From 5decf9bbd747d66c597073992130b78e9d6b2a5c Mon Sep 17 00:00:00 2001
From: CodeMaster4711 <cedi27@t-online.de>
Date: Thu, 25 Jun 2026 20:43:17 +0200
Subject: [PATCH 1/5] fix: for local dev env

---
 Cargo.toml                | 2 +-
 app/src/lib/api/nodes.ts  | 2 +-
 app/src/lib/api/system.ts | 2 +-
 app/src/lib/auth/api.ts   | 2 +-
 docker-compose.yml        | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index b3f8233a..2fdf864c 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -48,7 +48,7 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "registry"] }
 
 # Security
-jsonwebtoken = "10.0.0"
+jsonwebtoken = { version = "10.0.0", features = ["rust_crypto"] }
 bcrypt = "0.19"
 rsa = { version = "0.9", features = ["sha2"] }
 totp-rs = { version = "5.6", features = ["qr", "otpauth"] }
diff --git a/app/src/lib/api/nodes.ts b/app/src/lib/api/nodes.ts
index f48afaaa..d8073408 100644
--- a/app/src/lib/api/nodes.ts
+++ b/app/src/lib/api/nodes.ts
@@ -1,4 +1,4 @@
-const API_BASE = (import.meta.env.VITE_API_URL || '') + '/api';
+const API_BASE = '/api';
 
 export interface Node {
     id: string;
diff --git a/app/src/lib/api/system.ts b/app/src/lib/api/system.ts
index ddc2818a..216676cd 100644
--- a/app/src/lib/api/system.ts
+++ b/app/src/lib/api/system.ts
@@ -1,4 +1,4 @@
-const API_BASE = (import.meta.env.VITE_API_URL || '') + '/api';
+const API_BASE = '/api';
 
 export interface UpdateStatus {
     current_version: string;
diff --git a/app/src/lib/auth/api.ts b/app/src/lib/auth/api.ts
index 36bdff22..6554eb23 100644
--- a/app/src/lib/auth/api.ts
+++ b/app/src/lib/auth/api.ts
@@ -1,4 +1,4 @@
-const API_BASE = (import.meta.env.VITE_API_URL || '') + '/api';
+const API_BASE = '/api';
 
 export interface AuthResponse {
     token: string;
diff --git a/docker-compose.yml b/docker-compose.yml
index da71700e..d3707687 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -293,7 +293,7 @@ services:
       dockerfile: Dockerfile
     container_name: csfx-app-dev
     environment:
-      VITE_API_URL: https://api-gateway:8000
+      VITE_API_URL: http://api-gateway:8000
     ports:
       - "5173:5173"
     volumes:

From e818f2f9f29fe2b58b2561c7855e8e046668a721 Mon Sep 17 00:00:00 2001
From: CodeMaster4711 <cedi27@t-online.de>
Date: Thu, 25 Jun 2026 21:26:13 +0200
Subject: [PATCH 2/5] feat: added ressource groups

---
 Cargo.lock                                    | 196 ++++++++++
 control-plane/api-gateway/src/auth/rbac.rs    |  18 +-
 control-plane/api-gateway/src/init.rs         |  19 +-
 control-plane/api-gateway/src/main.rs         |  13 +-
 control-plane/api-gateway/src/routes/mod.rs   |   2 +
 .../api-gateway/src/routes/resource_groups.rs | 357 ++++++++++++++++++
 control-plane/scheduler/src/db/workloads.rs   |   2 +
 .../scheduler/src/models/workload.rs          |   2 +
 .../sdn-controller/src/db/networks.rs         |   1 +
 control-plane/sdn-controller/src/models.rs    |   1 +
 .../shared/entity/src/entities/mod.rs         |   2 +
 .../shared/entity/src/entities/networks.rs    |  15 +
 .../entity/src/entities/resource_groups.rs    |  59 +++
 .../shared/entity/src/entities/volumes.rs     |  15 +
 .../shared/entity/src/entities/workloads.rs   |  15 +
 control-plane/shared/migration/src/lib.rs     |   2 +
 .../m20260625_000000_add_resource_groups.rs   | 190 ++++++++++
 .../volume-manager/src/db/volumes.rs          |   2 +
 .../volume-manager/src/models/volume.rs       |   2 +
 19 files changed, 898 insertions(+), 15 deletions(-)
 create mode 100644 control-plane/api-gateway/src/routes/resource_groups.rs
 create mode 100644 control-plane/shared/entity/src/entities/resource_groups.rs
 create mode 100644 control-plane/shared/migration/src/m20260625_000000_add_resource_groups.rs

diff --git a/Cargo.lock b/Cargo.lock
index f5019f8b..3677127e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -603,6 +603,12 @@ dependencies = [
  "tower-service",
 ]
 
+[[package]]
+name = "base16ct"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+
 [[package]]
 name = "base32"
 version = "0.5.1"
@@ -1132,6 +1138,18 @@ version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
 
+[[package]]
+name = "crypto-bigint"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
+dependencies = [
+ "generic-array",
+ "rand_core 0.6.4",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "crypto-common"
 version = "0.1.7"
@@ -1212,6 +1230,33 @@ dependencies = [
  "cipher 0.4.4",
 ]
 
+[[package]]
+name = "curve25519-dalek"
+version = "4.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.2.17",
+ "curve25519-dalek-derive",
+ "digest 0.10.7",
+ "fiat-crypto",
+ "rustc_version",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "curve25519-dalek-derive"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.118",
+]
+
 [[package]]
 name = "darling"
 version = "0.20.11"
@@ -1373,6 +1418,44 @@ version = "0.15.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b"
 
+[[package]]
+name = "ecdsa"
+version = "0.16.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
+dependencies = [
+ "der",
+ "digest 0.10.7",
+ "elliptic-curve",
+ "rfc6979",
+ "signature",
+ "spki",
+]
+
+[[package]]
+name = "ed25519"
+version = "2.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
+dependencies = [
+ "pkcs8",
+ "signature",
+]
+
+[[package]]
+name = "ed25519-dalek"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
+dependencies = [
+ "curve25519-dalek",
+ "ed25519",
+ "serde",
+ "sha2 0.10.9",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "either"
 version = "1.16.0"
@@ -1382,6 +1465,27 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "elliptic-curve"
+version = "0.13.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
+dependencies = [
+ "base16ct",
+ "crypto-bigint",
+ "digest 0.10.7",
+ "ff",
+ "generic-array",
+ "group",
+ "hkdf",
+ "pem-rfc7468",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "sec1",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "entity"
 version = "0.2.2"
@@ -1551,6 +1655,22 @@ dependencies = [
  "simd-adler32",
 ]
 
+[[package]]
+name = "ff"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
+dependencies = [
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "fiat-crypto"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+
 [[package]]
 name = "find-msvc-tools"
 version = "0.1.9"
@@ -1762,6 +1882,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
  "typenum",
  "version_check",
+ "zeroize",
 ]
 
 [[package]]
@@ -1862,6 +1983,17 @@ dependencies = [
  "web-time",
 ]
 
+[[package]]
+name = "group"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+dependencies = [
+ "ff",
+ "rand_core 0.6.4",
+ "subtle",
+]
+
 [[package]]
 name = "h2"
 version = "0.4.15"
@@ -2482,11 +2614,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eba32bfb4ffdeaca3e34431072faf01745c9b26d25504aa7a6cf5684334fc4fc"
 dependencies = [
  "base64",
+ "ed25519-dalek",
  "getrandom 0.2.17",
+ "hmac",
  "js-sys",
+ "p256",
+ "p384",
  "pem",
+ "rand 0.8.6",
+ "rsa",
  "serde",
  "serde_json",
+ "sha2 0.10.9",
  "signature",
  "simple_asn1",
  "zeroize",
@@ -3034,6 +3173,30 @@ dependencies = [
  "syn 2.0.118",
 ]
 
+[[package]]
+name = "p256"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2 0.10.9",
+]
+
+[[package]]
+name = "p384"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6"
+dependencies = [
+ "ecdsa",
+ "elliptic-curve",
+ "primeorder",
+ "sha2 0.10.9",
+]
+
 [[package]]
 name = "parking"
 version = "2.2.1"
@@ -3275,6 +3438,15 @@ dependencies = [
  "syn 2.0.118",
 ]
 
+[[package]]
+name = "primeorder"
+version = "0.13.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
+dependencies = [
+ "elliptic-curve",
+]
+
 [[package]]
 name = "proc-macro-crate"
 version = "3.5.0"
@@ -3883,6 +4055,16 @@ dependencies = [
  "webpki-roots 1.0.8",
 ]
 
+[[package]]
+name = "rfc6979"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+dependencies = [
+ "hmac",
+ "subtle",
+]
+
 [[package]]
 name = "rgb"
 version = "0.8.53"
@@ -4393,6 +4575,20 @@ version = "4.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b"
 
+[[package]]
+name = "sec1"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "security-framework"
 version = "3.7.0"
diff --git a/control-plane/api-gateway/src/auth/rbac.rs b/control-plane/api-gateway/src/auth/rbac.rs
index 69e42bbc..9aa5acdf 100644
--- a/control-plane/api-gateway/src/auth/rbac.rs
+++ b/control-plane/api-gateway/src/auth/rbac.rs
@@ -8,7 +8,7 @@ use axum::{
     http::{request::Parts, StatusCode},
 };
 use chrono::Utc;
-use entity::{organization, InvalidJwt, Organization};
+use entity::{InvalidJwt};
 use sea_orm::{ColumnTrait, EntityTrait, QueryFilter};
 use uuid::Uuid;
 
@@ -26,6 +26,8 @@ pub struct CanManageVolumes(pub Claims);
 pub struct CanViewNetworks(pub Claims);
 pub struct CanManageNetworks(pub Claims);
 pub struct CanManageSystem(pub Claims);
+pub struct CanViewResourceGroups(pub Claims);
+pub struct CanManageResourceGroups(pub Claims);
 
 async fn extract_claims(parts: &mut Parts, state: &AppState) -> Result<Claims, StatusCode> {
     let token = parts
@@ -70,13 +72,9 @@ async fn extract_claims(parts: &mut Parts, state: &AppState) -> Result<Claims, S
     Ok(token_data.claims)
 }
 
-async fn get_default_org(state: &AppState) -> Result<Uuid, StatusCode> {
-    Organization::find()
-        .filter(organization::Column::Name.eq("Default Organization"))
-        .one(&state.db_conn)
-        .await
-        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
-        .map(|o| o.id)
+fn get_default_org(state: &AppState) -> Result<Uuid, StatusCode> {
+    state
+        .default_org_id
         .ok_or(StatusCode::INTERNAL_SERVER_ERROR)
 }
 
@@ -87,7 +85,7 @@ async fn check(
     action: &str,
 ) -> Result<Claims, StatusCode> {
     let claims = extract_claims(parts, state).await?;
-    let org_id = get_default_org(state).await?;
+    let org_id = get_default_org(state)?;
     let rbac = RbacService::new(state.db_conn.clone());
     let allowed = rbac
         .has_permission(claims.user_id, org_id, resource, action)
@@ -124,3 +122,5 @@ impl_extractor!(CanManageVolumes, "volumes", "manage");
 impl_extractor!(CanViewNetworks, "networks", "view");
 impl_extractor!(CanManageNetworks, "networks", "manage");
 impl_extractor!(CanManageSystem, "system", "manage");
+impl_extractor!(CanViewResourceGroups, "resource_groups", "view");
+impl_extractor!(CanManageResourceGroups, "resource_groups", "manage");
diff --git a/control-plane/api-gateway/src/init.rs b/control-plane/api-gateway/src/init.rs
index 9d3e785e..5f851917 100644
--- a/control-plane/api-gateway/src/init.rs
+++ b/control-plane/api-gateway/src/init.rs
@@ -9,7 +9,7 @@ use crate::auth::crypto::{generate_salt, hash_password, RsaKeyPair};
 
 pub async fn initialize_database(
     db: &DatabaseConnection,
-) -> Result<(), Box<dyn std::error::Error>> {
+) -> Result<uuid::Uuid, Box<dyn std::error::Error>> {
     tracing::info!("Initializing database with default data...");
 
     // 1. Create RSA key pair if not exists
@@ -148,6 +148,18 @@ pub async fn initialize_database(
             "manage",
             "Trigger control plane updates",
         ),
+        (
+            "resource_groups.view",
+            "resource_groups",
+            "view",
+            "View resource groups and their resources",
+        ),
+        (
+            "resource_groups.manage",
+            "resource_groups",
+            "manage",
+            "Create, update, and delete resource groups",
+        ),
     ];
 
     let mut permission_map = std::collections::HashMap::new();
@@ -248,6 +260,8 @@ pub async fn initialize_database(
             "networks.view",
             "networks.manage",
             "members.view",
+            "resource_groups.view",
+            "resource_groups.manage",
         ];
         for perm_name in operator_perms {
             if let Some(perm_id) = permission_map.get(perm_name) {
@@ -291,6 +305,7 @@ pub async fn initialize_database(
             "networks.view",
             "organization.view",
             "members.view",
+            "resource_groups.view",
         ];
         for perm_name in viewer_perms {
             if let Some(perm_id) = permission_map.get(perm_name) {
@@ -360,5 +375,5 @@ pub async fn initialize_database(
     }
 
     tracing::info!("Database initialization completed");
-    Ok(())
+    Ok(default_org_id)
 }
diff --git a/control-plane/api-gateway/src/main.rs b/control-plane/api-gateway/src/main.rs
index 585ecd72..64a169bb 100644
--- a/control-plane/api-gateway/src/main.rs
+++ b/control-plane/api-gateway/src/main.rs
@@ -125,6 +125,7 @@ impl utoipa::Modify for SecurityAddon {
 pub struct AppState {
     pub db_conn: DbConn,
     pub service_client: service_client::ServiceClient,
+    pub default_org_id: Option<uuid::Uuid>,
 }
 
 #[tokio::main]
@@ -149,14 +150,18 @@ async fn main() {
         }
     };
 
-    if let Err(e) = init::initialize_database(&db_conn).await {
-        tracing::error!(error = %e, "failed to initialize database");
-        std::process::exit(1);
-    }
+    let default_org_id = match init::initialize_database(&db_conn).await {
+        Ok(id) => id,
+        Err(e) => {
+            tracing::error!(error = %e, "failed to initialize database");
+            std::process::exit(1);
+        }
+    };
 
     let state = AppState {
         db_conn: db_conn.clone(),
         service_client: service_client::ServiceClient::new(),
+        default_org_id: Some(default_org_id),
     };
 
     tracing::info!("starting self-monitoring service");
diff --git a/control-plane/api-gateway/src/routes/mod.rs b/control-plane/api-gateway/src/routes/mod.rs
index fe2338a9..9e7ab1a1 100644
--- a/control-plane/api-gateway/src/routes/mod.rs
+++ b/control-plane/api-gateway/src/routes/mod.rs
@@ -20,6 +20,7 @@ pub mod networks;
 pub mod organizations;
 pub mod registry;
 pub mod releases;
+pub mod resource_groups;
 pub mod ssh_keys;
 pub mod system;
 pub mod update;
@@ -93,6 +94,7 @@ pub fn create_router() -> Router<AppState> {
         .merge(volumes::volumes_routes())
         .merge(workloads::workloads_routes())
         .merge(events::events_routes())
+        .merge(resource_groups::resource_groups_routes())
         .layer(GovernorLayer::new(governor_config));
 
     let api_router = Router::new()
diff --git a/control-plane/api-gateway/src/routes/resource_groups.rs b/control-plane/api-gateway/src/routes/resource_groups.rs
new file mode 100644
index 00000000..ac93567d
--- /dev/null
+++ b/control-plane/api-gateway/src/routes/resource_groups.rs
@@ -0,0 +1,357 @@
+use axum::{
+    extract::{Path, State},
+    http::StatusCode,
+    response::{IntoResponse, Json},
+    routing::get,
+    Router,
+};
+use chrono::Utc;
+use entity::{
+    entities::{networks, resource_groups, volumes, workloads},
+    Networks, ResourceGroups, Volumes, Workloads,
+};
+use sea_orm::{
+    ActiveModelTrait, ActiveValue::Set, ColumnTrait, EntityTrait, PaginatorTrait, QueryFilter,
+};
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use uuid::Uuid;
+
+use crate::{
+    auth::rbac::{CanManageResourceGroups, CanViewResourceGroups},
+    AppState,
+};
+
+#[derive(Debug, Deserialize)]
+pub struct CreateResourceGroupRequest {
+    pub name: String,
+    pub description: Option<String>,
+    pub internal_cidr: String,
+}
+
+#[derive(Debug, Serialize)]
+pub struct ResourceGroupResponse {
+    pub id: Uuid,
+    pub organization_id: Uuid,
+    pub name: String,
+    pub description: Option<String>,
+    pub internal_cidr: String,
+    pub status: String,
+    pub created_at: chrono::NaiveDateTime,
+    pub updated_at: Option<chrono::NaiveDateTime>,
+}
+
+impl From<resource_groups::Model> for ResourceGroupResponse {
+    fn from(m: resource_groups::Model) -> Self {
+        Self {
+            id: m.id,
+            organization_id: m.organization_id,
+            name: m.name,
+            description: m.description,
+            internal_cidr: m.internal_cidr,
+            status: m.status,
+            created_at: m.created_at,
+            updated_at: m.updated_at,
+        }
+    }
+}
+
+fn get_org_id(state: &AppState) -> Uuid {
+    state
+        .default_org_id
+        .expect("default organization not initialized")
+}
+
+pub async fn list_resource_groups(
+    CanViewResourceGroups(_claims): CanViewResourceGroups,
+    State(state): State<AppState>,
+) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
+    let org_id = get_org_id(&state);
+
+    let groups = ResourceGroups::find()
+        .filter(resource_groups::Column::OrganizationId.eq(org_id))
+        .all(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to list resource groups");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?;
+
+    let resp: Vec<ResourceGroupResponse> = groups.into_iter().map(Into::into).collect();
+    Ok((StatusCode::OK, Json(json!(resp))))
+}
+
+pub async fn create_resource_group(
+    CanManageResourceGroups(_claims): CanManageResourceGroups,
+    State(state): State<AppState>,
+    Json(req): Json<CreateResourceGroupRequest>,
+) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
+    let org_id = get_org_id(&state);
+    let now = Utc::now().naive_utc();
+
+    let model = resource_groups::ActiveModel {
+        id: Set(Uuid::new_v4()),
+        organization_id: Set(org_id),
+        name: Set(req.name),
+        description: Set(req.description),
+        internal_cidr: Set(req.internal_cidr),
+        status: Set("active".to_string()),
+        created_at: Set(now),
+        updated_at: Set(None),
+    };
+
+    let inserted = model.insert(&state.db_conn).await.map_err(|e| {
+        tracing::error!(error = %e, "failed to create resource group");
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(json!({ "error": "database error" })),
+        )
+    })?;
+
+    Ok((StatusCode::CREATED, Json(json!(ResourceGroupResponse::from(inserted)))))
+}
+
+pub async fn get_resource_group(
+    CanViewResourceGroups(_claims): CanViewResourceGroups,
+    State(state): State<AppState>,
+    Path(id): Path<Uuid>,
+) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
+    let org_id = get_org_id(&state);
+
+    let group = ResourceGroups::find_by_id(id)
+        .filter(resource_groups::Column::OrganizationId.eq(org_id))
+        .one(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to get resource group");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?
+        .ok_or_else(|| {
+            (
+                StatusCode::NOT_FOUND,
+                Json(json!({ "error": "resource group not found" })),
+            )
+        })?;
+
+    Ok((StatusCode::OK, Json(json!(ResourceGroupResponse::from(group)))))
+}
+
+pub async fn delete_resource_group(
+    CanManageResourceGroups(_claims): CanManageResourceGroups,
+    State(state): State<AppState>,
+    Path(id): Path<Uuid>,
+) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
+    let org_id = get_org_id(&state);
+
+    let group = ResourceGroups::find_by_id(id)
+        .filter(resource_groups::Column::OrganizationId.eq(org_id))
+        .one(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to find resource group");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?
+        .ok_or_else(|| {
+            (
+                StatusCode::NOT_FOUND,
+                Json(json!({ "error": "resource group not found" })),
+            )
+        })?;
+
+    let active_workloads = Workloads::find()
+        .filter(workloads::Column::ResourceGroupId.eq(id))
+        .filter(workloads::Column::Status.is_in(["pending", "scheduled", "running"]))
+        .count(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to count workloads");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?;
+
+    if active_workloads > 0 {
+        return Err((
+            StatusCode::CONFLICT,
+            Json(json!({ "error": "resource group has active workloads" })),
+        ));
+    }
+
+    let mut active: resource_groups::ActiveModel = group.into();
+    active.status = Set("deleting".to_string());
+    active.updated_at = Set(Some(Utc::now().naive_utc()));
+    active.update(&state.db_conn).await.map_err(|e| {
+        tracing::error!(error = %e, "failed to update resource group status");
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(json!({ "error": "database error" })),
+        )
+    })?;
+
+    ResourceGroups::delete_by_id(id)
+        .exec(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to delete resource group");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?;
+
+    Ok(StatusCode::NO_CONTENT.into_response())
+}
+
+pub async fn list_resource_group_workloads(
+    CanViewResourceGroups(_claims): CanViewResourceGroups,
+    State(state): State<AppState>,
+    Path(id): Path<Uuid>,
+) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
+    let org_id = get_org_id(&state);
+
+    ResourceGroups::find_by_id(id)
+        .filter(resource_groups::Column::OrganizationId.eq(org_id))
+        .one(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to find resource group");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?
+        .ok_or_else(|| {
+            (
+                StatusCode::NOT_FOUND,
+                Json(json!({ "error": "resource group not found" })),
+            )
+        })?;
+
+    let workloads = Workloads::find()
+        .filter(workloads::Column::ResourceGroupId.eq(id))
+        .all(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to list workloads");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?;
+
+    Ok((StatusCode::OK, Json(json!(workloads))))
+}
+
+pub async fn list_resource_group_volumes(
+    CanViewResourceGroups(_claims): CanViewResourceGroups,
+    State(state): State<AppState>,
+    Path(id): Path<Uuid>,
+) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
+    let org_id = get_org_id(&state);
+
+    ResourceGroups::find_by_id(id)
+        .filter(resource_groups::Column::OrganizationId.eq(org_id))
+        .one(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to find resource group");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?
+        .ok_or_else(|| {
+            (
+                StatusCode::NOT_FOUND,
+                Json(json!({ "error": "resource group not found" })),
+            )
+        })?;
+
+    let vols = Volumes::find()
+        .filter(volumes::Column::ResourceGroupId.eq(id))
+        .all(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to list volumes");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?;
+
+    Ok((StatusCode::OK, Json(json!(vols))))
+}
+
+pub async fn list_resource_group_networks(
+    CanViewResourceGroups(_claims): CanViewResourceGroups,
+    State(state): State<AppState>,
+    Path(id): Path<Uuid>,
+) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
+    let org_id = get_org_id(&state);
+
+    ResourceGroups::find_by_id(id)
+        .filter(resource_groups::Column::OrganizationId.eq(org_id))
+        .one(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to find resource group");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?
+        .ok_or_else(|| {
+            (
+                StatusCode::NOT_FOUND,
+                Json(json!({ "error": "resource group not found" })),
+            )
+        })?;
+
+    let nets = Networks::find()
+        .filter(networks::Column::ResourceGroupId.eq(id))
+        .all(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to list networks");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?;
+
+    Ok((StatusCode::OK, Json(json!(nets))))
+}
+
+pub fn resource_groups_routes() -> Router<AppState> {
+    Router::new()
+        .route(
+            "/resource-groups",
+            get(list_resource_groups).post(create_resource_group),
+        )
+        .route(
+            "/resource-groups/{id}",
+            get(get_resource_group).delete(delete_resource_group),
+        )
+        .route(
+            "/resource-groups/{id}/workloads",
+            get(list_resource_group_workloads),
+        )
+        .route(
+            "/resource-groups/{id}/volumes",
+            get(list_resource_group_volumes),
+        )
+        .route(
+            "/resource-groups/{id}/networks",
+            get(list_resource_group_networks),
+        )
+}
diff --git a/control-plane/scheduler/src/db/workloads.rs b/control-plane/scheduler/src/db/workloads.rs
index 9b8c6218..ff497e05 100644
--- a/control-plane/scheduler/src/db/workloads.rs
+++ b/control-plane/scheduler/src/db/workloads.rs
@@ -32,6 +32,7 @@ pub async fn create(
         container_id: Set(None),
         created_by: Set(None),
         organization_id: Set(None),
+        resource_group_id: Set(req.resource_group_id),
         created_at: Set(Utc::now().naive_utc()),
         updated_at: Set(None),
     };
@@ -103,6 +104,7 @@ fn into_response(m: workloads::Model) -> WorkloadResponse {
         status: WorkloadStatus::from_str(&m.status),
         assigned_agent_id: m.assigned_agent_id,
         container_id: m.container_id,
+        resource_group_id: m.resource_group_id,
         created_at: m.created_at.and_utc(),
         updated_at: m.updated_at.map(|dt| dt.and_utc()),
     }
diff --git a/control-plane/scheduler/src/models/workload.rs b/control-plane/scheduler/src/models/workload.rs
index 6ab22942..47ecf109 100644
--- a/control-plane/scheduler/src/models/workload.rs
+++ b/control-plane/scheduler/src/models/workload.rs
@@ -44,6 +44,7 @@ pub struct CreateWorkloadRequest {
     pub disk_bytes: i64,
     pub env_vars: Option<HashMap<String, String>>,
     pub ports: Option<Vec<PortMapping>>,
+    pub resource_group_id: Option<Uuid>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -72,6 +73,7 @@ pub struct WorkloadResponse {
     pub status: WorkloadStatus,
     pub assigned_agent_id: Option<Uuid>,
     pub container_id: Option<String>,
+    pub resource_group_id: Option<Uuid>,
     pub created_at: DateTime<Utc>,
     pub updated_at: Option<DateTime<Utc>>,
 }
diff --git a/control-plane/sdn-controller/src/db/networks.rs b/control-plane/sdn-controller/src/db/networks.rs
index 78cee66e..55ab1a88 100644
--- a/control-plane/sdn-controller/src/db/networks.rs
+++ b/control-plane/sdn-controller/src/db/networks.rs
@@ -19,6 +19,7 @@ pub async fn create_network(
         overlay_type: Set(req.overlay_type),
         status: Set("active".to_string()),
         organization_id: Set(None),
+        resource_group_id: Set(req.resource_group_id),
         created_at: Set(Utc::now().naive_utc()),
         updated_at: Set(None),
     };
diff --git a/control-plane/sdn-controller/src/models.rs b/control-plane/sdn-controller/src/models.rs
index 2526c0fe..22b1f231 100644
--- a/control-plane/sdn-controller/src/models.rs
+++ b/control-plane/sdn-controller/src/models.rs
@@ -5,6 +5,7 @@ pub struct CreateNetworkRequest {
     pub name: String,
     pub cidr: String,
     pub overlay_type: String,
+    pub resource_group_id: Option<uuid::Uuid>,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
diff --git a/control-plane/shared/entity/src/entities/mod.rs b/control-plane/shared/entity/src/entities/mod.rs
index d3ea77fd..6c54b09a 100644
--- a/control-plane/shared/entity/src/entities/mod.rs
+++ b/control-plane/shared/entity/src/entities/mod.rs
@@ -14,6 +14,7 @@ pub mod networks;
 pub mod organization;
 pub mod permission;
 pub mod registry_tokens;
+pub mod resource_groups;
 pub mod role;
 pub mod role_permission;
 pub mod user;
@@ -39,6 +40,7 @@ pub use networks::Entity as Networks;
 pub use organization::Entity as Organization;
 pub use permission::Entity as Permission;
 pub use registry_tokens::Entity as RegistryTokens;
+pub use resource_groups::Entity as ResourceGroups;
 pub use role::Entity as Role;
 pub use role_permission::Entity as RolePermission;
 pub use user::Entity as User;
diff --git a/control-plane/shared/entity/src/entities/networks.rs b/control-plane/shared/entity/src/entities/networks.rs
index 32c38c7d..afd6e57d 100644
--- a/control-plane/shared/entity/src/entities/networks.rs
+++ b/control-plane/shared/entity/src/entities/networks.rs
@@ -11,6 +11,7 @@ pub struct Model {
     pub overlay_type: String,
     pub status: String,
     pub organization_id: Option<Uuid>,
+    pub resource_group_id: Option<Uuid>,
     pub created_at: chrono::NaiveDateTime,
     pub updated_at: Option<chrono::NaiveDateTime>,
 }
@@ -21,6 +22,14 @@ pub enum Relation {
     Policies,
     #[sea_orm(has_many = "super::network_members::Entity")]
     Members,
+    #[sea_orm(
+        belongs_to = "super::resource_groups::Entity",
+        from = "Column::ResourceGroupId",
+        to = "super::resource_groups::Column::Id",
+        on_update = "NoAction",
+        on_delete = "SetNull"
+    )]
+    ResourceGroup,
 }
 
 impl Related<super::network_policies::Entity> for Entity {
@@ -35,4 +44,10 @@ impl Related<super::network_members::Entity> for Entity {
     }
 }
 
+impl Related<super::resource_groups::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::ResourceGroup.def()
+    }
+}
+
 impl ActiveModelBehavior for ActiveModel {}
diff --git a/control-plane/shared/entity/src/entities/resource_groups.rs b/control-plane/shared/entity/src/entities/resource_groups.rs
new file mode 100644
index 00000000..cc63a440
--- /dev/null
+++ b/control-plane/shared/entity/src/entities/resource_groups.rs
@@ -0,0 +1,59 @@
+use sea_orm::entity::prelude::*;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Serialize, Deserialize)]
+#[sea_orm(table_name = "resource_groups")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: Uuid,
+    pub organization_id: Uuid,
+    pub name: String,
+    pub description: Option<String>,
+    pub internal_cidr: String,
+    pub status: String,
+    pub created_at: chrono::NaiveDateTime,
+    pub updated_at: Option<chrono::NaiveDateTime>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::organization::Entity",
+        from = "Column::OrganizationId",
+        to = "super::organization::Column::Id",
+        on_delete = "Cascade"
+    )]
+    Organization,
+    #[sea_orm(has_many = "super::workloads::Entity")]
+    Workloads,
+    #[sea_orm(has_many = "super::volumes::Entity")]
+    Volumes,
+    #[sea_orm(has_many = "super::networks::Entity")]
+    Networks,
+}
+
+impl Related<super::organization::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Organization.def()
+    }
+}
+
+impl Related<super::workloads::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Workloads.def()
+    }
+}
+
+impl Related<super::volumes::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Volumes.def()
+    }
+}
+
+impl Related<super::networks::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Networks.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}
diff --git a/control-plane/shared/entity/src/entities/volumes.rs b/control-plane/shared/entity/src/entities/volumes.rs
index c29f7498..2eb6a6d6 100644
--- a/control-plane/shared/entity/src/entities/volumes.rs
+++ b/control-plane/shared/entity/src/entities/volumes.rs
@@ -15,6 +15,7 @@ pub struct Model {
     pub attached_to_workload: Option<Uuid>,
     pub mapped_device: Option<String>,
     pub organization_id: Option<Uuid>,
+    pub resource_group_id: Option<Uuid>,
     pub created_at: chrono::NaiveDateTime,
     pub updated_at: Option<chrono::NaiveDateTime>,
 }
@@ -29,6 +30,14 @@ pub enum Relation {
     Agent,
     #[sea_orm(has_many = "super::volume_snapshots::Entity")]
     Snapshots,
+    #[sea_orm(
+        belongs_to = "super::resource_groups::Entity",
+        from = "Column::ResourceGroupId",
+        to = "super::resource_groups::Column::Id",
+        on_update = "NoAction",
+        on_delete = "SetNull"
+    )]
+    ResourceGroup,
 }
 
 impl Related<super::agents::Entity> for Entity {
@@ -43,4 +52,10 @@ impl Related<super::volume_snapshots::Entity> for Entity {
     }
 }
 
+impl Related<super::resource_groups::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::ResourceGroup.def()
+    }
+}
+
 impl ActiveModelBehavior for ActiveModel {}
diff --git a/control-plane/shared/entity/src/entities/workloads.rs b/control-plane/shared/entity/src/entities/workloads.rs
index d86d7d34..27c97d5c 100644
--- a/control-plane/shared/entity/src/entities/workloads.rs
+++ b/control-plane/shared/entity/src/entities/workloads.rs
@@ -18,6 +18,7 @@ pub struct Model {
     pub container_id: Option<String>,
     pub created_by: Option<Uuid>,
     pub organization_id: Option<Uuid>,
+    pub resource_group_id: Option<Uuid>,
     pub created_at: DateTime,
     pub updated_at: Option<DateTime>,
 }
@@ -32,6 +33,14 @@ pub enum Relation {
         on_delete = "SetNull"
     )]
     Agent,
+    #[sea_orm(
+        belongs_to = "super::resource_groups::Entity",
+        from = "Column::ResourceGroupId",
+        to = "super::resource_groups::Column::Id",
+        on_update = "NoAction",
+        on_delete = "SetNull"
+    )]
+    ResourceGroup,
 }
 
 impl Related<super::agents::Entity> for Entity {
@@ -40,4 +49,10 @@ impl Related<super::agents::Entity> for Entity {
     }
 }
 
+impl Related<super::resource_groups::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::ResourceGroup.def()
+    }
+}
+
 impl ActiveModelBehavior for ActiveModel {}
diff --git a/control-plane/shared/migration/src/lib.rs b/control-plane/shared/migration/src/lib.rs
index 5bf75d02..7764dad3 100644
--- a/control-plane/shared/migration/src/lib.rs
+++ b/control-plane/shared/migration/src/lib.rs
@@ -18,6 +18,7 @@ mod m20260307_000000_add_networks;
 mod m20260308_000000_add_org_scoping;
 mod m20260309_000000_add_bootstrap_tokens;
 mod m20260523_000000_add_ssh_keys;
+mod m20260625_000000_add_resource_groups;
 
 pub struct Migrator;
 
@@ -43,6 +44,7 @@ impl MigratorTrait for Migrator {
             Box::new(m20260308_000000_add_org_scoping::Migration),
             Box::new(m20260309_000000_add_bootstrap_tokens::Migration),
             Box::new(m20260523_000000_add_ssh_keys::Migration),
+            Box::new(m20260625_000000_add_resource_groups::Migration),
         ]
     }
 }
diff --git a/control-plane/shared/migration/src/m20260625_000000_add_resource_groups.rs b/control-plane/shared/migration/src/m20260625_000000_add_resource_groups.rs
new file mode 100644
index 00000000..a862ff88
--- /dev/null
+++ b/control-plane/shared/migration/src/m20260625_000000_add_resource_groups.rs
@@ -0,0 +1,190 @@
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(ResourceGroups::Table)
+                    .if_not_exists()
+                    .col(ColumnDef::new(ResourceGroups::Id).uuid().not_null().primary_key())
+                    .col(ColumnDef::new(ResourceGroups::OrganizationId).uuid().not_null())
+                    .col(ColumnDef::new(ResourceGroups::Name).string().not_null())
+                    .col(ColumnDef::new(ResourceGroups::Description).string().null())
+                    .col(ColumnDef::new(ResourceGroups::InternalCidr).string().not_null())
+                    .col(ColumnDef::new(ResourceGroups::Status).string().not_null().default("active"))
+                    .col(ColumnDef::new(ResourceGroups::CreatedAt).date_time().not_null())
+                    .col(ColumnDef::new(ResourceGroups::UpdatedAt).date_time().null())
+                    .foreign_key(
+                        ForeignKey::create()
+                            .from(ResourceGroups::Table, ResourceGroups::OrganizationId)
+                            .to(Organization::Table, Organization::Id)
+                            .on_delete(ForeignKeyAction::Cascade),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Workloads::Table)
+                    .add_column(ColumnDef::new(Workloads::ResourceGroupId).uuid().null())
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Volumes::Table)
+                    .add_column(ColumnDef::new(Volumes::ResourceGroupId).uuid().null())
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Networks::Table)
+                    .add_column(ColumnDef::new(Networks::ResourceGroupId).uuid().null())
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .table(ResourceGroups::Table)
+                    .col(ResourceGroups::OrganizationId)
+                    .name("idx_resource_groups_organization_id")
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .table(Workloads::Table)
+                    .col(Workloads::ResourceGroupId)
+                    .name("idx_workloads_resource_group_id")
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .table(Volumes::Table)
+                    .col(Volumes::ResourceGroupId)
+                    .name("idx_volumes_resource_group_id")
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_index(
+                Index::create()
+                    .table(Networks::Table)
+                    .col(Networks::ResourceGroupId)
+                    .name("idx_networks_resource_group_id")
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .drop_index(Index::drop().name("idx_networks_resource_group_id").to_owned())
+            .await?;
+        manager
+            .drop_index(Index::drop().name("idx_volumes_resource_group_id").to_owned())
+            .await?;
+        manager
+            .drop_index(Index::drop().name("idx_workloads_resource_group_id").to_owned())
+            .await?;
+        manager
+            .drop_index(
+                Index::drop()
+                    .name("idx_resource_groups_organization_id")
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Networks::Table)
+                    .drop_column(Networks::ResourceGroupId)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Volumes::Table)
+                    .drop_column(Volumes::ResourceGroupId)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Workloads::Table)
+                    .drop_column(Workloads::ResourceGroupId)
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .drop_table(Table::drop().table(ResourceGroups::Table).to_owned())
+            .await?;
+
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+enum ResourceGroups {
+    Table,
+    Id,
+    OrganizationId,
+    Name,
+    Description,
+    InternalCidr,
+    Status,
+    CreatedAt,
+    UpdatedAt,
+}
+
+#[derive(DeriveIden)]
+enum Organization {
+    Table,
+    Id,
+}
+
+#[derive(DeriveIden)]
+enum Workloads {
+    Table,
+    ResourceGroupId,
+}
+
+#[derive(DeriveIden)]
+enum Volumes {
+    Table,
+    ResourceGroupId,
+}
+
+#[derive(DeriveIden)]
+enum Networks {
+    Table,
+    ResourceGroupId,
+}
diff --git a/control-plane/volume-manager/src/db/volumes.rs b/control-plane/volume-manager/src/db/volumes.rs
index 7e6921a3..52733ae1 100644
--- a/control-plane/volume-manager/src/db/volumes.rs
+++ b/control-plane/volume-manager/src/db/volumes.rs
@@ -31,6 +31,7 @@ pub async fn create(
         attached_to_workload: Set(None),
         mapped_device: Set(None),
         organization_id: Set(None),
+        resource_group_id: Set(req.resource_group_id),
         created_at: Set(Utc::now().naive_utc()),
         updated_at: Set(None),
     };
@@ -140,6 +141,7 @@ pub fn into_response(m: volumes::Model) -> VolumeResponse {
         attached_to_agent: m.attached_to_agent,
         attached_to_workload: m.attached_to_workload,
         mapped_device: m.mapped_device,
+        resource_group_id: m.resource_group_id,
         created_at: m.created_at.and_utc(),
         updated_at: m.updated_at.map(|dt| dt.and_utc()),
     }
diff --git a/control-plane/volume-manager/src/models/volume.rs b/control-plane/volume-manager/src/models/volume.rs
index 9e3d8434..2192cd2b 100644
--- a/control-plane/volume-manager/src/models/volume.rs
+++ b/control-plane/volume-manager/src/models/volume.rs
@@ -62,6 +62,7 @@ pub struct CreateVolumeRequest {
     pub name: String,
     pub size_gb: i32,
     pub pool: Option<String>,
+    pub resource_group_id: Option<Uuid>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -86,6 +87,7 @@ pub struct VolumeResponse {
     pub attached_to_agent: Option<Uuid>,
     pub attached_to_workload: Option<Uuid>,
     pub mapped_device: Option<String>,
+    pub resource_group_id: Option<Uuid>,
     pub created_at: DateTime<Utc>,
     pub updated_at: Option<DateTime<Utc>>,
 }

From b1cb885b283d785190683537bc40100ade67d0b9 Mon Sep 17 00:00:00 2001
From: CodeMaster4711 <cedi27@t-online.de>
Date: Thu, 25 Jun 2026 21:35:31 +0200
Subject: [PATCH 3/5] fix: build errors and added frontend

---
 app/src/lib/api/resource-groups.ts            |  50 +++++
 .../lib/components/sidebar/app-sidebar.svelte |   2 +-
 .../routes/(app)/resource-groups/+page.svelte | 203 ++++++++++++++++++
 3 files changed, 254 insertions(+), 1 deletion(-)
 create mode 100644 app/src/lib/api/resource-groups.ts
 create mode 100644 app/src/routes/(app)/resource-groups/+page.svelte

diff --git a/app/src/lib/api/resource-groups.ts b/app/src/lib/api/resource-groups.ts
new file mode 100644
index 00000000..11b340e9
--- /dev/null
+++ b/app/src/lib/api/resource-groups.ts
@@ -0,0 +1,50 @@
+const API_BASE = '/api';
+
+export interface ResourceGroup {
+    id: string;
+    organization_id: string;
+    name: string;
+    description: string | null;
+    internal_cidr: string;
+    status: string;
+    created_at: string;
+    updated_at: string | null;
+}
+
+export interface CreateResourceGroupRequest {
+    name: string;
+    description?: string;
+    internal_cidr: string;
+}
+
+export async function listResourceGroups(token: string): Promise<ResourceGroup[]> {
+    const res = await fetch(`${API_BASE}/resource-groups`, {
+        headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) throw new Error(`Failed to list resource groups: ${res.status}`);
+    return res.json();
+}
+
+export async function createResourceGroup(
+    token: string,
+    req: CreateResourceGroupRequest,
+): Promise<ResourceGroup> {
+    const res = await fetch(`${API_BASE}/resource-groups`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(req),
+    });
+    if (!res.ok) throw new Error(`Failed to create resource group: ${res.status}`);
+    return res.json();
+}
+
+export async function deleteResourceGroup(token: string, id: string): Promise<void> {
+    const res = await fetch(`${API_BASE}/resource-groups/${id}`, {
+        method: 'DELETE',
+        headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) throw new Error(`Failed to delete resource group: ${res.status}`);
+}
diff --git a/app/src/lib/components/sidebar/app-sidebar.svelte b/app/src/lib/components/sidebar/app-sidebar.svelte
index f46ba238..3376f022 100644
--- a/app/src/lib/components/sidebar/app-sidebar.svelte
+++ b/app/src/lib/components/sidebar/app-sidebar.svelte
@@ -43,7 +43,7 @@
             },
             {
                 title: "Resource groups",
-                url: "#",
+                url: "/resource-groups",
                 icon: Layers,
             },
         ],
diff --git a/app/src/routes/(app)/resource-groups/+page.svelte b/app/src/routes/(app)/resource-groups/+page.svelte
new file mode 100644
index 00000000..3131ba42
--- /dev/null
+++ b/app/src/routes/(app)/resource-groups/+page.svelte
@@ -0,0 +1,203 @@
+<script lang="ts">
+    import { onMount } from "svelte";
+    import { auth } from "$lib/auth/store.svelte";
+    import {
+        listResourceGroups,
+        createResourceGroup,
+        deleteResourceGroup,
+        type ResourceGroup,
+    } from "$lib/api/resource-groups";
+    import * as Sidebar from "$lib/components/ui/sidebar/index.js";
+    import { Button } from "$lib/components/ui/button/index.js";
+
+    let groups = $state<ResourceGroup[]>([]);
+    let loading = $state(true);
+    let error = $state<string | null>(null);
+    let creating = $state(false);
+    let showCreate = $state(false);
+
+    let newName = $state("");
+    let newCidr = $state("10.100.0.0/24");
+    let newDescription = $state("");
+    let createError = $state<string | null>(null);
+
+    async function load() {
+        if (!auth.token) return;
+        try {
+            groups = await listResourceGroups(auth.token);
+        } catch (e) {
+            error = e instanceof Error ? e.message : "Failed to load resource groups";
+        } finally {
+            loading = false;
+        }
+    }
+
+    async function handleCreate() {
+        if (!auth.token || !newName || !newCidr) return;
+        creating = true;
+        createError = null;
+        try {
+            const created = await createResourceGroup(auth.token, {
+                name: newName,
+                description: newDescription || undefined,
+                internal_cidr: newCidr,
+            });
+            groups = [...groups, created];
+            showCreate = false;
+            newName = "";
+            newCidr = "10.100.0.0/24";
+            newDescription = "";
+        } catch (e) {
+            createError = e instanceof Error ? e.message : "Failed to create resource group";
+        } finally {
+            creating = false;
+        }
+    }
+
+    async function handleDelete(id: string) {
+        if (!auth.token) return;
+        try {
+            await deleteResourceGroup(auth.token, id);
+            groups = groups.filter((g) => g.id !== id);
+        } catch (e) {
+            error = e instanceof Error ? e.message : "Failed to delete resource group";
+        }
+    }
+
+    function statusClass(status: string): string {
+        switch (status.toLowerCase()) {
+            case "active": return "text-green-500";
+            case "deleting": return "text-red-500";
+            case "suspended": return "text-yellow-500";
+            default: return "text-muted-foreground";
+        }
+    }
+
+    onMount(load);
+</script>
+
+<header class="flex h-16 shrink-0 items-center gap-2 px-4 border-b">
+    <Sidebar.Trigger class="-ms-1" />
+    <span class="text-sm text-muted-foreground">/</span>
+    <span class="text-sm font-medium">Resource Groups</span>
+</header>
+
+<div class="flex flex-col gap-6 p-6">
+    <div class="flex items-center justify-between">
+        <div>
+            <h1 class="text-xl font-semibold tracking-tight">Resource Groups</h1>
+            <p class="text-sm text-muted-foreground mt-0.5">
+                Isolated namespaces with dedicated internal networks
+            </p>
+        </div>
+        <Button size="sm" onclick={() => (showCreate = true)}>
+            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                <line x1="12" y1="5" x2="12" y2="19"/>
+                <line x1="5" y1="12" x2="19" y2="12"/>
+            </svg>
+            New Resource Group
+        </Button>
+    </div>
+
+    {#if showCreate}
+        <div class="border rounded-lg p-5 flex flex-col gap-4 bg-muted/20">
+            <h2 class="text-sm font-semibold">Create Resource Group</h2>
+            <div class="grid grid-cols-1 sm:grid-cols-3 gap-3">
+                <div class="flex flex-col gap-1">
+                    <label class="text-xs text-muted-foreground" for="rg-name">Name</label>
+                    <input
+                        id="rg-name"
+                        class="border rounded px-3 py-1.5 text-sm bg-background"
+                        placeholder="production"
+                        bind:value={newName}
+                    />
+                </div>
+                <div class="flex flex-col gap-1">
+                    <label class="text-xs text-muted-foreground" for="rg-cidr">Internal CIDR</label>
+                    <input
+                        id="rg-cidr"
+                        class="border rounded px-3 py-1.5 text-sm bg-background font-mono"
+                        placeholder="10.100.0.0/24"
+                        bind:value={newCidr}
+                    />
+                </div>
+                <div class="flex flex-col gap-1">
+                    <label class="text-xs text-muted-foreground" for="rg-desc">Description</label>
+                    <input
+                        id="rg-desc"
+                        class="border rounded px-3 py-1.5 text-sm bg-background"
+                        placeholder="Optional"
+                        bind:value={newDescription}
+                    />
+                </div>
+            </div>
+            {#if createError}
+                <p class="text-xs text-destructive">{createError}</p>
+            {/if}
+            <div class="flex gap-2">
+                <Button size="sm" onclick={handleCreate} disabled={creating || !newName || !newCidr}>
+                    {creating ? "Creating..." : "Create"}
+                </Button>
+                <Button size="sm" variant="outline" onclick={() => { showCreate = false; createError = null; }}>
+                    Cancel
+                </Button>
+            </div>
+        </div>
+    {/if}
+
+    {#if error}
+        <p class="text-sm text-destructive">{error}</p>
+    {/if}
+
+    <div class="border rounded-lg overflow-hidden">
+        <table class="w-full text-sm">
+            <thead class="bg-muted/50">
+                <tr>
+                    <th class="text-left px-4 py-3 font-medium text-muted-foreground">ID</th>
+                    <th class="text-left px-4 py-3 font-medium text-muted-foreground">Name</th>
+                    <th class="text-left px-4 py-3 font-medium text-muted-foreground">CIDR</th>
+                    <th class="text-left px-4 py-3 font-medium text-muted-foreground">Description</th>
+                    <th class="text-left px-4 py-3 font-medium text-muted-foreground">Status</th>
+                    <th class="text-left px-4 py-3 font-medium text-muted-foreground">Created</th>
+                    <th class="px-4 py-3"></th>
+                </tr>
+            </thead>
+            <tbody>
+                {#if loading}
+                    <tr>
+                        <td colspan="7" class="px-4 py-8 text-center text-muted-foreground">Loading...</td>
+                    </tr>
+                {:else if groups.length === 0}
+                    <tr>
+                        <td colspan="7" class="px-4 py-8 text-center text-muted-foreground">
+                            No resource groups. Create one to get started.
+                        </td>
+                    </tr>
+                {:else}
+                    {#each groups as group (group.id)}
+                        <tr class="border-t hover:bg-muted/30 transition-colors">
+                            <td class="px-4 py-3 font-mono text-xs text-muted-foreground">{group.id.slice(0, 8)}</td>
+                            <td class="px-4 py-3 font-medium">{group.name}</td>
+                            <td class="px-4 py-3 font-mono text-xs">{group.internal_cidr}</td>
+                            <td class="px-4 py-3 text-muted-foreground">{group.description ?? "-"}</td>
+                            <td class="px-4 py-3">
+                                <span class="font-medium {statusClass(group.status)}">{group.status}</span>
+                            </td>
+                            <td class="px-4 py-3 text-xs text-muted-foreground">{group.created_at.slice(0, 10)}</td>
+                            <td class="px-4 py-3 text-right">
+                                <Button
+                                    size="sm"
+                                    variant="ghost"
+                                    class="text-destructive hover:text-destructive"
+                                    onclick={() => handleDelete(group.id)}
+                                >
+                                    Delete
+                                </Button>
+                            </td>
+                        </tr>
+                    {/each}
+                {/if}
+            </tbody>
+        </table>
+    </div>
+</div>

From 7b32db8ee1dacf56062f96dee4f1649048f13464 Mon Sep 17 00:00:00 2001
From: CodeMaster4711 <cedi27@t-online.de>
Date: Sun, 28 Jun 2026 20:52:31 +0200
Subject: [PATCH 4/5] feat(resource-groups): add container deploy, volume
 management, and detail view

---
 agent/src/client.rs                           |   7 +
 agent/src/docker.rs                           |  21 +
 agent/src/main.rs                             |  22 +-
 app/src/lib/api/resource-groups.ts            | 128 +++++
 .../routes/(app)/resource-groups/+page.svelte |   8 +-
 .../(app)/resource-groups/[id]/+page.svelte   | 531 ++++++++++++++++++
 control-plane/scheduler/src/db/workloads.rs   |  11 +
 .../scheduler/src/models/workload.rs          |   8 +
 .../shared/entity/src/entities/workloads.rs   |   1 +
 control-plane/shared/migration/src/lib.rs     |   2 +
 .../src/m20260628_000000_add_volume_mounts.rs |  33 ++
 11 files changed, 769 insertions(+), 3 deletions(-)
 create mode 100644 app/src/routes/(app)/resource-groups/[id]/+page.svelte
 create mode 100644 control-plane/shared/migration/src/m20260628_000000_add_volume_mounts.rs

diff --git a/agent/src/client.rs b/agent/src/client.rs
index d87cfce3..184532eb 100644
--- a/agent/src/client.rs
+++ b/agent/src/client.rs
@@ -63,6 +63,12 @@ pub struct HeartbeatResponse {
     pub post_update_heartbeats: Option<u32>,
 }
 
+#[derive(Debug, Deserialize, Clone)]
+pub struct VolumeMount {
+    pub volume_id: String,
+    pub mount_path: String,
+}
+
 #[derive(Debug, Deserialize)]
 pub struct AssignedWorkload {
     pub id: String,
@@ -73,6 +79,7 @@ pub struct AssignedWorkload {
     pub disk_bytes: i64,
     pub env_vars: Option<HashMap<String, String>>,
     pub ports: Option<Vec<crate::docker::PortMapping>>,
+    pub volume_mounts: Option<Vec<VolumeMount>>,
     pub status: String,
     pub container_id: Option<String>,
 }
diff --git a/agent/src/docker.rs b/agent/src/docker.rs
index 7ca8262d..fbcda9a9 100644
--- a/agent/src/docker.rs
+++ b/agent/src/docker.rs
@@ -16,6 +16,12 @@ pub struct PortMapping {
     pub protocol: Option<String>,
 }
 
+#[derive(Debug, Clone)]
+pub struct VolumeMount {
+    pub volume_id: String,
+    pub mount_path: String,
+}
+
 #[derive(Debug, Clone)]
 pub struct WorkloadSpec {
     pub workload_id: String,
@@ -23,6 +29,7 @@ pub struct WorkloadSpec {
     pub image: String,
     pub env_vars: Option<HashMap<String, String>>,
     pub ports: Option<Vec<PortMapping>>,
+    pub volume_mounts: Option<Vec<VolumeMount>>,
 }
 
 pub struct DockerManager {
@@ -79,12 +86,26 @@ impl DockerManager {
 
         let (port_bindings, exposed_ports) = build_port_config(spec.ports.as_deref());
 
+        let binds = spec.volume_mounts.as_deref().map(|mounts| {
+            mounts
+                .iter()
+                .map(|m| {
+                    format!(
+                        "{}:{}",
+                        crate::rbd::mount_point_for(&m.volume_id),
+                        m.mount_path
+                    )
+                })
+                .collect::<Vec<_>>()
+        });
+
         let host_config = HostConfig {
             port_bindings: if port_bindings.is_empty() {
                 None
             } else {
                 Some(port_bindings)
             },
+            binds,
             ..Default::default()
         };
 
diff --git a/agent/src/main.rs b/agent/src/main.rs
index 9a37e110..60454f18 100644
--- a/agent/src/main.rs
+++ b/agent/src/main.rs
@@ -201,7 +201,7 @@ async fn run_heartbeat_loop(
                 process_volumes(client, agent_id, api_key, &mounted_volumes).await;
 
                 if let Some(ref dm) = docker {
-                    process_workloads(client, api_key, dm, &running_containers).await;
+                    process_workloads(client, api_key, dm, &running_containers, &mounted_volumes).await;
                 }
 
                 let statuses = build_container_statuses(&running_containers).await;
@@ -324,6 +324,7 @@ async fn process_workloads(
     api_key: &str,
     docker: &docker::DockerManager,
     running_containers: &Arc<Mutex<HashMap<String, String>>>,
+    mounted_volumes: &Arc<Mutex<HashMap<String, String>>>,
 ) {
     let workloads = match client.fetch_assigned_workloads(api_key).await {
         Ok(w) => w,
@@ -347,12 +348,31 @@ async fn process_workloads(
             continue;
         }
 
+        if let Some(ref mounts) = workload.volume_mounts {
+            let locked = mounted_volumes.lock().await;
+            let all_ready = mounts.iter().all(|m| locked.contains_key(&m.volume_id));
+            drop(locked);
+            if !all_ready {
+                info!(workload_id = %workload.id, "Waiting for volumes to be mounted, deferring workload");
+                continue;
+            }
+        }
+
         let spec = docker::WorkloadSpec {
             workload_id: workload.id.clone(),
             name: workload.name.clone(),
             image: workload.image.clone(),
             env_vars: workload.env_vars,
             ports: workload.ports,
+            volume_mounts: workload.volume_mounts.map(|mounts| {
+                mounts
+                    .into_iter()
+                    .map(|m| docker::VolumeMount {
+                        volume_id: m.volume_id,
+                        mount_path: m.mount_path,
+                    })
+                    .collect()
+            }),
         };
 
         match docker.start_container(&spec).await {
diff --git a/app/src/lib/api/resource-groups.ts b/app/src/lib/api/resource-groups.ts
index 11b340e9..2bd82fec 100644
--- a/app/src/lib/api/resource-groups.ts
+++ b/app/src/lib/api/resource-groups.ts
@@ -17,6 +17,62 @@ export interface CreateResourceGroupRequest {
     internal_cidr: string;
 }
 
+export interface PortMapping {
+    host_port: number;
+    container_port: number;
+    protocol: string | null;
+}
+
+export interface VolumeMount {
+    volume_id: string;
+    mount_path: string;
+}
+
+export interface Volume {
+    id: string;
+    name: string;
+    size_gb: number;
+    pool: string;
+    status: string;
+    attached_to_workload: string | null;
+    resource_group_id: string | null;
+    created_at: string;
+}
+
+export interface Workload {
+    id: string;
+    name: string;
+    image: string;
+    cpu_millicores: number;
+    memory_bytes: number;
+    disk_bytes: number;
+    status: string;
+    assigned_agent_id: string | null;
+    container_id: string | null;
+    volume_mounts: VolumeMount[] | null;
+    resource_group_id: string | null;
+    created_at: string;
+    updated_at: string | null;
+}
+
+export interface CreateWorkloadRequest {
+    name: string;
+    image: string;
+    cpu_millicores: number;
+    memory_bytes: number;
+    disk_bytes: number;
+    env_vars: Record<string, string> | null;
+    ports: PortMapping[] | null;
+    volume_mounts: VolumeMount[] | null;
+    resource_group_id: string;
+}
+
+export interface CreateVolumeRequest {
+    name: string;
+    size_gb: number;
+    resource_group_id: string;
+}
+
 export async function listResourceGroups(token: string): Promise<ResourceGroup[]> {
     const res = await fetch(`${API_BASE}/resource-groups`, {
         headers: { Authorization: `Bearer ${token}` },
@@ -25,6 +81,14 @@ export async function listResourceGroups(token: string): Promise<ResourceGroup[]
     return res.json();
 }
 
+export async function getResourceGroup(token: string, id: string): Promise<ResourceGroup> {
+    const res = await fetch(`${API_BASE}/resource-groups/${id}`, {
+        headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) throw new Error(`Failed to get resource group: ${res.status}`);
+    return res.json();
+}
+
 export async function createResourceGroup(
     token: string,
     req: CreateResourceGroupRequest,
@@ -48,3 +112,67 @@ export async function deleteResourceGroup(token: string, id: string): Promise<vo
     });
     if (!res.ok) throw new Error(`Failed to delete resource group: ${res.status}`);
 }
+
+export async function listResourceGroupWorkloads(token: string, rgId: string): Promise<Workload[]> {
+    const res = await fetch(`${API_BASE}/resource-groups/${rgId}/workloads`, {
+        headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) throw new Error(`Failed to list workloads: ${res.status}`);
+    return res.json();
+}
+
+export async function createWorkload(token: string, req: CreateWorkloadRequest): Promise<{ workload_id: string; status: string; assigned_agent_id: string | null; message: string }> {
+    const res = await fetch(`${API_BASE}/workloads`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(req),
+    });
+    if (!res.ok) {
+        const err = await res.json().catch(() => ({ error: res.status }));
+        throw new Error(err.error ?? `Failed to create workload: ${res.status}`);
+    }
+    return res.json();
+}
+
+export async function deleteWorkload(token: string, id: string): Promise<void> {
+    const res = await fetch(`${API_BASE}/workloads/${id}`, {
+        method: 'DELETE',
+        headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) throw new Error(`Failed to delete workload: ${res.status}`);
+}
+
+export async function listResourceGroupVolumes(token: string, rgId: string): Promise<Volume[]> {
+    const res = await fetch(`${API_BASE}/resource-groups/${rgId}/volumes`, {
+        headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) throw new Error(`Failed to list volumes: ${res.status}`);
+    return res.json();
+}
+
+export async function createVolume(token: string, req: CreateVolumeRequest): Promise<Volume> {
+    const res = await fetch(`${API_BASE}/volumes`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(req),
+    });
+    if (!res.ok) {
+        const err = await res.json().catch(() => ({ error: res.status }));
+        throw new Error(err.error ?? `Failed to create volume: ${res.status}`);
+    }
+    return res.json();
+}
+
+export async function deleteVolume(token: string, id: string): Promise<void> {
+    const res = await fetch(`${API_BASE}/volumes/${id}`, {
+        method: 'DELETE',
+        headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) throw new Error(`Failed to delete volume: ${res.status}`);
+}
diff --git a/app/src/routes/(app)/resource-groups/+page.svelte b/app/src/routes/(app)/resource-groups/+page.svelte
index 3131ba42..d6f1ddbb 100644
--- a/app/src/routes/(app)/resource-groups/+page.svelte
+++ b/app/src/routes/(app)/resource-groups/+page.svelte
@@ -1,5 +1,6 @@
 <script lang="ts">
     import { onMount } from "svelte";
+    import { goto } from "$app/navigation";
     import { auth } from "$lib/auth/store.svelte";
     import {
         listResourceGroups,
@@ -175,7 +176,10 @@
                     </tr>
                 {:else}
                     {#each groups as group (group.id)}
-                        <tr class="border-t hover:bg-muted/30 transition-colors">
+                        <tr
+                            class="border-t hover:bg-muted/30 transition-colors cursor-pointer"
+                            onclick={() => goto(`/resource-groups/${group.id}`)}
+                        >
                             <td class="px-4 py-3 font-mono text-xs text-muted-foreground">{group.id.slice(0, 8)}</td>
                             <td class="px-4 py-3 font-medium">{group.name}</td>
                             <td class="px-4 py-3 font-mono text-xs">{group.internal_cidr}</td>
@@ -189,7 +193,7 @@
                                     size="sm"
                                     variant="ghost"
                                     class="text-destructive hover:text-destructive"
-                                    onclick={() => handleDelete(group.id)}
+                                    onclick={(e) => { e.stopPropagation(); handleDelete(group.id); }}
                                 >
                                     Delete
                                 </Button>
diff --git a/app/src/routes/(app)/resource-groups/[id]/+page.svelte b/app/src/routes/(app)/resource-groups/[id]/+page.svelte
new file mode 100644
index 00000000..90f97c80
--- /dev/null
+++ b/app/src/routes/(app)/resource-groups/[id]/+page.svelte
@@ -0,0 +1,531 @@
+<script lang="ts">
+    import { onMount } from "svelte";
+    import { page } from "$app/stores";
+    import { goto } from "$app/navigation";
+    import { auth } from "$lib/auth/store.svelte";
+    import {
+        getResourceGroup,
+        listResourceGroupWorkloads,
+        listResourceGroupVolumes,
+        createWorkload,
+        deleteWorkload,
+        createVolume,
+        deleteVolume,
+        type ResourceGroup,
+        type Workload,
+        type Volume,
+        type PortMapping,
+        type VolumeMount,
+    } from "$lib/api/resource-groups";
+    import * as Sidebar from "$lib/components/ui/sidebar/index.js";
+    import { Button } from "$lib/components/ui/button/index.js";
+
+    const rgId: string = $page.params.id;
+
+    let group = $state<ResourceGroup | null>(null);
+    let workloads = $state<Workload[]>([]);
+    let volumes = $state<Volume[]>([]);
+    let loading = $state(true);
+    let error = $state<string | null>(null);
+
+    let activeTab = $state<"all" | "container" | "volume">("all");
+    let filterText = $state("");
+
+    let showDeployContainer = $state(false);
+    let showCreateVolume = $state(false);
+    let deploying = $state(false);
+    let creatingVolume = $state(false);
+    let deployError = $state<string | null>(null);
+    let volumeError = $state<string | null>(null);
+
+    let formImage = $state("");
+    let formName = $state("");
+    let formCpu = $state("500");
+    let formMemory = $state("512");
+    let formDisk = $state("1024");
+    let formEnv = $state("");
+    let formPorts = $state("");
+    let formVolumeMounts = $state("");
+
+    let volFormName = $state("");
+    let volFormSize = $state("10");
+
+    async function load() {
+        if (!auth.token) return;
+        try {
+            [group, workloads, volumes] = await Promise.all([
+                getResourceGroup(auth.token, rgId),
+                listResourceGroupWorkloads(auth.token, rgId),
+                listResourceGroupVolumes(auth.token, rgId),
+            ]);
+        } catch (e) {
+            error = e instanceof Error ? e.message : "Failed to load";
+        } finally {
+            loading = false;
+        }
+    }
+
+    function parseEnvVars(raw: string): Record<string, string> | null {
+        if (!raw.trim()) return null;
+        const result: Record<string, string> = {};
+        for (const line of raw.trim().split("\n")) {
+            const eq = line.indexOf("=");
+            if (eq === -1) continue;
+            result[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
+        }
+        return Object.keys(result).length ? result : null;
+    }
+
+    function parsePorts(raw: string): PortMapping[] | null {
+        if (!raw.trim()) return null;
+        const result: PortMapping[] = [];
+        for (const part of raw.trim().split(",")) {
+            const m = part.trim().match(/^(\d+):(\d+)(?:\/(tcp|udp))?$/);
+            if (!m) continue;
+            result.push({ host_port: parseInt(m[1]), container_port: parseInt(m[2]), protocol: m[3] ?? null });
+        }
+        return result.length ? result : null;
+    }
+
+    function parseVolumeMounts(raw: string): VolumeMount[] | null {
+        if (!raw.trim()) return null;
+        const result: VolumeMount[] = [];
+        for (const line of raw.trim().split("\n")) {
+            const parts = line.trim().split(":");
+            if (parts.length < 2) continue;
+            const volumeName = parts[0].trim();
+            const mountPath = parts.slice(1).join(":").trim();
+            const vol = volumes.find((v) => v.name === volumeName || v.id === volumeName);
+            if (!vol || !mountPath) continue;
+            result.push({ volume_id: vol.id, mount_path: mountPath });
+        }
+        return result.length ? result : null;
+    }
+
+    async function handleDeploy() {
+        if (!auth.token || !formImage || !formName) return;
+        deploying = true;
+        deployError = null;
+        try {
+            await createWorkload(auth.token, {
+                name: formName,
+                image: formImage,
+                cpu_millicores: parseInt(formCpu),
+                memory_bytes: parseInt(formMemory) * 1024 * 1024,
+                disk_bytes: parseInt(formDisk) * 1024 * 1024,
+                env_vars: parseEnvVars(formEnv),
+                ports: parsePorts(formPorts),
+                volume_mounts: parseVolumeMounts(formVolumeMounts),
+                resource_group_id: rgId,
+            });
+            showDeployContainer = false;
+            resetDeployForm();
+            workloads = await listResourceGroupWorkloads(auth.token, rgId);
+        } catch (e) {
+            deployError = e instanceof Error ? e.message : "Failed to deploy";
+        } finally {
+            deploying = false;
+        }
+    }
+
+    async function handleCreateVolume() {
+        if (!auth.token || !volFormName) return;
+        creatingVolume = true;
+        volumeError = null;
+        try {
+            await createVolume(auth.token, {
+                name: volFormName,
+                size_gb: parseInt(volFormSize),
+                resource_group_id: rgId,
+            });
+            showCreateVolume = false;
+            volFormName = "";
+            volFormSize = "10";
+            volumes = await listResourceGroupVolumes(auth.token, rgId);
+        } catch (e) {
+            volumeError = e instanceof Error ? e.message : "Failed to create volume";
+        } finally {
+            creatingVolume = false;
+        }
+    }
+
+    async function handleDeleteWorkload(id: string) {
+        if (!auth.token) return;
+        try {
+            await deleteWorkload(auth.token, id);
+            workloads = workloads.filter((w) => w.id !== id);
+        } catch (e) {
+            error = e instanceof Error ? e.message : "Failed to stop workload";
+        }
+    }
+
+    async function handleDeleteVolume(id: string) {
+        if (!auth.token) return;
+        try {
+            await deleteVolume(auth.token, id);
+            volumes = volumes.filter((v) => v.id !== id);
+        } catch (e) {
+            error = e instanceof Error ? e.message : "Failed to delete volume";
+        }
+    }
+
+    function resetDeployForm() {
+        formImage = "";
+        formName = "";
+        formCpu = "500";
+        formMemory = "512";
+        formDisk = "1024";
+        formEnv = "";
+        formPorts = "";
+        formVolumeMounts = "";
+    }
+
+    type ResourceItem =
+        | { kind: "container"; data: Workload }
+        | { kind: "volume"; data: Volume };
+
+    let allResources = $derived<ResourceItem[]>([
+        ...workloads.map((w): ResourceItem => ({ kind: "container", data: w })),
+        ...volumes.map((v): ResourceItem => ({ kind: "volume", data: v })),
+    ]);
+
+    let filteredResources = $derived(
+        allResources.filter((r) => {
+            if (activeTab === "container" && r.kind !== "container") return false;
+            if (activeTab === "volume" && r.kind !== "volume") return false;
+            if (!filterText) return true;
+            const q = filterText.toLowerCase();
+            if (r.kind === "container") {
+                return r.data.name.toLowerCase().includes(q) || r.data.image.toLowerCase().includes(q);
+            }
+            return r.data.name.toLowerCase().includes(q);
+        })
+    );
+
+    function statusClass(status: string): string {
+        switch (status.toLowerCase()) {
+            case "running":
+            case "active":
+            case "available": return "bg-green-500/15 text-green-600 dark:text-green-400";
+            case "failed":
+            case "error": return "bg-red-500/15 text-red-600 dark:text-red-400";
+            case "scheduled":
+            case "attaching": return "bg-blue-500/15 text-blue-600 dark:text-blue-400";
+            case "stopped":
+            case "deleting": return "bg-muted text-muted-foreground";
+            default: return "bg-yellow-500/15 text-yellow-600 dark:text-yellow-400";
+        }
+    }
+
+    function fmtBytes(bytes: number): string {
+        if (bytes >= 1073741824) return `${(bytes / 1073741824).toFixed(1)} GB`;
+        if (bytes >= 1048576) return `${(bytes / 1048576).toFixed(0)} MB`;
+        return `${bytes} B`;
+    }
+
+    function initials(name: string): string {
+        return name.slice(0, 2).toUpperCase();
+    }
+
+    let totalCpu = $derived(workloads.reduce((s, w) => s + w.cpu_millicores, 0));
+    let totalMem = $derived(workloads.reduce((s, w) => s + w.memory_bytes, 0));
+    let totalDisk = $derived(volumes.reduce((s, v) => s + v.size_gb, 0));
+
+    onMount(load);
+</script>
+
+<header class="flex h-16 shrink-0 items-center gap-2 px-4 border-b">
+    <Sidebar.Trigger class="-ms-1" />
+    <span class="text-sm text-muted-foreground">/</span>
+    <button
+        class="text-sm text-muted-foreground hover:text-foreground transition-colors"
+        onclick={() => goto("/resource-groups")}
+    >
+        Resource Groups
+    </button>
+    <span class="text-sm text-muted-foreground">/</span>
+    <span class="text-sm font-medium">{group?.name ?? rgId.slice(0, 8)}</span>
+</header>
+
+<div class="flex flex-col gap-6 p-6">
+    {#if loading}
+        <p class="text-sm text-muted-foreground">Loading...</p>
+    {:else if error && !group}
+        <p class="text-sm text-destructive">{error}</p>
+    {:else if group}
+        <div class="flex items-start gap-4">
+            <div class="flex h-12 w-12 shrink-0 items-center justify-center rounded-lg border bg-muted font-semibold text-sm">
+                {initials(group.name)}
+            </div>
+            <div class="flex-1 min-w-0">
+                <div class="flex items-center gap-3 flex-wrap">
+                    <h1 class="text-xl font-semibold tracking-tight">{group.name}</h1>
+                    <span class="text-xs px-2 py-0.5 rounded-full font-medium {statusClass(group.status)}">{group.status}</span>
+                </div>
+                {#if group.description}
+                    <p class="text-sm text-muted-foreground mt-0.5">{group.description}</p>
+                {/if}
+                <p class="text-xs text-muted-foreground font-mono mt-1">{group.internal_cidr}</p>
+            </div>
+            <div class="flex items-center gap-2 shrink-0">
+                <Button size="sm" variant="outline" onclick={() => { showCreateVolume = true; showDeployContainer = false; }}>
+                    Add Volume
+                </Button>
+                <Button size="sm" onclick={() => { showDeployContainer = true; showCreateVolume = false; }}>
+                    <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
+                    Deploy Container
+                </Button>
+            </div>
+        </div>
+
+        <div class="grid grid-cols-2 sm:grid-cols-4 gap-3">
+            <div class="border rounded-lg p-4">
+                <p class="text-xs text-muted-foreground">Containers</p>
+                <p class="text-2xl font-semibold mt-1">{workloads.length}</p>
+                <p class="text-xs text-muted-foreground mt-0.5">{workloads.filter(w => w.status === 'running').length} running</p>
+            </div>
+            <div class="border rounded-lg p-4">
+                <p class="text-xs text-muted-foreground">Volumes</p>
+                <p class="text-2xl font-semibold mt-1">{volumes.length}</p>
+                <p class="text-xs text-muted-foreground mt-0.5">{totalDisk} GB total</p>
+            </div>
+            <div class="border rounded-lg p-4">
+                <p class="text-xs text-muted-foreground">CPU Requested</p>
+                <p class="text-2xl font-semibold mt-1">{(totalCpu / 1000).toFixed(1)}</p>
+                <p class="text-xs text-muted-foreground mt-0.5">vCPU</p>
+            </div>
+            <div class="border rounded-lg p-4">
+                <p class="text-xs text-muted-foreground">Memory Requested</p>
+                <p class="text-2xl font-semibold mt-1">{fmtBytes(totalMem)}</p>
+                <p class="text-xs text-muted-foreground mt-0.5">across containers</p>
+            </div>
+        </div>
+
+        {#if showDeployContainer}
+            <div class="border rounded-lg p-5 flex flex-col gap-4 bg-muted/20">
+                <h2 class="text-sm font-semibold">Deploy Container</h2>
+                <div class="grid grid-cols-1 sm:grid-cols-2 gap-3">
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="d-name">Name</label>
+                        <input id="d-name" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="my-app" bind:value={formName} />
+                    </div>
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="d-image">Image</label>
+                        <input id="d-image" class="border rounded px-3 py-1.5 text-sm bg-background font-mono" placeholder="nginx:latest" bind:value={formImage} />
+                    </div>
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="d-cpu">CPU (millicores)</label>
+                        <input id="d-cpu" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="500" bind:value={formCpu} />
+                    </div>
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="d-mem">Memory (MB)</label>
+                        <input id="d-mem" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="512" bind:value={formMemory} />
+                    </div>
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="d-disk">Disk (MB)</label>
+                        <input id="d-disk" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="1024" bind:value={formDisk} />
+                    </div>
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="d-ports">Ports (host:container, comma-separated)</label>
+                        <input id="d-ports" class="border rounded px-3 py-1.5 text-sm bg-background font-mono" placeholder="8080:80, 443:443/tcp" bind:value={formPorts} />
+                    </div>
+                </div>
+                {#if volumes.length > 0}
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="d-vols">
+                            Volume Mounts (name-or-id:/mount/path, one per line)
+                        </label>
+                        <textarea
+                            id="d-vols"
+                            class="border rounded px-3 py-1.5 text-sm bg-background font-mono resize-none"
+                            rows={volumes.length > 3 ? 3 : volumes.length + 1}
+                            placeholder={volumes.map(v => `${v.name}:/data`).slice(0, 2).join("\n")}
+                            bind:value={formVolumeMounts}
+                        ></textarea>
+                        <p class="text-xs text-muted-foreground">Available: {volumes.map(v => v.name).join(", ")}</p>
+                    </div>
+                {/if}
+                <div class="flex flex-col gap-1">
+                    <label class="text-xs text-muted-foreground" for="d-env">Environment Variables (KEY=VALUE, one per line)</label>
+                    <textarea id="d-env" class="border rounded px-3 py-1.5 text-sm bg-background font-mono resize-none" rows={3} placeholder={"NODE_ENV=production\nPORT=3000"} bind:value={formEnv}></textarea>
+                </div>
+                {#if deployError}
+                    <p class="text-xs text-destructive">{deployError}</p>
+                {/if}
+                <div class="flex gap-2">
+                    <Button size="sm" onclick={handleDeploy} disabled={deploying || !formName || !formImage}>
+                        {deploying ? "Deploying..." : "Deploy"}
+                    </Button>
+                    <Button size="sm" variant="outline" onclick={() => { showDeployContainer = false; deployError = null; resetDeployForm(); }}>
+                        Cancel
+                    </Button>
+                </div>
+            </div>
+        {/if}
+
+        {#if showCreateVolume}
+            <div class="border rounded-lg p-5 flex flex-col gap-4 bg-muted/20">
+                <h2 class="text-sm font-semibold">Create Volume</h2>
+                <div class="grid grid-cols-1 sm:grid-cols-2 gap-3">
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="v-name">Name</label>
+                        <input id="v-name" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="postgres-data" bind:value={volFormName} />
+                    </div>
+                    <div class="flex flex-col gap-1">
+                        <label class="text-xs text-muted-foreground" for="v-size">Size (GB)</label>
+                        <input id="v-size" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="10" bind:value={volFormSize} />
+                    </div>
+                </div>
+                {#if volumeError}
+                    <p class="text-xs text-destructive">{volumeError}</p>
+                {/if}
+                <div class="flex gap-2">
+                    <Button size="sm" onclick={handleCreateVolume} disabled={creatingVolume || !volFormName}>
+                        {creatingVolume ? "Creating..." : "Create"}
+                    </Button>
+                    <Button size="sm" variant="outline" onclick={() => { showCreateVolume = false; volumeError = null; }}>
+                        Cancel
+                    </Button>
+                </div>
+            </div>
+        {/if}
+
+        {#if error}
+            <p class="text-xs text-destructive">{error}</p>
+        {/if}
+
+        <div class="border rounded-lg overflow-hidden">
+            <div class="px-4 py-3 border-b flex items-center justify-between gap-4 flex-wrap">
+                <div class="flex items-center gap-1">
+                    {#each [["all", `All ${allResources.length}`], ["container", `Container ${workloads.length}`], ["volume", `Volume ${volumes.length}`]] as [tab, label]}
+                        <button
+                            class="px-3 py-1 rounded text-sm font-medium transition-colors {activeTab === tab ? 'bg-foreground text-background' : 'text-muted-foreground hover:text-foreground'}"
+                            onclick={() => (activeTab = tab as typeof activeTab)}
+                        >
+                            {label}
+                        </button>
+                    {/each}
+                </div>
+                <div class="flex items-center gap-2 border rounded px-3 py-1.5 text-sm min-w-[180px]">
+                    <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="text-muted-foreground shrink-0"><circle cx="11" cy="11" r="8"/><line x1="21" y1="21" x2="16.65" y2="16.65"/></svg>
+                    <input class="bg-transparent outline-none flex-1 text-sm" placeholder="Filter resources..." bind:value={filterText} />
+                </div>
+            </div>
+
+            <table class="w-full text-sm">
+                <thead>
+                    <tr class="bg-muted/30 border-b">
+                        <th class="text-left px-4 py-2.5 font-medium text-muted-foreground text-xs">Resource</th>
+                        <th class="text-left px-4 py-2.5 font-medium text-muted-foreground text-xs">Kind</th>
+                        <th class="text-left px-4 py-2.5 font-medium text-muted-foreground text-xs">Host / Size</th>
+                        <th class="text-left px-4 py-2.5 font-medium text-muted-foreground text-xs">Load</th>
+                        <th class="text-left px-4 py-2.5 font-medium text-muted-foreground text-xs">Status</th>
+                        <th class="px-4 py-2.5"></th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {#if filteredResources.length === 0}
+                        <tr>
+                            <td colspan="6" class="px-4 py-10 text-center text-muted-foreground text-sm">
+                                {allResources.length === 0 ? "No resources yet. Deploy a container or create a volume." : "No resources match filter."}
+                            </td>
+                        </tr>
+                    {:else}
+                        {#each filteredResources as item (item.kind + item.data.id)}
+                            {#if item.kind === "container"}
+                                {@const w = item.data}
+                                <tr class="border-t hover:bg-muted/20 transition-colors">
+                                    <td class="px-4 py-3">
+                                        <div class="flex items-center gap-2.5">
+                                            <div class="flex h-7 w-7 shrink-0 items-center justify-center rounded border bg-muted/50">
+                                                <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><rect x="2" y="7" width="20" height="14" rx="2"/><path d="M16 21V5a2 2 0 0 0-2-2h-4a2 2 0 0 0-2 2v16"/></svg>
+                                            </div>
+                                            <div>
+                                                <p class="font-medium leading-tight">{w.name}</p>
+                                                <p class="text-xs text-muted-foreground font-mono">{w.image}</p>
+                                            </div>
+                                        </div>
+                                    </td>
+                                    <td class="px-4 py-3">
+                                        <span class="text-xs px-2 py-0.5 rounded border font-medium">Container</span>
+                                    </td>
+                                    <td class="px-4 py-3 text-xs text-muted-foreground font-mono">
+                                        {w.assigned_agent_id ? w.assigned_agent_id.slice(0, 8) : "-"}
+                                    </td>
+                                    <td class="px-4 py-3">
+                                        <div class="flex items-center gap-2 min-w-[120px]">
+                                            <span class="text-xs text-muted-foreground w-8">{w.cpu_millicores}m</span>
+                                            <div class="flex-1 h-1 rounded-full bg-muted overflow-hidden">
+                                                <div class="h-full rounded-full bg-foreground/60" style="width: {Math.min(100, w.cpu_millicores / 10)}%"></div>
+                                            </div>
+                                        </div>
+                                    </td>
+                                    <td class="px-4 py-3">
+                                        <span class="text-xs px-2 py-0.5 rounded-full font-medium {statusClass(w.status)}">
+                                            {w.status}
+                                        </span>
+                                    </td>
+                                    <td class="px-4 py-3 text-right">
+                                        <Button
+                                            size="sm"
+                                            variant="ghost"
+                                            class="text-destructive hover:text-destructive h-7 px-2 text-xs"
+                                            onclick={() => handleDeleteWorkload(w.id)}
+                                        >
+                                            Stop
+                                        </Button>
+                                    </td>
+                                </tr>
+                            {:else}
+                                {@const v = item.data}
+                                <tr class="border-t hover:bg-muted/20 transition-colors">
+                                    <td class="px-4 py-3">
+                                        <div class="flex items-center gap-2.5">
+                                            <div class="flex h-7 w-7 shrink-0 items-center justify-center rounded border bg-muted/50">
+                                                <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><ellipse cx="12" cy="5" rx="9" ry="3"/><path d="M21 12c0 1.66-4 3-9 3s-9-1.34-9-3"/><path d="M3 5v14c0 1.66 4 3 9 3s9-1.34 9-3V5"/></svg>
+                                            </div>
+                                            <div>
+                                                <p class="font-medium leading-tight">{v.name}</p>
+                                                <p class="text-xs text-muted-foreground">{v.size_gb} GB · {v.pool}</p>
+                                            </div>
+                                        </div>
+                                    </td>
+                                    <td class="px-4 py-3">
+                                        <span class="text-xs px-2 py-0.5 rounded border font-medium">Volume</span>
+                                    </td>
+                                    <td class="px-4 py-3 text-xs text-muted-foreground">
+                                        {v.size_gb} GB
+                                    </td>
+                                    <td class="px-4 py-3">
+                                        <div class="flex items-center gap-2 min-w-[120px]">
+                                            <span class="text-xs text-muted-foreground w-8">{v.size_gb}G</span>
+                                            <div class="flex-1 h-1 rounded-full bg-muted overflow-hidden">
+                                                <div class="h-full rounded-full bg-foreground/30" style="width: {Math.min(100, v.size_gb)}%"></div>
+                                            </div>
+                                        </div>
+                                    </td>
+                                    <td class="px-4 py-3">
+                                        <span class="text-xs px-2 py-0.5 rounded-full font-medium {statusClass(v.status)}">
+                                            {v.status}
+                                        </span>
+                                    </td>
+                                    <td class="px-4 py-3 text-right">
+                                        <Button
+                                            size="sm"
+                                            variant="ghost"
+                                            class="text-destructive hover:text-destructive h-7 px-2 text-xs"
+                                            onclick={() => handleDeleteVolume(v.id)}
+                                            disabled={v.status === "in_use"}
+                                        >
+                                            Delete
+                                        </Button>
+                                    </td>
+                                </tr>
+                            {/if}
+                        {/each}
+                    {/if}
+                </tbody>
+            </table>
+        </div>
+    {/if}
+</div>
diff --git a/control-plane/scheduler/src/db/workloads.rs b/control-plane/scheduler/src/db/workloads.rs
index ff497e05..8ea7d69d 100644
--- a/control-plane/scheduler/src/db/workloads.rs
+++ b/control-plane/scheduler/src/db/workloads.rs
@@ -17,6 +17,10 @@ pub async fn create(
         .ports
         .as_ref()
         .and_then(|p| serde_json::to_value(p).ok());
+    let volume_mounts = req
+        .volume_mounts
+        .as_ref()
+        .and_then(|v| serde_json::to_value(v).ok());
 
     let model = workloads::ActiveModel {
         id: Set(Uuid::new_v4()),
@@ -27,6 +31,7 @@ pub async fn create(
         disk_bytes: Set(req.disk_bytes),
         env_vars: Set(env_vars),
         ports: Set(ports),
+        volume_mounts: Set(volume_mounts),
         status: Set(WorkloadStatus::Pending.as_str().to_string()),
         assigned_agent_id: Set(None),
         container_id: Set(None),
@@ -94,6 +99,11 @@ pub async fn delete(db: &DatabaseConnection, workload_id: Uuid) -> Result<(), se
 }
 
 fn into_response(m: workloads::Model) -> WorkloadResponse {
+    let volume_mounts = m
+        .volume_mounts
+        .as_ref()
+        .and_then(|v| serde_json::from_value(v.clone()).ok());
+
     WorkloadResponse {
         id: m.id,
         name: m.name,
@@ -104,6 +114,7 @@ fn into_response(m: workloads::Model) -> WorkloadResponse {
         status: WorkloadStatus::from_str(&m.status),
         assigned_agent_id: m.assigned_agent_id,
         container_id: m.container_id,
+        volume_mounts,
         resource_group_id: m.resource_group_id,
         created_at: m.created_at.and_utc(),
         updated_at: m.updated_at.map(|dt| dt.and_utc()),
diff --git a/control-plane/scheduler/src/models/workload.rs b/control-plane/scheduler/src/models/workload.rs
index 47ecf109..4b1f9fbb 100644
--- a/control-plane/scheduler/src/models/workload.rs
+++ b/control-plane/scheduler/src/models/workload.rs
@@ -35,6 +35,12 @@ impl WorkloadStatus {
     }
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct VolumeMount {
+    pub volume_id: Uuid,
+    pub mount_path: String,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct CreateWorkloadRequest {
     pub name: String,
@@ -44,6 +50,7 @@ pub struct CreateWorkloadRequest {
     pub disk_bytes: i64,
     pub env_vars: Option<HashMap<String, String>>,
     pub ports: Option<Vec<PortMapping>>,
+    pub volume_mounts: Option<Vec<VolumeMount>>,
     pub resource_group_id: Option<Uuid>,
 }
 
@@ -73,6 +80,7 @@ pub struct WorkloadResponse {
     pub status: WorkloadStatus,
     pub assigned_agent_id: Option<Uuid>,
     pub container_id: Option<String>,
+    pub volume_mounts: Option<Vec<VolumeMount>>,
     pub resource_group_id: Option<Uuid>,
     pub created_at: DateTime<Utc>,
     pub updated_at: Option<DateTime<Utc>>,
diff --git a/control-plane/shared/entity/src/entities/workloads.rs b/control-plane/shared/entity/src/entities/workloads.rs
index 27c97d5c..b4c662d9 100644
--- a/control-plane/shared/entity/src/entities/workloads.rs
+++ b/control-plane/shared/entity/src/entities/workloads.rs
@@ -13,6 +13,7 @@ pub struct Model {
     pub disk_bytes: i64,
     pub env_vars: Option<Json>,
     pub ports: Option<Json>,
+    pub volume_mounts: Option<Json>,
     pub status: String,
     pub assigned_agent_id: Option<Uuid>,
     pub container_id: Option<String>,
diff --git a/control-plane/shared/migration/src/lib.rs b/control-plane/shared/migration/src/lib.rs
index 7764dad3..c05f5298 100644
--- a/control-plane/shared/migration/src/lib.rs
+++ b/control-plane/shared/migration/src/lib.rs
@@ -19,6 +19,7 @@ mod m20260308_000000_add_org_scoping;
 mod m20260309_000000_add_bootstrap_tokens;
 mod m20260523_000000_add_ssh_keys;
 mod m20260625_000000_add_resource_groups;
+mod m20260628_000000_add_volume_mounts;
 
 pub struct Migrator;
 
@@ -45,6 +46,7 @@ impl MigratorTrait for Migrator {
             Box::new(m20260309_000000_add_bootstrap_tokens::Migration),
             Box::new(m20260523_000000_add_ssh_keys::Migration),
             Box::new(m20260625_000000_add_resource_groups::Migration),
+            Box::new(m20260628_000000_add_volume_mounts::Migration),
         ]
     }
 }
diff --git a/control-plane/shared/migration/src/m20260628_000000_add_volume_mounts.rs b/control-plane/shared/migration/src/m20260628_000000_add_volume_mounts.rs
new file mode 100644
index 00000000..450fb41e
--- /dev/null
+++ b/control-plane/shared/migration/src/m20260628_000000_add_volume_mounts.rs
@@ -0,0 +1,33 @@
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Alias::new("workloads"))
+                    .add_column_if_not_exists(
+                        ColumnDef::new(Alias::new("volume_mounts"))
+                            .json()
+                            .null(),
+                    )
+                    .to_owned(),
+            )
+            .await
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Alias::new("workloads"))
+                    .drop_column(Alias::new("volume_mounts"))
+                    .to_owned(),
+            )
+            .await
+    }
+}

From d8c098b71064d1e3c1ec32e66d21821ab90e63a8 Mon Sep 17 00:00:00 2001
From: CodeMaster4711 <cedi27@t-online.de>
Date: Sun, 28 Jun 2026 21:36:27 +0200
Subject: [PATCH 5/5] feat(ui,agent,registry): add WireGuard P2S VPN, modal
 forms, and NodePort expose model

---
 Cargo.lock                                    |  14 +
 Cargo.toml                                    |   1 +
 agent/Cargo.toml                              |   2 +
 agent/src/client.rs                           |  24 +-
 agent/src/docker.rs                           |  23 +-
 agent/src/main.rs                             |   7 +-
 app/src/lib/api/resource-groups.ts            |   2 +-
 .../routes/(app)/resource-groups/+page.svelte | 109 +++----
 .../(app)/resource-groups/[id]/+page.svelte   | 271 +++++++++++-------
 app/src/routes/layout.css                     |   3 +
 .../api-gateway/src/routes/agents.rs          |   2 +
 .../api-gateway/src/routes/resource_groups.rs | 144 +++++++++-
 control-plane/api-gateway/src/self_monitor.rs |   2 +
 control-plane/registry/src/db/agents.rs       |  10 +
 control-plane/registry/src/handlers/agent.rs  |   6 +-
 control-plane/registry/src/models/agent.rs    |   2 +
 .../registry/src/services/registry.rs         |  19 +-
 control-plane/scheduler/src/db/agents.rs      |  10 +-
 .../scheduler/src/models/workload.rs          |   2 +-
 .../scheduler/src/services/scheduler.rs       |  40 +++
 .../shared/entity/src/entities/agents.rs      |   2 +
 control-plane/shared/migration/src/lib.rs     |   2 +
 ...20260628_100000_rg_cidr_unique_agent_wg.rs |  63 ++++
 23 files changed, 585 insertions(+), 175 deletions(-)
 create mode 100644 control-plane/shared/migration/src/m20260628_100000_rg_cidr_unique_agent_wg.rs

diff --git a/Cargo.lock b/Cargo.lock
index 3677127e..d2a46e32 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1175,6 +1175,7 @@ name = "csfx-agent"
 version = "0.2.2"
 dependencies = [
  "anyhow",
+ "base64",
  "bollard",
  "chrono",
  "futures-util",
@@ -1189,6 +1190,7 @@ dependencies = [
  "tracing",
  "tracing-subscriber",
  "uuid",
+ "x25519-dalek",
 ]
 
 [[package]]
@@ -6450,6 +6452,18 @@ dependencies = [
  "tap",
 ]
 
+[[package]]
+name = "x25519-dalek"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277"
+dependencies = [
+ "curve25519-dalek",
+ "rand_core 0.6.4",
+ "serde",
+ "zeroize",
+]
+
 [[package]]
 name = "x509-parser"
 version = "0.18.1"
diff --git a/Cargo.toml b/Cargo.toml
index 2fdf864c..792350f3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -88,6 +88,7 @@ tracing-opentelemetry = { version = "0.33" }
 
 # Other
 rand = "0.10"
+x25519-dalek = { version = "2", features = ["static_secrets"] }
 aes-gcm = "0.10"
 base64 = "0.22"
 sha1 = "0.11"
diff --git a/agent/Cargo.toml b/agent/Cargo.toml
index fe7acd4c..0bc5d926 100644
--- a/agent/Cargo.toml
+++ b/agent/Cargo.toml
@@ -24,3 +24,5 @@ sysinfo = { workspace = true }
 rcgen = { workspace = true }
 bollard = { workspace = true }
 futures-util = { workspace = true }
+x25519-dalek = { workspace = true }
+base64 = { workspace = true }
diff --git a/agent/src/client.rs b/agent/src/client.rs
index 184532eb..d9b79271 100644
--- a/agent/src/client.rs
+++ b/agent/src/client.rs
@@ -1,5 +1,7 @@
 use anyhow::{Context, Result};
+use base64::{engine::general_purpose::STANDARD as B64, Engine};
 use reqwest::Client;
+use ring::rand::{SecureRandom, SystemRandom};
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::time::Duration;
@@ -48,6 +50,8 @@ struct HeartbeatRequest {
     network_rx_bytes: Option<u64>,
     network_tx_bytes: Option<u64>,
     uptime_seconds: Option<u64>,
+    wg_public_key: Option<String>,
+    wg_endpoint: Option<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone)]
@@ -88,10 +92,24 @@ pub struct ApiClient {
     client: Client,
     gateway_url: String,
     cert_pem: Option<String>,
+    wg_public_key: String,
+    wg_endpoint: Option<String>,
+}
+
+pub fn generate_wg_keypair() -> (String, String) {
+    let rng = SystemRandom::new();
+    let mut private_bytes = [0u8; 32];
+    rng.fill(&mut private_bytes).expect("failed to generate WireGuard key");
+    private_bytes[0] &= 248;
+    private_bytes[31] &= 127;
+    private_bytes[31] |= 64;
+    let secret = x25519_dalek::StaticSecret::from(private_bytes);
+    let public = x25519_dalek::PublicKey::from(&secret);
+    (B64.encode(private_bytes), B64.encode(public.to_bytes()))
 }
 
 impl ApiClient {
-    pub fn new(gateway_url: String) -> Result<Self> {
+    pub fn new(gateway_url: String, wg_public_key: String, wg_endpoint: Option<String>) -> Result<Self> {
         let client = Client::builder()
             .timeout(std::time::Duration::from_secs(30))
             .danger_accept_invalid_certs(true)
@@ -102,6 +120,8 @@ impl ApiClient {
             client,
             gateway_url,
             cert_pem: None,
+            wg_public_key,
+            wg_endpoint,
         })
     }
 
@@ -221,6 +241,8 @@ impl ApiClient {
                 network_rx_bytes,
                 network_tx_bytes,
                 uptime_seconds,
+                wg_public_key: Some(self.wg_public_key.clone()),
+                wg_endpoint: self.wg_endpoint.clone(),
             });
 
         if let Some(ref cert_pem) = self.cert_pem {
diff --git a/agent/src/docker.rs b/agent/src/docker.rs
index fbcda9a9..702da354 100644
--- a/agent/src/docker.rs
+++ b/agent/src/docker.rs
@@ -11,9 +11,9 @@ use tracing::{info, warn};
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct PortMapping {
-    pub host_port: u16,
     pub container_port: u16,
     pub protocol: Option<String>,
+    pub node_port: Option<u16>,
 }
 
 #[derive(Debug, Clone)]
@@ -181,16 +181,17 @@ fn build_port_config(
         for p in ports {
             let proto = p.protocol.as_deref().unwrap_or("tcp");
             let container_key = format!("{}/{}", p.container_port, proto);
-
-            port_bindings.insert(
-                container_key.clone(),
-                Some(vec![bollard::models::PortBinding {
-                    host_ip: Some("0.0.0.0".to_string()),
-                    host_port: Some(p.host_port.to_string()),
-                }]),
-            );
-
-            exposed_ports.push(container_key);
+            exposed_ports.push(container_key.clone());
+
+            if let Some(node_port) = p.node_port {
+                port_bindings.insert(
+                    container_key,
+                    Some(vec![bollard::models::PortBinding {
+                        host_ip: Some("0.0.0.0".to_string()),
+                        host_port: Some(node_port.to_string()),
+                    }]),
+                );
+            }
         }
     }
 
diff --git a/agent/src/main.rs b/agent/src/main.rs
index 60454f18..a7d6cac5 100644
--- a/agent/src/main.rs
+++ b/agent/src/main.rs
@@ -51,8 +51,11 @@ async fn main() -> Result<()> {
         .and_then(|v| v.parse().ok())
         .unwrap_or(60);
 
-    let api_client =
-        client::ApiClient::new(gateway_url.clone()).context("Failed to initialize API client")?;
+    let wg_endpoint = std::env::var("CSFX_WG_ENDPOINT").ok();
+    let (_wg_private_key, wg_public_key) = client::generate_wg_keypair();
+
+    let api_client = client::ApiClient::new(gateway_url.clone(), wg_public_key, wg_endpoint)
+        .context("Failed to initialize API client")?;
 
     let agent_pki = pki::AgentPki::load_or_generate().context("Failed to initialize PKI")?;
 
diff --git a/app/src/lib/api/resource-groups.ts b/app/src/lib/api/resource-groups.ts
index 2bd82fec..9ef94e8a 100644
--- a/app/src/lib/api/resource-groups.ts
+++ b/app/src/lib/api/resource-groups.ts
@@ -18,9 +18,9 @@ export interface CreateResourceGroupRequest {
 }
 
 export interface PortMapping {
-    host_port: number;
     container_port: number;
     protocol: string | null;
+    node_port: number | null;
 }
 
 export interface VolumeMount {
diff --git a/app/src/routes/(app)/resource-groups/+page.svelte b/app/src/routes/(app)/resource-groups/+page.svelte
index d6f1ddbb..21a6c3bf 100644
--- a/app/src/routes/(app)/resource-groups/+page.svelte
+++ b/app/src/routes/(app)/resource-groups/+page.svelte
@@ -15,7 +15,7 @@
     let loading = $state(true);
     let error = $state<string | null>(null);
     let creating = $state(false);
-    let showCreate = $state(false);
+    let createDialog = $state<HTMLDialogElement | null>(null);
 
     let newName = $state("");
     let newCidr = $state("10.100.0.0/24");
@@ -44,7 +44,7 @@
                 internal_cidr: newCidr,
             });
             groups = [...groups, created];
-            showCreate = false;
+            createDialog?.close();
             newName = "";
             newCidr = "10.100.0.0/24";
             newDescription = "";
@@ -77,6 +77,63 @@
     onMount(load);
 </script>
 
+<dialog
+    bind:this={createDialog}
+    class="fixed inset-0 z-50 m-auto w-full max-w-md rounded-xl border bg-background shadow-xl p-0 backdrop:bg-black/40"
+    onclose={() => { createError = null; }}
+>
+    <div class="flex flex-col gap-5 p-6">
+        <div class="flex items-center justify-between">
+            <h2 class="text-base font-semibold">New Resource Group</h2>
+            <button
+                class="text-muted-foreground hover:text-foreground"
+                onclick={() => createDialog?.close()}
+                aria-label="Close"
+            >
+                <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+            </button>
+        </div>
+        <div class="flex flex-col gap-3">
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="rg-name">Name</label>
+                <input
+                    id="rg-name"
+                    class="border rounded px-3 py-1.5 text-sm bg-background"
+                    placeholder="production"
+                    bind:value={newName}
+                />
+            </div>
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="rg-cidr">Internal CIDR</label>
+                <input
+                    id="rg-cidr"
+                    class="border rounded px-3 py-1.5 text-sm bg-background font-mono"
+                    placeholder="10.100.0.0/24"
+                    bind:value={newCidr}
+                />
+            </div>
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="rg-desc">Description</label>
+                <input
+                    id="rg-desc"
+                    class="border rounded px-3 py-1.5 text-sm bg-background"
+                    placeholder="Optional"
+                    bind:value={newDescription}
+                />
+            </div>
+        </div>
+        {#if createError}
+            <p class="text-xs text-destructive">{createError}</p>
+        {/if}
+        <div class="flex gap-2 justify-end">
+            <Button size="sm" variant="outline" onclick={() => createDialog?.close()}>Cancel</Button>
+            <Button size="sm" onclick={handleCreate} disabled={creating || !newName || !newCidr}>
+                {creating ? "Creating..." : "Create"}
+            </Button>
+        </div>
+    </div>
+</dialog>
+
 <header class="flex h-16 shrink-0 items-center gap-2 px-4 border-b">
     <Sidebar.Trigger class="-ms-1" />
     <span class="text-sm text-muted-foreground">/</span>
@@ -91,7 +148,7 @@
                 Isolated namespaces with dedicated internal networks
             </p>
         </div>
-        <Button size="sm" onclick={() => (showCreate = true)}>
+        <Button size="sm" onclick={() => createDialog?.showModal()}>
             <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
                 <line x1="12" y1="5" x2="12" y2="19"/>
                 <line x1="5" y1="12" x2="19" y2="12"/>
@@ -100,52 +157,6 @@
         </Button>
     </div>
 
-    {#if showCreate}
-        <div class="border rounded-lg p-5 flex flex-col gap-4 bg-muted/20">
-            <h2 class="text-sm font-semibold">Create Resource Group</h2>
-            <div class="grid grid-cols-1 sm:grid-cols-3 gap-3">
-                <div class="flex flex-col gap-1">
-                    <label class="text-xs text-muted-foreground" for="rg-name">Name</label>
-                    <input
-                        id="rg-name"
-                        class="border rounded px-3 py-1.5 text-sm bg-background"
-                        placeholder="production"
-                        bind:value={newName}
-                    />
-                </div>
-                <div class="flex flex-col gap-1">
-                    <label class="text-xs text-muted-foreground" for="rg-cidr">Internal CIDR</label>
-                    <input
-                        id="rg-cidr"
-                        class="border rounded px-3 py-1.5 text-sm bg-background font-mono"
-                        placeholder="10.100.0.0/24"
-                        bind:value={newCidr}
-                    />
-                </div>
-                <div class="flex flex-col gap-1">
-                    <label class="text-xs text-muted-foreground" for="rg-desc">Description</label>
-                    <input
-                        id="rg-desc"
-                        class="border rounded px-3 py-1.5 text-sm bg-background"
-                        placeholder="Optional"
-                        bind:value={newDescription}
-                    />
-                </div>
-            </div>
-            {#if createError}
-                <p class="text-xs text-destructive">{createError}</p>
-            {/if}
-            <div class="flex gap-2">
-                <Button size="sm" onclick={handleCreate} disabled={creating || !newName || !newCidr}>
-                    {creating ? "Creating..." : "Create"}
-                </Button>
-                <Button size="sm" variant="outline" onclick={() => { showCreate = false; createError = null; }}>
-                    Cancel
-                </Button>
-            </div>
-        </div>
-    {/if}
-
     {#if error}
         <p class="text-sm text-destructive">{error}</p>
     {/if}
diff --git a/app/src/routes/(app)/resource-groups/[id]/+page.svelte b/app/src/routes/(app)/resource-groups/[id]/+page.svelte
index 90f97c80..51da30d1 100644
--- a/app/src/routes/(app)/resource-groups/[id]/+page.svelte
+++ b/app/src/routes/(app)/resource-groups/[id]/+page.svelte
@@ -31,12 +31,13 @@
     let activeTab = $state<"all" | "container" | "volume">("all");
     let filterText = $state("");
 
-    let showDeployContainer = $state(false);
-    let showCreateVolume = $state(false);
+    let deployDialog = $state<HTMLDialogElement | null>(null);
+    let volumeDialog = $state<HTMLDialogElement | null>(null);
     let deploying = $state(false);
     let creatingVolume = $state(false);
     let deployError = $state<string | null>(null);
     let volumeError = $state<string | null>(null);
+    let downloadingVpn = $state(false);
 
     let formImage = $state("");
     let formName = $state("");
@@ -80,9 +81,24 @@
         if (!raw.trim()) return null;
         const result: PortMapping[] = [];
         for (const part of raw.trim().split(",")) {
-            const m = part.trim().match(/^(\d+):(\d+)(?:\/(tcp|udp))?$/);
-            if (!m) continue;
-            result.push({ host_port: parseInt(m[1]), container_port: parseInt(m[2]), protocol: m[3] ?? null });
+            const t = part.trim();
+            const nodePort = t.match(/^(\d+):(\d+)(?:\/(tcp|udp))?$/);
+            if (nodePort) {
+                result.push({
+                    container_port: parseInt(nodePort[2]),
+                    protocol: nodePort[3] ?? null,
+                    node_port: parseInt(nodePort[1]),
+                });
+                continue;
+            }
+            const internal = t.match(/^(\d+)(?:\/(tcp|udp))?$/);
+            if (internal) {
+                result.push({
+                    container_port: parseInt(internal[1]),
+                    protocol: internal[2] ?? null,
+                    node_port: null,
+                });
+            }
         }
         return result.length ? result : null;
     }
@@ -118,7 +134,7 @@
                 volume_mounts: parseVolumeMounts(formVolumeMounts),
                 resource_group_id: rgId,
             });
-            showDeployContainer = false;
+            deployDialog?.close();
             resetDeployForm();
             workloads = await listResourceGroupWorkloads(auth.token, rgId);
         } catch (e) {
@@ -138,7 +154,7 @@
                 size_gb: parseInt(volFormSize),
                 resource_group_id: rgId,
             });
-            showCreateVolume = false;
+            volumeDialog?.close();
             volFormName = "";
             volFormSize = "10";
             volumes = await listResourceGroupVolumes(auth.token, rgId);
@@ -169,6 +185,33 @@
         }
     }
 
+    async function downloadVpnConfig() {
+        if (!auth.token) return;
+        downloadingVpn = true;
+        try {
+            const resp = await fetch(`/api/resource-groups/${rgId}/vpn-config`, {
+                headers: { Authorization: `Bearer ${auth.token}` },
+            });
+            if (!resp.ok) {
+                const body = await resp.json().catch(() => ({}));
+                throw new Error(body.error ?? `HTTP ${resp.status}`);
+            }
+            const blob = await resp.blob();
+            const url = URL.createObjectURL(blob);
+            const a = document.createElement("a");
+            const cd = resp.headers.get("content-disposition") ?? "";
+            const fn = cd.match(/filename="([^"]+)"/)?.[1] ?? `csfx-vpn.conf`;
+            a.href = url;
+            a.download = fn;
+            a.click();
+            URL.revokeObjectURL(url);
+        } catch (e) {
+            error = e instanceof Error ? e.message : "VPN config download failed";
+        } finally {
+            downloadingVpn = false;
+        }
+    }
+
     function resetDeployForm() {
         formImage = "";
         formName = "";
@@ -178,6 +221,7 @@
         formEnv = "";
         formPorts = "";
         formVolumeMounts = "";
+        deployError = null;
     }
 
     type ResourceItem =
@@ -234,6 +278,120 @@
     onMount(load);
 </script>
 
+<dialog
+    bind:this={deployDialog}
+    class="fixed inset-0 z-50 m-auto w-full max-w-lg rounded-xl border bg-background shadow-xl p-0 backdrop:bg-black/40"
+    onclose={() => resetDeployForm()}
+>
+    <div class="flex flex-col gap-5 p-6">
+        <div class="flex items-center justify-between">
+            <h2 class="text-base font-semibold">Deploy Container</h2>
+            <button
+                class="text-muted-foreground hover:text-foreground"
+                onclick={() => deployDialog?.close()}
+                aria-label="Close"
+            >
+                <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+            </button>
+        </div>
+        <div class="grid grid-cols-1 sm:grid-cols-2 gap-3">
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="d-name">Name</label>
+                <input id="d-name" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="my-app" bind:value={formName} />
+            </div>
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="d-image">Image</label>
+                <input id="d-image" class="border rounded px-3 py-1.5 text-sm bg-background font-mono" placeholder="nginx:latest" bind:value={formImage} />
+            </div>
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="d-cpu">CPU (millicores)</label>
+                <input id="d-cpu" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="500" bind:value={formCpu} />
+            </div>
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="d-mem">Memory (MB)</label>
+                <input id="d-mem" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="512" bind:value={formMemory} />
+            </div>
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="d-disk">Disk (MB)</label>
+                <input id="d-disk" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="1024" bind:value={formDisk} />
+            </div>
+            <div class="flex flex-col gap-1 sm:col-span-2">
+                <label class="text-xs text-muted-foreground" for="d-ports">
+                    Ports — <span class="font-mono">nodePort:containerPort</span> to expose externally,
+                    <span class="font-mono">containerPort</span> for internal mesh only
+                </label>
+                <input id="d-ports" class="border rounded px-3 py-1.5 text-sm bg-background font-mono" placeholder="8080:80, 443 (internal only)" bind:value={formPorts} />
+            </div>
+        </div>
+        {#if volumes.length > 0}
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="d-vols">
+                    Volume Mounts (name-or-id:/mount/path, one per line)
+                </label>
+                <textarea
+                    id="d-vols"
+                    class="border rounded px-3 py-1.5 text-sm bg-background font-mono resize-none"
+                    rows={Math.min(4, volumes.length + 1)}
+                    placeholder={volumes.map(v => `${v.name}:/data`).slice(0, 2).join("\n")}
+                    bind:value={formVolumeMounts}
+                ></textarea>
+                <p class="text-xs text-muted-foreground">Available: {volumes.map(v => v.name).join(", ")}</p>
+            </div>
+        {/if}
+        <div class="flex flex-col gap-1">
+            <label class="text-xs text-muted-foreground" for="d-env">Environment Variables (KEY=VALUE, one per line)</label>
+            <textarea id="d-env" class="border rounded px-3 py-1.5 text-sm bg-background font-mono resize-none" rows={3} placeholder={"NODE_ENV=production\nPORT=3000"} bind:value={formEnv}></textarea>
+        </div>
+        {#if deployError}
+            <p class="text-xs text-destructive">{deployError}</p>
+        {/if}
+        <div class="flex gap-2 justify-end">
+            <Button size="sm" variant="outline" onclick={() => deployDialog?.close()}>Cancel</Button>
+            <Button size="sm" onclick={handleDeploy} disabled={deploying || !formName || !formImage}>
+                {deploying ? "Deploying..." : "Deploy"}
+            </Button>
+        </div>
+    </div>
+</dialog>
+
+<dialog
+    bind:this={volumeDialog}
+    class="fixed inset-0 z-50 m-auto w-full max-w-sm rounded-xl border bg-background shadow-xl p-0 backdrop:bg-black/40"
+    onclose={() => { volumeError = null; }}
+>
+    <div class="flex flex-col gap-5 p-6">
+        <div class="flex items-center justify-between">
+            <h2 class="text-base font-semibold">Create Volume</h2>
+            <button
+                class="text-muted-foreground hover:text-foreground"
+                onclick={() => volumeDialog?.close()}
+                aria-label="Close"
+            >
+                <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
+            </button>
+        </div>
+        <div class="grid grid-cols-1 sm:grid-cols-2 gap-3">
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="v-name">Name</label>
+                <input id="v-name" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="postgres-data" bind:value={volFormName} />
+            </div>
+            <div class="flex flex-col gap-1">
+                <label class="text-xs text-muted-foreground" for="v-size">Size (GB)</label>
+                <input id="v-size" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="10" bind:value={volFormSize} />
+            </div>
+        </div>
+        {#if volumeError}
+            <p class="text-xs text-destructive">{volumeError}</p>
+        {/if}
+        <div class="flex gap-2 justify-end">
+            <Button size="sm" variant="outline" onclick={() => volumeDialog?.close()}>Cancel</Button>
+            <Button size="sm" onclick={handleCreateVolume} disabled={creatingVolume || !volFormName}>
+                {creatingVolume ? "Creating..." : "Create"}
+            </Button>
+        </div>
+    </div>
+</dialog>
+
 <header class="flex h-16 shrink-0 items-center gap-2 px-4 border-b">
     <Sidebar.Trigger class="-ms-1" />
     <span class="text-sm text-muted-foreground">/</span>
@@ -267,11 +425,15 @@
                 {/if}
                 <p class="text-xs text-muted-foreground font-mono mt-1">{group.internal_cidr}</p>
             </div>
-            <div class="flex items-center gap-2 shrink-0">
-                <Button size="sm" variant="outline" onclick={() => { showCreateVolume = true; showDeployContainer = false; }}>
+            <div class="flex items-center gap-2 shrink-0 flex-wrap justify-end">
+                <Button size="sm" variant="outline" onclick={downloadVpnConfig} disabled={downloadingVpn}>
+                    <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/></svg>
+                    {downloadingVpn ? "Generating..." : "Connect VPN"}
+                </Button>
+                <Button size="sm" variant="outline" onclick={() => volumeDialog?.showModal()}>
                     Add Volume
                 </Button>
-                <Button size="sm" onclick={() => { showDeployContainer = true; showCreateVolume = false; }}>
+                <Button size="sm" onclick={() => deployDialog?.showModal()}>
                     <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="12" y1="5" x2="12" y2="19"/><line x1="5" y1="12" x2="19" y2="12"/></svg>
                     Deploy Container
                 </Button>
@@ -301,95 +463,6 @@
             </div>
         </div>
 
-        {#if showDeployContainer}
-            <div class="border rounded-lg p-5 flex flex-col gap-4 bg-muted/20">
-                <h2 class="text-sm font-semibold">Deploy Container</h2>
-                <div class="grid grid-cols-1 sm:grid-cols-2 gap-3">
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="d-name">Name</label>
-                        <input id="d-name" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="my-app" bind:value={formName} />
-                    </div>
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="d-image">Image</label>
-                        <input id="d-image" class="border rounded px-3 py-1.5 text-sm bg-background font-mono" placeholder="nginx:latest" bind:value={formImage} />
-                    </div>
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="d-cpu">CPU (millicores)</label>
-                        <input id="d-cpu" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="500" bind:value={formCpu} />
-                    </div>
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="d-mem">Memory (MB)</label>
-                        <input id="d-mem" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="512" bind:value={formMemory} />
-                    </div>
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="d-disk">Disk (MB)</label>
-                        <input id="d-disk" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="1024" bind:value={formDisk} />
-                    </div>
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="d-ports">Ports (host:container, comma-separated)</label>
-                        <input id="d-ports" class="border rounded px-3 py-1.5 text-sm bg-background font-mono" placeholder="8080:80, 443:443/tcp" bind:value={formPorts} />
-                    </div>
-                </div>
-                {#if volumes.length > 0}
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="d-vols">
-                            Volume Mounts (name-or-id:/mount/path, one per line)
-                        </label>
-                        <textarea
-                            id="d-vols"
-                            class="border rounded px-3 py-1.5 text-sm bg-background font-mono resize-none"
-                            rows={volumes.length > 3 ? 3 : volumes.length + 1}
-                            placeholder={volumes.map(v => `${v.name}:/data`).slice(0, 2).join("\n")}
-                            bind:value={formVolumeMounts}
-                        ></textarea>
-                        <p class="text-xs text-muted-foreground">Available: {volumes.map(v => v.name).join(", ")}</p>
-                    </div>
-                {/if}
-                <div class="flex flex-col gap-1">
-                    <label class="text-xs text-muted-foreground" for="d-env">Environment Variables (KEY=VALUE, one per line)</label>
-                    <textarea id="d-env" class="border rounded px-3 py-1.5 text-sm bg-background font-mono resize-none" rows={3} placeholder={"NODE_ENV=production\nPORT=3000"} bind:value={formEnv}></textarea>
-                </div>
-                {#if deployError}
-                    <p class="text-xs text-destructive">{deployError}</p>
-                {/if}
-                <div class="flex gap-2">
-                    <Button size="sm" onclick={handleDeploy} disabled={deploying || !formName || !formImage}>
-                        {deploying ? "Deploying..." : "Deploy"}
-                    </Button>
-                    <Button size="sm" variant="outline" onclick={() => { showDeployContainer = false; deployError = null; resetDeployForm(); }}>
-                        Cancel
-                    </Button>
-                </div>
-            </div>
-        {/if}
-
-        {#if showCreateVolume}
-            <div class="border rounded-lg p-5 flex flex-col gap-4 bg-muted/20">
-                <h2 class="text-sm font-semibold">Create Volume</h2>
-                <div class="grid grid-cols-1 sm:grid-cols-2 gap-3">
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="v-name">Name</label>
-                        <input id="v-name" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="postgres-data" bind:value={volFormName} />
-                    </div>
-                    <div class="flex flex-col gap-1">
-                        <label class="text-xs text-muted-foreground" for="v-size">Size (GB)</label>
-                        <input id="v-size" type="number" class="border rounded px-3 py-1.5 text-sm bg-background" placeholder="10" bind:value={volFormSize} />
-                    </div>
-                </div>
-                {#if volumeError}
-                    <p class="text-xs text-destructive">{volumeError}</p>
-                {/if}
-                <div class="flex gap-2">
-                    <Button size="sm" onclick={handleCreateVolume} disabled={creatingVolume || !volFormName}>
-                        {creatingVolume ? "Creating..." : "Create"}
-                    </Button>
-                    <Button size="sm" variant="outline" onclick={() => { showCreateVolume = false; volumeError = null; }}>
-                        Cancel
-                    </Button>
-                </div>
-            </div>
-        {/if}
-
         {#if error}
             <p class="text-xs text-destructive">{error}</p>
         {/if}
diff --git a/app/src/routes/layout.css b/app/src/routes/layout.css
index cf53eeb0..704e1533 100644
--- a/app/src/routes/layout.css
+++ b/app/src/routes/layout.css
@@ -136,4 +136,7 @@
     html {
         @apply font-sans;
     }
+    dialog {
+        @apply bg-background text-foreground;
+    }
 }
diff --git a/control-plane/api-gateway/src/routes/agents.rs b/control-plane/api-gateway/src/routes/agents.rs
index fbfa1474..c5f1c4d1 100644
--- a/control-plane/api-gateway/src/routes/agents.rs
+++ b/control-plane/api-gateway/src/routes/agents.rs
@@ -166,6 +166,8 @@ pub async fn register_agent(
             tags: ActiveValue::Set(registration.tags),
             capabilities: ActiveValue::Set(None),
             public_key_pem: ActiveValue::Set(None),
+            wg_public_key: ActiveValue::Set(None),
+            wg_endpoint: ActiveValue::Set(None),
         };
 
         new_agent.insert(&state.db_conn).await.map_err(|e| {
diff --git a/control-plane/api-gateway/src/routes/resource_groups.rs b/control-plane/api-gateway/src/routes/resource_groups.rs
index ac93567d..559cf8d1 100644
--- a/control-plane/api-gateway/src/routes/resource_groups.rs
+++ b/control-plane/api-gateway/src/routes/resource_groups.rs
@@ -1,17 +1,20 @@
 use axum::{
     extract::{Path, State},
-    http::StatusCode,
-    response::{IntoResponse, Json},
+    http::{header, StatusCode},
+    response::{IntoResponse, Json, Response},
     routing::get,
     Router,
 };
+use base64::{engine::general_purpose::STANDARD as B64, Engine};
 use chrono::Utc;
 use entity::{
-    entities::{networks, resource_groups, volumes, workloads},
-    Networks, ResourceGroups, Volumes, Workloads,
+    entities::{agents, networks, resource_groups, volumes, workloads},
+    Agents, Networks, ResourceGroups, Volumes, Workloads,
 };
+use ring::rand::{SecureRandom, SystemRandom};
 use sea_orm::{
     ActiveModelTrait, ActiveValue::Set, ColumnTrait, EntityTrait, PaginatorTrait, QueryFilter,
+    QueryOrder,
 };
 use serde::{Deserialize, Serialize};
 use serde_json::json;
@@ -90,8 +93,27 @@ pub async fn create_resource_group(
     Json(req): Json<CreateResourceGroupRequest>,
 ) -> Result<impl IntoResponse, (StatusCode, Json<serde_json::Value>)> {
     let org_id = get_org_id(&state);
-    let now = Utc::now().naive_utc();
 
+    let existing = ResourceGroups::find()
+        .filter(resource_groups::Column::InternalCidr.eq(&req.internal_cidr))
+        .one(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to check cidr uniqueness");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?;
+
+    if existing.is_some() {
+        return Err((
+            StatusCode::CONFLICT,
+            Json(json!({ "error": format!("CIDR {} is already in use by another resource group", req.internal_cidr) })),
+        ));
+    }
+
+    let now = Utc::now().naive_utc();
     let model = resource_groups::ActiveModel {
         id: Set(Uuid::new_v4()),
         organization_id: Set(org_id),
@@ -332,6 +354,117 @@ pub async fn list_resource_group_networks(
     Ok((StatusCode::OK, Json(json!(nets))))
 }
 
+pub async fn get_vpn_config(
+    CanViewResourceGroups(_claims): CanViewResourceGroups,
+    State(state): State<AppState>,
+    Path(id): Path<Uuid>,
+) -> Result<Response, (StatusCode, Json<serde_json::Value>)> {
+    let org_id = get_org_id(&state);
+
+    let group = ResourceGroups::find_by_id(id)
+        .filter(resource_groups::Column::OrganizationId.eq(org_id))
+        .one(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to get resource group");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?
+        .ok_or_else(|| {
+            (
+                StatusCode::NOT_FOUND,
+                Json(json!({ "error": "resource group not found" })),
+            )
+        })?;
+
+    let gateway_agent = Agents::find()
+        .filter(agents::Column::Status.eq("Online"))
+        .filter(agents::Column::WgPublicKey.is_not_null())
+        .filter(agents::Column::WgEndpoint.is_not_null())
+        .order_by_asc(agents::Column::RegisteredAt)
+        .one(&state.db_conn)
+        .await
+        .map_err(|e| {
+            tracing::error!(error = %e, "failed to find gateway agent");
+            (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(json!({ "error": "database error" })),
+            )
+        })?
+        .ok_or_else(|| {
+            (
+                StatusCode::SERVICE_UNAVAILABLE,
+                Json(json!({ "error": "no WireGuard-enabled agent online" })),
+            )
+        })?;
+
+    let server_pubkey = gateway_agent.wg_public_key.as_deref().unwrap_or("");
+    let endpoint = gateway_agent.wg_endpoint.as_deref().unwrap_or("");
+
+    let client_private_key = generate_wg_key().map_err(|_| {
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(json!({ "error": "failed to generate keypair" })),
+        )
+    })?;
+
+    let dns = first_host_ip(&group.internal_cidr).unwrap_or_else(|| "1.1.1.1".to_string());
+
+    let config = format!(
+        "[Interface]\nPrivateKey = {client_private_key}\nAddress = {dns}/32\nDNS = {dns}\n\n[Peer]\nPublicKey = {server_pubkey}\nEndpoint = {endpoint}\nAllowedIPs = {cidr}\nPersistentKeepalive = 25\n",
+        client_private_key = client_private_key,
+        dns = dns,
+        server_pubkey = server_pubkey,
+        endpoint = endpoint,
+        cidr = group.internal_cidr,
+    );
+
+    let filename = format!("csfx-{}.conf", group.name.to_lowercase().replace(' ', "-"));
+
+    Ok((
+        StatusCode::OK,
+        [
+            (header::CONTENT_TYPE, "text/plain; charset=utf-8"),
+            (
+                header::CONTENT_DISPOSITION,
+                &format!("attachment; filename=\"{}\"", filename),
+            ),
+        ],
+        config,
+    )
+        .into_response())
+}
+
+fn generate_wg_key() -> Result<String, ring::error::Unspecified> {
+    let rng = SystemRandom::new();
+    let mut key_bytes = [0u8; 32];
+    rng.fill(&mut key_bytes)?;
+    key_bytes[0] &= 248;
+    key_bytes[31] &= 127;
+    key_bytes[31] |= 64;
+    Ok(B64.encode(key_bytes))
+}
+
+fn first_host_ip(cidr: &str) -> Option<String> {
+    let parts: Vec<&str> = cidr.split('/').collect();
+    if parts.len() != 2 {
+        return None;
+    }
+    let octets: Vec<u8> = parts[0]
+        .split('.')
+        .filter_map(|o| o.parse().ok())
+        .collect();
+    if octets.len() != 4 {
+        return None;
+    }
+    let n = u32::from_be_bytes([octets[0], octets[1], octets[2], octets[3]]);
+    let host = n + 1;
+    let [a, b, c, d] = host.to_be_bytes();
+    Some(format!("{}.{}.{}.{}", a, b, c, d))
+}
+
 pub fn resource_groups_routes() -> Router<AppState> {
     Router::new()
         .route(
@@ -354,4 +487,5 @@ pub fn resource_groups_routes() -> Router<AppState> {
             "/resource-groups/{id}/networks",
             get(list_resource_group_networks),
         )
+        .route("/resource-groups/{id}/vpn-config", get(get_vpn_config))
 }
diff --git a/control-plane/api-gateway/src/self_monitor.rs b/control-plane/api-gateway/src/self_monitor.rs
index 9c9604d7..c0d7ace0 100644
--- a/control-plane/api-gateway/src/self_monitor.rs
+++ b/control-plane/api-gateway/src/self_monitor.rs
@@ -90,6 +90,8 @@ impl SelfMonitor {
                     "self-monitor".to_string(),
                 )]))),
                 public_key_pem: ActiveValue::Set(None),
+                wg_public_key: ActiveValue::Set(None),
+                wg_endpoint: ActiveValue::Set(None),
             };
 
             let agent = new_agent.insert(db_conn.as_ref()).await?;
diff --git a/control-plane/registry/src/db/agents.rs b/control-plane/registry/src/db/agents.rs
index c23ce15b..263848a4 100644
--- a/control-plane/registry/src/db/agents.rs
+++ b/control-plane/registry/src/db/agents.rs
@@ -78,6 +78,8 @@ pub async fn create(
         tags: Set(tags),
         capabilities: Set(capabilities),
         public_key_pem: Set(public_key_pem),
+        wg_public_key: Set(None),
+        wg_endpoint: Set(None),
     };
 
     Ok(model.insert(db).await?)
@@ -95,6 +97,8 @@ pub async fn update_heartbeat(
     db: &DatabaseConnection,
     agent_id: Uuid,
     status: String,
+    wg_public_key: Option<String>,
+    wg_endpoint: Option<String>,
 ) -> Result<()> {
     let mut agent: agents::ActiveModel = agents::Entity::find_by_id(agent_id)
         .one(db)
@@ -105,6 +109,12 @@ pub async fn update_heartbeat(
     agent.last_heartbeat = Set(Some(chrono::Utc::now().naive_utc()));
     agent.status = Set(status);
     agent.updated_at = Set(Some(chrono::Utc::now().naive_utc()));
+    if wg_public_key.is_some() {
+        agent.wg_public_key = Set(wg_public_key);
+    }
+    if wg_endpoint.is_some() {
+        agent.wg_endpoint = Set(wg_endpoint);
+    }
     agent.update(db).await?;
 
     Ok(())
diff --git a/control-plane/registry/src/handlers/agent.rs b/control-plane/registry/src/handlers/agent.rs
index c6992bd7..eb8f8a9a 100644
--- a/control-plane/registry/src/handlers/agent.rs
+++ b/control-plane/registry/src/handlers/agent.rs
@@ -208,7 +208,11 @@ pub async fn heartbeat(
         }
     }
 
-    match state.agent_registry.update_heartbeat(agent_id).await {
+    match state
+        .agent_registry
+        .update_heartbeat(agent_id, request.wg_public_key.clone(), request.wg_endpoint.clone())
+        .await
+    {
         Ok(_) => {
             forward_metrics(&state, agent_id, &request).await;
 
diff --git a/control-plane/registry/src/models/agent.rs b/control-plane/registry/src/models/agent.rs
index e38537be..ac65f3b5 100644
--- a/control-plane/registry/src/models/agent.rs
+++ b/control-plane/registry/src/models/agent.rs
@@ -128,6 +128,8 @@ pub struct HeartbeatRequest {
     pub network_rx_bytes: Option<u64>,
     pub network_tx_bytes: Option<u64>,
     pub uptime_seconds: Option<u64>,
+    pub wg_public_key: Option<String>,
+    pub wg_endpoint: Option<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
diff --git a/control-plane/registry/src/services/registry.rs b/control-plane/registry/src/services/registry.rs
index 3df0ec69..73fa39a8 100644
--- a/control-plane/registry/src/services/registry.rs
+++ b/control-plane/registry/src/services/registry.rs
@@ -209,10 +209,21 @@ impl AgentRegistry {
         Ok((agent, false))
     }
 
-    pub async fn update_heartbeat(&self, agent_id: Uuid) -> Result<(), String> {
-        crate::db::agents::update_heartbeat(&self.db, agent_id, "Online".to_string())
-            .await
-            .map_err(|e| format!("Failed to update heartbeat: {}", e))?;
+    pub async fn update_heartbeat(
+        &self,
+        agent_id: Uuid,
+        wg_public_key: Option<String>,
+        wg_endpoint: Option<String>,
+    ) -> Result<(), String> {
+        crate::db::agents::update_heartbeat(
+            &self.db,
+            agent_id,
+            "Online".to_string(),
+            wg_public_key,
+            wg_endpoint,
+        )
+        .await
+        .map_err(|e| format!("Failed to update heartbeat: {}", e))?;
 
         crate::log_debug!(
             "agent_registry",
diff --git a/control-plane/scheduler/src/db/agents.rs b/control-plane/scheduler/src/db/agents.rs
index fba9b0f7..f29eb4a4 100644
--- a/control-plane/scheduler/src/db/agents.rs
+++ b/control-plane/scheduler/src/db/agents.rs
@@ -1,4 +1,4 @@
-use entity::entities::{agent_metrics, agents};
+use entity::entities::{agent_metrics, agents, volumes};
 use sea_orm::{ColumnTrait, DatabaseConnection, EntityTrait, QueryFilter, QueryOrder};
 use uuid::Uuid;
 
@@ -69,3 +69,11 @@ pub async fn get_assigned_workload_resources(
 
     Ok((cpu, mem, disk))
 }
+
+pub async fn get_volume_agent(
+    db: &DatabaseConnection,
+    volume_id: Uuid,
+) -> Result<Option<Uuid>, sea_orm::DbErr> {
+    let vol = volumes::Entity::find_by_id(volume_id).one(db).await?;
+    Ok(vol.and_then(|v| v.attached_to_agent))
+}
diff --git a/control-plane/scheduler/src/models/workload.rs b/control-plane/scheduler/src/models/workload.rs
index 4b1f9fbb..676d178a 100644
--- a/control-plane/scheduler/src/models/workload.rs
+++ b/control-plane/scheduler/src/models/workload.rs
@@ -56,9 +56,9 @@ pub struct CreateWorkloadRequest {
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct PortMapping {
-    pub host_port: u16,
     pub container_port: u16,
     pub protocol: Option<String>,
+    pub node_port: Option<u16>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
diff --git a/control-plane/scheduler/src/services/scheduler.rs b/control-plane/scheduler/src/services/scheduler.rs
index 1835c5fe..8ae77ebc 100644
--- a/control-plane/scheduler/src/services/scheduler.rs
+++ b/control-plane/scheduler/src/services/scheduler.rs
@@ -43,6 +43,12 @@ impl SchedulerService {
             agent.free_disk_bytes -= reserved_disk;
         }
 
+        let volume_pinned_agent = self.resolve_volume_affinity(&req).await?;
+
+        if let Some(required_agent) = volume_pinned_agent {
+            agents.retain(|a| a.agent_id == required_agent);
+        }
+
         match self.first_fit(&req, &agents) {
             Some(agent_id) => {
                 crate::db::workloads::assign(&self.db, workload.id, agent_id)
@@ -92,6 +98,40 @@ impl SchedulerService {
         }
     }
 
+    async fn resolve_volume_affinity(
+        &self,
+        req: &CreateWorkloadRequest,
+    ) -> Result<Option<Uuid>, String> {
+        let mounts = match &req.volume_mounts {
+            Some(m) if !m.is_empty() => m,
+            _ => return Ok(None),
+        };
+
+        let mut pinned: Option<Uuid> = None;
+
+        for mount in mounts {
+            let agent_id =
+                crate::db::agents::get_volume_agent(&self.db, mount.volume_id)
+                    .await
+                    .map_err(|e| format!("Failed to check volume affinity: {}", e))?;
+
+            if let Some(aid) = agent_id {
+                match pinned {
+                    None => pinned = Some(aid),
+                    Some(existing) if existing != aid => {
+                        return Err(format!(
+                            "Volume mounts require conflicting agents: {} vs {}",
+                            existing, aid
+                        ));
+                    }
+                    _ => {}
+                }
+            }
+        }
+
+        Ok(pinned)
+    }
+
     fn first_fit(&self, req: &CreateWorkloadRequest, agents: &[AgentResources]) -> Option<Uuid> {
         let mut sorted: Vec<&AgentResources> = agents.iter().collect();
         sorted.sort_by(|a, b| {
diff --git a/control-plane/shared/entity/src/entities/agents.rs b/control-plane/shared/entity/src/entities/agents.rs
index fe64aeb9..b26103df 100644
--- a/control-plane/shared/entity/src/entities/agents.rs
+++ b/control-plane/shared/entity/src/entities/agents.rs
@@ -21,6 +21,8 @@ pub struct Model {
     pub tags: Option<Json>,
     pub capabilities: Option<Json>,
     pub public_key_pem: Option<String>,
+    pub wg_public_key: Option<String>,
+    pub wg_endpoint: Option<String>,
 }
 
 #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
diff --git a/control-plane/shared/migration/src/lib.rs b/control-plane/shared/migration/src/lib.rs
index c05f5298..4365d679 100644
--- a/control-plane/shared/migration/src/lib.rs
+++ b/control-plane/shared/migration/src/lib.rs
@@ -20,6 +20,7 @@ mod m20260309_000000_add_bootstrap_tokens;
 mod m20260523_000000_add_ssh_keys;
 mod m20260625_000000_add_resource_groups;
 mod m20260628_000000_add_volume_mounts;
+mod m20260628_100000_rg_cidr_unique_agent_wg;
 
 pub struct Migrator;
 
@@ -47,6 +48,7 @@ impl MigratorTrait for Migrator {
             Box::new(m20260523_000000_add_ssh_keys::Migration),
             Box::new(m20260625_000000_add_resource_groups::Migration),
             Box::new(m20260628_000000_add_volume_mounts::Migration),
+            Box::new(m20260628_100000_rg_cidr_unique_agent_wg::Migration),
         ]
     }
 }
diff --git a/control-plane/shared/migration/src/m20260628_100000_rg_cidr_unique_agent_wg.rs b/control-plane/shared/migration/src/m20260628_100000_rg_cidr_unique_agent_wg.rs
new file mode 100644
index 00000000..e1f0eb75
--- /dev/null
+++ b/control-plane/shared/migration/src/m20260628_100000_rg_cidr_unique_agent_wg.rs
@@ -0,0 +1,63 @@
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_index(
+                Index::create()
+                    .name("idx_resource_groups_cidr_unique")
+                    .table(Alias::new("resource_groups"))
+                    .col(Alias::new("internal_cidr"))
+                    .unique()
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Alias::new("agents"))
+                    .add_column_if_not_exists(
+                        ColumnDef::new(Alias::new("wg_public_key"))
+                            .text()
+                            .null(),
+                    )
+                    .add_column_if_not_exists(
+                        ColumnDef::new(Alias::new("wg_endpoint"))
+                            .string()
+                            .null(),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .drop_index(
+                Index::drop()
+                    .name("idx_resource_groups_cidr_unique")
+                    .table(Alias::new("resource_groups"))
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .alter_table(
+                Table::alter()
+                    .table(Alias::new("agents"))
+                    .drop_column(Alias::new("wg_public_key"))
+                    .drop_column(Alias::new("wg_endpoint"))
+                    .to_owned(),
+            )
+            .await?;
+
+        Ok(())
+    }
+}