@highstate/wireguard 0.4.3 → 0.4.5

package/dist/config/index.js

@@ -1,15 +1,45 @@
 import { wireguard } from '@highstate/library';
-import { forUnit } from '@highstate/pulumi';
-import { b as generateIdentityConfig } from '../shared-RypNC0-F.js';
+import { forUnit, output } from '@highstate/pulumi';
+import { b as generateIdentityConfig } from '../shared-BVOzbQ3O.js';
 import '@noble/curves/ed25519';
 
+function text(array, ...values) {
+  const str = array.reduce(
+    // eslint-disable-next-line @typescript-eslint/no-base-to-string
+    (result, part, i) => result + part + (values[i] ? String(values[i]) : ""),
+    ""
+  );
+  return trimIndentation(str);
+}
+function trimIndentation(text2) {
+  const lines = text2.split("\n");
+  const indent = lines.filter((line) => line.trim() !== "").map((line) => line.match(/^\s*/)?.[0].length ?? 0).reduce((min, indent2) => Math.min(min, indent2), Infinity);
+  return lines.map((line) => line.slice(indent)).join("\n").trim();
+}
+
 const { inputs, outputs } = forUnit(wireguard.config);
+const configContent = output(inputs).apply(({ identity, peers }) => {
+  return generateIdentityConfig(identity, peers);
+});
 var index = outputs({
-  $representation: {
-    showQRCode: true,
-    content: inputs.apply(({ identity, peers }) => {
-      return generateIdentityConfig(identity, peers);
-    })
+  $pages: {
+    index: {
+      title: "WireGuard Configuration",
+      content: [
+        {
+          type: "markdown",
+          content: text`
+            You can use this configuration to setup an external WireGuard device via \`wg-quick\` command.
+          `
+        },
+        {
+          type: "qr",
+          content: configContent,
+          showContent: true,
+          language: "ini"
+        }
+      ]
+    }
   }
 });
 

package/dist/identity/index.js

@@ -1,32 +1,50 @@
 import { wireguard } from '@highstate/library';
-import { forUnit, getOrCreateSecret } from '@highstate/pulumi';
-import { g as generateKey, a as generatePresharedKey, c as convertPrivateKeyToPublicKey } from '../shared-RypNC0-F.js';
+import { forUnit, getOrCreateSecret, toPromise } from '@highstate/pulumi';
+import { g as generateKey, a as generatePresharedKey, c as convertPrivateKeyToPublicKey } from '../shared-BVOzbQ3O.js';
 import '@noble/curves/ed25519';
 
 const { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity);
 const privateKey = getOrCreateSecret(secrets, "privateKey", generateKey);
 const presharedKeyPart = getOrCreateSecret(secrets, "presharedKeyPart", () => {
-  return inputs.network.apply((network) => {
-    return network?.presharedKeyMode === "secure" ? generatePresharedKey() : undefined;
+  return inputs.network?.apply((network) => {
+    return network?.presharedKeyMode === "secure" ? generatePresharedKey() : void 0;
   });
 });
+const allowedIps = await toPromise(addK8sServiceIps(args.allowedIps ?? [args.address]));
+const argsAllowedIpsString = args.allowedIps?.join(", ");
+const calculatedAllowedIpsString = allowedIps.join(", ");
+const calculatedEndpoint = args.externalIp && args.listenPort ? ` ${args.externalIp}:${args.listenPort}` : void 0;
 var index = outputs({
   identity: {
     name: args.peerName ?? name,
     network: inputs.network,
     address: args.address,
     privateKey,
-    presharedKeyPart
+    presharedKeyPart,
+    k8sServices: inputs.k8sServices,
+    exitNode: args.exitNode ?? false,
+    listenPort: args.listenPort,
+    externalIp: args.externalIp
   },
   peer: {
     name: args.peerName ?? name,
     network: inputs.network,
     address: args.address,
     publicKey: privateKey.apply(convertPrivateKeyToPublicKey),
-    allowedIps: args.allowedIps ?? [args.address],
-    endpoint: args.endpoint,
+    allowedIps,
+    endpoint: args.endpoint ?? calculatedEndpoint,
     presharedKeyPart
+  },
+  $status: {
+    allowedIps: calculatedAllowedIpsString !== argsAllowedIpsString ? calculatedAllowedIpsString : void 0,
+    endpoint: calculatedEndpoint !== args.endpoint ? calculatedEndpoint : void 0
   }
 });
+function addK8sServiceIps(allowedIps2) {
+  return inputs.k8sServices.apply((k8sServices) => {
+    const ips = k8sServices.map((service) => service.ip).filter((ip) => ip !== void 0);
+    return allowedIps2.concat(ips);
+  });
+}
 
 export { index as default };

package/dist/node/index.js

@@ -0,0 +1,135 @@
+import { createProvider, createNamespace, mapMetadata, Deployment, NetworkPolicy } from '@highstate/k8s';
+import { wireguard } from '@highstate/library';
+import { forUnit, toPromise, output } from '@highstate/pulumi';
+import { core } from '@pulumi/kubernetes';
+import { b as generateIdentityConfig } from '../shared-BVOzbQ3O.js';
+import '@noble/curves/ed25519';
+
+const { name, args, inputs } = forUnit(wireguard.node);
+const identity = await toPromise(inputs.identity);
+const appName = args.appName ?? `wg-${name}`;
+const containerPort = 51820;
+const serviceType = args.serviceType ?? "ClusterIP";
+const provider = await createProvider(inputs.k8sCluster);
+const namespace = createNamespace(appName, provider, {
+  metadata: {
+    labels: {
+      "pod-security.kubernetes.io/enforce": "privileged"
+    }
+  }
+});
+const configSecret = new core.v1.Secret(
+  appName,
+  {
+    metadata: mapMetadata({ name: appName, namespace }),
+    stringData: {
+      "wg0.conf": output(inputs).apply(({ identity: identity2, peers }) => {
+        return generateIdentityConfig(identity2, peers, containerPort, [
+          "iptables -t nat -A POSTROUTING -j MASQUERADE"
+        ]);
+      })
+    }
+  },
+  { provider }
+);
+const deployment = new Deployment(
+  appName,
+  {
+    namespace,
+    container: {
+      image: "linuxserver/wireguard:latest",
+      environment: {
+        PUID: "1000",
+        PGID: "1000",
+        TZ: "Etc/UTC"
+      },
+      securityContext: {
+        capabilities: {
+          add: ["NET_ADMIN"]
+        }
+      },
+      port: {
+        containerPort,
+        protocol: "UDP"
+      },
+      volume: configSecret,
+      volumeMount: {
+        volume: configSecret,
+        mountPath: "/config/wg_confs"
+      }
+    },
+    service: {
+      type: serviceType,
+      externalIPs: identity.externalIp ? [identity.externalIp] : void 0,
+      port: {
+        port: containerPort,
+        protocol: "UDP",
+        nodePort: serviceType === "NodePort" ? identity.listenPort : void 0
+      }
+    }
+  },
+  { provider }
+);
+NetworkPolicy.create(
+  "allow-wireguard-ingress",
+  {
+    cni: inputs.k8sCluster.cni,
+    namespace,
+    description: "Allow encapsulated WireGuard traffic to the node from anywhere.",
+    selector: deployment.deployment.spec.selector,
+    ingressRule: {
+      fromAll: true,
+      toPort: { port: containerPort, protocol: "UDP" }
+    }
+  },
+  { provider }
+);
+if (identity.exitNode) {
+  NetworkPolicy.create(
+    "allow-all-egress",
+    {
+      cni: inputs.k8sCluster.cni,
+      namespace,
+      description: "Allow all egress traffic from the WireGuard node.",
+      selector: deployment.deployment.spec.selector,
+      egressRule: {
+        toAll: true
+      }
+    },
+    { provider }
+  );
+}
+for (const service of identity.k8sServices) {
+  NetworkPolicy.create(
+    `allow-egress-to-${service.namespace}-${service.name}`,
+    {
+      cni: inputs.k8sCluster.cni,
+      namespace,
+      description: `Allow egress traffic from the WireGuard node to ${service.namespace}/${service.name}.`,
+      selector: deployment.deployment.spec.selector,
+      egressRules: [
+        {
+          toNamespace: service.namespace,
+          toSelector: service.selector
+        },
+        // for compatibility with Cilium which cannot correctly detect the destination endpoint when the packet is redirected by the WireGuard node
+        ...service.serviceType === "ClusterIP" && service.ip ? [{ toCidr: `${service.ip}/32` }] : []
+      ]
+    },
+    { provider }
+  );
+  NetworkPolicy.create(
+    `allow-ingress-from-${appName}-to-${service.name}`,
+    {
+      cni: inputs.k8sCluster.cni,
+      namespace: service.namespace,
+      description: `Allow ingress traffic from the WireGuard node ${appName} to ${service.name}.`,
+      selector: service.selector,
+      ingressRule: {
+        fromNamespace: namespace,
+        fromSelector: deployment.deployment.spec.selector
+      }
+    },
+    { provider }
+  );
+}

package/dist/{shared-RypNC0-F.js → shared-BVOzbQ3O.js}

@@ -1,39 +1,24 @@
-import { ed25519 } from '@noble/curves/ed25519';
+import { x25519 } from '@noble/curves/ed25519';
 
-const crypto = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
+const crypto = typeof globalThis === "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
 
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-/**
- * Utilities for hex, bytes, CSPRNG.
- * @module
- */
-// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
-// node.js versions earlier than v19 don't declare it in global scope.
-// For node.js, package.json#exports field mapping rewrites import
-// from `crypto` to `cryptoNode`, which imports native module.
-// Makes the utils un-importable in browsers without a bundler.
-// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
-/**
- * Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS.
- */
 function randomBytes(bytesLength = 32) {
-    if (crypto && typeof crypto.getRandomValues === 'function') {
-        return crypto.getRandomValues(new Uint8Array(bytesLength));
-    }
-    // Legacy Node.js compatibility
-    if (crypto && typeof crypto.randomBytes === 'function') {
-        return crypto.randomBytes(bytesLength);
-    }
-    throw new Error('crypto.getRandomValues must be defined');
+  if (crypto && typeof crypto.getRandomValues === "function") {
+    return crypto.getRandomValues(new Uint8Array(bytesLength));
+  }
+  if (crypto && typeof crypto.randomBytes === "function") {
+    return crypto.randomBytes(bytesLength);
+  }
+  throw new Error("crypto.getRandomValues must be defined");
 }
 
 function generateKey() {
-  const key = ed25519.utils.randomPrivateKey();
+  const key = x25519.utils.randomPrivateKey();
   return Buffer.from(key).toString("base64");
 }
 function convertPrivateKeyToPublicKey(privateKey) {
   const key = Buffer.from(privateKey, "base64");
-  return Buffer.from(ed25519.getPublicKey(key)).toString("base64");
+  return Buffer.from(x25519.getPublicKey(key)).toString("base64");
 }
 function generatePresharedKey() {
   const key = randomBytes(32);
@@ -69,14 +54,25 @@ function generatePeerConfig(identity, peer) {
   }
   return lines.join("\n");
 }
-function generateIdentityConfig(identity, peers) {
+function generateIdentityConfig(identity, peers, listenPort, postUp) {
   const lines = [
     "[Interface]",
     `# ${identity.name}`,
     `Address = ${identity.address}`,
-    `PrivateKey = ${identity.privateKey}`
+    `PrivateKey = ${identity.privateKey}`,
+    "MTU = 1280"
   ];
-  for (const peer of peers) {
+  if (listenPort) {
+    lines.push(`ListenPort = ${listenPort}`);
+  }
+  if (postUp) {
+    lines.push();
+    for (const command of postUp) {
+      lines.push(`PostUp = ${command}`);
+    }
+  }
+  const otherPeers = peers.filter((peer) => peer.name !== identity.name);
+  for (const peer of otherPeers) {
     lines.push("");
     lines.push(generatePeerConfig(identity, peer));
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/wireguard",
-  "version": "0.4.3",
+  "version": "0.4.5",
   "type": "module",
   "files": [
     "dist"
@@ -8,7 +8,8 @@
   "exports": {
     "./network": "./dist/network/index.js",
     "./identity": "./dist/identity/index.js",
-    "./config": "./dist/config/index.js"
+    "./config": "./dist/config/index.js",
+    "./node": "./dist/node/index.js"
   },
   "publishConfig": {
     "access": "public"
@@ -17,15 +18,16 @@
     "build": "pkgroll --tsconfig=tsconfig.build.json"
   },
   "dependencies": {
-    "@highstate/pulumi": "^0.4.3",
+    "@highstate/k8s": "^0.4.5",
+    "@highstate/pulumi": "^0.4.5",
     "@noble/curves": "^1.8.0",
-    "@pulumi/command": "^1.0.1"
+    "@pulumi/kubernetes": "^4.18.0"
   },
   "peerDependencies": {
-    "@highstate/library": "workspace:^"
+    "@highstate/library": "workspace:^0.4.4"
   },
   "devDependencies": {
     "pkgroll": "^2.5.1"
   },
-  "gitHead": "5b99600bd04872a4817c97b26501e1f22c8a0780"
+  "gitHead": "afd601fdade1bcf31af58072eea3c08ee26349b8"
 }