ This is a development-purposed list to keep track of the implemented proxmox [en
 ## Cluster
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster`                                                  |:material-close:|
-| `/cluster/log`                                              |:material-close:|
-| `/cluster/nextid`                                           |:material-check-all:|
-| `/cluster/options`                                          |:material-close:||:material-close:|
+| `/cluster`                                                  |:material-check:|
+| `/cluster/log`                                              |:material-check:|
+| `/cluster/nextid`                                           |:material-check:|
+| `/cluster/options`                                          |:material-check:||:material-check:|
 | `/cluster/resources`                                        |:material-check:|
-| `/cluster/status`                                           |:material-close:|
-| `/cluster/tasks`                                            |:material-close:|
+| `/cluster/status`                                           |:material-check:|
+| `/cluster/tasks`                                            |:material-check:|
 
 ### Acme
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/acme`                                             |:material-close:|
-| `/cluster/acme/challenge-schema`                            |:material-close:|
-| `/cluster/acme/directories`                                 |:material-close:|
-| `/cluster/acme/meta`                                        |:material-close:|
-| `/cluster/acme/tos`                                         |:material-close:|
-| `/cluster/acme/account`                                     |:material-close:|:material-close:|
-| `/cluster/acme/account/:name`                               |:material-close:||:material-close:|:material-close:|
-| `/cluster/acme/plugins`                                     |:material-close:|:material-close:|
-| `/cluster/acme/plugins/:id`                                 |:material-close:||:material-close:|:material-close:|
+| `/cluster/acme`                                             |:material-check:|
+| `/cluster/acme/challenge-schema`                            |:material-check:|
+| `/cluster/acme/directories`                                 |:material-check:|
+| `/cluster/acme/meta`                                        |:material-check:|
+| `/cluster/acme/tos`                                         |:material-check:|
+| `/cluster/acme/account`                                     |:material-check:|:material-check:|
+| `/cluster/acme/account/:name`                               |:material-check:||:material-check:|:material-check:|
+| `/cluster/acme/plugins`                                     |:material-check:|:material-check:|
+| `/cluster/acme/plugins/:id`                                 |:material-check:||:material-check:|:material-check:|
 
 
 ### Backup
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/backup`                                           |:material-close:|:material-close:|
-| `/cluster/backup/:id`                                       |:material-close:||:material-close:|:material-close:|
-| `/cluster/backup/:id/included_volumes`                      |:material-close:|
+| `/cluster/backup`                                           |:material-check:|:material-check:|
+| `/cluster/backup/:id`                                       |:material-check:||:material-check:|:material-check:|
+| `/cluster/backup/:id/included_volumes`                      |:material-check:|
 
 ### Backup info
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/backup-info`                                      |:material-close:|
-| `/cluster/backup-info/not-backed-up`                        |:material-close:|
+| `/cluster/backup-info`                                      |:material-check:|
+| `/cluster/backup-info/not-backed-up`                        |:material-check:|
 
 ### Ceph
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/ceph`                                             |:material-close:|
-| `/cluster/ceph/metadata`                                    |:material-close:|
-| `/cluster/ceph/status`                                      |:material-close:|
-| `/cluster/ceph/flags`                                       |:material-close:||:material-close:|
-| `/cluster/ceph/flags/:flag`                                 |:material-close:||:material-close:|
+| `/cluster/ceph`                                             |:material-check:|
+| `/cluster/ceph/metadata`                                    |:material-check:|
+| `/cluster/ceph/status`                                      |:material-check:|
+| `/cluster/ceph/flags`                                       |:material-check:||:material-check:|
+| `/cluster/ceph/flags/:flag`                                 |:material-check:||:material-check:|
 
 ### Config
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/config`                                           |:material-close:|:material-close:|
-| `/cluster/config/apiversion`                                |:material-close:|
-| `/cluster/config/join`                                      |:material-close:|:material-close:|
-| `/cluster/config/qdevice`                                   |:material-close:|:material-close:|
-| `/cluster/config/totem`                                     |:material-close:|
-| `/cluster/config/nodes`                                     |:material-close:|
-| `/cluster/config/nodes/:node`                               ||:material-close:||:material-close:|
+| `/cluster/config`                                           |:material-check:|:material-check:|
+| `/cluster/config/apiversion`                                |:material-check:|
+| `/cluster/config/join`                                      |:material-check:|:material-check:|
+| `/cluster/config/qdevice`                                   |:material-check:|:material-check:|
+| `/cluster/config/totem`                                     |:material-check:|
+| `/cluster/config/nodes`                                     |:material-check:|
+| `/cluster/config/nodes/:node`                               ||:material-check:||:material-check:|
 
 ### Firewall
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/firewall`                                         |:material-close:|
-| `/cluster/firewall/macros`                                  |:material-close:|
-| `/cluster/firewall/options`                                 |:material-close:||:material-close:|
-| `/cluster/firewall/refs`                                    |:material-close:|
-| `/cluster/firewall/aliases`                                 |:material-check-all:|:material-check-all:|
-| `/cluster/firewall/aliases/:name`                           |:material-check-all:||:material-check-all:|:material-check-all:|
-| `/cluster/firewall/groups`                                  |:material-close:|:material-close:|
-| `/cluster/firewall/groups/:group`                           |:material-close:|:material-close:||:material-close:|
-| `/cluster/firewall/groups/:group/:pos`                      |:material-close:||:material-close:|:material-close:|
-| `/cluster/firewall/ipset`                                   |:material-check-all:|:material-close:|
-| `/cluster/firewall/ipset/:name`                             |:material-close:|:material-close:||:material-close:|
-| `/cluster/firewall/ipset/:name/:cidr`                       |:material-close:||:material-close:|:material-close:|
-| `/cluster/firewall/rules`                                   |:material-check-all:|:material-close:|
-| `/cluster/firewall/rules/:pos`                              |:material-close:||:material-close:|:material-close:|
+| `/cluster/firewall`                                         |:material-check:|
+| `/cluster/firewall/macros`                                  |:material-check:|
+| `/cluster/firewall/options`                                 |:material-check:||:material-check:|
+| `/cluster/firewall/refs`                                    |:material-check:|
+| `/cluster/firewall/aliases`                                 |:material-check:|:material-check:|
+| `/cluster/firewall/aliases/:name`                           |:material-check:||:material-check:|:material-check:|
+| `/cluster/firewall/groups`                                  |:material-check:|:material-check:|
+| `/cluster/firewall/groups/:group`                           |:material-check:|:material-check:||:material-check:|
+| `/cluster/firewall/groups/:group/:pos`                      |:material-check:||:material-check:|:material-check:|
+| `/cluster/firewall/ipset`                                   |:material-check:|:material-check:|
+| `/cluster/firewall/ipset/:name`                             |:material-check:|:material-check:||:material-check:|
+| `/cluster/firewall/ipset/:name/:cidr`                       |:material-check:||:material-check:|:material-check:|
+| `/cluster/firewall/rules`                                   |:material-check:|:material-check:|
+| `/cluster/firewall/rules/:pos`                              |:material-check:||:material-check:|:material-check:|
 
 ### High availability
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/ha`                                               |:material-close:|
-| `/cluster/ha/groups`                                        |:material-close:|:material-close:|
-| `/cluster/ha/groups/:group`                                 |:material-close:||:material-close:|:material-close:|
-| `/cluster/ha/resources`                                     |:material-close:|:material-close:|
-| `/cluster/ha/resources/:sid`                                |:material-close:||:material-close:|:material-close:|
-| `/cluster/ha/resources/:sid/migrate`                        ||:material-close:|
-| `/cluster/ha/resources/:sid/relocate`                       ||:material-close:|
-| `/cluster/ha/status`                                        |:material-close:|
-| `/cluster/ha/status/current`                                |:material-close:|
-| `/cluster/ha/status/manager_status`                         |:material-close:|
+| `/cluster/ha`                                               |:material-check:|
+| `/cluster/ha/groups`                                        |:material-check:|:material-check:|
+| `/cluster/ha/groups/:group`                                 |:material-check:||:material-check:|:material-check:|
+| `/cluster/ha/resources`                                     |:material-check:|:material-check:|
+| `/cluster/ha/resources/:sid`                                |:material-check:||:material-check:|:material-check:|
+| `/cluster/ha/resources/:sid/migrate`                        ||:material-check:|
+| `/cluster/ha/resources/:sid/relocate`                       ||:material-check:|
+| `/cluster/ha/status`                                        |:material-check:|
+| `/cluster/ha/status/current`                                |:material-check:|
+| `/cluster/ha/status/manager_status`                         |:material-check:|
 
 ### Jobs
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/jobs`                                             |:material-close:|
-| `/cluster/jobs/schedule-analyze`                            |:material-close:|
-| `/cluster/jobs/realm-sync`                                  |:material-close:|
-| `/cluster/jobs/realm-sync/:id`                              |:material-close:|:material-close:|:material-close:|:material-close:|
+| `/cluster/jobs`                                             |:material-check:|
+| `/cluster/jobs/schedule-analyze`                            |:material-check:|
+| `/cluster/jobs/realm-sync`                                  |:material-check:|
+| `/cluster/jobs/realm-sync/:id`                              |:material-check:|:material-check:|:material-check:|:material-check:|
 
 ### Mapping
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/mapping`                                          |:material-close:|
-| `/cluster/mapping/pci`                                      |:material-close:|:material-close:|
-| `/cluster/mapping/pci/:id`                                  |:material-close:||:material-close:|:material-close:|
-| `/cluster/mapping/usb`                                      |:material-close:|:material-close:|
-| `/cluster/mapping/usb/:id`                                  |:material-close:||:material-close:|:material-close:|
+| `/cluster/mapping`                                          |:material-check:|
+| `/cluster/mapping/pci`                                      |:material-check:|:material-check:|
+| `/cluster/mapping/pci/:id`                                  |:material-check:||:material-check:|:material-check:|
+| `/cluster/mapping/usb`                                      |:material-check:|:material-check:|
+| `/cluster/mapping/usb/:id`                                  |:material-check:||:material-check:|:material-check:|
 
 ### Metrics
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/metrics`                                          |:material-close:|
-| `/cluster/metrics/export`                                   |:material-close:|
-| `/cluster/metrics/server`                                   |:material-close:|
-| `/cluster/metrics/server/:id`                               |:material-close:|:material-close:|:material-close:|:material-close:|
+| `/cluster/metrics`                                          |:material-check:|
+| `/cluster/metrics/export`                                   |:material-check:|
+| `/cluster/metrics/server`                                   |:material-check:|
+| `/cluster/metrics/server/:id`                               |:material-check:|:material-check:|:material-check:|:material-check:|
 
 ### Notifications
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/notifications`                                    |:material-close:|
-| `/cluster/notifications/matcher-field-values`               |:material-close:|
-| `/cluster/notifications/matcher-fields`                     |:material-close:|
-| `/cluster/notifications/endpoints`                          |:material-close:|
-| `/cluster/notifications/endpoints/gotify`                   |:material-close:|:material-close:|
-| `/cluster/notifications/endpoints/gotify/:name`             |:material-close:||:material-close:|:material-close:|
-| `/cluster/notifications/endpoints/sendmail`                 |:material-close:|:material-close:|
-| `/cluster/notifications/endpoints/sendmail/:name`           |:material-close:||:material-close:|:material-close:|
-| `/cluster/notifications/endpoints/smpt`                     |:material-close:|:material-close:|
-| `/cluster/notifications/endpoints/smpt/:name`               |:material-close:||:material-close:|:material-close:|
-| `/cluster/notifications/endpoints/webhook`                  |:material-close:|:material-close:|
-| `/cluster/notifications/endpoints/webhook/:name`            |:material-close:||:material-close:|:material-close:|
-| `/cluster/notifications/matchers`                           |:material-close:|:material-close:|
-| `/cluster/notifications/matchers/:name`                     |:material-close:||:material-close:|:material-close:|
-| `/cluster/notifications/targets`                            |:material-close:|
-| `/cluster/notifications/targets/:name`                      |:material-close:||:material-close:|:material-close:|
+| `/cluster/notifications`                                    |:material-check:|
+| `/cluster/notifications/matcher-field-values`               |:material-check:|
+| `/cluster/notifications/matcher-fields`                     |:material-check:|
+| `/cluster/notifications/endpoints`                          |:material-check:|
+| `/cluster/notifications/endpoints/gotify`                   |:material-check:|:material-check:|
+| `/cluster/notifications/endpoints/gotify/:name`             |:material-check:||:material-check:|:material-check:|
+| `/cluster/notifications/endpoints/sendmail`                 |:material-check:|:material-check:|
+| `/cluster/notifications/endpoints/sendmail/:name`           |:material-check:||:material-check:|:material-check:|
+| `/cluster/notifications/endpoints/smpt`                     |:material-check:|:material-check:|
+| `/cluster/notifications/endpoints/smpt/:name`               |:material-check:||:material-check:|:material-check:|
+| `/cluster/notifications/endpoints/webhook`                  |:material-check:|:material-check:|
+| `/cluster/notifications/endpoints/webhook/:name`            |:material-check:||:material-check:|:material-check:|
+| `/cluster/notifications/matchers`                           |:material-check:|:material-check:|
+| `/cluster/notifications/matchers/:name`                     |:material-check:||:material-check:|:material-check:|
+| `/cluster/notifications/targets`                            |:material-check:|
+| `/cluster/notifications/targets/:name`                      |:material-check:||:material-check:|:material-check:|
 
 ### Replication
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/replication`                                      |:material-close:|:material-close:|
-| `/cluster/replication/:id`                                  |:material-close:||:material-close:|:material-close:|
+| `/cluster/replication`                                      |:material-check:|:material-check:|
+| `/cluster/replication/:id`                                  |:material-check:||:material-check:|:material-check:|
 
 ### SDN
 | path                                                        | get                | post           | put | delete |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/cluster/sdn`                                              |:material-close:||:material-close:|
-| `/cluster/sdn/controllers`                                  |:material-close:|:material-close:|
-| `/cluster/sdn/controllers/:controller`                      |:material-close:||:material-close:|:material-close:|
-| `/cluster/sdn/dns`                                          |:material-close:|:material-close:|
-| `/cluster/sdn/dns/:dns`                                     |:material-close:||:material-close:|:material-close:|
-| `/cluster/sdn/ipams`                                        |:material-close:|:material-close:|
-| `/cluster/sdn/ipams/:ipam`                                  |:material-close:||:material-close:|:material-close:|
-| `/cluster/sdn/vnets`                                        |:material-close:|:material-close:|
-| `/cluster/sdn/vnets/:vnet`                                  |:material-close:||:material-close:|:material-close:|
-| `/cluster/sdn/vnets/:vnet/ips`                              ||:material-close:|:material-close:|:material-close:|
-| `/cluster/sdn/vnets/:vnet/firewall`                         |:material-close:|
-| `/cluster/sdn/vnets/:vnet/firewall/options`                 |:material-close:||:material-close:|
-| `/cluster/sdn/vnets/:vnet/firewall/rules`                   |:material-close:|:material-close:|
-| `/cluster/sdn/vnets/:vnet/firewall/rules/:pos`              |:material-close:||:material-close:|:material-close:|
-| `/cluster/sdn/vnets/:vnet/subnets`                          |:material-close:|:material-close:|
-| `/cluster/sdn/vnets/:vnet/subnets/:subnet`                  |:material-close:||:material-close:|:material-close:|
-| `/cluster/sdn/zones`                                        |:material-close:|:material-close:|
-| `/cluster/sdn/zones/:zone`                                  |:material-close:||:material-close:|:material-close:|
+| `/cluster/sdn`                                              |:material-check:||:material-check:|
+| `/cluster/sdn/controllers`                                  |:material-check:|:material-check:|
+| `/cluster/sdn/controllers/:controller`                      |:material-check:||:material-check:|:material-check:|
+| `/cluster/sdn/dns`                                          |:material-check:|:material-check:|
+| `/cluster/sdn/dns/:dns`                                     |:material-check:||:material-check:|:material-check:|
+| `/cluster/sdn/ipams`                                        |:material-check:|:material-check:|
+| `/cluster/sdn/ipams/:ipam`                                  |:material-check:||:material-check:|:material-check:|
+| `/cluster/sdn/vnets`                                        |:material-check:|:material-check:|
+| `/cluster/sdn/vnets/:vnet`                                  |:material-check:||:material-check:|:material-check:|
+| `/cluster/sdn/vnets/:vnet/ips`                              ||:material-check:|:material-check:|:material-check:|
+| `/cluster/sdn/vnets/:vnet/firewall`                         |:material-check:|
+| `/cluster/sdn/vnets/:vnet/firewall/options`                 |:material-check:||:material-check:|
+| `/cluster/sdn/vnets/:vnet/firewall/rules`                   |:material-check:|:material-check:|
+| `/cluster/sdn/vnets/:vnet/firewall/rules/:pos`              |:material-check:||:material-check:|:material-check:|
+| `/cluster/sdn/vnets/:vnet/subnets`                          |:material-check:|:material-check:|
+| `/cluster/sdn/vnets/:vnet/subnets/:subnet`                  |:material-check:||:material-check:|:material-check:|
+| `/cluster/sdn/zones`                                        |:material-check:|:material-check:|
+| `/cluster/sdn/zones/:zone`                                  |:material-check:||:material-check:|:material-check:|
 
 ## Nodes
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/nodes`                                                    |:material-check-all:|
-| `/nodes/:node`                                              |:material-check-all:|
+| `/nodes`                                                    |:material-close:|
+| `/nodes/:node`                                              |:material-close:|
 | `/nodes/:node/aplinfo`                                      |:material-close:|:material-close:|
 | `/nodes/:node/config`                                       |:material-close:||:material-close:|
 | `/nodes/:node/dns`                                          |:material-close:||:material-close:|
@@ -259,11 +258,11 @@ This is a development-purposed list to keep track of the implemented proxmox [en
 ### Node: apt
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/nodes/:node/apt`                                          |:material-check-all:|
-| `/nodes/:node/apt/changelog`                                |:material-check-all:|
-| `/nodes/:node/apt/repositories`                             |:material-check-all:|:material-check-all:|:material-check-all:|
-| `/nodes/:node/apt/update`                                   |:material-check:|:material-check-all:|
-| `/nodes/:node/apt/versions`                                 |:material-check:|
+| `/nodes/:node/apt`                                          |:material-close:|
+| `/nodes/:node/apt/changelog`                                |:material-close:|
+| `/nodes/:node/apt/repositories`                             |:material-close:|:material-close:|:material-close:|
+| `/nodes/:node/apt/update`                                   |:material-close:|:material-close:|
+| `/nodes/:node/apt/versions`                                 |:material-close:|
 
 ### Node: Capabilities
 | Path                                                        | GET                | POST           | PUT | DELETE |
@@ -340,9 +339,9 @@ This is a development-purposed list to keep track of the implemented proxmox [en
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
 | `/nodes/:node/firewall`                                     |:material-close:|
-| `/nodes/:node/firewall/rules`                               |:material-check-all:|:material-check-all:|
-| `/nodes/:node/firewall/rules/:pos`                          |:material-check-all:||:material-close:|:material-check:|
-| `/nodes/:node/firewall/log`                                 |:material-check:|
+| `/nodes/:node/firewall/rules`                               |:material-close:|:material-close:|
+| `/nodes/:node/firewall/rules/:pos`                          |:material-close:||:material-close:|:material-close:|
+| `/nodes/:node/firewall/log`                                 |:material-close:|
 | `/nodes/:node/firewall/options`                             |:material-close:||:material-close:|
 
 ### Node: Hardware
@@ -356,8 +355,8 @@ This is a development-purposed list to keep track of the implemented proxmox [en
 ### Node: lxc
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/nodes/:node/lxc`                                          |:material-check-all:|:material-check:|
-| `/nodes/:node/lxc/:vmid`                                    |:material-check-all:| | |:material-check-all:|
+| `/nodes/:node/lxc`                                          |:material-close:|:material-close:|
+| `/nodes/:node/lxc/:vmid`                                    |:material-close:| | |:material-close:|
 | `/nodes/:node/lxc/:vmid/firewall`                           |:material-close:|
 | `/nodes/:node/lxc/:vmid/firewall/log`                       |:material-close:|
 | `/nodes/:node/lxc/:vmid/firewall/option`                    |:material-close:||:material-close:|
@@ -374,17 +373,17 @@ This is a development-purposed list to keep track of the implemented proxmox [en
 | `/nodes/:node/lxc/:vmid/snapshot/:name/config`              |:material-close:||:material-close:|
 | `/nodes/:node/lxc/:vmid/snapshot/:name/rollback`            ||:material-close:|
 | `/nodes/:node/lxc/:vmid/status`                             |:material-close:|
-| `/nodes/:node/lxc/:vmid/status/current`                     |:material-check-all:|
-| `/nodes/:node/lxc/:vmid/status/reboot`                      ||:material-check-all:|
-| `/nodes/:node/lxc/:vmid/status/resume`                      ||:material-check-all:|
-| `/nodes/:check-all/lxc/:vmid/status/shutdown`               ||:material-check-all:|
-| `/nodes/:node/lxc/:vmid/status/start`                       ||:material-check-all:|
-| `/nodes/:check-all/lxc/:vmid/status/stop`                   ||:material-check-all:|
-| `/nodes/:node/lxc/:vmid/status/suspend`                     ||:material-check-all:|
+| `/nodes/:node/lxc/:vmid/status/current`                     |:material-close:|
+| `/nodes/:node/lxc/:vmid/status/reboot`                      ||:material-close:|
+| `/nodes/:node/lxc/:vmid/status/resume`                      ||:material-close:|
+| `/nodes/:node/lxc/:vmid/status/shutdown`                    ||:material-close:|
+| `/nodes/:node/lxc/:vmid/status/start`                       ||:material-close:|
+| `/nodes/:node/lxc/:vmid/status/stop`                        ||:material-close:|
+| `/nodes/:node/lxc/:vmid/status/suspend`                     ||:material-close:|
 | `/nodes/:node/lxc/:vmid/clone`                              ||:material-close:|
 | `/nodes/:node/lxc/:vmid/config`                             |:material-close:||:material-close:|
 | `/nodes/:node/lxc/:vmid/feature`                            |:material-close:|
-| `/nodes/:node/lxc/:vmid/interfaces`                         |:material-check-all:|
+| `/nodes/:node/lxc/:vmid/interfaces`                         |:material-close:|
 | `/nodes/:node/lxc/:vmid/migrate`                            ||:material-close:|
 | `/nodes/:node/lxc/:vmid/move_volume`                        ||:material-close:|
 | `/nodes/:node/lxc/:vmid/mtunnel`                            ||:material-close:|
@@ -528,14 +527,14 @@ This is a development-purposed list to keep track of the implemented proxmox [en
 ### Node: Storage
 | Path                                                        | GET                | POST           | PUT | DELETE |
 |-------------------------------------------------------------|:------------------:|:--------------:|:-----:|:-:|
-| `/nodes/:node/storage`                                      |:material-check-all:|
+| `/nodes/:node/storage`                                      |:material-close:|
 | `/nodes/:node/storage/:storage`                             |:material-close:|
-| `/nodes/:node/storage/:storage/content`                     |:material-close:|:material-check-all:|
+| `/nodes/:node/storage/:storage/content`                     |:material-close:|:material-close:|
 | `/nodes/:node/storage/:storage/content/:volume`             |:material-close:|:material-close:|:material-close:|:material-close:|
 | `/nodes/:node/storage/:storage/file-restore`                |:material-close:|:material-close:|:material-close:|:material-close:|
 | `/nodes/:node/storage/:storage/file-restore/download`       |:material-close:|
 | `/nodes/:node/storage/:storage/file-restore/list`           |:material-close:|
-| `/nodes/:node/storage/:storage/download-url`                ||:material-check:|
+| `/nodes/:node/storage/:storage/download-url`                ||:material-close:|
 | `/nodes/:node/storage/:storage/import-metadata`             |:material-close:|
 | `/nodes/:node/storage/:storage/prunebackups`                |:material-close:|||:material-close:|
 | `/nodes/:node/storage/:storage/rdd`                         |:material-close:|
diff --git a/docs/go-client/index.md b/docs/go-client/index.md
index 579da56..c342b67 100644
--- a/docs/go-client/index.md
+++ b/docs/go-client/index.md
@@ -1,7 +1,7 @@
 # Go client
 ## Install
 ```bash 
-go get github.com/iolave/go-proxmox@v0.5.0
+go get github.com/iolave/go-proxmox@v0.8.0
 ```
 
 ## Environment variables
diff --git a/mkdocs.yml b/mkdocs.yml
index 280cb97..a5ea08d 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -71,11 +71,9 @@ nav:
   - Go client:
     - go-client/index.md
     - Reference:
-      - pkg:
-        - go-client/pkg/cloudflare.md
-        - go-client/pkg/helpers.md
-        - go-client/pkg/pve.md
-        - go-client/pkg/errors.md
+      - pkg/api: go-client/pkg/api.md
+      - pkg/pve: go-client/pkg/pve.md
+      - pkg/helpers: go-client/pkg/helpers.md
     - Implemented endpoints: go-client/implemented-endpoints.md
   - API Wrapper:
     - api-wrapper/index.md

From 4122265953b3562c0c52d7732ace0b724dc23268 Mon Sep 17 00:00:00 2001
From: Ignacio Olave <me@iolave.com>
Date: Thu, 11 Dec 2025 18:14:07 -0300
Subject: [PATCH 40/40] feat: the api pkg now have built-in credentials

---
 docs/go-client/index.md    | 96 +++++++++++++++++++++++++++-----------
 mkdocs.yml                 |  7 +--
 pkg/api/api.go             | 67 +++++++++++++++-----------
 pkg/api/api_credentials.go | 92 ++++++++++++++++++++++++++++++++++++
 4 files changed, 204 insertions(+), 58 deletions(-)
 create mode 100644 pkg/api/api_credentials.go

diff --git a/docs/go-client/index.md b/docs/go-client/index.md
index c342b67..e34befd 100644
--- a/docs/go-client/index.md
+++ b/docs/go-client/index.md
@@ -15,62 +15,104 @@ The following environment variables can be used to interact both with the cli an
 |PROXMOX_TOKEN      |Proxmox VE generated token             |X    |-         |
 
 ## Getting started 
-First, import the [pve package]:
+First, import the [api package]:
 ```go
-import "github.com/iolave/go-proxmox/pkg/pve"
+import "github.com/iolave/go-proxmox/pkg/api"
 ```
 
 In order to create a new pve api you can either use environment variables or the built-in [credentials] constructors.
 
 === "Using environment variables"
     ```go
-    config := pve.Config{
+    creds, err := api.NewTokenCreds("root@pam", "TOKEN_NAME", "UUID_TOKEN")
+    if err != nil {
+        // handle error
+        panic(err)
+    }
+
+    config := api.Config{
 	    Host:               "pve.example.com",
 	    Port:               8006,
 	    InsecureSkipVerify: true,
+        Credentials:        creds,
     }
 
-    api, err := pve.New()
+    c, err := api.New(config)
     ```
 
-=== "Using the built-in credentials constructors"
+=== "Using token credentials"
     ```go
-    creds, err := pve.NewEnvCreds()
-    // Or:
-    // creds := pve.NewTokenCreds("root@pam", "TOKEN_NAME", "UUID_TOKEN")
+    creds := api.NewTokenCreds("root@pam", "TOKEN_NAME", "UUID_TOKEN")
 
-    if err != nil {
-	    // handle the error as you please
-    }
-	
-    config := pve.Config{
+    config := api.Config{
 	    Host:               "pve.example.com",
 	    Port:               8006,
 	    InsecureSkipVerify: true,
+        Credentials:        creds,
     }
 
-    api, err := pve.NewWithCredentials(config, creds)
+    c, err := api.New(config)
     ```
 
-### Connecting to a proxmox instance secured by Cloudflare 
-If you are exposing your pve instance through proxmox zero trust, you need to setup an [application] within cloudflare and generate a [service token] for that application.
+### Connecting to a proxmox instance using custom headers 
+If for some reason you need to add custom headers to your requests in order to reach the proxmox instance, you can do so by passing a map of custom headers to the [api.Config] struct.
 
-Once you have your service token id and secret, add them your `pve.Config`:
 ```go
-import "github.com/iolave/go-proxmox/pkg/cloudflare"
+creds := api.NewTokenCreds("root@pam", "TOKEN_NAME", "UUID_TOKEN")
 
-//...
-
-config := pve.Config{
+config := api.Config{
     Host:               "pve.example.com",
-	Port:               8006,
-	InsecureSkipVerify: true,
-	CfServiceToken:     cloudflare.NewServiceToken("token-id.access", "token-secret"),
+    Port:               8006,
+    InsecureSkipVerify: true,
+    Credentials:        creds,
+    CustomHeaders: http.Header{
+        "x-api-key": []string{"my-api-key"},
+    },
 }
+
+c, err := api.New(config)
 ```
 
+## Using the go-proxmox services
+The go-proxmox services are available under the `pkg/pve` package. Next, there's an example of how to use the core service.
+
+```go
+package main
+
+import (
+    "fmt"
+    "github.com/iolave/go-proxmox/pkg/api"
+    "github.com/iolave/go-proxmox/pkg/pve/core"
+)
+
+func main() {
+    creds := api.NewTokenCreds("root@pam", "TOKEN_NAME", "UUID_TOKEN")
+    
+    config := api.Config{
+        Host:               "pve.example.com",
+        Port:               8006,
+        InsecureSkipVerify: true,
+        Credentials:        creds,
+        CustomHeaders: http.Header{
+            "x-api-key": []string{"my-api-key"},
+        },
+    }
+    
+    c, err := api.New(config)
+
+    cs := core.New(c)
+    
+    // Get the version of the proxmox instance
+    res, err := cs.GetVersion()
+    if err != nil {
+        // handle error
+        panic(err)
+    }
+    
+    fmt.Println(res)
+}
+```
 
-[pve package]: https://go-proxmox.iolave.com/go-client/pkg/pve/
-[credentials]: https://go-proxmox.iolave.com/go-client/pkg/pve/#type-credentials
-[service token]: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens
+[api package]: https://go-proxmox.iolave.com/go-client/pkg/api/
+[credentials]: https://go-proxmox.iolave.com/go-client/pkg/api/#type-credentials
 [application]: https://developers.cloudflare.com/cloudflare-one/applications/
diff --git a/mkdocs.yml b/mkdocs.yml
index a5ea08d..5bfbffb 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -71,9 +71,10 @@ nav:
   - Go client:
     - go-client/index.md
     - Reference:
-      - pkg/api: go-client/pkg/api.md
-      - pkg/pve: go-client/pkg/pve.md
-      - pkg/helpers: go-client/pkg/helpers.md
+      - pkg:
+        - api: go-client/pkg/api.md
+        - pve: go-client/pkg/pve.md
+        - helpers: go-client/pkg/helpers.md
     - Implemented endpoints: go-client/implemented-endpoints.md
   - API Wrapper:
     - api-wrapper/index.md
diff --git a/pkg/api/api.go b/pkg/api/api.go
index f9a7401..f6eaeef 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -18,13 +18,17 @@ import (
 // API is an http client used to send requests
 // to the proxmox api.
 type API struct {
+	// cfg is the proxmox api configuration.
+	cfg Config
+
 	// httpc is the underlying http client used
 	// to send requests to the proxmox api.
 	httpc *http.Client
+}
 
+type Config struct {
 	// CustomHeaders is a map of custom headers
-	// to be sent with each request, authorization
-	// should be added to this map.
+	// to be sent with each request.
 	CustomHeaders http.Header
 
 	// Proto is the protocol used to send requests
@@ -38,43 +42,41 @@ type API struct {
 	// Port is the port used to send requests
 	// to the proxmox api.
 	Port int `validate:"required"`
+
+	// Credentials is the proxmox api credentials.
+	Credentials *Credentials `validate:"required"`
+
+	// InsecureSkipVerify is a flag that indicates
+	// whether the client should skip verifying the
+	// server's certificate chain and host name.
+	// It is used to disable SSL certificate verification.
+	InsecureSkipVerify bool
 }
 
-// New returns a new HTTPClient.
+// New returns a new Proxmox API client. It returns an
+// error when the config is invalid.
 //
-// proto is the protocol used to send requests
-// and it's allowed values are http or https.
-//
-// It returns an error when the proto is not
-// supported or when the host or port is not
-// set/valid.
-//
-// Any error returned is of type [errors].Error.
-//
-// It also initializes custom httpin directives.
+// - Any error returned is of type [errors].Error.
+// - It also initializes custom httpin directives.
 //
 // [errors]: https://pkg.go.dev/github.com/iolave/go-errors
-func New(
-	proto string,
-	host string,
-	port int,
-	insecureSkipVerify bool,
-) (*API, error) {
+func New(cfg Config) (*API, error) {
 	httpinInit()
 
 	transport := &http.Transport{
 		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: insecureSkipVerify,
+			InsecureSkipVerify: cfg.InsecureSkipVerify,
 		},
 	}
 	httpc := &http.Client{Transport: transport}
 
+	if cfg.CustomHeaders == nil {
+		cfg.CustomHeaders = http.Header{}
+	}
+
 	c := &API{
-		httpc:         httpc,
-		CustomHeaders: http.Header{},
-		Proto:         proto,
-		Host:          host,
-		Port:          port,
+		httpc: httpc,
+		cfg:   cfg,
 	}
 
 	validate := validator.New(
@@ -121,14 +123,14 @@ type PVERequest struct {
 	Result any
 }
 
-// sendPVERequest sends a request to the proxmox api. It returns
+// SendPVERequest sends a request to the proxmox api. It returns
 // an error when the request fails.
 //
 // Any error returned is of type [errors].*HTTPError.
 //
 // [errors]: https://pkg.go.dev/github.com/iolave/go-errors
 func (c API) SendPVERequest(pvereq PVERequest) error {
-	base := fmt.Sprintf("%s://%s:%d", c.Proto, c.Host, c.Port)
+	base := fmt.Sprintf("%s://%s:%d", c.cfg.Proto, c.cfg.Host, c.cfg.Port)
 	url, err := url.JoinPath(base, pvereq.Path)
 	if err != nil {
 		return errors.NewInternalServerError(
@@ -153,10 +155,19 @@ func (c API) SendPVERequest(pvereq PVERequest) error {
 	}
 
 	// Add the custom headers to the request
-	for k, v := range c.CustomHeaders {
+	for k, v := range c.cfg.CustomHeaders {
 		req.Header[k] = v
 	}
 
+	auth, err := c.cfg.Credentials.getAuthorization()
+	if err != nil {
+		return errors.NewInternalServerError(
+			"failed to get authorization header",
+			err,
+		)
+	}
+	req.Header.Set("Authorization", auth)
+
 	// If the request has additional payload,
 	// a clone of the request is created in
 	// order to parse the form data and populate
diff --git a/pkg/api/api_credentials.go b/pkg/api/api_credentials.go
new file mode 100644
index 0000000..10675d3
--- /dev/null
+++ b/pkg/api/api_credentials.go
@@ -0,0 +1,92 @@
+package api
+
+import (
+	"errors"
+	"fmt"
+	"os"
+)
+
+// Proxmox api client available credential types
+type CredentialType int
+
+// TODO: Add CREDENTIALS_PASSWORD support
+const (
+	CREDENTIALS_TOKEN CredentialType = iota
+	CREDENTIALS_PASSWORD
+)
+
+// Credentials error messages.
+const (
+	CREDENTIALS_NOT_DETECTED_ERROR    = "credentials could not be detected from env"
+	CREDENTIALS_NOT_SUPPORTED_ERROR   = "credentials type not supported yet"
+	CREDENTIALS_MISSING_REQUEST_ERROR = "*http.Request parameter is nil"
+)
+
+// Credentials store proxmox api credentials.
+type Credentials struct {
+	credType  CredentialType
+	username  string
+	tokenName string
+	token     string
+}
+
+// getAuthorization builds the authorization header based on the
+// credentials type.
+//
+// It returns an error if the credentials type is not supported.
+func (c Credentials) getAuthorization() (string, error) {
+	switch c.credType {
+	case CREDENTIALS_TOKEN:
+		auth := fmt.Sprintf("PVEAPIToken=%s!%s=%s",
+			c.username,
+			c.tokenName,
+			c.token,
+		)
+		return auth, nil
+	default:
+		return "", errors.New(CREDENTIALS_NOT_SUPPORTED_ERROR)
+	}
+}
+
+// NewTokenCreds returns a struct containing proxmox token
+// credentials that can be passed to the [New] function.
+//
+// To create a pve token, read the [docs].
+//
+// [docs]: https://pve.proxmox.com/wiki/Proxmox_VE_API#API_Tokens
+func NewTokenCreds(user, tokenName, token string) *Credentials {
+	return &Credentials{
+		credType:  CREDENTIALS_TOKEN,
+		username:  user,
+		tokenName: tokenName,
+		token:     token,
+	}
+}
+
+// NewEnvCreds get [environment variables] values and detects
+// the type of credentials based on which envs are configured.
+//
+// It returns an error when a credential type is not detected.
+//
+// [environment variables]: https://go-proxmox.iolave.com/getting-started/#enviroment-variables
+func NewEnvCreds() (*Credentials, error) {
+	username := os.Getenv("PROXMOX_USERNAME")
+	password := os.Getenv("PROXMOX_PASSWORD")
+	tokenName := os.Getenv("PROXMOX_TOKEN_NAME")
+	token := os.Getenv("PROXMOX_TOKEN")
+
+	// If no username is found
+	if username == "" {
+		return nil, errors.New(CREDENTIALS_NOT_DETECTED_ERROR)
+	}
+
+	if tokenName != "" && token != "" {
+		return NewTokenCreds(username, tokenName, token), nil
+	}
+
+	if password != "" {
+		return nil, errors.New(CREDENTIALS_NOT_SUPPORTED_ERROR)
+	}
+
+	return nil, errors.New(CREDENTIALS_NOT_DETECTED_ERROR)
+}