@highstate/wireguard 0.9.15 → 0.9.16

@@ -1,16 +1,9 @@
1
- // src/shared.ts
2
- import {
3
- l34EndpointToString,
4
- l3EndpointToString,
5
- l3ToL4Endpoint,
6
- l4EndpointToString,
7
- parseL34Endpoint,
8
- parseL4Endpoint
9
- } from "@highstate/common";
10
- import { x25519 } from "@noble/curves/ed25519";
1
+ import { l3ToL4Endpoint, parseL4Endpoint, l3EndpointToString, parseL34Endpoint, l4EndpointToString, l34EndpointToString } from '@highstate/common';
2
+ import { x25519 } from '@noble/curves/ed25519';
3
+ import * as nc from 'node:crypto';
4
+ import { getBestEndpoint } from '@highstate/k8s';
11
5
 
12
- // ../../node_modules/@noble/hashes/esm/cryptoNode.js
13
- import * as nc from "node:crypto";
6
+ // src/shared.ts
14
7
  var crypto = nc && typeof nc === "object" && "webcrypto" in nc ? nc.webcrypto : nc && typeof nc === "object" && "randomBytes" in nc ? nc : void 0;
15
8
 
16
9
  // ../../node_modules/@noble/hashes/esm/utils.js
@@ -19,7 +12,7 @@ function randomBytes(bytesLength = 32) {
19
12
  return crypto.getRandomValues(new Uint8Array(bytesLength));
20
13
  }
21
14
  if (crypto && typeof crypto.randomBytes === "function") {
22
- return crypto.randomBytes(bytesLength);
15
+ return Uint8Array.from(crypto.randomBytes(bytesLength));
23
16
  }
24
17
  throw new Error("crypto.getRandomValues must be defined");
25
18
  }
@@ -107,9 +100,6 @@ function a() {
107
100
  let e = /* @__PURE__ */ new Set();
108
101
  return (t) => e.has(t) ? s : (e.add(t), { done: false, hasNext: true, next: t });
109
102
  }
110
-
111
- // src/shared.ts
112
- import { getBestEndpoint } from "@highstate/k8s";
113
103
  function generateKey() {
114
104
  const key = x25519.utils.randomPrivateKey();
115
105
  return Buffer.from(key).toString("base64");
@@ -320,22 +310,12 @@ function shouldExpose(identity, exposePolicy) {
320
310
  }
321
311
  return identity.peer.endpoints.length > 0;
322
312
  }
323
-
324
- export {
325
- generateKey,
326
- convertPrivateKeyToPublicKey,
327
- generatePresharedKey,
328
- generateIdentityConfig,
329
- calculateEndpoints,
330
- calculateAllowedIps,
331
- calculateAllowedEndpoints,
332
- isExitNode,
333
- createPeerEntity,
334
- shouldExpose
335
- };
336
313
  /*! Bundled license information:
337
314
 
338
315
  @noble/hashes/esm/utils.js:
339
316
  (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
340
317
  */
341
- //# sourceMappingURL=chunk-PXOBQDLU.js.map
318
+
319
+ export { calculateAllowedEndpoints, calculateAllowedIps, calculateEndpoints, convertPrivateKeyToPublicKey, createPeerEntity, generateIdentityConfig, generateKey, generatePresharedKey, isExitNode, shouldExpose };
320
+ //# sourceMappingURL=chunk-MDXKWNFE.js.map
321
+ //# sourceMappingURL=chunk-MDXKWNFE.js.map
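Review bot: The `randomBytes` fallback changed in the second hunk (`return Uint8Array.from(crypto.randomBytes(bytesLength));`) sits in a copy of `@noble/hashes/esm/utils.js` that was inlined into this chunk, while `x25519` is still resolved at install time through the `@noble/curves/ed25519` import. Going by the embedded `src/shared.ts`, `generatePresharedKey` takes its 32 key bytes from that inlined copy, so the CSPRNG wrapper is frozen at build time and a dependency audit of the installed tree will presumably not report its version. Consider treating `@noble/hashes` as an external dependency in the bundle step so that it resolves like `@noble/curves`, or at least recording the bundled version in the `Bundled license information` banner. The first lines of `randomBytes` lie outside the hunk; the changed line is reached only when `crypto.getRandomValues` is unavailable.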
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../../node_modules/@noble/hashes/src/cryptoNode.ts","../../../node_modules/@noble/hashes/src/utils.ts","../../../node_modules/remeda/dist/chunk-ANXBDSUI.js","../../../node_modules/remeda/dist/chunk-3GOCSNFN.js","../../../node_modules/remeda/dist/chunk-LFJW7BOT.js","../../../node_modules/remeda/dist/chunk-7ZI6JRPB.js","../../../node_modules/remeda/dist/chunk-QJLMYOTX.js","../src/shared.ts"],"names":["i","a","s","y"],"mappings":";;;;;;AASO,IAAM,MACX,GAAA,EAAA,IAAM,OAAO,EAAA,KAAO,YAAY,WAAe,IAAA,EAAA,GACvC,EACJ,CAAA,SAAA,GAAA,EAAA,IAAM,OAAO,EAAA,KAAO,QAAY,IAAA,aAAA,IAAiB,KAC/C,EACA,GAAA,MAAA;;;ACmXF,SAAU,WAAA,CAAY,cAAc,EAAE,EAAA;AAC1C,EAAA,IAAI,MAAU,IAAA,OAAO,MAAO,CAAA,eAAA,KAAoB,UAAY,EAAA;AAC1D,IAAA,OAAO,MAAO,CAAA,eAAA,CAAgB,IAAI,UAAA,CAAW,WAAW,CAAC,CAAA;AAC3D;AAEA,EAAA,IAAI,MAAU,IAAA,OAAO,MAAO,CAAA,WAAA,KAAgB,UAAY,EAAA;AACtD,IAAA,OAAO,UAAW,CAAA,IAAA,CAAK,MAAO,CAAA,WAAA,CAAY,WAAW,CAAC,CAAA;AACxD;AACA,EAAM,MAAA,IAAI,MAAM,wCAAwC,CAAA;AAC1D;;;AC1YA,IAA2B,CAAE,GAAA,EAAC,IAAK,EAAA,KAAA,EAAG,SAAQ,KAAE,EAAA;;;ACAR,SAAS,CAAA,CAAE,MAAK,CAAE,EAAA;AAAC,EAAA,IAAI,CAAE,GAAA,CAAA,EAAE,CAAE,GAAA,CAAA,CAAE,GAAI,CAAA,CAAA,CAAA,KAAG,MAAS,IAAA,CAAA,GAAE,CAAE,CAAA,CAAC,CAAE,GAAA,MAAM,GAAE,CAAE,GAAA,CAAA;AAAE,EAAK,OAAA,CAAA,GAAE,EAAE,MAAQ,IAAA;AAAC,IAAA,IAAG,EAAE,CAAC,CAAA,KAAI,UAAQ,CAAC,CAAA,CAAE,CAAC,CAAE,EAAA;AAAC,MAAIA,IAAAA,EAAAA,GAAE,EAAE,CAAC,CAAA;AAAE,MAAEA,CAAAA,GAAAA,EAAAA,CAAE,CAAC,CAAA,EAAE,CAAG,IAAA,CAAA;AAAE,MAAA;AAAA;AAAS,IAAA,IAAI,IAAE,EAAC;AAAE,IAAA,KAAA,IAAQA,EAAE,GAAA,CAAA,EAAEA,EAAE,GAAA,CAAA,CAAE,QAAOA,EAAI,EAAA,EAAA;AAAC,MAAI,IAAA,CAAA,GAAE,EAAEA,EAAC,CAAA;AAAE,MAAA,IAAG,MAAI,MAAS,KAAA,CAAA,CAAE,KAAK,CAAC,CAAA,EAAE,EAAE,QAAU,CAAA,EAAA;AAAA;AAAM,IAAA,IAAIC,KAAE,EAAC;AAAE,IAAA,KAAA,IAAQD,MAAK,CAAE,EAAA,IAAG,EAAEA,EAAEC,EAAAA,EAAAA,EAAE,CAAC,CAAE,EAAA;AAAM,IAAA,IAAG,EAAC,QAASC,EAAAA,EAAAA,EAAG,GAAA,CAAA,CAAE,GAAG,EAAE,CAAA;AAAE,IAAA,CAAA,GAAEA,KAAED,EAAE,CAAA,CAAC,CAAEA,GAAAA,EAAAA,EAAE,KAAG,CAAE,CAAA,MAAA;AAAA;AAAO,EAAO,OAAA,CAAA;AAAC;AAAC,
SAAS,CAAA,CAAE,CAAE,EAAA,CAAA,EAAE,CAAE,EAAA;AAAC,EAAA,IAAG,EAAE,MAAS,KAAA,CAAA,SAAS,CAAE,CAAA,IAAA,CAAK,CAAC,CAAE,EAAA,KAAA;AAAG,EAAA,IAAI,CAAE,GAAA,CAAA,EAAE,CAAE,GAAA,CAAA,EAAE,CAAE,GAAA,KAAA;AAAG,EAAA,KAAA,IAAO,CAAC,CAAEA,EAAAA,EAAC,CAAI,IAAA,CAAA,CAAE,SAAU,EAAA;AAAC,IAAA,IAAG,EAAC,KAAA,EAAMC,EAAE,EAAA,KAAA,EAAMF,IAAGC,GAAAA,EAAAA;AAAE,IAAA,IAAGD,EAAE,CAAA,IAAA,CAAK,CAAC,CAAA,EAAE,IAAEC,EAAE,CAAA,CAAA,EAAEC,EAAEF,EAAAA,EAAC,CAAEC,EAAAA,EAAAA,CAAE,KAAO,IAAA,CAAA,EAAE,EAAE,OAAQ,EAAA;AAAC,MAAG,IAAA,CAAA,CAAE,WAAS,KAAG,EAAA;AAAC,QAAA,KAAA,IAAQ,CAAK,IAAA,CAAA,CAAE,IAAK,EAAA,IAAG,CAAE,CAAA,CAAA,EAAE,CAAE,EAAA,CAAA,CAAE,KAAM,CAAA,CAAA,GAAE,CAAC,CAAC,GAAQ,OAAA,IAAA;AAAG,QAAO,OAAA,CAAA;AAAA;AAAE,MAAA,CAAA,GAAE,CAAE,CAAA,IAAA;AAAA;AAAK,IAAG,IAAA,CAAC,EAAE,OAAQ,EAAA;AAAM,IAAA,CAAA,CAAE,SAAO,CAAE,GAAA,IAAA,CAAA;AAAA;AAAI,EAAA,OAAO,CAAE,CAAA,OAAA,IAAS,CAAE,CAAA,IAAA,CAAK,CAAC,CAAE,EAAA,CAAA;AAAC;AAAC,SAAS,EAAE,CAAE,EAAA;AAAC,EAAG,IAAA,EAAC,IAAK,EAAA,CAAA,EAAE,QAAS,EAAA,CAAA,KAAG,CAAE,EAAA,CAAA,GAAE,CAAE,CAAA,GAAG,CAAC,CAAA;AAAE,EAAA,OAAO,MAAO,CAAA,MAAA,CAAO,CAAE,EAAA,EAAC,QAAS,EAAA,CAAA,CAAE,MAAQ,IAAA,KAAA,EAAG,KAAM,EAAA,CAAA,EAAE,KAAM,EAAA,IAAG,CAAA;AAAC;AAAC,SAAS,EAAE,CAAE,EAAA;AAAC,EAAO,OAAA,OAAO,KAAG,QAAU,IAAA,OAAO,KAAG,QAAU,IAAA,CAAA,KAAI,IAAM,IAAA,MAAA,CAAO,QAAY,IAAA,CAAA;AAAC;;;ACA11B,SAASE,EAAAA,CAAE,GAAEH,EAAE,EAAA;AAAC,EAAIC,IAAAA,EAAAA,GAAED,EAAE,CAAA,MAAA,GAAO,CAAE,CAAA,MAAA;AAAO,EAAA,IAAGC,OAAI,CAAE,EAAA;AAAC,IAAA,IAAG,CAAC,CAAA,EAAE,GAAG,CAAC,CAAED,GAAAA,EAAAA;AAAE,IAAA,OAAO,EAAE,CAAE,EAAA,EAAC,MAAK,CAAE,EAAA,QAAA,EAAS,GAAE,CAAA;AAAA;AAAE,EAAA,IAAGC,OAAI,CAAE,EAAA;AAAC,IAAA,IAAI,CAAE,GAAA,EAAC,IAAK,EAAA,CAAA,EAAE,UAASD,EAAC,EAAA;AAAE,IAAA,OAAO,OAAO,MAAO,CAAA,CAAA,CAAA,KAAG,EAAE,CAAE,EAAA,CAAC,GAAE,CAAC,CAAA;AAAA;AAAE,EAAM,MAAA,IAAI,MAAM,2BAA2B,CAAA;AAAC;;;ACA/K,SAAS,KAAK,CAAE,EAAA;AAAC,EAAOG,OAAAA,EAAAA,CAAEA,IAAE,CAAC,CAAA;AAAC;AAAC,SAASA,GAAE,CAAE,EAAA;AAAC,EAAI,IAAA,CAAA,GAAE,CAAE,EAAA,CAAA,mBAAM,IAAA,GAAA,EAAA;AAAI,EAAM,OAAA,CAAC,CAAEH,EAAAA,EAAAA,EAAE,CAAI
,KAAA;AAAC,IAAA,IAAI,CAAE,GAAA,CAAA,CAAE,CAAEA,EAAAA,EAAAA,EAAE,CAAC,CAAA;AAAE,IAAA,OAAO,CAAE,CAAA,GAAA,CAAI,CAAC,CAAA,GAAE,KAAG,CAAE,CAAA,GAAA,CAAI,CAAC,CAAA,EAAE,EAAC,IAAK,EAAA,KAAA,EAAG,OAAQ,EAAA,IAAA,EAAG,MAAK,CAAC,EAAA,CAAA;AAAA,GAAE;AAAC;;;ACAlJ,SAAS,KAAK,CAAE,EAAA;AAAC,EAAOG,OAAAA,EAAAA,CAAE,GAAE,CAAC,CAAA;AAAC;AAAC,SAAS,CAAG,GAAA;AAAC,EAAA,IAAI,oBAAM,IAAA,GAAA,EAAA;AAAI,EAAA,OAAO,OAAG,CAAE,CAAA,GAAA,CAAI,CAAC,CAAA,GAAE,KAAG,CAAE,CAAA,GAAA,CAAI,CAAC,CAAA,EAAE,EAAC,IAAK,EAAA,KAAA,EAAG,OAAQ,EAAA,IAAA,EAAG,MAAK,CAAC,EAAA,CAAA;AAAE;ACe9L,SAAS,WAAsB,GAAA;AACpC,EAAM,MAAA,GAAA,GAAM,MAAO,CAAA,KAAA,CAAM,gBAAiB,EAAA;AAE1C,EAAA,OAAO,MAAO,CAAA,IAAA,CAAK,GAAG,CAAA,CAAE,SAAS,QAAQ,CAAA;AAC3C;AAEO,SAAS,6BAA6B,UAA4B,EAAA;AACvE,EAAA,MAAM,GAAM,GAAA,MAAA,CAAO,IAAK,CAAA,UAAA,EAAY,QAAQ,CAAA;AAE5C,EAAO,OAAA,MAAA,CAAO,KAAK,MAAO,CAAA,YAAA,CAAa,GAAG,CAAC,CAAA,CAAE,SAAS,QAAQ,CAAA;AAChE;AAEO,SAAS,oBAA+B,GAAA;AAC7C,EAAM,MAAA,GAAA,GAAM,YAAY,EAAE,CAAA;AAE1B,EAAA,OAAO,MAAO,CAAA,IAAA,CAAK,GAAG,CAAA,CAAE,SAAS,QAAQ,CAAA;AAC3C;AAEO,SAAS,wBAAA,CAAyB,OAAe,KAAuB,EAAA;AAC7E,EAAA,MAAM,IAAO,GAAA,MAAA,CAAO,IAAK,CAAA,KAAA,EAAO,QAAQ,CAAA;AACxC,EAAA,MAAM,IAAO,GAAA,MAAA,CAAO,IAAK,CAAA,KAAA,EAAO,QAAQ,CAAA;AACxC,EAAM,MAAA,MAAA,GAAS,IAAI,UAAA,CAAW,EAAE,CAAA;AAEhC,EAAA,KAAA,IAASH,EAAI,GAAA,CAAA,EAAGA,EAAI,GAAA,EAAA,EAAIA,EAAK,EAAA,EAAA;AAC3B,IAAA,MAAA,CAAOA,EAAC,CAAI,GAAA,IAAA,CAAKA,EAAC,CAAA,GAAI,KAAKA,EAAC,CAAA;AAAA;AAG9B,EAAA,OAAO,MAAO,CAAA,IAAA,CAAK,MAAM,CAAA,CAAE,SAAS,QAAQ,CAAA;AAC9C;AAEA,SAAS,kBAAA,CACP,QACA,EAAA,IAAA,EACA,OACQ,EAAA;AACR,EAAA,MAAM,KAAQ,GAAA;AAAA;AAAA,IAEZ,QAAA;AAAA,IACA,CAAA,EAAA,EAAK,KAAK,IAAI,CAAA,CAAA;AAAA,IACd,CAAA,YAAA,EAAe,KAAK,SAAS,CAAA;AAAA,GAC/B;AAEA,EAAI,IAAA,IAAA,CAAK,UAAW,CAAA,MAAA,GAAS,CAAG,EAAA;AAC9B,IAAA,KAAA,CAAM,KAAK,CAAgB,aAAA,EAAA,IAAA,CAAK,WAAW,IAAK,CAAA,IAAI,CAAC,CAAE,CAAA,CAAA;AAAA;AAGzD,EAAA,MAAM,YAAe,GAAA,eAAA,CAAgB,IAAK,CAAA,SAAA,EAAW,OAAO,CAAA;AAE5D,EAAA,IAAI,YAAc,EAAA;AAChB,IAAA,KAAA,CAAM,IAAK,CAAA,CAAA,WAAA,EAAc,kBAAmB,CAAA,YAAY,CAAC,CAAE,CAAA,CAAA;AAAA;AAG7D
,EAAA,IAAI,QAAS,CAAA,IAAA,CAAK,gBAAoB,IAAA,IAAA,CAAK,gBAAkB,EAAA;AAC3D,IAAA,MAAM,YAAe,GAAA,wBAAA;AAAA,MACnB,SAAS,IAAK,CAAA,gBAAA;AAAA,MACd,IAAK,CAAA;AAAA,KACP;AAEA,IAAM,KAAA,CAAA,IAAA,CAAK,CAAkB,eAAA,EAAA,YAAY,CAAE,CAAA,CAAA;AAAA,GAClC,MAAA,IAAA,IAAA,CAAK,YAAgB,IAAA,QAAA,CAAS,KAAK,YAAc,EAAA;AAC1D,IAAA,IAAI,IAAK,CAAA,YAAA,KAAiB,QAAS,CAAA,IAAA,CAAK,YAAc,EAAA;AACpD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,0CAA0C,IAAK,CAAA,IAAI,CAAQ,KAAA,EAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,OAC/E;AAAA;AAGF,IAAA,KAAA,CAAM,IAAK,CAAA,CAAA,eAAA,EAAkB,IAAK,CAAA,YAAY,CAAE,CAAA,CAAA;AAAA;AAGlD,EAAO,OAAA,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAeO,SAAS,sBAAuB,CAAA;AAAA,EACrC,QAAA;AAAA,EACA,KAAA;AAAA,EACA,UAAA,GAAa,SAAS,IAAK,CAAA,UAAA;AAAA,EAC3B,MAAM,EAAC;AAAA,EACP,QAAQ,EAAC;AAAA,EACT,SAAS,EAAC;AAAA,EACV,UAAU,EAAC;AAAA,EACX,WAAW,EAAC;AAAA,EACZ,gBAAA;AAAA,EACA;AACF,CAA+B,EAAA;AAC7B,EAAM,MAAA,MAAA,GAAS,CAAO,CAAA,KAAA,CAAM,OAAQ,CAAA,CAAA,IAAA,KAAQ,KAAK,GAAG,CAAA,CAAE,MAAO,CAAA,GAAG,CAAC,CAAA;AACjE,EAAA,MAAM,cAAc,CAAO,CAAA,KAAA,CAAM,QAAQ,CAAQ,IAAA,KAAA,IAAA,CAAK,WAAW,CAAC,CAAA;AAElE,EAAA,MAAM,KAAQ,GAAA;AAAA;AAAA,IAEZ,aAAA;AAAA,IACA,CAAA,EAAA,EAAK,QAAS,CAAA,IAAA,CAAK,IAAI,CAAA;AAAA,GACzB;AAEA,EAAI,IAAA,QAAA,CAAS,KAAK,OAAS,EAAA;AACzB,IAAA,KAAA,CAAM,IAAK,CAAA,CAAA,UAAA,EAAa,QAAS,CAAA,IAAA,CAAK,OAAO,CAAE,CAAA,CAAA;AAAA;AAGjD,EAAM,KAAA,CAAA,IAAA;AAAA;AAAA,IAEJ,CAAA,aAAA,EAAgB,SAAS,UAAU,CAAA,CAAA;AAAA,IACnC;AAAA,GACF;AAEA,EAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,IAAA,KAAA,CAAM,KAAK,CAAS,MAAA,EAAA,MAAA,CAAO,IAAK,CAAA,IAAI,CAAC,CAAE,CAAA,CAAA;AAAA;AAGzC,EAAA,IAAI,UAAY,EAAA;AACd,IAAM,KAAA,CAAA,IAAA,CAAK,CAAgB,aAAA,EAAA,UAAU,CAAE,CAAA,CAAA;AAAA;AAGzC,EAAI,IAAA,KAAA,CAAM,SAAS,CAAG,EAAA;AACpB,IAAA,KAAA,CAAM,IAAK,EAAA;AACX,IAAA,KAAA,MAAW,WAAW,KAAO,EAAA;AAC3B,MAAM,KAAA,CAAA,IAAA,CAAK,CAAW,QAAA,EAAA,OAAO,CAAE,CAAA,CAAA;AAAA;AACjC;AAGF,EAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,IAAA,KAAA,CAAM,IAAK,EAAA;AACX,IAAA,KAAA,MAAW,WAAW,MAAQ,EAAA;AAC5B,MAAM,KAAA,CAAA,IAAA,CAAK,CAAY,SAAA,EAAA,OAAO,CAAE,CAAA,CAAA;AAAA;AAClC;AAGF,EAAI,IAAA,OAAA,CAAQ,
SAAS,CAAG,EAAA;AACtB,IAAA,KAAA,CAAM,IAAK,EAAA;AACX,IAAA,KAAA,MAAW,WAAW,OAAS,EAAA;AAC7B,MAAM,KAAA,CAAA,IAAA,CAAK,CAAa,UAAA,EAAA,OAAO,CAAE,CAAA,CAAA;AAAA;AACnC;AAGF,EAAI,IAAA,QAAA,CAAS,SAAS,CAAG,EAAA;AACvB,IAAA,KAAA,CAAM,IAAK,EAAA;AACX,IAAA,KAAA,MAAW,WAAW,QAAU,EAAA;AAC9B,MAAM,KAAA,CAAA,IAAA,CAAK,CAAc,WAAA,EAAA,OAAO,CAAE,CAAA,CAAA;AAAA;AACpC;AAGF,EAAA,IAAI,gBAAkB,EAAA;AACpB,IAAA,KAAA,CAAM,IAAK,EAAA;AACX,IAAA,KAAA,MAAW,cAAc,WAAa,EAAA;AACpC,MAAA,KAAA,CAAM,IAAK,CAAA,CAAA,sBAAA,EAAyB,UAAU,CAAA,KAAA,EAAQ,gBAAgB,CAAE,CAAA,CAAA;AAAA;AAC1E;AAGF,EAAM,MAAA,UAAA,GAAa,MAAM,MAAO,CAAA,CAAA,IAAA,KAAQ,KAAK,IAAS,KAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAExE,EAAA,KAAA,MAAW,QAAQ,UAAY,EAAA;AAC7B,IAAA,KAAA,CAAM,KAAK,EAAE,CAAA;AACb,IAAA,KAAA,CAAM,IAAK,CAAA,kBAAA,CAAmB,QAAU,EAAA,IAAA,EAAM,OAAO,CAAC,CAAA;AAAA;AAGxD,EAAO,OAAA,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAUO,SAAS,kBAAA,CACd,EAAE,SAAW,EAAA,UAAA,IACb,EAAE,WAAA,EAAa,aACO,EAAA;AACtB,EAAO,OAAA,CAAA;AAAA,IACL;AAAA,MACE,GAAG,YAAY,GAAI,CAAA,CAAA,CAAA,KAAK,eAAe,CAAG,EAAA,UAAA,IAAc,KAAK,CAAC,CAAA;AAAA,MAC9D,GAAG,WAAA;AAAA,MACH,GAAG,SAAU,CAAA,GAAA,CAAI,eAAe;AAAA,KAClC;AAAA,IACA,CAAA,QAAA,KAAY,mBAAmB,QAAQ;AAAA,GACzC;AACF;AAEO,SAAS,mBAAA,CACd,EAAE,OAAS,EAAA,QAAA,IACX,EAAE,OAAA,IACF,gBACU,EAAA;AACV,EAAM,MAAA,MAAA,uBAAa,GAAY,EAAA;AAE/B,EAAA,IAAI,OAAS,EAAA;AACX,IAAA,MAAA,CAAO,IAAI,OAAO,CAAA;AAAA;AAGpB,EAAA,IAAI,QAAU,EAAA;AACZ,IAAA,MAAA,CAAO,IAAI,WAAW,CAAA;AAEtB,IAAA,IAAI,SAAS,IAAM,EAAA;AACjB,MAAA,MAAA,CAAO,IAAI,MAAM,CAAA;AAAA;AACnB;AAGF,EAAA,KAAA,MAAW,YAAY,gBAAkB,EAAA;AACvC,IAAI,IAAA,QAAA,CAAS,SAAS,UAAY,EAAA;AAChC,MAAO,MAAA,CAAA,GAAA,CAAI,kBAAmB,CAAA,QAAQ,CAAC,CAAA;AAAA;AACzC;AAGF,EAAO,OAAA,KAAA,CAAM,KAAK,MAAM,CAAA;AAC1B;AAEO,SAAS,yBAAA,CACd,EAAE,gBAAA,EACF,EAAA;AAAA,EACE,kBAAA;AAAA,EACA;AACF,CACuB,EAAA;AACvB,EAAO,OAAA,CAAA;AAAA,IACL;AAAA;AAAA,MAEE,GAAG,kBAAA;AAAA,MACH,GAAG,kBAAA;AAAA,MACH,GAAG,gBAAiB,CAAA,GAAA,CAAI,gBAAgB;AAAA,KAC1C;AAAA,IACA,CAAA,QAAA,KAAY,oBAAoB,QAAQ;AAAA,GAC1C;AACF;AAEA,SAAS,qBACP,EAAE,WAAA,EAAa,mBACf,EAAA,EAAE,SACQ,EAAA;AACV,EAAM,MAAA,MAAA,uBAA
a,GAAY,EAAA;AAE/B,EAAA,KAAA,MAAW,MAAM,WAAa,EAAA;AAC5B,IAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AAAA;AAGf,EAAA,IAAI,iBAAmB,EAAA;AACrB,IAAA,MAAA,CAAO,IAAI,YAAY,CAAA;AACvB,IAAA,MAAA,CAAO,IAAI,eAAe,CAAA;AAC1B,IAAA,MAAA,CAAO,IAAI,gBAAgB,CAAA;AAE3B,IAAA,IAAI,SAAS,IAAM,EAAA;AACjB,MAAA,MAAA,CAAO,IAAI,UAAU,CAAA;AACrB,MAAA,MAAA,CAAO,IAAI,WAAW,CAAA;AAAA;AACxB;AAGF,EAAO,OAAA,KAAA,CAAM,KAAK,MAAM,CAAA;AAC1B;AAEO,SAAS,WAAW,IAA+B,EAAA;AACxD,EAAO,OAAA,IAAA,CAAK,WAAW,QAAS,CAAA,WAAW,KAAK,IAAK,CAAA,UAAA,CAAW,SAAS,MAAM,CAAA;AACjF;AAEO,SAAS,gBACd,CAAA,IAAA,EACA,IACA,EAAA,MAAA,EACA,WACA,gBACgB,EAAA;AAChB,EAAM,MAAA,SAAA,GAAY,kBAAmB,CAAA,IAAA,EAAM,MAAM,CAAA;AACjD,EAAM,MAAA,gBAAA,GAAmB,yBAA0B,CAAA,IAAA,EAAM,MAAM,CAAA;AAC/D,EAAA,MAAM,UAAa,GAAA,mBAAA,CAAoB,IAAM,EAAA,MAAA,EAAQ,gBAAgB,CAAA;AACrE,EAAM,MAAA,WAAA,GAAc,oBAAqB,CAAA,IAAA,EAAM,MAAM,CAAA;AAErD,EAAO,OAAA;AAAA,IACL,IAAA,EAAM,KAAK,QAAY,IAAA,IAAA;AAAA,IACvB,SAAA;AAAA,IACA,UAAA;AAAA,IACA,gBAAA;AAAA,IACA,WAAA;AAAA,IACA,KAAK,IAAK,CAAA,GAAA;AAAA,IACV,SAAA;AAAA,IACA,SAAS,IAAK,CAAA,OAAA;AAAA,IACd,SAAS,MAAO,CAAA,OAAA;AAAA,IAChB,gBAAA;AAAA,IACA,YAAY,IAAK,CAAA;AAAA,GACnB;AACF;AAEO,SAAS,YAAA,CACd,UACA,YACS,EAAA;AACT,EAAA,IAAI,iBAAiB,QAAU,EAAA;AAC7B,IAAO,OAAA,IAAA;AAAA;AAGT,EAAA,IAAI,iBAAiB,OAAS,EAAA;AAC5B,IAAO,OAAA,KAAA;AAAA;AAGT,EAAO,OAAA,QAAA,CAAS,IAAK,CAAA,SAAA,CAAU,MAAS,GAAA,CAAA;AAC1C","file":"chunk-MDXKWNFE.js","sourcesContent":["/**\n * Internal webcrypto alias.\n * We prefer WebCrypto aka globalThis.crypto, which exists in node.js 16+.\n * Falls back to Node.js built-in crypto for Node.js <=v14.\n * See utils.ts for details.\n * @module\n */\n// @ts-ignore\nimport * as nc from 'node:crypto';\nexport const crypto: any =\n nc && typeof nc === 'object' && 'webcrypto' in nc\n ? (nc.webcrypto as any)\n : nc && typeof nc === 'object' && 'randomBytes' in nc\n ? nc\n : undefined;\n","/**\n * Utilities for hex, bytes, CSPRNG.\n * @module\n */\n/*! 
noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n\n// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.\n// node.js versions earlier than v19 don't declare it in global scope.\n// For node.js, package.json#exports field mapping rewrites import\n// from `crypto` to `cryptoNode`, which imports native module.\n// Makes the utils un-importable in browsers without a bundler.\n// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.\nimport { crypto } from '@noble/hashes/crypto';\n\n/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */\nexport function isBytes(a: unknown): a is Uint8Array {\n return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');\n}\n\n/** Asserts something is positive integer. */\nexport function anumber(n: number): void {\n if (!Number.isSafeInteger(n) || n < 0) throw new Error('positive integer expected, got ' + n);\n}\n\n/** Asserts something is Uint8Array. 
*/\nexport function abytes(b: Uint8Array | undefined, ...lengths: number[]): void {\n if (!isBytes(b)) throw new Error('Uint8Array expected');\n if (lengths.length > 0 && !lengths.includes(b.length))\n throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);\n}\n\n/** Asserts something is hash */\nexport function ahash(h: IHash): void {\n if (typeof h !== 'function' || typeof h.create !== 'function')\n throw new Error('Hash should be wrapped by utils.createHasher');\n anumber(h.outputLen);\n anumber(h.blockLen);\n}\n\n/** Asserts a hash instance has not been destroyed / finished */\nexport function aexists(instance: any, checkFinished = true): void {\n if (instance.destroyed) throw new Error('Hash instance has been destroyed');\n if (checkFinished && instance.finished) throw new Error('Hash#digest() has already been called');\n}\n\n/** Asserts output is properly-sized byte array */\nexport function aoutput(out: any, instance: any): void {\n abytes(out);\n const min = instance.outputLen;\n if (out.length < min) {\n throw new Error('digestInto() expects output buffer of length at least ' + min);\n }\n}\n\n/** Generic type encompassing 8/16/32-byte arrays - but not 64-byte. */\n// prettier-ignore\nexport type TypedArray = Int8Array | Uint8ClampedArray | Uint8Array |\n Uint16Array | Int16Array | Uint32Array | Int32Array;\n\n/** Cast u8 / u16 / u32 to u8. */\nexport function u8(arr: TypedArray): Uint8Array {\n return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n\n/** Cast u8 / u16 / u32 to u32. */\nexport function u32(arr: TypedArray): Uint32Array {\n return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n}\n\n/** Zeroize a byte array. Warning: JS provides no guarantees. */\nexport function clean(...arrays: TypedArray[]): void {\n for (let i = 0; i < arrays.length; i++) {\n arrays[i].fill(0);\n }\n}\n\n/** Create DataView of an array for easy byte-level manipulation. 
*/\nexport function createView(arr: TypedArray): DataView {\n return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n\n/** The rotate right (circular right shift) operation for uint32 */\nexport function rotr(word: number, shift: number): number {\n return (word << (32 - shift)) | (word >>> shift);\n}\n\n/** The rotate left (circular left shift) operation for uint32 */\nexport function rotl(word: number, shift: number): number {\n return (word << shift) | ((word >>> (32 - shift)) >>> 0);\n}\n\n/** Is current platform little-endian? Most are. Big-Endian platform: IBM */\nexport const isLE: boolean = /* @__PURE__ */ (() =>\n new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();\n\n/** The byte swap operation for uint32 */\nexport function byteSwap(word: number): number {\n return (\n ((word << 24) & 0xff000000) |\n ((word << 8) & 0xff0000) |\n ((word >>> 8) & 0xff00) |\n ((word >>> 24) & 0xff)\n );\n}\n/** Conditionally byte swap if on a big-endian platform */\nexport const swap8IfBE: (n: number) => number = isLE\n ? (n: number) => n\n : (n: number) => byteSwap(n);\n\n/** @deprecated */\nexport const byteSwapIfBE: typeof swap8IfBE = swap8IfBE;\n/** In place byte swap for Uint32Array */\nexport function byteSwap32(arr: Uint32Array): Uint32Array {\n for (let i = 0; i < arr.length; i++) {\n arr[i] = byteSwap(arr[i]);\n }\n return arr;\n}\n\nexport const swap32IfBE: (u: Uint32Array) => Uint32Array = isLE\n ? (u: Uint32Array) => u\n : byteSwap32;\n\n// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex\nconst hasHexBuiltin: boolean = /* @__PURE__ */ (() =>\n // @ts-ignore\n typeof Uint8Array.from([]).toHex === 'function' && typeof Uint8Array.fromHex === 'function')();\n\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>\n i.toString(16).padStart(2, '0')\n);\n\n/**\n * Convert byte array to hex string. 
Uses built-in function, when available.\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes: Uint8Array): string {\n abytes(bytes);\n // @ts-ignore\n if (hasHexBuiltin) return bytes.toHex();\n // pre-caching improves the speed 6x\n let hex = '';\n for (let i = 0; i < bytes.length; i++) {\n hex += hexes[bytes[i]];\n }\n return hex;\n}\n\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 } as const;\nfunction asciiToBase16(ch: number): number | undefined {\n if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0; // '2' => 50-48\n if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10); // 'B' => 66-(65-10)\n if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10); // 'b' => 98-(97-10)\n return;\n}\n\n/**\n * Convert hex string to byte array. Uses built-in function, when available.\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex: string): Uint8Array {\n if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);\n // @ts-ignore\n if (hasHexBuiltin) return Uint8Array.fromHex(hex);\n const hl = hex.length;\n const al = hl / 2;\n if (hl % 2) throw new Error('hex string expected, got unpadded hex of length ' + hl);\n const array = new Uint8Array(al);\n for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n const n1 = asciiToBase16(hex.charCodeAt(hi));\n const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n if (n1 === undefined || n2 === undefined) {\n const char = hex[hi] + hex[hi + 1];\n throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n }\n array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 
'a3' => 10*16+3 => 160 + 3 => 163\n }\n return array;\n}\n\n/**\n * There is no setImmediate in browser and setTimeout is slow.\n * Call of async fn will return Promise, which will be fullfiled only on\n * next scheduler queue processing step and this is exactly what we need.\n */\nexport const nextTick = async (): Promise<void> => {};\n\n/** Returns control to thread each 'tick' ms to avoid blocking. */\nexport async function asyncLoop(\n iters: number,\n tick: number,\n cb: (i: number) => void\n): Promise<void> {\n let ts = Date.now();\n for (let i = 0; i < iters; i++) {\n cb(i);\n // Date.now() is not monotonic, so in case if clock goes backwards we return return control too\n const diff = Date.now() - ts;\n if (diff >= 0 && diff < tick) continue;\n await nextTick();\n ts += diff;\n }\n}\n\n// Global symbols, but ts doesn't see them: https://github.com/microsoft/TypeScript/issues/31535\ndeclare const TextEncoder: any;\ndeclare const TextDecoder: any;\n\n/**\n * Converts string to bytes using UTF8 encoding.\n * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])\n */\nexport function utf8ToBytes(str: string): Uint8Array {\n if (typeof str !== 'string') throw new Error('string expected');\n return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n\n/**\n * Converts bytes to string using UTF8 encoding.\n * @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc'\n */\nexport function bytesToUtf8(bytes: Uint8Array): string {\n return new TextDecoder().decode(bytes);\n}\n\n/** Accepted input of hash functions. Strings are converted to byte arrays. 
*/\nexport type Input = string | Uint8Array;\n/**\n * Normalizes (non-hex) string or Uint8Array to Uint8Array.\n * Warning: when Uint8Array is passed, it would NOT get copied.\n * Keep in mind for future mutable operations.\n */\nexport function toBytes(data: Input): Uint8Array {\n if (typeof data === 'string') data = utf8ToBytes(data);\n abytes(data);\n return data;\n}\n\n/** KDFs can accept string or Uint8Array for user convenience. */\nexport type KDFInput = string | Uint8Array;\n/**\n * Helper for KDFs: consumes uint8array or string.\n * When string is passed, does utf8 decoding, using TextDecoder.\n */\nexport function kdfInputToBytes(data: KDFInput): Uint8Array {\n if (typeof data === 'string') data = utf8ToBytes(data);\n abytes(data);\n return data;\n}\n\n/** Copies several Uint8Arrays into one. */\nexport function concatBytes(...arrays: Uint8Array[]): Uint8Array {\n let sum = 0;\n for (let i = 0; i < arrays.length; i++) {\n const a = arrays[i];\n abytes(a);\n sum += a.length;\n }\n const res = new Uint8Array(sum);\n for (let i = 0, pad = 0; i < arrays.length; i++) {\n const a = arrays[i];\n res.set(a, pad);\n pad += a.length;\n }\n return res;\n}\n\ntype EmptyObj = {};\nexport function checkOpts<T1 extends EmptyObj, T2 extends EmptyObj>(\n defaults: T1,\n opts?: T2\n): T1 & T2 {\n if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')\n throw new Error('options should be object or undefined');\n const merged = Object.assign(defaults, opts);\n return merged as T1 & T2;\n}\n\n/** Hash interface. 
*/\nexport type IHash = {\n (data: Uint8Array): Uint8Array;\n blockLen: number;\n outputLen: number;\n create: any;\n};\n\n/** For runtime check if class implements interface */\nexport abstract class Hash<T extends Hash<T>> {\n abstract blockLen: number; // Bytes per block\n abstract outputLen: number; // Bytes in output\n abstract update(buf: Input): this;\n // Writes digest into buf\n abstract digestInto(buf: Uint8Array): void;\n abstract digest(): Uint8Array;\n /**\n * Resets internal state. Makes Hash instance unusable.\n * Reset is impossible for keyed hashes if key is consumed into state. If digest is not consumed\n * by user, they will need to manually call `destroy()` when zeroing is necessary.\n */\n abstract destroy(): void;\n /**\n * Clones hash instance. Unsafe: doesn't check whether `to` is valid. Can be used as `clone()`\n * when no options are passed.\n * Reasons to use `_cloneInto` instead of clone: 1) performance 2) reuse instance => all internal\n * buffers are overwritten => causes buffer overwrite which is used for digest in some cases.\n * There are no guarantees for clean-up because it's impossible in JS.\n */\n abstract _cloneInto(to?: T): T;\n // Safe version that clones internal state\n abstract clone(): T;\n}\n\n/**\n * XOF: streaming API to read digest in chunks.\n * Same as 'squeeze' in keccak/k12 and 'seek' in blake3, but more generic name.\n * When hash used in XOF mode it is up to user to call '.destroy' afterwards, since we cannot\n * destroy state, next call can require more bytes.\n */\nexport type HashXOF<T extends Hash<T>> = Hash<T> & {\n xof(bytes: number): Uint8Array; // Read 'bytes' bytes from digest stream\n xofInto(buf: Uint8Array): Uint8Array; // read buf.length bytes from digest stream into buf\n};\n\n/** Hash function */\nexport type CHash = ReturnType<typeof createHasher>;\n/** Hash function with output */\nexport type CHashO = ReturnType<typeof createOptHasher>;\n/** XOF with output */\nexport type CHashXO = 
ReturnType<typeof createXOFer>;\n\n/** Wraps hash function, creating an interface on top of it */\nexport function createHasher<T extends Hash<T>>(\n hashCons: () => Hash<T>\n): {\n (msg: Input): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(): Hash<T>;\n} {\n const hashC = (msg: Input): Uint8Array => hashCons().update(toBytes(msg)).digest();\n const tmp = hashCons();\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = () => hashCons();\n return hashC;\n}\n\nexport function createOptHasher<H extends Hash<H>, T extends Object>(\n hashCons: (opts?: T) => Hash<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts?: T): Hash<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts?: T) => hashCons(opts);\n return hashC;\n}\n\nexport function createXOFer<H extends HashXOF<H>, T extends Object>(\n hashCons: (opts?: T) => HashXOF<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts?: T): HashXOF<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts?: T) => hashCons(opts);\n return hashC;\n}\nexport const wrapConstructor: typeof createHasher = createHasher;\nexport const wrapConstructorWithOpts: typeof createOptHasher = createOptHasher;\nexport const wrapXOFConstructorWithOpts: typeof createXOFer = createXOFer;\n\n/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. 
*/\nexport function randomBytes(bytesLength = 32): Uint8Array {\n if (crypto && typeof crypto.getRandomValues === 'function') {\n return crypto.getRandomValues(new Uint8Array(bytesLength));\n }\n // Legacy Node.js compatibility\n if (crypto && typeof crypto.randomBytes === 'function') {\n return Uint8Array.from(crypto.randomBytes(bytesLength));\n }\n throw new Error('crypto.getRandomValues must be defined');\n}\n","var e={done:!0,hasNext:!1},s={done:!1,hasNext:!1},a=()=>e,o=t=>({hasNext:!0,next:t,done:!1});export{s as a,a as b,o as c};\n","import{a as A}from\"./chunk-ANXBDSUI.js\";function C(t,...o){let n=t,u=o.map(e=>\"lazy\"in e?y(e):void 0),p=0;for(;p<o.length;){if(u[p]===void 0||!B(n)){let i=o[p];n=i(n),p+=1;continue}let r=[];for(let i=p;i<o.length;i++){let l=u[i];if(l===void 0||(r.push(l),l.isSingle))break}let a=[];for(let i of n)if(f(i,a,r))break;let{isSingle:s}=r.at(-1);n=s?a[0]:a,p+=r.length}return n}function f(t,o,n){if(n.length===0)return o.push(t),!1;let u=t,p=A,e=!1;for(let[r,a]of n.entries()){let{index:s,items:i}=a;if(i.push(u),p=a(u,s,i),a.index+=1,p.hasNext){if(p.hasMany??!1){for(let l of p.next)if(f(l,o,n.slice(r+1)))return!0;return e}u=p.next}if(!p.hasNext)break;p.done&&(e=!0)}return p.hasNext&&o.push(u),e}function y(t){let{lazy:o,lazyArgs:n}=t,u=o(...n);return Object.assign(u,{isSingle:o.single??!1,index:0,items:[]})}function B(t){return typeof t==\"string\"||typeof t==\"object\"&&t!==null&&Symbol.iterator in t}export{C as a};\n","import{a as o}from\"./chunk-3GOCSNFN.js\";function y(t,i){let a=i.length-t.length;if(a===1){let[n,...r]=i;return o(n,{lazy:t,lazyArgs:r})}if(a===0){let n={lazy:t,lazyArgs:i};return Object.assign(e=>o(e,n),n)}throw new Error(\"Wrong number of arguments\")}export{y as a};\n","import{a as o}from\"./chunk-LFJW7BOT.js\";import{a}from\"./chunk-ANXBDSUI.js\";function T(...e){return o(y,e)}function y(e){let u=e,n=new Set;return(t,i,d)=>{let r=u(t,i,d);return n.has(r)?a:(n.add(r),{done:!1,hasNext:!0,next:t})}}export{T as 
a};\n","import{a as r}from\"./chunk-LFJW7BOT.js\";import{a as n}from\"./chunk-ANXBDSUI.js\";function i(...e){return r(a,e)}function a(){let e=new Set;return t=>e.has(t)?n:(e.add(t),{done:!1,hasNext:!0,next:t})}export{i as a};\n","import type { k8s, network, wireguard } from \"@highstate/library\"\nimport type { Input, Unwrap } from \"@highstate/pulumi\"\nimport {\n l34EndpointToString,\n l3EndpointToString,\n l3ToL4Endpoint,\n l4EndpointToString,\n parseL34Endpoint,\n parseL4Endpoint,\n} from \"@highstate/common\"\nimport { x25519 } from \"@noble/curves/ed25519\"\nimport { randomBytes } from \"@noble/hashes/utils\"\nimport { unique, uniqueBy } from \"remeda\"\nimport { getBestEndpoint } from \"@highstate/k8s\"\n\nexport function generateKey(): string {\n const key = x25519.utils.randomPrivateKey()\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function convertPrivateKeyToPublicKey(privateKey: string): string {\n const key = Buffer.from(privateKey, \"base64\")\n\n return Buffer.from(x25519.getPublicKey(key)).toString(\"base64\")\n}\n\nexport function generatePresharedKey(): string {\n const key = randomBytes(32)\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function combinePresharedKeyParts(part1: string, part2: string): string {\n const key1 = Buffer.from(part1, \"base64\")\n const key2 = Buffer.from(part2, \"base64\")\n const result = new Uint8Array(32)\n\n for (let i = 0; i < 32; i++) {\n result[i] = key1[i] ^ key2[i]\n }\n\n return Buffer.from(result).toString(\"base64\")\n}\n\nfunction generatePeerConfig(\n identity: wireguard.Identity,\n peer: wireguard.Peer,\n cluster?: k8s.Cluster,\n): string {\n const lines = [\n //\n \"[Peer]\",\n `# ${peer.name}`,\n `PublicKey = ${peer.publicKey}`,\n ]\n\n if (peer.allowedIps.length > 0) {\n lines.push(`AllowedIPs = ${peer.allowedIps.join(\", \")}`)\n }\n\n const bestEndpoint = getBestEndpoint(peer.endpoints, cluster)\n\n if (bestEndpoint) {\n lines.push(`Endpoint = 
${l4EndpointToString(bestEndpoint)}`)\n }\n\n if (identity.peer.presharedKeyPart && peer.presharedKeyPart) {\n const presharedKey = combinePresharedKeyParts(\n identity.peer.presharedKeyPart,\n peer.presharedKeyPart,\n )\n\n lines.push(`PresharedKey = ${presharedKey}`)\n } else if (peer.presharedKey || identity.peer.presharedKey) {\n if (peer.presharedKey !== identity.peer.presharedKey) {\n throw new Error(\n `Preshared keys do not match for peers: ${peer.name} and ${identity.peer.name}`,\n )\n }\n\n lines.push(`PresharedKey = ${peer.presharedKey}`)\n }\n\n return lines.join(\"\\n\")\n}\n\nexport type IdentityConfigArgs = {\n identity: wireguard.Identity\n peers: wireguard.Peer[]\n listenPort?: number\n dns?: string[]\n postUp?: string[]\n preUp?: string[]\n preDown?: string[]\n postDown?: string[]\n defaultInterface?: string\n cluster?: k8s.Cluster\n}\n\nexport function generateIdentityConfig({\n identity,\n peers,\n listenPort = identity.peer.listenPort,\n dns = [],\n preUp = [],\n postUp = [],\n preDown = [],\n postDown = [],\n defaultInterface,\n cluster,\n}: IdentityConfigArgs): string {\n const allDns = unique(peers.flatMap(peer => peer.dns).concat(dns))\n const excludedIps = unique(peers.flatMap(peer => peer.excludedIps))\n\n const lines = [\n //\n \"[Interface]\",\n `# ${identity.peer.name}`,\n ]\n\n if (identity.peer.address) {\n lines.push(`Address = ${identity.peer.address}`)\n }\n\n lines.push(\n //\n `PrivateKey = ${identity.privateKey}`,\n \"MTU = 1280\",\n )\n\n if (allDns.length > 0) {\n lines.push(`DNS = ${allDns.join(\", \")}`)\n }\n\n if (listenPort) {\n lines.push(`ListenPort = ${listenPort}`)\n }\n\n if (preUp.length > 0) {\n lines.push()\n for (const command of preUp) {\n lines.push(`PreUp = ${command}`)\n }\n }\n\n if (postUp.length > 0) {\n lines.push()\n for (const command of postUp) {\n lines.push(`PostUp = ${command}`)\n }\n }\n\n if (preDown.length > 0) {\n lines.push()\n for (const command of preDown) {\n lines.push(`PreDown = 
${command}`)\n }\n }\n\n if (postDown.length > 0) {\n lines.push()\n for (const command of postDown) {\n lines.push(`PostDown = ${command}`)\n }\n }\n\n if (defaultInterface) {\n lines.push()\n for (const excludedIp of excludedIps) {\n lines.push(`PostUp = ip route add ${excludedIp} dev ${defaultInterface}`)\n }\n }\n\n const otherPeers = peers.filter(peer => peer.name !== identity.peer.name)\n\n for (const peer of otherPeers) {\n lines.push(\"\")\n lines.push(generatePeerConfig(identity, peer, cluster))\n }\n\n return lines.join(\"\\n\")\n}\n\ntype SharedPeerInputs = {\n network?: Input<wireguard.Network>\n l3Endpoints: Input<network.L3Endpoint>[]\n l4Endpoints: Input<network.L4Endpoint>[]\n allowedL3Endpoints: Input<network.L3Endpoint>[]\n allowedL4Endpoints: Input<network.L4Endpoint>[]\n}\n\nexport function calculateEndpoints(\n { endpoints, listenPort }: Pick<wireguard.SharedPeerArgs, \"endpoints\" | \"listenPort\">,\n { l3Endpoints, l4Endpoints }: Pick<Unwrap<SharedPeerInputs>, \"l3Endpoints\" | \"l4Endpoints\">,\n): network.L4Endpoint[] {\n return uniqueBy(\n [\n ...l3Endpoints.map(e => l3ToL4Endpoint(e, listenPort ?? 
51820)),\n ...l4Endpoints,\n ...endpoints.map(parseL4Endpoint),\n ],\n endpoint => l4EndpointToString(endpoint),\n )\n}\n\nexport function calculateAllowedIps(\n { address, exitNode }: Pick<wireguard.SharedPeerArgs, \"address\" | \"exitNode\">,\n { network }: Unwrap<SharedPeerInputs>,\n allowedEndpoints: network.L34Endpoint[],\n): string[] {\n const result = new Set<string>()\n\n if (address) {\n result.add(address)\n }\n\n if (exitNode) {\n result.add(\"0.0.0.0/0\")\n\n if (network?.ipv6) {\n result.add(\"::/0\")\n }\n }\n\n for (const endpoint of allowedEndpoints) {\n if (endpoint.type !== \"hostname\") {\n result.add(l3EndpointToString(endpoint))\n }\n }\n\n return Array.from(result)\n}\n\nexport function calculateAllowedEndpoints(\n { allowedEndpoints }: Pick<wireguard.SharedPeerArgs, \"allowedEndpoints\">,\n {\n allowedL3Endpoints,\n allowedL4Endpoints,\n }: Pick<Unwrap<SharedPeerInputs>, \"allowedL3Endpoints\" | \"allowedL4Endpoints\">,\n): network.L34Endpoint[] {\n return uniqueBy(\n [\n //\n ...allowedL3Endpoints,\n ...allowedL4Endpoints,\n ...allowedEndpoints.map(parseL34Endpoint),\n ],\n endpoint => l34EndpointToString(endpoint),\n )\n}\n\nfunction calculateExcludedIps(\n { excludedIps, excludePrivateIps }: wireguard.SharedPeerArgs,\n { network }: Unwrap<SharedPeerInputs>,\n): string[] {\n const result = new Set<string>()\n\n for (const ip of excludedIps) {\n result.add(ip)\n }\n\n if (excludePrivateIps) {\n result.add(\"10.0.0.0/8\")\n result.add(\"172.16.0.0/12\")\n result.add(\"192.168.0.0/16\")\n\n if (network?.ipv6) {\n result.add(\"fc00::/7\")\n result.add(\"fe80::/10\")\n }\n }\n\n return Array.from(result)\n}\n\nexport function isExitNode(peer: wireguard.Peer): boolean {\n return peer.allowedIps.includes(\"0.0.0.0/0\") || peer.allowedIps.includes(\"::/0\")\n}\n\nexport function createPeerEntity(\n name: string,\n args: wireguard.SharedPeerArgs,\n inputs: Unwrap<SharedPeerInputs>,\n publicKey: string,\n presharedKeyPart?: string,\n): wireguard.Peer 
{\n const endpoints = calculateEndpoints(args, inputs)\n const allowedEndpoints = calculateAllowedEndpoints(args, inputs)\n const allowedIps = calculateAllowedIps(args, inputs, allowedEndpoints)\n const excludedIps = calculateExcludedIps(args, inputs)\n\n return {\n name: args.peerName ?? name,\n endpoints,\n allowedIps,\n allowedEndpoints,\n excludedIps,\n dns: args.dns,\n publicKey,\n address: args.address,\n network: inputs.network,\n presharedKeyPart,\n listenPort: args.listenPort,\n }\n}\n\nexport function shouldExpose(\n identity: wireguard.Identity,\n exposePolicy: wireguard.NodeExposePolicy,\n): boolean {\n if (exposePolicy === \"always\") {\n return true\n }\n\n if (exposePolicy === \"never\") {\n return false\n }\n\n return identity.peer.endpoints.length > 0\n}\n"]}
@@ -1,11 +1,8 @@
1
- import {
2
- generateIdentityConfig
3
- } from "../chunk-PXOBQDLU.js";
1
+ import { generateIdentityConfig } from '../chunk-MDXKWNFE.js';
2
+ import { wireguard } from '@highstate/library';
3
+ import { forUnit, toPromise } from '@highstate/pulumi';
4
+ import { text } from '@highstate/contract';
4
5
 
5
- // src/config/index.ts
6
- import { wireguard } from "@highstate/library";
7
- import { forUnit, toPromise } from "@highstate/pulumi";
8
- import { text } from "@highstate/contract";
9
6
  var { inputs, args, outputs } = forUnit(wireguard.config);
10
7
  var { identity, peers } = await toPromise(inputs);
11
8
  var configContent = generateIdentityConfig({
@@ -34,7 +31,7 @@ var config_default = outputs({
34
31
  }
35
32
  }
36
33
  });
37
- export {
38
- config_default as default
39
- };
34
+
35
+ export { config_default as default };
36
+ //# sourceMappingURL=index.js.map
40
37
  //# sourceMappingURL=index.js.map
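Review bot: The `qr` page block of this unit still receives `configContent` as a plain value, although the string returned by `generateIdentityConfig` contains the `PrivateKey = …` line. The block sits between the two hunks and is only visible in the source embedded in the accompanying source map. The config-bundle unit passes the same kind of content as `content: secret(configContent)`, so this unit should probably do the same and add `secret` to its `@highstate/pulumi` import. If the framework already marks page content derived from the identity input as secret, a one-line comment saying so would settle it.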
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/config/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { text } from \"@highstate/contract\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { inputs, args, outputs } = forUnit(wireguard.config)\n\nconst { identity, peers } = await toPromise(inputs)\n\nconst configContent = generateIdentityConfig({\n identity,\n peers,\n defaultInterface: args.defaultInterface,\n})\n\nexport default outputs({\n $pages: {\n index: {\n title: \"WireGuard Configuration\",\n content: [\n {\n type: \"markdown\",\n content: text`\n You can use this configuration to setup an external WireGuard device via \\`wg-quick\\` command.\n `,\n },\n {\n type: \"qr\",\n content: configContent,\n showContent: true,\n language: \"ini\",\n },\n ],\n },\n },\n})\n"],"mappings":";;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AACnC,SAAS,YAAY;AAGrB,IAAM,EAAE,QAAQ,MAAM,QAAQ,IAAI,QAAQ,UAAU,MAAM;AAE1D,IAAM,EAAE,UAAU,MAAM,IAAI,MAAM,UAAU,MAAM;AAElD,IAAM,gBAAgB,uBAAuB;AAAA,EAC3C;AAAA,EACA;AAAA,EACA,kBAAkB,KAAK;AACzB,CAAC;AAED,IAAO,iBAAQ,QAAQ;AAAA,EACrB,QAAQ;AAAA,IACN,OAAO;AAAA,MACL,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA;AAAA;AAAA,QAGX;AAAA,QACA;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA,UACT,aAAa;AAAA,UACb,UAAU;AAAA,QACZ;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF,CAAC;","names":[]}
1
+ {"version":3,"sources":["../../src/config/index.ts"],"names":[],"mappings":";;;;;AAKA,IAAM,EAAE,MAAQ,EAAA,IAAA,EAAM,SAAY,GAAA,OAAA,CAAQ,UAAU,MAAM,CAAA;AAE1D,IAAM,EAAE,QAAU,EAAA,KAAA,EAAU,GAAA,MAAM,UAAU,MAAM,CAAA;AAElD,IAAM,gBAAgB,sBAAuB,CAAA;AAAA,EAC3C,QAAA;AAAA,EACA,KAAA;AAAA,EACA,kBAAkB,IAAK,CAAA;AACzB,CAAC,CAAA;AAED,IAAO,iBAAQ,OAAQ,CAAA;AAAA,EACrB,MAAQ,EAAA;AAAA,IACN,KAAO,EAAA;AAAA,MACL,KAAO,EAAA,yBAAA;AAAA,MACP,OAAS,EAAA;AAAA,QACP;AAAA,UACE,IAAM,EAAA,UAAA;AAAA,UACN,OAAS,EAAA,IAAA;AAAA;AAAA,UAAA;AAAA,SAGX;AAAA,QACA;AAAA,UACE,IAAM,EAAA,IAAA;AAAA,UACN,OAAS,EAAA,aAAA;AAAA,UACT,WAAa,EAAA,IAAA;AAAA,UACb,QAAU,EAAA;AAAA;AACZ;AACF;AACF;AAEJ,CAAC","file":"index.js","sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { text } from \"@highstate/contract\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { inputs, args, outputs } = forUnit(wireguard.config)\n\nconst { identity, peers } = await toPromise(inputs)\n\nconst configContent = generateIdentityConfig({\n identity,\n peers,\n defaultInterface: args.defaultInterface,\n})\n\nexport default outputs({\n $pages: {\n index: {\n title: \"WireGuard Configuration\",\n content: [\n {\n type: \"markdown\",\n content: text`\n You can use this configuration to setup an external WireGuard device via \\`wg-quick\\` command.\n `,\n },\n {\n type: \"qr\",\n content: configContent,\n showContent: true,\n language: \"ini\",\n },\n ],\n },\n },\n})\n"]}
@@ -1,17 +1,9 @@
1
- import {
2
- generateIdentityConfig
3
- } from "../chunk-PXOBQDLU.js";
1
+ import { generateIdentityConfig } from '../chunk-MDXKWNFE.js';
2
+ import { wireguard } from '@highstate/library';
3
+ import { forUnit, toPromise, secret, fileFromBuffer } from '@highstate/pulumi';
4
+ import { text } from '@highstate/contract';
5
+ import ZipStream from 'zip-stream';
4
6
 
5
- // src/config-bundle/index.ts
6
- import { wireguard } from "@highstate/library";
7
- import {
8
- fileFromBuffer,
9
- forUnit,
10
- secret,
11
- toPromise
12
- } from "@highstate/pulumi";
13
- import { text } from "@highstate/contract";
14
- import ZipStream from "zip-stream";
15
7
  var { name, inputs, args, outputs } = forUnit(wireguard.configBundle);
16
8
  var { identity, peers, sharedPeers } = await toPromise(inputs);
17
9
  var blocks = [];
@@ -76,7 +68,7 @@ var config_bundle_default = outputs({
76
68
  },
77
69
  {
78
70
  type: "file",
79
- fileMeta: zipFile.meta
71
+ meta: zipFile.meta
80
72
  },
81
73
  ...blocks
82
74
  ]
@@ -84,7 +76,7 @@ var config_bundle_default = outputs({
84
76
  },
85
77
  $files: [zipFile]
86
78
  });
87
- export {
88
- config_bundle_default as default
89
- };
79
+
80
+ export { config_bundle_default as default };
81
+ //# sourceMappingURL=index.js.map
90
82
  //# sourceMappingURL=index.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/config-bundle/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport {\n fileFromBuffer,\n forUnit,\n secret,\n toPromise,\n type InstancePageBlock,\n} from \"@highstate/pulumi\"\nimport { text } from \"@highstate/contract\"\nimport ZipStream from \"zip-stream\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { name, inputs, args, outputs } = forUnit(wireguard.configBundle)\n\nconst { identity, peers, sharedPeers } = await toPromise(inputs)\n\nconst blocks: InstancePageBlock[] = []\nconst zipStream = new ZipStream()\n\nfor (const peer of peers) {\n const configContent = generateIdentityConfig({\n identity,\n peers: [...sharedPeers, peer],\n defaultInterface: args.defaultInterface,\n })\n\n await new Promise((resolve, reject) => {\n return zipStream.entry(\n configContent,\n {\n name: `${peer.name}.conf`,\n\n // to prevent zip-stream from using the current date, for reproducibility\n date: new Date(0),\n },\n err => {\n if (err) {\n reject(err)\n } else {\n resolve(null)\n }\n },\n )\n })\n\n blocks.push(\n {\n type: \"markdown\",\n content: `### ${peer.name}`,\n },\n {\n type: \"qr\",\n content: secret(configContent),\n showContent: true,\n language: \"ini\",\n },\n )\n}\n\nzipStream.finish()\n\nconst content = await new Promise<Buffer>((resolve, reject) => {\n const buffers: Buffer[] = []\n\n zipStream.on(\"data\", data => buffers.push(data as Buffer))\n zipStream.on(\"error\", err => reject(err as Error))\n zipStream.on(\"end\", () => resolve(Buffer.concat(buffers)))\n})\n\nconst zipFile = fileFromBuffer(`${name}.zip`, content, \"application/zip\", true)\n\nexport default outputs({\n $pages: {\n index: {\n title: \"WireGuard Configuration Bundle\",\n content: [\n {\n type: \"markdown\",\n content: text`\n You can use the following configurations to setup an external WireGuard device via \\`wg-quick\\` command or\n using the WireGuard app on your desktop or mobile device.\n \n You 
can also bulk import all configurations from zip file using the WireGuard app.\n `,\n },\n {\n type: \"file\",\n fileMeta: zipFile.meta,\n },\n ...blocks,\n ],\n },\n },\n $files: [zipFile],\n})\n"],"mappings":";;;;;AAAA,SAAS,iBAAiB;AAC1B;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AACP,SAAS,YAAY;AACrB,OAAO,eAAe;AAGtB,IAAM,EAAE,MAAM,QAAQ,MAAM,QAAQ,IAAI,QAAQ,UAAU,YAAY;AAEtE,IAAM,EAAE,UAAU,OAAO,YAAY,IAAI,MAAM,UAAU,MAAM;AAE/D,IAAM,SAA8B,CAAC;AACrC,IAAM,YAAY,IAAI,UAAU;AAEhC,WAAW,QAAQ,OAAO;AACxB,QAAM,gBAAgB,uBAAuB;AAAA,IAC3C;AAAA,IACA,OAAO,CAAC,GAAG,aAAa,IAAI;AAAA,IAC5B,kBAAkB,KAAK;AAAA,EACzB,CAAC;AAED,QAAM,IAAI,QAAQ,CAAC,SAAS,WAAW;AACrC,WAAO,UAAU;AAAA,MACf;AAAA,MACA;AAAA,QACE,MAAM,GAAG,KAAK,IAAI;AAAA;AAAA,QAGlB,MAAM,oBAAI,KAAK,CAAC;AAAA,MAClB;AAAA,MACA,SAAO;AACL,YAAI,KAAK;AACP,iBAAO,GAAG;AAAA,QACZ,OAAO;AACL,kBAAQ,IAAI;AAAA,QACd;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL;AAAA,MACE,MAAM;AAAA,MACN,SAAS,OAAO,KAAK,IAAI;AAAA,IAC3B;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,SAAS,OAAO,aAAa;AAAA,MAC7B,aAAa;AAAA,MACb,UAAU;AAAA,IACZ;AAAA,EACF;AACF;AAEA,UAAU,OAAO;AAEjB,IAAM,UAAU,MAAM,IAAI,QAAgB,CAAC,SAAS,WAAW;AAC7D,QAAM,UAAoB,CAAC;AAE3B,YAAU,GAAG,QAAQ,UAAQ,QAAQ,KAAK,IAAc,CAAC;AACzD,YAAU,GAAG,SAAS,SAAO,OAAO,GAAY,CAAC;AACjD,YAAU,GAAG,OAAO,MAAM,QAAQ,OAAO,OAAO,OAAO,CAAC,CAAC;AAC3D,CAAC;AAED,IAAM,UAAU,eAAe,GAAG,IAAI,QAAQ,SAAS,mBAAmB,IAAI;AAE9E,IAAO,wBAAQ,QAAQ;AAAA,EACrB,QAAQ;AAAA,IACN,OAAO;AAAA,MACL,OAAO;AAAA,MACP,SAAS;AAAA,QACP;AAAA,UACE,MAAM;AAAA,UACN,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAMX;AAAA,QACA;AAAA,UACE,MAAM;AAAA,UACN,UAAU,QAAQ;AAAA,QACpB;AAAA,QACA,GAAG;AAAA,MACL;AAAA,IACF;AAAA,EACF;AAAA,EACA,QAAQ,CAAC,OAAO;AAClB,CAAC;","names":[]}
1
+ {"version":3,"sources":["../../src/config-bundle/index.ts"],"names":[],"mappings":";;;;;;AAYA,IAAM,EAAE,MAAM,MAAQ,EAAA,IAAA,EAAM,SAAY,GAAA,OAAA,CAAQ,UAAU,YAAY,CAAA;AAEtE,IAAM,EAAE,QAAU,EAAA,KAAA,EAAO,aAAgB,GAAA,MAAM,UAAU,MAAM,CAAA;AAE/D,IAAM,SAA8B,EAAC;AACrC,IAAM,SAAA,GAAY,IAAI,SAAU,EAAA;AAEhC,KAAA,MAAW,QAAQ,KAAO,EAAA;AACxB,EAAA,MAAM,gBAAgB,sBAAuB,CAAA;AAAA,IAC3C,QAAA;AAAA,IACA,KAAO,EAAA,CAAC,GAAG,WAAA,EAAa,IAAI,CAAA;AAAA,IAC5B,kBAAkB,IAAK,CAAA;AAAA,GACxB,CAAA;AAED,EAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACrC,IAAA,OAAO,SAAU,CAAA,KAAA;AAAA,MACf,aAAA;AAAA,MACA;AAAA,QACE,IAAA,EAAM,CAAG,EAAA,IAAA,CAAK,IAAI,CAAA,KAAA,CAAA;AAAA;AAAA,QAGlB,IAAA,kBAAU,IAAA,IAAA,CAAK,CAAC;AAAA,OAClB;AAAA,MACA,CAAO,GAAA,KAAA;AACL,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAA,CAAO,GAAG,CAAA;AAAA,SACL,MAAA;AACL,UAAA,OAAA,CAAQ,IAAI,CAAA;AAAA;AACd;AACF,KACF;AAAA,GACD,CAAA;AAED,EAAO,MAAA,CAAA,IAAA;AAAA,IACL;AAAA,MACE,IAAM,EAAA,UAAA;AAAA,MACN,OAAA,EAAS,CAAO,IAAA,EAAA,IAAA,CAAK,IAAI,CAAA;AAAA,KAC3B;AAAA,IACA;AAAA,MACE,IAAM,EAAA,IAAA;AAAA,MACN,OAAA,EAAS,OAAO,aAAa,CAAA;AAAA,MAC7B,WAAa,EAAA,IAAA;AAAA,MACb,QAAU,EAAA;AAAA;AACZ,GACF;AACF;AAEA,SAAA,CAAU,MAAO,EAAA;AAEjB,IAAM,UAAU,MAAM,IAAI,OAAgB,CAAA,CAAC,SAAS,MAAW,KAAA;AAC7D,EAAA,MAAM,UAAoB,EAAC;AAE3B,EAAA,SAAA,CAAU,GAAG,MAAQ,EAAA,CAAA,IAAA,KAAQ,OAAQ,CAAA,IAAA,CAAK,IAAc,CAAC,CAAA;AACzD,EAAA,SAAA,CAAU,EAAG,CAAA,OAAA,EAAS,CAAO,GAAA,KAAA,MAAA,CAAO,GAAY,CAAC,CAAA;AACjD,EAAU,SAAA,CAAA,EAAA,CAAG,OAAO,MAAM,OAAA,CAAQ,OAAO,MAAO,CAAA,OAAO,CAAC,CAAC,CAAA;AAC3D,CAAC,CAAA;AAED,IAAM,UAAU,cAAe,CAAA,CAAA,EAAG,IAAI,CAAQ,IAAA,CAAA,EAAA,OAAA,EAAS,mBAAmB,IAAI,CAAA;AAE9E,IAAO,wBAAQ,OAAQ,CAAA;AAAA,EACrB,MAAQ,EAAA;AAAA,IACN,KAAO,EAAA;AAAA,MACL,KAAO,EAAA,gCAAA;AAAA,MACP,OAAS,EAAA;AAAA,QACP;AAAA,UACE,IAAM,EAAA,UAAA;AAAA,UACN,OAAS,EAAA,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA,UAAA;AAAA,SAMX;AAAA,QACA;AAAA,UACE,IAAM,EAAA,MAAA;AAAA,UACN,MAAM,OAAQ,CAAA;AAAA,SAChB;AAAA,QACA,GAAG;AAAA;AACL;AACF,GACF;AAAA,EACA,MAAA,EAAQ,CAAC,OAAO;AAClB,CAAC","file":"index.js","sourcesContent":["import { 
wireguard } from \"@highstate/library\"\nimport {\n fileFromBuffer,\n forUnit,\n secret,\n toPromise,\n type InstancePageBlock,\n} from \"@highstate/pulumi\"\nimport { text } from \"@highstate/contract\"\nimport ZipStream from \"zip-stream\"\nimport { generateIdentityConfig } from \"../shared\"\n\nconst { name, inputs, args, outputs } = forUnit(wireguard.configBundle)\n\nconst { identity, peers, sharedPeers } = await toPromise(inputs)\n\nconst blocks: InstancePageBlock[] = []\nconst zipStream = new ZipStream()\n\nfor (const peer of peers) {\n const configContent = generateIdentityConfig({\n identity,\n peers: [...sharedPeers, peer],\n defaultInterface: args.defaultInterface,\n })\n\n await new Promise((resolve, reject) => {\n return zipStream.entry(\n configContent,\n {\n name: `${peer.name}.conf`,\n\n // to prevent zip-stream from using the current date, for reproducibility\n date: new Date(0),\n },\n err => {\n if (err) {\n reject(err)\n } else {\n resolve(null)\n }\n },\n )\n })\n\n blocks.push(\n {\n type: \"markdown\",\n content: `### ${peer.name}`,\n },\n {\n type: \"qr\",\n content: secret(configContent),\n showContent: true,\n language: \"ini\",\n },\n )\n}\n\nzipStream.finish()\n\nconst content = await new Promise<Buffer>((resolve, reject) => {\n const buffers: Buffer[] = []\n\n zipStream.on(\"data\", data => buffers.push(data as Buffer))\n zipStream.on(\"error\", err => reject(err as Error))\n zipStream.on(\"end\", () => resolve(Buffer.concat(buffers)))\n})\n\nconst zipFile = fileFromBuffer(`${name}.zip`, content, \"application/zip\", true)\n\nexport default outputs({\n $pages: {\n index: {\n title: \"WireGuard Configuration Bundle\",\n content: [\n {\n type: \"markdown\",\n content: text`\n You can use the following configurations to setup an external WireGuard device via \\`wg-quick\\` command or\n using the WireGuard app on your desktop or mobile device.\n \n You can also bulk import all configurations from zip file using the WireGuard app.\n `,\n },\n 
{\n type: \"file\",\n meta: zipFile.meta,\n },\n ...blocks,\n ],\n },\n },\n $files: [zipFile],\n})\n"]}
@@ -1,11 +1,11 @@
1
1
  {
2
2
  "sourceHashes": {
3
- "./dist/network/index.js": "a4cb7e1e9fcf0777b744d1eadb99fb3fac59de60f54216bef8a88cce96c1e18a",
4
- "./dist/identity/index.js": "2a6f17567dbeaa2c05e2bf98c8f7d36b52ebfc1ac6783145265ad6823148ed01",
5
- "./dist/config/index.js": "423933927ee1ca4e7dbddbba0be8525153d484cc027cf07879bb762336dab103",
6
- "./dist/config-bundle/index.js": "3d3762d61f995eb6ba47ee357679b5df4d49918ee7491aa548a76fb8c69e75d8",
7
- "./dist/node/index.js": "d6598b85e7389d0e5fbafc9a97ff109bf7e313ea6678cc72510510a960ee6cc0",
8
- "./dist/peer/index.js": "a345dea6a428640adfcf2ca1f920e0c4c21ebd07c039a19b82c7cfb761c06e35",
9
- "./dist/peer-patch/index.js": "82ea5d380fb3c09f06c370a80f5bf384b2c1a2c846f09bf30c92ce95d9301b6a"
3
+ "./dist/network/index.js": 1025330091,
4
+ "./dist/identity/index.js": 825177407,
5
+ "./dist/config/index.js": 4223567731,
6
+ "./dist/config-bundle/index.js": 1169485548,
7
+ "./dist/node/index.js": 3211956047,
8
+ "./dist/peer/index.js": 2788760262,
9
+ "./dist/peer-patch/index.js": 4230535502
10
10
  }
11
11
  }
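Review bot: The `sourceHashes` values change from 64-character hex digests to bare integers that all fit in 32 bits, which looks like a move from a cryptographic digest to a short non-cryptographic checksum. A 32-bit value is adequate as a cache or change-detection hint, but it is easy to collide, so it should not be what decides whether a unit's code is trusted or unmodified. It is worth documenting which role this field has; if any consumer uses it for integrity, keep a SHA-256 value alongside the short one.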
@@ -1,14 +1,8 @@
1
- import {
2
- convertPrivateKeyToPublicKey,
3
- createPeerEntity,
4
- generateKey,
5
- generatePresharedKey
6
- } from "../chunk-PXOBQDLU.js";
1
+ import { generateKey, generatePresharedKey, convertPrivateKeyToPublicKey, createPeerEntity } from '../chunk-MDXKWNFE.js';
2
+ import { wireguard } from '@highstate/library';
3
+ import { forUnit, getOrCreateSecret, toPromise } from '@highstate/pulumi';
4
+ import { l4EndpointToString } from '@highstate/common';
7
5
 
8
- // src/identity/index.ts
9
- import { wireguard } from "@highstate/library";
10
- import { forUnit, getOrCreateSecret, toPromise } from "@highstate/pulumi";
11
- import { l4EndpointToString } from "@highstate/common";
12
6
  var { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity);
13
7
  var privateKey = getOrCreateSecret(secrets, "privateKey", generateKey);
14
8
  var presharedKeyPartOutput = getOrCreateSecret(secrets, "presharedKeyPart", generatePresharedKey);
@@ -23,7 +17,7 @@ var identity_default = outputs({
23
17
  },
24
18
  peer,
25
19
  endpoints: peer.endpoints,
26
- $status: {
20
+ $statusFields: {
27
21
  publicKey,
28
22
  endpoints: {
29
23
  value: peer.endpoints.map(l4EndpointToString),
@@ -35,7 +29,7 @@ var identity_default = outputs({
35
29
  }
36
30
  }
37
31
  });
38
- export {
39
- identity_default as default
40
- };
32
+
33
+ export { identity_default as default };
34
+ //# sourceMappingURL=index.js.map
41
35
  //# sourceMappingURL=index.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/identity/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, getOrCreateSecret, toPromise } from \"@highstate/pulumi\"\nimport { l4EndpointToString } from \"@highstate/common\"\nimport {\n convertPrivateKeyToPublicKey,\n createPeerEntity,\n generateKey,\n generatePresharedKey,\n} from \"../shared\"\n\nconst { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity)\n\nconst privateKey = getOrCreateSecret(secrets, \"privateKey\", generateKey)\nconst presharedKeyPartOutput = getOrCreateSecret(secrets, \"presharedKeyPart\", generatePresharedKey)\n\nconst resolvedInpus = await toPromise(inputs)\nconst publicKey = await toPromise(privateKey.apply(convertPrivateKeyToPublicKey))\nconst presharedKeyPart = await toPromise(presharedKeyPartOutput)\n\nconst peer = createPeerEntity(name, args, resolvedInpus, publicKey, presharedKeyPart)\n\nexport default outputs({\n identity: {\n peer,\n privateKey,\n },\n\n peer,\n\n endpoints: peer.endpoints,\n\n $status: {\n publicKey,\n endpoints: {\n value: peer.endpoints.map(l4EndpointToString),\n complementaryTo: \"endpoints\",\n },\n excludedIps: {\n value: peer.excludedIps,\n complementaryTo: \"excludedIps\",\n },\n },\n})\n"],"mappings":";;;;;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,mBAAmB,iBAAiB;AACtD,SAAS,0BAA0B;AAQnC,IAAM,EAAE,MAAM,MAAM,QAAQ,SAAS,QAAQ,IAAI,QAAQ,UAAU,QAAQ;AAE3E,IAAM,aAAa,kBAAkB,SAAS,cAAc,WAAW;AACvE,IAAM,yBAAyB,kBAAkB,SAAS,oBAAoB,oBAAoB;AAElG,IAAM,gBAAgB,MAAM,UAAU,MAAM;AAC5C,IAAM,YAAY,MAAM,UAAU,WAAW,MAAM,4BAA4B,CAAC;AAChF,IAAM,mBAAmB,MAAM,UAAU,sBAAsB;AAE/D,IAAM,OAAO,iBAAiB,MAAM,MAAM,eAAe,WAAW,gBAAgB;AAEpF,IAAO,mBAAQ,QAAQ;AAAA,EACrB,UAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AAAA,EAEA;AAAA,EAEA,WAAW,KAAK;AAAA,EAEhB,SAAS;AAAA,IACP;AAAA,IACA,WAAW;AAAA,MACT,OAAO,KAAK,UAAU,IAAI,kBAAkB;AAAA,MAC5C,iBAAiB;AAAA,IACnB;AAAA,IACA,aAAa;AAAA,MACX,OAAO,KAAK;AAAA,MACZ,iBAAiB;AAAA,IACnB;AAAA,EACF;AACF,CAAC;","names":[]}
1
+ {"version":3,"sources":["../../src/identity/index.ts"],"names":[],"mappings":";;;;;AAUA,IAAM,EAAE,MAAM,IAAM,EAAA,MAAA,EAAQ,SAAS,OAAQ,EAAA,GAAI,OAAQ,CAAA,SAAA,CAAU,QAAQ,CAAA;AAE3E,IAAM,UAAa,GAAA,iBAAA,CAAkB,OAAS,EAAA,YAAA,EAAc,WAAW,CAAA;AACvE,IAAM,sBAAyB,GAAA,iBAAA,CAAkB,OAAS,EAAA,kBAAA,EAAoB,oBAAoB,CAAA;AAElG,IAAM,aAAA,GAAgB,MAAM,SAAA,CAAU,MAAM,CAAA;AAC5C,IAAM,YAAY,MAAM,SAAA,CAAU,UAAW,CAAA,KAAA,CAAM,4BAA4B,CAAC,CAAA;AAChF,IAAM,gBAAA,GAAmB,MAAM,SAAA,CAAU,sBAAsB,CAAA;AAE/D,IAAM,OAAO,gBAAiB,CAAA,IAAA,EAAM,IAAM,EAAA,aAAA,EAAe,WAAW,gBAAgB,CAAA;AAEpF,IAAO,mBAAQ,OAAQ,CAAA;AAAA,EACrB,QAAU,EAAA;AAAA,IACR,IAAA;AAAA,IACA;AAAA,GACF;AAAA,EAEA,IAAA;AAAA,EAEA,WAAW,IAAK,CAAA,SAAA;AAAA,EAEhB,aAAe,EAAA;AAAA,IACb,SAAA;AAAA,IACA,SAAW,EAAA;AAAA,MACT,KAAO,EAAA,IAAA,CAAK,SAAU,CAAA,GAAA,CAAI,kBAAkB,CAAA;AAAA,MAC5C,eAAiB,EAAA;AAAA,KACnB;AAAA,IACA,WAAa,EAAA;AAAA,MACX,OAAO,IAAK,CAAA,WAAA;AAAA,MACZ,eAAiB,EAAA;AAAA;AACnB;AAEJ,CAAC","file":"index.js","sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, getOrCreateSecret, toPromise } from \"@highstate/pulumi\"\nimport { l4EndpointToString } from \"@highstate/common\"\nimport {\n convertPrivateKeyToPublicKey,\n createPeerEntity,\n generateKey,\n generatePresharedKey,\n} from \"../shared\"\n\nconst { name, args, inputs, secrets, outputs } = forUnit(wireguard.identity)\n\nconst privateKey = getOrCreateSecret(secrets, \"privateKey\", generateKey)\nconst presharedKeyPartOutput = getOrCreateSecret(secrets, \"presharedKeyPart\", generatePresharedKey)\n\nconst resolvedInpus = await toPromise(inputs)\nconst publicKey = await toPromise(privateKey.apply(convertPrivateKeyToPublicKey))\nconst presharedKeyPart = await toPromise(presharedKeyPartOutput)\n\nconst peer = createPeerEntity(name, args, resolvedInpus, publicKey, presharedKeyPart)\n\nexport default outputs({\n identity: {\n peer,\n privateKey,\n },\n\n peer,\n\n endpoints: peer.endpoints,\n\n $statusFields: {\n publicKey,\n endpoints: {\n value: 
peer.endpoints.map(l4EndpointToString),\n complementaryTo: \"endpoints\",\n },\n excludedIps: {\n value: peer.excludedIps,\n complementaryTo: \"excludedIps\",\n },\n },\n})\n"]}
@@ -1,6 +1,7 @@
1
+ import { wireguard } from '@highstate/library';
2
+ import { forUnit } from '@highstate/pulumi';
3
+
1
4
  // src/network/index.ts
2
- import { wireguard } from "@highstate/library";
3
- import { forUnit } from "@highstate/pulumi";
4
5
  var { args, outputs } = forUnit(wireguard.network);
5
6
  var network_default = outputs({
6
7
  network: {
@@ -8,7 +9,7 @@ var network_default = outputs({
8
9
  ipv6: args.ipv6
9
10
  }
10
11
  });
11
- export {
12
- network_default as default
13
- };
12
+
13
+ export { network_default as default };
14
+ //# sourceMappingURL=index.js.map
14
15
  //# sourceMappingURL=index.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/network/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit } from \"@highstate/pulumi\"\n\nconst { args, outputs } = forUnit(wireguard.network)\n\nexport default outputs({\n network: {\n backend: args.backend,\n ipv6: args.ipv6,\n },\n})\n"],"mappings":";AAAA,SAAS,iBAAiB;AAC1B,SAAS,eAAe;AAExB,IAAM,EAAE,MAAM,QAAQ,IAAI,QAAQ,UAAU,OAAO;AAEnD,IAAO,kBAAQ,QAAQ;AAAA,EACrB,SAAS;AAAA,IACP,SAAS,KAAK;AAAA,IACd,MAAM,KAAK;AAAA,EACb;AACF,CAAC;","names":[]}
1
+ {"version":3,"sources":["../../src/network/index.ts"],"names":[],"mappings":";;;;AAGA,IAAM,EAAE,IAAM,EAAA,OAAA,EAAY,GAAA,OAAA,CAAQ,UAAU,OAAO,CAAA;AAEnD,IAAO,kBAAQ,OAAQ,CAAA;AAAA,EACrB,OAAS,EAAA;AAAA,IACP,SAAS,IAAK,CAAA,OAAA;AAAA,IACd,MAAM,IAAK,CAAA;AAAA;AAEf,CAAC","file":"index.js","sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit } from \"@highstate/pulumi\"\n\nconst { args, outputs } = forUnit(wireguard.network)\n\nexport default outputs({\n network: {\n backend: args.backend,\n ipv6: args.ipv6,\n },\n})\n"]}
@@ -1,25 +1,17 @@
1
- import {
2
- generateIdentityConfig,
3
- isExitNode,
4
- shouldExpose
5
- } from "../chunk-PXOBQDLU.js";
6
-
7
- // src/node/index.ts
8
- import { NetworkPolicy, Namespace, ExposableWorkload, Secret } from "@highstate/k8s";
9
- import { wireguard as wireguard2 } from "@highstate/library";
10
- import { forUnit, output, toPromise } from "@highstate/pulumi";
11
- import { deepmerge } from "deepmerge-ts";
12
- import { l34EndpointToString, l4EndpointToString, updateEndpoints } from "@highstate/common";
1
+ import { generateIdentityConfig, shouldExpose, isExitNode } from '../chunk-MDXKWNFE.js';
2
+ import { Namespace, Secret, ExposableWorkload, NetworkPolicy } from '@highstate/k8s';
3
+ import { wireguard as wireguard$1 } from '@highstate/library';
4
+ import { forUnit, toPromise, output } from '@highstate/pulumi';
5
+ import { deepmerge } from 'deepmerge-ts';
6
+ import { l34EndpointToString, updateEndpoints, l4EndpointToString } from '@highstate/common';
13
7
 
14
8
  // assets/images.json
15
9
  var wireguard = {
16
- name: "docker.io/linuxserver/wireguard",
17
- tag: "latest",
18
10
  image: "docker.io/linuxserver/wireguard:latest@sha256:7792dcef56c51e6b4d499a209e980ed74309bf3bee6af12168ea02bf289eddd9"
19
11
  };
20
12
 
21
13
  // src/node/index.ts
22
- var { args, inputs, outputs } = forUnit(wireguard2.node);
14
+ var { args, inputs, outputs } = forUnit(wireguard$1.node);
23
15
  var { identity, peers } = await toPromise(inputs);
24
16
  var identityName = identity.peer.name.replaceAll(".", "-");
25
17
  var appName = args.appName ?? `wg-${identityName}`;
@@ -46,6 +38,10 @@ var preDown = [
46
38
  // remove the masquerading rule
47
39
  "iptables -t nat -D POSTROUTING -j MASQUERADE"
48
40
  ];
41
+ for (const restrictedCidr of args.forwardRestrictedIps) {
42
+ postUp.push(`iptables -I FORWARD -d ${restrictedCidr} -j DROP`);
43
+ preDown.push(`iptables -D FORWARD -d ${restrictedCidr} -j DROP`);
44
+ }
49
45
  if (downstreamInterface) {
50
46
  preUp.push(`while ! ip link show ${downstreamInterface.name} | grep -q 'UP' ; do sleep 1; done`);
51
47
  postUp.push("ip rule del not from all fwmark 0xca6c lookup 51820");
@@ -178,12 +174,12 @@ var node_default = outputs({
178
174
  endpoints
179
175
  },
180
176
  endpoints,
181
- $status: {
177
+ $statusFields: {
182
178
  endpoints: endpoints.map(l4EndpointToString)
183
179
  },
184
180
  $terminals: [workload.terminal]
185
181
  });
186
- export {
187
- node_default as default
188
- };
182
+
183
+ export { node_default as default };
184
+ //# sourceMappingURL=index.js.map
189
185
  //# sourceMappingURL=index.js.map
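Review bot: In the `forwardRestrictedIps` loop added by the second hunk, `restrictedCidr` is interpolated straight into the `iptables` command strings pushed to `postUp` and `preDown`, with no check that it is an address or CIDR. Those strings end up as `PostUp =`/`PreDown =` lines of the generated config, which wg-quick hands to a shell, so a value containing shell metacharacters would run as a command inside the WireGuard container. Unless the unit's argument schema already restricts the format, reject anything that does not look like a CIDR before pushing, e.g. `if (!/^[0-9A-Fa-f:.]+(\/\d{1,3})?$/.test(restrictedCidr)) throw new Error("invalid CIDR in forwardRestrictedIps");`. The rules are also IPv4-only: an IPv6 range would need `ip6tables`, and given to `iptables` it would presumably make the PostUp step fail.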
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/node/index.ts","../../assets/images.json"],"sourcesContent":["import { NetworkPolicy, Namespace, ExposableWorkload, Secret } from \"@highstate/k8s\"\nimport { wireguard } from \"@highstate/library\"\nimport { forUnit, output, toPromise } from \"@highstate/pulumi\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { l34EndpointToString, l4EndpointToString, updateEndpoints } from \"@highstate/common\"\nimport { generateIdentityConfig, isExitNode, shouldExpose } from \"../shared\"\nimport * as images from \"../../assets/images.json\"\n\nconst { args, inputs, outputs } = forUnit(wireguard.node)\n\nconst { identity, peers } = await toPromise(inputs)\n\nconst identityName = identity.peer.name.replaceAll(\".\", \"-\")\nconst appName = args.appName ?? `wg-${identityName}`\n\nconst namespace = Namespace.createOrPatch(appName, {\n cluster: inputs.k8sCluster,\n resource: inputs.workload ?? inputs.interface?.workload,\n\n metadata: {\n labels: {\n \"pod-security.kubernetes.io/enforce\": \"privileged\",\n },\n },\n})\n\nconst downstreamInterface = await toPromise(inputs.interface)\n\nconst preUp: string[] = [\n // idk why\n \"sleep 5\",\n]\n\nconst postUp: string[] = [\n // enable masquerading for all traffic going out of the WireGuard node\n // TODO: consider adding more specific and restrictive rules\n \"iptables -t nat -A POSTROUTING -j MASQUERADE\",\n]\n\nconst preDown: string[] = [\n // remove the masquerading rule\n \"iptables -t nat -D POSTROUTING -j MASQUERADE\",\n]\n\nif (downstreamInterface) {\n // wait until the interface is up\n preUp.push(`while ! 
ip link show ${downstreamInterface.name} | grep -q 'UP' ; do sleep 1; done`)\n\n // remove the default rule to route all non-encapsulated traffic to upstream wireguard interface\n postUp.push(\"ip rule del not from all fwmark 0xca6c lookup 51820\")\n\n // add a rule to route all downstream traffic to the upstream wireguard interface\n postUp.push(\"ip rule add from all fwmark 0x1 lookup 51820\")\n\n // mark all downstream traffic with 0x1\n postUp.push(\n `iptables -t mangle -A PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`,\n )\n\n // remove the rule to route all downstream traffic to the upstream wireguard interface\n preDown.push(\n `iptables -t mangle -D PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`,\n )\n\n // remove the rule to route all non-encapsulated traffic to upstream wireguard interface\n preDown.push(\"ip rule del from all fwmark 0x1 lookup 51820\")\n}\n\nconst interfaceName = identityName.substring(0, 15) // linux kernel limit\n\n// if there is a workload, we will use a different port to prevent potential conflicts\nconst containerPort = (inputs.workload ?? inputs.interface?.workload) ? 51821 : 51820\n\nconst configSecret = Secret.create(appName, {\n cluster: inputs.k8sCluster,\n namespace,\n\n stringData: {\n [`${interfaceName}.conf`]: generateIdentityConfig({\n identity,\n peers,\n listenPort: containerPort,\n preUp,\n postUp,\n preDown,\n defaultInterface: \"eth0\",\n cluster: await toPromise(inputs.k8sCluster),\n }),\n },\n})\n\nconst workload = ExposableWorkload.createOrPatchGeneric(appName, {\n type: \"Deployment\",\n cluster: inputs.k8sCluster,\n namespace,\n\n existing: inputs.workload ?? 
inputs.interface?.workload,\n\n container: deepmerge(\n {\n image: images[\"wireguard\"].image,\n\n environment: {\n PUID: \"1000\",\n PGID: \"1000\",\n TZ: \"Etc/UTC\",\n },\n\n securityContext: {\n capabilities: {\n add: [\"NET_ADMIN\"],\n },\n },\n\n port: {\n containerPort,\n protocol: \"UDP\",\n },\n\n volumeMount: {\n volume: configSecret,\n mountPath: \"/config/wg_confs\",\n },\n },\n args.containerSpec ?? {},\n ),\n\n service: shouldExpose(identity, args.exposePolicy)\n ? {\n external: args.external,\n port: {\n port: identity.peer.listenPort ?? 51820,\n targetPort: containerPort,\n protocol: \"UDP\",\n nodePort: args.external ? identity.peer.listenPort : undefined,\n },\n }\n : undefined,\n})\n\nif (shouldExpose(identity, args.exposePolicy)) {\n NetworkPolicy.create(\"allow-wireguard-ingress\", {\n namespace,\n cluster: inputs.k8sCluster,\n selector: workload.spec.selector,\n\n description: \"Allow encapsulated WireGuard traffic to the node from anywhere.\",\n\n ingressRule: {\n fromAll: true,\n },\n })\n}\n\nif (isExitNode(identity.peer)) {\n NetworkPolicy.create(\"allow-all-egress\", {\n namespace,\n cluster: inputs.k8sCluster,\n selector: workload.spec.selector,\n\n description: \"Allow all egress traffic from the WireGuard node since it is an exit node.\",\n\n egressRule: {\n toAll: true,\n },\n })\n}\n\nfor (const endpoint of identity.peer.allowedEndpoints) {\n NetworkPolicy.create(`allow-egress-to-${l34EndpointToString(endpoint)}`, {\n namespace,\n cluster: inputs.k8sCluster,\n selector: workload.spec.selector,\n\n description: `Allow egress traffic from the WireGuard node to the allowed endpoint \"${l34EndpointToString(endpoint)}\".`,\n\n egressRule: {\n toEndpoint: endpoint,\n },\n })\n}\n\nfor (const peer of peers) {\n if (!peer.endpoints.length) {\n continue\n }\n\n NetworkPolicy.create(`allow-egress-to-peer-${peer.name}`, {\n namespace,\n cluster: inputs.k8sCluster,\n selector: workload.spec.selector,\n\n description: `Allow egress traffic from 
the WireGuard node to the endpoints of the peer \"${peer.name}\".`,\n\n egressRule: {\n toEndpoints: peer.endpoints,\n },\n })\n}\n\nconst endpoints = await updateEndpoints(\n identity.peer.endpoints,\n [],\n output(workload.optionalService.apply(service => service?.endpoints ?? [])),\n \"prepend\",\n)\n\nexport default outputs({\n interface: {\n name: interfaceName,\n workload: workload.entity,\n },\n peer: {\n ...identity.peer,\n endpoints,\n },\n endpoints,\n\n $status: {\n endpoints: endpoints.map(l4EndpointToString),\n },\n\n $terminals: [workload.terminal],\n})\n","{\n \"wireguard\": {\n \"name\": \"docker.io/linuxserver/wireguard\",\n \"tag\": \"latest\",\n \"image\": \"docker.io/linuxserver/wireguard:latest@sha256:7792dcef56c51e6b4d499a209e980ed74309bf3bee6af12168ea02bf289eddd9\"\n }\n}\n"],"mappings":";;;;;;;AAAA,SAAS,eAAe,WAAW,mBAAmB,cAAc;AACpE,SAAS,aAAAA,kBAAiB;AAC1B,SAAS,SAAS,QAAQ,iBAAiB;AAC3C,SAAS,iBAAiB;AAC1B,SAAS,qBAAqB,oBAAoB,uBAAuB;;;ACHvE,gBAAa;AAAA,EACX,MAAQ;AAAA,EACR,KAAO;AAAA,EACP,OAAS;AACX;;;ADGF,IAAM,EAAE,MAAM,QAAQ,QAAQ,IAAI,QAAQC,WAAU,IAAI;AAExD,IAAM,EAAE,UAAU,MAAM,IAAI,MAAM,UAAU,MAAM;AAElD,IAAM,eAAe,SAAS,KAAK,KAAK,WAAW,KAAK,GAAG;AAC3D,IAAM,UAAU,KAAK,WAAW,MAAM,YAAY;AAElD,IAAM,YAAY,UAAU,cAAc,SAAS;AAAA,EACjD,SAAS,OAAO;AAAA,EAChB,UAAU,OAAO,YAAY,OAAO,WAAW;AAAA,EAE/C,UAAU;AAAA,IACR,QAAQ;AAAA,MACN,sCAAsC;AAAA,IACxC;AAAA,EACF;AACF,CAAC;AAED,IAAM,sBAAsB,MAAM,UAAU,OAAO,SAAS;AAE5D,IAAM,QAAkB;AAAA;AAAA,EAEtB;AACF;AAEA,IAAM,SAAmB;AAAA;AAAA;AAAA,EAGvB;AACF;AAEA,IAAM,UAAoB;AAAA;AAAA,EAExB;AACF;AAEA,IAAI,qBAAqB;AAEvB,QAAM,KAAK,wBAAwB,oBAAoB,IAAI,oCAAoC;AAG/F,SAAO,KAAK,qDAAqD;AAGjE,SAAO,KAAK,8CAA8C;AAG1D,SAAO;AAAA,IACL,uCAAuC,oBAAoB,IAAI;AAAA,EACjE;AAGA,UAAQ;AAAA,IACN,uCAAuC,oBAAoB,IAAI;AAAA,EACjE;AAGA,UAAQ,KAAK,8CAA8C;AAC7D;AAEA,IAAM,gBAAgB,aAAa,UAAU,GAAG,EAAE;AAGlD,IAAM,gBAAiB,OAAO,YAAY,OAAO,WAAW,WAAY,QAAQ;AAEhF,IAAM,eAAe,OAAO,OAAO,SAAS;AAAA,EAC1C,SAAS,OAAO;AAAA,EAChB;AAAA,EAEA,YAAY;AAAA,IACV,CAAC,GAAG,aAAa,OAAO,GAAG,uBAAuB;AAAA,MAChD;AAAA,MACA;AAAA,MACA,Y
AAY;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA,kBAAkB;AAAA,MAClB,SAAS,MAAM,UAAU,OAAO,UAAU;AAAA,IAC5C,CAAC;AAAA,EACH;AACF,CAAC;AAED,IAAM,WAAW,kBAAkB,qBAAqB,SAAS;AAAA,EAC/D,MAAM;AAAA,EACN,SAAS,OAAO;AAAA,EAChB;AAAA,EAEA,UAAU,OAAO,YAAY,OAAO,WAAW;AAAA,EAE/C,WAAW;AAAA,IACT;AAAA,MACE,OAAc,UAAa;AAAA,MAE3B,aAAa;AAAA,QACX,MAAM;AAAA,QACN,MAAM;AAAA,QACN,IAAI;AAAA,MACN;AAAA,MAEA,iBAAiB;AAAA,QACf,cAAc;AAAA,UACZ,KAAK,CAAC,WAAW;AAAA,QACnB;AAAA,MACF;AAAA,MAEA,MAAM;AAAA,QACJ;AAAA,QACA,UAAU;AAAA,MACZ;AAAA,MAEA,aAAa;AAAA,QACX,QAAQ;AAAA,QACR,WAAW;AAAA,MACb;AAAA,IACF;AAAA,IACA,KAAK,iBAAiB,CAAC;AAAA,EACzB;AAAA,EAEA,SAAS,aAAa,UAAU,KAAK,YAAY,IAC7C;AAAA,IACE,UAAU,KAAK;AAAA,IACf,MAAM;AAAA,MACJ,MAAM,SAAS,KAAK,cAAc;AAAA,MAClC,YAAY;AAAA,MACZ,UAAU;AAAA,MACV,UAAU,KAAK,WAAW,SAAS,KAAK,aAAa;AAAA,IACvD;AAAA,EACF,IACA;AACN,CAAC;AAED,IAAI,aAAa,UAAU,KAAK,YAAY,GAAG;AAC7C,gBAAc,OAAO,2BAA2B;AAAA,IAC9C;AAAA,IACA,SAAS,OAAO;AAAA,IAChB,UAAU,SAAS,KAAK;AAAA,IAExB,aAAa;AAAA,IAEb,aAAa;AAAA,MACX,SAAS;AAAA,IACX;AAAA,EACF,CAAC;AACH;AAEA,IAAI,WAAW,SAAS,IAAI,GAAG;AAC7B,gBAAc,OAAO,oBAAoB;AAAA,IACvC;AAAA,IACA,SAAS,OAAO;AAAA,IAChB,UAAU,SAAS,KAAK;AAAA,IAExB,aAAa;AAAA,IAEb,YAAY;AAAA,MACV,OAAO;AAAA,IACT;AAAA,EACF,CAAC;AACH;AAEA,WAAW,YAAY,SAAS,KAAK,kBAAkB;AACrD,gBAAc,OAAO,mBAAmB,oBAAoB,QAAQ,CAAC,IAAI;AAAA,IACvE;AAAA,IACA,SAAS,OAAO;AAAA,IAChB,UAAU,SAAS,KAAK;AAAA,IAExB,aAAa,yEAAyE,oBAAoB,QAAQ,CAAC;AAAA,IAEnH,YAAY;AAAA,MACV,YAAY;AAAA,IACd;AAAA,EACF,CAAC;AACH;AAEA,WAAW,QAAQ,OAAO;AACxB,MAAI,CAAC,KAAK,UAAU,QAAQ;AAC1B;AAAA,EACF;AAEA,gBAAc,OAAO,wBAAwB,KAAK,IAAI,IAAI;AAAA,IACxD;AAAA,IACA,SAAS,OAAO;AAAA,IAChB,UAAU,SAAS,KAAK;AAAA,IAExB,aAAa,8EAA8E,KAAK,IAAI;AAAA,IAEpG,YAAY;AAAA,MACV,aAAa,KAAK;AAAA,IACpB;AAAA,EACF,CAAC;AACH;AAEA,IAAM,YAAY,MAAM;AAAA,EACtB,SAAS,KAAK;AAAA,EACd,CAAC;AAAA,EACD,OAAO,SAAS,gBAAgB,MAAM,aAAW,SAAS,aAAa,CAAC,CAAC,CAAC;AAAA,EAC1E;AACF;AAEA,IAAO,eAAQ,QAAQ;AAAA,EACrB,WAAW;AAAA,IACT,MAAM;AAAA,IACN,UAAU,SAAS;AAAA,EACrB;AAAA,EACA,MAAM;AAAA,IACJ,GAAG,SAAS;AAAA,IACZ;AAAA,EACF;AAAA,EACA;AAAA,EAEA,SAAS;AAAA,IACP,WAAW,UAAU,IAAI,kB
AAkB;AAAA,EAC7C;AAAA,EAEA,YAAY,CAAC,SAAS,QAAQ;AAChC,CAAC;","names":["wireguard","wireguard"]}
1
+ {"version":3,"sources":["../../assets/images.json","../../src/node/index.ts"],"names":["wireguard"],"mappings":";;;;;;;;AACE,IAAa,SAAA,GAAA;AAAA,EAGX,KAAS,EAAA;AACX,CAAA;;;ACGF,IAAM,EAAE,IAAM,EAAA,MAAA,EAAQ,SAAY,GAAA,OAAA,CAAQA,YAAU,IAAI,CAAA;AAExD,IAAM,EAAE,QAAU,EAAA,KAAA,EAAU,GAAA,MAAM,UAAU,MAAM,CAAA;AAElD,IAAM,eAAe,QAAS,CAAA,IAAA,CAAK,IAAK,CAAA,UAAA,CAAW,KAAK,GAAG,CAAA;AAC3D,IAAM,OAAU,GAAA,IAAA,CAAK,OAAW,IAAA,CAAA,GAAA,EAAM,YAAY,CAAA,CAAA;AAElD,IAAM,SAAA,GAAY,SAAU,CAAA,aAAA,CAAc,OAAS,EAAA;AAAA,EACjD,SAAS,MAAO,CAAA,UAAA;AAAA,EAChB,QAAU,EAAA,MAAA,CAAO,QAAY,IAAA,MAAA,CAAO,SAAW,EAAA,QAAA;AAAA,EAE/C,QAAU,EAAA;AAAA,IACR,MAAQ,EAAA;AAAA,MACN,oCAAsC,EAAA;AAAA;AACxC;AAEJ,CAAC,CAAA;AAED,IAAM,mBAAsB,GAAA,MAAM,SAAU,CAAA,MAAA,CAAO,SAAS,CAAA;AAE5D,IAAM,KAAkB,GAAA;AAAA;AAAA,EAEtB;AACF,CAAA;AAEA,IAAM,MAAmB,GAAA;AAAA;AAAA;AAAA,EAGvB;AACF,CAAA;AAEA,IAAM,OAAoB,GAAA;AAAA;AAAA,EAExB;AACF,CAAA;AAGA,KAAW,MAAA,cAAA,IAAkB,KAAK,oBAAsB,EAAA;AAEtD,EAAO,MAAA,CAAA,IAAA,CAAK,CAA0B,uBAAA,EAAA,cAAc,CAAU,QAAA,CAAA,CAAA;AAC9D,EAAQ,OAAA,CAAA,IAAA,CAAK,CAA0B,uBAAA,EAAA,cAAc,CAAU,QAAA,CAAA,CAAA;AACjE;AAEA,IAAI,mBAAqB,EAAA;AAEvB,EAAA,KAAA,CAAM,IAAK,CAAA,CAAA,qBAAA,EAAwB,mBAAoB,CAAA,IAAI,CAAoC,kCAAA,CAAA,CAAA;AAG/F,EAAA,MAAA,CAAO,KAAK,qDAAqD,CAAA;AAGjE,EAAA,MAAA,CAAO,KAAK,8CAA8C,CAAA;AAG1D,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,CAAA,oCAAA,EAAuC,oBAAoB,IAAI,CAAA,uBAAA;AAAA,GACjE;AAGA,EAAQ,OAAA,CAAA,IAAA;AAAA,IACN,CAAA,oCAAA,EAAuC,oBAAoB,IAAI,CAAA,uBAAA;AAAA,GACjE;AAGA,EAAA,OAAA,CAAQ,KAAK,8CAA8C,CAAA;AAC7D;AAEA,IAAM,aAAgB,GAAA,YAAA,CAAa,SAAU,CAAA,CAAA,EAAG,EAAE,CAAA;AAGlD,IAAM,gBAAiB,MAAO,CAAA,QAAA,IAAY,MAAO,CAAA,SAAA,EAAW,WAAY,KAAQ,GAAA,KAAA;AAEhF,IAAM,YAAA,GAAe,MAAO,CAAA,MAAA,CAAO,OAAS,EAAA;AAAA,EAC1C,SAAS,MAAO,CAAA,UAAA;AAAA,EAChB,SAAA;AAAA,EAEA,UAAY,EAAA;AAAA,IACV,CAAC,CAAA,EAAG,aAAa,CAAA,KAAA,CAAO,GAAG,sBAAuB,CAAA;AAAA,MAChD,QAAA;AAAA,MACA,KAAA;AAAA,MACA,UAAY,EAAA,aAAA;AAAA,MACZ,KAAA;AAAA,MACA,MAAA;AAAA,MACA,OAAA;AAAA,MACA,gBAAkB,EAAA,MAAA;AAAA,MAClB,OAAS,EAAA,MAAM,SAAU,CAAA,MAAA,CAAO,UAAU;AAAA,KAC3C;AAAA;A
AEL,CAAC,CAAA;AAED,IAAM,QAAA,GAAW,iBAAkB,CAAA,oBAAA,CAAqB,OAAS,EAAA;AAAA,EAC/D,IAAM,EAAA,YAAA;AAAA,EACN,SAAS,MAAO,CAAA,UAAA;AAAA,EAChB,SAAA;AAAA,EAEA,QAAU,EAAA,MAAA,CAAO,QAAY,IAAA,MAAA,CAAO,SAAW,EAAA,QAAA;AAAA,EAE/C,SAAW,EAAA,SAAA;AAAA,IACT;AAAA,MACE,OAAc,SAAa,CAAA,KAAA;AAAA,MAE3B,WAAa,EAAA;AAAA,QACX,IAAM,EAAA,MAAA;AAAA,QACN,IAAM,EAAA,MAAA;AAAA,QACN,EAAI,EAAA;AAAA,OACN;AAAA,MAEA,eAAiB,EAAA;AAAA,QACf,YAAc,EAAA;AAAA,UACZ,GAAA,EAAK,CAAC,WAAW;AAAA;AACnB,OACF;AAAA,MAEA,IAAM,EAAA;AAAA,QACJ,aAAA;AAAA,QACA,QAAU,EAAA;AAAA,OACZ;AAAA,MAEA,WAAa,EAAA;AAAA,QACX,MAAQ,EAAA,YAAA;AAAA,QACR,SAAW,EAAA;AAAA;AACb,KACF;AAAA,IACA,IAAA,CAAK,iBAAiB;AAAC,GACzB;AAAA,EAEA,OAAS,EAAA,YAAA,CAAa,QAAU,EAAA,IAAA,CAAK,YAAY,CAC7C,GAAA;AAAA,IACE,UAAU,IAAK,CAAA,QAAA;AAAA,IACf,IAAM,EAAA;AAAA,MACJ,IAAA,EAAM,QAAS,CAAA,IAAA,CAAK,UAAc,IAAA,KAAA;AAAA,MAClC,UAAY,EAAA,aAAA;AAAA,MACZ,QAAU,EAAA,KAAA;AAAA,MACV,QAAU,EAAA,IAAA,CAAK,QAAW,GAAA,QAAA,CAAS,KAAK,UAAa,GAAA;AAAA;AACvD,GAEF,GAAA;AACN,CAAC,CAAA;AAED,IAAI,YAAa,CAAA,QAAA,EAAU,IAAK,CAAA,YAAY,CAAG,EAAA;AAC7C,EAAA,aAAA,CAAc,OAAO,yBAA2B,EAAA;AAAA,IAC9C,SAAA;AAAA,IACA,SAAS,MAAO,CAAA,UAAA;AAAA,IAChB,QAAA,EAAU,SAAS,IAAK,CAAA,QAAA;AAAA,IAExB,WAAa,EAAA,iEAAA;AAAA,IAEb,WAAa,EAAA;AAAA,MACX,OAAS,EAAA;AAAA;AACX,GACD,CAAA;AACH;AAEA,IAAI,UAAA,CAAW,QAAS,CAAA,IAAI,CAAG,EAAA;AAC7B,EAAA,aAAA,CAAc,OAAO,kBAAoB,EAAA;AAAA,IACvC,SAAA;AAAA,IACA,SAAS,MAAO,CAAA,UAAA;AAAA,IAChB,QAAA,EAAU,SAAS,IAAK,CAAA,QAAA;AAAA,IAExB,WAAa,EAAA,4EAAA;AAAA,IAEb,UAAY,EAAA;AAAA,MACV,KAAO,EAAA;AAAA;AACT,GACD,CAAA;AACH;AAEA,KAAW,MAAA,QAAA,IAAY,QAAS,CAAA,IAAA,CAAK,gBAAkB,EAAA;AACrD,EAAA,aAAA,CAAc,MAAO,CAAA,CAAA,gBAAA,EAAmB,mBAAoB,CAAA,QAAQ,CAAC,CAAI,CAAA,EAAA;AAAA,IACvE,SAAA;AAAA,IACA,SAAS,MAAO,CAAA,UAAA;AAAA,IAChB,QAAA,EAAU,SAAS,IAAK,CAAA,QAAA;AAAA,IAExB,WAAa,EAAA,CAAA,sEAAA,EAAyE,mBAAoB,CAAA,QAAQ,CAAC,CAAA,EAAA,CAAA;AAAA,IAEnH,UAAY,EAAA;AAAA,MACV,UAAY,EAAA;AAAA;AACd,GACD,CAAA;AACH;AAEA,KAAA,MAAW,QAAQ,KAAO,EAAA;AACxB,EAAI,IAAA,CAAC,IAAK,CAAA,SAAA,CAAU,MAAQ,EAAA;AAC1B,IAAA;AAAA;AAGF,EAAA,aAAA,CAAc,MAAO,CAAA,CAAA
,qBAAA,EAAwB,IAAK,CAAA,IAAI,CAAI,CAAA,EAAA;AAAA,IACxD,SAAA;AAAA,IACA,SAAS,MAAO,CAAA,UAAA;AAAA,IAChB,QAAA,EAAU,SAAS,IAAK,CAAA,QAAA;AAAA,IAExB,WAAA,EAAa,CAA8E,2EAAA,EAAA,IAAA,CAAK,IAAI,CAAA,EAAA,CAAA;AAAA,IAEpG,UAAY,EAAA;AAAA,MACV,aAAa,IAAK,CAAA;AAAA;AACpB,GACD,CAAA;AACH;AAEA,IAAM,YAAY,MAAM,eAAA;AAAA,EACtB,SAAS,IAAK,CAAA,SAAA;AAAA,EACd,EAAC;AAAA,EACD,MAAA,CAAO,SAAS,eAAgB,CAAA,KAAA,CAAM,aAAW,OAAS,EAAA,SAAA,IAAa,EAAE,CAAC,CAAA;AAAA,EAC1E;AACF,CAAA;AAEA,IAAO,eAAQ,OAAQ,CAAA;AAAA,EACrB,SAAW,EAAA;AAAA,IACT,IAAM,EAAA,aAAA;AAAA,IACN,UAAU,QAAS,CAAA;AAAA,GACrB;AAAA,EACA,IAAM,EAAA;AAAA,IACJ,GAAG,QAAS,CAAA,IAAA;AAAA,IACZ;AAAA,GACF;AAAA,EACA,SAAA;AAAA,EAEA,aAAe,EAAA;AAAA,IACb,SAAA,EAAW,SAAU,CAAA,GAAA,CAAI,kBAAkB;AAAA,GAC7C;AAAA,EAEA,UAAA,EAAY,CAAC,QAAA,CAAS,QAAQ;AAChC,CAAC","file":"index.js","sourcesContent":["{\n \"wireguard\": {\n \"name\": \"docker.io/linuxserver/wireguard\",\n \"tag\": \"latest\",\n \"image\": \"docker.io/linuxserver/wireguard:latest@sha256:7792dcef56c51e6b4d499a209e980ed74309bf3bee6af12168ea02bf289eddd9\"\n }\n}\n","import { NetworkPolicy, Namespace, ExposableWorkload, Secret } from \"@highstate/k8s\"\nimport { wireguard } from \"@highstate/library\"\nimport { forUnit, output, toPromise } from \"@highstate/pulumi\"\nimport { deepmerge } from \"deepmerge-ts\"\nimport { l34EndpointToString, l4EndpointToString, updateEndpoints } from \"@highstate/common\"\nimport { generateIdentityConfig, isExitNode, shouldExpose } from \"../shared\"\nimport * as images from \"../../assets/images.json\"\n\nconst { args, inputs, outputs } = forUnit(wireguard.node)\n\nconst { identity, peers } = await toPromise(inputs)\n\nconst identityName = identity.peer.name.replaceAll(\".\", \"-\")\nconst appName = args.appName ?? `wg-${identityName}`\n\nconst namespace = Namespace.createOrPatch(appName, {\n cluster: inputs.k8sCluster,\n resource: inputs.workload ?? 
inputs.interface?.workload,\n\n metadata: {\n labels: {\n \"pod-security.kubernetes.io/enforce\": \"privileged\",\n },\n },\n})\n\nconst downstreamInterface = await toPromise(inputs.interface)\n\nconst preUp: string[] = [\n // idk why\n \"sleep 5\",\n]\n\nconst postUp: string[] = [\n // enable masquerading for all traffic going out of the WireGuard node\n // TODO: consider adding more specific and restrictive rules\n \"iptables -t nat -A POSTROUTING -j MASQUERADE\",\n]\n\nconst preDown: string[] = [\n // remove the masquerading rule\n \"iptables -t nat -D POSTROUTING -j MASQUERADE\",\n]\n\n// Add forwarding restrictions for specified CIDRs\nfor (const restrictedCidr of args.forwardRestrictedIps) {\n // Block forwarding to restricted CIDR (prevents other peers from reaching these destinations)\n postUp.push(`iptables -I FORWARD -d ${restrictedCidr} -j DROP`)\n preDown.push(`iptables -D FORWARD -d ${restrictedCidr} -j DROP`)\n}\n\nif (downstreamInterface) {\n // wait until the interface is up\n preUp.push(`while ! 
ip link show ${downstreamInterface.name} | grep -q 'UP' ; do sleep 1; done`)\n\n // remove the default rule to route all non-encapsulated traffic to upstream wireguard interface\n postUp.push(\"ip rule del not from all fwmark 0xca6c lookup 51820\")\n\n // add a rule to route all downstream traffic to the upstream wireguard interface\n postUp.push(\"ip rule add from all fwmark 0x1 lookup 51820\")\n\n // mark all downstream traffic with 0x1\n postUp.push(\n `iptables -t mangle -A PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`,\n )\n\n // remove the rule to route all downstream traffic to the upstream wireguard interface\n preDown.push(\n `iptables -t mangle -D PREROUTING -i ${downstreamInterface.name} -j MARK --set-mark 0x1`,\n )\n\n // remove the rule to route all non-encapsulated traffic to upstream wireguard interface\n preDown.push(\"ip rule del from all fwmark 0x1 lookup 51820\")\n}\n\nconst interfaceName = identityName.substring(0, 15) // linux kernel limit\n\n// if there is a workload, we will use a different port to prevent potential conflicts\nconst containerPort = (inputs.workload ?? inputs.interface?.workload) ? 51821 : 51820\n\nconst configSecret = Secret.create(appName, {\n cluster: inputs.k8sCluster,\n namespace,\n\n stringData: {\n [`${interfaceName}.conf`]: generateIdentityConfig({\n identity,\n peers,\n listenPort: containerPort,\n preUp,\n postUp,\n preDown,\n defaultInterface: \"eth0\",\n cluster: await toPromise(inputs.k8sCluster),\n }),\n },\n})\n\nconst workload = ExposableWorkload.createOrPatchGeneric(appName, {\n type: \"Deployment\",\n cluster: inputs.k8sCluster,\n namespace,\n\n existing: inputs.workload ?? 
inputs.interface?.workload,\n\n container: deepmerge(\n {\n image: images[\"wireguard\"].image,\n\n environment: {\n PUID: \"1000\",\n PGID: \"1000\",\n TZ: \"Etc/UTC\",\n },\n\n securityContext: {\n capabilities: {\n add: [\"NET_ADMIN\"],\n },\n },\n\n port: {\n containerPort,\n protocol: \"UDP\",\n },\n\n volumeMount: {\n volume: configSecret,\n mountPath: \"/config/wg_confs\",\n },\n },\n args.containerSpec ?? {},\n ),\n\n service: shouldExpose(identity, args.exposePolicy)\n ? {\n external: args.external,\n port: {\n port: identity.peer.listenPort ?? 51820,\n targetPort: containerPort,\n protocol: \"UDP\",\n nodePort: args.external ? identity.peer.listenPort : undefined,\n },\n }\n : undefined,\n})\n\nif (shouldExpose(identity, args.exposePolicy)) {\n NetworkPolicy.create(\"allow-wireguard-ingress\", {\n namespace,\n cluster: inputs.k8sCluster,\n selector: workload.spec.selector,\n\n description: \"Allow encapsulated WireGuard traffic to the node from anywhere.\",\n\n ingressRule: {\n fromAll: true,\n },\n })\n}\n\nif (isExitNode(identity.peer)) {\n NetworkPolicy.create(\"allow-all-egress\", {\n namespace,\n cluster: inputs.k8sCluster,\n selector: workload.spec.selector,\n\n description: \"Allow all egress traffic from the WireGuard node since it is an exit node.\",\n\n egressRule: {\n toAll: true,\n },\n })\n}\n\nfor (const endpoint of identity.peer.allowedEndpoints) {\n NetworkPolicy.create(`allow-egress-to-${l34EndpointToString(endpoint)}`, {\n namespace,\n cluster: inputs.k8sCluster,\n selector: workload.spec.selector,\n\n description: `Allow egress traffic from the WireGuard node to the allowed endpoint \"${l34EndpointToString(endpoint)}\".`,\n\n egressRule: {\n toEndpoint: endpoint,\n },\n })\n}\n\nfor (const peer of peers) {\n if (!peer.endpoints.length) {\n continue\n }\n\n NetworkPolicy.create(`allow-egress-to-peer-${peer.name}`, {\n namespace,\n cluster: inputs.k8sCluster,\n selector: workload.spec.selector,\n\n description: `Allow egress traffic from 
the WireGuard node to the endpoints of the peer \"${peer.name}\".`,\n\n egressRule: {\n toEndpoints: peer.endpoints,\n },\n })\n}\n\nconst endpoints = await updateEndpoints(\n identity.peer.endpoints,\n [],\n output(workload.optionalService.apply(service => service?.endpoints ?? [])),\n \"prepend\",\n)\n\nexport default outputs({\n interface: {\n name: interfaceName,\n workload: workload.entity,\n },\n peer: {\n ...identity.peer,\n endpoints,\n },\n endpoints,\n\n $statusFields: {\n endpoints: endpoints.map(l4EndpointToString),\n },\n\n $terminals: [workload.terminal],\n})\n"]}
@@ -1,11 +1,8 @@
1
- import {
2
- createPeerEntity
3
- } from "../chunk-PXOBQDLU.js";
1
+ import { createPeerEntity } from '../chunk-MDXKWNFE.js';
2
+ import { wireguard } from '@highstate/library';
3
+ import { forUnit, toPromise } from '@highstate/pulumi';
4
+ import { l3EndpointToString, l4EndpointToString } from '@highstate/common';
4
5
 
5
- // src/peer/index.ts
6
- import { wireguard } from "@highstate/library";
7
- import { forUnit, toPromise } from "@highstate/pulumi";
8
- import { l3EndpointToString, l4EndpointToString } from "@highstate/common";
9
6
  var { name, args, secrets, inputs, outputs } = forUnit(wireguard.peer);
10
7
  var resolvedInpus = await toPromise(inputs);
11
8
  var presharedKey = await toPromise(secrets.presharedKey);
@@ -13,7 +10,7 @@ var peer = createPeerEntity(name, args, resolvedInpus, args.publicKey, preshared
13
10
  var peer_default = outputs({
14
11
  peer,
15
12
  endpoints: peer.endpoints,
16
- $status: {
13
+ $statusFields: {
17
14
  endpoints: {
18
15
  value: peer.endpoints.map(l4EndpointToString),
19
16
  complementaryTo: "endpoints"
@@ -24,7 +21,7 @@ var peer_default = outputs({
24
21
  }
25
22
  }
26
23
  });
27
- export {
28
- peer_default as default
29
- };
24
+
25
+ export { peer_default as default };
26
+ //# sourceMappingURL=index.js.map
30
27
  //# sourceMappingURL=index.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/peer/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { l3EndpointToString, l4EndpointToString } from \"@highstate/common\"\nimport { createPeerEntity } from \"../shared\"\n\nconst { name, args, secrets, inputs, outputs } = forUnit(wireguard.peer)\n\nconst resolvedInpus = await toPromise(inputs)\nconst presharedKey = await toPromise(secrets.presharedKey)\n\nconst peer = createPeerEntity(name, args, resolvedInpus, args.publicKey, presharedKey)\n\nexport default outputs({\n peer,\n endpoints: peer.endpoints,\n\n $status: {\n endpoints: {\n value: peer.endpoints.map(l4EndpointToString),\n complementaryTo: \"endpoints\",\n },\n allowedEndpoints: {\n value: peer.allowedEndpoints.map(l3EndpointToString),\n complementaryTo: \"allowedEndpoints\",\n },\n },\n})\n"],"mappings":";;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AACnC,SAAS,oBAAoB,0BAA0B;AAGvD,IAAM,EAAE,MAAM,MAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ,UAAU,IAAI;AAEvE,IAAM,gBAAgB,MAAM,UAAU,MAAM;AAC5C,IAAM,eAAe,MAAM,UAAU,QAAQ,YAAY;AAEzD,IAAM,OAAO,iBAAiB,MAAM,MAAM,eAAe,KAAK,WAAW,YAAY;AAErF,IAAO,eAAQ,QAAQ;AAAA,EACrB;AAAA,EACA,WAAW,KAAK;AAAA,EAEhB,SAAS;AAAA,IACP,WAAW;AAAA,MACT,OAAO,KAAK,UAAU,IAAI,kBAAkB;AAAA,MAC5C,iBAAiB;AAAA,IACnB;AAAA,IACA,kBAAkB;AAAA,MAChB,OAAO,KAAK,iBAAiB,IAAI,kBAAkB;AAAA,MACnD,iBAAiB;AAAA,IACnB;AAAA,EACF;AACF,CAAC;","names":[]}
1
+ {"version":3,"sources":["../../src/peer/index.ts"],"names":[],"mappings":";;;;;AAKA,IAAM,EAAE,MAAM,IAAM,EAAA,OAAA,EAAS,QAAQ,OAAQ,EAAA,GAAI,OAAQ,CAAA,SAAA,CAAU,IAAI,CAAA;AAEvE,IAAM,aAAA,GAAgB,MAAM,SAAA,CAAU,MAAM,CAAA;AAC5C,IAAM,YAAe,GAAA,MAAM,SAAU,CAAA,OAAA,CAAQ,YAAY,CAAA;AAEzD,IAAM,OAAO,gBAAiB,CAAA,IAAA,EAAM,MAAM,aAAe,EAAA,IAAA,CAAK,WAAW,YAAY,CAAA;AAErF,IAAO,eAAQ,OAAQ,CAAA;AAAA,EACrB,IAAA;AAAA,EACA,WAAW,IAAK,CAAA,SAAA;AAAA,EAEhB,aAAe,EAAA;AAAA,IACb,SAAW,EAAA;AAAA,MACT,KAAO,EAAA,IAAA,CAAK,SAAU,CAAA,GAAA,CAAI,kBAAkB,CAAA;AAAA,MAC5C,eAAiB,EAAA;AAAA,KACnB;AAAA,IACA,gBAAkB,EAAA;AAAA,MAChB,KAAO,EAAA,IAAA,CAAK,gBAAiB,CAAA,GAAA,CAAI,kBAAkB,CAAA;AAAA,MACnD,eAAiB,EAAA;AAAA;AACnB;AAEJ,CAAC","file":"index.js","sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { l3EndpointToString, l4EndpointToString } from \"@highstate/common\"\nimport { createPeerEntity } from \"../shared\"\n\nconst { name, args, secrets, inputs, outputs } = forUnit(wireguard.peer)\n\nconst resolvedInpus = await toPromise(inputs)\nconst presharedKey = await toPromise(secrets.presharedKey)\n\nconst peer = createPeerEntity(name, args, resolvedInpus, args.publicKey, presharedKey)\n\nexport default outputs({\n peer,\n endpoints: peer.endpoints,\n\n $statusFields: {\n endpoints: {\n value: peer.endpoints.map(l4EndpointToString),\n complementaryTo: \"endpoints\",\n },\n allowedEndpoints: {\n value: peer.allowedEndpoints.map(l3EndpointToString),\n complementaryTo: \"allowedEndpoints\",\n },\n },\n})\n"]}
@@ -1,13 +1,8 @@
1
- import {
2
- calculateAllowedEndpoints,
3
- calculateAllowedIps,
4
- calculateEndpoints
5
- } from "../chunk-PXOBQDLU.js";
1
+ import { calculateEndpoints, calculateAllowedEndpoints, calculateAllowedIps } from '../chunk-MDXKWNFE.js';
2
+ import { wireguard } from '@highstate/library';
3
+ import { forUnit, toPromise } from '@highstate/pulumi';
4
+ import { updateEndpoints, l3EndpointToString, l4EndpointToString } from '@highstate/common';
6
5
 
7
- // src/peer-patch/index.ts
8
- import { wireguard } from "@highstate/library";
9
- import { forUnit, toPromise } from "@highstate/pulumi";
10
- import { l3EndpointToString, l4EndpointToString, updateEndpoints } from "@highstate/common";
11
6
  var { args, inputs, outputs } = forUnit(wireguard.peerPatch);
12
7
  var resolvedInputs = await toPromise(inputs);
13
8
  var endpoints = await updateEndpoints(
@@ -35,7 +30,7 @@ var peer_patch_default = outputs({
35
30
  )
36
31
  },
37
32
  endpoints,
38
- $status: {
33
+ $statusFields: {
39
34
  endpoints: {
40
35
  value: endpoints.map(l4EndpointToString),
41
36
  complementaryTo: "endpoints"
@@ -46,7 +41,7 @@ var peer_patch_default = outputs({
46
41
  }
47
42
  }
48
43
  });
49
- export {
50
- peer_patch_default as default
51
- };
44
+
45
+ export { peer_patch_default as default };
46
+ //# sourceMappingURL=index.js.map
52
47
  //# sourceMappingURL=index.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/peer-patch/index.ts"],"sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { l3EndpointToString, l4EndpointToString, updateEndpoints } from \"@highstate/common\"\nimport { calculateAllowedEndpoints, calculateAllowedIps, calculateEndpoints } from \"../shared\"\n\nconst { args, inputs, outputs } = forUnit(wireguard.peerPatch)\n\nconst resolvedInputs = await toPromise(inputs)\n\nconst endpoints = await updateEndpoints(\n inputs.peer.endpoints,\n [],\n calculateEndpoints({ ...args, listenPort: resolvedInputs.peer.listenPort }, resolvedInputs),\n args.endpointsPatchMode,\n)\n\nconst allowedEndpoints = await updateEndpoints(\n inputs.peer.allowedEndpoints,\n [],\n calculateAllowedEndpoints(args, resolvedInputs),\n args.allowedEndpointsPatchMode,\n)\n\nexport default outputs({\n peer: {\n ...resolvedInputs.peer,\n endpoints,\n allowedEndpoints,\n dns: args.dns.length > 0 ? args.dns : resolvedInputs.peer.dns,\n allowedIps: calculateAllowedIps(\n { address: args.address ?? 
resolvedInputs.peer.address, exitNode: args.exitNode },\n resolvedInputs,\n allowedEndpoints,\n ),\n },\n\n endpoints,\n\n $status: {\n endpoints: {\n value: endpoints.map(l4EndpointToString),\n complementaryTo: \"endpoints\",\n },\n allowedEndpoints: {\n value: allowedEndpoints.map(l3EndpointToString),\n complementaryTo: \"allowedEndpoints\",\n },\n },\n})\n"],"mappings":";;;;;;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,SAAS,iBAAiB;AACnC,SAAS,oBAAoB,oBAAoB,uBAAuB;AAGxE,IAAM,EAAE,MAAM,QAAQ,QAAQ,IAAI,QAAQ,UAAU,SAAS;AAE7D,IAAM,iBAAiB,MAAM,UAAU,MAAM;AAE7C,IAAM,YAAY,MAAM;AAAA,EACtB,OAAO,KAAK;AAAA,EACZ,CAAC;AAAA,EACD,mBAAmB,EAAE,GAAG,MAAM,YAAY,eAAe,KAAK,WAAW,GAAG,cAAc;AAAA,EAC1F,KAAK;AACP;AAEA,IAAM,mBAAmB,MAAM;AAAA,EAC7B,OAAO,KAAK;AAAA,EACZ,CAAC;AAAA,EACD,0BAA0B,MAAM,cAAc;AAAA,EAC9C,KAAK;AACP;AAEA,IAAO,qBAAQ,QAAQ;AAAA,EACrB,MAAM;AAAA,IACJ,GAAG,eAAe;AAAA,IAClB;AAAA,IACA;AAAA,IACA,KAAK,KAAK,IAAI,SAAS,IAAI,KAAK,MAAM,eAAe,KAAK;AAAA,IAC1D,YAAY;AAAA,MACV,EAAE,SAAS,KAAK,WAAW,eAAe,KAAK,SAAS,UAAU,KAAK,SAAS;AAAA,MAChF;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA;AAAA,EAEA,SAAS;AAAA,IACP,WAAW;AAAA,MACT,OAAO,UAAU,IAAI,kBAAkB;AAAA,MACvC,iBAAiB;AAAA,IACnB;AAAA,IACA,kBAAkB;AAAA,MAChB,OAAO,iBAAiB,IAAI,kBAAkB;AAAA,MAC9C,iBAAiB;AAAA,IACnB;AAAA,EACF;AACF,CAAC;","names":[]}
1
+ {"version":3,"sources":["../../src/peer-patch/index.ts"],"names":[],"mappings":";;;;;AAKA,IAAM,EAAE,IAAM,EAAA,MAAA,EAAQ,SAAY,GAAA,OAAA,CAAQ,UAAU,SAAS,CAAA;AAE7D,IAAM,cAAA,GAAiB,MAAM,SAAA,CAAU,MAAM,CAAA;AAE7C,IAAM,YAAY,MAAM,eAAA;AAAA,EACtB,OAAO,IAAK,CAAA,SAAA;AAAA,EACZ,EAAC;AAAA,EACD,kBAAA,CAAmB,EAAE,GAAG,IAAA,EAAM,YAAY,cAAe,CAAA,IAAA,CAAK,UAAW,EAAA,EAAG,cAAc,CAAA;AAAA,EAC1F,IAAK,CAAA;AACP,CAAA;AAEA,IAAM,mBAAmB,MAAM,eAAA;AAAA,EAC7B,OAAO,IAAK,CAAA,gBAAA;AAAA,EACZ,EAAC;AAAA,EACD,yBAAA,CAA0B,MAAM,cAAc,CAAA;AAAA,EAC9C,IAAK,CAAA;AACP,CAAA;AAEA,IAAO,qBAAQ,OAAQ,CAAA;AAAA,EACrB,IAAM,EAAA;AAAA,IACJ,GAAG,cAAe,CAAA,IAAA;AAAA,IAClB,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,GAAA,EAAK,KAAK,GAAI,CAAA,MAAA,GAAS,IAAI,IAAK,CAAA,GAAA,GAAM,eAAe,IAAK,CAAA,GAAA;AAAA,IAC1D,UAAY,EAAA,mBAAA;AAAA,MACV,EAAE,SAAS,IAAK,CAAA,OAAA,IAAW,eAAe,IAAK,CAAA,OAAA,EAAS,QAAU,EAAA,IAAA,CAAK,QAAS,EAAA;AAAA,MAChF,cAAA;AAAA,MACA;AAAA;AACF,GACF;AAAA,EAEA,SAAA;AAAA,EAEA,aAAe,EAAA;AAAA,IACb,SAAW,EAAA;AAAA,MACT,KAAA,EAAO,SAAU,CAAA,GAAA,CAAI,kBAAkB,CAAA;AAAA,MACvC,eAAiB,EAAA;AAAA,KACnB;AAAA,IACA,gBAAkB,EAAA;AAAA,MAChB,KAAA,EAAO,gBAAiB,CAAA,GAAA,CAAI,kBAAkB,CAAA;AAAA,MAC9C,eAAiB,EAAA;AAAA;AACnB;AAEJ,CAAC","file":"index.js","sourcesContent":["import { wireguard } from \"@highstate/library\"\nimport { forUnit, toPromise } from \"@highstate/pulumi\"\nimport { l3EndpointToString, l4EndpointToString, updateEndpoints } from \"@highstate/common\"\nimport { calculateAllowedEndpoints, calculateAllowedIps, calculateEndpoints } from \"../shared\"\n\nconst { args, inputs, outputs } = forUnit(wireguard.peerPatch)\n\nconst resolvedInputs = await toPromise(inputs)\n\nconst endpoints = await updateEndpoints(\n inputs.peer.endpoints,\n [],\n calculateEndpoints({ ...args, listenPort: resolvedInputs.peer.listenPort }, resolvedInputs),\n args.endpointsPatchMode,\n)\n\nconst allowedEndpoints = await updateEndpoints(\n inputs.peer.allowedEndpoints,\n [],\n calculateAllowedEndpoints(args, resolvedInputs),\n 
args.allowedEndpointsPatchMode,\n)\n\nexport default outputs({\n peer: {\n ...resolvedInputs.peer,\n endpoints,\n allowedEndpoints,\n dns: args.dns.length > 0 ? args.dns : resolvedInputs.peer.dns,\n allowedIps: calculateAllowedIps(\n { address: args.address ?? resolvedInputs.peer.address, exitNode: args.exitNode },\n resolvedInputs,\n allowedEndpoints,\n ),\n },\n\n endpoints,\n\n $statusFields: {\n endpoints: {\n value: endpoints.map(l4EndpointToString),\n complementaryTo: \"endpoints\",\n },\n allowedEndpoints: {\n value: allowedEndpoints.map(l3EndpointToString),\n complementaryTo: \"allowedEndpoints\",\n },\n },\n})\n"]}
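--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@highstate/wireguard",
- "version": "0.9.15",
+ "version": "0.9.16",
  "type": "module",
  "files": [
  "dist"
@@ -22,19 +22,19 @@
  "update-images": "../../scripts/update-images.sh ./assets/images.json"
  },
  "dependencies": {
- "@highstate/common": "^0.9.15",
- "@highstate/contract": "^0.9.15",
- "@highstate/k8s": "^0.9.15",
- "@highstate/library": "^0.9.15",
- "@highstate/pulumi": "^0.9.15",
+ "@highstate/common": "^0.9.16",
+ "@highstate/contract": "^0.9.16",
+ "@highstate/k8s": "^0.9.16",
+ "@highstate/library": "^0.9.16",
+ "@highstate/pulumi": "^0.9.16",
  "@noble/curves": "^1.8.0",
  "@pulumi/kubernetes": "^4.18.0",
  "deepmerge-ts": "^7.1.5",
  "zip-stream": "^7.0.2"
  },
  "devDependencies": {
- "@highstate/cli": "^0.9.15",
+ "@highstate/cli": "^0.9.16",
  "@types/zip-stream": "^7.0.0"
  },
- "gitHead": "f61b9905d4cd50511b03331411f42595403ebc06"
+ "gitHead": "458d6f1f9f6d4aec0ba75a2b2c4c01408cb9c8df"
  }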
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/shared.ts","../../../node_modules/@noble/hashes/src/cryptoNode.ts","../../../node_modules/@noble/hashes/src/utils.ts","../../../node_modules/remeda/dist/chunk-ANXBDSUI.js","../../../node_modules/remeda/dist/chunk-3GOCSNFN.js","../../../node_modules/remeda/dist/chunk-LFJW7BOT.js","../../../node_modules/remeda/dist/chunk-7ZI6JRPB.js","../../../node_modules/remeda/dist/chunk-QJLMYOTX.js"],"sourcesContent":["import type { k8s, network, wireguard } from \"@highstate/library\"\nimport type { Input, Unwrap } from \"@highstate/pulumi\"\nimport {\n l34EndpointToString,\n l3EndpointToString,\n l3ToL4Endpoint,\n l4EndpointToString,\n parseL34Endpoint,\n parseL4Endpoint,\n} from \"@highstate/common\"\nimport { x25519 } from \"@noble/curves/ed25519\"\nimport { randomBytes } from \"@noble/hashes/utils\"\nimport { unique, uniqueBy } from \"remeda\"\nimport { getBestEndpoint } from \"@highstate/k8s\"\n\nexport function generateKey(): string {\n const key = x25519.utils.randomPrivateKey()\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function convertPrivateKeyToPublicKey(privateKey: string): string {\n const key = Buffer.from(privateKey, \"base64\")\n\n return Buffer.from(x25519.getPublicKey(key)).toString(\"base64\")\n}\n\nexport function generatePresharedKey(): string {\n const key = randomBytes(32)\n\n return Buffer.from(key).toString(\"base64\")\n}\n\nexport function combinePresharedKeyParts(part1: string, part2: string): string {\n const key1 = Buffer.from(part1, \"base64\")\n const key2 = Buffer.from(part2, \"base64\")\n const result = new Uint8Array(32)\n\n for (let i = 0; i < 32; i++) {\n result[i] = key1[i] ^ key2[i]\n }\n\n return Buffer.from(result).toString(\"base64\")\n}\n\nfunction generatePeerConfig(\n identity: wireguard.Identity,\n peer: wireguard.Peer,\n cluster?: k8s.Cluster,\n): string {\n const lines = [\n //\n \"[Peer]\",\n `# ${peer.name}`,\n `PublicKey = ${peer.publicKey}`,\n ]\n\n if (peer.allowedIps.length 
> 0) {\n lines.push(`AllowedIPs = ${peer.allowedIps.join(\", \")}`)\n }\n\n const bestEndpoint = getBestEndpoint(peer.endpoints, cluster)\n\n if (bestEndpoint) {\n lines.push(`Endpoint = ${l4EndpointToString(bestEndpoint)}`)\n }\n\n if (identity.peer.presharedKeyPart && peer.presharedKeyPart) {\n const presharedKey = combinePresharedKeyParts(\n identity.peer.presharedKeyPart,\n peer.presharedKeyPart,\n )\n\n lines.push(`PresharedKey = ${presharedKey}`)\n } else if (peer.presharedKey || identity.peer.presharedKey) {\n if (peer.presharedKey !== identity.peer.presharedKey) {\n throw new Error(\n `Preshared keys do not match for peers: ${peer.name} and ${identity.peer.name}`,\n )\n }\n\n lines.push(`PresharedKey = ${peer.presharedKey}`)\n }\n\n return lines.join(\"\\n\")\n}\n\nexport type IdentityConfigArgs = {\n identity: wireguard.Identity\n peers: wireguard.Peer[]\n listenPort?: number\n dns?: string[]\n postUp?: string[]\n preUp?: string[]\n preDown?: string[]\n postDown?: string[]\n defaultInterface?: string\n cluster?: k8s.Cluster\n}\n\nexport function generateIdentityConfig({\n identity,\n peers,\n listenPort = identity.peer.listenPort,\n dns = [],\n preUp = [],\n postUp = [],\n preDown = [],\n postDown = [],\n defaultInterface,\n cluster,\n}: IdentityConfigArgs): string {\n const allDns = unique(peers.flatMap(peer => peer.dns).concat(dns))\n const excludedIps = unique(peers.flatMap(peer => peer.excludedIps))\n\n const lines = [\n //\n \"[Interface]\",\n `# ${identity.peer.name}`,\n ]\n\n if (identity.peer.address) {\n lines.push(`Address = ${identity.peer.address}`)\n }\n\n lines.push(\n //\n `PrivateKey = ${identity.privateKey}`,\n \"MTU = 1280\",\n )\n\n if (allDns.length > 0) {\n lines.push(`DNS = ${allDns.join(\", \")}`)\n }\n\n if (listenPort) {\n lines.push(`ListenPort = ${listenPort}`)\n }\n\n if (preUp.length > 0) {\n lines.push()\n for (const command of preUp) {\n lines.push(`PreUp = ${command}`)\n }\n }\n\n if (postUp.length > 0) {\n lines.push()\n 
for (const command of postUp) {\n lines.push(`PostUp = ${command}`)\n }\n }\n\n if (preDown.length > 0) {\n lines.push()\n for (const command of preDown) {\n lines.push(`PreDown = ${command}`)\n }\n }\n\n if (postDown.length > 0) {\n lines.push()\n for (const command of postDown) {\n lines.push(`PostDown = ${command}`)\n }\n }\n\n if (defaultInterface) {\n lines.push()\n for (const excludedIp of excludedIps) {\n lines.push(`PostUp = ip route add ${excludedIp} dev ${defaultInterface}`)\n }\n }\n\n const otherPeers = peers.filter(peer => peer.name !== identity.peer.name)\n\n for (const peer of otherPeers) {\n lines.push(\"\")\n lines.push(generatePeerConfig(identity, peer, cluster))\n }\n\n return lines.join(\"\\n\")\n}\n\ntype SharedPeerInputs = {\n network?: Input<wireguard.Network>\n l3Endpoints: Input<network.L3Endpoint>[]\n l4Endpoints: Input<network.L4Endpoint>[]\n allowedL3Endpoints: Input<network.L3Endpoint>[]\n allowedL4Endpoints: Input<network.L4Endpoint>[]\n}\n\nexport function calculateEndpoints(\n { endpoints, listenPort }: Pick<wireguard.SharedPeerArgs, \"endpoints\" | \"listenPort\">,\n { l3Endpoints, l4Endpoints }: Pick<Unwrap<SharedPeerInputs>, \"l3Endpoints\" | \"l4Endpoints\">,\n): network.L4Endpoint[] {\n return uniqueBy(\n [\n ...l3Endpoints.map(e => l3ToL4Endpoint(e, listenPort ?? 
51820)),\n ...l4Endpoints,\n ...endpoints.map(parseL4Endpoint),\n ],\n endpoint => l4EndpointToString(endpoint),\n )\n}\n\nexport function calculateAllowedIps(\n { address, exitNode }: Pick<wireguard.SharedPeerArgs, \"address\" | \"exitNode\">,\n { network }: Unwrap<SharedPeerInputs>,\n allowedEndpoints: network.L34Endpoint[],\n): string[] {\n const result = new Set<string>()\n\n if (address) {\n result.add(address)\n }\n\n if (exitNode) {\n result.add(\"0.0.0.0/0\")\n\n if (network?.ipv6) {\n result.add(\"::/0\")\n }\n }\n\n for (const endpoint of allowedEndpoints) {\n if (endpoint.type !== \"hostname\") {\n result.add(l3EndpointToString(endpoint))\n }\n }\n\n return Array.from(result)\n}\n\nexport function calculateAllowedEndpoints(\n { allowedEndpoints }: Pick<wireguard.SharedPeerArgs, \"allowedEndpoints\">,\n {\n allowedL3Endpoints,\n allowedL4Endpoints,\n }: Pick<Unwrap<SharedPeerInputs>, \"allowedL3Endpoints\" | \"allowedL4Endpoints\">,\n): network.L34Endpoint[] {\n return uniqueBy(\n [\n //\n ...allowedL3Endpoints,\n ...allowedL4Endpoints,\n ...allowedEndpoints.map(parseL34Endpoint),\n ],\n endpoint => l34EndpointToString(endpoint),\n )\n}\n\nfunction calculateExcludedIps(\n { excludedIps, excludePrivateIps }: wireguard.SharedPeerArgs,\n { network }: Unwrap<SharedPeerInputs>,\n): string[] {\n const result = new Set<string>()\n\n for (const ip of excludedIps) {\n result.add(ip)\n }\n\n if (excludePrivateIps) {\n result.add(\"10.0.0.0/8\")\n result.add(\"172.16.0.0/12\")\n result.add(\"192.168.0.0/16\")\n\n if (network?.ipv6) {\n result.add(\"fc00::/7\")\n result.add(\"fe80::/10\")\n }\n }\n\n return Array.from(result)\n}\n\nexport function isExitNode(peer: wireguard.Peer): boolean {\n return peer.allowedIps.includes(\"0.0.0.0/0\") || peer.allowedIps.includes(\"::/0\")\n}\n\nexport function createPeerEntity(\n name: string,\n args: wireguard.SharedPeerArgs,\n inputs: Unwrap<SharedPeerInputs>,\n publicKey: string,\n presharedKeyPart?: string,\n): wireguard.Peer 
{\n const endpoints = calculateEndpoints(args, inputs)\n const allowedEndpoints = calculateAllowedEndpoints(args, inputs)\n const allowedIps = calculateAllowedIps(args, inputs, allowedEndpoints)\n const excludedIps = calculateExcludedIps(args, inputs)\n\n return {\n name: args.peerName ?? name,\n endpoints,\n allowedIps,\n allowedEndpoints,\n excludedIps,\n dns: args.dns,\n publicKey,\n address: args.address,\n network: inputs.network,\n presharedKeyPart,\n listenPort: args.listenPort,\n }\n}\n\nexport function shouldExpose(\n identity: wireguard.Identity,\n exposePolicy: wireguard.NodeExposePolicy,\n): boolean {\n if (exposePolicy === \"always\") {\n return true\n }\n\n if (exposePolicy === \"never\") {\n return false\n }\n\n return identity.peer.endpoints.length > 0\n}\n","/**\n * Internal webcrypto alias.\n * We prefer WebCrypto aka globalThis.crypto, which exists in node.js 16+.\n * Falls back to Node.js built-in crypto for Node.js <=v14.\n * See utils.ts for details.\n * @module\n */\n// @ts-ignore\nimport * as nc from 'node:crypto';\nexport const crypto: any =\n nc && typeof nc === 'object' && 'webcrypto' in nc\n ? (nc.webcrypto as any)\n : nc && typeof nc === 'object' && 'randomBytes' in nc\n ? nc\n : undefined;\n","/**\n * Utilities for hex, bytes, CSPRNG.\n * @module\n */\n/*! 
noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n\n// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.\n// node.js versions earlier than v19 don't declare it in global scope.\n// For node.js, package.json#exports field mapping rewrites import\n// from `crypto` to `cryptoNode`, which imports native module.\n// Makes the utils un-importable in browsers without a bundler.\n// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.\nimport { crypto } from '@noble/hashes/crypto';\nimport { abytes } from './_assert.js';\n// export { isBytes } from './_assert.js';\n// We can't reuse isBytes from _assert, because somehow this causes huge perf issues\nexport function isBytes(a: unknown): a is Uint8Array {\n return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');\n}\n\n// prettier-ignore\nexport type TypedArray = Int8Array | Uint8ClampedArray | Uint8Array |\n Uint16Array | Int16Array | Uint32Array | Int32Array;\n\n// Cast array to different type\nexport function u8(arr: TypedArray): Uint8Array {\n return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);\n}\nexport function u32(arr: TypedArray): Uint32Array {\n return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n}\n\n// Cast array to view\nexport function createView(arr: TypedArray): DataView {\n return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n}\n\n/** The rotate right (circular right shift) operation for uint32 */\nexport function rotr(word: number, shift: number): number {\n return (word << (32 - shift)) | (word >>> shift);\n}\n/** The rotate left (circular left shift) operation for uint32 */\nexport function rotl(word: number, shift: number): number {\n return (word << shift) | ((word >>> (32 - shift)) >>> 0);\n}\n\n/** Is current platform little-endian? Most are. 
Big-Endian platform: IBM */\nexport const isLE: boolean = /* @__PURE__ */ (() =>\n new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();\n// The byte swap operation for uint32\nexport function byteSwap(word: number): number {\n return (\n ((word << 24) & 0xff000000) |\n ((word << 8) & 0xff0000) |\n ((word >>> 8) & 0xff00) |\n ((word >>> 24) & 0xff)\n );\n}\n/** Conditionally byte swap if on a big-endian platform */\nexport const byteSwapIfBE: (n: number) => number = isLE\n ? (n: number) => n\n : (n: number) => byteSwap(n);\n\n/** In place byte swap for Uint32Array */\nexport function byteSwap32(arr: Uint32Array): void {\n for (let i = 0; i < arr.length; i++) {\n arr[i] = byteSwap(arr[i]);\n }\n}\n\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>\n i.toString(16).padStart(2, '0')\n);\n/**\n * Convert byte array to hex string.\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes: Uint8Array): string {\n abytes(bytes);\n // pre-caching improves the speed 6x\n let hex = '';\n for (let i = 0; i < bytes.length; i++) {\n hex += hexes[bytes[i]];\n }\n return hex;\n}\n\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 } as const;\nfunction asciiToBase16(ch: number): number | undefined {\n if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0; // '2' => 50-48\n if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10); // 'B' => 66-(65-10)\n if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10); // 'b' => 98-(97-10)\n return;\n}\n\n/**\n * Convert hex string to byte array.\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex: string): Uint8Array {\n if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);\n const hl = 
hex.length;\n const al = hl / 2;\n if (hl % 2) throw new Error('hex string expected, got unpadded hex of length ' + hl);\n const array = new Uint8Array(al);\n for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n const n1 = asciiToBase16(hex.charCodeAt(hi));\n const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n if (n1 === undefined || n2 === undefined) {\n const char = hex[hi] + hex[hi + 1];\n throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n }\n array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163\n }\n return array;\n}\n\n/**\n * There is no setImmediate in browser and setTimeout is slow.\n * Call of async fn will return Promise, which will be fullfiled only on\n * next scheduler queue processing step and this is exactly what we need.\n */\nexport const nextTick = async (): Promise<void> => {};\n\n/** Returns control to thread each 'tick' ms to avoid blocking. */\nexport async function asyncLoop(\n iters: number,\n tick: number,\n cb: (i: number) => void\n): Promise<void> {\n let ts = Date.now();\n for (let i = 0; i < iters; i++) {\n cb(i);\n // Date.now() is not monotonic, so in case if clock goes backwards we return return control too\n const diff = Date.now() - ts;\n if (diff >= 0 && diff < tick) continue;\n await nextTick();\n ts += diff;\n }\n}\n\n// Global symbols in both browsers and Node.js since v11\n// See https://github.com/microsoft/TypeScript/issues/31535\ndeclare const TextEncoder: any;\n\n/**\n * Convert JS string to byte array.\n * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])\n */\nexport function utf8ToBytes(str: string): Uint8Array {\n if (typeof str !== 'string') throw new Error('utf8ToBytes expected string, got ' + typeof str);\n return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n\n/** Accepted input of hash functions. Strings are converted to byte arrays. 
*/\nexport type Input = Uint8Array | string;\n/**\n * Normalizes (non-hex) string or Uint8Array to Uint8Array.\n * Warning: when Uint8Array is passed, it would NOT get copied.\n * Keep in mind for future mutable operations.\n */\nexport function toBytes(data: Input): Uint8Array {\n if (typeof data === 'string') data = utf8ToBytes(data);\n abytes(data);\n return data;\n}\n\n/**\n * Copies several Uint8Arrays into one.\n */\nexport function concatBytes(...arrays: Uint8Array[]): Uint8Array {\n let sum = 0;\n for (let i = 0; i < arrays.length; i++) {\n const a = arrays[i];\n abytes(a);\n sum += a.length;\n }\n const res = new Uint8Array(sum);\n for (let i = 0, pad = 0; i < arrays.length; i++) {\n const a = arrays[i];\n res.set(a, pad);\n pad += a.length;\n }\n return res;\n}\n\n/** For runtime check if class implements interface */\nexport abstract class Hash<T extends Hash<T>> {\n abstract blockLen: number; // Bytes per block\n abstract outputLen: number; // Bytes in output\n abstract update(buf: Input): this;\n // Writes digest into buf\n abstract digestInto(buf: Uint8Array): void;\n abstract digest(): Uint8Array;\n /**\n * Resets internal state. Makes Hash instance unusable.\n * Reset is impossible for keyed hashes if key is consumed into state. If digest is not consumed\n * by user, they will need to manually call `destroy()` when zeroing is necessary.\n */\n abstract destroy(): void;\n /**\n * Clones hash instance. Unsafe: doesn't check whether `to` is valid. 
Can be used as `clone()`\n * when no options are passed.\n * Reasons to use `_cloneInto` instead of clone: 1) performance 2) reuse instance => all internal\n * buffers are overwritten => causes buffer overwrite which is used for digest in some cases.\n * There are no guarantees for clean-up because it's impossible in JS.\n */\n abstract _cloneInto(to?: T): T;\n // Safe version that clones internal state\n clone(): T {\n return this._cloneInto();\n }\n}\n\n/**\n * XOF: streaming API to read digest in chunks.\n * Same as 'squeeze' in keccak/k12 and 'seek' in blake3, but more generic name.\n * When hash used in XOF mode it is up to user to call '.destroy' afterwards, since we cannot\n * destroy state, next call can require more bytes.\n */\nexport type HashXOF<T extends Hash<T>> = Hash<T> & {\n xof(bytes: number): Uint8Array; // Read 'bytes' bytes from digest stream\n xofInto(buf: Uint8Array): Uint8Array; // read buf.length bytes from digest stream into buf\n};\n\ntype EmptyObj = {};\nexport function checkOpts<T1 extends EmptyObj, T2 extends EmptyObj>(\n defaults: T1,\n opts?: T2\n): T1 & T2 {\n if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')\n throw new Error('Options should be object or undefined');\n const merged = Object.assign(defaults, opts);\n return merged as T1 & T2;\n}\n\n/** Hash function */\nexport type CHash = ReturnType<typeof wrapConstructor>;\n/** Hash function with output */\nexport type CHashO = ReturnType<typeof wrapConstructorWithOpts>;\n/** XOF with output */\nexport type CHashXO = ReturnType<typeof wrapXOFConstructorWithOpts>;\n\n/** Wraps hash function, creating an interface on top of it */\nexport function wrapConstructor<T extends Hash<T>>(\n hashCons: () => Hash<T>\n): {\n (msg: Input): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(): Hash<T>;\n} {\n const hashC = (msg: Input): Uint8Array => hashCons().update(toBytes(msg)).digest();\n const tmp = hashCons();\n hashC.outputLen = tmp.outputLen;\n 
hashC.blockLen = tmp.blockLen;\n hashC.create = () => hashCons();\n return hashC;\n}\n\nexport function wrapConstructorWithOpts<H extends Hash<H>, T extends Object>(\n hashCons: (opts?: T) => Hash<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts: T): Hash<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts: T) => hashCons(opts);\n return hashC;\n}\n\nexport function wrapXOFConstructorWithOpts<H extends HashXOF<H>, T extends Object>(\n hashCons: (opts?: T) => HashXOF<H>\n): {\n (msg: Input, opts?: T): Uint8Array;\n outputLen: number;\n blockLen: number;\n create(opts: T): HashXOF<H>;\n} {\n const hashC = (msg: Input, opts?: T): Uint8Array => hashCons(opts).update(toBytes(msg)).digest();\n const tmp = hashCons({} as T);\n hashC.outputLen = tmp.outputLen;\n hashC.blockLen = tmp.blockLen;\n hashC.create = (opts: T) => hashCons(opts);\n return hashC;\n}\n\n/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. 
*/\nexport function randomBytes(bytesLength = 32): Uint8Array {\n if (crypto && typeof crypto.getRandomValues === 'function') {\n return crypto.getRandomValues(new Uint8Array(bytesLength));\n }\n // Legacy Node.js compatibility\n if (crypto && typeof crypto.randomBytes === 'function') {\n return crypto.randomBytes(bytesLength);\n }\n throw new Error('crypto.getRandomValues must be defined');\n}\n","var e={done:!0,hasNext:!1},s={done:!1,hasNext:!1},a=()=>e,o=t=>({hasNext:!0,next:t,done:!1});export{s as a,a as b,o as c};\n","import{a as A}from\"./chunk-ANXBDSUI.js\";function C(t,...o){let n=t,u=o.map(e=>\"lazy\"in e?y(e):void 0),p=0;for(;p<o.length;){if(u[p]===void 0||!B(n)){let i=o[p];n=i(n),p+=1;continue}let r=[];for(let i=p;i<o.length;i++){let l=u[i];if(l===void 0||(r.push(l),l.isSingle))break}let a=[];for(let i of n)if(f(i,a,r))break;let{isSingle:s}=r.at(-1);n=s?a[0]:a,p+=r.length}return n}function f(t,o,n){if(n.length===0)return o.push(t),!1;let u=t,p=A,e=!1;for(let[r,a]of n.entries()){let{index:s,items:i}=a;if(i.push(u),p=a(u,s,i),a.index+=1,p.hasNext){if(p.hasMany??!1){for(let l of p.next)if(f(l,o,n.slice(r+1)))return!0;return e}u=p.next}if(!p.hasNext)break;p.done&&(e=!0)}return p.hasNext&&o.push(u),e}function y(t){let{lazy:o,lazyArgs:n}=t,u=o(...n);return Object.assign(u,{isSingle:o.single??!1,index:0,items:[]})}function B(t){return typeof t==\"string\"||typeof t==\"object\"&&t!==null&&Symbol.iterator in t}export{C as a};\n","import{a as o}from\"./chunk-3GOCSNFN.js\";function y(t,i){let a=i.length-t.length;if(a===1){let[n,...r]=i;return o(n,{lazy:t,lazyArgs:r})}if(a===0){let n={lazy:t,lazyArgs:i};return Object.assign(e=>o(e,n),n)}throw new Error(\"Wrong number of arguments\")}export{y as a};\n","import{a as o}from\"./chunk-LFJW7BOT.js\";import{a}from\"./chunk-ANXBDSUI.js\";function T(...e){return o(y,e)}function y(e){let u=e,n=new Set;return(t,i,d)=>{let r=u(t,i,d);return n.has(r)?a:(n.add(r),{done:!1,hasNext:!0,next:t})}}export{T as a};\n","import{a as 
r}from\"./chunk-LFJW7BOT.js\";import{a as n}from\"./chunk-ANXBDSUI.js\";function i(...e){return r(a,e)}function a(){let e=new Set;return t=>e.has(t)?n:(e.add(t),{done:!1,hasNext:!0,next:t})}export{i as a};\n"],"mappings":";AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,cAAc;;;ACFvB,YAAY,QAAQ;AACb,IAAM,SACX,MAAM,OAAO,OAAO,YAAY,eAAe,KACvC,eACJ,MAAM,OAAO,OAAO,YAAY,iBAAiB,KAC/C,KACA;;;ACyRF,SAAU,YAAY,cAAc,IAAE;AAC1C,MAAI,UAAU,OAAO,OAAO,oBAAoB,YAAY;AAC1D,WAAO,OAAO,gBAAgB,IAAI,WAAW,WAAW,CAAC;EAC3D;AAEA,MAAI,UAAU,OAAO,OAAO,gBAAgB,YAAY;AACtD,WAAO,OAAO,YAAY,WAAW;EACvC;AACA,QAAM,IAAI,MAAM,wCAAwC;AAC1D;;;AChTA,IAA2B,IAAE,EAAC,MAAK,OAAG,SAAQ,MAAE;;;ACAR,SAAS,EAAE,MAAK,GAAE;AAAC,MAAI,IAAE,GAAE,IAAE,EAAE,IAAI,OAAG,UAAS,IAAE,EAAE,CAAC,IAAE,MAAM,GAAE,IAAE;AAAE,SAAK,IAAE,EAAE,UAAQ;AAAC,QAAG,EAAE,CAAC,MAAI,UAAQ,CAAC,EAAE,CAAC,GAAE;AAAC,UAAIA,KAAE,EAAE,CAAC;AAAE,UAAEA,GAAE,CAAC,GAAE,KAAG;AAAE;AAAA,IAAQ;AAAC,QAAI,IAAE,CAAC;AAAE,aAAQA,KAAE,GAAEA,KAAE,EAAE,QAAOA,MAAI;AAAC,UAAI,IAAE,EAAEA,EAAC;AAAE,UAAG,MAAI,WAAS,EAAE,KAAK,CAAC,GAAE,EAAE,UAAU;AAAA,IAAK;AAAC,QAAIC,KAAE,CAAC;AAAE,aAAQD,MAAK,EAAE,KAAG,EAAEA,IAAEC,IAAE,CAAC,EAAE;AAAM,QAAG,EAAC,UAASC,GAAC,IAAE,EAAE,GAAG,EAAE;AAAE,QAAEA,KAAED,GAAE,CAAC,IAAEA,IAAE,KAAG,EAAE;AAAA,EAAM;AAAC,SAAO;AAAC;AAAC,SAAS,EAAE,GAAE,GAAE,GAAE;AAAC,MAAG,EAAE,WAAS,EAAE,QAAO,EAAE,KAAK,CAAC,GAAE;AAAG,MAAI,IAAE,GAAE,IAAE,GAAE,IAAE;AAAG,WAAO,CAAC,GAAEA,EAAC,KAAI,EAAE,QAAQ,GAAE;AAAC,QAAG,EAAC,OAAMC,IAAE,OAAMF,GAAC,IAAEC;AAAE,QAAGD,GAAE,KAAK,CAAC,GAAE,IAAEC,GAAE,GAAEC,IAAEF,EAAC,GAAEC,GAAE,SAAO,GAAE,EAAE,SAAQ;AAAC,UAAG,EAAE,WAAS,OAAG;AAAC,iBAAQ,KAAK,EAAE,KAAK,KAAG,EAAE,GAAE,GAAE,EAAE,MAAM,IAAE,CAAC,CAAC,EAAE,QAAM;AAAG,eAAO;AAAA,MAAC;AAAC,UAAE,EAAE;AAAA,IAAI;AAAC,QAAG,CAAC,EAAE,QAAQ;AAAM,MAAE,SAAO,IAAE;AAAA,EAAG;AAAC,SAAO,EAAE,WAAS,EAAE,KAAK,CAAC,GAAE;AAAC;AAAC,SAAS,EAAE,GAAE;AAAC,MAAG,EAAC,MAAK,GAAE,UAAS,EAAC,IAAE,GAAE,IAAE,EAAE,GAAG,CAAC;AAAE,SAAO,OAAO,OAAO,GAAE,EAAC,UAAS,EAAE,UAAQ,OAAG,OAAM,GAAE,OAAM,CAAC,EAAC,CAAC;AAAC;AAAC,SAA
S,EAAE,GAAE;AAAC,SAAO,OAAO,KAAG,YAAU,OAAO,KAAG,YAAU,MAAI,QAAM,OAAO,YAAY;AAAC;;;ACA11B,SAASE,GAAE,GAAEC,IAAE;AAAC,MAAIC,KAAED,GAAE,SAAO,EAAE;AAAO,MAAGC,OAAI,GAAE;AAAC,QAAG,CAAC,GAAE,GAAG,CAAC,IAAED;AAAE,WAAO,EAAE,GAAE,EAAC,MAAK,GAAE,UAAS,EAAC,CAAC;AAAA,EAAC;AAAC,MAAGC,OAAI,GAAE;AAAC,QAAI,IAAE,EAAC,MAAK,GAAE,UAASD,GAAC;AAAE,WAAO,OAAO,OAAO,OAAG,EAAE,GAAE,CAAC,GAAE,CAAC;AAAA,EAAC;AAAC,QAAM,IAAI,MAAM,2BAA2B;AAAC;;;ACA/K,SAAS,KAAK,GAAE;AAAC,SAAOE,GAAEA,IAAE,CAAC;AAAC;AAAC,SAASA,GAAE,GAAE;AAAC,MAAI,IAAE,GAAE,IAAE,oBAAI;AAAI,SAAM,CAAC,GAAEC,IAAE,MAAI;AAAC,QAAI,IAAE,EAAE,GAAEA,IAAE,CAAC;AAAE,WAAO,EAAE,IAAI,CAAC,IAAE,KAAG,EAAE,IAAI,CAAC,GAAE,EAAC,MAAK,OAAG,SAAQ,MAAG,MAAK,EAAC;AAAA,EAAE;AAAC;;;ACAlJ,SAAS,KAAK,GAAE;AAAC,SAAOC,GAAE,GAAE,CAAC;AAAC;AAAC,SAAS,IAAG;AAAC,MAAI,IAAE,oBAAI;AAAI,SAAO,OAAG,EAAE,IAAI,CAAC,IAAE,KAAG,EAAE,IAAI,CAAC,GAAE,EAAC,MAAK,OAAG,SAAQ,MAAG,MAAK,EAAC;AAAE;;;AParM,SAAS,uBAAuB;AAEzB,SAAS,cAAsB;AACpC,QAAM,MAAM,OAAO,MAAM,iBAAiB;AAE1C,SAAO,OAAO,KAAK,GAAG,EAAE,SAAS,QAAQ;AAC3C;AAEO,SAAS,6BAA6B,YAA4B;AACvE,QAAM,MAAM,OAAO,KAAK,YAAY,QAAQ;AAE5C,SAAO,OAAO,KAAK,OAAO,aAAa,GAAG,CAAC,EAAE,SAAS,QAAQ;AAChE;AAEO,SAAS,uBAA+B;AAC7C,QAAM,MAAM,YAAY,EAAE;AAE1B,SAAO,OAAO,KAAK,GAAG,EAAE,SAAS,QAAQ;AAC3C;AAEO,SAAS,yBAAyB,OAAe,OAAuB;AAC7E,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ;AACxC,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ;AACxC,QAAM,SAAS,IAAI,WAAW,EAAE;AAEhC,WAASC,KAAI,GAAGA,KAAI,IAAIA,MAAK;AAC3B,WAAOA,EAAC,IAAI,KAAKA,EAAC,IAAI,KAAKA,EAAC;AAAA,EAC9B;AAEA,SAAO,OAAO,KAAK,MAAM,EAAE,SAAS,QAAQ;AAC9C;AAEA,SAAS,mBACP,UACA,MACA,SACQ;AACR,QAAM,QAAQ;AAAA;AAAA,IAEZ;AAAA,IACA,KAAK,KAAK,IAAI;AAAA,IACd,eAAe,KAAK,SAAS;AAAA,EAC/B;AAEA,MAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,UAAM,KAAK,gBAAgB,KAAK,WAAW,KAAK,IAAI,CAAC,EAAE;AAAA,EACzD;AAEA,QAAM,eAAe,gBAAgB,KAAK,WAAW,OAAO;AAE5D,MAAI,cAAc;AAChB,UAAM,KAAK,cAAc,mBAAmB,YAAY,CAAC,EAAE;AAAA,EAC7D;AAEA,MAAI,SAAS,KAAK,oBAAoB,KAAK,kBAAkB;AAC3D,UAAM,eAAe;AAAA,MACnB,SAAS,KAAK;AAAA,MACd,KAAK;AAAA,IACP;AAEA,UAAM,KAAK,kBAAkB,YAAY,EAAE;AAAA,EAC7C,WAAW,KAAK,gBAAgB,SAAS,KAAK,cAAc;AAC1D,QAAI,KAAK,i
BAAiB,SAAS,KAAK,cAAc;AACpD,YAAM,IAAI;AAAA,QACR,0CAA0C,KAAK,IAAI,QAAQ,SAAS,KAAK,IAAI;AAAA,MAC/E;AAAA,IACF;AAEA,UAAM,KAAK,kBAAkB,KAAK,YAAY,EAAE;AAAA,EAClD;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAeO,SAAS,uBAAuB;AAAA,EACrC;AAAA,EACA;AAAA,EACA,aAAa,SAAS,KAAK;AAAA,EAC3B,MAAM,CAAC;AAAA,EACP,QAAQ,CAAC;AAAA,EACT,SAAS,CAAC;AAAA,EACV,UAAU,CAAC;AAAA,EACX,WAAW,CAAC;AAAA,EACZ;AAAA,EACA;AACF,GAA+B;AAC7B,QAAM,SAAS,EAAO,MAAM,QAAQ,UAAQ,KAAK,GAAG,EAAE,OAAO,GAAG,CAAC;AACjE,QAAM,cAAc,EAAO,MAAM,QAAQ,UAAQ,KAAK,WAAW,CAAC;AAElE,QAAM,QAAQ;AAAA;AAAA,IAEZ;AAAA,IACA,KAAK,SAAS,KAAK,IAAI;AAAA,EACzB;AAEA,MAAI,SAAS,KAAK,SAAS;AACzB,UAAM,KAAK,aAAa,SAAS,KAAK,OAAO,EAAE;AAAA,EACjD;AAEA,QAAM;AAAA;AAAA,IAEJ,gBAAgB,SAAS,UAAU;AAAA,IACnC;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,GAAG;AACrB,UAAM,KAAK,SAAS,OAAO,KAAK,IAAI,CAAC,EAAE;AAAA,EACzC;AAEA,MAAI,YAAY;AACd,UAAM,KAAK,gBAAgB,UAAU,EAAE;AAAA,EACzC;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,UAAM,KAAK;AACX,eAAW,WAAW,OAAO;AAC3B,YAAM,KAAK,WAAW,OAAO,EAAE;AAAA,IACjC;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,GAAG;AACrB,UAAM,KAAK;AACX,eAAW,WAAW,QAAQ;AAC5B,YAAM,KAAK,YAAY,OAAO,EAAE;AAAA,IAClC;AAAA,EACF;AAEA,MAAI,QAAQ,SAAS,GAAG;AACtB,UAAM,KAAK;AACX,eAAW,WAAW,SAAS;AAC7B,YAAM,KAAK,aAAa,OAAO,EAAE;AAAA,IACnC;AAAA,EACF;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,UAAM,KAAK;AACX,eAAW,WAAW,UAAU;AAC9B,YAAM,KAAK,cAAc,OAAO,EAAE;AAAA,IACpC;AAAA,EACF;AAEA,MAAI,kBAAkB;AACpB,UAAM,KAAK;AACX,eAAW,cAAc,aAAa;AACpC,YAAM,KAAK,yBAAyB,UAAU,QAAQ,gBAAgB,EAAE;AAAA,IAC1E;AAAA,EACF;AAEA,QAAM,aAAa,MAAM,OAAO,UAAQ,KAAK,SAAS,SAAS,KAAK,IAAI;AAExE,aAAW,QAAQ,YAAY;AAC7B,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,mBAAmB,UAAU,MAAM,OAAO,CAAC;AAAA,EACxD;AAEA,SAAO,MAAM,KAAK,IAAI;AACxB;AAUO,SAAS,mBACd,EAAE,WAAW,WAAW,GACxB,EAAE,aAAa,YAAY,GACL;AACtB,SAAO;AAAA,IACL;AAAA,MACE,GAAG,YAAY,IAAI,OAAK,eAAe,GAAG,cAAc,KAAK,CAAC;AAAA,MAC9D,GAAG;AAAA,MACH,GAAG,UAAU,IAAI,eAAe;AAAA,IAClC;AAAA,IACA,cAAY,mBAAmB,QAAQ;AAAA,EACzC;AACF;AAEO,SAAS,oBACd,EAAE,SAAS,SAAS,GACpB,EAAE,QAAQ,GACV,kBACU;AACV,QAAM,SAAS,oBAAI,IAAY;AAE/B,MAAI,SAAS;AACX,WAAO,IAAI,OAAO;AAAA,EACpB;AAEA,MAAI,UAAU;AACZ,WAAO,IAAI,WAAW;A
AEtB,QAAI,SAAS,MAAM;AACjB,aAAO,IAAI,MAAM;AAAA,IACnB;AAAA,EACF;AAEA,aAAW,YAAY,kBAAkB;AACvC,QAAI,SAAS,SAAS,YAAY;AAChC,aAAO,IAAI,mBAAmB,QAAQ,CAAC;AAAA,IACzC;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,MAAM;AAC1B;AAEO,SAAS,0BACd,EAAE,iBAAiB,GACnB;AAAA,EACE;AAAA,EACA;AACF,GACuB;AACvB,SAAO;AAAA,IACL;AAAA;AAAA,MAEE,GAAG;AAAA,MACH,GAAG;AAAA,MACH,GAAG,iBAAiB,IAAI,gBAAgB;AAAA,IAC1C;AAAA,IACA,cAAY,oBAAoB,QAAQ;AAAA,EAC1C;AACF;AAEA,SAAS,qBACP,EAAE,aAAa,kBAAkB,GACjC,EAAE,QAAQ,GACA;AACV,QAAM,SAAS,oBAAI,IAAY;AAE/B,aAAW,MAAM,aAAa;AAC5B,WAAO,IAAI,EAAE;AAAA,EACf;AAEA,MAAI,mBAAmB;AACrB,WAAO,IAAI,YAAY;AACvB,WAAO,IAAI,eAAe;AAC1B,WAAO,IAAI,gBAAgB;AAE3B,QAAI,SAAS,MAAM;AACjB,aAAO,IAAI,UAAU;AACrB,aAAO,IAAI,WAAW;AAAA,IACxB;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,MAAM;AAC1B;AAEO,SAAS,WAAW,MAA+B;AACxD,SAAO,KAAK,WAAW,SAAS,WAAW,KAAK,KAAK,WAAW,SAAS,MAAM;AACjF;AAEO,SAAS,iBACd,MACA,MACA,QACA,WACA,kBACgB;AAChB,QAAM,YAAY,mBAAmB,MAAM,MAAM;AACjD,QAAM,mBAAmB,0BAA0B,MAAM,MAAM;AAC/D,QAAM,aAAa,oBAAoB,MAAM,QAAQ,gBAAgB;AACrE,QAAM,cAAc,qBAAqB,MAAM,MAAM;AAErD,SAAO;AAAA,IACL,MAAM,KAAK,YAAY;AAAA,IACvB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,KAAK,KAAK;AAAA,IACV;AAAA,IACA,SAAS,KAAK;AAAA,IACd,SAAS,OAAO;AAAA,IAChB;AAAA,IACA,YAAY,KAAK;AAAA,EACnB;AACF;AAEO,SAAS,aACd,UACA,cACS;AACT,MAAI,iBAAiB,UAAU;AAC7B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,SAAS;AAC5B,WAAO;AAAA,EACT;AAEA,SAAO,SAAS,KAAK,UAAU,SAAS;AAC1C;","names":["i","a","s","y","i","a","y","i","y","i"]}