npm - @highstate/wireguard - Versions diffs - 0.7.2 → 0.7.3 - Mend

@highstate/wireguard 0.7.2 → 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/chunk-HWKQLLAH.js +255 -0
package/dist/chunk-HWKQLLAH.js.map +1 -0
package/dist/config/index.js +20 -24
package/dist/config/index.js.map +1 -0
package/dist/config-bundle/index.js +92 -0
package/dist/config-bundle/index.js.map +1 -0
package/dist/highstate.manifest.json +10 -0
package/dist/identity/index.js +52 -29
package/dist/identity/index.js.map +1 -0
package/dist/network/index.js +9 -7
package/dist/network/index.js.map +1 -0
package/dist/node/index.js +101 -56
package/dist/node/index.js.map +1 -0
package/dist/peer/index.js +28 -12
package/dist/peer/index.js.map +1 -0
package/package.json +13 -7
package/dist/shared-D24icZbJ.js +0 -91

package/dist/chunk-HWKQLLAH.js ADDED Viewed

@@ -0,0 +1,255 @@
+// src/shared.ts
+import { x25519 } from "@noble/curves/ed25519";
+// ../../node_modules/@noble/hashes/esm/cryptoNode.js
+import * as nc from "node:crypto";
+var crypto = nc && typeof nc === "object" && "webcrypto" in nc ? nc.webcrypto : nc && typeof nc === "object" && "randomBytes" in nc ? nc : void 0;
+// ../../node_modules/@noble/hashes/esm/utils.js
+function randomBytes(bytesLength = 32) {
+  if (crypto && typeof crypto.getRandomValues === "function") {
+    return crypto.getRandomValues(new Uint8Array(bytesLength));
+  }
+  if (crypto && typeof crypto.randomBytes === "function") {
+    return crypto.randomBytes(bytesLength);
+  }
+  throw new Error("crypto.getRandomValues must be defined");
+}
+// ../../node_modules/remeda/dist/chunk-ANXBDSUI.js
+var s = { done: false, hasNext: false };
+// ../../node_modules/remeda/dist/chunk-3GOCSNFN.js
+function C(t, ...o) {
+  let n = t, u = o.map((e) => "lazy" in e ? y(e) : void 0), p = 0;
+  for (; p < o.length; ) {
+    if (u[p] === void 0 || !B(n)) {
+      let i2 = o[p];
+      n = i2(n), p += 1;
+      continue;
+    }
+    let r = [];
+    for (let i2 = p; i2 < o.length; i2++) {
+      let l = u[i2];
+      if (l === void 0 || (r.push(l), l.isSingle)) break;
+    }
+    let a2 = [];
+    for (let i2 of n) if (f(i2, a2, r)) break;
+    let { isSingle: s2 } = r.at(-1);
+    n = s2 ? a2[0] : a2, p += r.length;
+  }
+  return n;
+}
+function f(t, o, n) {
+  if (n.length === 0) return o.push(t), false;
+  let u = t, p = s, e = false;
+  for (let [r, a2] of n.entries()) {
+    let { index: s2, items: i2 } = a2;
+    if (i2.push(u), p = a2(u, s2, i2), a2.index += 1, p.hasNext) {
+      if (p.hasMany ?? false) {
+        for (let l of p.next) if (f(l, o, n.slice(r + 1))) return true;
+        return e;
+      }
+      u = p.next;
+    }
+    if (!p.hasNext) break;
+    p.done && (e = true);
+  }
+  return p.hasNext && o.push(u), e;
+}
+function y(t) {
+  let { lazy: o, lazyArgs: n } = t, u = o(...n);
+  return Object.assign(u, { isSingle: o.single ?? false, index: 0, items: [] });
+}
+function B(t) {
+  return typeof t == "string" || typeof t == "object" && t !== null && Symbol.iterator in t;
+}
+// ../../node_modules/remeda/dist/chunk-LFJW7BOT.js
+function y2(t, i2) {
+  let a2 = i2.length - t.length;
+  if (a2 === 1) {
+    let [n, ...r] = i2;
+    return C(n, { lazy: t, lazyArgs: r });
+  }
+  if (a2 === 0) {
+    let n = { lazy: t, lazyArgs: i2 };
+    return Object.assign((e) => C(e, n), n);
+  }
+  throw new Error("Wrong number of arguments");
+}
+// ../../node_modules/remeda/dist/chunk-QJLMYOTX.js
+function i(...e) {
+  return y2(a, e);
+}
+function a() {
+  let e = /* @__PURE__ */ new Set();
+  return (t) => e.has(t) ? s : (e.add(t), { done: false, hasNext: true, next: t });
+}
+// src/shared.ts
+function generateKey() {
+  const key = x25519.utils.randomPrivateKey();
+  return Buffer.from(key).toString("base64");
+}
+function convertPrivateKeyToPublicKey(privateKey) {
+  const key = Buffer.from(privateKey, "base64");
+  return Buffer.from(x25519.getPublicKey(key)).toString("base64");
+}
+function generatePresharedKey() {
+  const key = randomBytes(32);
+  return Buffer.from(key).toString("base64");
+}
+function combinePresharedKeyParts(part1, part2) {
+  const key1 = Buffer.from(part1, "base64");
+  const key2 = Buffer.from(part2, "base64");
+  const result = new Uint8Array(32);
+  for (let i2 = 0; i2 < 32; i2++) {
+    result[i2] = key1[i2] ^ key2[i2];
+  }
+  return Buffer.from(result).toString("base64");
+}
+function generatePeerConfig(identity, peer) {
+  const lines = [
+    //
+    "[Peer]",
+    `# ${peer.name}`,
+    `PublicKey = ${peer.publicKey}`
+  ];
+  if (peer.allowedIps.length > 0) {
+    lines.push(`AllowedIPs = ${peer.allowedIps.join(", ")}`);
+  }
+  if (peer.endpoint) {
+    lines.push(`Endpoint = ${peer.endpoint}`);
+  }
+  if (identity.presharedKeyPart && peer.presharedKeyPart) {
+    const presharedKey = combinePresharedKeyParts(identity.presharedKeyPart, peer.presharedKeyPart);
+    lines.push(`PresharedKey = ${presharedKey}`);
+  } else if (identity.network?.globalPresharedKey) {
+    if (identity.network.globalPresharedKey !== peer.network?.globalPresharedKey) {
+      throw new Error("The global preshared key must be the same for all peers.");
+    }
+    lines.push(`PresharedKey = ${identity.network.globalPresharedKey}`);
+  }
+  return lines.join("\n");
+}
+function generateIdentityConfig({
+  identity,
+  peers,
+  listenPort,
+  dns,
+  postUp,
+  defaultInterface
+}) {
+  const allDns = i(peers.flatMap((peer) => peer.dns ?? []).concat(dns ?? []));
+  const excludedIps = i(peers.flatMap((peer) => peer.excludedIps ?? []));
+  const lines = [
+    //
+    "[Interface]",
+    `# ${identity.name}`
+  ];
+  if (identity.address) {
+    lines.push(`Address = ${identity.address}`);
+  }
+  lines.push(
+    //
+    `PrivateKey = ${identity.privateKey}`,
+    "MTU = 1280"
+  );
+  if (allDns.length > 0) {
+    lines.push(`DNS = ${allDns.join(", ")}`);
+  }
+  if (listenPort) {
+    lines.push(`ListenPort = ${listenPort}`);
+  }
+  if (postUp) {
+    lines.push();
+    for (const command of postUp) {
+      lines.push(`PostUp = ${command}`);
+    }
+  }
+  if (defaultInterface) {
+    for (const excludedIp of excludedIps) {
+      lines.push(`PostUp = ip route add ${excludedIp} dev ${defaultInterface}`);
+    }
+  }
+  const otherPeers = peers.filter((peer) => peer.name !== identity.name);
+  for (const peer of otherPeers) {
+    lines.push("");
+    lines.push(generatePeerConfig(identity, peer));
+  }
+  return lines.join("\n");
+}
+function calculateAllowedIps({ address, allowedIps, exitNode }, network, k8sServices) {
+  const result = /* @__PURE__ */ new Set();
+  if (address) {
+    result.add(address);
+  }
+  if (allowedIps) {
+    for (const ip of allowedIps) {
+      result.add(ip);
+    }
+  }
+  if (exitNode) {
+    result.add("0.0.0.0/0");
+    if (network?.ipv6) {
+      result.add("::/0");
+    }
+  }
+  if (k8sServices) {
+    for (const service of k8sServices) {
+      if (service.spec.clusterIP) {
+        result.add(service.spec.clusterIP);
+      }
+    }
+  }
+  return Array.from(result);
+}
+function calculateExcludedIps({ excludedIps, excludePrivateIps }, network) {
+  const result = /* @__PURE__ */ new Set();
+  if (excludedIps) {
+    for (const ip of excludedIps) {
+      result.add(ip);
+    }
+  }
+  if (excludePrivateIps) {
+    result.add("10.0.0.0/8");
+    result.add("172.16.0.0/12");
+    result.add("192.168.0.0/16");
+    if (network?.ipv6) {
+      result.add("fc00::/7");
+      result.add("fe80::/10");
+    }
+  }
+  return Array.from(result);
+}
+function calculateEndpoint({
+  externalIp,
+  listenPort,
+  endpoint
+}) {
+  if (endpoint) {
+    return endpoint;
+  }
+  if (externalIp && listenPort) {
+    return `${externalIp}:${listenPort}`;
+  }
+  return void 0;
+}
+export {
+  generateKey,
+  convertPrivateKeyToPublicKey,
+  generatePresharedKey,
+  generateIdentityConfig,
+  calculateAllowedIps,
+  calculateExcludedIps,
+  calculateEndpoint
+};
+/*! Bundled license information:
+@noble/hashes/esm/utils.js:
+  (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+*/
+//# sourceMappingURL=chunk-HWKQLLAH.js.map

package/dist/chunk-HWKQLLAH.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/shared.ts","../../../node_modules/@noble/hashes/src/cryptoNode.ts","../../../node_modules/@noble/hashes/src/utils.ts","../../../node_modules/remeda/dist/chunk-ANXBDSUI.js","../../../node_modules/remeda/dist/chunk-3GOCSNFN.js","../../../node_modules/remeda/dist/chunk-LFJW7BOT.js","../../../node_modules/remeda/dist/chunk-QJLMYOTX.js"],"sourcesContent":["import type { k8s, wireguard } from \"@highstate/library\"\nimport { x25519 } from \"@noble/curves/ed25519\"\nimport { randomBytes } from \"@noble/hashes/utils\"\nimport { unique } from \"remeda\"\n\nexport function generateKey(): string {\n const key = x25519.utils.randomPrivateKey()\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function convertPrivateKeyToPublicKey(privateKey: string): string {\n const key = Buffer.from(privateKey, \"base64\")\n\n return Buffer.from(x25519.getPublicKey(key)).toString(\"base64\")\n}\n\nexport function generatePresharedKey(): string {\n const key = randomBytes(32)\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function combinePresharedKeyParts(part1: string, part2: string): string {\n const key1 = Buffer.from(part1, \"base64\")\n const key2 = Buffer.from(part2, \"base64\")\n const result = new Uint8Array(32)\n\n for (let i = 0; i < 32; i++) {\n result[i] = key1[i] ^ key2[i]\n }\n\n return Buffer.from(result).toString(\"base64\")\n}\n\nfunction generatePeerConfig(identity: wireguard.Identity, peer: wireguard.Peer): string {\n const lines = [\n //\n \"[Peer]\",\n `# ${peer.name}`,\n `PublicKey = ${peer.publicKey}`,\n ]\n\n if (peer.allowedIps.length > 0) {\n lines.push(`AllowedIPs = ${peer.allowedIps.join(\", \")}`)\n }\n\n if (peer.endpoint) {\n lines.push(`Endpoint = ${peer.endpoint}`)\n }\n\n if (identity.presharedKeyPart && peer.presharedKeyPart) {\n const presharedKey = combinePresharedKeyParts(identity.presharedKeyPart, peer.presharedKeyPart)\n\n lines.push(`PresharedKey = ${presharedKey}`)\n } else if (identity.network?.globalPresharedKey) {\n if (identity.network.globalPresharedKey !== peer.network?.globalPresharedKey) {\n throw new Error(\"The global preshared key must be the same for all peers.\")\n }\n\n lines.push(`PresharedKey = ${identity.network.globalPresharedKey}`)\n }\n\n return lines.join(\"\\n\")\n}\n\nexport type IdentityConfigArgs = {\n identity: wireguard.Identity\n peers: wireguard.Peer[]\n listenPort?: number\n dns?: string[]\n postUp?: string[]\n defaultInterface?: string\n}\n\nexport function generateIdentityConfig({\n identity,\n peers,\n listenPort,\n dns,\n postUp,\n defaultInterface,\n}: IdentityConfigArgs): string {\n const allDns = unique(peers.flatMap(peer => peer.dns ?? []).concat(dns ?? []))\n const excludedIps = unique(peers.flatMap(peer => peer.excludedIps ?? []))\n\n const lines = [\n //\n \"[Interface]\",\n `# ${identity.name}`,\n ]\n\n if (identity.address) {\n lines.push(`Address = ${identity.address}`)\n }\n\n lines.push(\n //\n `PrivateKey = ${identity.privateKey}`,\n \"MTU = 1280\",\n )\n\n if (allDns.length > 0) {\n lines.push(`DNS = ${allDns.join(\", \")}`)\n }\n\n if (listenPort) {\n lines.push(`ListenPort = ${listenPort}`)\n }\n\n if (postUp) {\n lines.push()\n for (const command of postUp) {\n lines.push(`PostUp = ${command}`)\n }\n }\n\n if (defaultInterface) {\n for (const excludedIp of excludedIps) {\n lines.push(`PostUp = ip route add ${excludedIp} dev ${defaultInterface}`)\n }\n }\n\n const otherPeers = peers.filter(peer => peer.name !== identity.name)\n\n for (const peer of otherPeers) {\n lines.push(\"\")\n lines.push(generatePeerConfig(identity, peer))\n }\n\n return lines.join(\"\\n\")\n}\n\ntype AllowedIpsArgs = {\n address?: string\n allowedIps?: string[]\n exitNode?: boolean\n}\n\nexport function calculateAllowedIps(\n { address, allowedIps, exitNode }: AllowedIpsArgs,\n network: wireguard.Network | undefined,\n k8sServices?: k8s.Service[],\n): string[] {\n const result = new Set<string>()\n\n if (address) {\n result.add(address)\n }\n\n if (allowedIps) {\n for (const ip of allowedIps) {\n result.add(ip)\n }\n }\n\n if (exitNode) {\n result.add(\"0.0.0.0/0\")\n\n if (network?.ipv6) {\n result.add(\"::/0\")\n }\n }\n\n if (k8sServices) {\n for (const service of k8sServices) {\n if (service.spec.clusterIP) {\n result.add(service.spec.clusterIP)\n }\n }\n }\n\n return Array.from(result)\n}\n\ntype ExcludedIpsArgs = {\n excludedIps?: string[]\n excludePrivateIps?: boolean\n}\n\nexport function calculateExcludedIps(\n { excludedIps, excludePrivateIps }: ExcludedIpsArgs,\n network: wireguard.Network | undefined,\n): string[] {\n const result = new Set<string>()\n\n if (excludedIps) {\n for (const ip of excludedIps) {\n result.add(ip)\n }\n }\n\n if (excludePrivateIps) {\n result.add(\"10.0.0.0/8\")\n result.add(\"172.16.0.0/12\")\n result.add(\"192.168.0.0/16\")\n\n if (network?.ipv6) {\n result.add(\"fc00::/7\")\n result.add(\"fe80::/10\")\n }\n }\n\n return Array.from(result)\n}\n\ntype EndpointArgs = {\n externalIp?: string\n listenPort?: number\n endpoint?: string\n}\n\nexport function calculateEndpoint({\n externalIp,\n listenPort,\n endpoint,\n}: EndpointArgs): string | undefined {\n if (endpoint) {\n return endpoint\n }\n\n if (externalIp && listenPort) {\n return `${externalIp}:${listenPort}`\n }\n\n return undefined\n}\n","/**\n * Internal webcrypto alias.\n * We prefer WebCrypto aka globalThis.crypto, which exists in node.js 16+.\n * Falls back to Node.js built-in crypto for Node.js <=v14.\n * See utils.ts for details.\n * @module\n */\n// @ts-ignore\nimport * as nc from 'node:crypto';\nexport const crypto: any =\n nc && typeof nc === 'object' && 'webcrypto' in nc\n ? (nc.webcrypto as any)\n : nc && typeof nc === 'object' && 'randomBytes' in nc\n ? nc\n : undefined;\n","/**\n * Utilities for hex, bytes, CSPRNG.\n * @module\n */\n/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n\n// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.\n// node.js versions earlier than v19 don't declare it in global scope.\n// For node.js, package.json#exports field mapping rewrites import\n// from `crypto` to `cryptoNode`, which imports native module.\n// Makes the utils un-importable in browsers without a bundler.\n// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.\nimport { crypto } from '@noble/hashes/crypto';\nimport { abytes } from './_assert.js';\n// export { isBytes } from './_assert.js';\n// We can't reuse isBytes from _assert, because somehow this causes huge perf issues\nexport function isBytes(a: unknown): a is Uint8Array {\n return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');\n}\n\n// prettier-ignore\nexport type TypedArray = Int8Array | Uint8ClampedArray | Uint8Array |\n Uint16Array | Int16Array | Uint32Array | Int32Array;\n\n// Cast array to different type\nexport function u8(arr: TypedArray): Uint8Array {\n return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);\n}\nexport function u32(arr: TypedArray): Uint32Array {\n return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n}\n\n// Cast array to view\nexport function createView(arr: TypedArray): DataView {\n return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n\n/** The rotate right (circular right shift) operation for uint32 */\nexport function rotr(word: number, shift: number): number {\n return (word << (32 - shift)) | (word >>> shift);\n}\n/** The rotate left (circular left shift) operation for uint32 */\nexport function rotl(word: number, shift: number): number {\n return (word << shift) | ((word >>> (32 - shift)) >>> 0);\n}\n\n/** Is current platform little-endian? Most are. Big-Endian platform: IBM */\nexport const isLE: boolean = /* @__PURE__ */ (() =>\n new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();\n// The byte swap operation for uint32\nexport function byteSwap(word: number): number {\n return (\n ((word << 24) & 0xff000000) |\n ((word << 8) & 0xff0000) |\n ((word >>> 8) & 0xff00) |\n ((word >>> 24) & 0xff)\n );\n}\n/** Conditionally byte swap if on a big-endian platform */\nexport const byteSwapIfBE: (n: number) => number = isLE\n ? (n: number) => n\n : (n: number) => byteSwap(n);\n\n/** In place byte swap for Uint32Array */\nexport function byteSwap32(arr: Uint32Array): void {\n for (let i = 0; i < arr.length; i++) {\n arr[i] = byteSwap(arr[i]);\n }\n}\n\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>\n i.toString(16).padStart(2, '0')\n);\n/**\n * Convert byte array to hex string.\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes: Uint8Array): string {\n abytes(bytes);\n // pre-caching improves the speed 6x\n let hex = '';\n for (let i = 0; i < bytes.length; i++) {\n hex += hexes[bytes[i]];\n }\n return hex;\n}\n\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 } as const;\nfunction asciiToBase16(ch: number): number | undefined {\n if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0; // '2' => 50-48\n if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10); // 'B' => 66-(65-10)\n if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10); // 'b' => 98-(97-10)\n return;\n}\n\n/**\n * Convert hex string to byte array.\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex: string): Uint8Array {\n if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);\n const hl = hex.length;\n const al = hl / 2;\n if (hl % 2) throw new Error('hex string expected, got unpadded hex of length ' + hl);\n const array = new Uint8Array(al);\n for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n const n1 = asciiToBase16(hex.charCodeAt(hi));\n const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n if (n1 === undefined || n2 === undefined) {\n const char = hex[hi] + hex[hi + 1];\n throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n }\n array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163\n }\n return array;\n}\n\n/**\n * There is no setImmediate in browser and setTimeout is slow.\n * Call of async fn will return Promise, which will be fullfiled only on\n * next scheduler queue processing step and this is exactly what we need.\n */\nexport const nextTick = async (): Promise<void> => {};\n\n/** Returns control to thread each 'tick' ms to avoid blocking. */\nexport async function asyncLoop(\n iters: number,\n tick: number,\n cb: (i: number) => void\n): Promise<void> {\n let ts = Date.now();\n for (let i = 0; i < iters; i++) {\n cb(i);\n // Date.now() is not monotonic, so in case if clock goes backwards we return return control too\n const diff = Date.now() - ts;\n if (diff >= 0 && diff < tick) continue;\n await nextTick();\n ts += diff;\n }\n}\n\n// Global symbols in both browsers and Node.js since v11\n// See https://github.com/microsoft/TypeScript/issues/31535\ndeclare const TextEncoder: any;\n\n/**\n * Convert JS string to byte array.\n * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])\n */\nexport function utf8ToBytes(str: string): Uint8Array {\n if (typeof str !== 'string') throw new Error('utf8ToBytes expected string, got ' + typeof str);\n return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n\n/** Accepted input of hash functions. Strings are converted to byte arrays. */\nexport type Input = Uint8Array | string;\n/**\n * Normalizes (non-hex) string or Uint8Array to Uint8Array.\n * Warning: when Uint8Array is passed, it would NOT get copied.\n * Keep in mind for future mutable operations.\n */\nexport function toBytes(data: Input): Uint8Array {\n if (typeof data === 'string') data = utf8ToBytes(data);\n abytes(data);\n return data;\n}\n\n/**\n * Copies several Uint8Arrays into one.\n */\nexport function concatBytes(...arrays: Uint8Array[]): Uint8Array {\n let sum = 0;\n for (let i = 0; i < arrays.length; i++) {\n const a = arrays[i];\n abytes(a);\n sum += a.length;\n }\n const res = new Uint8Array(sum);\n for (let i = 0, pad = 0; i < arrays.length; i++) {\n const a = arrays[i];\n res.set(a, pad);\n pad += a.length;\n }\n return res;\n}\n\n/** For runtime check if class implements interface */\nexport abstract class Hash<T extends Hash<T>> {\n abstract blockLen: number; // Bytes per block\n abstract outputLen: number; // Bytes in output\n abstract update(buf: Input): this;\n // Writes digest into buf\n abstract digestInto(buf: Uint8Array): void;\n abstract digest(): Uint8Array;\n /**\n * Resets internal state. Makes Hash instance unusable.\n * Reset is impossible for keyed hashes if key is consumed into state. If digest is not consumed\n * by user, they will need to manually call `destroy()` when zeroing is necessary.\n */\n abstract destroy(): void;\n /**\n * Clones hash instance. Unsafe: doesn't check whether `to` is valid. Can be used as `clone()`\n * when no options are passed.\n * Reasons to use `_cloneInto` instead of clone: 1) performance 2) reuse instance => all internal\n * buffers are overwritten => causes buffer overwrite which is used for digest in some cases.\n * There are no guarantees for clean-up because it's impossible in JS.\n */\n abstract _cloneInto(to?: T): T;\n // Safe version that clones internal state\n clone(): T {\n return this._cloneInto();\n }\n}\n\n/**\n * XOF: streaming API to read digest in chunks.\n * Same as 'squeeze' in keccak/k12 and 'seek' in blake3, but more generic name.\n * When hash used in XOF mode it is up to user to call '.destroy' afterwards, since we cannot\n * destroy state, next call can require more bytes.\n */\nexport type HashXOF<T extends Hash<T>> = Hash<T> & {\n xof(bytes: number): Uint8Array; // Read 'bytes' bytes from digest stream\n xofInto(buf: Uint8Array): Uint8Array; // read buf.length bytes from digest stream into buf\n};\n\ntype EmptyObj = {};\nexport function checkOpts<T1 extends EmptyObj, T2 extends EmptyObj>(\n defaults: T1,\n opts?: T2\n): T1 & T2 {\n if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')\n throw new Error('Options should be object or undefined');\n const merged = Object.assign(defaults, opts);\n return merged as T1 & T2;\n}\n\n/** Hash function */\nexport type CHash = ReturnType<typeof wrapConstructor>;\n/** Hash function with output */\nexport type CHashO = ReturnType<typeof wrapConstructorWithOpts>;\n/** XOF with output */\nexport type CHashXO = ReturnType<typeof wrapXOFConstructorWithOpts>;\n\n/** Wraps hash function, creating an interface on top of it */\nexport function wrapConstructor<T extends Hash<T>>(\n hashCons: () => Hash<T>\n): {\n (msg: Input): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(): Hash<T>;\n} {\n const hashC = (msg: Input): Uint8Array => hashCons().update(toBytes(msg)).digest();\n const tmp = hashCons();\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = () => hashCons();\n return hashC;\n}\n\nexport function wrapConstructorWithOpts<H extends Hash<H>, T extends Object>(\n hashCons: (opts?: T) => Hash<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts: T): Hash<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts: T) => hashCons(opts);\n return hashC;\n}\n\nexport function wrapXOFConstructorWithOpts<H extends HashXOF<H>, T extends Object>(\n hashCons: (opts?: T) => HashXOF<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts: T): HashXOF<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts: T) => hashCons(opts);\n return hashC;\n}\n\n/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */\nexport function randomBytes(bytesLength = 32): Uint8Array {\n if (crypto && typeof crypto.getRandomValues === 'function') {\n return crypto.getRandomValues(new Uint8Array(bytesLength));\n }\n // Legacy Node.js compatibility\n if (crypto && typeof crypto.randomBytes === 'function') {\n return crypto.randomBytes(bytesLength);\n }\n throw new Error('crypto.getRandomValues must be defined');\n}\n","var e={done:!0,hasNext:!1},s={done:!1,hasNext:!1},a=()=>e,o=t=>({hasNext:!0,next:t,done:!1});export{s as a,a as b,o as c};\n","import{a as A}from\"./chunk-ANXBDSUI.js\";function C(t,...o){let n=t,u=o.map(e=>\"lazy\"in e?y(e):void 0),p=0;for(;p<o.length;){if(u[p]===void 0||!B(n)){let i=o[p];n=i(n),p+=1;continue}let r=[];for(let i=p;i<o.length;i++){let l=u[i];if(l===void 0||(r.push(l),l.isSingle))break}let a=[];for(let i of n)if(f(i,a,r))break;let{isSingle:s}=r.at(-1);n=s?a[0]:a,p+=r.length}return n}function f(t,o,n){if(n.length===0)return o.push(t),!1;let u=t,p=A,e=!1;for(let[r,a]of n.entries()){let{index:s,items:i}=a;if(i.push(u),p=a(u,s,i),a.index+=1,p.hasNext){if(p.hasMany??!1){for(let l of p.next)if(f(l,o,n.slice(r+1)))return!0;return e}u=p.next}if(!p.hasNext)break;p.done&&(e=!0)}return p.hasNext&&o.push(u),e}function y(t){let{lazy:o,lazyArgs:n}=t,u=o(...n);return Object.assign(u,{isSingle:o.single??!1,index:0,items:[]})}function B(t){return typeof t==\"string\"||typeof t==\"object\"&&t!==null&&Symbol.iterator in t}export{C as a};\n","import{a as o}from\"./chunk-3GOCSNFN.js\";function y(t,i){let a=i.length-t.length;if(a===1){let[n,...r]=i;return o(n,{lazy:t,lazyArgs:r})}if(a===0){let n={lazy:t,lazyArgs:i};return Object.assign(e=>o(e,n),n)}throw new Error(\"Wrong number of arguments\")}export{y as a};\n","import{a as r}from\"./chunk-LFJW7BOT.js\";import{a as n}from\"./chunk-ANXBDSUI.js\";function i(...e){return r(a,e)}function a(){let e=new Set;return t=>e.has(t)?n:(e.add(t),{done:!1,hasNext:!0,next:t})}export{i as a};\n"],"mappings":";AACA,SAAS,cAAc;;;ACOvB,YAAY,QAAQ;AACb,IAAM,SACX,MAAM,OAAO,OAAO,YAAY,eAAe,KACvC,eACJ,MAAM,OAAO,OAAO,YAAY,iBAAiB,KAC/C,KACA;;;ACyRF,SAAU,YAAY,cAAc,IAAE;AAC1C,MAAI,UAAU,OAAO,OAAO,oBAAoB,YAAY;AAC1D,WAAO,OAAO,gBAAgB,IAAI,WAAW,WAAW,CAAC;EAC3D;AAEA,MAAI,UAAU,OAAO,OAAO,gBAAgB,YAAY;AACtD,WAAO,OAAO,YAAY,WAAW;EACvC;AACA,QAAM,IAAI,MAAM,wCAAwC;AAC1D;;;AChTA,IAA2B,IAAE,EAAC,MAAK,OAAG,SAAQ,MAAE;;;ACAR,SAAS,EAAE,MAAK,GAAE;AAAC,MAAI,IAAE,GAAE,IAAE,EAAE,IAAI,OAAG,UAAS,IAAE,EAAE,CAAC,IAAE,MAAM,GAAE,IAAE;AAAE,SAAK,IAAE,EAAE,UAAQ;AAAC,QAAG,EAAE,CAAC,MAAI,UAAQ,CAAC,EAAE,CAAC,GAAE;AAAC,UAAIA,KAAE,EAAE,CAAC;AAAE,UAAEA,GAAE,CAAC,GAAE,KAAG;AAAE;AAAA,IAAQ;AAAC,QAAI,IAAE,CAAC;AAAE,aAAQA,KAAE,GAAEA,KAAE,EAAE,QAAOA,MAAI;AAAC,UAAI,IAAE,EAAEA,EAAC;AAAE,UAAG,MAAI,WAAS,EAAE,KAAK,CAAC,GAAE,EAAE,UAAU;AAAA,IAAK;AAAC,QAAIC,KAAE,CAAC;AAAE,aAAQD,MAAK,EAAE,KAAG,EAAEA,IAAEC,IAAE,CAAC,EAAE;AAAM,QAAG,EAAC,UAASC,GAAC,IAAE,EAAE,GAAG,EAAE;AAAE,QAAEA,KAAED,GAAE,CAAC,IAAEA,IAAE,KAAG,EAAE;AAAA,EAAM;AAAC,SAAO;AAAC;AAAC,SAAS,EAAE,GAAE,GAAE,GAAE;AAAC,MAAG,EAAE,WAAS,EAAE,QAAO,EAAE,KAAK,CAAC,GAAE;AAAG,MAAI,IAAE,GAAE,IAAE,GAAE,IAAE;AAAG,WAAO,CAAC,GAAEA,EAAC,KAAI,EAAE,QAAQ,GAAE;AAAC,QAAG,EAAC,OAAMC,IAAE,OAAMF,GAAC,IAAEC;AAAE,QAAGD,GAAE,KAAK,CAAC,GAAE,IAAEC,GAAE,GAAEC,IAAEF,EAAC,GAAEC,GAAE,SAAO,GAAE,EAAE,SAAQ;AAAC,UAAG,EAAE,WAAS,OAAG;AAAC,iBAAQ,KAAK,EAAE,KAAK,KAAG,EAAE,GAAE,GAAE,EAAE,MAAM,IAAE,CAAC,CAAC,EAAE,QAAM;AAAG,eAAO;AAAA,MAAC;AAAC,UAAE,EAAE;AAAA,IAAI;AAAC,QAAG,CAAC,EAAE,QAAQ;AAAM,MAAE,SAAO,IAAE;AAAA,EAAG;AAAC,SAAO,EAAE,WAAS,EAAE,KAAK,CAAC,GAAE;AAAC;AAAC,SAAS,EAAE,GAAE;AAAC,MAAG,EAAC,MAAK,GAAE,UAAS,EAAC,IAAE,GAAE,IAAE,EAAE,GAAG,CAAC;AAAE,SAAO,OAAO,OAAO,GAAE,EAAC,UAAS,EAAE,UAAQ,OAAG,OAAM,GAAE,OAAM,CAAC,EAAC,CAAC;AAAC;AAAC,SAAS,EAAE,GAAE;AAAC,SAAO,OAAO,KAAG,YAAU,OAAO,KAAG,YAAU,MAAI,QAAM,OAAO,YAAY;AAAC;;;ACA11B,SAASE,GAAE,GAAEC,IAAE;AAAC,MAAIC,KAAED,GAAE,SAAO,EAAE;AAAO,MAAGC,OAAI,GAAE;AAAC,QAAG,CAAC,GAAE,GAAG,CAAC,IAAED;AAAE,WAAO,EAAE,GAAE,EAAC,MAAK,GAAE,UAAS,EAAC,CAAC;AAAA,EAAC;AAAC,MAAGC,OAAI,GAAE;AAAC,QAAI,IAAE,EAAC,MAAK,GAAE,UAASD,GAAC;AAAE,WAAO,OAAO,OAAO,OAAG,EAAE,GAAE,CAAC,GAAE,CAAC;AAAA,EAAC;AAAC,QAAM,IAAI,MAAM,2BAA2B;AAAC;;;ACA1K,SAAS,KAAK,GAAE;AAAC,SAAOE,GAAE,GAAE,CAAC;AAAC;AAAC,SAAS,IAAG;AAAC,MAAI,IAAE,oBAAI;AAAI,SAAO,OAAG,EAAE,IAAI,CAAC,IAAE,KAAG,EAAE,IAAI,CAAC,GAAE,EAAC,MAAK,OAAG,SAAQ,MAAG,MAAK,EAAC;AAAE;;;ANK9L,SAAS,cAAsB;AACpC,QAAM,MAAM,OAAO,MAAM,iBAAiB;AAE1C,SAAO,OAAO,KAAK,GAAG,EAAE,SAAS,QAAQ;AAC3C;AAEO,SAAS,6BAA6B,YAA4B;AACvE,QAAM,MAAM,OAAO,KAAK,YAAY,QAAQ;AAE5C,SAAO,OAAO,KAAK,OAAO,aAAa,GAAG,CAAC,EAAE,SAAS,QAAQ;AAChE;AAEO,SAAS,uBAA+B;AAC7C,QAAM,MAAM,YAAY,EAAE;AAE1B,SAAO,OAAO,KAAK,GAAG,EAAE,SAAS,QAAQ;AAC3C;AAEO,SAAS,yBAAyB,OAAe,OAAuB;AAC7E,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ;AACxC,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ;AACxC,QAAM,SAAS,IAAI,WAAW,EAAE;AAEhC,WAASC,KAAI,GAAGA,KAAI,IAAIA,MAAK;AAC3B,WAAOA,EAAC,IAAI,KAAKA,EAAC,IAAI,KAAKA,EAAC;AAAA,EAC9B;AAEA,SAAO,OAAO,KAAK,MAAM,EAAE,SAAS,QAAQ;AAC9C;AAEA,SAAS,mBAAmB,UAA8B,MAA8B;AACtF,QAAM,QAAQ;AAAA;AAAA,IAEZ;AAAA,IACA,KAAK,KAAK,IAAI;AAAA,IACd,eAAe,KAAK,SAAS;AAAA,EAC/B;AAEA,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,KAAK,gBAAgB,KAAK,WAAW,KAAK,IAAI,CAAC,EAAE;AAAA,EACzD;AAEA,MAAI,KAAK,UAAU;AACjB,UAAM,KAAK,cAAc,KAAK,QAAQ,EAAE;AAAA,EAC1C;AAEA,MAAI,SAAS,oBAAoB,KAAK,kBAAkB;AACtD,UAAM,eAAe,yBAAyB,SAAS,kBAAkB,KAAK,gBAAgB;AAE9F,UAAM,KAAK,kBAAkB,YAAY,EAAE;AAAA,EAC7C,WAAW,SAAS,SAAS,oBAAoB;AAC/C,QAAI,SAAS,QAAQ,uBAAuB,KAAK,SAAS,oBAAoB;AAC5E,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AAEA,UAAM,KAAK,kBAAkB,SAAS,QAAQ,kBAAkB,EAAE;AAAA,EACpE;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAWO,SAAS,uBAAuB;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAA+B;AAC7B,QAAM,SAAS,EAAO,MAAM,QAAQ,UAAQ,KAAK,OAAO,CAAC,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC,CAAC;AAC7E,QAAM,cAAc,EAAO,MAAM,QAAQ,UAAQ,KAAK,eAAe,CAAC,CAAC,CAAC;AAExE,QAAM,QAAQ;AAAA;AAAA,IAEZ;AAAA,IACA,KAAK,SAAS,IAAI;AAAA,EACpB;AAEA,MAAI,SAAS,SAAS;AACpB,UAAM,KAAK,aAAa,SAAS,OAAO,EAAE;AAAA,EAC5C;AAEA,QAAM;AAAA;AAAA,IAEJ,gBAAgB,SAAS,UAAU;AAAA,IACnC;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,GAAG;AACrB,UAAM,KAAK,SAAS,OAAO,KAAK,IAAI,CAAC,EAAE;AAAA,EACzC;AAEA,MAAI,YAAY;AACd,UAAM,KAAK,gBAAgB,UAAU,EAAE;AAAA,EACzC;AAEA,MAAI,QAAQ;AACV,UAAM,KAAK;AACX,eAAW,WAAW,QAAQ;AAC5B,YAAM,KAAK,YAAY,OAAO,EAAE;AAAA,IAClC;AAAA,EACF;AAEA,MAAI,kBAAkB;AACpB,eAAW,cAAc,aAAa;AACpC,YAAM,KAAK,yBAAyB,UAAU,QAAQ,gBAAgB,EAAE;AAAA,IAC1E;AAAA,EACF;AAEA,QAAM,aAAa,MAAM,OAAO,UAAQ,KAAK,SAAS,SAAS,IAAI;AAEnE,aAAW,QAAQ,YAAY;AAC7B,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,mBAAmB,UAAU,IAAI,CAAC;AAAA,EAC/C;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAQO,SAAS,oBACd,EAAE,SAAS,YAAY,SAAS,GAChC,SACA,aACU;AACV,QAAM,SAAS,oBAAI,IAAY;AAE/B,MAAI,SAAS;AACX,WAAO,IAAI,OAAO;AAAA,EACpB;AAEA,MAAI,YAAY;AACd,eAAW,MAAM,YAAY;AAC3B,aAAO,IAAI,EAAE;AAAA,IACf;AAAA,EACF;AAEA,MAAI,UAAU;AACZ,WAAO,IAAI,WAAW;AAEtB,QAAI,SAAS,MAAM;AACjB,aAAO,IAAI,MAAM;AAAA,IACnB;AAAA,EACF;AAEA,MAAI,aAAa;AACf,eAAW,WAAW,aAAa;AACjC,UAAI,QAAQ,KAAK,WAAW;AAC1B,eAAO,IAAI,QAAQ,KAAK,SAAS;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,MAAM;AAC1B;AAOO,SAAS,qBACd,EAAE,aAAa,kBAAkB,GACjC,SACU;AACV,QAAM,SAAS,oBAAI,IAAY;AAE/B,MAAI,aAAa;AACf,eAAW,MAAM,aAAa;AAC5B,aAAO,IAAI,EAAE;AAAA,IACf;AAAA,EACF;AAEA,MAAI,mBAAmB;AACrB,WAAO,IAAI,YAAY;AACvB,WAAO,IAAI,eAAe;AAC1B,WAAO,IAAI,gBAAgB;AAE3B,QAAI,SAAS,MAAM;AACjB,aAAO,IAAI,UAAU;AACrB,aAAO,IAAI,WAAW;AAAA,IACxB;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,MAAM;AAC1B;AAQO,SAAS,kBAAkB;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AACF,GAAqC;AACnC,MAAI,UAAU;AACZ,WAAO;AAAA,EACT;AAEA,MAAI,cAAc,YAAY;AAC5B,WAAO,GAAG,UAAU,IAAI,UAAU;AAAA,EACpC;AAEA,SAAO;AACT;","names":["i","a","s","y","i","a","y","i"]}

package/dist/config/index.js CHANGED Viewed

@@ -1,27 +1,21 @@
-import { wireguard } from '@highstate/library';
-import { forUnit, output } from '@highstate/pulumi';
-import { b as generateIdentityConfig } from '../shared-D24icZbJ.js';
-import '@noble/curves/ed25519';
+import {
+  generateIdentityConfig
+} from "../chunk-HWKQLLAH.js";
-function text(array, ...values) {
-  const str = array.reduce(
-    // eslint-disable-next-line @typescript-eslint/no-base-to-string
-    (result, part, i) => result + part + (values[i] ? String(values[i]) : ""),
-    ""
-  );
-  return trimIndentation(str);
-}
-function trimIndentation(text2) {
-  const lines = text2.split("\n");
-  const indent = lines.filter((line) => line.trim() !== "").map((line) => line.match(/^\s*/)?.[0].length ?? 0).reduce((min, indent2) => Math.min(min, indent2), Infinity);
-  return lines.map((line) => line.slice(indent)).join("\n").trim();
-}
-const { inputs, outputs } = forUnit(wireguard.config);
-const configContent = output(inputs).apply(({ identity, peers }) => {
-  return generateIdentityConfig(identity, peers);
+// src/config/index.ts
+import { wireguard } from "@highstate/library";
+import { forUnit, toPromise } from "@highstate/pulumi";
+import { text } from "@highstate/contract";
+var { inputs, args, outputs } = forUnit(wireguard.config);
+var { identity, peers } = await toPromise(inputs);
+var configContent = generateIdentityConfig({
+  identity,
+  peers,
+  dns: args.dns,
+  defaultInterface: args.defaultInterface,
+  listenPort: args.listenPort ?? identity.listenPort
 });
-var index = outputs({
+var config_default = outputs({
   $pages: {
     index: {
       title: "WireGuard Configuration",
@@ -42,5 +36,7 @@ var index = outputs({
     }
   }
 });
-export { index as default };
+export {
+  config_default as default
+};
+//# sourceMappingURL=index.js.map

package/dist/config/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/config/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { text } from \"@highstate/contract\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { inputs, args, outputs } = forUnit(wireguard.config)\n\nconst { identity, peers } = await toPromise(inputs)\n\nconst configContent = generateIdentityConfig({\n identity,\n peers,\n dns: args.dns,\n defaultInterface: args.defaultInterface,\n listenPort: args.listenPort ?? identity.listenPort,\n})\n\nexport default outputs({\n $pages: {\n index: {\n title: \"WireGuard Configuration\",\n content: [\n {\n type: \"markdown\",\n content: text`\n You can use this configuration to setup an external WireGuard device via \\`wg-quick\\` command.\n `,\n },\n {\n type: \"qr\",\n content: configContent,\n showContent: true,\n language: \"ini\",\n },\n ],\n },\n },\n})\n"],"mappings":";;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AACnC,SAAS,YAAY;AAGrB,IAAM,EAAE,QAAQ,MAAM,QAAQ,IAAI,QAAQ,UAAU,MAAM;AAE1D,IAAM,EAAE,UAAU,MAAM,IAAI,MAAM,UAAU,MAAM;AAElD,IAAM,gBAAgB,uBAAuB;AAAA,EAC3C;AAAA,EACA;AAAA,EACA,KAAK,KAAK;AAAA,EACV,kBAAkB,KAAK;AAAA,EACvB,YAAY,KAAK,cAAc,SAAS;AAC1C,CAAC;AAED,IAAO,iBAAQ,QAAQ;AAAA,EACrB,QAAQ;AAAA,IACN,OAAO;AAAA,MACL,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA;AAAA;AAAA,QAGX;AAAA,QACA;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA,UACT,aAAa;AAAA,UACb,UAAU;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF,CAAC;","names":[]}

package/dist/config-bundle/index.js ADDED Viewed

@@ -0,0 +1,92 @@
+import {
+  generateIdentityConfig
+} from "../chunk-HWKQLLAH.js";
+// src/config-bundle/index.ts
+import { wireguard } from "@highstate/library";
+import {
+  fileFromBuffer,
+  forUnit,
+  secret,
+  toPromise
+} from "@highstate/pulumi";
+import { text } from "@highstate/contract";
+import ZipStream from "zip-stream";
+var { name, inputs, args, outputs } = forUnit(wireguard.configBundle);
+var { identity, peers, sharedPeers } = await toPromise(inputs);
+var blocks = [];
+var zipStream = new ZipStream();
+for (const peer of peers) {
+  const configContent = generateIdentityConfig({
+    identity,
+    peers: [...sharedPeers, peer],
+    dns: args.dns,
+    defaultInterface: args.defaultInterface,
+    listenPort: args.listenPort ?? identity.listenPort
+  });
+  await new Promise((resolve, reject) => {
+    return zipStream.entry(
+      configContent,
+      {
+        name: `${peer.name}.conf`,
+        // to prevent zip-stream from using the current date, for reproducibility
+        date: /* @__PURE__ */ new Date(0)
+      },
+      (err) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve(null);
+        }
+      }
+    );
+  });
+  blocks.push(
+    {
+      type: "markdown",
+      content: `### ${peer.name}`
+    },
+    {
+      type: "qr",
+      content: secret(configContent),
+      showContent: true,
+      language: "ini"
+    }
+  );
+}
+zipStream.finish();
+var content = await new Promise((resolve, reject) => {
+  const buffers = [];
+  zipStream.on("data", (data) => buffers.push(data));
+  zipStream.on("error", (err) => reject(err));
+  zipStream.on("end", () => resolve(Buffer.concat(buffers)));
+});
+var zipFile = fileFromBuffer(`${name}.zip`, content, "application/zip", true);
+var config_bundle_default = outputs({
+  $pages: {
+    index: {
+      title: "WireGuard Configuration Bundle",
+      content: [
+        {
+          type: "markdown",
+          content: text`
+            You can use the following configurations to setup an external WireGuard device via \`wg-quick\` command or
+            using the WireGuard app on your desktop or mobile device.
+            You can also bulk import all configurations from zip file using the WireGuard app.
+          `
+        },
+        {
+          type: "file",
+          fileMeta: zipFile.meta
+        },
+        ...blocks
+      ]
+    }
+  },
+  $files: [zipFile]
+});
+export {
+  config_bundle_default as default
+};
+//# sourceMappingURL=index.js.map

package/dist/config-bundle/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/config-bundle/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport {\n fileFromBuffer,\n forUnit,\n secret,\n toPromise,\n type InstancePageBlock,\n} from \"@highstate/pulumi\"\nimport { text } from \"@highstate/contract\"\nimport ZipStream from \"zip-stream\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { name, inputs, args, outputs } = forUnit(wireguard.configBundle)\n\nconst { identity, peers, sharedPeers } = await toPromise(inputs)\n\nconst blocks: InstancePageBlock[] = []\nconst zipStream = new ZipStream()\n\nfor (const peer of peers) {\n const configContent = generateIdentityConfig({\n identity,\n peers: [...sharedPeers, peer],\n dns: args.dns,\n defaultInterface: args.defaultInterface,\n listenPort: args.listenPort ?? identity.listenPort,\n })\n\n await new Promise((resolve, reject) => {\n return zipStream.entry(\n configContent,\n {\n name: `${peer.name}.conf`,\n\n // to prevent zip-stream from using the current date, for reproducibility\n date: new Date(0),\n },\n err => {\n if (err) {\n reject(err)\n } else {\n resolve(null)\n }\n },\n )\n })\n\n blocks.push(\n {\n type: \"markdown\",\n content: `### ${peer.name}`,\n },\n {\n type: \"qr\",\n content: secret(configContent),\n showContent: true,\n language: \"ini\",\n },\n )\n}\n\nzipStream.finish()\n\nconst content = await new Promise<Buffer>((resolve, reject) => {\n const buffers: Buffer[] = []\n\n zipStream.on(\"data\", data => buffers.push(data as Buffer))\n zipStream.on(\"error\", err => reject(err as Error))\n zipStream.on(\"end\", () => resolve(Buffer.concat(buffers)))\n})\n\nconst zipFile = fileFromBuffer(`${name}.zip`, content, \"application/zip\", true)\n\nexport default outputs({\n $pages: {\n index: {\n title: \"WireGuard Configuration Bundle\",\n content: [\n {\n type: \"markdown\",\n content: text`\n You can use the following configurations to setup an external WireGuard device via \\`wg-quick\\` command or\n using the WireGuard app on your desktop or mobile device.\n \n You can also bulk import all configurations from zip file using the WireGuard app.\n `,\n },\n {\n type: \"file\",\n fileMeta: zipFile.meta,\n },\n ...blocks,\n ],\n },\n },\n $files: [zipFile],\n})\n"],"mappings":";;;;;AAAA,SAAS,iBAAiB;AAC1B;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AACP,SAAS,YAAY;AACrB,OAAO,eAAe;AAGtB,IAAM,EAAE,MAAM,QAAQ,MAAM,QAAQ,IAAI,QAAQ,UAAU,YAAY;AAEtE,IAAM,EAAE,UAAU,OAAO,YAAY,IAAI,MAAM,UAAU,MAAM;AAE/D,IAAM,SAA8B,CAAC;AACrC,IAAM,YAAY,IAAI,UAAU;AAEhC,WAAW,QAAQ,OAAO;AACxB,QAAM,gBAAgB,uBAAuB;AAAA,IAC3C;AAAA,IACA,OAAO,CAAC,GAAG,aAAa,IAAI;AAAA,IAC5B,KAAK,KAAK;AAAA,IACV,kBAAkB,KAAK;AAAA,IACvB,YAAY,KAAK,cAAc,SAAS;AAAA,EAC1C,CAAC;AAED,QAAM,IAAI,QAAQ,CAAC,SAAS,WAAW;AACrC,WAAO,UAAU;AAAA,MACf;AAAA,MACA;AAAA,QACE,MAAM,GAAG,KAAK,IAAI;AAAA;AAAA,QAGlB,MAAM,oBAAI,KAAK,CAAC;AAAA,MAClB;AAAA,MACA,SAAO;AACL,YAAI,KAAK;AACP,iBAAO,GAAG;AAAA,QACZ,OAAO;AACL,kBAAQ,IAAI;AAAA,QACd;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL;AAAA,MACE,MAAM;AAAA,MACN,SAAS,OAAO,KAAK,IAAI;AAAA,IAC3B;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,SAAS,OAAO,aAAa;AAAA,MAC7B,aAAa;AAAA,MACb,UAAU;AAAA,IACZ;AAAA,EACF;AACF;AAEA,UAAU,OAAO;AAEjB,IAAM,UAAU,MAAM,IAAI,QAAgB,CAAC,SAAS,WAAW;AAC7D,QAAM,UAAoB,CAAC;AAE3B,YAAU,GAAG,QAAQ,UAAQ,QAAQ,KAAK,IAAc,CAAC;AACzD,YAAU,GAAG,SAAS,SAAO,OAAO,GAAY,CAAC;AACjD,YAAU,GAAG,OAAO,MAAM,QAAQ,OAAO,OAAO,OAAO,CAAC,CAAC;AAC3D,CAAC;AAED,IAAM,UAAU,eAAe,GAAG,IAAI,QAAQ,SAAS,mBAAmB,IAAI;AAE9E,IAAO,wBAAQ,QAAQ;AAAA,EACrB,QAAQ;AAAA,IACN,OAAO;AAAA,MACL,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAMX;AAAA,QACA;AAAA,UACE,MAAM;AAAA,UACN,UAAU,QAAQ;AAAA,QACpB;AAAA,QACA,GAAG;AAAA,MACL;AAAA,IACF;AAAA,EACF;AAAA,EACA,QAAQ,CAAC,OAAO;AAClB,CAAC;","names":[]}

package/dist/highstate.manifest.json ADDED Viewed

@@ -0,0 +1,10 @@
+{
+  "sourceHashes": {
+    "./dist/network/index.js": "3be6217a8a618a0ab026aa792f12d3ebdf97ad031bf7f8a2ccba3fbad838f5eb",
+    "./dist/identity/index.js": "b0be75155ac325d13ee6aa5a81761d0621b8b0aef5d1ffddbba2ea33b997b848",
+    "./dist/config/index.js": "2d5c6d18d33420d35bd587027951c045560c965e69892afa5ef8bf0d4662a347",
+    "./dist/config-bundle/index.js": "39f687f65e5bc77a48743c250d17207309eff2c34daa6227531e66e9148c4fac",
+    "./dist/node/index.js": "aef0e7fcda643d637266481ae99d88afae2896d72ba0edf0ad6a5cecc7c02786",
+    "./dist/peer/index.js": "9a463687e53c2e5cdef23ecaf799f90128c58c2d801f98da7d13c676a0095758"
+  }
+}

package/dist/identity/index.js CHANGED Viewed

@@ -1,22 +1,37 @@
-import { wireguard } from '@highstate/library';
-import { forUnit, getOrCreateSecret, toPromise } from '@highstate/pulumi';
-import { g as generateKey, a as generatePresharedKey, c as convertPrivateKeyToPublicKey } from '../shared-D24icZbJ.js';
-import '@noble/curves/ed25519';
+import {
+  calculateAllowedIps,
+  calculateEndpoint,
+  calculateExcludedIps,
+  convertPrivateKeyToPublicKey,
+  generateKey,
+  generatePresharedKey
+} from "../chunk-HWKQLLAH.js";
-const { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity);
-const privateKey = getOrCreateSecret(secrets, "privateKey", generateKey);
-const presharedKeyPart = getOrCreateSecret(secrets, "presharedKeyPart", () => {
-  return inputs.network?.apply((network) => {
-    return network?.presharedKeyMode === "secure" ? generatePresharedKey() : void 0;
+// src/identity/index.ts
+import { wireguard } from "@highstate/library";
+import { forUnit, getOrCreateSecret, toPromise } from "@highstate/pulumi";
+import { DnsRecord } from "@highstate/common";
+var { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity);
+var privateKey = getOrCreateSecret(secrets, "privateKey", generateKey);
+var presharedKeyPart = getOrCreateSecret(secrets, "presharedKeyPart", () => {
+  return inputs.network?.apply((network2) => {
+    return network2?.presharedKeyMode === "secure" ? generatePresharedKey() : void 0;
   });
 });
-const defaultAllowedIps = args.address ? [args.address] : [];
-const allowedIps = await toPromise(addK8sServiceIps(args.allowedIps ?? defaultAllowedIps));
-const argsAllowedIpsString = args.allowedIps?.join(", ");
-const calculatedAllowedIpsString = allowedIps.join(", ");
-const calculatedEndpoint = args.externalIp && args.listenPort ? ` ${args.externalIp}:${args.listenPort}` : void 0;
-const publicKey = privateKey.apply(convertPrivateKeyToPublicKey);
-var index = outputs({
+var { network, k8sServices } = await toPromise(inputs);
+var allowedIps = calculateAllowedIps(args, network, k8sServices);
+var excludedIps = calculateExcludedIps(args, network);
+var endpoint = calculateEndpoint(args);
+var publicKey = privateKey.apply(convertPrivateKeyToPublicKey);
+if (args.fqdn && inputs.dnsProvider && args.externalIp) {
+  DnsRecord.create(args.fqdn, {
+    provider: inputs.dnsProvider,
+    type: "A",
+    value: args.externalIp
+  });
+}
+var isExitNode = allowedIps.includes("0.0.0.0/0") || allowedIps.includes("::/0");
+var identity_default = outputs({
   identity: {
     name: args.peerName ?? name,
     network: inputs.network,
@@ -24,10 +39,10 @@ var index = outputs({
     privateKey,
     presharedKeyPart,
     k8sServices: inputs.k8sServices,
-    exitNode: args.exitNode ?? false,
+    exitNode: args.exitNode ?? isExitNode,
     listenPort: args.listenPort,
     externalIp: args.externalIp,
-    endpoint: args.endpoint ?? calculatedEndpoint
+    endpoint
   },
   peer: {
     name: args.peerName ?? name,
@@ -35,20 +50,28 @@ var index = outputs({
     address: args.address,
     publicKey,
     allowedIps,
-    endpoint: args.endpoint ?? calculatedEndpoint,
+    excludedIps,
+    endpoint,
+    dns: args.dns,
     presharedKeyPart
   },
   $status: {
     publicKey,
-    allowedIps: calculatedAllowedIpsString !== argsAllowedIpsString ? calculatedAllowedIpsString : void 0,
-    endpoint: calculatedEndpoint !== args.endpoint ? calculatedEndpoint : void 0
+    endpoint: {
+      value: endpoint,
+      complementaryTo: "endpoint"
+    },
+    allowedIps: {
+      value: allowedIps.join(", "),
+      complementaryTo: "allowedIps"
+    },
+    excludedIps: {
+      value: excludedIps.join(", "),
+      complementaryTo: "excludedIps"
+    }
   }
 });
-function addK8sServiceIps(allowedIps2) {
-  return inputs.k8sServices.apply((k8sServices) => {
-    const ips = k8sServices.map((service) => service.spec.clusterIP).filter((ip) => ip !== void 0);
-    return allowedIps2.concat(ips);
-  });
-}
-export { index as default };
+export {
+  identity_default as default
+};
+//# sourceMappingURL=index.js.map

package/dist/identity/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/identity/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, getOrCreateSecret, toPromise } from \"@highstate/pulumi\"\nimport { DnsRecord } from \"@highstate/common\"\nimport {\n calculateAllowedIps,\n calculateEndpoint,\n calculateExcludedIps,\n convertPrivateKeyToPublicKey,\n generateKey,\n generatePresharedKey,\n} from \"../shared\"\n\nconst { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity)\n\nconst privateKey = getOrCreateSecret(secrets, \"privateKey\", generateKey)\n\nconst presharedKeyPart = getOrCreateSecret(secrets, \"presharedKeyPart\", () => {\n return inputs.network?.apply(network => {\n return network?.presharedKeyMode === \"secure\" ? generatePresharedKey() : undefined\n })\n})\n\nconst { network, k8sServices } = await toPromise(inputs)\n\nconst allowedIps = calculateAllowedIps(args, network, k8sServices)\nconst excludedIps = calculateExcludedIps(args, network)\nconst endpoint = calculateEndpoint(args)\n\nconst publicKey = privateKey.apply(convertPrivateKeyToPublicKey)\n\nif (args.fqdn && inputs.dnsProvider && args.externalIp) {\n DnsRecord.create(args.fqdn, {\n provider: inputs.dnsProvider,\n type: \"A\",\n value: args.externalIp,\n })\n}\n\nconst isExitNode = allowedIps.includes(\"0.0.0.0/0\") || allowedIps.includes(\"::/0\")\n\nexport default outputs({\n identity: {\n name: args.peerName ?? name,\n network: inputs.network,\n address: args.address,\n privateKey,\n presharedKeyPart,\n k8sServices: inputs.k8sServices,\n exitNode: args.exitNode ?? isExitNode,\n listenPort: args.listenPort,\n externalIp: args.externalIp,\n endpoint,\n },\n peer: {\n name: args.peerName ?? name,\n network: inputs.network,\n address: args.address,\n publicKey,\n allowedIps,\n excludedIps,\n endpoint,\n dns: args.dns,\n presharedKeyPart,\n },\n $status: {\n publicKey,\n endpoint: {\n value: endpoint,\n complementaryTo: \"endpoint\",\n },\n allowedIps: {\n value: allowedIps.join(\", \"),\n complementaryTo: \"allowedIps\",\n },\n excludedIps: {\n value: excludedIps.join(\", \"),\n complementaryTo: \"excludedIps\",\n },\n },\n})\n"],"mappings":";;;;;;;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,mBAAmB,iBAAiB;AACtD,SAAS,iBAAiB;AAU1B,IAAM,EAAE,MAAM,MAAM,QAAQ,SAAS,QAAQ,IAAI,QAAQ,UAAU,QAAQ;AAE3E,IAAM,aAAa,kBAAkB,SAAS,cAAc,WAAW;AAEvE,IAAM,mBAAmB,kBAAkB,SAAS,oBAAoB,MAAM;AAC5E,SAAO,OAAO,SAAS,MAAM,CAAAA,aAAW;AACtC,WAAOA,UAAS,qBAAqB,WAAW,qBAAqB,IAAI;AAAA,EAC3E,CAAC;AACH,CAAC;AAED,IAAM,EAAE,SAAS,YAAY,IAAI,MAAM,UAAU,MAAM;AAEvD,IAAM,aAAa,oBAAoB,MAAM,SAAS,WAAW;AACjE,IAAM,cAAc,qBAAqB,MAAM,OAAO;AACtD,IAAM,WAAW,kBAAkB,IAAI;AAEvC,IAAM,YAAY,WAAW,MAAM,4BAA4B;AAE/D,IAAI,KAAK,QAAQ,OAAO,eAAe,KAAK,YAAY;AACtD,YAAU,OAAO,KAAK,MAAM;AAAA,IAC1B,UAAU,OAAO;AAAA,IACjB,MAAM;AAAA,IACN,OAAO,KAAK;AAAA,EACd,CAAC;AACH;AAEA,IAAM,aAAa,WAAW,SAAS,WAAW,KAAK,WAAW,SAAS,MAAM;AAEjF,IAAO,mBAAQ,QAAQ;AAAA,EACrB,UAAU;AAAA,IACR,MAAM,KAAK,YAAY;AAAA,IACvB,SAAS,OAAO;AAAA,IAChB,SAAS,KAAK;AAAA,IACd;AAAA,IACA;AAAA,IACA,aAAa,OAAO;AAAA,IACpB,UAAU,KAAK,YAAY;AAAA,IAC3B,YAAY,KAAK;AAAA,IACjB,YAAY,KAAK;AAAA,IACjB;AAAA,EACF;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,KAAK,YAAY;AAAA,IACvB,SAAS,OAAO;AAAA,IAChB,SAAS,KAAK;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,KAAK,KAAK;AAAA,IACV;AAAA,EACF;AAAA,EACA,SAAS;AAAA,IACP;AAAA,IACA,UAAU;AAAA,MACR,OAAO;AAAA,MACP,iBAAiB;AAAA,IACnB;AAAA,IACA,YAAY;AAAA,MACV,OAAO,WAAW,KAAK,IAAI;AAAA,MAC3B,iBAAiB;AAAA,IACnB;AAAA,IACA,aAAa;AAAA,MACX,OAAO,YAAY,KAAK,IAAI;AAAA,MAC5B,iBAAiB;AAAA,IACnB;AAAA,EACF;AACF,CAAC;","names":["network"]}

package/dist/network/index.js CHANGED Viewed

@@ -1,13 +1,15 @@
-import { wireguard } from '@highstate/library';
-import { forUnit } from '@highstate/pulumi';
-const { args, secrets, outputs } = forUnit(wireguard.network);
-var index = outputs({
+// src/network/index.ts
+import { wireguard } from "@highstate/library";
+import { forUnit } from "@highstate/pulumi";
+var { args, secrets, outputs } = forUnit(wireguard.network);
+var network_default = outputs({
   network: {
     backend: args.backend ?? "wireguard",
     presharedKeyMode: args.presharedKeyMode ?? "none",
     globalPresharedKey: secrets.globalPresharedKey
   }
 });
-export { index as default };
+export {
+  network_default as default
+};
+//# sourceMappingURL=index.js.map

package/dist/network/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/network/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit } from \"@highstate/pulumi\"\n\nconst { args, secrets, outputs } = forUnit(wireguard.network)\n\nexport default outputs({\n network: {\n backend: args.backend ?? \"wireguard\",\n presharedKeyMode: args.presharedKeyMode ?? \"none\",\n globalPresharedKey: secrets.globalPresharedKey,\n },\n})\n"],"mappings":";AAAA,SAAS,iBAAiB;AAC1B,SAAS,eAAe;AAExB,IAAM,EAAE,MAAM,SAAS,QAAQ,IAAI,QAAQ,UAAU,OAAO;AAE5D,IAAO,kBAAQ,QAAQ;AAAA,EACrB,SAAS;AAAA,IACP,SAAS,KAAK,WAAW;AAAA,IACzB,kBAAkB,KAAK,oBAAoB;AAAA,IAC3C,oBAAoB,QAAQ;AAAA,EAC9B;AACF,CAAC;","names":[]}

package/dist/node/index.js CHANGED Viewed

@@ -1,20 +1,33 @@
-import { createProvider, getNamespace, createNamespace, mapMetadata, Deployment, StatefulSet, NetworkPolicy, getAppDisplayName, getAppName } from '@highstate/k8s';
-import { wireguard } from '@highstate/library';
-import { forUnit, toPromise, output } from '@highstate/pulumi';
-import { core } from '@pulumi/kubernetes';
-import { b as generateIdentityConfig } from '../shared-D24icZbJ.js';
-import '@noble/curves/ed25519';
+import {
+  generateIdentityConfig
+} from "../chunk-HWKQLLAH.js";
-const { name, args, inputs, outputs } = forUnit(wireguard.node);
-const identity = await toPromise(inputs.identity);
-const appName = args.appName ?? `wg-${name}`;
-const containerPort = 51820;
-const serviceType = args.serviceType ?? "ClusterIP";
-const provider = await createProvider(inputs.k8sCluster);
-const existingNamespace = await toPromise(
-  inputs.deployment?.metadata?.namespace ?? inputs.statefulSet?.metadata?.namespace
+// src/node/index.ts
+import {
+  createNamespace,
+  createProvider,
+  Deployment,
+  getAppDisplayName,
+  getAppName,
+  getNamespace,
+  mapMetadata,
+  NetworkPolicy,
+  StatefulSet
+} from "@highstate/k8s";
+import { wireguard } from "@highstate/library";
+import { forUnit, toPromise } from "@highstate/pulumi";
+import { core } from "@pulumi/kubernetes";
+import { deepmerge } from "deepmerge-ts";
+var { name, args, inputs, outputs } = forUnit(wireguard.node);
+var { identity, peers } = await toPromise(inputs);
+var identityName = (identity.name ?? name).replaceAll(".", "-");
+var appName = args.appName ?? `wg-${identityName}`;
+var serviceType = args.serviceType ?? "ClusterIP";
+var provider = await createProvider(inputs.k8sCluster);
+var existingNamespace = await toPromise(
+  inputs.deployment?.metadata?.namespace ?? inputs.statefulSet?.metadata?.namespace ?? inputs.interface?.deployment.metadata.namespace
 );
-const namespace = existingNamespace ? getNamespace(existingNamespace, provider) : createNamespace(appName, provider);
+var namespace = existingNamespace ? getNamespace(existingNamespace, provider) : createNamespace(appName, provider);
 new core.v1.NamespacePatch(
   "allow-privileged",
   {
@@ -27,56 +40,82 @@ new core.v1.NamespacePatch(
   },
   { provider }
 );
-const configSecret = new core.v1.Secret(
+var listenPort = identity.listenPort ?? args.listenPort;
+var externalIp = identity.externalIp ?? args.externalIp;
+var downstreamInterface = await toPromise(inputs.interface);
+var postUp = [
+  // enable masquerading for all traffic going out of the WireGuard node
+  // TODO: consider adding more specific and restrictive rules
+  "iptables -t nat -A POSTROUTING -j MASQUERADE"
+];
+if (downstreamInterface) {
+  postUp.push(
+    `iptables -t mangle -A PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`
+  );
+  postUp.push("ip rule del not from all fwmark 0xca6c lookup 51820");
+  postUp.push("ip rule add from all fwmark 0x1 lookup 51820");
+}
+var interfaceName = identityName.substring(0, 15);
+var configSecret = new core.v1.Secret(
   appName,
   {
     metadata: mapMetadata({ name: appName, namespace }),
     stringData: {
-      "wg0.conf": output(inputs).apply(({ identity: identity2, peers: peers2 }) => {
-        return generateIdentityConfig(identity2, peers2, containerPort, args.dns, [
-          "iptables -t nat -A POSTROUTING -j MASQUERADE"
-        ]);
+      [`${interfaceName}.conf`]: generateIdentityConfig({
+        identity,
+        peers,
+        listenPort,
+        dns: args.dns,
+        postUp,
+        defaultInterface: "eth0"
       })
     }
   },
   { provider }
 );
-const workloadOptions = {
+var workloadOptions = {
   namespace,
   cluster: inputs.k8sCluster,
-  container: {
-    image: "linuxserver/wireguard:latest",
-    environment: {
-      PUID: "1000",
-      PGID: "1000",
-      TZ: "Etc/UTC"
-    },
-    securityContext: {
-      capabilities: {
-        add: ["NET_ADMIN"]
+  container: deepmerge(
+    {
+      image: "linuxserver/wireguard:latest",
+      environment: {
+        PUID: "1000",
+        PGID: "1000",
+        TZ: "Etc/UTC"
+      },
+      securityContext: {
+        capabilities: {
+          add: ["NET_ADMIN"]
+        }
+      },
+      port: identity.endpoint && listenPort ? { containerPort: listenPort, protocol: "UDP" } : void 0,
+      volumeMount: {
+        volume: configSecret,
+        mountPath: "/config/wg_confs"
       }
     },
-    port: identity.endpoint ? { containerPort, protocol: "UDP" } : void 0,
-    volumeMount: {
-      volume: configSecret,
-      mountPath: "/config/wg_confs"
-    }
-  },
-  service: {
+    args.containerSpec ?? {}
+  ),
+  service: identity.endpoint && listenPort ? {
     type: serviceType,
-    externalIPs: identity.externalIp ? [identity.externalIp] : void 0,
-    port: identity.endpoint ? {
-      port: containerPort,
+    externalIPs: externalIp ? [externalIp] : void 0,
+    port: {
+      port: listenPort,
       protocol: "UDP",
-      nodePort: identity.listenPort
-    } : void 0
-  }
+      nodePort: serviceType !== "ClusterIP" ? listenPort : void 0
+    }
+  } : void 0
 };
-const deployment = !inputs.statefulSet ? Deployment.create(appName, { ...workloadOptions, patch: inputs.deployment }, { provider }) : void 0;
-const statefulSet = inputs.statefulSet ? StatefulSet.create(appName, { ...workloadOptions, patch: inputs.statefulSet }, { provider }) : void 0;
-const selector = deployment?.spec.selector ?? statefulSet?.spec.selector;
-const service = deployment?.service ?? statefulSet?.service;
-if (identity.listenPort) {
+var deployment = !inputs.statefulSet ? Deployment.create(
+  appName,
+  { ...workloadOptions, patch: inputs.deployment ?? inputs.interface?.deployment },
+  { provider }
+) : void 0;
+var statefulSet = inputs.statefulSet ? StatefulSet.create(appName, { ...workloadOptions, patch: inputs.statefulSet }, { provider }) : void 0;
+var selector = deployment?.spec.selector ?? statefulSet?.spec.selector;
+var service = deployment?.optionalService ?? statefulSet?.optionalService;
+if (externalIp && listenPort) {
   NetworkPolicy.create(
     "allow-wireguard-ingress",
     {
@@ -86,7 +125,7 @@ if (identity.listenPort) {
       description: "Allow encapsulated WireGuard traffic to the node from anywhere.",
       ingressRule: {
         fromAll: true,
-        toPort: { port: containerPort, protocol: "UDP" }
+        toPort: { port: listenPort, protocol: "UDP" }
       }
     },
     { provider }
@@ -143,7 +182,6 @@ for (const service2 of identity.k8sServices) {
     { provider }
   );
 }
-const peers = await toPromise(inputs.peers);
 for (const peer of peers) {
   if (!peer.endpoint) {
     continue;
@@ -158,15 +196,22 @@ for (const peer of peers) {
       description: `Allow egress traffic from the WireGuard node to the endpoint of the peer "${peer.name}".`,
       egressRule: {
         toEndpoint: endpoint,
-        toPort: { port: port ? parseInt(port) : containerPort, protocol: "UDP" }
+        toPort: { port: port ? parseInt(port) : 51820, protocol: "UDP" }
       }
     },
     { provider }
   );
 }
-var index = outputs({
+var node_default = outputs({
   deployment: deployment?.entity,
-  service: service?.entity
+  interface: {
+    name: interfaceName,
+    deployment: deployment?.entity
+  },
+  service: service?.apply((service2) => service2?.entity),
+  $terminals: [deployment?.terminal]
 });
-export { index as default };
+export {
+  node_default as default
+};
+//# sourceMappingURL=index.js.map

package/dist/node/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/node/index.ts"],"sourcesContent":["import {\n createNamespace,\n createProvider,\n Deployment,\n getAppDisplayName,\n getAppName,\n getNamespace,\n mapMetadata,\n NetworkPolicy,\n StatefulSet,\n type DeploymentArgs,\n type StatefulSetArgs,\n} from \"@highstate/k8s\"\nimport { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { core } from \"@pulumi/kubernetes\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { name, args, inputs, outputs } = forUnit(wireguard.node)\n\nconst { identity, peers } = await toPromise(inputs)\n\nconst identityName = (identity.name ?? name).replaceAll(\".\", \"-\")\nconst appName = args.appName ?? `wg-${identityName}`\nconst serviceType = args.serviceType ?? \"ClusterIP\"\n\nconst provider = await createProvider(inputs.k8sCluster)\n\nconst existingNamespace = await toPromise(\n inputs.deployment?.metadata?.namespace ??\n inputs.statefulSet?.metadata?.namespace ??\n inputs.interface?.deployment.metadata.namespace,\n)\n\nconst namespace = existingNamespace\n ? getNamespace(existingNamespace, provider)\n : createNamespace(appName, provider)\n\nnew core.v1.NamespacePatch(\n \"allow-privileged\",\n {\n metadata: {\n name: namespace.metadata.name,\n labels: {\n \"pod-security.kubernetes.io/enforce\": \"privileged\",\n },\n },\n },\n { provider },\n)\n\nconst listenPort = identity.listenPort ?? args.listenPort\nconst externalIp = identity.externalIp ?? args.externalIp\n\nconst downstreamInterface = await toPromise(inputs.interface)\n\nconst postUp: string[] = [\n // enable masquerading for all traffic going out of the WireGuard node\n // TODO: consider adding more specific and restrictive rules\n \"iptables -t nat -A POSTROUTING -j MASQUERADE\",\n]\n\nif (downstreamInterface) {\n // mark all downstream traffic with 0x1\n postUp.push(\n `iptables -t mangle -A PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`,\n )\n\n // remove the default rule to route all non-encapsulated traffic to upstream wireguard interface\n postUp.push(\"ip rule del not from all fwmark 0xca6c lookup 51820\")\n\n // add a rule to route all downstream traffic to the upstream wireguard interface\n postUp.push(\"ip rule add from all fwmark 0x1 lookup 51820\")\n}\n\nconst interfaceName = identityName.substring(0, 15) // linux kernel limit\n\nconst configSecret = new core.v1.Secret(\n appName,\n {\n metadata: mapMetadata({ name: appName, namespace }),\n stringData: {\n [`${interfaceName}.conf`]: generateIdentityConfig({\n identity,\n peers,\n listenPort,\n dns: args.dns,\n postUp,\n defaultInterface: \"eth0\",\n }),\n },\n },\n { provider },\n)\n\nconst workloadOptions: DeploymentArgs & StatefulSetArgs = {\n namespace,\n cluster: inputs.k8sCluster,\n\n container: deepmerge(\n {\n image: \"linuxserver/wireguard:latest\",\n\n environment: {\n PUID: \"1000\",\n PGID: \"1000\",\n TZ: \"Etc/UTC\",\n },\n\n securityContext: {\n capabilities: {\n add: [\"NET_ADMIN\"],\n },\n },\n\n port:\n identity.endpoint && listenPort\n ? { containerPort: listenPort, protocol: \"UDP\" }\n : undefined,\n\n volumeMount: {\n volume: configSecret,\n mountPath: \"/config/wg_confs\",\n },\n },\n args.containerSpec ?? {},\n ),\n\n service:\n identity.endpoint && listenPort\n ? {\n type: serviceType,\n externalIPs: externalIp ? [externalIp] : undefined,\n\n port: {\n port: listenPort,\n protocol: \"UDP\",\n nodePort: serviceType !== \"ClusterIP\" ? listenPort : undefined,\n },\n }\n : undefined,\n}\n\nconst deployment = !inputs.statefulSet\n ? Deployment.create(\n appName,\n { ...workloadOptions, patch: inputs.deployment ?? inputs.interface?.deployment },\n { provider },\n )\n : undefined\n\nconst statefulSet = inputs.statefulSet\n ? StatefulSet.create(appName, { ...workloadOptions, patch: inputs.statefulSet }, { provider })\n : undefined\n\nconst selector = deployment?.spec.selector ?? statefulSet?.spec.selector\nconst service = deployment?.optionalService ?? statefulSet?.optionalService\n\nif (externalIp && listenPort) {\n NetworkPolicy.create(\n \"allow-wireguard-ingress\",\n {\n cni: inputs.k8sCluster.info.cni,\n namespace,\n selector,\n\n description: \"Allow encapsulated WireGuard traffic to the node from anywhere.\",\n\n ingressRule: {\n fromAll: true,\n toPort: { port: listenPort, protocol: \"UDP\" },\n },\n },\n { provider },\n )\n}\n\nif (identity.exitNode) {\n NetworkPolicy.create(\n \"allow-all-egress\",\n {\n cni: inputs.k8sCluster.info.cni,\n namespace,\n selector,\n\n description: \"Allow all egress traffic from the WireGuard node.\",\n\n egressRule: {\n toAll: true,\n },\n },\n { provider },\n )\n}\n\nfor (const service of identity.k8sServices) {\n const displayName = getAppDisplayName(service.metadata)\n\n NetworkPolicy.create(\n `allow-egress-to-${getAppName(service.metadata)}`,\n {\n cni: inputs.k8sCluster.info.cni,\n namespace,\n selector,\n\n description: `Allow egress traffic from the WireGuard node to the service \"${displayName}\".`,\n\n egressRules: [\n {\n toNamespace: service.metadata.namespace,\n toSelector: service.spec.selector,\n },\n\n // for compatibility with Cilium which cannot correctly detect the destination endpoint when the packet is redirected by the WireGuard node\n ...(service.spec.clusterIP ? [{ toCidr: `${service.spec.clusterIP}/32` }] : []),\n ],\n },\n { provider },\n )\n\n NetworkPolicy.create(\n `allow-ingress-to-${getAppName(service.metadata)}`,\n {\n name: `allow-ingress-from-${appName}`,\n\n cni: inputs.k8sCluster.info.cni,\n namespace: service.metadata.namespace,\n selector: service.spec.selector,\n\n description: `Allow ingress traffic from the WireGuard node \"${appName}\" to the service \"${displayName}\".`,\n\n ingressRule: {\n fromNamespace: namespace,\n fromSelector: selector,\n },\n },\n { provider },\n )\n}\n\nfor (const peer of peers) {\n if (!peer.endpoint) {\n continue\n }\n\n const [endpoint, port] = peer.endpoint.split(\":\")\n\n NetworkPolicy.create(\n `allow-egress-to-peer-${peer.name}`,\n {\n cni: inputs.k8sCluster.info.cni,\n namespace,\n selector,\n\n description: `Allow egress traffic from the WireGuard node to the endpoint of the peer \"${peer.name}\".`,\n\n egressRule: {\n toEndpoint: endpoint,\n toPort: { port: port ? parseInt(port) : 51820, protocol: \"UDP\" },\n },\n },\n { provider },\n )\n}\n\nexport default outputs({\n deployment: deployment?.entity,\n interface: {\n name: interfaceName,\n deployment: deployment?.entity,\n },\n service: service?.apply(service => service?.entity),\n $terminals: [deployment?.terminal],\n})\n"],"mappings":";;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAGK;AACP,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AACnC,SAAS,YAAY;AACrB,SAAS,iBAAiB;AAG1B,IAAM,EAAE,MAAM,MAAM,QAAQ,QAAQ,IAAI,QAAQ,UAAU,IAAI;AAE9D,IAAM,EAAE,UAAU,MAAM,IAAI,MAAM,UAAU,MAAM;AAElD,IAAM,gBAAgB,SAAS,QAAQ,MAAM,WAAW,KAAK,GAAG;AAChE,IAAM,UAAU,KAAK,WAAW,MAAM,YAAY;AAClD,IAAM,cAAc,KAAK,eAAe;AAExC,IAAM,WAAW,MAAM,eAAe,OAAO,UAAU;AAEvD,IAAM,oBAAoB,MAAM;AAAA,EAC9B,OAAO,YAAY,UAAU,aAC3B,OAAO,aAAa,UAAU,aAC9B,OAAO,WAAW,WAAW,SAAS;AAC1C;AAEA,IAAM,YAAY,oBACd,aAAa,mBAAmB,QAAQ,IACxC,gBAAgB,SAAS,QAAQ;AAErC,IAAI,KAAK,GAAG;AAAA,EACV;AAAA,EACA;AAAA,IACE,UAAU;AAAA,MACR,MAAM,UAAU,SAAS;AAAA,MACzB,QAAQ;AAAA,QACN,sCAAsC;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAAA,EACA,EAAE,SAAS;AACb;AAEA,IAAM,aAAa,SAAS,cAAc,KAAK;AAC/C,IAAM,aAAa,SAAS,cAAc,KAAK;AAE/C,IAAM,sBAAsB,MAAM,UAAU,OAAO,SAAS;AAE5D,IAAM,SAAmB;AAAA;AAAA;AAAA,EAGvB;AACF;AAEA,IAAI,qBAAqB;AAEvB,SAAO;AAAA,IACL,uCAAuC,oBAAoB,IAAI;AAAA,EACjE;AAGA,SAAO,KAAK,qDAAqD;AAGjE,SAAO,KAAK,8CAA8C;AAC5D;AAEA,IAAM,gBAAgB,aAAa,UAAU,GAAG,EAAE;AAElD,IAAM,eAAe,IAAI,KAAK,GAAG;AAAA,EAC/B;AAAA,EACA;AAAA,IACE,UAAU,YAAY,EAAE,MAAM,SAAS,UAAU,CAAC;AAAA,IAClD,YAAY;AAAA,MACV,CAAC,GAAG,aAAa,OAAO,GAAG,uBAAuB;AAAA,QAChD;AAAA,QACA;AAAA,QACA;AAAA,QACA,KAAK,KAAK;AAAA,QACV;AAAA,QACA,kBAAkB;AAAA,MACpB,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EACA,EAAE,SAAS;AACb;AAEA,IAAM,kBAAoD;AAAA,EACxD;AAAA,EACA,SAAS,OAAO;AAAA,EAEhB,WAAW;AAAA,IACT;AAAA,MACE,OAAO;AAAA,MAEP,aAAa;AAAA,QACX,MAAM;AAAA,QACN,MAAM;AAAA,QACN,IAAI;AAAA,MACN;AAAA,MAEA,iBAAiB;AAAA,QACf,cAAc;AAAA,UACZ,KAAK,CAAC,WAAW;AAAA,QACnB;AAAA,MACF;AAAA,MAEA,MACE,SAAS,YAAY,aACjB,EAAE,eAAe,YAAY,UAAU,MAAM,IAC7C;AAAA,MAEN,aAAa;AAAA,QACX,QAAQ;AAAA,QACR,WAAW;AAAA,MACb;AAAA,IACF;AAAA,IACA,KAAK,iBAAiB,CAAC;AAAA,EACzB;AAAA,EAEA,SACE,SAAS,YAAY,aACjB;AAAA,IACE,MAAM;AAAA,IACN,aAAa,aAAa,CAAC,UAAU,IAAI;AAAA,IAEzC,MAAM;AAAA,MACJ,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU,gBAAgB,cAAc,aAAa;AAAA,IACvD;AAAA,EACF,IACA;AACR;AAEA,IAAM,aAAa,CAAC,OAAO,cACvB,WAAW;AAAA,EACT;AAAA,EACA,EAAE,GAAG,iBAAiB,OAAO,OAAO,cAAc,OAAO,WAAW,WAAW;AAAA,EAC/E,EAAE,SAAS;AACb,IACA;AAEJ,IAAM,cAAc,OAAO,cACvB,YAAY,OAAO,SAAS,EAAE,GAAG,iBAAiB,OAAO,OAAO,YAAY,GAAG,EAAE,SAAS,CAAC,IAC3F;AAEJ,IAAM,WAAW,YAAY,KAAK,YAAY,aAAa,KAAK;AAChE,IAAM,UAAU,YAAY,mBAAmB,aAAa;AAE5D,IAAI,cAAc,YAAY;AAC5B,gBAAc;AAAA,IACZ;AAAA,IACA;AAAA,MACE,KAAK,OAAO,WAAW,KAAK;AAAA,MAC5B;AAAA,MACA;AAAA,MAEA,aAAa;AAAA,MAEb,aAAa;AAAA,QACX,SAAS;AAAA,QACT,QAAQ,EAAE,MAAM,YAAY,UAAU,MAAM;AAAA,MAC9C;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,IAAI,SAAS,UAAU;AACrB,gBAAc;AAAA,IACZ;AAAA,IACA;AAAA,MACE,KAAK,OAAO,WAAW,KAAK;AAAA,MAC5B;AAAA,MACA;AAAA,MAEA,aAAa;AAAA,MAEb,YAAY;AAAA,QACV,OAAO;AAAA,MACT;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,WAAWA,YAAW,SAAS,aAAa;AAC1C,QAAM,cAAc,kBAAkBA,SAAQ,QAAQ;AAEtD,gBAAc;AAAA,IACZ,mBAAmB,WAAWA,SAAQ,QAAQ,CAAC;AAAA,IAC/C;AAAA,MACE,KAAK,OAAO,WAAW,KAAK;AAAA,MAC5B;AAAA,MACA;AAAA,MAEA,aAAa,gEAAgE,WAAW;AAAA,MAExF,aAAa;AAAA,QACX;AAAA,UACE,aAAaA,SAAQ,SAAS;AAAA,UAC9B,YAAYA,SAAQ,KAAK;AAAA,QAC3B;AAAA;AAAA,QAGA,GAAIA,SAAQ,KAAK,YAAY,CAAC,EAAE,QAAQ,GAAGA,SAAQ,KAAK,SAAS,MAAM,CAAC,IAAI,CAAC;AAAA,MAC/E;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AAEA,gBAAc;AAAA,IACZ,oBAAoB,WAAWA,SAAQ,QAAQ,CAAC;AAAA,IAChD;AAAA,MACE,MAAM,sBAAsB,OAAO;AAAA,MAEnC,KAAK,OAAO,WAAW,KAAK;AAAA,MAC5B,WAAWA,SAAQ,SAAS;AAAA,MAC5B,UAAUA,SAAQ,KAAK;AAAA,MAEvB,aAAa,kDAAkD,OAAO,qBAAqB,WAAW;AAAA,MAEtG,aAAa;AAAA,QACX,eAAe;AAAA,QACf,cAAc;AAAA,MAChB;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,WAAW,QAAQ,OAAO;AACxB,MAAI,CAAC,KAAK,UAAU;AAClB;AAAA,EACF;AAEA,QAAM,CAAC,UAAU,IAAI,IAAI,KAAK,SAAS,MAAM,GAAG;AAEhD,gBAAc;AAAA,IACZ,wBAAwB,KAAK,IAAI;AAAA,IACjC;AAAA,MACE,KAAK,OAAO,WAAW,KAAK;AAAA,MAC5B;AAAA,MACA;AAAA,MAEA,aAAa,6EAA6E,KAAK,IAAI;AAAA,MAEnG,YAAY;AAAA,QACV,YAAY;AAAA,QACZ,QAAQ,EAAE,MAAM,OAAO,SAAS,IAAI,IAAI,OAAO,UAAU,MAAM;AAAA,MACjE;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,IAAO,eAAQ,QAAQ;AAAA,EACrB,YAAY,YAAY;AAAA,EACxB,WAAW;AAAA,IACT,MAAM;AAAA,IACN,YAAY,YAAY;AAAA,EAC1B;AAAA,EACA,SAAS,SAAS,MAAM,CAAAA,aAAWA,UAAS,MAAM;AAAA,EAClD,YAAY,CAAC,YAAY,QAAQ;AACnC,CAAC;","names":["service"]}

package/dist/peer/index.js CHANGED Viewed

@@ -1,22 +1,38 @@
-import { wireguard } from '@highstate/library';
-import { forUnit } from '@highstate/pulumi';
+import {
+  calculateAllowedIps,
+  calculateExcludedIps
+} from "../chunk-HWKQLLAH.js";
-const { name, args, inputs, outputs } = forUnit(wireguard.peer);
-const calculatedAllowedIpds = args.address ? [args.address] : [];
-const argsAllowedIpsString = args.allowedIps?.join(", ");
-const calculatedAllowedIpsString = calculatedAllowedIpds.join(", ");
-var index = outputs({
+// src/peer/index.ts
+import { wireguard } from "@highstate/library";
+import { forUnit, toPromise } from "@highstate/pulumi";
+var { name, args, inputs, outputs } = forUnit(wireguard.peer);
+var network = await toPromise(inputs.network);
+var allowedIps = calculateAllowedIps(args, network);
+var excludedIps = calculateExcludedIps(args, network);
+var peer_default = outputs({
   peer: {
     name: args.peerName ?? name,
     network: inputs.network,
     address: args.address,
     publicKey: args.publicKey,
-    allowedIps: args.allowedIps ?? calculatedAllowedIpds,
-    endpoint: args.endpoint
+    allowedIps,
+    endpoint: args.endpoint,
+    excludedIps,
+    dns: args.dns
   },
   $status: {
-    allowedIps: calculatedAllowedIpsString !== argsAllowedIpsString ? calculatedAllowedIpsString : void 0
+    allowedIps: {
+      value: allowedIps.join(", "),
+      complementaryTo: "allowedIps"
+    },
+    excludedIps: {
+      value: excludedIps.join(", "),
+      complementaryTo: "excludedIps"
+    }
   }
 });
-export { index as default };
+export {
+  peer_default as default
+};
+//# sourceMappingURL=index.js.map

package/dist/peer/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/peer/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { calculateAllowedIps, calculateExcludedIps } from \"../shared\"\n\nconst { name, args, inputs, outputs } = forUnit(wireguard.peer)\n\nconst network = await toPromise(inputs.network)\n\nconst allowedIps = calculateAllowedIps(args, network)\nconst excludedIps = calculateExcludedIps(args, network)\n\nexport default outputs({\n peer: {\n name: args.peerName ?? name,\n network: inputs.network,\n address: args.address,\n publicKey: args.publicKey,\n allowedIps,\n endpoint: args.endpoint,\n excludedIps,\n dns: args.dns,\n },\n $status: {\n allowedIps: {\n value: allowedIps.join(\", \"),\n complementaryTo: \"allowedIps\",\n },\n excludedIps: {\n value: excludedIps.join(\", \"),\n complementaryTo: \"excludedIps\",\n },\n },\n})\n"],"mappings":";;;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AAGnC,IAAM,EAAE,MAAM,MAAM,QAAQ,QAAQ,IAAI,QAAQ,UAAU,IAAI;AAE9D,IAAM,UAAU,MAAM,UAAU,OAAO,OAAO;AAE9C,IAAM,aAAa,oBAAoB,MAAM,OAAO;AACpD,IAAM,cAAc,qBAAqB,MAAM,OAAO;AAEtD,IAAO,eAAQ,QAAQ;AAAA,EACrB,MAAM;AAAA,IACJ,MAAM,KAAK,YAAY;AAAA,IACvB,SAAS,OAAO;AAAA,IAChB,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,IAChB;AAAA,IACA,UAAU,KAAK;AAAA,IACf;AAAA,IACA,KAAK,KAAK;AAAA,EACZ;AAAA,EACA,SAAS;AAAA,IACP,YAAY;AAAA,MACV,OAAO,WAAW,KAAK,IAAI;AAAA,MAC3B,iBAAiB;AAAA,IACnB;AAAA,IACA,aAAa;AAAA,MACX,OAAO,YAAY,KAAK,IAAI;AAAA,MAC5B,iBAAiB;AAAA,IACnB;AAAA,EACF;AACF,CAAC;","names":[]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/wireguard",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "type": "module",
   "files": [
     "dist"
@@ -9,6 +9,7 @@
     "./network": "./dist/network/index.js",
     "./identity": "./dist/identity/index.js",
     "./config": "./dist/config/index.js",
+    "./config-bundle": "./dist/config-bundle/index.js",
     "./node": "./dist/node/index.js",
     "./peer": "./dist/peer/index.js"
   },
@@ -16,19 +17,24 @@
     "access": "public"
   },
   "scripts": {
-    "build": "pkgroll --tsconfig=tsconfig.build.json"
+    "build": "highstate build"
   },
   "dependencies": {
-    "@highstate/k8s": "^0.7.2",
-    "@highstate/pulumi": "^0.7.2",
+    "@highstate/common": "^0.7.3",
+    "@highstate/contract": "^0.7.3",
+    "@highstate/k8s": "^0.7.3",
+    "@highstate/pulumi": "^0.7.3",
     "@noble/curves": "^1.8.0",
-    "@pulumi/kubernetes": "^4.18.0"
+    "@pulumi/kubernetes": "^4.18.0",
+    "deepmerge-ts": "^7.1.5",
+    "zip-stream": "^7.0.2"
   },
   "peerDependencies": {
     "@highstate/library": "workspace:^0.4.4"
   },
   "devDependencies": {
-    "pkgroll": "^2.5.1"
+    "@highstate/cli": "^0.7.3",
+    "@types/zip-stream": "^7.0.0"
   },
-  "gitHead": "e177535015e0fa3c74ae8ddc0bc6d31b191d2c54"
+  "gitHead": "5cf7cec27262c8fa1d96f6478833b94841459d64"
 }

package/dist/shared-D24icZbJ.js DELETED Viewed

@@ -1,91 +0,0 @@
-import { x25519 } from '@noble/curves/ed25519';
-const crypto = typeof globalThis === "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
-function randomBytes(bytesLength = 32) {
-  if (crypto && typeof crypto.getRandomValues === "function") {
-    return crypto.getRandomValues(new Uint8Array(bytesLength));
-  }
-  if (crypto && typeof crypto.randomBytes === "function") {
-    return crypto.randomBytes(bytesLength);
-  }
-  throw new Error("crypto.getRandomValues must be defined");
-}
-function generateKey() {
-  const key = x25519.utils.randomPrivateKey();
-  return Buffer.from(key).toString("base64");
-}
-function convertPrivateKeyToPublicKey(privateKey) {
-  const key = Buffer.from(privateKey, "base64");
-  return Buffer.from(x25519.getPublicKey(key)).toString("base64");
-}
-function generatePresharedKey() {
-  const key = randomBytes(32);
-  return Buffer.from(key).toString("base64");
-}
-function combinePresharedKeyParts(part1, part2) {
-  const key1 = Buffer.from(part1, "base64");
-  const key2 = Buffer.from(part2, "base64");
-  const result = new Uint8Array(32);
-  for (let i = 0; i < 32; i++) {
-    result[i] = key1[i] ^ key2[i];
-  }
-  return Buffer.from(result).toString("base64");
-}
-function generatePeerConfig(identity, peer) {
-  const lines = [
-    "[Peer]",
-    `# ${peer.name}`,
-    `PublicKey = ${peer.publicKey}`,
-    `AllowedIPs = ${peer.allowedIps.join(", ")}`
-  ];
-  if (peer.endpoint) {
-    lines.push(`Endpoint = ${peer.endpoint}`);
-  }
-  if (identity.presharedKeyPart && peer.presharedKeyPart) {
-    const presharedKey = combinePresharedKeyParts(identity.presharedKeyPart, peer.presharedKeyPart);
-    lines.push(`PresharedKey = ${presharedKey}`);
-  } else if (identity.network?.globalPresharedKey) {
-    if (identity.network.globalPresharedKey !== peer.network?.globalPresharedKey) {
-      throw new Error("The global preshared key must be the same for all peers.");
-    }
-    lines.push(`PresharedKey = ${identity.network.globalPresharedKey}`);
-  }
-  return lines.join("\n");
-}
-function generateIdentityConfig(identity, peers, listenPort, dns, postUp) {
-  const lines = [
-    //
-    "[Interface]",
-    `# ${identity.name}`
-  ];
-  if (identity.address) {
-    lines.push(`Address = ${identity.address}`);
-  }
-  lines.push(
-    //
-    `PrivateKey = ${identity.privateKey}`,
-    "MTU = 1280"
-  );
-  if (dns) {
-    lines.push(`DNS = ${dns.join(", ")}`);
-  }
-  if (listenPort) {
-    lines.push(`ListenPort = ${listenPort}`);
-  }
-  if (postUp) {
-    lines.push();
-    for (const command of postUp) {
-      lines.push(`PostUp = ${command}`);
-    }
-  }
-  const otherPeers = peers.filter((peer) => peer.name !== identity.name);
-  for (const peer of otherPeers) {
-    lines.push("");
-    lines.push(generatePeerConfig(identity, peer));
-  }
-  return lines.join("\n");
-}
-export { generatePresharedKey as a, generateIdentityConfig as b, convertPrivateKeyToPublicKey as c, generateKey as g };