@highstate/wireguard 0.8.0 → 0.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{chunk-EIST65M3.js → chunk-7BHZHUOK.js} +39 -6
- package/dist/chunk-7BHZHUOK.js.map +1 -0
- package/dist/config/index.js +1 -1
- package/dist/config-bundle/index.js +1 -1
- package/dist/highstate.manifest.json +6 -6
- package/dist/identity/index.js +7 -8
- package/dist/identity/index.js.map +1 -1
- package/dist/node/index.js +18 -3
- package/dist/node/index.js.map +1 -1
- package/dist/peer/index.js +16 -9
- package/dist/peer/index.js.map +1 -1
- package/package.json +7 -7
- package/dist/chunk-EIST65M3.js.map +0 -1
|
@@ -139,7 +139,10 @@ function generateIdentityConfig({
|
|
|
139
139
|
peers,
|
|
140
140
|
listenPort,
|
|
141
141
|
dns,
|
|
142
|
+
preUp,
|
|
142
143
|
postUp,
|
|
144
|
+
preDown,
|
|
145
|
+
postDown,
|
|
143
146
|
defaultInterface
|
|
144
147
|
}) {
|
|
145
148
|
const allDns = i(peers.flatMap((peer) => peer.dns ?? []).concat(dns ?? []));
|
|
@@ -163,12 +166,30 @@ function generateIdentityConfig({
|
|
|
163
166
|
if (listenPort) {
|
|
164
167
|
lines.push(`ListenPort = ${listenPort}`);
|
|
165
168
|
}
|
|
169
|
+
if (preUp) {
|
|
170
|
+
lines.push();
|
|
171
|
+
for (const command of preUp) {
|
|
172
|
+
lines.push(`PreUp = ${command}`);
|
|
173
|
+
}
|
|
174
|
+
}
|
|
166
175
|
if (postUp) {
|
|
167
176
|
lines.push();
|
|
168
177
|
for (const command of postUp) {
|
|
169
178
|
lines.push(`PostUp = ${command}`);
|
|
170
179
|
}
|
|
171
180
|
}
|
|
181
|
+
if (preDown) {
|
|
182
|
+
lines.push();
|
|
183
|
+
for (const command of preDown) {
|
|
184
|
+
lines.push(`PreDown = ${command}`);
|
|
185
|
+
}
|
|
186
|
+
}
|
|
187
|
+
if (postDown) {
|
|
188
|
+
lines.push();
|
|
189
|
+
for (const command of postDown) {
|
|
190
|
+
lines.push(`PostDown = ${command}`);
|
|
191
|
+
}
|
|
192
|
+
}
|
|
172
193
|
if (defaultInterface) {
|
|
173
194
|
for (const excludedIp of excludedIps) {
|
|
174
195
|
lines.push(`PostUp = ip route add ${excludedIp} dev ${defaultInterface}`);
|
|
@@ -224,17 +245,29 @@ function calculateExcludedIps({ excludedIps, excludePrivateIps }, network) {
|
|
|
224
245
|
}
|
|
225
246
|
return Array.from(result);
|
|
226
247
|
}
|
|
227
|
-
function calculateEndpoint({
|
|
248
|
+
function calculateEndpoint({
|
|
249
|
+
externalIp,
|
|
250
|
+
listenPort,
|
|
251
|
+
fqdn,
|
|
252
|
+
endpoint,
|
|
253
|
+
clusterInfo
|
|
254
|
+
}) {
|
|
228
255
|
if (endpoint) {
|
|
229
|
-
return
|
|
256
|
+
return {
|
|
257
|
+
endpoint,
|
|
258
|
+
externalIp,
|
|
259
|
+
listenPort
|
|
260
|
+
};
|
|
230
261
|
}
|
|
262
|
+
fqdn ??= clusterInfo?.fqdn;
|
|
263
|
+
externalIp ??= clusterInfo?.externalIps[0];
|
|
231
264
|
if (fqdn && listenPort) {
|
|
232
|
-
return `${fqdn}:${listenPort}
|
|
265
|
+
return { endpoint: `${fqdn}:${listenPort}`, fqdn, externalIp };
|
|
233
266
|
}
|
|
234
267
|
if (externalIp && listenPort) {
|
|
235
|
-
return `${externalIp}:${listenPort}
|
|
268
|
+
return { endpoint: `${externalIp}:${listenPort}`, externalIp, fqdn };
|
|
236
269
|
}
|
|
237
|
-
return
|
|
270
|
+
return { endpoint, externalIp, listenPort, fqdn };
|
|
238
271
|
}
|
|
239
272
|
|
|
240
273
|
export {
|
|
@@ -251,4 +284,4 @@ export {
|
|
|
251
284
|
@noble/hashes/esm/utils.js:
|
|
252
285
|
(*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
|
|
253
286
|
*/
|
|
254
|
-
//# sourceMappingURL=chunk-
|
|
287
|
+
//# sourceMappingURL=chunk-7BHZHUOK.js.map
|
|
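Review bot: The rewritten `calculateEndpoint` (new lines 248-271) omits `fqdn` from its early return at lines 256-260 and only applies the `clusterInfo` defaults at lines 262-263 after that return, so a caller passing an explicit `endpoint` gets `fqdn: undefined` even when one was supplied and never has `externalIp` filled from the cluster; `identity/index.js` line 24 destructures exactly `{ endpoint, externalIp, fqdn }` and its line 26 skips the DNS record whenever `externalIp` is missing. Moving the two `??=` lines above the `if (endpoint)` block and returning `return { endpoint, externalIp, listenPort, fqdn };` there makes the four return shapes consistent. In the second hunk, the new `lines.push();` calls at lines 170, 182 and 188 (copied from the existing one at 176) push nothing; if a blank separator line was intended they should be `lines.push("");`, as the peer loop further down already does. The `PreUp`/`PreDown`/`PostDown` values are interpolated verbatim into the config, so a command string containing a newline would continue as further config directives; rejecting such values up front, e.g. `if (command.includes("\n")) throw new Error("command must not contain newlines");`, keeps each argument to a single directive. The rest of `generateIdentityConfig` lies outside these hunks.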
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/shared.ts","../../../node_modules/@noble/hashes/src/cryptoNode.ts","../../../node_modules/@noble/hashes/src/utils.ts","../../../node_modules/remeda/dist/chunk-ANXBDSUI.js","../../../node_modules/remeda/dist/chunk-3GOCSNFN.js","../../../node_modules/remeda/dist/chunk-LFJW7BOT.js","../../../node_modules/remeda/dist/chunk-QJLMYOTX.js"],"sourcesContent":["import type { k8s, wireguard } from \"@highstate/library\"\nimport { x25519 } from \"@noble/curves/ed25519\"\nimport { randomBytes } from \"@noble/hashes/utils\"\nimport { unique } from \"remeda\"\n\nexport function generateKey(): string {\n const key = x25519.utils.randomPrivateKey()\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function convertPrivateKeyToPublicKey(privateKey: string): string {\n const key = Buffer.from(privateKey, \"base64\")\n\n return Buffer.from(x25519.getPublicKey(key)).toString(\"base64\")\n}\n\nexport function generatePresharedKey(): string {\n const key = randomBytes(32)\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function combinePresharedKeyParts(part1: string, part2: string): string {\n const key1 = Buffer.from(part1, \"base64\")\n const key2 = Buffer.from(part2, \"base64\")\n const result = new Uint8Array(32)\n\n for (let i = 0; i < 32; i++) {\n result[i] = key1[i] ^ key2[i]\n }\n\n return Buffer.from(result).toString(\"base64\")\n}\n\nfunction generatePeerConfig(identity: wireguard.Identity, peer: wireguard.Peer): string {\n const lines = [\n //\n \"[Peer]\",\n `# ${peer.name}`,\n `PublicKey = ${peer.publicKey}`,\n ]\n\n if (peer.allowedIps.length > 0) {\n lines.push(`AllowedIPs = ${peer.allowedIps.join(\", \")}`)\n }\n\n if (peer.endpoint) {\n lines.push(`Endpoint = ${peer.endpoint}`)\n }\n\n if (identity.presharedKeyPart && peer.presharedKeyPart) {\n const presharedKey = combinePresharedKeyParts(identity.presharedKeyPart, peer.presharedKeyPart)\n\n lines.push(`PresharedKey = ${presharedKey}`)\n } else if 
(identity.network?.globalPresharedKey) {\n if (identity.network.globalPresharedKey !== peer.network?.globalPresharedKey) {\n throw new Error(\"The global preshared key must be the same for all peers.\")\n }\n\n lines.push(`PresharedKey = ${identity.network.globalPresharedKey}`)\n }\n\n return lines.join(\"\\n\")\n}\n\nexport type IdentityConfigArgs = {\n identity: wireguard.Identity\n peers: wireguard.Peer[]\n listenPort?: number\n dns?: string[]\n postUp?: string[]\n preUp?: string[]\n preDown?: string[]\n postDown?: string[]\n defaultInterface?: string\n}\n\nexport function generateIdentityConfig({\n identity,\n peers,\n listenPort,\n dns,\n preUp,\n postUp,\n preDown,\n postDown,\n defaultInterface,\n}: IdentityConfigArgs): string {\n const allDns = unique(peers.flatMap(peer => peer.dns ?? []).concat(dns ?? []))\n const excludedIps = unique(peers.flatMap(peer => peer.excludedIps ?? []))\n\n const lines = [\n //\n \"[Interface]\",\n `# ${identity.name}`,\n ]\n\n if (identity.address) {\n lines.push(`Address = ${identity.address}`)\n }\n\n lines.push(\n //\n `PrivateKey = ${identity.privateKey}`,\n \"MTU = 1280\",\n )\n\n if (allDns.length > 0) {\n lines.push(`DNS = ${allDns.join(\", \")}`)\n }\n\n if (listenPort) {\n lines.push(`ListenPort = ${listenPort}`)\n }\n\n if (preUp) {\n lines.push()\n for (const command of preUp) {\n lines.push(`PreUp = ${command}`)\n }\n }\n\n if (postUp) {\n lines.push()\n for (const command of postUp) {\n lines.push(`PostUp = ${command}`)\n }\n }\n\n if (preDown) {\n lines.push()\n for (const command of preDown) {\n lines.push(`PreDown = ${command}`)\n }\n }\n\n if (postDown) {\n lines.push()\n for (const command of postDown) {\n lines.push(`PostDown = ${command}`)\n }\n }\n\n if (defaultInterface) {\n for (const excludedIp of excludedIps) {\n lines.push(`PostUp = ip route add ${excludedIp} dev ${defaultInterface}`)\n }\n }\n\n const otherPeers = peers.filter(peer => peer.name !== identity.name)\n\n for (const peer of otherPeers) {\n 
lines.push(\"\")\n lines.push(generatePeerConfig(identity, peer))\n }\n\n return lines.join(\"\\n\")\n}\n\ntype AllowedIpsArgs = {\n address?: string\n allowedIps?: string[]\n exitNode?: boolean\n}\n\nexport function calculateAllowedIps(\n { address, allowedIps, exitNode }: AllowedIpsArgs,\n network: wireguard.Network | undefined,\n k8sServices?: k8s.Service[],\n): string[] {\n const result = new Set<string>()\n\n if (address) {\n result.add(address)\n }\n\n if (allowedIps) {\n for (const ip of allowedIps) {\n result.add(ip)\n }\n }\n\n if (exitNode) {\n result.add(\"0.0.0.0/0\")\n\n if (network?.ipv6) {\n result.add(\"::/0\")\n }\n }\n\n if (k8sServices) {\n for (const service of k8sServices) {\n if (service.spec.clusterIP) {\n result.add(service.spec.clusterIP)\n }\n }\n }\n\n return Array.from(result)\n}\n\ntype ExcludedIpsArgs = {\n excludedIps?: string[]\n excludePrivateIps?: boolean\n}\n\nexport function calculateExcludedIps(\n { excludedIps, excludePrivateIps }: ExcludedIpsArgs,\n network: wireguard.Network | undefined,\n): string[] {\n const result = new Set<string>()\n\n if (excludedIps) {\n for (const ip of excludedIps) {\n result.add(ip)\n }\n }\n\n if (excludePrivateIps) {\n result.add(\"10.0.0.0/8\")\n result.add(\"172.16.0.0/12\")\n result.add(\"192.168.0.0/16\")\n\n if (network?.ipv6) {\n result.add(\"fc00::/7\")\n result.add(\"fe80::/10\")\n }\n }\n\n return Array.from(result)\n}\n\ntype EndpointArgs = {\n externalIp?: string\n listenPort?: number\n endpoint?: string\n fqdn?: string\n clusterInfo?: k8s.ClusterInfo\n}\n\nexport function calculateEndpoint({\n externalIp,\n listenPort,\n fqdn,\n endpoint,\n clusterInfo,\n}: EndpointArgs): EndpointArgs {\n if (endpoint) {\n return {\n endpoint,\n externalIp,\n listenPort,\n }\n }\n\n fqdn ??= clusterInfo?.fqdn\n externalIp ??= clusterInfo?.externalIps[0]\n\n if (fqdn && listenPort) {\n return { endpoint: `${fqdn}:${listenPort}`, fqdn, externalIp }\n }\n\n if (externalIp && listenPort) {\n return { 
endpoint: `${externalIp}:${listenPort}`, externalIp, fqdn }\n }\n\n return { endpoint, externalIp, listenPort, fqdn }\n}\n","/**\n * Internal webcrypto alias.\n * We prefer WebCrypto aka globalThis.crypto, which exists in node.js 16+.\n * Falls back to Node.js built-in crypto for Node.js <=v14.\n * See utils.ts for details.\n * @module\n */\n// @ts-ignore\nimport * as nc from 'node:crypto';\nexport const crypto: any =\n nc && typeof nc === 'object' && 'webcrypto' in nc\n ? (nc.webcrypto as any)\n : nc && typeof nc === 'object' && 'randomBytes' in nc\n ? nc\n : undefined;\n","/**\n * Utilities for hex, bytes, CSPRNG.\n * @module\n */\n/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n\n// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.\n// node.js versions earlier than v19 don't declare it in global scope.\n// For node.js, package.json#exports field mapping rewrites import\n// from `crypto` to `cryptoNode`, which imports native module.\n// Makes the utils un-importable in browsers without a bundler.\n// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.\nimport { crypto } from '@noble/hashes/crypto';\nimport { abytes } from './_assert.js';\n// export { isBytes } from './_assert.js';\n// We can't reuse isBytes from _assert, because somehow this causes huge perf issues\nexport function isBytes(a: unknown): a is Uint8Array {\n return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');\n}\n\n// prettier-ignore\nexport type TypedArray = Int8Array | Uint8ClampedArray | Uint8Array |\n Uint16Array | Int16Array | Uint32Array | Int32Array;\n\n// Cast array to different type\nexport function u8(arr: TypedArray): Uint8Array {\n return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);\n}\nexport function u32(arr: TypedArray): Uint32Array {\n return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n}\n\n// Cast array to 
view\nexport function createView(arr: TypedArray): DataView {\n return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n\n/** The rotate right (circular right shift) operation for uint32 */\nexport function rotr(word: number, shift: number): number {\n return (word << (32 - shift)) | (word >>> shift);\n}\n/** The rotate left (circular left shift) operation for uint32 */\nexport function rotl(word: number, shift: number): number {\n return (word << shift) | ((word >>> (32 - shift)) >>> 0);\n}\n\n/** Is current platform little-endian? Most are. Big-Endian platform: IBM */\nexport const isLE: boolean = /* @__PURE__ */ (() =>\n new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();\n// The byte swap operation for uint32\nexport function byteSwap(word: number): number {\n return (\n ((word << 24) & 0xff000000) |\n ((word << 8) & 0xff0000) |\n ((word >>> 8) & 0xff00) |\n ((word >>> 24) & 0xff)\n );\n}\n/** Conditionally byte swap if on a big-endian platform */\nexport const byteSwapIfBE: (n: number) => number = isLE\n ? 
(n: number) => n\n : (n: number) => byteSwap(n);\n\n/** In place byte swap for Uint32Array */\nexport function byteSwap32(arr: Uint32Array): void {\n for (let i = 0; i < arr.length; i++) {\n arr[i] = byteSwap(arr[i]);\n }\n}\n\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>\n i.toString(16).padStart(2, '0')\n);\n/**\n * Convert byte array to hex string.\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes: Uint8Array): string {\n abytes(bytes);\n // pre-caching improves the speed 6x\n let hex = '';\n for (let i = 0; i < bytes.length; i++) {\n hex += hexes[bytes[i]];\n }\n return hex;\n}\n\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 } as const;\nfunction asciiToBase16(ch: number): number | undefined {\n if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0; // '2' => 50-48\n if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10); // 'B' => 66-(65-10)\n if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10); // 'b' => 98-(97-10)\n return;\n}\n\n/**\n * Convert hex string to byte array.\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex: string): Uint8Array {\n if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);\n const hl = hex.length;\n const al = hl / 2;\n if (hl % 2) throw new Error('hex string expected, got unpadded hex of length ' + hl);\n const array = new Uint8Array(al);\n for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n const n1 = asciiToBase16(hex.charCodeAt(hi));\n const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n if (n1 === undefined || n2 === undefined) {\n const char = hex[hi] + hex[hi + 1];\n throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n 
}\n array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163\n }\n return array;\n}\n\n/**\n * There is no setImmediate in browser and setTimeout is slow.\n * Call of async fn will return Promise, which will be fullfiled only on\n * next scheduler queue processing step and this is exactly what we need.\n */\nexport const nextTick = async (): Promise<void> => {};\n\n/** Returns control to thread each 'tick' ms to avoid blocking. */\nexport async function asyncLoop(\n iters: number,\n tick: number,\n cb: (i: number) => void\n): Promise<void> {\n let ts = Date.now();\n for (let i = 0; i < iters; i++) {\n cb(i);\n // Date.now() is not monotonic, so in case if clock goes backwards we return return control too\n const diff = Date.now() - ts;\n if (diff >= 0 && diff < tick) continue;\n await nextTick();\n ts += diff;\n }\n}\n\n// Global symbols in both browsers and Node.js since v11\n// See https://github.com/microsoft/TypeScript/issues/31535\ndeclare const TextEncoder: any;\n\n/**\n * Convert JS string to byte array.\n * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])\n */\nexport function utf8ToBytes(str: string): Uint8Array {\n if (typeof str !== 'string') throw new Error('utf8ToBytes expected string, got ' + typeof str);\n return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n\n/** Accepted input of hash functions. Strings are converted to byte arrays. 
*/\nexport type Input = Uint8Array | string;\n/**\n * Normalizes (non-hex) string or Uint8Array to Uint8Array.\n * Warning: when Uint8Array is passed, it would NOT get copied.\n * Keep in mind for future mutable operations.\n */\nexport function toBytes(data: Input): Uint8Array {\n if (typeof data === 'string') data = utf8ToBytes(data);\n abytes(data);\n return data;\n}\n\n/**\n * Copies several Uint8Arrays into one.\n */\nexport function concatBytes(...arrays: Uint8Array[]): Uint8Array {\n let sum = 0;\n for (let i = 0; i < arrays.length; i++) {\n const a = arrays[i];\n abytes(a);\n sum += a.length;\n }\n const res = new Uint8Array(sum);\n for (let i = 0, pad = 0; i < arrays.length; i++) {\n const a = arrays[i];\n res.set(a, pad);\n pad += a.length;\n }\n return res;\n}\n\n/** For runtime check if class implements interface */\nexport abstract class Hash<T extends Hash<T>> {\n abstract blockLen: number; // Bytes per block\n abstract outputLen: number; // Bytes in output\n abstract update(buf: Input): this;\n // Writes digest into buf\n abstract digestInto(buf: Uint8Array): void;\n abstract digest(): Uint8Array;\n /**\n * Resets internal state. Makes Hash instance unusable.\n * Reset is impossible for keyed hashes if key is consumed into state. If digest is not consumed\n * by user, they will need to manually call `destroy()` when zeroing is necessary.\n */\n abstract destroy(): void;\n /**\n * Clones hash instance. Unsafe: doesn't check whether `to` is valid. 
Can be used as `clone()`\n * when no options are passed.\n * Reasons to use `_cloneInto` instead of clone: 1) performance 2) reuse instance => all internal\n * buffers are overwritten => causes buffer overwrite which is used for digest in some cases.\n * There are no guarantees for clean-up because it's impossible in JS.\n */\n abstract _cloneInto(to?: T): T;\n // Safe version that clones internal state\n clone(): T {\n return this._cloneInto();\n }\n}\n\n/**\n * XOF: streaming API to read digest in chunks.\n * Same as 'squeeze' in keccak/k12 and 'seek' in blake3, but more generic name.\n * When hash used in XOF mode it is up to user to call '.destroy' afterwards, since we cannot\n * destroy state, next call can require more bytes.\n */\nexport type HashXOF<T extends Hash<T>> = Hash<T> & {\n xof(bytes: number): Uint8Array; // Read 'bytes' bytes from digest stream\n xofInto(buf: Uint8Array): Uint8Array; // read buf.length bytes from digest stream into buf\n};\n\ntype EmptyObj = {};\nexport function checkOpts<T1 extends EmptyObj, T2 extends EmptyObj>(\n defaults: T1,\n opts?: T2\n): T1 & T2 {\n if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')\n throw new Error('Options should be object or undefined');\n const merged = Object.assign(defaults, opts);\n return merged as T1 & T2;\n}\n\n/** Hash function */\nexport type CHash = ReturnType<typeof wrapConstructor>;\n/** Hash function with output */\nexport type CHashO = ReturnType<typeof wrapConstructorWithOpts>;\n/** XOF with output */\nexport type CHashXO = ReturnType<typeof wrapXOFConstructorWithOpts>;\n\n/** Wraps hash function, creating an interface on top of it */\nexport function wrapConstructor<T extends Hash<T>>(\n hashCons: () => Hash<T>\n): {\n (msg: Input): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(): Hash<T>;\n} {\n const hashC = (msg: Input): Uint8Array => hashCons().update(toBytes(msg)).digest();\n const tmp = hashCons();\n hashC.outputLen = tmp.outputLen;\n 
hashC.blockLen = tmp.blockLen;\n hashC.create = () => hashCons();\n return hashC;\n}\n\nexport function wrapConstructorWithOpts<H extends Hash<H>, T extends Object>(\n hashCons: (opts?: T) => Hash<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts: T): Hash<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts: T) => hashCons(opts);\n return hashC;\n}\n\nexport function wrapXOFConstructorWithOpts<H extends HashXOF<H>, T extends Object>(\n hashCons: (opts?: T) => HashXOF<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts: T): HashXOF<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts: T) => hashCons(opts);\n return hashC;\n}\n\n/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. 
*/\nexport function randomBytes(bytesLength = 32): Uint8Array {\n if (crypto && typeof crypto.getRandomValues === 'function') {\n return crypto.getRandomValues(new Uint8Array(bytesLength));\n }\n // Legacy Node.js compatibility\n if (crypto && typeof crypto.randomBytes === 'function') {\n return crypto.randomBytes(bytesLength);\n }\n throw new Error('crypto.getRandomValues must be defined');\n}\n","var e={done:!0,hasNext:!1},s={done:!1,hasNext:!1},a=()=>e,o=t=>({hasNext:!0,next:t,done:!1});export{s as a,a as b,o as c};\n","import{a as A}from\"./chunk-ANXBDSUI.js\";function C(t,...o){let n=t,u=o.map(e=>\"lazy\"in e?y(e):void 0),p=0;for(;p<o.length;){if(u[p]===void 0||!B(n)){let i=o[p];n=i(n),p+=1;continue}let r=[];for(let i=p;i<o.length;i++){let l=u[i];if(l===void 0||(r.push(l),l.isSingle))break}let a=[];for(let i of n)if(f(i,a,r))break;let{isSingle:s}=r.at(-1);n=s?a[0]:a,p+=r.length}return n}function f(t,o,n){if(n.length===0)return o.push(t),!1;let u=t,p=A,e=!1;for(let[r,a]of n.entries()){let{index:s,items:i}=a;if(i.push(u),p=a(u,s,i),a.index+=1,p.hasNext){if(p.hasMany??!1){for(let l of p.next)if(f(l,o,n.slice(r+1)))return!0;return e}u=p.next}if(!p.hasNext)break;p.done&&(e=!0)}return p.hasNext&&o.push(u),e}function y(t){let{lazy:o,lazyArgs:n}=t,u=o(...n);return Object.assign(u,{isSingle:o.single??!1,index:0,items:[]})}function B(t){return typeof t==\"string\"||typeof t==\"object\"&&t!==null&&Symbol.iterator in t}export{C as a};\n","import{a as o}from\"./chunk-3GOCSNFN.js\";function y(t,i){let a=i.length-t.length;if(a===1){let[n,...r]=i;return o(n,{lazy:t,lazyArgs:r})}if(a===0){let n={lazy:t,lazyArgs:i};return Object.assign(e=>o(e,n),n)}throw new Error(\"Wrong number of arguments\")}export{y as a};\n","import{a as r}from\"./chunk-LFJW7BOT.js\";import{a as n}from\"./chunk-ANXBDSUI.js\";function i(...e){return r(a,e)}function a(){let e=new Set;return t=>e.has(t)?n:(e.add(t),{done:!1,hasNext:!0,next:t})}export{i as 
a};\n"],"mappings":";AACA,SAAS,cAAc;;;ACOvB,YAAY,QAAQ;AACb,IAAM,SACX,MAAM,OAAO,OAAO,YAAY,eAAe,KACvC,eACJ,MAAM,OAAO,OAAO,YAAY,iBAAiB,KAC/C,KACA;;;ACyRF,SAAU,YAAY,cAAc,IAAE;AAC1C,MAAI,UAAU,OAAO,OAAO,oBAAoB,YAAY;AAC1D,WAAO,OAAO,gBAAgB,IAAI,WAAW,WAAW,CAAC;EAC3D;AAEA,MAAI,UAAU,OAAO,OAAO,gBAAgB,YAAY;AACtD,WAAO,OAAO,YAAY,WAAW;EACvC;AACA,QAAM,IAAI,MAAM,wCAAwC;AAC1D;;;AChTA,IAA2B,IAAE,EAAC,MAAK,OAAG,SAAQ,MAAE;;;ACAR,SAAS,EAAE,MAAK,GAAE;AAAC,MAAI,IAAE,GAAE,IAAE,EAAE,IAAI,OAAG,UAAS,IAAE,EAAE,CAAC,IAAE,MAAM,GAAE,IAAE;AAAE,SAAK,IAAE,EAAE,UAAQ;AAAC,QAAG,EAAE,CAAC,MAAI,UAAQ,CAAC,EAAE,CAAC,GAAE;AAAC,UAAIA,KAAE,EAAE,CAAC;AAAE,UAAEA,GAAE,CAAC,GAAE,KAAG;AAAE;AAAA,IAAQ;AAAC,QAAI,IAAE,CAAC;AAAE,aAAQA,KAAE,GAAEA,KAAE,EAAE,QAAOA,MAAI;AAAC,UAAI,IAAE,EAAEA,EAAC;AAAE,UAAG,MAAI,WAAS,EAAE,KAAK,CAAC,GAAE,EAAE,UAAU;AAAA,IAAK;AAAC,QAAIC,KAAE,CAAC;AAAE,aAAQD,MAAK,EAAE,KAAG,EAAEA,IAAEC,IAAE,CAAC,EAAE;AAAM,QAAG,EAAC,UAASC,GAAC,IAAE,EAAE,GAAG,EAAE;AAAE,QAAEA,KAAED,GAAE,CAAC,IAAEA,IAAE,KAAG,EAAE;AAAA,EAAM;AAAC,SAAO;AAAC;AAAC,SAAS,EAAE,GAAE,GAAE,GAAE;AAAC,MAAG,EAAE,WAAS,EAAE,QAAO,EAAE,KAAK,CAAC,GAAE;AAAG,MAAI,IAAE,GAAE,IAAE,GAAE,IAAE;AAAG,WAAO,CAAC,GAAEA,EAAC,KAAI,EAAE,QAAQ,GAAE;AAAC,QAAG,EAAC,OAAMC,IAAE,OAAMF,GAAC,IAAEC;AAAE,QAAGD,GAAE,KAAK,CAAC,GAAE,IAAEC,GAAE,GAAEC,IAAEF,EAAC,GAAEC,GAAE,SAAO,GAAE,EAAE,SAAQ;AAAC,UAAG,EAAE,WAAS,OAAG;AAAC,iBAAQ,KAAK,EAAE,KAAK,KAAG,EAAE,GAAE,GAAE,EAAE,MAAM,IAAE,CAAC,CAAC,EAAE,QAAM;AAAG,eAAO;AAAA,MAAC;AAAC,UAAE,EAAE;AAAA,IAAI;AAAC,QAAG,CAAC,EAAE,QAAQ;AAAM,MAAE,SAAO,IAAE;AAAA,EAAG;AAAC,SAAO,EAAE,WAAS,EAAE,KAAK,CAAC,GAAE;AAAC;AAAC,SAAS,EAAE,GAAE;AAAC,MAAG,EAAC,MAAK,GAAE,UAAS,EAAC,IAAE,GAAE,IAAE,EAAE,GAAG,CAAC;AAAE,SAAO,OAAO,OAAO,GAAE,EAAC,UAAS,EAAE,UAAQ,OAAG,OAAM,GAAE,OAAM,CAAC,EAAC,CAAC;AAAC;AAAC,SAAS,EAAE,GAAE;AAAC,SAAO,OAAO,KAAG,YAAU,OAAO,KAAG,YAAU,MAAI,QAAM,OAAO,YAAY;AAAC;;;ACA11B,SAASE,GAAE,GAAEC,IAAE;AAAC,MAAIC,KAAED,GAAE,SAAO,EAAE;AAAO,MAAGC,OAAI,GAAE;AAAC,QAAG,CAAC,GAAE,GAAG,CAAC,IAAED;AAAE,WAAO,EAAE,GAAE,EAAC,MAAK,GAAE,UAAS,EAAC,CAAC;AAAA,EAAC;AAAC,MAAGC,OAAI,GAAE
;AAAC,QAAI,IAAE,EAAC,MAAK,GAAE,UAASD,GAAC;AAAE,WAAO,OAAO,OAAO,OAAG,EAAE,GAAE,CAAC,GAAE,CAAC;AAAA,EAAC;AAAC,QAAM,IAAI,MAAM,2BAA2B;AAAC;;;ACA1K,SAAS,KAAK,GAAE;AAAC,SAAOE,GAAE,GAAE,CAAC;AAAC;AAAC,SAAS,IAAG;AAAC,MAAI,IAAE,oBAAI;AAAI,SAAO,OAAG,EAAE,IAAI,CAAC,IAAE,KAAG,EAAE,IAAI,CAAC,GAAE,EAAC,MAAK,OAAG,SAAQ,MAAG,MAAK,EAAC;AAAE;;;ANK9L,SAAS,cAAsB;AACpC,QAAM,MAAM,OAAO,MAAM,iBAAiB;AAE1C,SAAO,OAAO,KAAK,GAAG,EAAE,SAAS,QAAQ;AAC3C;AAEO,SAAS,6BAA6B,YAA4B;AACvE,QAAM,MAAM,OAAO,KAAK,YAAY,QAAQ;AAE5C,SAAO,OAAO,KAAK,OAAO,aAAa,GAAG,CAAC,EAAE,SAAS,QAAQ;AAChE;AAEO,SAAS,uBAA+B;AAC7C,QAAM,MAAM,YAAY,EAAE;AAE1B,SAAO,OAAO,KAAK,GAAG,EAAE,SAAS,QAAQ;AAC3C;AAEO,SAAS,yBAAyB,OAAe,OAAuB;AAC7E,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ;AACxC,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ;AACxC,QAAM,SAAS,IAAI,WAAW,EAAE;AAEhC,WAASC,KAAI,GAAGA,KAAI,IAAIA,MAAK;AAC3B,WAAOA,EAAC,IAAI,KAAKA,EAAC,IAAI,KAAKA,EAAC;AAAA,EAC9B;AAEA,SAAO,OAAO,KAAK,MAAM,EAAE,SAAS,QAAQ;AAC9C;AAEA,SAAS,mBAAmB,UAA8B,MAA8B;AACtF,QAAM,QAAQ;AAAA;AAAA,IAEZ;AAAA,IACA,KAAK,KAAK,IAAI;AAAA,IACd,eAAe,KAAK,SAAS;AAAA,EAC/B;AAEA,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,KAAK,gBAAgB,KAAK,WAAW,KAAK,IAAI,CAAC,EAAE;AAAA,EACzD;AAEA,MAAI,KAAK,UAAU;AACjB,UAAM,KAAK,cAAc,KAAK,QAAQ,EAAE;AAAA,EAC1C;AAEA,MAAI,SAAS,oBAAoB,KAAK,kBAAkB;AACtD,UAAM,eAAe,yBAAyB,SAAS,kBAAkB,KAAK,gBAAgB;AAE9F,UAAM,KAAK,kBAAkB,YAAY,EAAE;AAAA,EAC7C,WAAW,SAAS,SAAS,oBAAoB;AAC/C,QAAI,SAAS,QAAQ,uBAAuB,KAAK,SAAS,oBAAoB;AAC5E,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AAEA,UAAM,KAAK,kBAAkB,SAAS,QAAQ,kBAAkB,EAAE;AAAA,EACpE;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAcO,SAAS,uBAAuB;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAA+B;AAC7B,QAAM,SAAS,EAAO,MAAM,QAAQ,UAAQ,KAAK,OAAO,CAAC,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC,CAAC;AAC7E,QAAM,cAAc,EAAO,MAAM,QAAQ,UAAQ,KAAK,eAAe,CAAC,CAAC,CAAC;AAExE,QAAM,QAAQ;AAAA;AAAA,IAEZ;AAAA,IACA,KAAK,SAAS,IAAI;AAAA,EACpB;AAEA,MAAI,SAAS,SAAS;AACpB,UAAM,KAAK,aAAa,SAAS,OAAO,EAAE;AAAA,EAC5C;AAEA,QAAM;AAAA;AAAA,IAEJ,gBAAgB,SAAS,UAAU;AAAA,IACnC;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,GAAG;AAC
rB,UAAM,KAAK,SAAS,OAAO,KAAK,IAAI,CAAC,EAAE;AAAA,EACzC;AAEA,MAAI,YAAY;AACd,UAAM,KAAK,gBAAgB,UAAU,EAAE;AAAA,EACzC;AAEA,MAAI,OAAO;AACT,UAAM,KAAK;AACX,eAAW,WAAW,OAAO;AAC3B,YAAM,KAAK,WAAW,OAAO,EAAE;AAAA,IACjC;AAAA,EACF;AAEA,MAAI,QAAQ;AACV,UAAM,KAAK;AACX,eAAW,WAAW,QAAQ;AAC5B,YAAM,KAAK,YAAY,OAAO,EAAE;AAAA,IAClC;AAAA,EACF;AAEA,MAAI,SAAS;AACX,UAAM,KAAK;AACX,eAAW,WAAW,SAAS;AAC7B,YAAM,KAAK,aAAa,OAAO,EAAE;AAAA,IACnC;AAAA,EACF;AAEA,MAAI,UAAU;AACZ,UAAM,KAAK;AACX,eAAW,WAAW,UAAU;AAC9B,YAAM,KAAK,cAAc,OAAO,EAAE;AAAA,IACpC;AAAA,EACF;AAEA,MAAI,kBAAkB;AACpB,eAAW,cAAc,aAAa;AACpC,YAAM,KAAK,yBAAyB,UAAU,QAAQ,gBAAgB,EAAE;AAAA,IAC1E;AAAA,EACF;AAEA,QAAM,aAAa,MAAM,OAAO,UAAQ,KAAK,SAAS,SAAS,IAAI;AAEnE,aAAW,QAAQ,YAAY;AAC7B,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,mBAAmB,UAAU,IAAI,CAAC;AAAA,EAC/C;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAQO,SAAS,oBACd,EAAE,SAAS,YAAY,SAAS,GAChC,SACA,aACU;AACV,QAAM,SAAS,oBAAI,IAAY;AAE/B,MAAI,SAAS;AACX,WAAO,IAAI,OAAO;AAAA,EACpB;AAEA,MAAI,YAAY;AACd,eAAW,MAAM,YAAY;AAC3B,aAAO,IAAI,EAAE;AAAA,IACf;AAAA,EACF;AAEA,MAAI,UAAU;AACZ,WAAO,IAAI,WAAW;AAEtB,QAAI,SAAS,MAAM;AACjB,aAAO,IAAI,MAAM;AAAA,IACnB;AAAA,EACF;AAEA,MAAI,aAAa;AACf,eAAW,WAAW,aAAa;AACjC,UAAI,QAAQ,KAAK,WAAW;AAC1B,eAAO,IAAI,QAAQ,KAAK,SAAS;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,MAAM;AAC1B;AAOO,SAAS,qBACd,EAAE,aAAa,kBAAkB,GACjC,SACU;AACV,QAAM,SAAS,oBAAI,IAAY;AAE/B,MAAI,aAAa;AACf,eAAW,MAAM,aAAa;AAC5B,aAAO,IAAI,EAAE;AAAA,IACf;AAAA,EACF;AAEA,MAAI,mBAAmB;AACrB,WAAO,IAAI,YAAY;AACvB,WAAO,IAAI,eAAe;AAC1B,WAAO,IAAI,gBAAgB;AAE3B,QAAI,SAAS,MAAM;AACjB,aAAO,IAAI,UAAU;AACrB,aAAO,IAAI,WAAW;AAAA,IACxB;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,MAAM;AAC1B;AAUO,SAAS,kBAAkB;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAA+B;AAC7B,MAAI,UAAU;AACZ,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,WAAS,aAAa;AACtB,iBAAe,aAAa,YAAY,CAAC;AAEzC,MAAI,QAAQ,YAAY;AACtB,WAAO,EAAE,UAAU,GAAG,IAAI,IAAI,UAAU,IAAI,MAAM,WAAW;AAAA,EAC/D;AAEA,MAAI,cAAc,YAAY;AAC5B,WAAO,EAAE,UAAU,GAAG,UAAU,IAAI,UAAU,IAAI,YAAY,KAAK;AAAA,EACrE;AAEA,SAAO,EAAE,UAAU,YAAY,YAAY,KAAK;A
AClD;","names":["i","a","s","y","i","a","y","i"]}
|
package/dist/config/index.js
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
{
|
|
2
2
|
"sourceHashes": {
|
|
3
|
-
"./dist/network/index.js": "
|
|
4
|
-
"./dist/identity/index.js": "
|
|
5
|
-
"./dist/config/index.js": "
|
|
6
|
-
"./dist/config-bundle/index.js": "
|
|
7
|
-
"./dist/node/index.js": "
|
|
8
|
-
"./dist/peer/index.js": "
|
|
3
|
+
"./dist/network/index.js": "19b763b259899d62b7a075d39aa26f44e0f5ee3d29f2fdb46602399ac964625e",
|
|
4
|
+
"./dist/identity/index.js": "df95a4978d767c39289ebc31edcd274cd75b0033dabc4938570ff52ef0c514b5",
|
|
5
|
+
"./dist/config/index.js": "47ffd3411ca00f5450b179d1da861a6e65ee1c32fd188835e5cdb59383b04c88",
|
|
6
|
+
"./dist/config-bundle/index.js": "22eccb991186155195a5823ea762e0c257e5c312ad3336519cd6c94010d6b277",
|
|
7
|
+
"./dist/node/index.js": "5cdd456cf14e94569e546dee7214a48f7cd236eb03fd8278f5d72e6fbe4dbff7",
|
|
8
|
+
"./dist/peer/index.js": "10d5b6de80728a9d3995d9ad8d9af5e7b4f86b1c6f043b08b36928d816a04ee6"
|
|
9
9
|
}
|
|
10
10
|
}
|
package/dist/identity/index.js
CHANGED
|
@@ -5,12 +5,12 @@ import {
|
|
|
5
5
|
convertPrivateKeyToPublicKey,
|
|
6
6
|
generateKey,
|
|
7
7
|
generatePresharedKey
|
|
8
|
-
} from "../chunk-
|
|
8
|
+
} from "../chunk-7BHZHUOK.js";
|
|
9
9
|
|
|
10
10
|
// src/identity/index.ts
|
|
11
11
|
import { wireguard } from "@highstate/library";
|
|
12
12
|
import { forUnit, getOrCreateSecret, toPromise } from "@highstate/pulumi";
|
|
13
|
-
import { DnsRecord } from "@highstate/common";
|
|
13
|
+
import { DnsRecord, parseL4Endpoint } from "@highstate/common";
|
|
14
14
|
var { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity);
|
|
15
15
|
var privateKey = getOrCreateSecret(secrets, "privateKey", generateKey);
|
|
16
16
|
var presharedKeyPart = getOrCreateSecret(secrets, "presharedKeyPart", () => {
|
|
@@ -19,15 +19,13 @@ var presharedKeyPart = getOrCreateSecret(secrets, "presharedKeyPart", () => {
|
|
|
19
19
|
});
|
|
20
20
|
});
|
|
21
21
|
var { network, k8sServices, k8sCluster } = await toPromise(inputs);
|
|
22
|
-
var fqdn = args.fqdn ?? k8sCluster?.info.fqdn;
|
|
23
22
|
var allowedIps = calculateAllowedIps(args, network, k8sServices);
|
|
24
23
|
var excludedIps = calculateExcludedIps(args, network);
|
|
25
|
-
var endpoint = calculateEndpoint(args,
|
|
24
|
+
var { endpoint, externalIp, fqdn } = calculateEndpoint({ ...args, clusterInfo: k8sCluster?.info });
|
|
26
25
|
var publicKey = privateKey.apply(convertPrivateKeyToPublicKey);
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
provider: inputs.dnsProvider,
|
|
26
|
+
if (args.fqdn && inputs.dnsProviders && externalIp) {
|
|
27
|
+
DnsRecord.createSet(args.fqdn, {
|
|
28
|
+
providers: inputs.dnsProviders,
|
|
31
29
|
type: "A",
|
|
32
30
|
value: externalIp
|
|
33
31
|
});
|
|
@@ -58,6 +56,7 @@ var identity_default = outputs({
|
|
|
58
56
|
dns: args.dns,
|
|
59
57
|
presharedKeyPart
|
|
60
58
|
},
|
|
59
|
+
l4Endpoint: endpoint ? parseL4Endpoint(endpoint) : void 0,
|
|
61
60
|
$status: {
|
|
62
61
|
publicKey,
|
|
63
62
|
endpoint: {
|
|
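Review bot: `l4Endpoint: endpoint ? parseL4Endpoint(endpoint) : void 0` at new line 59 hands the resolved endpoint — which may be the raw `args.endpoint` string returned unchanged by `calculateEndpoint` — to `parseL4Endpoint` inside the `outputs({...})` literal; if that helper throws on a malformed value (its behaviour is not visible here), the failure surfaces from the outputs builder rather than as an argument validation error. Parsing once next to line 24, `const l4Endpoint = endpoint ? parseL4Endpoint(endpoint) : void 0;`, and referencing `l4Endpoint` in the literal keeps the check beside the place the value is produced. The `outputs({...})` call starts before the third hunk and continues after it.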
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/identity/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, getOrCreateSecret, toPromise } from \"@highstate/pulumi\"\nimport { DnsRecord } from \"@highstate/common\"\nimport {\n calculateAllowedIps,\n calculateEndpoint,\n calculateExcludedIps,\n convertPrivateKeyToPublicKey,\n generateKey,\n generatePresharedKey,\n} from \"../shared\"\n\nconst { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity)\n\nconst privateKey = getOrCreateSecret(secrets, \"privateKey\", generateKey)\n\nconst presharedKeyPart = getOrCreateSecret(secrets, \"presharedKeyPart\", () => {\n return inputs.network?.apply(network => {\n return network?.presharedKeyMode === \"secure\" ? generatePresharedKey() : undefined\n })\n})\n\nconst { network, k8sServices, k8sCluster } = await toPromise(inputs)\n\nconst
|
|
1
|
+
{"version":3,"sources":["../../src/identity/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, getOrCreateSecret, toPromise } from \"@highstate/pulumi\"\nimport { DnsRecord, parseL4Endpoint } from \"@highstate/common\"\nimport {\n calculateAllowedIps,\n calculateEndpoint,\n calculateExcludedIps,\n convertPrivateKeyToPublicKey,\n generateKey,\n generatePresharedKey,\n} from \"../shared\"\n\nconst { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity)\n\nconst privateKey = getOrCreateSecret(secrets, \"privateKey\", generateKey)\n\nconst presharedKeyPart = getOrCreateSecret(secrets, \"presharedKeyPart\", () => {\n return inputs.network?.apply(network => {\n return network?.presharedKeyMode === \"secure\" ? generatePresharedKey() : undefined\n })\n})\n\nconst { network, k8sServices, k8sCluster } = await toPromise(inputs)\n\nconst allowedIps = calculateAllowedIps(args, network, k8sServices)\nconst excludedIps = calculateExcludedIps(args, network)\nconst { endpoint, externalIp, fqdn } = calculateEndpoint({ ...args, clusterInfo: k8sCluster?.info })\n\nconst publicKey = privateKey.apply(convertPrivateKeyToPublicKey)\n\nif (args.fqdn && inputs.dnsProviders && externalIp) {\n DnsRecord.createSet(args.fqdn, {\n providers: inputs.dnsProviders,\n type: \"A\",\n value: externalIp,\n })\n}\n\nconst isExitNode = allowedIps.includes(\"0.0.0.0/0\") || allowedIps.includes(\"::/0\")\n\nexport default outputs({\n identity: {\n name: args.peerName ?? name,\n network: inputs.network,\n address: args.address,\n privateKey,\n presharedKeyPart,\n k8sServices: inputs.k8sServices,\n exitNode: args.exitNode ?? isExitNode,\n listenPort: args.listenPort,\n externalIp,\n endpoint,\n fqdn,\n },\n peer: {\n name: args.peerName ?? name,\n network: inputs.network,\n address: args.address,\n publicKey,\n allowedIps,\n excludedIps,\n endpoint,\n dns: args.dns,\n presharedKeyPart,\n },\n l4Endpoint: endpoint ? 
parseL4Endpoint(endpoint) : undefined,\n $status: {\n publicKey,\n endpoint: {\n value: endpoint,\n complementaryTo: \"endpoint\",\n },\n externalIp: {\n value: externalIp,\n complementaryTo: \"externalIp\",\n },\n fqdn: {\n value: fqdn,\n complementaryTo: \"fqdn\",\n },\n allowedIps: {\n value: allowedIps.join(\", \"),\n complementaryTo: \"allowedIps\",\n },\n excludedIps: {\n value: excludedIps.join(\", \"),\n complementaryTo: \"excludedIps\",\n },\n },\n})\n"],"mappings":";;;;;;;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,mBAAmB,iBAAiB;AACtD,SAAS,WAAW,uBAAuB;AAU3C,IAAM,EAAE,MAAM,MAAM,QAAQ,SAAS,QAAQ,IAAI,QAAQ,UAAU,QAAQ;AAE3E,IAAM,aAAa,kBAAkB,SAAS,cAAc,WAAW;AAEvE,IAAM,mBAAmB,kBAAkB,SAAS,oBAAoB,MAAM;AAC5E,SAAO,OAAO,SAAS,MAAM,CAAAA,aAAW;AACtC,WAAOA,UAAS,qBAAqB,WAAW,qBAAqB,IAAI;AAAA,EAC3E,CAAC;AACH,CAAC;AAED,IAAM,EAAE,SAAS,aAAa,WAAW,IAAI,MAAM,UAAU,MAAM;AAEnE,IAAM,aAAa,oBAAoB,MAAM,SAAS,WAAW;AACjE,IAAM,cAAc,qBAAqB,MAAM,OAAO;AACtD,IAAM,EAAE,UAAU,YAAY,KAAK,IAAI,kBAAkB,EAAE,GAAG,MAAM,aAAa,YAAY,KAAK,CAAC;AAEnG,IAAM,YAAY,WAAW,MAAM,4BAA4B;AAE/D,IAAI,KAAK,QAAQ,OAAO,gBAAgB,YAAY;AAClD,YAAU,UAAU,KAAK,MAAM;AAAA,IAC7B,WAAW,OAAO;AAAA,IAClB,MAAM;AAAA,IACN,OAAO;AAAA,EACT,CAAC;AACH;AAEA,IAAM,aAAa,WAAW,SAAS,WAAW,KAAK,WAAW,SAAS,MAAM;AAEjF,IAAO,mBAAQ,QAAQ;AAAA,EACrB,UAAU;AAAA,IACR,MAAM,KAAK,YAAY;AAAA,IACvB,SAAS,OAAO;AAAA,IAChB,SAAS,KAAK;AAAA,IACd;AAAA,IACA;AAAA,IACA,aAAa,OAAO;AAAA,IACpB,UAAU,KAAK,YAAY;AAAA,IAC3B,YAAY,KAAK;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,MAAM;AAAA,IACJ,MAAM,KAAK,YAAY;AAAA,IACvB,SAAS,OAAO;AAAA,IAChB,SAAS,KAAK;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,KAAK,KAAK;AAAA,IACV;AAAA,EACF;AAAA,EACA,YAAY,WAAW,gBAAgB,QAAQ,IAAI;AAAA,EACnD,SAAS;AAAA,IACP;AAAA,IACA,UAAU;AAAA,MACR,OAAO;AAAA,MACP,iBAAiB;AAAA,IACnB;AAAA,IACA,YAAY;AAAA,MACV,OAAO;AAAA,MACP,iBAAiB;AAAA,IACnB;AAAA,IACA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,iBAAiB;AAAA,IACnB;AAAA,IACA,YAAY;AAAA,MACV,OAAO,WAAW,KAAK,IAAI;AAAA,MAC3B,iBAAiB;AAAA,IACnB;AAAA,IACA,aAAa;AAAA,MACX,OAAO,YAAY,KAAK,IAAI;AAAA,MAC5B,iBAAiB;AAAA,IAC
nB;AAAA,EACF;AACF,CAAC;","names":["network"]}
|
package/dist/node/index.js
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import {
|
|
2
2
|
generateIdentityConfig
|
|
3
|
-
} from "../chunk-
|
|
3
|
+
} from "../chunk-7BHZHUOK.js";
|
|
4
4
|
|
|
5
5
|
// src/node/index.ts
|
|
6
6
|
import {
|
|
@@ -43,17 +43,30 @@ new core.v1.NamespacePatch(
|
|
|
43
43
|
var listenPort = identity.listenPort ?? args.listenPort;
|
|
44
44
|
var externalIp = identity.externalIp ?? args.externalIp;
|
|
45
45
|
var downstreamInterface = await toPromise(inputs.interface);
|
|
46
|
+
var preUp = [
|
|
47
|
+
// idk why
|
|
48
|
+
"sleep 5"
|
|
49
|
+
];
|
|
46
50
|
var postUp = [
|
|
47
51
|
// enable masquerading for all traffic going out of the WireGuard node
|
|
48
52
|
// TODO: consider adding more specific and restrictive rules
|
|
49
53
|
"iptables -t nat -A POSTROUTING -j MASQUERADE"
|
|
50
54
|
];
|
|
55
|
+
var preDown = [
|
|
56
|
+
// remove the masquerading rule
|
|
57
|
+
"iptables -t nat -D POSTROUTING -j MASQUERADE"
|
|
58
|
+
];
|
|
51
59
|
if (downstreamInterface) {
|
|
60
|
+
preUp.push(`while ! ip link show ${downstreamInterface.name} | grep -q 'UP' ; do sleep 1; done`);
|
|
61
|
+
postUp.push("ip rule del not from all fwmark 0xca6c lookup 51820");
|
|
62
|
+
postUp.push("ip rule add from all fwmark 0x1 lookup 51820");
|
|
52
63
|
postUp.push(
|
|
53
64
|
`iptables -t mangle -A PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`
|
|
54
65
|
);
|
|
55
|
-
|
|
56
|
-
|
|
66
|
+
preDown.push(
|
|
67
|
+
`iptables -t mangle -D PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`
|
|
68
|
+
);
|
|
69
|
+
preDown.push("ip rule del from all fwmark 0x1 lookup 51820");
|
|
57
70
|
}
|
|
58
71
|
var interfaceName = identityName.substring(0, 15);
|
|
59
72
|
var configSecret = new core.v1.Secret(
|
|
@@ -66,7 +79,9 @@ var configSecret = new core.v1.Secret(
|
|
|
66
79
|
peers,
|
|
67
80
|
listenPort,
|
|
68
81
|
dns: args.dns,
|
|
82
|
+
preUp,
|
|
69
83
|
postUp,
|
|
84
|
+
preDown,
|
|
70
85
|
defaultInterface: "eth0"
|
|
71
86
|
})
|
|
72
87
|
}
|
package/dist/node/index.js.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/node/index.ts"],"sourcesContent":["import {\n createNamespace,\n createProvider,\n Deployment,\n getAppDisplayName,\n getAppName,\n getNamespace,\n mapMetadata,\n NetworkPolicy,\n StatefulSet,\n type DeploymentArgs,\n type StatefulSetArgs,\n} from \"@highstate/k8s\"\nimport { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { core } from \"@pulumi/kubernetes\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { name, args, inputs, outputs } = forUnit(wireguard.node)\n\nconst { identity, peers } = await toPromise(inputs)\n\nconst identityName = (identity.name ?? name).replaceAll(\".\", \"-\")\nconst appName = args.appName ?? `wg-${identityName}`\nconst serviceType = args.serviceType ?? \"ClusterIP\"\n\nconst provider = await createProvider(inputs.k8sCluster)\n\nconst existingNamespace = await toPromise(\n inputs.deployment?.metadata?.namespace ??\n inputs.statefulSet?.metadata?.namespace ??\n inputs.interface?.deployment.metadata.namespace,\n)\n\nconst namespace = existingNamespace\n ? getNamespace(existingNamespace, provider)\n : createNamespace(appName, provider)\n\nnew core.v1.NamespacePatch(\n \"allow-privileged\",\n {\n metadata: {\n name: namespace.metadata.name,\n labels: {\n \"pod-security.kubernetes.io/enforce\": \"privileged\",\n },\n },\n },\n { provider },\n)\n\nconst listenPort = identity.listenPort ?? args.listenPort\nconst externalIp = identity.externalIp ?? 
args.externalIp\n\nconst downstreamInterface = await toPromise(inputs.interface)\n\nconst postUp: string[] = [\n // enable masquerading for all traffic going out of the WireGuard node\n // TODO: consider adding more specific and restrictive rules\n \"iptables -t nat -A POSTROUTING -j MASQUERADE\",\n]\n\nif (downstreamInterface) {\n // mark all downstream traffic with 0x1\n postUp.push(\n `iptables -t mangle -A PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`,\n )\n\n // remove the default rule to route all non-encapsulated traffic to upstream wireguard interface\n postUp.push(\"ip rule del not from all fwmark 0xca6c lookup 51820\")\n\n // add a rule to route all downstream traffic to the upstream wireguard interface\n postUp.push(\"ip rule add from all fwmark 0x1 lookup 51820\")\n}\n\nconst interfaceName = identityName.substring(0, 15) // linux kernel limit\n\nconst configSecret = new core.v1.Secret(\n appName,\n {\n metadata: mapMetadata({ name: appName, namespace }),\n stringData: {\n [`${interfaceName}.conf`]: generateIdentityConfig({\n identity,\n peers,\n listenPort,\n dns: args.dns,\n postUp,\n defaultInterface: \"eth0\",\n }),\n },\n },\n { provider },\n)\n\nconst workloadOptions: DeploymentArgs & StatefulSetArgs = {\n namespace,\n cluster: inputs.k8sCluster,\n\n container: deepmerge(\n {\n image: \"linuxserver/wireguard:latest\",\n\n environment: {\n PUID: \"1000\",\n PGID: \"1000\",\n TZ: \"Etc/UTC\",\n },\n\n securityContext: {\n capabilities: {\n add: [\"NET_ADMIN\"],\n },\n },\n\n port:\n identity.endpoint && listenPort\n ? { containerPort: listenPort, protocol: \"UDP\" }\n : undefined,\n\n volumeMount: {\n volume: configSecret,\n mountPath: \"/config/wg_confs\",\n },\n },\n args.containerSpec ?? {},\n ),\n\n service:\n identity.endpoint && listenPort\n ? {\n type: serviceType,\n externalIPs: externalIp ? [externalIp] : undefined,\n\n port: {\n port: listenPort,\n protocol: \"UDP\",\n nodePort: serviceType !== \"ClusterIP\" ? 
listenPort : undefined,\n },\n }\n : undefined,\n}\n\nconst deployment = !inputs.statefulSet\n ? Deployment.create(\n appName,\n { ...workloadOptions, patch: inputs.deployment ?? inputs.interface?.deployment },\n { provider },\n )\n : undefined\n\nconst statefulSet = inputs.statefulSet\n ? StatefulSet.create(appName, { ...workloadOptions, patch: inputs.statefulSet }, { provider })\n : undefined\n\nconst selector = deployment?.spec.selector ?? statefulSet?.spec.selector\nconst service = deployment?.optionalService ?? statefulSet?.optionalService\n\nif (externalIp && listenPort) {\n NetworkPolicy.create(\n \"allow-wireguard-ingress\",\n {\n namespace,\n cluster: inputs.k8sCluster,\n selector,\n\n description: \"Allow encapsulated WireGuard traffic to the node from anywhere.\",\n\n ingressRule: {\n fromAll: true,\n toPort: { port: listenPort, protocol: \"UDP\" },\n },\n },\n { provider },\n )\n}\n\nif (identity.exitNode) {\n NetworkPolicy.create(\n \"allow-all-egress\",\n {\n namespace,\n cluster: inputs.k8sCluster,\n selector,\n\n description: \"Allow all egress traffic from the WireGuard node.\",\n\n egressRule: {\n toAll: true,\n },\n },\n { provider },\n )\n}\n\nfor (const service of identity.k8sServices) {\n const displayName = getAppDisplayName(service.metadata)\n\n NetworkPolicy.create(\n `allow-egress-to-${getAppName(service.metadata)}`,\n {\n namespace,\n cluster: inputs.k8sCluster,\n selector,\n\n description: `Allow egress traffic from the WireGuard node to the service \"${displayName}\".`,\n\n egressRules: [\n {\n toNamespace: service.metadata.namespace,\n toSelector: service.spec.selector,\n },\n\n // for compatibility with Cilium which cannot correctly detect the destination endpoint when the packet is redirected by the WireGuard node\n ...(service.spec.clusterIP ? 
[{ toCidr: `${service.spec.clusterIP}/32` }] : []),\n ],\n },\n { provider },\n )\n\n NetworkPolicy.create(\n `allow-ingress-to-${getAppName(service.metadata)}`,\n {\n name: `allow-ingress-from-${appName}`,\n\n namespace: service.metadata.namespace,\n cluster: inputs.k8sCluster,\n selector: service.spec.selector,\n\n description: `Allow ingress traffic from the WireGuard node \"${appName}\" to the service \"${displayName}\".`,\n\n ingressRule: {\n fromNamespace: namespace,\n fromSelector: selector,\n },\n },\n { provider },\n )\n}\n\nfor (const peer of peers) {\n if (!peer.endpoint) {\n continue\n }\n\n const [endpoint, port] = peer.endpoint.split(\":\")\n\n NetworkPolicy.create(\n `allow-egress-to-peer-${peer.name}`,\n {\n namespace,\n cluster: inputs.k8sCluster,\n selector,\n\n description: `Allow egress traffic from the WireGuard node to the endpoint of the peer \"${peer.name}\".`,\n\n egressRule: {\n toEndpoint: endpoint,\n toPort: { port: port ? parseInt(port) : 51820, protocol: \"UDP\" },\n },\n },\n { provider },\n )\n}\n\nexport default outputs({\n deployment: deployment?.entity,\n interface: {\n name: interfaceName,\n deployment: deployment?.entity,\n },\n service: service?.apply(service => service?.entity),\n $terminals: 
[deployment?.terminal],\n})\n"],"mappings":";;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAGK;AACP,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AACnC,SAAS,YAAY;AACrB,SAAS,iBAAiB;AAG1B,IAAM,EAAE,MAAM,MAAM,QAAQ,QAAQ,IAAI,QAAQ,UAAU,IAAI;AAE9D,IAAM,EAAE,UAAU,MAAM,IAAI,MAAM,UAAU,MAAM;AAElD,IAAM,gBAAgB,SAAS,QAAQ,MAAM,WAAW,KAAK,GAAG;AAChE,IAAM,UAAU,KAAK,WAAW,MAAM,YAAY;AAClD,IAAM,cAAc,KAAK,eAAe;AAExC,IAAM,WAAW,MAAM,eAAe,OAAO,UAAU;AAEvD,IAAM,oBAAoB,MAAM;AAAA,EAC9B,OAAO,YAAY,UAAU,aAC3B,OAAO,aAAa,UAAU,aAC9B,OAAO,WAAW,WAAW,SAAS;AAC1C;AAEA,IAAM,YAAY,oBACd,aAAa,mBAAmB,QAAQ,IACxC,gBAAgB,SAAS,QAAQ;AAErC,IAAI,KAAK,GAAG;AAAA,EACV;AAAA,EACA;AAAA,IACE,UAAU;AAAA,MACR,MAAM,UAAU,SAAS;AAAA,MACzB,QAAQ;AAAA,QACN,sCAAsC;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAAA,EACA,EAAE,SAAS;AACb;AAEA,IAAM,aAAa,SAAS,cAAc,KAAK;AAC/C,IAAM,aAAa,SAAS,cAAc,KAAK;AAE/C,IAAM,sBAAsB,MAAM,UAAU,OAAO,SAAS;AAE5D,IAAM,SAAmB;AAAA;AAAA;AAAA,EAGvB;AACF;AAEA,IAAI,qBAAqB;AAEvB,SAAO;AAAA,IACL,uCAAuC,oBAAoB,IAAI;AAAA,EACjE;AAGA,SAAO,KAAK,qDAAqD;AAGjE,SAAO,KAAK,8CAA8C;AAC5D;AAEA,IAAM,gBAAgB,aAAa,UAAU,GAAG,EAAE;AAElD,IAAM,eAAe,IAAI,KAAK,GAAG;AAAA,EAC/B;AAAA,EACA;AAAA,IACE,UAAU,YAAY,EAAE,MAAM,SAAS,UAAU,CAAC;AAAA,IAClD,YAAY;AAAA,MACV,CAAC,GAAG,aAAa,OAAO,GAAG,uBAAuB;AAAA,QAChD;AAAA,QACA;AAAA,QACA;AAAA,QACA,KAAK,KAAK;AAAA,QACV;AAAA,QACA,kBAAkB;AAAA,MACpB,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EACA,EAAE,SAAS;AACb;AAEA,IAAM,kBAAoD;AAAA,EACxD;AAAA,EACA,SAAS,OAAO;AAAA,EAEhB,WAAW;AAAA,IACT;AAAA,MACE,OAAO;AAAA,MAEP,aAAa;AAAA,QACX,MAAM;AAAA,QACN,MAAM;AAAA,QACN,IAAI;AAAA,MACN;AAAA,MAEA,iBAAiB;AAAA,QACf,cAAc;AAAA,UACZ,KAAK,CAAC,WAAW;AAAA,QACnB;AAAA,MACF;AAAA,MAEA,MACE,SAAS,YAAY,aACjB,EAAE,eAAe,YAAY,UAAU,MAAM,IAC7C;AAAA,MAEN,aAAa;AAAA,QACX,QAAQ;AAAA,QACR,WAAW;AAAA,MACb;AAAA,IACF;AAAA,IACA,KAAK,iBAAiB,CAAC;AAAA,EACzB;AAAA,EAEA,SACE,SAAS,YAAY,aACjB;AAAA,IACE,MAAM;AAAA,IACN,aAAa,aAAa,CAAC,UAAU,IAAI;AAAA,IAEzC,MAAM;AAAA,MACJ,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU,gBAAgB,cAAc,aAAa;AAAA,IACvD;AAAA,EACF,IACA;AACR;AAEA,IA
AM,aAAa,CAAC,OAAO,cACvB,WAAW;AAAA,EACT;AAAA,EACA,EAAE,GAAG,iBAAiB,OAAO,OAAO,cAAc,OAAO,WAAW,WAAW;AAAA,EAC/E,EAAE,SAAS;AACb,IACA;AAEJ,IAAM,cAAc,OAAO,cACvB,YAAY,OAAO,SAAS,EAAE,GAAG,iBAAiB,OAAO,OAAO,YAAY,GAAG,EAAE,SAAS,CAAC,IAC3F;AAEJ,IAAM,WAAW,YAAY,KAAK,YAAY,aAAa,KAAK;AAChE,IAAM,UAAU,YAAY,mBAAmB,aAAa;AAE5D,IAAI,cAAc,YAAY;AAC5B,gBAAc;AAAA,IACZ;AAAA,IACA;AAAA,MACE;AAAA,MACA,SAAS,OAAO;AAAA,MAChB;AAAA,MAEA,aAAa;AAAA,MAEb,aAAa;AAAA,QACX,SAAS;AAAA,QACT,QAAQ,EAAE,MAAM,YAAY,UAAU,MAAM;AAAA,MAC9C;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,IAAI,SAAS,UAAU;AACrB,gBAAc;AAAA,IACZ;AAAA,IACA;AAAA,MACE;AAAA,MACA,SAAS,OAAO;AAAA,MAChB;AAAA,MAEA,aAAa;AAAA,MAEb,YAAY;AAAA,QACV,OAAO;AAAA,MACT;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,WAAWA,YAAW,SAAS,aAAa;AAC1C,QAAM,cAAc,kBAAkBA,SAAQ,QAAQ;AAEtD,gBAAc;AAAA,IACZ,mBAAmB,WAAWA,SAAQ,QAAQ,CAAC;AAAA,IAC/C;AAAA,MACE;AAAA,MACA,SAAS,OAAO;AAAA,MAChB;AAAA,MAEA,aAAa,gEAAgE,WAAW;AAAA,MAExF,aAAa;AAAA,QACX;AAAA,UACE,aAAaA,SAAQ,SAAS;AAAA,UAC9B,YAAYA,SAAQ,KAAK;AAAA,QAC3B;AAAA;AAAA,QAGA,GAAIA,SAAQ,KAAK,YAAY,CAAC,EAAE,QAAQ,GAAGA,SAAQ,KAAK,SAAS,MAAM,CAAC,IAAI,CAAC;AAAA,MAC/E;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AAEA,gBAAc;AAAA,IACZ,oBAAoB,WAAWA,SAAQ,QAAQ,CAAC;AAAA,IAChD;AAAA,MACE,MAAM,sBAAsB,OAAO;AAAA,MAEnC,WAAWA,SAAQ,SAAS;AAAA,MAC5B,SAAS,OAAO;AAAA,MAChB,UAAUA,SAAQ,KAAK;AAAA,MAEvB,aAAa,kDAAkD,OAAO,qBAAqB,WAAW;AAAA,MAEtG,aAAa;AAAA,QACX,eAAe;AAAA,QACf,cAAc;AAAA,MAChB;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,WAAW,QAAQ,OAAO;AACxB,MAAI,CAAC,KAAK,UAAU;AAClB;AAAA,EACF;AAEA,QAAM,CAAC,UAAU,IAAI,IAAI,KAAK,SAAS,MAAM,GAAG;AAEhD,gBAAc;AAAA,IACZ,wBAAwB,KAAK,IAAI;AAAA,IACjC;AAAA,MACE;AAAA,MACA,SAAS,OAAO;AAAA,MAChB;AAAA,MAEA,aAAa,6EAA6E,KAAK,IAAI;AAAA,MAEnG,YAAY;AAAA,QACV,YAAY;AAAA,QACZ,QAAQ,EAAE,MAAM,OAAO,SAAS,IAAI,IAAI,OAAO,UAAU,MAAM;AAAA,MACjE;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,IAAO,eAAQ,QAAQ;AAAA,EACrB,YAAY,YAAY;AAAA,EACxB,WAAW;AAAA,IACT,MAAM;AAAA,IACN,YAAY,YAAY;AAAA,EAC1B;AAAA,EACA,SAAS,SAAS,MAAM,CAAAA,aAAWA,UAAS,MAAM;AAAA,EAClD,YAAY
,CAAC,YAAY,QAAQ;AACnC,CAAC;","names":["service"]}
|
|
1
|
+
{"version":3,"sources":["../../src/node/index.ts"],"sourcesContent":["import {\n createNamespace,\n createProvider,\n Deployment,\n getAppDisplayName,\n getAppName,\n getNamespace,\n mapMetadata,\n NetworkPolicy,\n StatefulSet,\n type DeploymentArgs,\n type StatefulSetArgs,\n} from \"@highstate/k8s\"\nimport { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { core } from \"@pulumi/kubernetes\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { name, args, inputs, outputs } = forUnit(wireguard.node)\n\nconst { identity, peers } = await toPromise(inputs)\n\nconst identityName = (identity.name ?? name).replaceAll(\".\", \"-\")\nconst appName = args.appName ?? `wg-${identityName}`\nconst serviceType = args.serviceType ?? \"ClusterIP\"\n\nconst provider = await createProvider(inputs.k8sCluster)\n\nconst existingNamespace = await toPromise(\n inputs.deployment?.metadata?.namespace ??\n inputs.statefulSet?.metadata?.namespace ??\n inputs.interface?.deployment.metadata.namespace,\n)\n\nconst namespace = existingNamespace\n ? getNamespace(existingNamespace, provider)\n : createNamespace(appName, provider)\n\nnew core.v1.NamespacePatch(\n \"allow-privileged\",\n {\n metadata: {\n name: namespace.metadata.name,\n labels: {\n \"pod-security.kubernetes.io/enforce\": \"privileged\",\n },\n },\n },\n { provider },\n)\n\nconst listenPort = identity.listenPort ?? args.listenPort\nconst externalIp = identity.externalIp ?? 
args.externalIp\n\nconst downstreamInterface = await toPromise(inputs.interface)\n\nconst preUp: string[] = [\n // idk why\n \"sleep 5\",\n]\n\nconst postUp: string[] = [\n // enable masquerading for all traffic going out of the WireGuard node\n // TODO: consider adding more specific and restrictive rules\n \"iptables -t nat -A POSTROUTING -j MASQUERADE\",\n]\n\nconst preDown: string[] = [\n // remove the masquerading rule\n \"iptables -t nat -D POSTROUTING -j MASQUERADE\",\n]\n\nif (downstreamInterface) {\n // wait until the interface is up\n preUp.push(`while ! ip link show ${downstreamInterface.name} | grep -q 'UP' ; do sleep 1; done`)\n\n // remove the default rule to route all non-encapsulated traffic to upstream wireguard interface\n postUp.push(\"ip rule del not from all fwmark 0xca6c lookup 51820\")\n\n // add a rule to route all downstream traffic to the upstream wireguard interface\n postUp.push(\"ip rule add from all fwmark 0x1 lookup 51820\")\n\n // mark all downstream traffic with 0x1\n postUp.push(\n `iptables -t mangle -A PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`,\n )\n\n // remove the rule to route all downstream traffic to the upstream wireguard interface\n preDown.push(\n `iptables -t mangle -D PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`,\n )\n\n // remove the rule to route all non-encapsulated traffic to upstream wireguard interface\n preDown.push(\"ip rule del from all fwmark 0x1 lookup 51820\")\n}\n\nconst interfaceName = identityName.substring(0, 15) // linux kernel limit\n\nconst configSecret = new core.v1.Secret(\n appName,\n {\n metadata: mapMetadata({ name: appName, namespace }),\n stringData: {\n [`${interfaceName}.conf`]: generateIdentityConfig({\n identity,\n peers,\n listenPort,\n dns: args.dns,\n preUp,\n postUp,\n preDown,\n defaultInterface: \"eth0\",\n }),\n },\n },\n { provider },\n)\n\nconst workloadOptions: DeploymentArgs & StatefulSetArgs = {\n namespace,\n cluster: 
inputs.k8sCluster,\n\n container: deepmerge(\n {\n image: \"linuxserver/wireguard:latest\",\n\n environment: {\n PUID: \"1000\",\n PGID: \"1000\",\n TZ: \"Etc/UTC\",\n },\n\n securityContext: {\n capabilities: {\n add: [\"NET_ADMIN\"],\n },\n },\n\n port:\n identity.endpoint && listenPort\n ? { containerPort: listenPort, protocol: \"UDP\" }\n : undefined,\n\n volumeMount: {\n volume: configSecret,\n mountPath: \"/config/wg_confs\",\n },\n },\n args.containerSpec ?? {},\n ),\n\n service:\n identity.endpoint && listenPort\n ? {\n type: serviceType,\n externalIPs: externalIp ? [externalIp] : undefined,\n\n port: {\n port: listenPort,\n protocol: \"UDP\",\n nodePort: serviceType !== \"ClusterIP\" ? listenPort : undefined,\n },\n }\n : undefined,\n}\n\nconst deployment = !inputs.statefulSet\n ? Deployment.create(\n appName,\n { ...workloadOptions, patch: inputs.deployment ?? inputs.interface?.deployment },\n { provider },\n )\n : undefined\n\nconst statefulSet = inputs.statefulSet\n ? StatefulSet.create(appName, { ...workloadOptions, patch: inputs.statefulSet }, { provider })\n : undefined\n\nconst selector = deployment?.spec.selector ?? statefulSet?.spec.selector\nconst service = deployment?.optionalService ?? 
statefulSet?.optionalService\n\nif (externalIp && listenPort) {\n NetworkPolicy.create(\n \"allow-wireguard-ingress\",\n {\n namespace,\n cluster: inputs.k8sCluster,\n selector,\n\n description: \"Allow encapsulated WireGuard traffic to the node from anywhere.\",\n\n ingressRule: {\n fromAll: true,\n toPort: { port: listenPort, protocol: \"UDP\" },\n },\n },\n { provider },\n )\n}\n\nif (identity.exitNode) {\n NetworkPolicy.create(\n \"allow-all-egress\",\n {\n namespace,\n cluster: inputs.k8sCluster,\n selector,\n\n description: \"Allow all egress traffic from the WireGuard node.\",\n\n egressRule: {\n toAll: true,\n },\n },\n { provider },\n )\n}\n\nfor (const service of identity.k8sServices) {\n const displayName = getAppDisplayName(service.metadata)\n\n NetworkPolicy.create(\n `allow-egress-to-${getAppName(service.metadata)}`,\n {\n namespace,\n cluster: inputs.k8sCluster,\n selector,\n\n description: `Allow egress traffic from the WireGuard node to the service \"${displayName}\".`,\n\n egressRules: [\n {\n toNamespace: service.metadata.namespace,\n toSelector: service.spec.selector,\n },\n\n // for compatibility with Cilium which cannot correctly detect the destination endpoint when the packet is redirected by the WireGuard node\n ...(service.spec.clusterIP ? 
[{ toCidr: `${service.spec.clusterIP}/32` }] : []),\n ],\n },\n { provider },\n )\n\n NetworkPolicy.create(\n `allow-ingress-to-${getAppName(service.metadata)}`,\n {\n name: `allow-ingress-from-${appName}`,\n\n namespace: service.metadata.namespace,\n cluster: inputs.k8sCluster,\n selector: service.spec.selector,\n\n description: `Allow ingress traffic from the WireGuard node \"${appName}\" to the service \"${displayName}\".`,\n\n ingressRule: {\n fromNamespace: namespace,\n fromSelector: selector,\n },\n },\n { provider },\n )\n}\n\nfor (const peer of peers) {\n if (!peer.endpoint) {\n continue\n }\n\n const [endpoint, port] = peer.endpoint.split(\":\")\n\n NetworkPolicy.create(\n `allow-egress-to-peer-${peer.name}`,\n {\n namespace,\n cluster: inputs.k8sCluster,\n selector,\n\n description: `Allow egress traffic from the WireGuard node to the endpoint of the peer \"${peer.name}\".`,\n\n egressRule: {\n toEndpoint: endpoint,\n toPort: { port: port ? parseInt(port) : 51820, protocol: \"UDP\" },\n },\n },\n { provider },\n )\n}\n\nexport default outputs({\n deployment: deployment?.entity,\n interface: {\n name: interfaceName,\n deployment: deployment?.entity,\n },\n service: service?.apply(service => service?.entity),\n $terminals: 
[deployment?.terminal],\n})\n"],"mappings":";;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAGK;AACP,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AACnC,SAAS,YAAY;AACrB,SAAS,iBAAiB;AAG1B,IAAM,EAAE,MAAM,MAAM,QAAQ,QAAQ,IAAI,QAAQ,UAAU,IAAI;AAE9D,IAAM,EAAE,UAAU,MAAM,IAAI,MAAM,UAAU,MAAM;AAElD,IAAM,gBAAgB,SAAS,QAAQ,MAAM,WAAW,KAAK,GAAG;AAChE,IAAM,UAAU,KAAK,WAAW,MAAM,YAAY;AAClD,IAAM,cAAc,KAAK,eAAe;AAExC,IAAM,WAAW,MAAM,eAAe,OAAO,UAAU;AAEvD,IAAM,oBAAoB,MAAM;AAAA,EAC9B,OAAO,YAAY,UAAU,aAC3B,OAAO,aAAa,UAAU,aAC9B,OAAO,WAAW,WAAW,SAAS;AAC1C;AAEA,IAAM,YAAY,oBACd,aAAa,mBAAmB,QAAQ,IACxC,gBAAgB,SAAS,QAAQ;AAErC,IAAI,KAAK,GAAG;AAAA,EACV;AAAA,EACA;AAAA,IACE,UAAU;AAAA,MACR,MAAM,UAAU,SAAS;AAAA,MACzB,QAAQ;AAAA,QACN,sCAAsC;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAAA,EACA,EAAE,SAAS;AACb;AAEA,IAAM,aAAa,SAAS,cAAc,KAAK;AAC/C,IAAM,aAAa,SAAS,cAAc,KAAK;AAE/C,IAAM,sBAAsB,MAAM,UAAU,OAAO,SAAS;AAE5D,IAAM,QAAkB;AAAA;AAAA,EAEtB;AACF;AAEA,IAAM,SAAmB;AAAA;AAAA;AAAA,EAGvB;AACF;AAEA,IAAM,UAAoB;AAAA;AAAA,EAExB;AACF;AAEA,IAAI,qBAAqB;AAEvB,QAAM,KAAK,wBAAwB,oBAAoB,IAAI,oCAAoC;AAG/F,SAAO,KAAK,qDAAqD;AAGjE,SAAO,KAAK,8CAA8C;AAG1D,SAAO;AAAA,IACL,uCAAuC,oBAAoB,IAAI;AAAA,EACjE;AAGA,UAAQ;AAAA,IACN,uCAAuC,oBAAoB,IAAI;AAAA,EACjE;AAGA,UAAQ,KAAK,8CAA8C;AAC7D;AAEA,IAAM,gBAAgB,aAAa,UAAU,GAAG,EAAE;AAElD,IAAM,eAAe,IAAI,KAAK,GAAG;AAAA,EAC/B;AAAA,EACA;AAAA,IACE,UAAU,YAAY,EAAE,MAAM,SAAS,UAAU,CAAC;AAAA,IAClD,YAAY;AAAA,MACV,CAAC,GAAG,aAAa,OAAO,GAAG,uBAAuB;AAAA,QAChD;AAAA,QACA;AAAA,QACA;AAAA,QACA,KAAK,KAAK;AAAA,QACV;AAAA,QACA;AAAA,QACA;AAAA,QACA,kBAAkB;AAAA,MACpB,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EACA,EAAE,SAAS;AACb;AAEA,IAAM,kBAAoD;AAAA,EACxD;AAAA,EACA,SAAS,OAAO;AAAA,EAEhB,WAAW;AAAA,IACT;AAAA,MACE,OAAO;AAAA,MAEP,aAAa;AAAA,QACX,MAAM;AAAA,QACN,MAAM;AAAA,QACN,IAAI;AAAA,MACN;AAAA,MAEA,iBAAiB;AAAA,QACf,cAAc;AAAA,UACZ,KAAK,CAAC,WAAW;AAAA,QACnB;AAAA,MACF;AAAA,MAEA,MACE,SAAS,YAAY,aACjB,EAAE,eAAe,YAAY,UAAU,MAAM,IAC7C;AAAA,MAEN,aAAa;AAAA,QACX,QAAQ;AAAA,QACR,WAAW;AAAA,MACb;AAAA,IACF;AAAA,IACA,KAAK,iBAAiB,CAAC
;AAAA,EACzB;AAAA,EAEA,SACE,SAAS,YAAY,aACjB;AAAA,IACE,MAAM;AAAA,IACN,aAAa,aAAa,CAAC,UAAU,IAAI;AAAA,IAEzC,MAAM;AAAA,MACJ,MAAM;AAAA,MACN,UAAU;AAAA,MACV,UAAU,gBAAgB,cAAc,aAAa;AAAA,IACvD;AAAA,EACF,IACA;AACR;AAEA,IAAM,aAAa,CAAC,OAAO,cACvB,WAAW;AAAA,EACT;AAAA,EACA,EAAE,GAAG,iBAAiB,OAAO,OAAO,cAAc,OAAO,WAAW,WAAW;AAAA,EAC/E,EAAE,SAAS;AACb,IACA;AAEJ,IAAM,cAAc,OAAO,cACvB,YAAY,OAAO,SAAS,EAAE,GAAG,iBAAiB,OAAO,OAAO,YAAY,GAAG,EAAE,SAAS,CAAC,IAC3F;AAEJ,IAAM,WAAW,YAAY,KAAK,YAAY,aAAa,KAAK;AAChE,IAAM,UAAU,YAAY,mBAAmB,aAAa;AAE5D,IAAI,cAAc,YAAY;AAC5B,gBAAc;AAAA,IACZ;AAAA,IACA;AAAA,MACE;AAAA,MACA,SAAS,OAAO;AAAA,MAChB;AAAA,MAEA,aAAa;AAAA,MAEb,aAAa;AAAA,QACX,SAAS;AAAA,QACT,QAAQ,EAAE,MAAM,YAAY,UAAU,MAAM;AAAA,MAC9C;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,IAAI,SAAS,UAAU;AACrB,gBAAc;AAAA,IACZ;AAAA,IACA;AAAA,MACE;AAAA,MACA,SAAS,OAAO;AAAA,MAChB;AAAA,MAEA,aAAa;AAAA,MAEb,YAAY;AAAA,QACV,OAAO;AAAA,MACT;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,WAAWA,YAAW,SAAS,aAAa;AAC1C,QAAM,cAAc,kBAAkBA,SAAQ,QAAQ;AAEtD,gBAAc;AAAA,IACZ,mBAAmB,WAAWA,SAAQ,QAAQ,CAAC;AAAA,IAC/C;AAAA,MACE;AAAA,MACA,SAAS,OAAO;AAAA,MAChB;AAAA,MAEA,aAAa,gEAAgE,WAAW;AAAA,MAExF,aAAa;AAAA,QACX;AAAA,UACE,aAAaA,SAAQ,SAAS;AAAA,UAC9B,YAAYA,SAAQ,KAAK;AAAA,QAC3B;AAAA;AAAA,QAGA,GAAIA,SAAQ,KAAK,YAAY,CAAC,EAAE,QAAQ,GAAGA,SAAQ,KAAK,SAAS,MAAM,CAAC,IAAI,CAAC;AAAA,MAC/E;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AAEA,gBAAc;AAAA,IACZ,oBAAoB,WAAWA,SAAQ,QAAQ,CAAC;AAAA,IAChD;AAAA,MACE,MAAM,sBAAsB,OAAO;AAAA,MAEnC,WAAWA,SAAQ,SAAS;AAAA,MAC5B,SAAS,OAAO;AAAA,MAChB,UAAUA,SAAQ,KAAK;AAAA,MAEvB,aAAa,kDAAkD,OAAO,qBAAqB,WAAW;AAAA,MAEtG,aAAa;AAAA,QACX,eAAe;AAAA,QACf,cAAc;AAAA,MAChB;AAAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,WAAW,QAAQ,OAAO;AACxB,MAAI,CAAC,KAAK,UAAU;AAClB;AAAA,EACF;AAEA,QAAM,CAAC,UAAU,IAAI,IAAI,KAAK,SAAS,MAAM,GAAG;AAEhD,gBAAc;AAAA,IACZ,wBAAwB,KAAK,IAAI;AAAA,IACjC;AAAA,MACE;AAAA,MACA,SAAS,OAAO;AAAA,MAChB;AAAA,MAEA,aAAa,6EAA6E,KAAK,IAAI;AAAA,MAEnG,YAAY;AAAA,QACV,YAAY;AAAA,QACZ,QAAQ,EAAE,MAAM,OAAO,SAAS,IAAI,IAAI,OAAO,UAAU,MAAM;AAAA,MACjE;A
AAA,IACF;AAAA,IACA,EAAE,SAAS;AAAA,EACb;AACF;AAEA,IAAO,eAAQ,QAAQ;AAAA,EACrB,YAAY,YAAY;AAAA,EACxB,WAAW;AAAA,IACT,MAAM;AAAA,IACN,YAAY,YAAY;AAAA,EAC1B;AAAA,EACA,SAAS,SAAS,MAAM,CAAAA,aAAWA,UAAS,MAAM;AAAA,EAClD,YAAY,CAAC,YAAY,QAAQ;AACnC,CAAC;","names":["service"]}
|
package/dist/peer/index.js
|
@@ -1,25 +1,32 @@
|
|
|
1
1
|
import {
|
|
2
2
|
calculateAllowedIps,
|
|
3
3
|
calculateExcludedIps
|
|
4
|
-
} from "../chunk-
|
|
4
|
+
} from "../chunk-7BHZHUOK.js";
|
|
5
5
|
|
|
6
6
|
// src/peer/index.ts
|
|
7
7
|
import { wireguard } from "@highstate/library";
|
|
8
8
|
import { forUnit, toPromise } from "@highstate/pulumi";
|
|
9
|
+
import { l4EndpointToString } from "@highstate/common";
|
|
9
10
|
var { name, args, inputs, outputs } = forUnit(wireguard.peer);
|
|
10
11
|
var network = await toPromise(inputs.network);
|
|
12
|
+
var peer = await toPromise(inputs.peer);
|
|
11
13
|
var allowedIps = calculateAllowedIps(args, network);
|
|
12
14
|
var excludedIps = calculateExcludedIps(args, network);
|
|
15
|
+
var publicKey = args.publicKey ?? peer?.publicKey;
|
|
16
|
+
if (!publicKey) {
|
|
17
|
+
throw new Error("Public key was not provided neither in args nor in peer");
|
|
18
|
+
}
|
|
13
19
|
var peer_default = outputs({
|
|
14
20
|
peer: {
|
|
15
|
-
name: args.peerName ?? name,
|
|
16
|
-
network: inputs.network,
|
|
17
|
-
address: args.address,
|
|
18
|
-
publicKey
|
|
19
|
-
allowedIps,
|
|
20
|
-
endpoint: args.endpoint,
|
|
21
|
-
excludedIps,
|
|
22
|
-
dns: args.dns
|
|
21
|
+
name: args.peerName ?? peer?.name ?? name,
|
|
22
|
+
network: inputs.network ?? peer?.network,
|
|
23
|
+
address: args.address ?? peer?.address,
|
|
24
|
+
publicKey,
|
|
25
|
+
allowedIps: allowedIps.length ? allowedIps : peer?.allowedIps,
|
|
26
|
+
endpoint: inputs.l4Endpoint?.apply(l4EndpointToString) ?? args.endpoint ?? peer?.endpoint,
|
|
27
|
+
excludedIps: excludedIps.length ? excludedIps : peer?.excludedIps,
|
|
28
|
+
dns: args.dns ?? peer?.dns,
|
|
29
|
+
presharedKeyPart: peer?.presharedKeyPart
|
|
23
30
|
},
|
|
24
31
|
$status: {
|
|
25
32
|
allowedIps: {
|
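Review bot: The `peer` output at new lines 25 and 27 now falls back to `peer?.allowedIps` / `peer?.excludedIps` when the locally computed arrays are empty, but the `$status` block that begins at line 32 still reports the local arrays (the `value: allowedIps.join(", ")` line just past the hunk is unchanged per the accompanying source map), so status can show an empty list for a peer whose emitted config does carry allowed IPs. Hoist the fallback into locals, e.g. `var effectiveAllowedIps = allowedIps.length ? allowedIps : peer?.allowedIps ?? [];`, and use them in both the `peer` output and `$status`. The message at new line 17, `"Public key was not provided neither in args nor in peer"`, is a double negative; `"Public key was provided neither in args nor in peer"` reads correctly. Line 22 falls back to `peer?.network`, yet the `network` passed to calculateAllowedIps/calculateExcludedIps at lines 11–14 is still resolved from `inputs.network` only; worth confirming that is intended when a unit is wired only through `inputs.peer`.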
package/dist/peer/index.js.map
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/peer/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { calculateAllowedIps, calculateExcludedIps } from \"../shared\"\n\nconst { name, args, inputs, outputs } = forUnit(wireguard.peer)\n\nconst network = await toPromise(inputs.network)\n\nconst allowedIps = calculateAllowedIps(args, network)\nconst excludedIps = calculateExcludedIps(args, network)\n\nexport default outputs({\n peer: {\n name: args.peerName ?? name,\n network: inputs.network,\n address: args.address,\n publicKey
|
|
1
|
+
{"version":3,"sources":["../../src/peer/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { l4EndpointToString } from \"@highstate/common\"\nimport { calculateAllowedIps, calculateExcludedIps } from \"../shared\"\n\nconst { name, args, inputs, outputs } = forUnit(wireguard.peer)\n\nconst network = await toPromise(inputs.network)\nconst peer = await toPromise(inputs.peer)\n\nconst allowedIps = calculateAllowedIps(args, network)\nconst excludedIps = calculateExcludedIps(args, network)\n\nconst publicKey = args.publicKey ?? peer?.publicKey\n\nif (!publicKey) {\n throw new Error(\"Public key was not provided neither in args nor in peer\")\n}\n\nexport default outputs({\n peer: {\n name: args.peerName ?? peer?.name ?? name,\n network: inputs.network ?? peer?.network,\n address: args.address ?? peer?.address,\n publicKey,\n allowedIps: allowedIps.length ? allowedIps : peer?.allowedIps,\n endpoint: inputs.l4Endpoint?.apply(l4EndpointToString) ?? args.endpoint ?? peer?.endpoint,\n excludedIps: excludedIps.length ? excludedIps : peer?.excludedIps,\n dns: args.dns ?? 
peer?.dns,\n presharedKeyPart: peer?.presharedKeyPart,\n },\n $status: {\n allowedIps: {\n value: allowedIps.join(\", \"),\n complementaryTo: \"allowedIps\",\n },\n excludedIps: {\n value: excludedIps.join(\", \"),\n complementaryTo: \"excludedIps\",\n },\n },\n})\n"],"mappings":";;;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AACnC,SAAS,0BAA0B;AAGnC,IAAM,EAAE,MAAM,MAAM,QAAQ,QAAQ,IAAI,QAAQ,UAAU,IAAI;AAE9D,IAAM,UAAU,MAAM,UAAU,OAAO,OAAO;AAC9C,IAAM,OAAO,MAAM,UAAU,OAAO,IAAI;AAExC,IAAM,aAAa,oBAAoB,MAAM,OAAO;AACpD,IAAM,cAAc,qBAAqB,MAAM,OAAO;AAEtD,IAAM,YAAY,KAAK,aAAa,MAAM;AAE1C,IAAI,CAAC,WAAW;AACd,QAAM,IAAI,MAAM,yDAAyD;AAC3E;AAEA,IAAO,eAAQ,QAAQ;AAAA,EACrB,MAAM;AAAA,IACJ,MAAM,KAAK,YAAY,MAAM,QAAQ;AAAA,IACrC,SAAS,OAAO,WAAW,MAAM;AAAA,IACjC,SAAS,KAAK,WAAW,MAAM;AAAA,IAC/B;AAAA,IACA,YAAY,WAAW,SAAS,aAAa,MAAM;AAAA,IACnD,UAAU,OAAO,YAAY,MAAM,kBAAkB,KAAK,KAAK,YAAY,MAAM;AAAA,IACjF,aAAa,YAAY,SAAS,cAAc,MAAM;AAAA,IACtD,KAAK,KAAK,OAAO,MAAM;AAAA,IACvB,kBAAkB,MAAM;AAAA,EAC1B;AAAA,EACA,SAAS;AAAA,IACP,YAAY;AAAA,MACV,OAAO,WAAW,KAAK,IAAI;AAAA,MAC3B,iBAAiB;AAAA,IACnB;AAAA,IACA,aAAa;AAAA,MACX,OAAO,YAAY,KAAK,IAAI;AAAA,MAC5B,iBAAiB;AAAA,IACnB;AAAA,EACF;AACF,CAAC;","names":[]}
|
package/package.json
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@highstate/wireguard",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.9.1",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"files": [
|
|
6
6
|
"dist"
|
|
@@ -20,10 +20,10 @@
|
|
|
20
20
|
"build": "highstate build"
|
|
21
21
|
},
|
|
22
22
|
"dependencies": {
|
|
23
|
-
"@highstate/common": "^0.
|
|
24
|
-
"@highstate/contract": "^0.
|
|
25
|
-
"@highstate/k8s": "^0.
|
|
26
|
-
"@highstate/pulumi": "^0.
|
|
23
|
+
"@highstate/common": "^0.9.1",
|
|
24
|
+
"@highstate/contract": "^0.9.1",
|
|
25
|
+
"@highstate/k8s": "^0.9.1",
|
|
26
|
+
"@highstate/pulumi": "^0.9.1",
|
|
27
27
|
"@noble/curves": "^1.8.0",
|
|
28
28
|
"@pulumi/kubernetes": "^4.18.0",
|
|
29
29
|
"deepmerge-ts": "^7.1.5",
|
|
@@ -33,8 +33,8 @@
|
|
|
33
33
|
"@highstate/library": "workspace:^0.4.4"
|
|
34
34
|
},
|
|
35
35
|
"devDependencies": {
|
|
36
|
-
"@highstate/cli": "^0.
|
|
36
|
+
"@highstate/cli": "^0.9.1",
|
|
37
37
|
"@types/zip-stream": "^7.0.0"
|
|
38
38
|
},
|
|
39
|
-
"gitHead": "
|
|
39
|
+
"gitHead": "2f9fdd9542fbdd11d4337fb59ac4f5728535fa0c"
|
|
40
40
|
}
|
|
@@ -1 +0,0 @@
1
-
{"version":3,"sources":["../src/shared.ts","../../../node_modules/@noble/hashes/src/cryptoNode.ts","../../../node_modules/@noble/hashes/src/utils.ts","../../../node_modules/remeda/dist/chunk-ANXBDSUI.js","../../../node_modules/remeda/dist/chunk-3GOCSNFN.js","../../../node_modules/remeda/dist/chunk-LFJW7BOT.js","../../../node_modules/remeda/dist/chunk-QJLMYOTX.js"],"sourcesContent":["import type { k8s, wireguard } from \"@highstate/library\"\nimport { x25519 } from \"@noble/curves/ed25519\"\nimport { randomBytes } from \"@noble/hashes/utils\"\nimport { unique } from \"remeda\"\n\nexport function generateKey(): string {\n const key = x25519.utils.randomPrivateKey()\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function convertPrivateKeyToPublicKey(privateKey: string): string {\n const key = Buffer.from(privateKey, \"base64\")\n\n return Buffer.from(x25519.getPublicKey(key)).toString(\"base64\")\n}\n\nexport function generatePresharedKey(): string {\n const key = randomBytes(32)\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function combinePresharedKeyParts(part1: string, part2: string): string {\n const key1 = Buffer.from(part1, \"base64\")\n const key2 = Buffer.from(part2, \"base64\")\n const result = new Uint8Array(32)\n\n for (let i = 0; i < 32; i++) {\n result[i] = key1[i] ^ key2[i]\n }\n\n return Buffer.from(result).toString(\"base64\")\n}\n\nfunction generatePeerConfig(identity: wireguard.Identity, peer: wireguard.Peer): string {\n const lines = [\n //\n \"[Peer]\",\n `# ${peer.name}`,\n `PublicKey = ${peer.publicKey}`,\n ]\n\n if (peer.allowedIps.length > 0) {\n lines.push(`AllowedIPs = ${peer.allowedIps.join(\", \")}`)\n }\n\n if (peer.endpoint) {\n lines.push(`Endpoint = ${peer.endpoint}`)\n }\n\n if (identity.presharedKeyPart && peer.presharedKeyPart) {\n const presharedKey = combinePresharedKeyParts(identity.presharedKeyPart, peer.presharedKeyPart)\n\n lines.push(`PresharedKey = ${presharedKey}`)\n } else if 
(identity.network?.globalPresharedKey) {\n if (identity.network.globalPresharedKey !== peer.network?.globalPresharedKey) {\n throw new Error(\"The global preshared key must be the same for all peers.\")\n }\n\n lines.push(`PresharedKey = ${identity.network.globalPresharedKey}`)\n }\n\n return lines.join(\"\\n\")\n}\n\nexport type IdentityConfigArgs = {\n identity: wireguard.Identity\n peers: wireguard.Peer[]\n listenPort?: number\n dns?: string[]\n postUp?: string[]\n defaultInterface?: string\n}\n\nexport function generateIdentityConfig({\n identity,\n peers,\n listenPort,\n dns,\n postUp,\n defaultInterface,\n}: IdentityConfigArgs): string {\n const allDns = unique(peers.flatMap(peer => peer.dns ?? []).concat(dns ?? []))\n const excludedIps = unique(peers.flatMap(peer => peer.excludedIps ?? []))\n\n const lines = [\n //\n \"[Interface]\",\n `# ${identity.name}`,\n ]\n\n if (identity.address) {\n lines.push(`Address = ${identity.address}`)\n }\n\n lines.push(\n //\n `PrivateKey = ${identity.privateKey}`,\n \"MTU = 1280\",\n )\n\n if (allDns.length > 0) {\n lines.push(`DNS = ${allDns.join(\", \")}`)\n }\n\n if (listenPort) {\n lines.push(`ListenPort = ${listenPort}`)\n }\n\n if (postUp) {\n lines.push()\n for (const command of postUp) {\n lines.push(`PostUp = ${command}`)\n }\n }\n\n if (defaultInterface) {\n for (const excludedIp of excludedIps) {\n lines.push(`PostUp = ip route add ${excludedIp} dev ${defaultInterface}`)\n }\n }\n\n const otherPeers = peers.filter(peer => peer.name !== identity.name)\n\n for (const peer of otherPeers) {\n lines.push(\"\")\n lines.push(generatePeerConfig(identity, peer))\n }\n\n return lines.join(\"\\n\")\n}\n\ntype AllowedIpsArgs = {\n address?: string\n allowedIps?: string[]\n exitNode?: boolean\n}\n\nexport function calculateAllowedIps(\n { address, allowedIps, exitNode }: AllowedIpsArgs,\n network: wireguard.Network | undefined,\n k8sServices?: k8s.Service[],\n): string[] {\n const result = new Set<string>()\n\n if (address) 
{\n result.add(address)\n }\n\n if (allowedIps) {\n for (const ip of allowedIps) {\n result.add(ip)\n }\n }\n\n if (exitNode) {\n result.add(\"0.0.0.0/0\")\n\n if (network?.ipv6) {\n result.add(\"::/0\")\n }\n }\n\n if (k8sServices) {\n for (const service of k8sServices) {\n if (service.spec.clusterIP) {\n result.add(service.spec.clusterIP)\n }\n }\n }\n\n return Array.from(result)\n}\n\ntype ExcludedIpsArgs = {\n excludedIps?: string[]\n excludePrivateIps?: boolean\n}\n\nexport function calculateExcludedIps(\n { excludedIps, excludePrivateIps }: ExcludedIpsArgs,\n network: wireguard.Network | undefined,\n): string[] {\n const result = new Set<string>()\n\n if (excludedIps) {\n for (const ip of excludedIps) {\n result.add(ip)\n }\n }\n\n if (excludePrivateIps) {\n result.add(\"10.0.0.0/8\")\n result.add(\"172.16.0.0/12\")\n result.add(\"192.168.0.0/16\")\n\n if (network?.ipv6) {\n result.add(\"fc00::/7\")\n result.add(\"fe80::/10\")\n }\n }\n\n return Array.from(result)\n}\n\ntype EndpointArgs = {\n externalIp?: string\n listenPort?: number\n endpoint?: string\n}\n\nexport function calculateEndpoint(\n { externalIp, listenPort, endpoint }: EndpointArgs,\n fqdn?: string,\n): string | undefined {\n if (endpoint) {\n return endpoint\n }\n\n if (fqdn && listenPort) {\n return `${fqdn}:${listenPort}`\n }\n\n if (externalIp && listenPort) {\n return `${externalIp}:${listenPort}`\n }\n\n return undefined\n}\n","/**\n * Internal webcrypto alias.\n * We prefer WebCrypto aka globalThis.crypto, which exists in node.js 16+.\n * Falls back to Node.js built-in crypto for Node.js <=v14.\n * See utils.ts for details.\n * @module\n */\n// @ts-ignore\nimport * as nc from 'node:crypto';\nexport const crypto: any =\n nc && typeof nc === 'object' && 'webcrypto' in nc\n ? (nc.webcrypto as any)\n : nc && typeof nc === 'object' && 'randomBytes' in nc\n ? nc\n : undefined;\n","/**\n * Utilities for hex, bytes, CSPRNG.\n * @module\n */\n/*! 
noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n\n// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.\n// node.js versions earlier than v19 don't declare it in global scope.\n// For node.js, package.json#exports field mapping rewrites import\n// from `crypto` to `cryptoNode`, which imports native module.\n// Makes the utils un-importable in browsers without a bundler.\n// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.\nimport { crypto } from '@noble/hashes/crypto';\nimport { abytes } from './_assert.js';\n// export { isBytes } from './_assert.js';\n// We can't reuse isBytes from _assert, because somehow this causes huge perf issues\nexport function isBytes(a: unknown): a is Uint8Array {\n return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');\n}\n\n// prettier-ignore\nexport type TypedArray = Int8Array | Uint8ClampedArray | Uint8Array |\n Uint16Array | Int16Array | Uint32Array | Int32Array;\n\n// Cast array to different type\nexport function u8(arr: TypedArray): Uint8Array {\n return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);\n}\nexport function u32(arr: TypedArray): Uint32Array {\n return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n}\n\n// Cast array to view\nexport function createView(arr: TypedArray): DataView {\n return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n\n/** The rotate right (circular right shift) operation for uint32 */\nexport function rotr(word: number, shift: number): number {\n return (word << (32 - shift)) | (word >>> shift);\n}\n/** The rotate left (circular left shift) operation for uint32 */\nexport function rotl(word: number, shift: number): number {\n return (word << shift) | ((word >>> (32 - shift)) >>> 0);\n}\n\n/** Is current platform little-endian? Most are. 
Big-Endian platform: IBM */\nexport const isLE: boolean = /* @__PURE__ */ (() =>\n new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();\n// The byte swap operation for uint32\nexport function byteSwap(word: number): number {\n return (\n ((word << 24) & 0xff000000) |\n ((word << 8) & 0xff0000) |\n ((word >>> 8) & 0xff00) |\n ((word >>> 24) & 0xff)\n );\n}\n/** Conditionally byte swap if on a big-endian platform */\nexport const byteSwapIfBE: (n: number) => number = isLE\n ? (n: number) => n\n : (n: number) => byteSwap(n);\n\n/** In place byte swap for Uint32Array */\nexport function byteSwap32(arr: Uint32Array): void {\n for (let i = 0; i < arr.length; i++) {\n arr[i] = byteSwap(arr[i]);\n }\n}\n\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>\n i.toString(16).padStart(2, '0')\n);\n/**\n * Convert byte array to hex string.\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes: Uint8Array): string {\n abytes(bytes);\n // pre-caching improves the speed 6x\n let hex = '';\n for (let i = 0; i < bytes.length; i++) {\n hex += hexes[bytes[i]];\n }\n return hex;\n}\n\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 } as const;\nfunction asciiToBase16(ch: number): number | undefined {\n if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0; // '2' => 50-48\n if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10); // 'B' => 66-(65-10)\n if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10); // 'b' => 98-(97-10)\n return;\n}\n\n/**\n * Convert hex string to byte array.\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex: string): Uint8Array {\n if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);\n const hl = 
hex.length;\n const al = hl / 2;\n if (hl % 2) throw new Error('hex string expected, got unpadded hex of length ' + hl);\n const array = new Uint8Array(al);\n for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n const n1 = asciiToBase16(hex.charCodeAt(hi));\n const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n if (n1 === undefined || n2 === undefined) {\n const char = hex[hi] + hex[hi + 1];\n throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n }\n array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163\n }\n return array;\n}\n\n/**\n * There is no setImmediate in browser and setTimeout is slow.\n * Call of async fn will return Promise, which will be fullfiled only on\n * next scheduler queue processing step and this is exactly what we need.\n */\nexport const nextTick = async (): Promise<void> => {};\n\n/** Returns control to thread each 'tick' ms to avoid blocking. */\nexport async function asyncLoop(\n iters: number,\n tick: number,\n cb: (i: number) => void\n): Promise<void> {\n let ts = Date.now();\n for (let i = 0; i < iters; i++) {\n cb(i);\n // Date.now() is not monotonic, so in case if clock goes backwards we return return control too\n const diff = Date.now() - ts;\n if (diff >= 0 && diff < tick) continue;\n await nextTick();\n ts += diff;\n }\n}\n\n// Global symbols in both browsers and Node.js since v11\n// See https://github.com/microsoft/TypeScript/issues/31535\ndeclare const TextEncoder: any;\n\n/**\n * Convert JS string to byte array.\n * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])\n */\nexport function utf8ToBytes(str: string): Uint8Array {\n if (typeof str !== 'string') throw new Error('utf8ToBytes expected string, got ' + typeof str);\n return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n\n/** Accepted input of hash functions. Strings are converted to byte arrays. 
*/\nexport type Input = Uint8Array | string;\n/**\n * Normalizes (non-hex) string or Uint8Array to Uint8Array.\n * Warning: when Uint8Array is passed, it would NOT get copied.\n * Keep in mind for future mutable operations.\n */\nexport function toBytes(data: Input): Uint8Array {\n if (typeof data === 'string') data = utf8ToBytes(data);\n abytes(data);\n return data;\n}\n\n/**\n * Copies several Uint8Arrays into one.\n */\nexport function concatBytes(...arrays: Uint8Array[]): Uint8Array {\n let sum = 0;\n for (let i = 0; i < arrays.length; i++) {\n const a = arrays[i];\n abytes(a);\n sum += a.length;\n }\n const res = new Uint8Array(sum);\n for (let i = 0, pad = 0; i < arrays.length; i++) {\n const a = arrays[i];\n res.set(a, pad);\n pad += a.length;\n }\n return res;\n}\n\n/** For runtime check if class implements interface */\nexport abstract class Hash<T extends Hash<T>> {\n abstract blockLen: number; // Bytes per block\n abstract outputLen: number; // Bytes in output\n abstract update(buf: Input): this;\n // Writes digest into buf\n abstract digestInto(buf: Uint8Array): void;\n abstract digest(): Uint8Array;\n /**\n * Resets internal state. Makes Hash instance unusable.\n * Reset is impossible for keyed hashes if key is consumed into state. If digest is not consumed\n * by user, they will need to manually call `destroy()` when zeroing is necessary.\n */\n abstract destroy(): void;\n /**\n * Clones hash instance. Unsafe: doesn't check whether `to` is valid. 
Can be used as `clone()`\n * when no options are passed.\n * Reasons to use `_cloneInto` instead of clone: 1) performance 2) reuse instance => all internal\n * buffers are overwritten => causes buffer overwrite which is used for digest in some cases.\n * There are no guarantees for clean-up because it's impossible in JS.\n */\n abstract _cloneInto(to?: T): T;\n // Safe version that clones internal state\n clone(): T {\n return this._cloneInto();\n }\n}\n\n/**\n * XOF: streaming API to read digest in chunks.\n * Same as 'squeeze' in keccak/k12 and 'seek' in blake3, but more generic name.\n * When hash used in XOF mode it is up to user to call '.destroy' afterwards, since we cannot\n * destroy state, next call can require more bytes.\n */\nexport type HashXOF<T extends Hash<T>> = Hash<T> & {\n xof(bytes: number): Uint8Array; // Read 'bytes' bytes from digest stream\n xofInto(buf: Uint8Array): Uint8Array; // read buf.length bytes from digest stream into buf\n};\n\ntype EmptyObj = {};\nexport function checkOpts<T1 extends EmptyObj, T2 extends EmptyObj>(\n defaults: T1,\n opts?: T2\n): T1 & T2 {\n if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')\n throw new Error('Options should be object or undefined');\n const merged = Object.assign(defaults, opts);\n return merged as T1 & T2;\n}\n\n/** Hash function */\nexport type CHash = ReturnType<typeof wrapConstructor>;\n/** Hash function with output */\nexport type CHashO = ReturnType<typeof wrapConstructorWithOpts>;\n/** XOF with output */\nexport type CHashXO = ReturnType<typeof wrapXOFConstructorWithOpts>;\n\n/** Wraps hash function, creating an interface on top of it */\nexport function wrapConstructor<T extends Hash<T>>(\n hashCons: () => Hash<T>\n): {\n (msg: Input): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(): Hash<T>;\n} {\n const hashC = (msg: Input): Uint8Array => hashCons().update(toBytes(msg)).digest();\n const tmp = hashCons();\n hashC.outputLen = tmp.outputLen;\n 
hashC.blockLen = tmp.blockLen;\n hashC.create = () => hashCons();\n return hashC;\n}\n\nexport function wrapConstructorWithOpts<H extends Hash<H>, T extends Object>(\n hashCons: (opts?: T) => Hash<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts: T): Hash<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts: T) => hashCons(opts);\n return hashC;\n}\n\nexport function wrapXOFConstructorWithOpts<H extends HashXOF<H>, T extends Object>(\n hashCons: (opts?: T) => HashXOF<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts: T): HashXOF<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts: T) => hashCons(opts);\n return hashC;\n}\n\n/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. 
*/\nexport function randomBytes(bytesLength = 32): Uint8Array {\n if (crypto && typeof crypto.getRandomValues === 'function') {\n return crypto.getRandomValues(new Uint8Array(bytesLength));\n }\n // Legacy Node.js compatibility\n if (crypto && typeof crypto.randomBytes === 'function') {\n return crypto.randomBytes(bytesLength);\n }\n throw new Error('crypto.getRandomValues must be defined');\n}\n","var e={done:!0,hasNext:!1},s={done:!1,hasNext:!1},a=()=>e,o=t=>({hasNext:!0,next:t,done:!1});export{s as a,a as b,o as c};\n","import{a as A}from\"./chunk-ANXBDSUI.js\";function C(t,...o){let n=t,u=o.map(e=>\"lazy\"in e?y(e):void 0),p=0;for(;p<o.length;){if(u[p]===void 0||!B(n)){let i=o[p];n=i(n),p+=1;continue}let r=[];for(let i=p;i<o.length;i++){let l=u[i];if(l===void 0||(r.push(l),l.isSingle))break}let a=[];for(let i of n)if(f(i,a,r))break;let{isSingle:s}=r.at(-1);n=s?a[0]:a,p+=r.length}return n}function f(t,o,n){if(n.length===0)return o.push(t),!1;let u=t,p=A,e=!1;for(let[r,a]of n.entries()){let{index:s,items:i}=a;if(i.push(u),p=a(u,s,i),a.index+=1,p.hasNext){if(p.hasMany??!1){for(let l of p.next)if(f(l,o,n.slice(r+1)))return!0;return e}u=p.next}if(!p.hasNext)break;p.done&&(e=!0)}return p.hasNext&&o.push(u),e}function y(t){let{lazy:o,lazyArgs:n}=t,u=o(...n);return Object.assign(u,{isSingle:o.single??!1,index:0,items:[]})}function B(t){return typeof t==\"string\"||typeof t==\"object\"&&t!==null&&Symbol.iterator in t}export{C as a};\n","import{a as o}from\"./chunk-3GOCSNFN.js\";function y(t,i){let a=i.length-t.length;if(a===1){let[n,...r]=i;return o(n,{lazy:t,lazyArgs:r})}if(a===0){let n={lazy:t,lazyArgs:i};return Object.assign(e=>o(e,n),n)}throw new Error(\"Wrong number of arguments\")}export{y as a};\n","import{a as r}from\"./chunk-LFJW7BOT.js\";import{a as n}from\"./chunk-ANXBDSUI.js\";function i(...e){return r(a,e)}function a(){let e=new Set;return t=>e.has(t)?n:(e.add(t),{done:!1,hasNext:!0,next:t})}export{i as 
a};\n"],"mappings":";AACA,SAAS,cAAc;;;ACOvB,YAAY,QAAQ;AACb,IAAM,SACX,MAAM,OAAO,OAAO,YAAY,eAAe,KACvC,eACJ,MAAM,OAAO,OAAO,YAAY,iBAAiB,KAC/C,KACA;;;ACyRF,SAAU,YAAY,cAAc,IAAE;AAC1C,MAAI,UAAU,OAAO,OAAO,oBAAoB,YAAY;AAC1D,WAAO,OAAO,gBAAgB,IAAI,WAAW,WAAW,CAAC;EAC3D;AAEA,MAAI,UAAU,OAAO,OAAO,gBAAgB,YAAY;AACtD,WAAO,OAAO,YAAY,WAAW;EACvC;AACA,QAAM,IAAI,MAAM,wCAAwC;AAC1D;;;AChTA,IAA2B,IAAE,EAAC,MAAK,OAAG,SAAQ,MAAE;;;ACAR,SAAS,EAAE,MAAK,GAAE;AAAC,MAAI,IAAE,GAAE,IAAE,EAAE,IAAI,OAAG,UAAS,IAAE,EAAE,CAAC,IAAE,MAAM,GAAE,IAAE;AAAE,SAAK,IAAE,EAAE,UAAQ;AAAC,QAAG,EAAE,CAAC,MAAI,UAAQ,CAAC,EAAE,CAAC,GAAE;AAAC,UAAIA,KAAE,EAAE,CAAC;AAAE,UAAEA,GAAE,CAAC,GAAE,KAAG;AAAE;AAAA,IAAQ;AAAC,QAAI,IAAE,CAAC;AAAE,aAAQA,KAAE,GAAEA,KAAE,EAAE,QAAOA,MAAI;AAAC,UAAI,IAAE,EAAEA,EAAC;AAAE,UAAG,MAAI,WAAS,EAAE,KAAK,CAAC,GAAE,EAAE,UAAU;AAAA,IAAK;AAAC,QAAIC,KAAE,CAAC;AAAE,aAAQD,MAAK,EAAE,KAAG,EAAEA,IAAEC,IAAE,CAAC,EAAE;AAAM,QAAG,EAAC,UAASC,GAAC,IAAE,EAAE,GAAG,EAAE;AAAE,QAAEA,KAAED,GAAE,CAAC,IAAEA,IAAE,KAAG,EAAE;AAAA,EAAM;AAAC,SAAO;AAAC;AAAC,SAAS,EAAE,GAAE,GAAE,GAAE;AAAC,MAAG,EAAE,WAAS,EAAE,QAAO,EAAE,KAAK,CAAC,GAAE;AAAG,MAAI,IAAE,GAAE,IAAE,GAAE,IAAE;AAAG,WAAO,CAAC,GAAEA,EAAC,KAAI,EAAE,QAAQ,GAAE;AAAC,QAAG,EAAC,OAAMC,IAAE,OAAMF,GAAC,IAAEC;AAAE,QAAGD,GAAE,KAAK,CAAC,GAAE,IAAEC,GAAE,GAAEC,IAAEF,EAAC,GAAEC,GAAE,SAAO,GAAE,EAAE,SAAQ;AAAC,UAAG,EAAE,WAAS,OAAG;AAAC,iBAAQ,KAAK,EAAE,KAAK,KAAG,EAAE,GAAE,GAAE,EAAE,MAAM,IAAE,CAAC,CAAC,EAAE,QAAM;AAAG,eAAO;AAAA,MAAC;AAAC,UAAE,EAAE;AAAA,IAAI;AAAC,QAAG,CAAC,EAAE,QAAQ;AAAM,MAAE,SAAO,IAAE;AAAA,EAAG;AAAC,SAAO,EAAE,WAAS,EAAE,KAAK,CAAC,GAAE;AAAC;AAAC,SAAS,EAAE,GAAE;AAAC,MAAG,EAAC,MAAK,GAAE,UAAS,EAAC,IAAE,GAAE,IAAE,EAAE,GAAG,CAAC;AAAE,SAAO,OAAO,OAAO,GAAE,EAAC,UAAS,EAAE,UAAQ,OAAG,OAAM,GAAE,OAAM,CAAC,EAAC,CAAC;AAAC;AAAC,SAAS,EAAE,GAAE;AAAC,SAAO,OAAO,KAAG,YAAU,OAAO,KAAG,YAAU,MAAI,QAAM,OAAO,YAAY;AAAC;;;ACA11B,SAASE,GAAE,GAAEC,IAAE;AAAC,MAAIC,KAAED,GAAE,SAAO,EAAE;AAAO,MAAGC,OAAI,GAAE;AAAC,QAAG,CAAC,GAAE,GAAG,CAAC,IAAED;AAAE,WAAO,EAAE,GAAE,EAAC,MAAK,GAAE,UAAS,EAAC,CAAC;AAAA,EAAC;AAAC,MAAGC,OAAI,GAAE
;AAAC,QAAI,IAAE,EAAC,MAAK,GAAE,UAASD,GAAC;AAAE,WAAO,OAAO,OAAO,OAAG,EAAE,GAAE,CAAC,GAAE,CAAC;AAAA,EAAC;AAAC,QAAM,IAAI,MAAM,2BAA2B;AAAC;;;ACA1K,SAAS,KAAK,GAAE;AAAC,SAAOE,GAAE,GAAE,CAAC;AAAC;AAAC,SAAS,IAAG;AAAC,MAAI,IAAE,oBAAI;AAAI,SAAO,OAAG,EAAE,IAAI,CAAC,IAAE,KAAG,EAAE,IAAI,CAAC,GAAE,EAAC,MAAK,OAAG,SAAQ,MAAG,MAAK,EAAC;AAAE;;;ANK9L,SAAS,cAAsB;AACpC,QAAM,MAAM,OAAO,MAAM,iBAAiB;AAE1C,SAAO,OAAO,KAAK,GAAG,EAAE,SAAS,QAAQ;AAC3C;AAEO,SAAS,6BAA6B,YAA4B;AACvE,QAAM,MAAM,OAAO,KAAK,YAAY,QAAQ;AAE5C,SAAO,OAAO,KAAK,OAAO,aAAa,GAAG,CAAC,EAAE,SAAS,QAAQ;AAChE;AAEO,SAAS,uBAA+B;AAC7C,QAAM,MAAM,YAAY,EAAE;AAE1B,SAAO,OAAO,KAAK,GAAG,EAAE,SAAS,QAAQ;AAC3C;AAEO,SAAS,yBAAyB,OAAe,OAAuB;AAC7E,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ;AACxC,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ;AACxC,QAAM,SAAS,IAAI,WAAW,EAAE;AAEhC,WAASC,KAAI,GAAGA,KAAI,IAAIA,MAAK;AAC3B,WAAOA,EAAC,IAAI,KAAKA,EAAC,IAAI,KAAKA,EAAC;AAAA,EAC9B;AAEA,SAAO,OAAO,KAAK,MAAM,EAAE,SAAS,QAAQ;AAC9C;AAEA,SAAS,mBAAmB,UAA8B,MAA8B;AACtF,QAAM,QAAQ;AAAA;AAAA,IAEZ;AAAA,IACA,KAAK,KAAK,IAAI;AAAA,IACd,eAAe,KAAK,SAAS;AAAA,EAC/B;AAEA,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,KAAK,gBAAgB,KAAK,WAAW,KAAK,IAAI,CAAC,EAAE;AAAA,EACzD;AAEA,MAAI,KAAK,UAAU;AACjB,UAAM,KAAK,cAAc,KAAK,QAAQ,EAAE;AAAA,EAC1C;AAEA,MAAI,SAAS,oBAAoB,KAAK,kBAAkB;AACtD,UAAM,eAAe,yBAAyB,SAAS,kBAAkB,KAAK,gBAAgB;AAE9F,UAAM,KAAK,kBAAkB,YAAY,EAAE;AAAA,EAC7C,WAAW,SAAS,SAAS,oBAAoB;AAC/C,QAAI,SAAS,QAAQ,uBAAuB,KAAK,SAAS,oBAAoB;AAC5E,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AAEA,UAAM,KAAK,kBAAkB,SAAS,QAAQ,kBAAkB,EAAE;AAAA,EACpE;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAWO,SAAS,uBAAuB;AAAA,EACrC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAA+B;AAC7B,QAAM,SAAS,EAAO,MAAM,QAAQ,UAAQ,KAAK,OAAO,CAAC,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC,CAAC;AAC7E,QAAM,cAAc,EAAO,MAAM,QAAQ,UAAQ,KAAK,eAAe,CAAC,CAAC,CAAC;AAExE,QAAM,QAAQ;AAAA;AAAA,IAEZ;AAAA,IACA,KAAK,SAAS,IAAI;AAAA,EACpB;AAEA,MAAI,SAAS,SAAS;AACpB,UAAM,KAAK,aAAa,SAAS,OAAO,EAAE;AAAA,EAC5C;AAEA,QAAM;AAAA;AAAA,IAEJ,gBAAgB,SAAS,UAAU;AAAA,IACnC;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,GAAG;AACrB,UAAM,KAAK,SAAS,OAAO,KAAK,IA
AI,CAAC,EAAE;AAAA,EACzC;AAEA,MAAI,YAAY;AACd,UAAM,KAAK,gBAAgB,UAAU,EAAE;AAAA,EACzC;AAEA,MAAI,QAAQ;AACV,UAAM,KAAK;AACX,eAAW,WAAW,QAAQ;AAC5B,YAAM,KAAK,YAAY,OAAO,EAAE;AAAA,IAClC;AAAA,EACF;AAEA,MAAI,kBAAkB;AACpB,eAAW,cAAc,aAAa;AACpC,YAAM,KAAK,yBAAyB,UAAU,QAAQ,gBAAgB,EAAE;AAAA,IAC1E;AAAA,EACF;AAEA,QAAM,aAAa,MAAM,OAAO,UAAQ,KAAK,SAAS,SAAS,IAAI;AAEnE,aAAW,QAAQ,YAAY;AAC7B,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,mBAAmB,UAAU,IAAI,CAAC;AAAA,EAC/C;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAQO,SAAS,oBACd,EAAE,SAAS,YAAY,SAAS,GAChC,SACA,aACU;AACV,QAAM,SAAS,oBAAI,IAAY;AAE/B,MAAI,SAAS;AACX,WAAO,IAAI,OAAO;AAAA,EACpB;AAEA,MAAI,YAAY;AACd,eAAW,MAAM,YAAY;AAC3B,aAAO,IAAI,EAAE;AAAA,IACf;AAAA,EACF;AAEA,MAAI,UAAU;AACZ,WAAO,IAAI,WAAW;AAEtB,QAAI,SAAS,MAAM;AACjB,aAAO,IAAI,MAAM;AAAA,IACnB;AAAA,EACF;AAEA,MAAI,aAAa;AACf,eAAW,WAAW,aAAa;AACjC,UAAI,QAAQ,KAAK,WAAW;AAC1B,eAAO,IAAI,QAAQ,KAAK,SAAS;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,MAAM;AAC1B;AAOO,SAAS,qBACd,EAAE,aAAa,kBAAkB,GACjC,SACU;AACV,QAAM,SAAS,oBAAI,IAAY;AAE/B,MAAI,aAAa;AACf,eAAW,MAAM,aAAa;AAC5B,aAAO,IAAI,EAAE;AAAA,IACf;AAAA,EACF;AAEA,MAAI,mBAAmB;AACrB,WAAO,IAAI,YAAY;AACvB,WAAO,IAAI,eAAe;AAC1B,WAAO,IAAI,gBAAgB;AAE3B,QAAI,SAAS,MAAM;AACjB,aAAO,IAAI,UAAU;AACrB,aAAO,IAAI,WAAW;AAAA,IACxB;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,MAAM;AAC1B;AAQO,SAAS,kBACd,EAAE,YAAY,YAAY,SAAS,GACnC,MACoB;AACpB,MAAI,UAAU;AACZ,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ,YAAY;AACtB,WAAO,GAAG,IAAI,IAAI,UAAU;AAAA,EAC9B;AAEA,MAAI,cAAc,YAAY;AAC5B,WAAO,GAAG,UAAU,IAAI,UAAU;AAAA,EACpC;AAEA,SAAO;AACT;","names":["i","a","s","y","i","a","y","i"]}