@highstate/library 0.7.11 → 0.9.0

package/dist/index.js

@@ -7,11 +7,12 @@ var __export = (target, all) => {
 // src/common.ts
 var common_exports = {};
 __export(common_exports, {
-  endpointEntity: () => endpointEntity,
   existingServer: () => existingServer,
   fileContentEntity: () => fileContentEntity,
   fileEntity: () => fileEntity,
   fileMetaEntity: () => fileMetaEntity,
+  l3EndpointEntity: () => l3EndpointEntity,
+  l4EndpointEntity: () => l4EndpointEntity,
   script: () => script,
   serverEntity: () => serverEntity
 });
@@ -84,14 +85,25 @@ var serverEntity = defineEntity2({
     color: "#009688"
   }
 });
-var endpointEntity = defineEntity2({
-  type: "common.endpoint",
+var l3EndpointEntity = defineEntity2({
+  type: "common.l3-endpoint",
   schema: Type2.Object({
     endpoint: Type2.String()
   }),
   meta: {
-    color: "#FFC107",
-    description: "The L3-L4 endpoint for some network service."
+    color: "#1B5E20",
+    description: "The L3 endpoint for some service. May be a domain name or an IP address."
+  }
+});
+var l4EndpointEntity = defineEntity2({
+  type: "common.l4-endpoint",
+  schema: Type2.Object({
+    endpoint: Type2.String(),
+    port: Type2.Number()
+  }),
+  meta: {
+    color: "#F57F17",
+    description: "The L4 endpoint for some service. Extends an L3 endpoint with a port."
   }
 });
 var existingServer = defineUnit2({
@@ -360,6 +372,7 @@ __export(k8s_exports, {
   deploymentSpecSchema: () => deploymentSpecSchema,
   dns01TlsIssuer: () => dns01TlsIssuer,
   existingCluster: () => existingCluster,
+  gatewayApi: () => gatewayApi,
   gatewayEntity: () => gatewayEntity,
   interfaceEntity: () => interfaceEntity,
   internalIpsPolicySchema: () => internalIpsPolicySchema,
@@ -372,9 +385,11 @@ __export(k8s_exports, {
   serviceTypeSchema: () => serviceTypeSchema,
   sharedClusterArgs: () => sharedClusterArgs,
   statefulSetEntity: () => statefulSetEntity,
-  tlsIssuerEntity: () => tlsIssuerEntity
+  tlsIssuerEntity: () => tlsIssuerEntity,
+  tunDevicePolicySchema: () => tunDevicePolicySchema
 });
 import { defineEntity as defineEntity5, defineUnit as defineUnit5, Type as Type5 } from "@highstate/contract";
+import { Literal } from "@sinclair/typebox";
 
 // src/dns.ts
 var dns_exports = {};
@@ -419,11 +434,32 @@ var record = defineUnit4({
 });
 
 // src/k8s.ts
+var tunDevicePolicySchema = Type5.Union([
+  Type5.Object({
+    type: Literal("host")
+  }),
+  Type5.Object({
+    type: Literal("plugin"),
+    resourceName: Type5.String(),
+    resourceValue: Type5.String()
+  })
+]);
 var clusterInfoSchema = Type5.Object({
   id: Type5.String(),
   name: Type5.String(),
   cni: Type5.Optional(Type5.String()),
-  externalIps: Type5.Array(Type5.String())
+  externalIps: Type5.Array(Type5.String()),
+  fqdn: Type5.Optional(Type5.String()),
+  kubeApiServerIp: Type5.Optional(Type5.String()),
+  kubeApiServerPort: Type5.Optional(Type5.Number()),
+  /**
+   * Specifies the policy for using the tun device inside containers.
+   *
+   * If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
+   *
+   * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
+   */
+  tunDevicePolicy: Type5.Optional(tunDevicePolicySchema)
 });
 var serviceTypeSchema = Type5.StringEnum(["NodePort", "LoadBalancer", "ClusterIP"]);
 var metadataSchema = Type5.Object({
@@ -530,7 +566,24 @@ var sharedClusterArgs = {
 var existingCluster = defineUnit5({
   type: "k8s.existing-cluster",
   args: {
-    ...sharedClusterArgs
+    ...sharedClusterArgs,
+    /**
+     * The policy for using the tun device inside containers.
+     *
+     * If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
+     *
+     * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
+     *
+     * @schema
+     */
+    tunDevicePolicy: {
+      ...Type5.Optional(tunDevicePolicySchema),
+      description: `The policy for using the tun device inside containers.
+
+ If not provided, the default policy is \`host\` which assumes just mounting /dev/net/tun from the host.
+
+ For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.`
+    }
   },
   secrets: {
     /**
@@ -585,14 +638,14 @@ var tlsIssuerEntity = defineEntity5({
   }
 });
 var accessPointEntity = defineEntity5({
-  type: "common.access-point",
+  type: "k8s.access-point",
   schema: Type5.Object({
     gateway: gatewayEntity.schema,
     tlsIssuer: tlsIssuerEntity.schema,
-    dnsProvider: providerEntity.schema
+    dnsProviders: Type5.Array(providerEntity.schema)
   }),
   meta: {
-    color: "#FFC107"
+    color: "#F57F17"
   }
 });
 var accessPoint = defineUnit5({
@@ -600,7 +653,10 @@ var accessPoint = defineUnit5({
   inputs: {
     gateway: gatewayEntity,
     tlsIssuer: tlsIssuerEntity,
-    dnsProvider: providerEntity
+    dnsProviders: {
+      entity: providerEntity,
+      multiple: true
+    }
   },
   outputs: {
     accessPoint: accessPointEntity
@@ -635,9 +691,27 @@ var certManager = defineUnit5({
 });
 var dns01TlsIssuer = defineUnit5({
   type: "k8s.dns01-issuer",
+  args: {
+    /**
+     * The top-level domains to filter the DNS01 challenge for.
+     *
+     * If not provided, will use all domains passed to the DNS providers.
+     *
+     * @schema
+     */
+    domains: {
+      ...Type5.Optional(Type5.Array(Type5.String())),
+      description: `The top-level domains to filter the DNS01 challenge for.
+
+ If not provided, will use all domains passed to the DNS providers.`
+    }
+  },
   inputs: {
     k8sCluster: clusterEntity2,
-    dnsProvider: providerEntity
+    dnsProviders: {
+      entity: providerEntity,
+      multiple: true
+    }
   },
   outputs: {
     tlsIssuer: tlsIssuerEntity
@@ -715,6 +789,25 @@ var interfaceEntity = defineEntity5({
     description: "The interface in a network space of pod kernel which can accept or transmit packets."
   }
 });
+var gatewayApi = defineUnit5({
+  type: "k8s.gateway-api",
+  inputs: {
+    k8sCluster: clusterEntity2
+  },
+  outputs: {
+    k8sCluster: clusterEntity2
+  },
+  meta: {
+    displayName: "Gateway API",
+    description: "Installs the Gateway API CRDs to the cluster.",
+    primaryIcon: "mdi:kubernetes",
+    primaryIconColor: "#4CAF50"
+  },
+  source: {
+    package: "@highstate/k8s",
+    path: "units/gateway-api"
+  }
+});
 
 // src/talos.ts
 var talos_exports = {};
@@ -910,7 +1003,7 @@ var network = defineUnit7({
      * @schema
      */
     backend: {
-      ...backendSchema,
+      ...Type7.Default(backendSchema, "wireguard"),
       description: `The backend to use for the WireGuard network.
 
  Possible values are:
@@ -1172,7 +1265,7 @@ var peer = defineUnit7({
      * @schema
      */
     publicKey: {
-      ...Type7.String(),
+      ...Type7.Optional(Type7.String()),
       description: `The public key of the WireGuard peer.`
     }
   },
@@ -1192,6 +1285,34 @@ var peer = defineUnit7({
       description: `The network to use for the WireGuard peer.
 
  If not provided, the peer will use default network configuration.`
+    },
+    /**
+     * The existing WireGuard peer to extend.
+     *
+     * @schema
+     */
+    peer: {
+      ...{
+        entity: peerEntity,
+        required: false
+      },
+      description: `The existing WireGuard peer to extend.`
+    },
+    /**
+     * The L4 endpoint of the peer.
+     *
+     * Will take priority over all calculated endpoints if provided.
+     *
+     * @schema
+     */
+    l4Endpoint: {
+      ...{
+        entity: l4EndpointEntity,
+        required: false
+      },
+      description: `The L4 endpoint of the peer.
+
+ Will take priority over all calculated endpoints if provided.`
     }
   },
   outputs: {
@@ -1245,6 +1366,8 @@ var identity = defineUnit7({
      *
      * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
      *
+     * Will take priority over all calculated endpoints and `l4Endpoint` input.
+     *
      * @schema
      */
     endpoint: {
@@ -1253,13 +1376,16 @@ var identity = defineUnit7({
 
  By default, the endpoint is calculated as \`externalIp:listenPort\`.
 
- If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.`
+ If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
+
+ Will take priority over all calculated endpoints and \`l4Endpoint\` input.`
     },
     /**
      * The FQDN of the WireGuard identity.
      * Will be used as endpoint for the peer.
      *
-     * If `dnsProvider` is provided and `externalIp` is available, the FQDN will be registered automatically.
+     * If `dnsProvider` is provided, external IP is available and `registerFqdn` is set to `true`, and FQDN is provided explicitly (not obtained from the k8s cluster),
+     * the FQDN will be registered with the DNS provider.
      *
      * @schema
      */
@@ -1268,7 +1394,21 @@ var identity = defineUnit7({
       description: `The FQDN of the WireGuard identity.
  Will be used as endpoint for the peer.
 
- If \`dnsProvider\` is provided and \`externalIp\` is available, the FQDN will be registered automatically.`
+ If \`dnsProvider\` is provided, external IP is available and \`registerFqdn\` is set to \`true\`, and FQDN is provided explicitly (not obtained from the k8s cluster),
+ the FQDN will be registered with the DNS provider.`
+    },
+    /**
+     * Whether to register the FQDN of the identity with the matching DNS providers.
+     *
+     * By default, `true`.
+     *
+     * @schema
+     */
+    registerFqdn: {
+      ...Type7.Default(Type7.Boolean(), true),
+      description: `Whether to register the FQDN of the identity with the matching DNS providers.
+
+ By default, \`true\`.`
     }
   },
   secrets: {
@@ -1333,14 +1473,59 @@ var identity = defineUnit7({
 
  Their IP addresses will be added to the \`allowedIps\` of the identity and passed to the node to set up network policies.`
     },
-    dnsProvider: {
-      entity: providerEntity,
-      required: false
+    /**
+     * The Kubernetes cluster associated with the identity.
+     *
+     * If provided, will be used to obtain the external IP or FQDN of the identity.
+     *
+     * @schema
+     */
+    k8sCluster: {
+      ...{
+        entity: clusterEntity2,
+        required: false
+      },
+      description: `The Kubernetes cluster associated with the identity.
+
+ If provided, will be used to obtain the external IP or FQDN of the identity.`
+    },
+    /**
+     * The L4 endpoint of the identity.
+     *
+     * Will take priority over all calculated endpoints if provided.
+     *
+     * @schema
+     */
+    l4Endpoint: {
+      ...{
+        entity: l4EndpointEntity,
+        required: false
+      },
+      description: `The L4 endpoint of the identity.
+
+ Will take priority over all calculated endpoints if provided.`
+    },
+    /**
+     * The DNS providers to register the FQDN of the identity with.
+     *
+     * @schema
+     */
+    dnsProviders: {
+      ...{
+        entity: providerEntity,
+        required: false,
+        multiple: true
+      },
+      description: `The DNS providers to register the FQDN of the identity with.`
     }
   },
   outputs: {
     identity: identityEntity,
-    peer: peerEntity
+    peer: peerEntity,
+    l4Endpoint: {
+      entity: l4EndpointEntity,
+      required: false
+    }
   },
   meta: {
     description: "The WireGuard identity with the public key.",
@@ -2100,13 +2285,20 @@ __export(k3s_exports, {
   cluster: () => cluster2
 });
 import { defineUnit as defineUnit21 } from "@highstate/contract";
+import { Type as Type21 } from "@sinclair/typebox";
 var cluster2 = defineUnit21({
   type: "k3s.cluster",
   args: {
-    ...sharedClusterArgs
+    ...sharedClusterArgs,
+    config: Type21.Optional(Type21.Record(Type21.String(), Type21.Any()))
   },
   inputs: {
-    server: serverEntity
+    server: serverEntity,
+    dnsProviders: {
+      entity: providerEntity,
+      required: false,
+      multiple: true
+    }
   },
   outputs: {
     k8sCluster: clusterEntity2
@@ -2130,17 +2322,26 @@ __export(mullvad_exports, {
   endpointType: () => endpointType,
   peer: () => peer2
 });
-import { defineUnit as defineUnit22, Type as Type21 } from "@highstate/contract";
-var endpointType = Type21.Union([
-  Type21.Literal("fqdn"),
-  Type21.Literal("ipv4"),
-  Type21.Literal("ipv6")
+import { defineUnit as defineUnit22, Type as Type22 } from "@highstate/contract";
+var endpointType = Type22.Union([
+  Type22.Literal("fqdn"),
+  Type22.Literal("ipv4"),
+  Type22.Literal("ipv6")
 ]);
 var peer2 = defineUnit22({
   type: "mullvad.peer",
   args: {
-    hostname: Type21.Optional(Type21.String()),
-    endpointType: Type21.Optional({ ...endpointType, default: "fqdn" })
+    hostname: Type22.Optional(Type22.String()),
+    endpointType: Type22.Optional({ ...endpointType, default: "fqdn" }),
+    /**
+     * Whether to include Mullvad DNS servers in the peer configuration.
+     *
+     * @schema
+     */
+    includeDns: {
+      ...Type22.Default(Type22.Boolean(), true),
+      description: `Whether to include Mullvad DNS servers in the peer configuration.`
+    }
   },
   inputs: {
     /**
@@ -2154,7 +2355,8 @@ var peer2 = defineUnit22({
     }
   },
   outputs: {
-    peer: peerEntity
+    peer: peerEntity,
+    l4Endpoint: l4EndpointEntity
   },
   meta: {
     displayName: "Mullvad Peer",
@@ -2176,18 +2378,18 @@ __export(timeweb_exports, {
   connectionEntity: () => connectionEntity,
   virtualMachine: () => virtualMachine2
 });
-import { defineEntity as defineEntity12, defineUnit as defineUnit23, Type as Type22 } from "@highstate/contract";
+import { defineEntity as defineEntity12, defineUnit as defineUnit23, Type as Type23 } from "@highstate/contract";
 var connectionEntity = defineEntity12({
   type: "timeweb.connection",
-  schema: Type22.Object({
-    name: Type22.String(),
-    apiToken: Type22.String()
+  schema: Type23.Object({
+    name: Type23.String(),
+    apiToken: Type23.String()
   })
 });
 var connection3 = defineUnit23({
   type: "timeweb.connection",
   secrets: {
-    apiToken: Type22.String()
+    apiToken: Type23.String()
   },
   outputs: {
     connection: connectionEntity
@@ -2205,9 +2407,9 @@ var connection3 = defineUnit23({
 var virtualMachine2 = defineUnit23({
   type: "timeweb.virtual-machine",
   args: {
-    presetId: Type22.Optional(Type22.Number()),
-    osId: Type22.Optional(Type22.Number()),
-    availabilityZone: Type22.String()
+    presetId: Type23.Optional(Type23.Number()),
+    osId: Type23.Optional(Type23.Number()),
+    availabilityZone: Type23.String()
   },
   inputs: {
     connection: connectionEntity,
@@ -2217,7 +2419,7 @@ var virtualMachine2 = defineUnit23({
     }
   },
   secrets: {
-    sshPrivateKey: Type22.Optional(Type22.String())
+    sshPrivateKey: Type23.Optional(Type23.String())
   },
   outputs: {
     server: serverEntity
@@ -2244,11 +2446,11 @@ __export(nixos_exports, {
   remoteFlake: () => remoteFlake,
   system: () => system
 });
-import { defineEntity as defineEntity13, defineUnit as defineUnit24, Type as Type23 } from "@highstate/contract";
+import { defineEntity as defineEntity13, defineUnit as defineUnit24, Type as Type24 } from "@highstate/contract";
 var inlineModuleEntity = defineEntity13({
   type: "nixos.inline-module",
-  schema: Type23.Object({
-    code: Type23.String()
+  schema: Type24.Object({
+    code: Type24.String()
   }),
   meta: {
     displayName: "NixOS Inline Module",
@@ -2259,7 +2461,7 @@ var inlineModuleEntity = defineEntity13({
 var inlineModule = defineUnit24({
   type: "nixos.inline-module",
   args: {
-    code: Type23.String({ language: "nix" })
+    code: Type24.String({ language: "nix" })
   },
   inputs: {
     files: {
@@ -2285,8 +2487,8 @@ var inlineModule = defineUnit24({
 });
 var flakeEntity = defineEntity13({
   type: "nixos.flake",
-  schema: Type23.Object({
-    url: Type23.String()
+  schema: Type24.Object({
+    url: Type24.String()
   }),
   meta: {
     displayName: "NixOS Flake",
@@ -2297,7 +2499,7 @@ var flakeEntity = defineEntity13({
 var remoteFlake = defineUnit24({
   type: "nixos.remote-flake",
   args: {
-    url: Type23.String()
+    url: Type24.String()
   },
   outputs: {
     flake: flakeEntity
@@ -2318,7 +2520,7 @@ var remoteFlake = defineUnit24({
 var inlineFlake = defineUnit24({
   type: "nixos.inline-flake",
   args: {
-    code: Type23.String({ language: "nix" })
+    code: Type24.String({ language: "nix" })
   },
   inputs: {
     flakes: {
@@ -2355,7 +2557,7 @@ var inlineFlake = defineUnit24({
 var system = defineUnit24({
   type: "nixos.system",
   args: {
-    system: Type23.Optional(Type23.String())
+    system: Type24.Optional(Type24.String())
   },
   inputs: {
     flake: flakeEntity,
@@ -2387,11 +2589,11 @@ var sops_exports = {};
 __export(sops_exports, {
   secrets: () => secrets
 });
-import { defineUnit as defineUnit25, Type as Type24 } from "@highstate/contract";
+import { defineUnit as defineUnit25, Type as Type25 } from "@highstate/contract";
 var secrets = defineUnit25({
   type: "sops.secrets",
   args: {
-    secrets: Type24.Record(Type24.String(), Type24.Any())
+    secrets: Type25.Record(Type25.String(), Type25.Any())
   },
   inputs: {
     servers: {
@@ -2413,6 +2615,152 @@ var secrets = defineUnit25({
     path: "secrets"
   }
 });
+
+// src/obfuscators/index.ts
+var obfuscators_exports = {};
+__export(obfuscators_exports, {
+  phantun: () => phantun_exports
+});
+
+// src/obfuscators/phantun.ts
+var phantun_exports = {};
+__export(phantun_exports, {
+  deobfuscator: () => deobfuscator,
+  obfuscator: () => obfuscator
+});
+import { defineUnit as defineUnit26 } from "@highstate/contract";
+
+// src/obfuscators/shared.ts
+import { Type as Type26 } from "@sinclair/typebox";
+var deobfuscatorSpec = {
+  args: {
+    /**
+     * The L4 endpoint to forward deobfuscated traffic to.
+     *
+     * Will take precedence over the `targetEndpoint` input.
+     *
+     * @schema
+     */
+    targetEndpoint: {
+      ...Type26.Optional(Type26.String()),
+      description: `The L4 endpoint to forward deobfuscated traffic to.
+
+ Will take precedence over the \`targetEndpoint\` input.`
+    }
+  },
+  inputs: {
+    /**
+     * The Kubernetes cluster to deploy the deobfuscator on.
+     *
+     * @schema
+     */
+    k8sCluster: {
+      ...clusterEntity2,
+      description: `The Kubernetes cluster to deploy the deobfuscator on.`
+    },
+    /**
+     * The L4 endpoint to forward deobfuscated traffic to.
+     *
+     * @schema
+     */
+    targetEndpoint: {
+      ...l4EndpointEntity,
+      description: `The L4 endpoint to forward deobfuscated traffic to.`
+    }
+  },
+  outputs: {
+    /**
+     * The L4 endpoint of the deobfuscator accepting obfuscated traffic.
+     *
+     * @schema
+     */
+    endpoint: {
+      ...l4EndpointEntity,
+      description: `The L4 endpoint of the deobfuscator accepting obfuscated traffic.`
+    }
+  }
+};
+var obfuscatorSpec = {
+  args: {
+    /**
+     * The endpoint of the deobfuscator to pass obfuscated traffic to.
+     *
+     * Will take precedence over the `l4Endpoint` input.
+     *
+     * @schema
+     */
+    endpoint: {
+      ...Type26.Optional(Type26.String()),
+      description: `The endpoint of the deobfuscator to pass obfuscated traffic to.
+
+ Will take precedence over the \`l4Endpoint\` input.`
+    }
+  },
+  inputs: {
+    /**
+     * The Kubernetes cluster to deploy the obfuscator on.
+     *
+     * @schema
+     */
+    k8sCluster: {
+      ...clusterEntity2,
+      description: `The Kubernetes cluster to deploy the obfuscator on.`
+    },
+    /**
+     * The L4 endpoint of the deobfuscator to pass obfuscated traffic to.
+     *
+     * @schema
+     */
+    endpoint: {
+      ...{
+        entity: l4EndpointEntity,
+        required: false
+      },
+      description: `The L4 endpoint of the deobfuscator to pass obfuscated traffic to.`
+    }
+  },
+  outputs: {
+    /**
+     * The L4 endpoint accepting unobfuscated traffic.
+     *
+     * @schema
+     */
+    entryEndpoint: {
+      ...l4EndpointEntity,
+      description: `The L4 endpoint accepting unobfuscated traffic.`
+    }
+  }
+};
+
+// src/obfuscators/phantun.ts
+var deobfuscator = defineUnit26({
+  type: "obfuscators.phantun.deobfuscator",
+  ...deobfuscatorSpec,
+  meta: {
+    displayName: "Phantun Deobfuscator",
+    description: "The Phantun Deobfuscator deployed on Kubernetes.",
+    primaryIcon: "mdi:network-outline",
+    secondaryIcon: "mdi:hide"
+  },
+  source: {
+    package: "@highstate/obfuscators",
+    path: "phantun/deobfuscator"
+  }
+});
+var obfuscator = defineUnit26({
+  type: "obfuscators.phantun.obfuscator",
+  ...obfuscatorSpec,
+  meta: {
+    displayName: "Phantun Obfuscator",
+    description: "The Phantun Obfuscator deployed on Kubernetes.",
+    primaryIcon: "mdi:network-outline",
+    secondaryIcon: "mdi:hide"
+  },
+  source: {
+    package: "@highstate/obfuscators",
+    path: "phantun/obfuscator"
+  }
+});
 export {
   apps_exports as apps,
   cloudflare_exports as cloudflare,
@@ -2422,6 +2770,7 @@ export {
   k8s_exports as k8s,
   mullvad_exports as mullvad,
   nixos_exports as nixos,
+  obfuscators_exports as obfuscators,
   proxmox_exports as proxmox,
   restic_exports as restic,
   sops_exports as sops,