WIP: more proper logging

2025-01-09 15:01:03 -08:00
76 changed files with 625 additions and 2820 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -1,10 +0,0 @@
 [*]
 charset = utf-8
 insert_final_newline = true
 end_of_line = lf
 indent_style = tab
 indent_size = 2
 max_line_length = 100
 quote_type = single
 trim_trailing_whitespace = true
--- a/.env.example
+++ b/.env.example
@ -1,17 +1,7 @@
 DATABASE_URL=file:local.db
-
+AUTH_DOMAIN=auth.lab.cazzzer.com
-PUBLIC_AUTH_AUTHENTIK_ENABLE=1
+AUTH_CLIENT_ID=
-AUTH_AUTHENTIK_REQUIRE_INVITE=0
+AUTH_CLIENT_SECRET=
 AUTH_AUTHENTIK_DOMAIN=auth.lab.cazzzer.com
 AUTH_AUTHENTIK_CLIENT_ID=
 AUTH_AUTHENTIK_CLIENT_SECRET=
 PUBLIC_AUTH_GOOGLE_ENABLE=1
 AUTH_GOOGLE_REQUIRE_INVITE=1
 AUTH_GOOGLE_CLIENT_ID=
 AUTH_GOOGLE_CLIENT_SECRET=
 AUTH_INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW
 OPNSENSE_API_URL=https://opnsense.cazzzer.com
 OPNSENSE_API_KEY=
--- a/.idea/bun.xml
+++ b/.idea/bun.xml
@ -1,6 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
  <component name="BunSettings">
    <option name="bunPath" value="bun" />
  </component>
 </project>
--- a/.idea/modules.xml
+++ b/.idea/modules.xml
@ -2,7 +2,7 @@
 <project version="4">
  <component name="ProjectModuleManager">
    <modules>
-      <module fileurl="file://$PROJECT_DIR$/.idea/vpgen.iml" filepath="$PROJECT_DIR$/.idea/vpgen.iml" />
+      <module fileurl="file://$PROJECT_DIR$/.idea/vpgen-sv5.iml" filepath="$PROJECT_DIR$/.idea/vpgen-sv5.iml" />
    </modules>
  </component>
 </project>
--- a/.idea/vpgen-sv5.iml
+++ b/.idea/vpgen-sv5.iml
--- a/.npmrc
+++ b/.npmrc
@ -1,2 +1 @@
 engine-strict=true
@jsr:registry=https://npm.jsr.io
--- a/.woodpecker/build-image.yml
+++ b/.woodpecker/build-image.yml
@ -1,15 +0,0 @@
 when:
  - event: [push]
 steps:
  - name: build
    image: woodpeckerci/plugin-kaniko
    settings:
      registry: gitea.cazzzer.com
      repo: ${CI_REPO,,}
      # replace '/' in branch name
      tags: ${CI_COMMIT_BRANCH/\//-}
      cache: true
      username:
        from_secret: registry-username
      password:
        from_secret: registry-password
--- a/.zed/settings.json
+++ b/.zed/settings.json
@ -1,7 +0,0 @@
 // Folder-specific settings
 //
 // For a full list of overridable settings, and general information on folder-specific settings,
 // see the documentation: https://zed.dev/docs/configuring-zed#settings-files
 {
 	"formatter": "prettier"
 }
--- a/8
+++ b/8
@ -2,19 +2,19 @@
 # see all versions at https://hub.docker.com/r/oven/bun/tags
 FROM oven/bun:1-alpine AS base
 WORKDIR /app
-COPY package.json bun.lock /app/
+COPY package.json bun.lockb /app/
 # install dependencies into temp directory
 # this will cache them and speed up future builds
 FROM base AS install
 RUN mkdir -p /temp/dev
-COPY package.json bun.lock /temp/dev/
+COPY package.json bun.lockb /temp/dev/
 RUN cd /temp/dev && bun install --frozen-lockfile
 # install with --production (exclude devDependencies)
 RUN mkdir -p /temp/prod
-COPY package.json bun.lock /temp/prod/
+COPY package.json bun.lockb /temp/prod/
-RUN cd /temp/prod && bun install --frozen-lockfile --production --ignore-scripts
+RUN cd /temp/prod && bun install --frozen-lockfile --production
 # copy node_modules from temp directory
 # then copy all (non-ignored) project files into the image
--- a/README.md
+++ b/README.md
@ -1,29 +1,40 @@
-# VPGen
+# sv
-One-click WireGuard config generator, work in progress.
+Everything you need to build a Svelte project, powered by [`sv`](https://github.com/sveltejs/cli).
-## Why?
+## Creating a project
-Make it easier to share VPN access with friends/family,
+If you're seeing this, you've probably already done this step. Congrats!
 making use of existing networking infrastructure.
-## How?
+```bash
 # create a new project in the current directory
 npx sv create
-Currently, the supported backend is [OPNsense](https://opnsense.org/).
+# create a new project in my-app
-VPGen just creates WireGuard clients on the configured interface via the OPNsense API.
+npx sv create my-app
 Future plans include supporting other API backends (e.g. [Netmaker](https://github.com/gravitl/netmaker))
 and [wg-quick](https://www.wireguard.com/quickstart/) for standalone setups.
 ## Development
 Development uses bun.
 An additional prepare step is needed to set up typia for type validation.
 For example .env settings, see [.env.example](.env.example)
 ```shell
 bun install
 bun run prepare
 bun run dev
 ```
 ## Developing
 Once you've created a project and installed dependencies with `npm install` (or `pnpm install` or `yarn`), start a development server:
 ```bash
 npm run dev
 # or start the server and open the app in a new browser tab
 npm run dev -- --open
 ```
 ## Building
 To create a production version of your app:
 ```bash
 npm run build
 ```
 You can preview the production build with `npm run preview`.
 > To deploy your app, you may need to install an [adapter](https://svelte.dev/docs/kit/adapters) for your target environment.
 When deploying, set `ORIGIN` to the URL of your site to prevent cross-site request errors.
--- a/bruno/opnsense-api/Delete
+++ b/bruno/opnsense-api/Delete
@ -1,25 +0,0 @@
 meta {
  name: Delete Client
  type: http
  seq: 11
 }
 post {
  url: {{base}}/api/wireguard/client/delClient/:clientUuid
  body: none
  auth: inherit
 }
 params:path {
  clientUuid: d484d381-4d6f-4444-8e9d-9cda7b5b2243
 }
 body:json {
  {
    "current": 1,
    "rowCount": 7,
    "sort": {},
    "servers": ["{{serverUuid}}"],
    "searchPhrase": "{{searchPhrase}}"
  }
 }
--- a/bun.lock
+++ b/bun.lock
--- a/bun.lockb
+++ b/bun.lockb
--- a/bunfig.toml
+++ b/bunfig.toml
@ -0,0 +1 @@
 logLevel = "info"
--- a/drizzle/0001_equal_unicorn.sql
+++ b/drizzle/0001_equal_unicorn.sql
@ -1 +0,0 @@
 ALTER TABLE `users` ADD `auth_source` text DEFAULT 'authentik' NOT NULL;
--- a/drizzle/0002_minor_black_panther.sql
+++ b/drizzle/0002_minor_black_panther.sql
@ -1 +0,0 @@
 ALTER TABLE `devices` DROP COLUMN `opnsense_id`;
--- a/drizzle/meta/0001_snapshot.json
+++ b/drizzle/meta/0001_snapshot.json
@ -1,229 +0,0 @@
 {
  "version": "6",
  "dialect": "sqlite",
  "id": "cc1fa973-1e9c-4bd6-b082-d7cf36f7342c",
  "prevId": "48b7ce55-58f1-4b97-a144-ca733576dba6",
  "tables": {
    "devices": {
      "name": "devices",
      "columns": {
        "id": {
          "name": "id",
          "type": "integer",
          "primaryKey": true,
          "notNull": true,
          "autoincrement": true
        },
        "user_id": {
          "name": "user_id",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "name": {
          "name": "name",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "opnsense_id": {
          "name": "opnsense_id",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        },
        "public_key": {
          "name": "public_key",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "private_key": {
          "name": "private_key",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        },
        "pre_shared_key": {
          "name": "pre_shared_key",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        }
      },
      "indexes": {
        "devices_public_key_unique": {
          "name": "devices_public_key_unique",
          "columns": [
            "public_key"
          ],
          "isUnique": true
        }
      },
      "foreignKeys": {
        "devices_user_id_users_id_fk": {
          "name": "devices_user_id_users_id_fk",
          "tableFrom": "devices",
          "tableTo": "users",
          "columnsFrom": [
            "user_id"
          ],
          "columnsTo": [
            "id"
          ],
          "onDelete": "no action",
          "onUpdate": "no action"
        }
      },
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "checkConstraints": {}
    },
    "ip_allocations": {
      "name": "ip_allocations",
      "columns": {
        "id": {
          "name": "id",
          "type": "integer",
          "primaryKey": true,
          "notNull": true,
          "autoincrement": true
        },
        "device_id": {
          "name": "device_id",
          "type": "integer",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        }
      },
      "indexes": {
        "ip_allocations_device_id_unique": {
          "name": "ip_allocations_device_id_unique",
          "columns": [
            "device_id"
          ],
          "isUnique": true
        }
      },
      "foreignKeys": {
        "ip_allocations_device_id_devices_id_fk": {
          "name": "ip_allocations_device_id_devices_id_fk",
          "tableFrom": "ip_allocations",
          "tableTo": "devices",
          "columnsFrom": [
            "device_id"
          ],
          "columnsTo": [
            "id"
          ],
          "onDelete": "set null",
          "onUpdate": "no action"
        }
      },
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "checkConstraints": {}
    },
    "sessions": {
      "name": "sessions",
      "columns": {
        "id": {
          "name": "id",
          "type": "text",
          "primaryKey": true,
          "notNull": true,
          "autoincrement": false
        },
        "user_id": {
          "name": "user_id",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "expires_at": {
          "name": "expires_at",
          "type": "integer",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        }
      },
      "indexes": {},
      "foreignKeys": {
        "sessions_user_id_users_id_fk": {
          "name": "sessions_user_id_users_id_fk",
          "tableFrom": "sessions",
          "tableTo": "users",
          "columnsFrom": [
            "user_id"
          ],
          "columnsTo": [
            "id"
          ],
          "onDelete": "no action",
          "onUpdate": "no action"
        }
      },
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "checkConstraints": {}
    },
    "users": {
      "name": "users",
      "columns": {
        "id": {
          "name": "id",
          "type": "text",
          "primaryKey": true,
          "notNull": true,
          "autoincrement": false
        },
        "auth_source": {
          "name": "auth_source",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false,
          "default": "'authentik'"
        },
        "username": {
          "name": "username",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "name": {
          "name": "name",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        }
      },
      "indexes": {},
      "foreignKeys": {},
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "checkConstraints": {}
    }
  },
  "views": {},
  "enums": {},
  "_meta": {
    "schemas": {},
    "tables": {},
    "columns": {}
  },
  "internal": {
    "indexes": {}
  }
 }
--- a/drizzle/meta/0002_snapshot.json
+++ b/drizzle/meta/0002_snapshot.json
@ -1,222 +0,0 @@
 {
  "version": "6",
  "dialect": "sqlite",
  "id": "0b364191-58d0-46a3-8372-4a30b0b88d85",
  "prevId": "cc1fa973-1e9c-4bd6-b082-d7cf36f7342c",
  "tables": {
    "devices": {
      "name": "devices",
      "columns": {
        "id": {
          "name": "id",
          "type": "integer",
          "primaryKey": true,
          "notNull": true,
          "autoincrement": true
        },
        "user_id": {
          "name": "user_id",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "name": {
          "name": "name",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "public_key": {
          "name": "public_key",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "private_key": {
          "name": "private_key",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        },
        "pre_shared_key": {
          "name": "pre_shared_key",
          "type": "text",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        }
      },
      "indexes": {
        "devices_public_key_unique": {
          "name": "devices_public_key_unique",
          "columns": [
            "public_key"
          ],
          "isUnique": true
        }
      },
      "foreignKeys": {
        "devices_user_id_users_id_fk": {
          "name": "devices_user_id_users_id_fk",
          "tableFrom": "devices",
          "tableTo": "users",
          "columnsFrom": [
            "user_id"
          ],
          "columnsTo": [
            "id"
          ],
          "onDelete": "no action",
          "onUpdate": "no action"
        }
      },
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "checkConstraints": {}
    },
    "ip_allocations": {
      "name": "ip_allocations",
      "columns": {
        "id": {
          "name": "id",
          "type": "integer",
          "primaryKey": true,
          "notNull": true,
          "autoincrement": true
        },
        "device_id": {
          "name": "device_id",
          "type": "integer",
          "primaryKey": false,
          "notNull": false,
          "autoincrement": false
        }
      },
      "indexes": {
        "ip_allocations_device_id_unique": {
          "name": "ip_allocations_device_id_unique",
          "columns": [
            "device_id"
          ],
          "isUnique": true
        }
      },
      "foreignKeys": {
        "ip_allocations_device_id_devices_id_fk": {
          "name": "ip_allocations_device_id_devices_id_fk",
          "tableFrom": "ip_allocations",
          "tableTo": "devices",
          "columnsFrom": [
            "device_id"
          ],
          "columnsTo": [
            "id"
          ],
          "onDelete": "set null",
          "onUpdate": "no action"
        }
      },
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "checkConstraints": {}
    },
    "sessions": {
      "name": "sessions",
      "columns": {
        "id": {
          "name": "id",
          "type": "text",
          "primaryKey": true,
          "notNull": true,
          "autoincrement": false
        },
        "user_id": {
          "name": "user_id",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "expires_at": {
          "name": "expires_at",
          "type": "integer",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        }
      },
      "indexes": {},
      "foreignKeys": {
        "sessions_user_id_users_id_fk": {
          "name": "sessions_user_id_users_id_fk",
          "tableFrom": "sessions",
          "tableTo": "users",
          "columnsFrom": [
            "user_id"
          ],
          "columnsTo": [
            "id"
          ],
          "onDelete": "no action",
          "onUpdate": "no action"
        }
      },
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "checkConstraints": {}
    },
    "users": {
      "name": "users",
      "columns": {
        "id": {
          "name": "id",
          "type": "text",
          "primaryKey": true,
          "notNull": true,
          "autoincrement": false
        },
        "auth_source": {
          "name": "auth_source",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false,
          "default": "'authentik'"
        },
        "username": {
          "name": "username",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        },
        "name": {
          "name": "name",
          "type": "text",
          "primaryKey": false,
          "notNull": true,
          "autoincrement": false
        }
      },
      "indexes": {},
      "foreignKeys": {},
      "compositePrimaryKeys": {},
      "uniqueConstraints": {},
      "checkConstraints": {}
    }
  },
  "views": {},
  "enums": {},
  "_meta": {
    "schemas": {},
    "tables": {},
    "columns": {}
  },
  "internal": {
    "indexes": {}
  }
 }
--- a/drizzle/meta/_journal.json
+++ b/drizzle/meta/_journal.json
@ -8,20 +8,6 @@
      "when": 1736295566569,
      "tag": "0000_fair_tarantula",
      "breakpoints": true
    },
    {
      "idx": 1,
      "version": "6",
      "when": 1741936760967,
      "tag": "0001_equal_unicorn",
      "breakpoints": true
    },
    {
      "idx": 2,
      "version": "6",
      "when": 1743389268079,
      "tag": "0002_minor_black_panther",
      "breakpoints": true
    }
  ]
 }
--- a/package.json
+++ b/package.json
@ -1,7 +1,6 @@
 {
-	"name": "vpgen",
+	"name": "vpgen-sv5",
 	"version": "0.0.1",
 	"license": "AGPL-3.0-or-later",
 	"type": "module",
 	"scripts": {
 		"dev": "vite dev",
@ -15,52 +14,48 @@
 		"db:generate": "drizzle-kit generate",
 		"db:migrate": "drizzle-kit migrate",
 		"db:studio": "drizzle-kit studio",
-		"db:seed": "bun run ./src/lib/server/db/seed.ts",
+		"db:seed": "bun run ./src/lib/server/db/seed.ts"
 		"prepare": "ts-patch install"
 	},
 	"devDependencies": {
 		"@lucide/svelte": "^0.487.0",
 		"@oslojs/crypto": "^1.0.1",
 		"@oslojs/encoding": "^1.1.0",
 		"@ryoppippi/unplugin-typia": "npm:@jsr/ryoppippi__unplugin-typia",
 		"@sveltejs/adapter-auto": "^3.3.1",
-		"@sveltejs/adapter-node": "^5.2.12",
+		"@sveltejs/adapter-node": "^5.2.11",
-		"@sveltejs/kit": "^2.20.7",
+		"@sveltejs/kit": "^2.15.0",
 		"@sveltejs/vite-plugin-svelte": "^5.0.3",
 		"@tailwindcss/container-queries": "^0.1.1",
-		"@tailwindcss/forms": "^0.5.10",
+		"@tailwindcss/forms": "^0.5.9",
-		"@tailwindcss/typography": "^0.5.16",
+		"@tailwindcss/typography": "^0.5.15",
-		"@types/better-sqlite3": "^7.6.13",
+		"@types/better-sqlite3": "^7.6.12",
 		"@types/eslint": "^9.6.1",
 		"@types/qrcode-svg": "^1.1.5",
-		"arctic": "^2.3.4",
+		"arctic": "^2.3.3",
-		"autoprefixer": "^10.4.21",
+		"autoprefixer": "^10.4.20",
-		"bits-ui": "^1.3.19",
+		"bits-ui": "^0.22.0",
 		"clsx": "^2.1.1",
-		"eslint": "^9.25.1",
+		"eslint": "^9.17.0",
 		"eslint-config-prettier": "^9.1.0",
 		"eslint-plugin-svelte": "^2.46.1",
-		"globals": "^15.15.0",
+		"globals": "^15.14.0",
 		"ip-address": "^10.0.1",
-		"prettier": "^3.5.3",
+		"lucide-svelte": "^0.469.0",
-		"prettier-plugin-svelte": "^3.3.3",
+		"prettier": "^3.4.2",
-		"prettier-plugin-tailwindcss": "^0.6.11",
+		"prettier-plugin-svelte": "^3.3.2",
 		"prettier-plugin-tailwindcss": "^0.6.9",
 		"qrcode-svg": "^1.1.0",
-		"svelte": "^5.28.1",
+		"svelte": "^5.16.0",
-		"svelte-check": "^4.1.6",
+		"svelte-check": "^4.1.1",
 		"tailwind-merge": "^2.6.0",
-		"tailwind-variants": "^0.3.1",
+		"tailwind-variants": "^0.3.0",
 		"tailwindcss": "^3.4.17",
 		"tailwindcss-animate": "^1.0.7",
-		"ts-patch": "^3.3.0",
+		"typescript": "^5.7.2",
-		"typescript": "~5.8.3",
+		"typescript-eslint": "^8.18.2",
-		"typescript-eslint": "^8.31.0",
+		"vite": "^6.0.6"
 		"typia": "^8.2.0",
 		"vite": "^6.3.2"
 	},
 	"dependencies": {
 		"@libsql/client": "^0.14.0",
-		"drizzle-kit": "^0.30.6",
+		"drizzle-kit": "^0.30.1",
-		"drizzle-orm": "^0.38.4"
+		"drizzle-orm": "^0.38.3"
 	}
 }
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@ -2,9 +2,10 @@ import { type Handle, redirect } from '@sveltejs/kit';
 import { sequence } from '@sveltejs/kit/hooks';
 import { dev } from '$app/environment';
 import * as auth from '$lib/server/auth';
-import wgProvider from '$lib/server/wg-provider';
+import { fetchOpnsenseServer } from '$lib/server/opnsense';
-await wgProvider.init();
+// fetch opnsense server info on startup
 await fetchOpnsenseServer();
 const handleAuth: Handle = async ({ event, resolve }) => {
 	const sessionId = event.cookies.get(auth.sessionCookieName);
--- a/src/lib/assets/google.svg
+++ b/src/lib/assets/google.svg
@ -1,13 +0,0 @@
 <svg width="40" height="40" viewBox="10 10 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
 <g clip-path="url(#clip0_710_6221)">
 <path d="M29.6 20.2273C29.6 19.5182 29.5364 18.8364 29.4182 18.1818H20V22.05H25.3818C25.15 23.3 24.4455 24.3591 23.3864 25.0682V27.5773H26.6182C28.5091 25.8364 29.6 23.2727 29.6 20.2273Z" fill="#4285F4"/>
 <path d="M20 30C22.7 30 24.9636 29.1045 26.6181 27.5773L23.3863 25.0682C22.4909 25.6682 21.3454 26.0227 20 26.0227C17.3954 26.0227 15.1909 24.2636 14.4045 21.9H11.0636V24.4909C12.7091 27.7591 16.0909 30 20 30Z" fill="#34A853"/>
 <path d="M14.4045 21.9C14.2045 21.3 14.0909 20.6591 14.0909 20C14.0909 19.3409 14.2045 18.7 14.4045 18.1V15.5091H11.0636C10.3864 16.8591 10 18.3864 10 20C10 21.6136 10.3864 23.1409 11.0636 24.4909L14.4045 21.9Z" fill="#FBBC04"/>
 <path d="M20 13.9773C21.4681 13.9773 22.7863 14.4818 23.8227 15.4727L26.6909 12.6045C24.9591 10.9909 22.6954 10 20 10C16.0909 10 12.7091 12.2409 11.0636 15.5091L14.4045 18.1C15.1909 15.7364 17.3954 13.9773 20 13.9773Z" fill="#E94235"/>
 </g>
 <defs>
 <clipPath id="clip0_710_6221">
 <rect width="20" height="20" fill="white" transform="translate(10 10)"/>
 </clipPath>
 </defs>
 </svg>
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@ -1,9 +0,0 @@
 import { envToBool } from '$lib/utils';
 import { env } from '$env/dynamic/public';
 export type AuthProvider = 'authentik' | 'google';
 export const enabledAuthProviders: Record<AuthProvider, boolean> = {
 	authentik: envToBool(env.PUBLIC_AUTH_AUTHENTIK_ENABLE),
 	google: envToBool(env.PUBLIC_AUTH_GOOGLE_ENABLE),
 };
--- a/src/lib/components/app/auth-form/auth-button.svelte
+++ b/src/lib/components/app/auth-form/auth-button.svelte
@ -1,28 +0,0 @@
 <script lang="ts">
 	import { LucideLoaderCircle } from '@lucide/svelte';
 	import { Button } from '$lib/components/ui/button';
 	interface Props {
 		providerName: string;
 		displayName: string;
 		iconSrc: string;
 		inviteToken?: string;
 	}
 	let { providerName, displayName, inviteToken, iconSrc }: Props = $props();
 	let submitted = $state(false);
 </script>
 <form method="get" onsubmit={() => (submitted = true)} action="/auth/{providerName}">
 	{#if inviteToken}
 		<input type="hidden" value={inviteToken} name="invite" />
 	{/if}
 	<Button type="submit" disabled={submitted}>
 		{#if submitted}
 			<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
 		{:else}
 			<img class="mr-2 h-4 w-4" alt="{displayName} Logo" src={iconSrc} />
 		{/if}
 		Sign {inviteToken ? 'up' : 'in'} with {displayName}
 	</Button>
 </form>
--- a/src/lib/components/app/auth-form/auth-form.svelte
+++ b/src/lib/components/app/auth-form/auth-form.svelte
@ -1,26 +1,31 @@
 <script lang="ts">
 	import { LucideLoaderCircle } from 'lucide-svelte';
 	import { Button } from '$lib/components/ui/button';
 	import { cn } from '$lib/utils.js';
 	import googleIcon from '$lib/assets/google.svg';
 	import { enabledAuthProviders } from '$lib/auth';
 	import AuthButton from './auth-button.svelte';
-	interface Props {
+	let { class: className, ...rest }: { class?: string; rest?: { [p: string]: unknown } } = $props();
-		inviteToken?: string;
+
-		class?: string;
+	let isLoading = $state(false);
 	}
 	let { inviteToken, class: className }: Props = $props();
 </script>
-<div class={cn('flex gap-6', className)}>
+<div class={cn('flex gap-6', className)} {...rest}>
-	{#if enabledAuthProviders.authentik}
+	<form method="get" action="/auth/authentik">
-		<AuthButton
+		<Button
-			providerName="authentik"
+			type="submit"
-			displayName="Authentik"
+			onclick={() => {
-			iconSrc="https://auth.cazzzer.com/static/dist/assets/icons/icon.svg"
+				isLoading = true;
-			{inviteToken}
+			}}
-		/>
+		>
-	{/if}
+			{#if isLoading}
-	{#if enabledAuthProviders.google}
+				<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
-		<AuthButton providerName="google" displayName="Google" iconSrc={googleIcon} {inviteToken} />
+			{:else}
-	{/if}
+				<img
 					class="mr-2 h-4 w-4"
 					alt="Authentik Logo"
 					src="https://auth.cazzzer.com/static/dist/assets/icons/icon.svg"
 				/>
 			{/if}
 			Sign in with Authentik
 		</Button>
 	</form>
 </div>
--- a/src/lib/components/app/code-snippet/code-snippet.svelte
+++ b/src/lib/components/app/code-snippet/code-snippet.svelte
@ -1,6 +1,6 @@
 <script lang="ts">
 	import { Button } from '$lib/components/ui/button';
-	import { LucideClipboardCopy, LucideDownload } from '@lucide/svelte';
+	import { LucideClipboardCopy, LucideDownload } from 'lucide-svelte';
 	const {
 		data,
--- a/src/lib/components/ui/badge/badge.svelte
+++ b/src/lib/components/ui/badge/badge.svelte
@ -43,7 +43,7 @@
 	this={href ? "a" : "span"}
 	bind:this={ref}
 	{href}
-	class={cn(badgeVariants({ variant }), className)}
+	class={cn(badgeVariants({ variant, className }))}
 	{...restProps}
 >
 	{@render children?.()}
--- a/src/lib/components/ui/button/button.svelte
+++ b/src/lib/components/ui/button/button.svelte
@ -56,7 +56,7 @@
 {#if href}
 	<a
 		bind:this={ref}
-		class={cn(buttonVariants({ variant, size }), className)}
+		class={cn(buttonVariants({ variant, size, className }))}
 		{href}
 		{...restProps}
 	>
@ -65,7 +65,7 @@
 {:else}
 	<button
 		bind:this={ref}
-		class={cn(buttonVariants({ variant, size }), className)}
+		class={cn(buttonVariants({ variant, size, className }))}
 		{type}
 		{...restProps}
 	>
--- a/src/lib/components/ui/checkbox/checkbox.svelte
+++ b/src/lib/components/ui/checkbox/checkbox.svelte
@ -1,7 +1,7 @@
 <script lang="ts">
 	import { Checkbox as CheckboxPrimitive, type WithoutChildrenOrChild } from "bits-ui";
-	import Check from "@lucide/svelte/icons/check";
+	import Check from "lucide-svelte/icons/check";
-	import Minus from "@lucide/svelte/icons/minus";
+	import Minus from "lucide-svelte/icons/minus";
 	import { cn } from "$lib/utils.js";
 	let {
--- a/src/lib/components/ui/dialog/dialog-content.svelte
+++ b/src/lib/components/ui/dialog/dialog-content.svelte
@ -1,6 +1,6 @@
 <script lang="ts">
 	import { Dialog as DialogPrimitive, type WithoutChildrenOrChild } from "bits-ui";
-	import X from "@lucide/svelte/icons/x";
+	import X from "lucide-svelte/icons/x";
 	import type { Snippet } from "svelte";
 	import * as Dialog from "./index.js";
 	import { cn } from "$lib/utils.js";
--- a/src/lib/components/ui/dialog/dialog-description.svelte
+++ b/src/lib/components/ui/dialog/dialog-description.svelte
@ -5,6 +5,7 @@
 	let {
 		ref = $bindable(null),
 		class: className,
 		children,
 		...restProps
 	}: DialogPrimitive.DescriptionProps = $props();
 </script>
@ -13,4 +14,6 @@
 	bind:ref
 	class={cn("text-muted-foreground text-sm", className)}
 	{...restProps}
-/>
+>
 	{@render children?.()}
 </DialogPrimitive.Description>
--- a/src/lib/components/ui/dialog/dialog-overlay.svelte
+++ b/src/lib/components/ui/dialog/dialog-overlay.svelte
@ -5,6 +5,7 @@
 	let {
 		ref = $bindable(null),
 		class: className,
 		children,
 		...restProps
 	}: DialogPrimitive.OverlayProps = $props();
 </script>
@ -16,4 +17,6 @@
 		className
 	)}
 	{...restProps}
-/>
+>
 	{@render children?.()}
 </DialogPrimitive.Overlay>
--- a/src/lib/components/ui/dialog/dialog-title.svelte
+++ b/src/lib/components/ui/dialog/dialog-title.svelte
@ -5,6 +5,7 @@
 	let {
 		ref = $bindable(null),
 		class: className,
 		children,
 		...restProps
 	}: DialogPrimitive.TitleProps = $props();
 </script>
@ -13,4 +14,6 @@
 	bind:ref
 	class={cn("text-lg font-semibold leading-none tracking-tight", className)}
 	{...restProps}
-/>
+>
 	{@render children?.()}
 </DialogPrimitive.Title>
--- a/src/lib/components/ui/input/input.svelte
+++ b/src/lib/components/ui/input/input.svelte
@ -1,46 +1,22 @@
 <script lang="ts">
-	import type { HTMLInputAttributes, HTMLInputTypeAttribute } from "svelte/elements";
+	import type { HTMLInputAttributes } from "svelte/elements";
 	import type { WithElementRef } from "bits-ui";
 	import { cn } from "$lib/utils.js";
 	type InputType = Exclude<HTMLInputTypeAttribute, "file">;
 	type Props = WithElementRef<
 		Omit<HTMLInputAttributes, "type"> &
 			({ type: "file"; files?: FileList } | { type?: InputType; files?: undefined })
 	>;
 	let {
 		ref = $bindable(null),
 		value = $bindable(),
 		type,
 		files = $bindable(),
 		class: className,
 		...restProps
-	}: Props = $props();
+	}: WithElementRef<HTMLInputAttributes> = $props();
 </script>
-{#if type === "file"}
+<input
-	<input
+	bind:this={ref}
-		bind:this={ref}
+	class={cn(
-		class={cn(
+		"border-input bg-background ring-offset-background placeholder:text-muted-foreground focus-visible:ring-ring flex h-10 w-full rounded-md border px-3 py-2 text-base file:border-0 file:bg-transparent file:text-sm file:font-medium focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
-			"border-input bg-background ring-offset-background placeholder:text-muted-foreground focus-visible:ring-ring flex h-10 w-full rounded-md border px-3 py-2 text-base file:border-0 file:bg-transparent file:text-sm file:font-medium focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
+		className
-			className
+	)}
-		)}
+	bind:value
-		type="file"
+	{...restProps}
-		bind:files
+/>
 		bind:value
 		{...restProps}
 	/>
 {:else}
 	<input
 		bind:this={ref}
 		class={cn(
 			"border-input bg-background ring-offset-background placeholder:text-muted-foreground focus-visible:ring-ring flex h-10 w-full rounded-md border px-3 py-2 text-base file:border-0 file:bg-transparent file:text-sm file:font-medium focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
 			className
 		)}
 		{type}
 		bind:value
 		{...restProps}
 	/>
 {/if}
--- a/src/lib/components/ui/label/label.svelte
+++ b/src/lib/components/ui/label/label.svelte
@ -5,6 +5,7 @@
 	let {
 		ref = $bindable(null),
 		class: className,
 		children,
 		...restProps
 	}: LabelPrimitive.RootProps = $props();
 </script>
@ -16,4 +17,6 @@
 		className
 	)}
 	{...restProps}
-/>
+>
 	{@render children?.()}
 </LabelPrimitive.Root>
--- a/src/lib/components/ui/tabs/tabs-content.svelte
+++ b/src/lib/components/ui/tabs/tabs-content.svelte
@ -5,6 +5,7 @@
 	let {
 		ref = $bindable(null),
 		class: className,
 		children,
 		...restProps
 	}: TabsPrimitive.ContentProps = $props();
 </script>
@ -16,4 +17,6 @@
 		className
 	)}
 	{...restProps}
-/>
+>
 	{@render children?.()}
 </TabsPrimitive.Content>
--- a/src/lib/components/ui/tabs/tabs-list.svelte
+++ b/src/lib/components/ui/tabs/tabs-list.svelte
@ -5,6 +5,7 @@
 	let {
 		ref = $bindable(null),
 		class: className,
 		children,
 		...restProps
 	}: TabsPrimitive.ListProps = $props();
 </script>
@ -16,4 +17,6 @@
 		className
 	)}
 	{...restProps}
-/>
+>
 	{@render children?.()}
 </TabsPrimitive.List>
--- a/src/lib/components/ui/tabs/tabs-trigger.svelte
+++ b/src/lib/components/ui/tabs/tabs-trigger.svelte
@ -5,6 +5,7 @@
 	let {
 		ref = $bindable(null),
 		class: className,
 		children,
 		...restProps
 	}: TabsPrimitive.TriggerProps = $props();
 </script>
@ -16,4 +17,6 @@
 		className
 	)}
 	{...restProps}
-/>
+>
 	{@render children?.()}
 </TabsPrimitive.Trigger>
--- a/src/lib/opnsense/index.ts
+++ b/src/lib/opnsense/index.ts
@ -0,0 +1,3 @@
 export function opnsenseSanitezedUsername(username: string) {
 	return username.slice(0, 63).replace(/[^a-zA-Z0-9_-]/g, '_');
 }
--- a/src/lib/server/wg-providers/opnsense/types.ts
+++ b/src/lib/server/wg-providers/opnsense/types.ts
--- a/src/lib/server/auth.ts
+++ b/src/lib/server/auth.ts
@ -3,9 +3,8 @@ import { sha256 } from '@oslojs/crypto/sha2';
 import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding';
 import { db } from '$lib/server/db';
 import * as table from '$lib/server/db/schema';
-import type { Cookies } from '@sveltejs/kit';
+import type { RequestEvent } from '@sveltejs/kit';
 import { dev } from '$app/environment';
 import { env } from '$env/dynamic/private';
 const DAY_IN_MS = 1000 * 60 * 60 * 24;
@ -22,14 +21,14 @@ export async function createSession(userId: string): Promise<table.Session> {
 	const session: table.Session = {
 		id: sessionId,
 		userId,
-		expiresAt: new Date(Date.now() + DAY_IN_MS * 30),
+		expiresAt: new Date(Date.now() + DAY_IN_MS * 30)
 	};
 	await db.insert(table.sessions).values(session);
 	return session;
 }
-export function setSessionTokenCookie(cookies: Cookies, sessionId: string, expiresAt: Date) {
+export function setSessionTokenCookie(event: RequestEvent, sessionId: string, expiresAt: Date) {
-	cookies.set(sessionCookieName, sessionId, {
+	event.cookies.set(sessionCookieName, sessionId, {
 		path: '/',
 		sameSite: 'lax',
 		httpOnly: true,
@ -42,21 +41,16 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	await db.delete(table.sessions).where(eq(table.sessions.id, sessionId));
 }
-export function deleteSessionTokenCookie(cookies: Cookies) {
+export function deleteSessionTokenCookie(event: RequestEvent) {
-	cookies.delete(sessionCookieName, { path: '/' });
+	event.cookies.delete(sessionCookieName, { path: '/' });
 }
 export async function validateSession(sessionId: string) {
 	const [result] = await db
 		.select({
 			// Adjust user table here to tweak returned data
-			user: {
+			user: { id: table.users.id, username: table.users.username, name: table.users.name },
-				id: table.users.id,
+			session: table.sessions
 				authSource: table.users.authSource,
 				username: table.users.username,
 				name: table.users.name,
 			},
 			session: table.sessions,
 		})
 		.from(table.sessions)
 		.innerJoin(table.users, eq(table.sessions.userId, table.users.id))
@ -85,8 +79,4 @@ export async function validateSession(sessionId: string) {
 	return { session, user };
 }
 export function isValidInviteToken(inviteToken: string) {
 	return inviteToken === env.AUTH_INVITE_TOKEN;
 }
 export type SessionValidationResult = Awaited<ReturnType<typeof validateSession>>;
--- a/src/lib/server/db/schema.ts
+++ b/src/lib/server/db/schema.ts
@ -3,7 +3,6 @@ import { relations } from 'drizzle-orm';
 export const users = sqliteTable('users', {
 	id: text('id').primaryKey(),
 	authSource: text('auth_source').notNull().default('authentik'),
 	username: text('username').notNull(),
 	name: text('name').notNull(),
 });
@ -36,6 +35,8 @@ export const devices = sqliteTable('devices', {
 		.notNull()
 		.references(() => users.id),
 	name: text('name').notNull(),
 	// questioning whether this should be nullable
 	opnsenseId: text('opnsense_id'),
 	publicKey: text('public_key').notNull().unique(),
 	// nullable for the possibility of a user supplying their own private key
 	privateKey: text('private_key'),
--- a/src/lib/server/db/seed.ts
+++ b/src/lib/server/db/seed.ts
@ -2,7 +2,7 @@ import { ipAllocations, users, devices } from './schema';
 import { eq } from 'drizzle-orm';
 import assert from 'node:assert';
 import { drizzle } from 'drizzle-orm/libsql';
-import * as schema from './schema';
+import * as schema from '$lib/server/db/schema';
 assert(process.env.DATABASE_URL, 'DATABASE_URL is not set');
 const db = drizzle(process.env.DATABASE_URL, { schema });
--- a/src/lib/server/devices.ts
+++ b/src/lib/server/devices.ts
@ -0,0 +1,219 @@
 import type { User } from '$lib/server/db/schema';
 import { ipAllocations, devices } from '$lib/server/db/schema';
 import { db } from '$lib/server/db';
 import { opnsenseAuth, opnsenseUrl, serverPublicKey, serverUuid } from '$lib/server/opnsense';
 import { Address4, Address6 } from 'ip-address';
 import { env } from '$env/dynamic/private';
 import { and, count, eq, isNull } from 'drizzle-orm';
 import { err, ok, type Result } from '$lib/types';
 import type { DeviceDetails } from '$lib/devices';
 import { opnsenseSanitezedUsername } from '$lib/opnsense';
 export async function findDevices(userId: string) {
 	return db.query.devices.findMany({
 		columns: {
 			id: true,
 			name: true,
 			publicKey: true,
 			privateKey: true,
 			preSharedKey: true,
 		},
 		with: {
 			ipAllocation: true,
 		},
 		where: eq(devices.userId, userId),
 	});
 }
 export async function findDevice(userId: string, deviceId: number) {
 	return db.query.devices.findFirst({
 		columns: {
 			id: true,
 			name: true,
 			publicKey: true,
 			privateKey: true,
 			preSharedKey: true,
 		},
 		with: {
 			ipAllocation: true,
 		},
 		where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
 	});
 }
 export function mapDeviceToDetails(
 	device: Awaited<ReturnType<typeof findDevices>>[0],
 ): DeviceDetails {
 	const ips = getIpsFromIndex(device.ipAllocation.id);
 	return {
 		id: device.id,
 		name: device.name,
 		publicKey: device.publicKey,
 		privateKey: device.privateKey,
 		preSharedKey: device.preSharedKey,
 		ips,
 		vpnPublicKey: serverPublicKey,
 		vpnEndpoint: env.VPN_ENDPOINT,
 		vpnDns: env.VPN_DNS,
 	};
 }
 export async function createDevice(params: {
 	name: string;
 	user: User;
 }): Promise<Result<number, [400 | 500, string]>> {
 	// check if user exceeds the limit of devices
 	const [{ deviceCount }] = await db
 		.select({ deviceCount: count() })
 		.from(devices)
 		.where(eq(devices.userId, params.user.id));
 	if (deviceCount >= parseInt(env.MAX_CLIENTS_PER_USER))
 		return err([400, 'Maximum number of devices reached'] as [400, string]);
 	// this is going to be quite long
 	// 1. fetch params for new device from opnsense api
 	// 2.1 get an allocation for the device
 	// 2.2. insert new device into db
 	// 2.3. update the allocation with the device id
 	// 3. create the client in opnsense
 	// 4. reconfigure opnsense to enable the new client
 	return await db.transaction(async (tx) => {
 		const [keys, availableAllocation, lastAllocation] = await Promise.all([
 			// fetch params for new device from opnsense api
 			getKeys(),
 			// find first unallocated IP
 			await tx.query.ipAllocations.findFirst({
 				columns: {
 					id: true,
 				},
 				where: isNull(ipAllocations.deviceId),
 			}),
 			// find last allocation to check if we have any IPs left
 			await tx.query.ipAllocations.findFirst({
 				columns: {
 					id: true,
 				},
 				orderBy: (ipAllocations, { desc }) => desc(ipAllocations.id),
 			}),
 		]);
 		// check for existing allocation or if we have any IPs left
 		if (!availableAllocation && lastAllocation && lastAllocation.id >= parseInt(env.IP_MAX_INDEX)) {
 			return err([500, 'No more IP addresses available'] as [500, string]);
 		}
 		// use existing allocation or create a new one
 		const ipAllocationId =
 			availableAllocation?.id ??
 			(await tx.insert(ipAllocations).values({}).returning({ id: ipAllocations.id }))[0].id;
 		// transaction savepoint after creating a new IP allocation
 		// TODO: not sure if this is needed
 		return await tx.transaction(async (tx2) => {
 			// create new device in db
 			const [newDevice] = await tx2
 				.insert(devices)
 				.values({
 					userId: params.user.id,
 					name: params.name,
 					publicKey: keys.pubkey,
 					privateKey: keys.privkey,
 					preSharedKey: keys.psk,
 				})
 				.returning({ id: devices.id });
 			// update IP allocation with device ID
 			await tx2
 				.update(ipAllocations)
 				.set({ deviceId: newDevice.id })
 				.where(eq(ipAllocations.id, ipAllocationId));
 			// create client in opnsense
 			const opnsenseRes = await opnsenseCreateClient({
 				username: params.user.username,
 				pubkey: keys.pubkey,
 				psk: keys.psk,
 				allowedIps: getIpsFromIndex(ipAllocationId).join(','),
 			});
 			const opnsenseResJson = await opnsenseRes.json();
 			if (opnsenseResJson['result'] !== 'saved') {
 				tx2.rollback();
 				console.error(`Error creating client in OPNsense: \n${opnsenseResJson}`);
 				return err([500, 'Error creating client in OPNsense'] as [500, string]);
 			}
 			// reconfigure opnsense
 			await opnsenseReconfigure();
 			return ok(newDevice.id);
 		});
 	});
 }
 async function getKeys() {
 	// fetch key pair from opnsense
 	const options: RequestInit = {
 		method: 'GET',
 		headers: {
 			Authorization: opnsenseAuth,
 			Accept: 'application/json',
 		},
 	};
 	const resKeyPair = await fetch(`${opnsenseUrl}/api/wireguard/server/key_pair`, options);
 	const resPsk = await fetch(`${opnsenseUrl}/api/wireguard/client/psk`, options);
 	const keyPair = await resKeyPair.json();
 	const psk = await resPsk.json();
 	return {
 		pubkey: keyPair['pubkey'] as string,
 		privkey: keyPair['privkey'] as string,
 		psk: psk['psk'] as string,
 	};
 }
 export function getIpsFromIndex(ipIndex: number) {
 	ipIndex -= 1; // 1-indexed in the db
 	const v4StartingAddr = new Address4(env.IPV4_STARTING_ADDR);
 	const v6StartingAddr = new Address6(env.IPV6_STARTING_ADDR);
 	const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
 	const v6Offset = BigInt(ipIndex) << (128n - BigInt(env.IPV6_CLIENT_PREFIX_SIZE));
 	const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
 	const v6AllowedShort = v6Allowed.parsedAddress.join(':');
 	return [v4Allowed.address + '/32', v6AllowedShort + '/' + env.IPV6_CLIENT_PREFIX_SIZE];
 }
 async function opnsenseCreateClient(params: {
 	username: string;
 	pubkey: string;
 	psk: string;
 	allowedIps: string;
 }) {
 	return fetch(`${opnsenseUrl}/api/wireguard/client/addClientBuilder`, {
 		method: 'POST',
 		headers: {
 			Authorization: opnsenseAuth,
 			Accept: 'application/json',
 			'Content-Type': 'application/json',
 		},
 		body: JSON.stringify({
 			configbuilder: {
 				enabled: '1',
 				name: `vpgen-${opnsenseSanitezedUsername(params.username)}`,
 				pubkey: params.pubkey,
 				psk: params.psk,
 				tunneladdress: params.allowedIps,
 				server: serverUuid,
 				endpoint: env.VPN_ENDPOINT,
 			},
 		}),
 	});
 }
 async function opnsenseReconfigure() {
 	return fetch(`${opnsenseUrl}/api/wireguard/service/reconfigure`, {
 		method: 'POST',
 		headers: {
 			Authorization: opnsenseAuth,
 			Accept: 'application/json',
 		},
 	});
 }
--- a/src/lib/server/devices/create.ts
+++ b/src/lib/server/devices/create.ts
@ -1,94 +0,0 @@
 import { devices, ipAllocations, type User } from '$lib/server/db/schema';
 import { err, ok, type Result } from '$lib/types';
 import { db } from '$lib/server/db';
 import { count, eq, isNull } from 'drizzle-orm';
 import { env } from '$env/dynamic/private';
 import { getIpsFromIndex } from './utils';
 import wgProvider from '$lib/server/wg-provider';
 export async function createDevice(params: {
 	name: string;
 	user: User;
 }): Promise<Result<number, [400 | 500, string]>> {
 	// check if user exceeds the limit of devices
 	const [{ deviceCount }] = await db
 		.select({ deviceCount: count() })
 		.from(devices)
 		.where(eq(devices.userId, params.user.id));
 	if (deviceCount >= parseInt(env.MAX_CLIENTS_PER_USER))
 		return err([400, 'Maximum number of devices reached'] as [400, string]);
 	// 1. fetch params for new device from provider
 	// 2.1 get an allocation for the device
 	// 2.2. insert new device into db
 	// 2.3. update the allocation with the device id
 	// 3. create the client in provider
 	return await db.transaction(async (tx) => {
 		const [keysResult, availableAllocation, lastAllocation] = await Promise.all([
 			// fetch params for new device from provider
 			wgProvider.generateKeys(),
 			// find first unallocated IP
 			await tx.query.ipAllocations.findFirst({
 				columns: {
 					id: true,
 				},
 				where: isNull(ipAllocations.deviceId),
 			}),
 			// find last allocation to check if we have any IPs left
 			await tx.query.ipAllocations.findFirst({
 				columns: {
 					id: true,
 				},
 				orderBy: (ipAllocations, { desc }) => desc(ipAllocations.id),
 			}),
 		]);
 		if (keysResult?._tag === 'err') return err([500, 'Failed to get keys']);
 		const keys = keysResult.value;
 		// check for existing allocation or if we have any IPs left
 		if (!availableAllocation && lastAllocation && lastAllocation.id >= parseInt(env.IP_MAX_INDEX)) {
 			return err([500, 'No more IP addresses available']);
 		}
 		// use existing allocation or create a new one
 		const ipAllocationId =
 			availableAllocation?.id ??
 			(await tx.insert(ipAllocations).values({}).returning({ id: ipAllocations.id }))[0].id;
 		// transaction savepoint after creating a new IP allocation
 		// TODO: not sure if this is needed
 		return await tx.transaction(async (tx2) => {
 			// create new device in db
 			const [newDevice] = await tx2
 				.insert(devices)
 				.values({
 					userId: params.user.id,
 					name: params.name,
 					publicKey: keys.publicKey,
 					privateKey: keys.privateKey,
 					preSharedKey: keys.preSharedKey,
 				})
 				.returning({ id: devices.id });
 			// update IP allocation with device ID
 			await tx2
 				.update(ipAllocations)
 				.set({ deviceId: newDevice.id })
 				.where(eq(ipAllocations.id, ipAllocationId));
 			// create client in provider
 			const providerRes = await wgProvider.createClient({
 				user: params.user,
 				publicKey: keys.publicKey,
 				preSharedKey: keys.preSharedKey,
 				allowedIps: getIpsFromIndex(ipAllocationId).join(','),
 			});
 			if (providerRes._tag === 'err') {
 				tx2.rollback();
 				return err([500, 'Failed to create client in provider']);
 			}
 			return ok(newDevice.id);
 		});
 	});
 }
--- a/src/lib/server/devices/delete.ts
+++ b/src/lib/server/devices/delete.ts
@ -1,27 +0,0 @@
 import { and, eq } from 'drizzle-orm';
 import { db } from '$lib/server/db';
 import { devices } from '$lib/server/db/schema';
 import { err, ok, type Result } from '$lib/types';
 import wgProvider from '$lib/server/wg-provider';
 export async function deleteDevice(
 	userId: string,
 	deviceId: number,
 ): Promise<Result<null, [400 | 500, string]>> {
 	const device = await db.query.devices.findFirst({
 		columns: {
 			publicKey: true,
 		},
 		where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
 	});
 	if (!device) return err([400, 'Device not found']);
 	const providerDeletionResult = await wgProvider.deleteClient(device.publicKey);
 	if (providerDeletionResult._tag === 'err') {
 		console.error('failed to delete provider client for device', deviceId, device.publicKey);
 		return err([500, 'Error deleting client in provider']);
 	}
 	await db.delete(devices).where(eq(devices.id, deviceId));
 	return ok(null);
 }
--- a/src/lib/server/devices/find.ts
+++ b/src/lib/server/devices/find.ts
@ -1,56 +0,0 @@
 import { db } from '$lib/server/db';
 import { and, eq } from 'drizzle-orm';
 import { devices } from '$lib/server/db/schema';
 import type { DeviceDetails } from '$lib/devices';
 import { env } from '$env/dynamic/private';
 import { getIpsFromIndex } from '$lib/server/devices/index';
 import wgProvider from '$lib/server/wg-provider';
 export async function findDevices(userId: string) {
 	return db.query.devices.findMany({
 		columns: {
 			id: true,
 			name: true,
 			publicKey: true,
 			privateKey: true,
 			preSharedKey: true,
 		},
 		with: {
 			ipAllocation: true,
 		},
 		where: eq(devices.userId, userId),
 	});
 }
 export async function findDevice(userId: string, deviceId: number) {
 	return db.query.devices.findFirst({
 		columns: {
 			id: true,
 			name: true,
 			publicKey: true,
 			privateKey: true,
 			preSharedKey: true,
 		},
 		with: {
 			ipAllocation: true,
 		},
 		where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
 	});
 }
 export function mapDeviceToDetails(
 	device: Awaited<ReturnType<typeof findDevices>>[0],
 ): DeviceDetails {
 	const ips = getIpsFromIndex(device.ipAllocation.id);
 	return {
 		id: device.id,
 		name: device.name,
 		publicKey: device.publicKey,
 		privateKey: device.privateKey,
 		preSharedKey: device.preSharedKey,
 		ips,
 		vpnPublicKey: wgProvider.getServerPublicKey(),
 		vpnEndpoint: env.VPN_ENDPOINT,
 		vpnDns: env.VPN_DNS,
 	};
 }
--- a/src/lib/server/devices/index.ts
+++ b/src/lib/server/devices/index.ts
@ -1,3 +0,0 @@
 export { findDevices, findDevice, mapDeviceToDetails } from './find';
 export { createDevice } from './create';
 export { getIpsFromIndex } from './utils';
--- a/src/lib/server/devices/utils.ts
+++ b/src/lib/server/devices/utils.ts
@ -1,14 +0,0 @@
 import { Address4, Address6 } from 'ip-address';
 import { env } from '$env/dynamic/private';
 export function getIpsFromIndex(ipIndex: number) {
 	ipIndex -= 1; // 1-indexed in the db
 	const v4StartingAddr = new Address4(env.IPV4_STARTING_ADDR);
 	const v6StartingAddr = new Address6(env.IPV6_STARTING_ADDR);
 	const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
 	const v6Offset = BigInt(ipIndex) << (128n - BigInt(env.IPV6_CLIENT_PREFIX_SIZE));
 	const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
 	const v6AllowedShort = v6Allowed.parsedAddress.join(':');
 	return [v4Allowed.address + '/32', v6AllowedShort + '/' + env.IPV6_CLIENT_PREFIX_SIZE];
 }
--- a/src/lib/server/oauth-providers/authentik.ts
+++ b/src/lib/server/oauth-providers/authentik.ts
@ -1,34 +0,0 @@
 import { envToBool } from '$lib/utils';
 import { env } from '$env/dynamic/private';
 import { Authentik, decodeIdToken } from 'arctic';
 import { assertGuard } from 'typia';
 import type { IOAuthProvider } from '$lib/server/oauth';
 const authentikProvider = new Authentik(
 	env.AUTH_AUTHENTIK_DOMAIN,
 	env.AUTH_AUTHENTIK_CLIENT_ID,
 	env.AUTH_AUTHENTIK_CLIENT_SECRET,
 	`${env.ORIGIN}/auth/authentik/callback`,
 );
 export const authentik: IOAuthProvider = {
 	requireInvite: envToBool(env.AUTH_AUTHENTIK_REQUIRE_INVITE, true),
 	createAuthorizationURL: (state: string, codeVerifier: string) => {
 		const scopes = ['openid', 'profile'];
 		return authentikProvider.createAuthorizationURL(state, codeVerifier, scopes);
 	},
 	validateAuthorizationCode: async (code: string, codeVerifier: string) => {
 		const tokens = await authentikProvider.validateAuthorizationCode(code, codeVerifier);
 		const claims = decodeIdToken(tokens.idToken());
 		assertGuard<{
 			sub: string;
 			name: string;
 			preferred_username: string;
 		}>(claims);
 		return {
 			sub: claims.sub,
 			name: claims.name,
 			username: claims.preferred_username,
 		};
 	},
 };
--- a/src/lib/server/oauth-providers/google.ts
+++ b/src/lib/server/oauth-providers/google.ts
@ -1,33 +0,0 @@
 import { decodeIdToken, Google } from 'arctic';
 import { env } from '$env/dynamic/private';
 import { envToBool } from '$lib/utils';
 import { assertGuard } from 'typia';
 import type { IOAuthProvider } from '$lib/server/oauth';
 const googleProvider = new Google(
 	env.AUTH_GOOGLE_CLIENT_ID,
 	env.AUTH_GOOGLE_CLIENT_SECRET,
 	`${env.ORIGIN}/auth/google/callback`,
 );
 export const google: IOAuthProvider = {
 	requireInvite: envToBool(env.AUTH_GOOGLE_REQUIRE_INVITE, true),
 	createAuthorizationURL: (state: string, codeVerifier: string) => {
 		const scopes = ['openid', 'profile', 'email'];
 		return googleProvider.createAuthorizationURL(state, codeVerifier, scopes);
 	},
 	validateAuthorizationCode: async (code: string, codeVerifier: string) => {
 		const tokens = await googleProvider.validateAuthorizationCode(code, codeVerifier);
 		const claims = decodeIdToken(tokens.idToken());
 		assertGuard<{
 			sub: string;
 			email: string;
 			name: string;
 		}>(claims);
 		return {
 			sub: claims.sub,
 			name: claims.name,
 			username: claims.email,
 		};
 	},
 };
--- a/src/lib/server/oauth-providers/index.ts
+++ b/src/lib/server/oauth-providers/index.ts
@ -1,2 +0,0 @@
 export { authentik } from './authentik';
 export { google } from './google';
--- a/src/lib/server/oauth.ts
+++ b/src/lib/server/oauth.ts
@ -1,19 +1,9 @@
-import type { AuthProvider } from '$lib/auth';
+import { Authentik } from 'arctic';
-import { authentik, google } from '$lib/server/oauth-providers';
+import { env } from '$env/dynamic/private';
-export interface IOAuthClaims {
+export const authentik = new Authentik(
-	sub: string;
+	env.AUTH_DOMAIN,
-	name: string;
+	env.AUTH_CLIENT_ID,
-	username: string;
+	env.AUTH_CLIENT_SECRET,
-}
+	`${env.ORIGIN}/auth/authentik/callback`,
-
+);
 export interface IOAuthProvider {
 	readonly requireInvite: boolean;
 	createAuthorizationURL(state: string, codeVerifier: string): URL;
 	validateAuthorizationCode(code: string, codeVerifier: string): Promise<IOAuthClaims>;
 }
 export const oauthProviders: Record<AuthProvider, IOAuthProvider> = {
 	authentik,
 	google,
 };
--- a/src/lib/server/opnsense/index.ts
+++ b/src/lib/server/opnsense/index.ts
@ -0,0 +1,49 @@
 import { env } from '$env/dynamic/private';
 import assert from 'node:assert';
 import { encodeBasicCredentials } from 'arctic/dist/request';
 import { dev } from '$app/environment';
 import type { OpnsenseWgServers } from '$lib/opnsense/wg';
 export const opnsenseUrl = env.OPNSENSE_API_URL;
 export const opnsenseAuth =
 	'Basic ' + encodeBasicCredentials(env.OPNSENSE_API_KEY, env.OPNSENSE_API_SECRET);
 export const opnsenseIfname = env.OPNSENSE_WG_IFNAME;
 // unset secret for security
 if (!dev) env.OPNSENSE_API_SECRET = '';
 export let serverUuid: string, serverPublicKey: string;
 export async function fetchOpnsenseServer() {
 // this might be pretty bad if the server is down and in a bunch of other cases
 // TODO: write a retry loop later
 	const resServers = await fetch(`${opnsenseUrl}/api/wireguard/client/list_servers`, {
 		method: 'GET',
 		headers: {
 			Authorization: opnsenseAuth,
 			Accept: 'application/json',
 		},
 	});
 	assert(resServers.ok, 'Failed to fetch OPNsense WireGuard servers');
 	const servers = (await resServers.json()) as OpnsenseWgServers;
 	assert.equal(servers.status, 'ok', 'Failed to fetch OPNsense WireGuard servers');
 	const uuid = servers.rows.find((server) => server.name === opnsenseIfname)?.uuid;
 	assert(uuid, 'Failed to find server UUID for OPNsense WireGuard server');
 	serverUuid = uuid;
 	console.info('OPNsense WireGuard server UUID:', serverUuid);
 	const resServerInfo = await fetch(
 		`${opnsenseUrl}/api/wireguard/client/get_server_info/${serverUuid}`,
 		{
 			method: 'GET',
 			headers: {
 				Authorization: opnsenseAuth,
 				Accept: 'application/json',
 			},
 		},
 	);
 	assert(resServerInfo.ok, 'Failed to fetch OPNsense WireGuard server info');
 	const serverInfo = await resServerInfo.json();
 	assert.equal(serverInfo.status, 'ok', 'Failed to fetch OPNsense WireGuard server info');
 	serverPublicKey = serverInfo['pubkey'];
 }
--- a/src/lib/server/types/index.ts
+++ b/src/lib/server/types/index.ts
@ -1,38 +0,0 @@
 import type { Result } from '$lib/types';
 import type { User } from '$lib/server/db/schema';
 export interface IWgProvider {
 	init(): Promise<Result<null, Error>>;
 	getServerPublicKey(): string;
 	generateKeys(): Promise<Result<WgKeys, Error>>;
 	createClient(params: CreateClientParams): Promise<Result<null, Error>>;
 	findConnections(user: User): Promise<Result<ClientConnection[], Error>>;
 	deleteClient(publicKey: string): Promise<Result<null, Error>>;
 }
 export type WgKeys = {
 	publicKey: string;
 	privateKey: string;
 	preSharedKey: string;
 };
 export type CreateClientParams = {
 	user: User;
 	publicKey: string;
 	preSharedKey: string;
 	allowedIps: string;
 }
 export type ClientConnection = {
 	publicKey: string;
 	endpoint: string;
 	allowedIps: string;
 	transferRx: number;
 	transferTx: number;
 	latestHandshake: number;
 }
--- a/src/lib/server/wg-provider.ts
+++ b/src/lib/server/wg-provider.ts
@ -1,12 +0,0 @@
 import { WgProviderOpnsense } from '$lib/server/wg-providers/opnsense';
 import { env } from '$env/dynamic/private';
 import type { IWgProvider } from '$lib/server/types';
 const wgProvider: IWgProvider = new WgProviderOpnsense({
 	opnsenseUrl: env.OPNSENSE_API_URL,
 	opnsenseApiKey: env.OPNSENSE_API_KEY,
 	opnsenseApiSecret: env.OPNSENSE_API_SECRET,
 	opnsenseWgIfname: env.OPNSENSE_WG_IFNAME,
 });
 export default wgProvider;
--- a/src/lib/server/wg-providers/opnsense/index.ts
+++ b/src/lib/server/wg-providers/opnsense/index.ts
@ -1,244 +0,0 @@
 import type { ClientConnection, CreateClientParams, IWgProvider, WgKeys } from '$lib/server/types';
 import { encodeBasicCredentials } from 'arctic/dist/request';
 import { is } from 'typia';
 import type { OpnsenseWgPeers, OpnsenseWgServers } from '$lib/server/wg-providers/opnsense/types';
 import { err, ok, type Result } from '$lib/types';
 import assert from 'node:assert';
 import type { User } from '$lib/server/db/schema';
 export class WgProviderOpnsense implements IWgProvider {
 	private opnsenseUrl: string;
 	private opnsenseAuth: string;
 	private opnsenseIfname: string;
 	private opnsenseWgServerUuid: string | undefined;
 	private opnsenseWgServerPublicKey: string | undefined;
 	public constructor(params: OpnsenseParams) {
 		this.opnsenseUrl = params.opnsenseUrl;
 		this.opnsenseAuth =
 			'Basic ' + encodeBasicCredentials(params.opnsenseApiKey, params.opnsenseApiSecret);
 		this.opnsenseIfname = params.opnsenseWgIfname;
 	}
 	public async init():  Promise<Result<null, Error>> {
 		const resServers = await fetch(`${this.opnsenseUrl}/api/wireguard/client/list_servers`, {
 			method: 'GET',
 			headers: {
 				Authorization: this.opnsenseAuth,
 				Accept: 'application/json',
 			},
 		});
 		const servers = await resServers.json();
 		if (!is<OpnsenseWgServers>(servers)) {
 			console.error('Unexpected response for OPNsense WireGuard servers', servers);
 			return err(new Error('Failed to fetch OPNsense WireGuard servers'));
 		}
 		const uuid = servers.rows.find((server) => server.name === this.opnsenseIfname)?.uuid;
 		if (!uuid) {
 			console.error('OPNsense WireGuard servers', servers);
 			return err(new Error('Failed to find server UUID for OPNsense WireGuard server'));
 		}
 		const resServerInfo = await fetch(
 			`${this.opnsenseUrl}/api/wireguard/client/get_server_info/${uuid}`,
 			{
 				method: 'GET',
 				headers: {
 					Authorization: this.opnsenseAuth,
 					Accept: 'application/json',
 				},
 			},
 		);
 		const serverInfo = await resServerInfo.json();
 		const serverPublicKey = serverInfo['pubkey'];
 		if (serverInfo['status'] !== 'ok' || typeof serverPublicKey !== 'string') {
 			console.error('Failed to fetch OPNsense WireGuard server info', serverInfo);
 			return err(new Error('Failed to fetch OPNsense WireGuard server info'));
 		}
 		console.debug('OPNsense WireGuard server UUID:', uuid);
 		console.debug('OPNsense WireGuard server public key:', serverPublicKey);
 		this.opnsenseWgServerUuid = uuid;
 		this.opnsenseWgServerPublicKey = serverPublicKey;
 		return ok(null);
 	}
 	getServerPublicKey(): string {
 		assert(
 			this.opnsenseWgServerPublicKey,
 			'OPNsense server public key not set, init() must be called first',
 		);
 		return this.opnsenseWgServerPublicKey;
 	}
 	public async generateKeys(): Promise<Result<WgKeys, Error>> {
 		const options: RequestInit = {
 			method: 'GET',
 			headers: {
 				Authorization: this.opnsenseAuth,
 				Accept: 'application/json',
 			},
 		};
 		const resKeyPair = await fetch(`${this.opnsenseUrl}/api/wireguard/server/key_pair`, options);
 		const resPsk = await fetch(`${this.opnsenseUrl}/api/wireguard/client/psk`, options);
 		const keyPair = await resKeyPair.json();
 		const psk = await resPsk.json();
 		if (!is<{ pubkey: string; privkey: string }>(keyPair)) {
 			console.error('Unexpected response for OPNsense key pair', keyPair);
 			return err(new Error('Failed to fetch OPNsense key pair'));
 		}
 		if (!is<{ psk: string }>(psk)) {
 			console.error('Unexpected response for OPNsense PSK', psk);
 			return err(new Error('Failed to fetch OPNsense PSK'));
 		}
 		return ok({
 			publicKey: keyPair.pubkey,
 			privateKey: keyPair.privkey,
 			preSharedKey: psk.psk,
 		});
 	}
 	async createClient(params: CreateClientParams): Promise<Result<null, Error>> {
 		assert(this.opnsenseWgServerUuid, 'OPNsense server UUID not set, init() must be called first');
 		const createClientRes = await fetch(
 			`${this.opnsenseUrl}/api/wireguard/client/addClientBuilder`,
 			{
 				method: 'POST',
 				headers: {
 					Authorization: this.opnsenseAuth,
 					Accept: 'application/json',
 					'Content-Type': 'application/json',
 				},
 				body: JSON.stringify({
 					configbuilder: {
 						enabled: '1',
 						name: `vpgen-${opnsenseSanitezedUsername(params.user.username)}`,
 						pubkey: params.publicKey,
 						psk: params.preSharedKey,
 						tunneladdress: params.allowedIps,
 						server: this.opnsenseWgServerUuid,
 						endpoint: '',
 					},
 				}),
 			},
 		);
 		const createClientResJson = await createClientRes.json();
 		if (createClientResJson['result'] !== 'saved') {
 			console.error('Error creating client in OPNsense', createClientResJson);
 			return err(new Error('Failed to create client in OPNsense'));
 		}
 		const reconfigureRes = await fetch(`${this.opnsenseUrl}/api/wireguard/service/reconfigure`, {
 			method: 'POST',
 			headers: {
 				Authorization: this.opnsenseAuth,
 				Accept: 'application/json',
 			},
 		});
 		if (reconfigureRes.status !== 200) {
 			console.error('Error reconfiguring OPNsense', reconfigureRes);
 			return err(new Error('Failed to reconfigure OPNsense'));
 		}
 		return ok(null);
 	}
 	async findConnections(user: User): Promise<Result<ClientConnection[], Error>> {
 		const res = await fetch(`${this.opnsenseUrl}/api/wireguard/service/show`, {
 			method: 'POST',
 			headers: {
 				Authorization: this.opnsenseAuth,
 				Accept: 'application/json',
 				'Content-Type': 'application/json',
 			},
 			body: JSON.stringify({
 				current: 1,
 				// "rowCount": 7,
 				sort: {},
 				// TODO: use a more unique search phrase
 				// unfortunately 64 character limit,
 				// but it should be fine if users can't change their own username
 				searchPhrase: `vpgen-${opnsenseSanitezedUsername(user.username)}`,
 				type: ['peer'],
 			}),
 		});
 		const peers = await res.json();
 		if (!is<OpnsenseWgPeers>(peers)) {
 			console.error('Unexpected response for OPNsense WireGuard peers', peers);
 			return err(new Error('Failed to fetch OPNsense WireGuard peers'));
 		}
 		return ok(
 			peers.rows.map((peer) => {
 				return {
 					publicKey: peer['public-key'],
 					endpoint: peer['endpoint'],
 					allowedIps: peer['allowed-ips'],
 					transferRx: peer['transfer-rx'],
 					transferTx: peer['transfer-tx'],
 					latestHandshake: peer['latest-handshake'] * 1000,
 				};
 			}),
 		);
 	}
 	async deleteClient(publicKey: string): Promise<Result<null, Error>> {
 		const client = await this.findOpnsenseClient(publicKey);
 		const clientUuid = client?.uuid;
 		if (typeof clientUuid !== 'string') {
 			console.error('Failed to get OPNsense client UUID for deletion', client);
 			return err(new Error('Failed to get OPNsense client UUID for deletion'));
 		}
 		const res = await fetch(`${this.opnsenseUrl}/api/wireguard/client/delClient/${clientUuid}`, {
 			method: 'POST',
 			headers: {
 				Authorization: this.opnsenseAuth,
 				Accept: 'application/json',
 			},
 		});
 		const resJson = await res.json();
 		if (resJson['result'] !== 'deleted') {
 			console.error('Failed to delete OPNsense client', resJson);
 			return err(new Error('Failed to delete OPNsense client'));
 		}
 		return ok(null);
 	}
 	private async findOpnsenseClient(publicKey: string) {
 		const res = await fetch(`${this.opnsenseUrl}/api/wireguard/client/searchClient`, {
 			method: 'POST',
 			headers: {
 				Authorization: this.opnsenseAuth,
 				Accept: 'application/json',
 				'Content-Type': 'application/json',
 			},
 			body: JSON.stringify({
 				current: 1,
 				sort: {},
 				searchPhrase: publicKey,
 				type: ['peer'],
 			}),
 		});
 		return (await res.json())?.rows?.[0] ?? null;
 	}
 }
 function opnsenseSanitezedUsername(username: string) {
 	return username.slice(0, 63).replace(/[^a-zA-Z0-9_-]/g, '_');
 }
 export type OpnsenseParams = {
 	opnsenseUrl: string;
 	opnsenseApiKey: string;
 	opnsenseApiSecret: string;
 	opnsenseWgIfname: string;
 };
--- a/src/lib/types/index.ts
+++ b/src/lib/types/index.ts
@ -1,2 +1,27 @@
-export type { Result } from './result';
+class Ok<T> {
-export { ok, err } from './result';
+	readonly _tag = 'ok';
 	value: T;
 	constructor(value: T) {
 		this.value = value;
 	}
 }
 class Err<E> {
 	readonly _tag = 'err';
 	error: E;
 	constructor(error: E) {
 		this.error = error;
 	}
 }
 export type Result<T, E> = Ok<T> | Err<E>;
 export function err<E>(e: E): Err<E> {
 	return new Err(e);
 }
 export function ok<T>(t: T): Ok<T> {
 	return new Ok(t);
 }
--- a/src/lib/types/result.ts
+++ b/src/lib/types/result.ts
@ -1,27 +0,0 @@
 class Ok<T> {
 	readonly _tag = 'ok';
 	value: T;
 	constructor(value: T) {
 		this.value = value;
 	}
 }
 class Err<E> {
 	readonly _tag = 'err';
 	error: E;
 	constructor(error: E) {
 		this.error = error;
 	}
 }
 export type Result<T, E> = Ok<T> | Err<E>;
 export function err<E>(e: E): Err<E> {
 	return new Err(e);
 }
 export function ok<T>(t: T): Ok<T> {
 	return new Ok(t);
 }
--- a/src/lib/utils.ts
+++ b/src/lib/utils.ts
@ -4,11 +4,3 @@ import { twMerge } from "tailwind-merge";
 export function cn(...inputs: ClassValue[]) {
 	return twMerge(clsx(inputs));
 }
 export function envToBool(value: string | undefined, defaultValue = false): boolean {
 	if (typeof value === "undefined") {
 		return defaultValue;
 	}
 	return ['true', '1', 'yes'].includes(value.toLowerCase());
 }
--- a/src/routes/api/connections/+server.ts
+++ b/src/routes/api/connections/+server.ts
@ -1,43 +1,44 @@
 import { error } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 import { opnsenseAuth, opnsenseUrl } from '$lib/server/opnsense';
 import type { OpnsenseWgPeers } from '$lib/opnsense/wg';
 import { findDevices } from '$lib/server/devices';
 import type { ConnectionDetails } from '$lib/connections';
-import type { Result } from '$lib/types';
+import { opnsenseSanitezedUsername } from '$lib/opnsense';
 import type { ClientConnection } from '$lib/server/types';
 import wgProvider from '$lib/server/wg-provider';
 export const GET: RequestHandler = async (event) => {
 	if (!event.locals.user) {
 		return error(401, 'Unauthorized');
 	}
 	console.debug('/api/connections');
-
+	const peers = await fetchOpnsensePeers(event.locals.user.username);
-	const peersResult: Result<ClientConnection[], Error> = await wgProvider.findConnections(event.locals.user);
+	console.debug('/api/connections: fetched opnsense peers', peers.rowCount);
 	if (peersResult._tag === 'err') return error(500, peersResult.error.message);
 	const devices = await findDevices(event.locals.user.id);
 	console.debug('/api/connections: fetched db devices');
 	if (!peers) {
 		return error(500, 'Error getting info from OPNsense API');
 	}
 	// TODO: this is all garbage performance
 	// filter devices with no recent handshakes
-	const peers = peersResult.value.filter((peer) => peer.latestHandshake);
+	peers.rows = peers.rows.filter((peer) => peer['latest-handshake']);
 	// start from devices, to treat db as the source of truth
 	const connections: ConnectionDetails[] = [];
 	for (const device of devices) {
-		const peerData = peers.find((peer) => peer.publicKey === device.publicKey);
+		const peerData = peers.rows.find((peer) => peer['public-key'] === device.publicKey);
 		if (!peerData) continue;
 		connections.push({
 			deviceId: device.id,
 			deviceName: device.name,
 			devicePublicKey: device.publicKey,
-			deviceIps: peerData.allowedIps.split(','),
+			deviceIps: peerData['allowed-ips'].split(','),
-			endpoint: peerData.endpoint,
+			endpoint: peerData['endpoint'],
 			// swap rx and tx, since the opnsense values are from the server perspective
-			transferRx: peerData.transferTx,
+			transferRx: peerData['transfer-tx'],
-			transferTx: peerData.transferRx,
+			transferTx: peerData['transfer-rx'],
-			latestHandshake: peerData.latestHandshake,
+			latestHandshake: peerData['latest-handshake'] * 1000,
 		});
 	}
@ -48,3 +49,25 @@ export const GET: RequestHandler = async (event) => {
 		},
 	});
 };
 async function fetchOpnsensePeers(username: string) {
 	const res = await fetch(`${opnsenseUrl}/api/wireguard/service/show`, {
 		method: 'POST',
 		headers: {
 			Authorization: opnsenseAuth,
 			Accept: 'application/json',
 			'Content-Type': 'application/json',
 		},
 		body: JSON.stringify({
 			current: 1,
 			// "rowCount": 7,
 			sort: {},
 			// TODO: use a more unique search phrase
 			// unfortunately 64 character limit,
 			// but it should be fine if users can't change their own username
 			searchPhrase: `vpgen-${opnsenseSanitezedUsername(username)}`,
 			type: ['peer'],
 		}),
 	});
 	return (await res.json()) as OpnsenseWgPeers;
 }
--- a/src/routes/auth/+page.server.ts
+++ b/src/routes/auth/+page.server.ts
@ -1,14 +1,14 @@
-import { fail, redirect } from '@sveltejs/kit';
+import { fail, redirect } from "@sveltejs/kit";
-import { invalidateSession, deleteSessionTokenCookie } from '$lib/server/auth';
+import { invalidateSession, deleteSessionTokenCookie } from "$lib/server/auth";
-import type { Actions } from './$types';
+import type { Actions } from "./$types";
 export const actions: Actions = {
-	logout: async ({ locals, cookies }) => {
+	logout: async (event) => {
-		if (locals.session === null) {
+		if (event.locals.session === null) {
 			return fail(401);
 		}
-		await invalidateSession(locals.session.id);
+		await invalidateSession(event.locals.session.id);
-		deleteSessionTokenCookie(cookies);
+		deleteSessionTokenCookie(event);
-		redirect(302, '/');
+		return redirect(302, "/");
-	},
+	}
 };
--- a/src/routes/auth/[provider]/+server.ts
+++ b/src/routes/auth/[provider]/+server.ts
@ -1,36 +0,0 @@
 import { generateCodeVerifier, generateState } from 'arctic';
 import { oauthProviders } from '$lib/server/oauth';
 import { is } from 'typia';
 import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
 export async function GET({ params: { provider }, url, cookies }) {
 	if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
 		return new Response(null, { status: 404 });
 	}
 	const oauthProvider = oauthProviders[provider];
 	const inviteToken = url.searchParams.get('invite') ?? '';
 	const state = generateState();
 	const codeVerifier = generateCodeVerifier();
 	const authUrl = oauthProvider.createAuthorizationURL(state + inviteToken, codeVerifier);
 	cookies.set(`${provider}_oauth_state`, state, {
 		path: '/',
 		httpOnly: true,
 		maxAge: 60 * 10, // 10 minutes
 		sameSite: 'lax',
 	});
 	cookies.set(`${provider}_code_verifier`, codeVerifier, {
 		path: '/',
 		httpOnly: true,
 		maxAge: 60 * 10, // 10 minutes
 		sameSite: 'lax',
 	});
 	return new Response(null, {
 		status: 302,
 		headers: {
 			Location: authUrl.toString(),
 		},
 	});
 }
--- a/src/routes/auth/[provider]/callback/+page.server.ts
+++ b/src/routes/auth/[provider]/callback/+page.server.ts
@ -1,76 +0,0 @@
 import { is } from 'typia';
 import type { PageServerLoad } from './$types';
 import { error, redirect } from '@sveltejs/kit';
 import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
 import { oauthProviders } from '$lib/server/oauth';
 import { ArcticFetchError, OAuth2RequestError } from 'arctic';
 import { db } from '$lib/server/db';
 import * as table from '$lib/server/db/schema';
 import { eq } from 'drizzle-orm';
 import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
 export const load: PageServerLoad = async ({ params: { provider }, url, cookies }) => {
 	if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
 		error(404);
 	}
 	const oauthProvider = oauthProviders[provider];
 	const code = url.searchParams.get('code');
 	const state = url.searchParams.get('state');
 	const storedState = cookies.get(`${provider}_oauth_state`) ?? null;
 	const codeVerifier = cookies.get(`${provider}_code_verifier`) ?? null;
 	if (code === null || state === null || storedState === null || codeVerifier === null) {
 		error(400, 'Missing url parameters');
 	}
 	const stateGeneratedToken = state.slice(0, storedState.length);
 	const stateInviteToken = state.slice(storedState.length);
 	if (stateGeneratedToken !== storedState) {
 		error(400, 'Invalid state in url');
 	}
 	let claims;
 	try {
 		claims = await oauthProvider.validateAuthorizationCode(code, codeVerifier);
 	} catch (e) {
 		if (e instanceof OAuth2RequestError) {
 			console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
 			error(400, 'Invalid authorization code');
 		}
 		if (e instanceof ArcticFetchError) {
 			console.debug('Arctic: failed to call `fetch()`', e);
 			error(400, 'Failed to validate authorization code');
 		}
 		console.error('Unexpected error validating authorization code', code, e);
 		error(500);
 	}
 	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, claims.sub) });
 	if (existingUser) {
 		const session = await createSession(existingUser.id);
 		setSessionTokenCookie(cookies, session.id, session.expiresAt);
 		redirect(302, '/');
 	}
 	if (oauthProvider.requireInvite && !isValidInviteToken(stateInviteToken)) {
 		const message =
 			stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
 		error(403, 'Not Authorized: ' + message);
 	}
 	const user: table.User = {
 		id: claims.sub,
 		authSource: provider,
 		username: claims.username,
 		name: claims.name,
 	};
 	await db.insert(table.users).values(user);
 	console.log('created user', user, 'using provider', provider, 'with invite token', stateInviteToken);
 	const session = await createSession(user.id);
 	setSessionTokenCookie(cookies, session.id, session.expiresAt);
 	redirect(302, '/');
 };
--- a/src/routes/auth/authentik/+server.ts
+++ b/src/routes/auth/authentik/+server.ts
@ -0,0 +1,30 @@
 import { generateState, generateCodeVerifier } from "arctic";
 import { authentik } from "$lib/server/oauth";
 import type { RequestEvent } from "@sveltejs/kit";
 export async function GET(event: RequestEvent): Promise<Response> {
 	const state = generateState();
 	const codeVerifier = generateCodeVerifier();
 	const url = authentik.createAuthorizationURL(state, codeVerifier, ["openid", "profile"]);
 	event.cookies.set("authentik_oauth_state", state, {
 		path: "/",
 		httpOnly: true,
 		maxAge: 60 * 10, // 10 minutes
 		sameSite: "lax"
 	});
 	event.cookies.set("authentik_code_verifier", codeVerifier, {
 		path: "/",
 		httpOnly: true,
 		maxAge: 60 * 10, // 10 minutes
 		sameSite: "lax"
 	});
 	return new Response(null, {
 		status: 302,
 		headers: {
 			Location: url.toString()
 		}
 	});
 }
--- a/src/routes/auth/authentik/callback/+server.ts
+++ b/src/routes/auth/authentik/callback/+server.ts
@ -0,0 +1,78 @@
 import { createSession, setSessionTokenCookie } from "$lib/server/auth";
 import { authentik } from "$lib/server/oauth";
 import { decodeIdToken } from "arctic";
 import type { RequestEvent } from "@sveltejs/kit";
 import type { OAuth2Tokens } from "arctic";
 import { db } from '$lib/server/db';
 import { eq } from 'drizzle-orm';
 import * as table from '$lib/server/db/schema';
 export async function GET(event: RequestEvent): Promise<Response> {
 	const code = event.url.searchParams.get("code");
 	const state = event.url.searchParams.get("state");
 	const storedState = event.cookies.get("authentik_oauth_state") ?? null;
 	const codeVerifier = event.cookies.get("authentik_code_verifier") ?? null;
 	if (code === null || state === null || storedState === null || codeVerifier === null) {
 		return new Response(null, {
 			status: 400
 		});
 	}
 	if (state !== storedState) {
 		return new Response(null, {
 			status: 400
 		});
 	}
 	let tokens: OAuth2Tokens;
 	try {
 		tokens = await authentik.validateAuthorizationCode(code, codeVerifier);
 	} catch (e) {
 		// Invalid code or client credentials
 		return new Response(null, {
 			status: 400
 		});
 	}
 	const claims = decodeIdToken(tokens.idToken()) as { sub: string, preferred_username: string, name: string };
 	console.info("claims", claims);
 	const userId: string = claims.sub;
 	const username: string = claims.preferred_username;
 	const existingUser = await db.query.users.findFirst({where: eq(table.users.id, userId)});
 	if (existingUser) {
 		const session = await createSession(existingUser.id);
 		setSessionTokenCookie(event, session.id, session.expiresAt);
 		return new Response(null, {
 			status: 302,
 			headers: {
 				Location: "/"
 			}
 		});
 	}
 	const user: table.User = {
 		id: userId,
 		username,
 		name: claims.name as string,
 	};
 	try {
 		await db.insert(table.users).values(user);
 		const session = await createSession(user.id);
 		setSessionTokenCookie(event, session.id, session.expiresAt);
 	} catch (e) {
 		console.error('failed to create user', e);
 		return new Response(null, {
 			status: 500
 		});
 	}
 	return new Response(null, {
 		status: 302,
 		headers: {
 			Location: "/"
 		}
 	});
 }
--- a/src/routes/devices/+page.server.ts
+++ b/src/routes/devices/+page.server.ts
@ -1,14 +1,13 @@
 import type { Actions } from './$types';
 import { createDevice } from '$lib/server/devices';
-import { error, fail, redirect } from '@sveltejs/kit';
+import { error, redirect } from '@sveltejs/kit';
 import wgProvider from '$lib/server/wg-provider';
 export const actions = {
 	create: async (event) => {
 		if (!event.locals.user) return error(401, 'Unauthorized');
 		const formData = await event.request.formData();
 		const name = formData.get('name');
-		if (typeof name !== 'string' || name.trim() === '') return fail(400, { name, invalid: true });
+		if (typeof name !== 'string' || name.trim() === '') return error(400, 'Invalid name');
 		const res = await createDevice({
 			name: name.trim(),
 			user: event.locals.user,
--- a/src/routes/devices/+page.svelte
+++ b/src/routes/devices/+page.svelte
@ -4,11 +4,10 @@
 	import { Badge } from '$lib/components/ui/badge';
 	import { Button, buttonVariants } from '$lib/components/ui/button';
 	import { Input } from '$lib/components/ui/input';
-	import { LucideLoaderCircle, LucidePlus } from '@lucide/svelte';
+	import { LucideLoaderCircle, LucidePlus } from 'lucide-svelte';
 	import type { PageData } from './$types';
 	import { Label } from '$lib/components/ui/label';
 	import { page } from '$app/state';
 	import DeleteDevice from './delete-device.svelte';
 	const { data }: { data: PageData } = $props();
@ -57,9 +56,6 @@
 						<Badge class="select-auto bg-background" variant="secondary">{ip}</Badge>
 					{/each}
 				</Table.Cell>
 				<Table.Cell class="py-0">
 					<DeleteDevice device={device} />
 				</Table.Cell>
 			</Table.Row>
 		{/each}
 	</Table.Body>
@ -90,11 +86,11 @@
 					class="max-w-[20ch]"
 				/>
 			</div>
-			<Dialog.Footer class="gap-y-2">
+			<Dialog.Footer>
-				{#if submitted}
+				<Button type="submit" disabled={submitted}>
-					<LucideLoaderCircle class="size-4 animate-spin place-self-center" />
+					{#if submitted}
-				{/if}
+						<LucideLoaderCircle class="size-4 mr-2 animate-spin" />
-				<Button type="submit" disabled={submitted} class="">
+					{/if}
 					Add
 				</Button>
 			</Dialog.Footer>
--- a/src/routes/devices/[id]/+page.server.ts
+++ b/src/routes/devices/[id]/+page.server.ts
@ -1,23 +0,0 @@
 import { error, redirect } from '@sveltejs/kit';
 import { deleteDevice } from '$lib/server/devices/delete';
 import type { Actions } from './$types';
 export const actions = {
 	delete: async (event) => {
 		if (!event.locals.user) return error(401, 'Unauthorized');
 		const deviceId = Number.parseInt(event.params.id);
 		if (Number.isNaN(deviceId)) return error(400, 'Invalid device id');
 		const res = await deleteDevice(event.locals.user.id, deviceId);
 		switch (res._tag) {
 			case 'ok': {
 				return redirect(303, '/devices');
 			}
 			case 'err': {
 				const [status, message] = res.error;
 				return error(status, message);
 			}
 		}
 	},
 } satisfies Actions;
--- a/src/routes/devices/[id]/+page.svelte
+++ b/src/routes/devices/[id]/+page.svelte
@ -3,7 +3,6 @@
 	import QRCode from 'qrcode-svg';
 	import { CodeSnippet } from '$lib/components/app/code-snippet';
 	import { WireguardGuide } from '$lib/components/app/wireguard-guide';
 	import DeleteDevice from '../delete-device.svelte';
 	const { data }: { data: PageData } = $props();
@ -26,10 +25,7 @@
 	<title>{data.device.name}</title>
 </svelte:head>
-<div class="flex justify-between">
+<h1 class="w-fit rounded-lg bg-accent p-2 text-lg">{data.device.name}</h1>
 	<h1 class="w-fit rounded-lg bg-accent p-2 text-lg">{data.device.name}</h1>
 	<DeleteDevice device={data.device} />
 </div>
 <section id="device-configuration" class="flex flex-wrap items-center justify-center gap-4">
 	<CodeSnippet data={data.config} filename={deviceWgCleanedName} copy download />
--- a/src/routes/devices/delete-device.svelte
+++ b/src/routes/devices/delete-device.svelte
@ -1,39 +0,0 @@
 <script>
 	import { Button, buttonVariants } from '$lib/components/ui/button';
 	import * as Dialog from '$lib/components/ui/dialog';
 	import { LucideLoaderCircle, LucideTrash } from '@lucide/svelte';
 	const { device } = $props();
 	let submitted = $state(false);
 </script>
 <Dialog.Root>
 	<Dialog.Trigger class={buttonVariants({ variant: 'destructive', size: 'sm', class: 'bg-accent hover:bg-destructive' })}>
 		<LucideTrash />
 	</Dialog.Trigger>
 	<Dialog.Content>
 		<form class="contents" method="post" action="/devices/{device.id}?/delete"
 					onsubmit={() => submitted = true}
 		>
 			<Dialog.Header>
 				Are you sure you want to permanently delete "{device.name}"?
 			</Dialog.Header>
 			You will no longer be able to connect from this device.
 			<Dialog.Footer class="gap-y-2">
 				{#if submitted}
 					<LucideLoaderCircle class="size-4 animate-spin place-self-center" />
 				{/if}
 				<Button type="submit" variant="destructive" disabled={submitted}>
 					Delete
 				</Button>
 				<Dialog.Close>
 					{#snippet child({ props })}
 						<Button {...props} disabled={submitted}>
 							Cancel
 						</Button>
 					{/snippet}
 				</Dialog.Close>
 			</Dialog.Footer>
 		</form>
 	</Dialog.Content>
 </Dialog.Root>
--- a/src/routes/invite/[id]/+layout.server.ts
+++ b/src/routes/invite/[id]/+layout.server.ts
@ -1,8 +0,0 @@
 import type { LayoutServerLoad } from './$types';
 import { redirect } from '@sveltejs/kit';
 import { isValidInviteToken } from '$lib/server/auth';
 export const load: LayoutServerLoad = ({ params, locals }) => {
 	if (!isValidInviteToken(params.id)) redirect(302, '/');
 	if (locals.user !== null) redirect(302, '/');
 };
--- a/src/routes/invite/[id]/+page.svelte
+++ b/src/routes/invite/[id]/+page.svelte
@ -1,16 +0,0 @@
 <script lang="ts">
 	import { AuthForm } from '$lib/components/app/auth-form';
 	import { page } from '$app/state';
 	let inviteToken = page.params.id;
 </script>
 <svelte:head>
 	<title>You are Invited to VPGen</title>
 </svelte:head>
 <h1 class="mb-2 scroll-m-20 text-center text-3xl font-extrabold tracking-tight lg:text-4xl">
 	You are invited to VPGen
 </h1>
 <AuthForm {inviteToken} />
--- a/src/routes/user/+page.svelte
+++ b/src/routes/user/+page.svelte
@ -1,7 +1,7 @@
 <script lang="ts">
 	import { invalidate, invalidateAll } from '$app/navigation';
 	import { Button } from '$lib/components/ui/button';
-	import { LucideLoaderCircle, LucideLogOut, LucideRefreshCw } from '@lucide/svelte';
+	import { LucideLoaderCircle, LucideLogOut, LucideRefreshCw } from 'lucide-svelte';
 	import { CodeSnippet } from '$lib/components/app/code-snippet/index.js';
 	let { data } = $props();
--- a/tsconfig.json
+++ b/tsconfig.json
@ -9,17 +9,11 @@
 		"skipLibCheck": true,
 		"sourceMap": true,
 		"strict": true,
-		"moduleResolution": "bundler",
+		"moduleResolution": "bundler"
 		"plugins": [
 			{
 				"transform": "typia/lib/transform"
 			}
 		],
 		"strictNullChecks": true
 	}
 	// Path aliases are handled by https://svelte.dev/docs/kit/configuration#alias
 	// except $lib which is handled by https://svelte.dev/docs/kit/configuration#files
 	//
 	// If you want to overwrite includes/excludes, make sure to copy over the relevant includes/excludes
 	// from the referenced tsconfig.json - TypeScript does not merge them in
-}
+}
--- a/vite.config.ts
+++ b/vite.config.ts
@ -1,7 +1,6 @@
 import { sveltekit } from '@sveltejs/kit/vite';
 import { defineConfig } from 'vite';
 import UnpluginTypia from '@ryoppippi/unplugin-typia/vite';
 export default defineConfig({
-	plugins: [sveltekit(), UnpluginTypia()],
+	plugins: [sveltekit()]
 });
`@ -1,2 +1 @@`
	`engine-strict=true`	`engine-strict=true`
	`@jsr:registry=https://npm.jsr.io`
		`@ -1 +0,0 @@`
			ALTER TABLE `users` ADD `auth_source` text DEFAULT 'authentik' NOT NULL;
		`@ -1 +0,0 @@`
			ALTER TABLE `devices` DROP COLUMN `opnsense_id`;
		`@ -1,2 +0,0 @@`
			`export { authentik } from './authentik';`
			`export { google } from './google';`