@highstate/library 0.8.0 → 0.9.1
- package/dist/highstate.manifest.json +1 -1
- package/dist/index.js +363 -29
- package/dist/index.js.map +1 -1
- package/package.json +4 -4
- package/src/common.ts +20 -5
- package/src/index.ts +1 -1
- package/src/k8s.ts +32 -0
- package/src/mullvad.ts +9 -0
- package/src/obfuscators/index.ts +1 -0
- package/src/obfuscators/phantun.ts +36 -0
- package/src/obfuscators/shared.ts +82 -0
- package/src/talos.ts +18 -2
- package/src/wireguard.ts +54 -4
- package/src/xt-wgobfs.ts +0 -49
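--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@highstate/library",
-"version": "0.
+"version": "0.9.1",
 "type": "module",
 "files": [
 "dist",
@@ -19,12 +19,12 @@
 "build": "highstate build --library"
 },
 "dependencies": {
-"@highstate/contract": "^0.
+"@highstate/contract": "^0.9.1",
 "@sinclair/typebox": "^0.34.11",
 "remeda": "^2.21.0"
 },
 "devDependencies": {
-"@highstate/cli": "^0.
+"@highstate/cli": "^0.9.1"
 },
-"gitHead": "
+"gitHead": "2f9fdd9542fbdd11d4337fb59ac4f5728535fa0c"
 }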
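--- a/package/src/common.ts
+++ b/package/src/common.ts
@@ -15,16 +15,30 @@ export const serverEntity = defineEntity({
 },
 })
 
-export const
-type: "common.endpoint",
+export const l3EndpointEntity = defineEntity({
+type: "common.l3-endpoint",
 
 schema: Type.Object({
 endpoint: Type.String(),
 }),
 
 meta: {
-color: "#
-description: "The L3
+color: "#1B5E20",
+description: "The L3 endpoint for some service. May be a domain name or an IP address.",
+},
+})
+
+export const l4EndpointEntity = defineEntity({
+type: "common.l4-endpoint",
+
+schema: Type.Object({
+endpoint: Type.String(),
+port: Type.Number(),
+}),
+
+meta: {
+color: "#F57F17",
+description: "The L4 endpoint for some service. Extends an L3 endpoint with a port.",
 },
 })
 
@@ -145,7 +159,8 @@ export const fileEntity = defineEntity({
 })
 
 export type Server = Static<typeof serverEntity.schema>
-export type
+export type L3Endpoint = Static<typeof l3EndpointEntity.schema>
+export type L4Endpoint = Static<typeof l4EndpointEntity.schema>
 
 export type File = Static<typeof fileEntity.schema>
 export type FileMeta = Static<typeof fileMetaEntity.schema>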
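--- a/package/src/index.ts
+++ b/package/src/index.ts
@@ -7,10 +7,10 @@ export * as wireguard from "./wireguard"
 export * as apps from "./apps"
 export * as cloudflare from "./cloudflare"
 export * as k3s from "./k3s"
-// export * as xtWgobfs from "./xt-wgobfs"
 export * as restic from "./restic"
 export * as mullvad from "./mullvad"
 export * as dns from "./dns"
 export * as timeweb from "./timeweb"
 export * as nixos from "./nixos"
 export * as sops from "./sops"
+export * as obfuscators from "./obfuscators"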
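--- a/package/src/k8s.ts
+++ b/package/src/k8s.ts
@@ -1,6 +1,18 @@
 import { defineEntity, defineUnit, Type, type Static } from "@highstate/contract"
+import { Literal } from "@sinclair/typebox"
 import { providerEntity } from "./dns"
 
+export const tunDevicePolicySchema = Type.Union([
+Type.Object({
+type: Literal("host"),
+}),
+Type.Object({
+type: Literal("plugin"),
+resourceName: Type.String(),
+resourceValue: Type.String(),
+}),
+])
+
 export const clusterInfoSchema = Type.Object({
 id: Type.String(),
 name: Type.String(),
@@ -9,6 +21,15 @@ export const clusterInfoSchema = Type.Object({
 fqdn: Type.Optional(Type.String()),
 kubeApiServerIp: Type.Optional(Type.String()),
 kubeApiServerPort: Type.Optional(Type.Number()),
+
+/**
+* Specifies the policy for using the tun device inside containers.
+*
+* If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
+*
+* For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
+*/
+tunDevicePolicy: Type.Optional(tunDevicePolicySchema),
 })
 
 export const serviceTypeSchema = Type.StringEnum(["NodePort", "LoadBalancer", "ClusterIP"])
@@ -111,6 +132,17 @@ export const existingCluster = defineUnit({
 
 args: {
 ...sharedClusterArgs,
+
+/**
+* The policy for using the tun device inside containers.
+*
+* If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
+*
+* For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
+*
+* @schema
+*/
+tunDevicePolicy: Type.Optional(tunDevicePolicySchema),
 },
 
 secrets: {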
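--- a/package/src/mullvad.ts
+++ b/package/src/mullvad.ts
@@ -1,5 +1,6 @@
 import { defineUnit, Type } from "@highstate/contract"
 import { networkEntity, peerEntity } from "./wireguard"
+import { l4EndpointEntity } from "./common"
 
 export const endpointType = Type.Union([
 Type.Literal("fqdn"),
@@ -13,6 +14,13 @@ export const peer = defineUnit({
 args: {
 hostname: Type.Optional(Type.String()),
 endpointType: Type.Optional({ ...endpointType, default: "fqdn" }),
+
+/**
+* Whether to include Mullvad DNS servers in the peer configuration.
+*
+* @schema
+*/
+includeDns: Type.Default(Type.Boolean(), true),
 },
 
 inputs: {
@@ -29,6 +37,7 @@ export const peer = defineUnit({
 
 outputs: {
 peer: peerEntity,
+l4Endpoint: l4EndpointEntity,
 },
 
 meta: {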
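--- /dev/null
+++ b/package/src/obfuscators/index.ts
@@ -0,0 +1 @@
+export * as phantun from "./phantun"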
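--- /dev/null
+++ b/package/src/obfuscators/phantun.ts
@@ -0,0 +1,36 @@
+import { defineUnit } from "@highstate/contract"
+import { deobfuscatorSpec, obfuscatorSpec } from "./shared"
+
+export const deobfuscator = defineUnit({
+type: "obfuscators.phantun.deobfuscator",
+...deobfuscatorSpec,
+
+meta: {
+displayName: "Phantun Deobfuscator",
+description: "The Phantun Deobfuscator deployed on Kubernetes.",
+primaryIcon: "mdi:network-outline",
+secondaryIcon: "mdi:hide",
+},
+
+source: {
+package: "@highstate/obfuscators",
+path: "phantun/deobfuscator",
+},
+})
+
+export const obfuscator = defineUnit({
+type: "obfuscators.phantun.obfuscator",
+...obfuscatorSpec,
+
+meta: {
+displayName: "Phantun Obfuscator",
+description: "The Phantun Obfuscator deployed on Kubernetes.",
+primaryIcon: "mdi:network-outline",
+secondaryIcon: "mdi:hide",
+},
+
+source: {
+package: "@highstate/obfuscators",
+path: "phantun/obfuscator",
+},
+})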
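Review bot: The `description` of both units presents Phantun only as "deployed on Kubernetes" and says nothing about what it does and does not protect; as I understand Phantun it makes UDP traffic look like a TCP stream and adds no confidentiality or peer authentication, so the deobfuscator's listening endpoint is effectively a public relay to `targetEndpoint` and the inner WireGuard handshake remains the only security boundary. Users picking a unit tagged `secondaryIcon: "mdi:hide"` should see that stated, e.g. `description: "The Phantun Deobfuscator deployed on Kubernetes. Phantun only disguises UDP as TCP; it does not encrypt or authenticate, so the forwarded service must do so itself."` and the mirror sentence on the obfuscator. Please confirm the claim about Phantun against the implementation in `@highstate/obfuscators` before wording it as fact.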
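--- /dev/null
+++ b/package/src/obfuscators/shared.ts
@@ -0,0 +1,82 @@
+import { Type } from "@sinclair/typebox"
+import { clusterEntity } from "../k8s"
+import { l4EndpointEntity } from "../common"
+
+export const deobfuscatorSpec = {
+args: {
+/**
+* The L4 endpoint to forward deobfuscated traffic to.
+*
+* Will take precedence over the `targetEndpoint` input.
+*
+* @schema
+*/
+targetEndpoint: Type.Optional(Type.String()),
+},
+
+inputs: {
+/**
+* The Kubernetes cluster to deploy the deobfuscator on.
+*
+* @schema
+*/
+k8sCluster: clusterEntity,
+
+/**
+* The L4 endpoint to forward deobfuscated traffic to.
+*
+* @schema
+*/
+targetEndpoint: l4EndpointEntity,
+},
+
+outputs: {
+/**
+* The L4 endpoint of the deobfuscator accepting obfuscated traffic.
+*
+* @schema
+*/
+endpoint: l4EndpointEntity,
+},
+}
+
+export const obfuscatorSpec = {
+args: {
+/**
+* The endpoint of the deobfuscator to pass obfuscated traffic to.
+*
+* Will take precedence over the `l4Endpoint` input.
+*
+* @schema
+*/
+endpoint: Type.Optional(Type.String()),
+},
+
+inputs: {
+/**
+* The Kubernetes cluster to deploy the obfuscator on.
+*
+* @schema
+*/
+k8sCluster: clusterEntity,
+
+/**
+* The L4 endpoint of the deobfuscator to pass obfuscated traffic to.
+*
+* @schema
+*/
+endpoint: {
+entity: l4EndpointEntity,
+required: false,
+},
+},
+
+outputs: {
+/**
+* The L4 endpoint accepting unobfuscated traffic.
+*
+* @schema
+*/
+entryEndpoint: l4EndpointEntity,
+},
+}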
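Review bot: The comment on the `endpoint` arg of `obfuscatorSpec` says it "will take precedence over the `l4Endpoint` input", but the input defined below in the same object is named `endpoint`, so the comment points at a field that does not exist; change it to `* Will take precedence over the \`endpoint\` input.`. Because that arg is `Type.Optional` and the input is `required: false`, a unit with neither is schema-valid and the implementation (not in this diff) has to reject it at deploy time; the doc should say `* Either this argument or the \`endpoint\` input must be provided.` so the late failure is not a surprise. The string forms of `targetEndpoint` and `endpoint` also never state their expected format, presumably `host:port`, which matters for IPv6 literals; an `@example` line or a description on the `Type.String()` would settle it.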
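--- a/package/src/talos.ts
+++ b/package/src/talos.ts
@@ -26,6 +26,8 @@ export const cluster = defineUnit({
 * Allow scheduling workloads on the master nodes.
 *
 * By default, "true" if no worker nodes are provided.
+*
+* @schema
 */
 scheduleOnMasters: Type.Boolean(),
 
@@ -33,6 +35,8 @@ export const cluster = defineUnit({
 * The endpoint of the cluster.
 *
 * By default, the first master node's endpoint is used.
+*
+* @schema
 */
 endpoint: Type.Optional(Type.String()),
 
@@ -40,6 +44,8 @@ export const cluster = defineUnit({
 * The name of the cluster.
 *
 * By default, the name of the instance is used.
+*
+* @schema
 */
 clusterName: Type.Optional(Type.String()),
 
@@ -52,8 +58,10 @@ export const cluster = defineUnit({
 * - "none" (disable CNI, must be installed manually)
 *
 * The "cilium" CNI plugin is recommended to cover advanced network policies like FQDNs.
+*
+* @schema
 */
-cni:
+cni: Type.Default(cniSchema, "cilium"),
 
 /**
 * The CSI plugin to use.
@@ -61,24 +69,32 @@ export const cluster = defineUnit({
 * The following options are available:
 * - "local-path-provisioner" (default)
 * - "none" (disable CSI, must be installed manually if needed)
+*
+* @schema
 */
-csi:
+csi: Type.Default(csiSchema, "local-path-provisioner"),
 
 /**
 * The shared configuration patch.
 * It will be applied to all nodes.
+*
+* @schema
 */
 sharedConfigPatch: Type.Optional(Type.Record(Type.String(), Type.Any())),
 
 /**
 * The master configuration patch.
 * It will be applied to all master nodes.
+*
+* @schema
 */
 masterConfigPatch: Type.Optional(Type.Record(Type.String(), Type.Any())),
 
 /**
 * The worker configuration patch.
 * It will be applied to all worker nodes.
+*
+* @schema
 */
 workerConfigPatch: Type.Optional(Type.Record(Type.String(), Type.Any())),
 },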
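Review bot: `scheduleOnMasters: Type.Boolean()` is documented as defaulting to "true" if no worker nodes are provided, yet unlike `endpoint`, `clusterName`, `cni` and `csi` in the same `args` object it is neither `Type.Optional` nor `Type.Default`, so if a bare schema means a required arg (as the `Type.Default` conversions of `cni`/`csi` in this commit suggest) the documented conditional default can never apply; it should be `scheduleOnMasters: Type.Optional(Type.Boolean()),` with the default computed in the implementation. The enclosing `cluster` unit starts before the first hunk and ends after the last. Separately, the `*ConfigPatch` args are `Type.Record(Type.String(), Type.Any())` merged into Talos machine config, so a sentence on each noting that they are not validated here and can override any machine-config setting, including security-relevant ones, would help reviewers of stack definitions.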
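--- a/package/src/wireguard.ts
+++ b/package/src/wireguard.ts
@@ -8,6 +8,7 @@ import {
 statefulSetEntity,
 } from "./k8s"
 import { providerEntity } from "./dns"
+import { l4EndpointEntity } from "./common"
 
 export const backendSchema = Type.StringEnum(["wireguard", "amneziawg"])
 export const presharedKeyModeSchema = Type.StringEnum(["none", "global", "secure"])
@@ -101,7 +102,7 @@ export const network = defineUnit({
 *
 * @schema
 */
-backend: backendSchema,
+backend: Type.Default(backendSchema, "wireguard"),
 
 /**
 * The option which defines how to handle pre-shared keys between peers.
@@ -284,7 +285,7 @@ export const peer = defineUnit({
 *
 * @schema
 */
-publicKey: Type.String(),
+publicKey: Type.Optional(Type.String()),
 },
 
 inputs: {
@@ -299,6 +300,28 @@ export const peer = defineUnit({
 entity: networkEntity,
 required: false,
 },
+
+/**
+* The existing WireGuard peer to extend.
+*
+* @schema
+*/
+peer: {
+entity: peerEntity,
+required: false,
+},
+
+/**
+* The L4 endpoint of the peer.
+*
+* Will take priority over all calculated endpoints if provided.
+*
+* @schema
+*/
+l4Endpoint: {
+entity: l4EndpointEntity,
+required: false,
+},
 },
 
 outputs: {
@@ -349,6 +372,8 @@ export const identity = defineUnit({
 *
 * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
 *
+* Will take priority over all calculated endpoints and `l4Endpoint` input.
+*
 * @schema
 */
 endpoint: Type.Optional(Type.String()),
@@ -365,7 +390,7 @@ export const identity = defineUnit({
 fqdn: Type.Optional(Type.String()),
 
 /**
-* Whether to register the FQDN of the identity with the DNS
+* Whether to register the FQDN of the identity with the matching DNS providers.
 *
 * By default, `true`.
 *
@@ -424,21 +449,46 @@ export const identity = defineUnit({
 * The Kubernetes cluster associated with the identity.
 *
 * If provided, will be used to obtain the external IP or FQDN of the identity.
+*
+* @schema
 */
 k8sCluster: {
 entity: clusterEntity,
 required: false,
 },
 
-
+/**
+* The L4 endpoint of the identity.
+*
+* Will take priority over all calculated endpoints if provided.
+*
+* @schema
+*/
+l4Endpoint: {
+entity: l4EndpointEntity,
+required: false,
+},
+
+/**
+* The DNS providers to register the FQDN of the identity with.
+*
+* @schema
+*/
+dnsProviders: {
 entity: providerEntity,
 required: false,
+multiple: true,
 },
 },
 
 outputs: {
 identity: identityEntity,
 peer: peerEntity,
+
+l4Endpoint: {
+entity: l4EndpointEntity,
+required: false,
+},
 },
 
 meta: {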
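Review bot: Making `publicKey` on the `peer` unit `Type.Optional` (hunk at old line 287) makes a peer with no `publicKey` arg and no `peer` input schema-valid, and nothing in the schema ties the two together, so the implementation (outside this diff) must fail fast rather than emit a `[Peer]` entry without a key; that contract belongs in the comment, e.g. `* Required unless the \`peer\` input is provided, in which case the extended peer's key is reused.` (confirm that is what the implementation does). The `peer` input's own comment, "The existing WireGuard peer to extend", should also say which fields of the extended peer are inherited and which the unit's args override, since a silently replaced key or endpoint would be hard to spot in a stack. The `peer` unit's `l4Endpoint` input mirrors the `identity` one, but only `identity` documents that the `endpoint` string arg still wins over it; if `peer` has the same precedence rule, state it there too.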
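--- a/package/src/xt-wgobfs.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import { defineEntity, defineUnit, Type } from "@highstate/contract"
-import { endpointEntity } from "./common"
-
-export const channelEntity = defineEntity({
-type: "xt-wgobfs.target",
-
-schema: Type.Object({
-endpoint: Type.String(),
-}),
-})
-
-export const obfuscatorNode = defineUnit({
-type: "xt-wgobfs.obfuscator",
-
-outputs: {
-outerCircuit: endpointEntity,
-channel: channelEntity,
-},
-
-source: {
-package: "@highstate/xt-wgobfs",
-path: "target-node",
-},
-
-meta: {
-displayName: "xt-wgobfs Deobfuscator",
-},
-})
-
-export const deobfuscatorNode = defineUnit({
-type: "xt-wgobfs.deobfuscator",
-
-inputs: {
-channel: channelEntity,
-},
-
-outputs: {
-outerCircuit: endpointEntity,
-},
-
-source: {
-package: "@highstate/xt-wgobfs",
-path: "source-node",
-},
-
-meta: {
-displayName: "xt-wgobfs Obfuscator",
-},
-})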