@highstate/library 0.8.0 → 0.9.1

package/dist/highstate.manifest.json

@@ -1,5 +1,5 @@
 {
   "sourceHashes": {
-    "./dist/index.js": "87b93b45d5c7ee264151628635db26d22961524bc86f599c8bfb9655f27980e9"
+    "./dist/index.js": "1ab143e511c4a91fc067388c4cdcde7726707de91dcb701b1f064047eef6dd8e"
   }
 }

package/dist/index.js

@@ -7,11 +7,12 @@ var __export = (target, all) => {
 // src/common.ts
 var common_exports = {};
 __export(common_exports, {
-  endpointEntity: () => endpointEntity,
   existingServer: () => existingServer,
   fileContentEntity: () => fileContentEntity,
   fileEntity: () => fileEntity,
   fileMetaEntity: () => fileMetaEntity,
+  l3EndpointEntity: () => l3EndpointEntity,
+  l4EndpointEntity: () => l4EndpointEntity,
   script: () => script,
   serverEntity: () => serverEntity
 });
@@ -84,14 +85,25 @@ var serverEntity = defineEntity2({
     color: "#009688"
   }
 });
-var endpointEntity = defineEntity2({
-  type: "common.endpoint",
+var l3EndpointEntity = defineEntity2({
+  type: "common.l3-endpoint",
   schema: Type2.Object({
     endpoint: Type2.String()
   }),
   meta: {
-    color: "#FFC107",
-    description: "The L3-L4 endpoint for some network service."
+    color: "#1B5E20",
+    description: "The L3 endpoint for some service. May be a domain name or an IP address."
+  }
+});
+var l4EndpointEntity = defineEntity2({
+  type: "common.l4-endpoint",
+  schema: Type2.Object({
+    endpoint: Type2.String(),
+    port: Type2.Number()
+  }),
+  meta: {
+    color: "#F57F17",
+    description: "The L4 endpoint for some service. Extends an L3 endpoint with a port."
   }
 });
 var existingServer = defineUnit2({
@@ -373,9 +385,11 @@ __export(k8s_exports, {
   serviceTypeSchema: () => serviceTypeSchema,
   sharedClusterArgs: () => sharedClusterArgs,
   statefulSetEntity: () => statefulSetEntity,
-  tlsIssuerEntity: () => tlsIssuerEntity
+  tlsIssuerEntity: () => tlsIssuerEntity,
+  tunDevicePolicySchema: () => tunDevicePolicySchema
 });
 import { defineEntity as defineEntity5, defineUnit as defineUnit5, Type as Type5 } from "@highstate/contract";
+import { Literal } from "@sinclair/typebox";
 
 // src/dns.ts
 var dns_exports = {};
@@ -420,6 +434,16 @@ var record = defineUnit4({
 });
 
 // src/k8s.ts
+var tunDevicePolicySchema = Type5.Union([
+  Type5.Object({
+    type: Literal("host")
+  }),
+  Type5.Object({
+    type: Literal("plugin"),
+    resourceName: Type5.String(),
+    resourceValue: Type5.String()
+  })
+]);
 var clusterInfoSchema = Type5.Object({
   id: Type5.String(),
   name: Type5.String(),
@@ -427,7 +451,15 @@ var clusterInfoSchema = Type5.Object({
   externalIps: Type5.Array(Type5.String()),
   fqdn: Type5.Optional(Type5.String()),
   kubeApiServerIp: Type5.Optional(Type5.String()),
-  kubeApiServerPort: Type5.Optional(Type5.Number())
+  kubeApiServerPort: Type5.Optional(Type5.Number()),
+  /**
+   * Specifies the policy for using the tun device inside containers.
+   *
+   * If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
+   *
+   * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
+   */
+  tunDevicePolicy: Type5.Optional(tunDevicePolicySchema)
 });
 var serviceTypeSchema = Type5.StringEnum(["NodePort", "LoadBalancer", "ClusterIP"]);
 var metadataSchema = Type5.Object({
@@ -534,7 +566,24 @@ var sharedClusterArgs = {
 var existingCluster = defineUnit5({
   type: "k8s.existing-cluster",
   args: {
-    ...sharedClusterArgs
+    ...sharedClusterArgs,
+    /**
+     * The policy for using the tun device inside containers.
+     *
+     * If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
+     *
+     * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
+     *
+     * @schema
+     */
+    tunDevicePolicy: {
+      ...Type5.Optional(tunDevicePolicySchema),
+      description: `The policy for using the tun device inside containers.
+
+ If not provided, the default policy is \`host\` which assumes just mounting /dev/net/tun from the host.
+
+ For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.`
+    }
   },
   secrets: {
     /**
@@ -788,20 +837,41 @@ var cluster = defineUnit6({
      * Allow scheduling workloads on the master nodes.
      *
      * By default, "true" if no worker nodes are provided.
+     *
+     * @schema
      */
-    scheduleOnMasters: Type6.Boolean(),
+    scheduleOnMasters: {
+      ...Type6.Boolean(),
+      description: `Allow scheduling workloads on the master nodes.
+
+ By default, "true" if no worker nodes are provided.`
+    },
     /**
      * The endpoint of the cluster.
      *
      * By default, the first master node's endpoint is used.
+     *
+     * @schema
      */
-    endpoint: Type6.Optional(Type6.String()),
+    endpoint: {
+      ...Type6.Optional(Type6.String()),
+      description: `The endpoint of the cluster.
+
+ By default, the first master node's endpoint is used.`
+    },
     /**
      * The name of the cluster.
      *
      * By default, the name of the instance is used.
+     *
+     * @schema
      */
-    clusterName: Type6.Optional(Type6.String()),
+    clusterName: {
+      ...Type6.Optional(Type6.String()),
+      description: `The name of the cluster.
+
+ By default, the name of the instance is used.`
+    },
     /**
      * The CNI plugin to use.
      *
@@ -811,31 +881,70 @@ var cluster = defineUnit6({
      * - "none" (disable CNI, must be installed manually)
      *
      * The "cilium" CNI plugin is recommended to cover advanced network policies like FQDNs.
+     *
+     * @schema
      */
-    cni: { ...cniSchema, default: "cilium" },
+    cni: {
+      ...Type6.Default(cniSchema, "cilium"),
+      description: `The CNI plugin to use.
+
+ The following options are available:
+ - "cilium" (default)
+ - "flannel" (built-in in Talos)
+ - "none" (disable CNI, must be installed manually)
+
+ The "cilium" CNI plugin is recommended to cover advanced network policies like FQDNs.`
+    },
     /**
      * The CSI plugin to use.
      *
      * The following options are available:
      * - "local-path-provisioner" (default)
      * - "none" (disable CSI, must be installed manually if needed)
+     *
+     * @schema
      */
-    csi: { ...csiSchema, default: "local-path-provisioner" },
+    csi: {
+      ...Type6.Default(csiSchema, "local-path-provisioner"),
+      description: `The CSI plugin to use.
+
+ The following options are available:
+ - "local-path-provisioner" (default)
+ - "none" (disable CSI, must be installed manually if needed)`
+    },
     /**
      * The shared configuration patch.
      * It will be applied to all nodes.
+     *
+     * @schema
      */
-    sharedConfigPatch: Type6.Optional(Type6.Record(Type6.String(), Type6.Any())),
+    sharedConfigPatch: {
+      ...Type6.Optional(Type6.Record(Type6.String(), Type6.Any())),
+      description: `The shared configuration patch.
+ It will be applied to all nodes.`
+    },
     /**
      * The master configuration patch.
      * It will be applied to all master nodes.
+     *
+     * @schema
      */
-    masterConfigPatch: Type6.Optional(Type6.Record(Type6.String(), Type6.Any())),
+    masterConfigPatch: {
+      ...Type6.Optional(Type6.Record(Type6.String(), Type6.Any())),
+      description: `The master configuration patch.
+ It will be applied to all master nodes.`
+    },
     /**
      * The worker configuration patch.
      * It will be applied to all worker nodes.
+     *
+     * @schema
      */
-    workerConfigPatch: Type6.Optional(Type6.Record(Type6.String(), Type6.Any()))
+    workerConfigPatch: {
+      ...Type6.Optional(Type6.Record(Type6.String(), Type6.Any())),
+      description: `The worker configuration patch.
+ It will be applied to all worker nodes.`
+    }
   },
   inputs: {
     masters: {
@@ -954,7 +1063,7 @@ var network = defineUnit7({
      * @schema
      */
     backend: {
-      ...backendSchema,
+      ...Type7.Default(backendSchema, "wireguard"),
       description: `The backend to use for the WireGuard network.
 
  Possible values are:
@@ -1216,7 +1325,7 @@ var peer = defineUnit7({
      * @schema
      */
     publicKey: {
-      ...Type7.String(),
+      ...Type7.Optional(Type7.String()),
       description: `The public key of the WireGuard peer.`
     }
   },
@@ -1236,6 +1345,34 @@ var peer = defineUnit7({
       description: `The network to use for the WireGuard peer.
 
  If not provided, the peer will use default network configuration.`
+    },
+    /**
+     * The existing WireGuard peer to extend.
+     *
+     * @schema
+     */
+    peer: {
+      ...{
+        entity: peerEntity,
+        required: false
+      },
+      description: `The existing WireGuard peer to extend.`
+    },
+    /**
+     * The L4 endpoint of the peer.
+     *
+     * Will take priority over all calculated endpoints if provided.
+     *
+     * @schema
+     */
+    l4Endpoint: {
+      ...{
+        entity: l4EndpointEntity,
+        required: false
+      },
+      description: `The L4 endpoint of the peer.
+
+ Will take priority over all calculated endpoints if provided.`
     }
   },
   outputs: {
@@ -1289,6 +1426,8 @@ var identity = defineUnit7({
      *
      * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
      *
+     * Will take priority over all calculated endpoints and `l4Endpoint` input.
+     *
      * @schema
      */
     endpoint: {
@@ -1297,7 +1436,9 @@ var identity = defineUnit7({
 
  By default, the endpoint is calculated as \`externalIp:listenPort\`.
 
- If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.`
+ If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
+
+ Will take priority over all calculated endpoints and \`l4Endpoint\` input.`
     },
     /**
      * The FQDN of the WireGuard identity.
@@ -1317,7 +1458,7 @@ var identity = defineUnit7({
  the FQDN will be registered with the DNS provider.`
     },
     /**
-     * Whether to register the FQDN of the identity with the DNS provider.
+     * Whether to register the FQDN of the identity with the matching DNS providers.
      *
      * By default, `true`.
      *
@@ -1325,7 +1466,7 @@ var identity = defineUnit7({
      */
     registerFqdn: {
       ...Type7.Default(Type7.Boolean(), true),
-      description: `Whether to register the FQDN of the identity with the DNS provider.
+      description: `Whether to register the FQDN of the identity with the matching DNS providers.
 
  By default, \`true\`.`
     }
@@ -1396,19 +1537,55 @@ var identity = defineUnit7({
      * The Kubernetes cluster associated with the identity.
      *
      * If provided, will be used to obtain the external IP or FQDN of the identity.
+     *
+     * @schema
      */
     k8sCluster: {
-      entity: clusterEntity2,
-      required: false
+      ...{
+        entity: clusterEntity2,
+        required: false
+      },
+      description: `The Kubernetes cluster associated with the identity.
+
+ If provided, will be used to obtain the external IP or FQDN of the identity.`
     },
-    dnsProvider: {
-      entity: providerEntity,
-      required: false
+    /**
+     * The L4 endpoint of the identity.
+     *
+     * Will take priority over all calculated endpoints if provided.
+     *
+     * @schema
+     */
+    l4Endpoint: {
+      ...{
+        entity: l4EndpointEntity,
+        required: false
+      },
+      description: `The L4 endpoint of the identity.
+
+ Will take priority over all calculated endpoints if provided.`
+    },
+    /**
+     * The DNS providers to register the FQDN of the identity with.
+     *
+     * @schema
+     */
+    dnsProviders: {
+      ...{
+        entity: providerEntity,
+        required: false,
+        multiple: true
+      },
+      description: `The DNS providers to register the FQDN of the identity with.`
     }
   },
   outputs: {
     identity: identityEntity,
-    peer: peerEntity
+    peer: peerEntity,
+    l4Endpoint: {
+      entity: l4EndpointEntity,
+      required: false
+    }
   },
   meta: {
     description: "The WireGuard identity with the public key.",
@@ -2215,7 +2392,16 @@ var peer2 = defineUnit22({
   type: "mullvad.peer",
   args: {
     hostname: Type22.Optional(Type22.String()),
-    endpointType: Type22.Optional({ ...endpointType, default: "fqdn" })
+    endpointType: Type22.Optional({ ...endpointType, default: "fqdn" }),
+    /**
+     * Whether to include Mullvad DNS servers in the peer configuration.
+     *
+     * @schema
+     */
+    includeDns: {
+      ...Type22.Default(Type22.Boolean(), true),
+      description: `Whether to include Mullvad DNS servers in the peer configuration.`
+    }
   },
   inputs: {
     /**
@@ -2229,7 +2415,8 @@ var peer2 = defineUnit22({
     }
   },
   outputs: {
-    peer: peerEntity
+    peer: peerEntity,
+    l4Endpoint: l4EndpointEntity
   },
   meta: {
     displayName: "Mullvad Peer",
@@ -2488,6 +2675,152 @@ var secrets = defineUnit25({
     path: "secrets"
   }
 });
+
+// src/obfuscators/index.ts
+var obfuscators_exports = {};
+__export(obfuscators_exports, {
+  phantun: () => phantun_exports
+});
+
+// src/obfuscators/phantun.ts
+var phantun_exports = {};
+__export(phantun_exports, {
+  deobfuscator: () => deobfuscator,
+  obfuscator: () => obfuscator
+});
+import { defineUnit as defineUnit26 } from "@highstate/contract";
+
+// src/obfuscators/shared.ts
+import { Type as Type26 } from "@sinclair/typebox";
+var deobfuscatorSpec = {
+  args: {
+    /**
+     * The L4 endpoint to forward deobfuscated traffic to.
+     *
+     * Will take precedence over the `targetEndpoint` input.
+     *
+     * @schema
+     */
+    targetEndpoint: {
+      ...Type26.Optional(Type26.String()),
+      description: `The L4 endpoint to forward deobfuscated traffic to.
+
+ Will take precedence over the \`targetEndpoint\` input.`
+    }
+  },
+  inputs: {
+    /**
+     * The Kubernetes cluster to deploy the deobfuscator on.
+     *
+     * @schema
+     */
+    k8sCluster: {
+      ...clusterEntity2,
+      description: `The Kubernetes cluster to deploy the deobfuscator on.`
+    },
+    /**
+     * The L4 endpoint to forward deobfuscated traffic to.
+     *
+     * @schema
+     */
+    targetEndpoint: {
+      ...l4EndpointEntity,
+      description: `The L4 endpoint to forward deobfuscated traffic to.`
+    }
+  },
+  outputs: {
+    /**
+     * The L4 endpoint of the deobfuscator accepting obfuscated traffic.
+     *
+     * @schema
+     */
+    endpoint: {
+      ...l4EndpointEntity,
+      description: `The L4 endpoint of the deobfuscator accepting obfuscated traffic.`
+    }
+  }
+};
+var obfuscatorSpec = {
+  args: {
+    /**
+     * The endpoint of the deobfuscator to pass obfuscated traffic to.
+     *
+     * Will take precedence over the `l4Endpoint` input.
+     *
+     * @schema
+     */
+    endpoint: {
+      ...Type26.Optional(Type26.String()),
+      description: `The endpoint of the deobfuscator to pass obfuscated traffic to.
+
+ Will take precedence over the \`l4Endpoint\` input.`
+    }
+  },
+  inputs: {
+    /**
+     * The Kubernetes cluster to deploy the obfuscator on.
+     *
+     * @schema
+     */
+    k8sCluster: {
+      ...clusterEntity2,
+      description: `The Kubernetes cluster to deploy the obfuscator on.`
+    },
+    /**
+     * The L4 endpoint of the deobfuscator to pass obfuscated traffic to.
+     *
+     * @schema
+     */
+    endpoint: {
+      ...{
+        entity: l4EndpointEntity,
+        required: false
+      },
+      description: `The L4 endpoint of the deobfuscator to pass obfuscated traffic to.`
+    }
+  },
+  outputs: {
+    /**
+     * The L4 endpoint accepting unobfuscated traffic.
+     *
+     * @schema
+     */
+    entryEndpoint: {
+      ...l4EndpointEntity,
+      description: `The L4 endpoint accepting unobfuscated traffic.`
+    }
+  }
+};
+
+// src/obfuscators/phantun.ts
+var deobfuscator = defineUnit26({
+  type: "obfuscators.phantun.deobfuscator",
+  ...deobfuscatorSpec,
+  meta: {
+    displayName: "Phantun Deobfuscator",
+    description: "The Phantun Deobfuscator deployed on Kubernetes.",
+    primaryIcon: "mdi:network-outline",
+    secondaryIcon: "mdi:hide"
+  },
+  source: {
+    package: "@highstate/obfuscators",
+    path: "phantun/deobfuscator"
+  }
+});
+var obfuscator = defineUnit26({
+  type: "obfuscators.phantun.obfuscator",
+  ...obfuscatorSpec,
+  meta: {
+    displayName: "Phantun Obfuscator",
+    description: "The Phantun Obfuscator deployed on Kubernetes.",
+    primaryIcon: "mdi:network-outline",
+    secondaryIcon: "mdi:hide"
+  },
+  source: {
+    package: "@highstate/obfuscators",
+    path: "phantun/obfuscator"
+  }
+});
 export {
   apps_exports as apps,
   cloudflare_exports as cloudflare,
@@ -2497,6 +2830,7 @@ export {
   k8s_exports as k8s,
   mullvad_exports as mullvad,
   nixos_exports as nixos,
+  obfuscators_exports as obfuscators,
   proxmox_exports as proxmox,
   restic_exports as restic,
   sops_exports as sops,