CaZzzer/vpgen
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: CaZzzer:e9d4be1d53f7dbf711f1444509908d8f90260f29
Branches Tags
CaZzzer:develop CaZzzer:feature/wg-quick CaZzzer:feature/invite CaZzzer:feature/auth CaZzzer:feature/auth-1 CaZzzer:feature/ci CaZzzer:feature/api CaZzzer:feature/provider-interface-1 CaZzzer:feature/provider-interface CaZzzer:feature/logging CaZzzer:feature/qrcode CaZzzer:feature/trailing-slashes CaZzzer:feature/opnsense CaZzzer:master
..
compare: CaZzzer:feature/logging
Branches Tags
CaZzzer:feature/wg-quick CaZzzer:develop CaZzzer:feature/invite CaZzzer:feature/auth CaZzzer:feature/auth-1 CaZzzer:feature/ci CaZzzer:feature/api CaZzzer:feature/provider-interface-1 CaZzzer:feature/provider-interface CaZzzer:feature/logging CaZzzer:feature/qrcode CaZzzer:feature/trailing-slashes CaZzzer:feature/opnsense CaZzzer:master

1 Commits
e9d4be1d53 ... feature/lo

Author SHA1 Message Date
Yuri Tatishchev
b38ab19c3e WIP: more proper logging 2025-01-09 15:01:03 -08:00
40 changed files with 165 additions and 1973 deletions
Expand all files Collapse all files

5
.env.example
View File

@@ -1,12 +1,7 @@
DATABASE_URL=file:local.db DATABASE_URL=file:local.db
AUTH_DOMAIN=auth.lab.cazzzer.com AUTH_DOMAIN=auth.lab.cazzzer.com
AUTH_CLIENT_ID= AUTH_CLIENT_ID=
AUTH_CLIENT_SECRET= AUTH_CLIENT_SECRET=
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW
OPNSENSE_API_URL=https://opnsense.cazzzer.com OPNSENSE_API_URL=https://opnsense.cazzzer.com
OPNSENSE_API_KEY= OPNSENSE_API_KEY=

6
.idea/bun.xml generated
View File

@@ -1,6 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="BunSettings">
<option name="bunPath" value="bun" />
</component>
</project>

2
.idea/modules.xml generated
View File

@@ -2,7 +2,7 @@
<project version="4"> <project version="4">
<component name="ProjectModuleManager"> <component name="ProjectModuleManager">
<modules> <modules>
<module fileurl="file://$PROJECT_DIR$/.idea/vpgen.iml" filepath="$PROJECT_DIR$/.idea/vpgen.iml" /> <module fileurl="file://$PROJECT_DIR$/.idea/vpgen-sv5.iml" filepath="$PROJECT_DIR$/.idea/vpgen-sv5.iml" />
</modules> </modules>
</component> </component>
</project> </project>

0
.idea/vpgen.iml → .idea/vpgen-sv5.iml generated
View File

1
.npmrc
View File

@@ -1,2 +1 @@
engine-strict=true engine-strict=true
@jsr:registry=https://npm.jsr.io

4
Dockerfile
View File

@@ -8,12 +8,12 @@ COPY package.json bun.lockb /app/
# this will cache them and speed up future builds # this will cache them and speed up future builds
FROM base AS install FROM base AS install
RUN mkdir -p /temp/dev RUN mkdir -p /temp/dev
COPY package.json bun.lock /temp/dev/ COPY package.json bun.lockb /temp/dev/
RUN cd /temp/dev && bun install --frozen-lockfile RUN cd /temp/dev && bun install --frozen-lockfile
# install with --production (exclude devDependencies) # install with --production (exclude devDependencies)
RUN mkdir -p /temp/prod RUN mkdir -p /temp/prod
COPY package.json bun.lock /temp/prod/ COPY package.json bun.lockb /temp/prod/
RUN cd /temp/prod && bun install --frozen-lockfile --production RUN cd /temp/prod && bun install --frozen-lockfile --production
# copy node_modules from temp directory # copy node_modules from temp directory

57
README.md
View File

@@ -1,29 +1,40 @@
# VPGen # sv
One-click WireGuard config generator, work in progress. Everything you need to build a Svelte project, powered by [`sv`](https://github.com/sveltejs/cli).
## Why? ## Creating a project
Make it easier to share VPN access with friends/family, If you're seeing this, you've probably already done this step. Congrats!
making use of existing networking infrastructure.
## How? ```bash
# create a new project in the current directory
npx sv create
Currently, the supported backend is [OPNsense](https://opnsense.org/). # create a new project in my-app
VPGen just creates WireGuard clients on the configured interface via the OPNsense API. npx sv create my-app
Future plans include supporting other API backends (e.g. [Netmaker](https://github.com/gravitl/netmaker))
and [wg-quick](https://www.wireguard.com/quickstart/) for standalone setups.
## Development
Development uses bun.
An additional prepare step is needed to set up typia for type validation.
For example .env settings, see [.env.example](.env.example)
```shell
bun install
bun run prepare
bun run dev
``` ```
## Developing
Once you've created a project and installed dependencies with `npm install` (or `pnpm install` or `yarn`), start a development server:
```bash
npm run dev
# or start the server and open the app in a new browser tab
npm run dev -- --open
```
## Building
To create a production version of your app:
```bash
npm run build
```
You can preview the production build with `npm run preview`.
> To deploy your app, you may need to install an [adapter](https://svelte.dev/docs/kit/adapters) for your target environment.
When deploying, set `ORIGIN` to the URL of your site to prevent cross-site request errors.

25
bruno/opnsense-api/Delete Client.bru
View File

@@ -1,25 +0,0 @@
meta {
name: Delete Client
type: http
seq: 11
}
post {
url: {{base}}/api/wireguard/client/delClient/:clientUuid
body: none
auth: inherit
}
params:path {
clientUuid: d484d381-4d6f-4444-8e9d-9cda7b5b2243
}
body:json {
{
"current": 1,
"rowCount": 7,
"sort": {},
"servers": ["{{serverUuid}}"],
"searchPhrase": "{{searchPhrase}}"
}
}

1170
bun.lock
View File

File diff suppressed because it is too large Load Diff

BIN
bun.lockb Executable file
View File

Binary file not shown.

1
bunfig.toml Normal file
View File

@@ -0,0 +1 @@
logLevel = "info"

1
drizzle/0001_equal_unicorn.sql
View File

@@ -1 +0,0 @@
ALTER TABLE `users` ADD `auth_source` text DEFAULT 'authentik' NOT NULL;

229
drizzle/meta/0001_snapshot.json
View File

@@ -1,229 +0,0 @@
{
"version": "6",
"dialect": "sqlite",
"id": "cc1fa973-1e9c-4bd6-b082-d7cf36f7342c",
"prevId": "48b7ce55-58f1-4b97-a144-ca733576dba6",
"tables": {
"devices": {
"name": "devices",
"columns": {
"id": {
"name": "id",
"type": "integer",
"primaryKey": true,
"notNull": true,
"autoincrement": true
},
"user_id": {
"name": "user_id",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"name": {
"name": "name",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"opnsense_id": {
"name": "opnsense_id",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"public_key": {
"name": "public_key",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"private_key": {
"name": "private_key",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"pre_shared_key": {
"name": "pre_shared_key",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"devices_public_key_unique": {
"name": "devices_public_key_unique",
"columns": [
"public_key"
],
"isUnique": true
}
},
"foreignKeys": {
"devices_user_id_users_id_fk": {
"name": "devices_user_id_users_id_fk",
"tableFrom": "devices",
"tableTo": "users",
"columnsFrom": [
"user_id"
],
"columnsTo": [
"id"
],
"onDelete": "no action",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"ip_allocations": {
"name": "ip_allocations",
"columns": {
"id": {
"name": "id",
"type": "integer",
"primaryKey": true,
"notNull": true,
"autoincrement": true
},
"device_id": {
"name": "device_id",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"ip_allocations_device_id_unique": {
"name": "ip_allocations_device_id_unique",
"columns": [
"device_id"
],
"isUnique": true
}
},
"foreignKeys": {
"ip_allocations_device_id_devices_id_fk": {
"name": "ip_allocations_device_id_devices_id_fk",
"tableFrom": "ip_allocations",
"tableTo": "devices",
"columnsFrom": [
"device_id"
],
"columnsTo": [
"id"
],
"onDelete": "set null",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"sessions": {
"name": "sessions",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"user_id": {
"name": "user_id",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"expires_at": {
"name": "expires_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
}
},
"indexes": {},
"foreignKeys": {
"sessions_user_id_users_id_fk": {
"name": "sessions_user_id_users_id_fk",
"tableFrom": "sessions",
"tableTo": "users",
"columnsFrom": [
"user_id"
],
"columnsTo": [
"id"
],
"onDelete": "no action",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"users": {
"name": "users",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"auth_source": {
"name": "auth_source",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false,
"default": "'authentik'"
},
"username": {
"name": "username",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"name": {
"name": "name",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

7
drizzle/meta/_journal.json
View File

@@ -8,13 +8,6 @@
"when": 1736295566569, "when": 1736295566569,
"tag": "0000_fair_tarantula", "tag": "0000_fair_tarantula",
"breakpoints": true "breakpoints": true
},
{
"idx": 1,
"version": "6",
"when": 1741936760967,
"tag": "0001_equal_unicorn",
"breakpoints": true
} }
] ]
} }

46
package.json
View File

@@ -1,5 +1,5 @@
{ {
"name": "vpgen", "name": "vpgen-sv5",
"version": "0.0.1", "version": "0.0.1",
"type": "module", "type": "module",
"scripts": { "scripts": {
@@ -14,52 +14,48 @@
"db:generate": "drizzle-kit generate", "db:generate": "drizzle-kit generate",
"db:migrate": "drizzle-kit migrate", "db:migrate": "drizzle-kit migrate",
"db:studio": "drizzle-kit studio", "db:studio": "drizzle-kit studio",
"db:seed": "bun run ./src/lib/server/db/seed.ts", "db:seed": "bun run ./src/lib/server/db/seed.ts"
"prepare": "ts-patch install"
}, },
"devDependencies": { "devDependencies": {
"@oslojs/crypto": "^1.0.1", "@oslojs/crypto": "^1.0.1",
"@oslojs/encoding": "^1.1.0", "@oslojs/encoding": "^1.1.0",
"@ryoppippi/unplugin-typia": "npm:@jsr/ryoppippi__unplugin-typia",
"@sveltejs/adapter-auto": "^3.3.1", "@sveltejs/adapter-auto": "^3.3.1",
"@sveltejs/adapter-node": "^5.2.12", "@sveltejs/adapter-node": "^5.2.11",
"@sveltejs/kit": "^2.19.1", "@sveltejs/kit": "^2.15.0",
"@sveltejs/vite-plugin-svelte": "^5.0.3", "@sveltejs/vite-plugin-svelte": "^5.0.3",
"@tailwindcss/container-queries": "^0.1.1", "@tailwindcss/container-queries": "^0.1.1",
"@tailwindcss/forms": "^0.5.10", "@tailwindcss/forms": "^0.5.9",
"@tailwindcss/typography": "^0.5.16", "@tailwindcss/typography": "^0.5.15",
"@types/better-sqlite3": "^7.6.12", "@types/better-sqlite3": "^7.6.12",
"@types/eslint": "^9.6.1", "@types/eslint": "^9.6.1",
"@types/qrcode-svg": "^1.1.5", "@types/qrcode-svg": "^1.1.5",
"arctic": "^2.3.4", "arctic": "^2.3.3",
"autoprefixer": "^10.4.21", "autoprefixer": "^10.4.20",
"bits-ui": "^0.22.0", "bits-ui": "^0.22.0",
"clsx": "^2.1.1", "clsx": "^2.1.1",
"eslint": "^9.22.0", "eslint": "^9.17.0",
"eslint-config-prettier": "^9.1.0", "eslint-config-prettier": "^9.1.0",
"eslint-plugin-svelte": "^2.46.1", "eslint-plugin-svelte": "^2.46.1",
"globals": "^15.15.0", "globals": "^15.14.0",
"ip-address": "^10.0.1", "ip-address": "^10.0.1",
"lucide-svelte": "^0.469.0", "lucide-svelte": "^0.469.0",
"prettier": "^3.5.3", "prettier": "^3.4.2",
"prettier-plugin-svelte": "^3.3.3", "prettier-plugin-svelte": "^3.3.2",
"prettier-plugin-tailwindcss": "^0.6.11", "prettier-plugin-tailwindcss": "^0.6.9",
"qrcode-svg": "^1.1.0", "qrcode-svg": "^1.1.0",
"svelte": "^5.23.0", "svelte": "^5.16.0",
"svelte-check": "^4.1.5", "svelte-check": "^4.1.1",
"tailwind-merge": "^2.6.0", "tailwind-merge": "^2.6.0",
"tailwind-variants": "^0.3.1", "tailwind-variants": "^0.3.0",
"tailwindcss": "^3.4.17", "tailwindcss": "^3.4.17",
"tailwindcss-animate": "^1.0.7", "tailwindcss-animate": "^1.0.7",
"ts-patch": "^3.3.0", "typescript": "^5.7.2",
"typescript": "~5.8.2", "typescript-eslint": "^8.18.2",
"typescript-eslint": "^8.26.1", "vite": "^6.0.6"
"typia": "^8.0.2",
"vite": "^6.2.2"
}, },
"dependencies": { "dependencies": {
"@libsql/client": "^0.14.0", "@libsql/client": "^0.14.0",
"drizzle-kit": "^0.30.5", "drizzle-kit": "^0.30.1",
"drizzle-orm": "^0.38.4" "drizzle-orm": "^0.38.3"
} }
} }

13
src/lib/assets/google.svg
View File

@@ -1,13 +0,0 @@
<svg width="40" height="40" viewBox="10 10 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_710_6221)">
<path d="M29.6 20.2273C29.6 19.5182 29.5364 18.8364 29.4182 18.1818H20V22.05H25.3818C25.15 23.3 24.4455 24.3591 23.3864 25.0682V27.5773H26.6182C28.5091 25.8364 29.6 23.2727 29.6 20.2273Z" fill="#4285F4"/>
<path d="M20 30C22.7 30 24.9636 29.1045 26.6181 27.5773L23.3863 25.0682C22.4909 25.6682 21.3454 26.0227 20 26.0227C17.3954 26.0227 15.1909 24.2636 14.4045 21.9H11.0636V24.4909C12.7091 27.7591 16.0909 30 20 30Z" fill="#34A853"/>
<path d="M14.4045 21.9C14.2045 21.3 14.0909 20.6591 14.0909 20C14.0909 19.3409 14.2045 18.7 14.4045 18.1V15.5091H11.0636C10.3864 16.8591 10 18.3864 10 20C10 21.6136 10.3864 23.1409 11.0636 24.4909L14.4045 21.9Z" fill="#FBBC04"/>
<path d="M20 13.9773C21.4681 13.9773 22.7863 14.4818 23.8227 15.4727L26.6909 12.6045C24.9591 10.9909 22.6954 10 20 10C16.0909 10 12.7091 12.2409 11.0636 15.5091L14.4045 18.1C15.1909 15.7364 17.3954 13.9773 20 13.9773Z" fill="#E94235"/>
</g>
<defs>
<clipPath id="clip0_710_6221">
<rect width="20" height="20" fill="white" transform="translate(10 10)"/>
</clipPath>
</defs>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 KiB

26
src/lib/components/app/auth-form/auth-form.svelte
View File

@@ -2,16 +2,14 @@
import { LucideLoaderCircle } from 'lucide-svelte'; import { LucideLoaderCircle } from 'lucide-svelte';
import { Button } from '$lib/components/ui/button'; import { Button } from '$lib/components/ui/button';
import { cn } from '$lib/utils.js'; import { cn } from '$lib/utils.js';
import googleIcon from '$lib/assets/google.svg';
let { inviteToken, class: className, ...rest }: { inviteToken?: string; class?: string; rest?: { [p: string]: unknown } } = $props(); let { class: className, ...rest }: { class?: string; rest?: { [p: string]: unknown } } = $props();
let isLoading = $state(false); let isLoading = $state(false);
</script> </script>
<div class={cn('flex gap-6', className)} {...rest}> <div class={cn('flex gap-6', className)} {...rest}>
<form method="get" action="/auth/authentik{inviteToken ? `?invite=${inviteToken}` : ''}"> <form method="get" action="/auth/authentik">
<input type="hidden" value={inviteToken} name="invite" />
<Button <Button
type="submit" type="submit"
onclick={() => { onclick={() => {
@@ -30,24 +28,4 @@
Sign in with Authentik Sign in with Authentik
</Button> </Button>
</form> </form>
<form method="get" action="/auth/google">
<input type="hidden" value={inviteToken} name="invite" />
<Button
type="submit"
onclick={() => {
isLoading = true;
}}
>
{#if isLoading}
<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
{:else}
<img
class="mr-2 h-4 w-4"
alt="Google Logo"
src={googleIcon}
/>
{/if}
Sign in with Google
</Button>
</form>
</div> </div>

2
src/lib/components/ui/dialog/dialog-content.svelte
View File

@@ -17,7 +17,7 @@
} = $props(); } = $props();
</script> </script>
<Dialog.Portal class="absolute" {...portalProps}> <Dialog.Portal {...portalProps}>
<Dialog.Overlay /> <Dialog.Overlay />
<DialogPrimitive.Content <DialogPrimitive.Content
bind:ref bind:ref

5
src/lib/server/auth.ts
View File

@@ -5,7 +5,6 @@ import { db } from '$lib/server/db';
import * as table from '$lib/server/db/schema'; import * as table from '$lib/server/db/schema';
import type { RequestEvent } from '@sveltejs/kit'; import type { RequestEvent } from '@sveltejs/kit';
import { dev } from '$app/environment'; import { dev } from '$app/environment';
import { env } from '$env/dynamic/private';
const DAY_IN_MS = 1000 * 60 * 60 * 24; const DAY_IN_MS = 1000 * 60 * 60 * 24;
@@ -80,8 +79,4 @@ export async function validateSession(sessionId: string) {
return { session, user }; return { session, user };
} }
export function isValidInviteToken(inviteToken: string) {
return inviteToken === env.INVITE_TOKEN;
}
export type SessionValidationResult = Awaited<ReturnType<typeof validateSession>>; export type SessionValidationResult = Awaited<ReturnType<typeof validateSession>>;

1
src/lib/server/db/schema.ts
View File

@@ -3,7 +3,6 @@ import { relations } from 'drizzle-orm';
export const users = sqliteTable('users', { export const users = sqliteTable('users', {
id: text('id').primaryKey(), id: text('id').primaryKey(),
authSource: text('auth_source').notNull().default('authentik'),
username: text('username').notNull(), username: text('username').notNull(),
name: text('name').notNull(), name: text('name').notNull(),
}); });

2
src/lib/server/db/seed.ts
View File

@@ -2,7 +2,7 @@ import { ipAllocations, users, devices } from './schema';
import { eq } from 'drizzle-orm'; import { eq } from 'drizzle-orm';
import assert from 'node:assert'; import assert from 'node:assert';
import { drizzle } from 'drizzle-orm/libsql'; import { drizzle } from 'drizzle-orm/libsql';
import * as schema from './schema'; import * as schema from '$lib/server/db/schema';
assert(process.env.DATABASE_URL, 'DATABASE_URL is not set'); assert(process.env.DATABASE_URL, 'DATABASE_URL is not set');
const db = drizzle(process.env.DATABASE_URL, { schema }); const db = drizzle(process.env.DATABASE_URL, { schema });

73
src/lib/server/devices/create.ts → src/lib/server/devices.ts
View File

@@ -1,11 +1,62 @@
import { devices, ipAllocations, type User } from '$lib/server/db/schema'; import type { User } from '$lib/server/db/schema';
import { err, ok, type Result } from '$lib/types'; import { ipAllocations, devices } from '$lib/server/db/schema';
import { db } from '$lib/server/db'; import { db } from '$lib/server/db';
import { count, eq, isNull } from 'drizzle-orm'; import { opnsenseAuth, opnsenseUrl, serverPublicKey, serverUuid } from '$lib/server/opnsense';
import { Address4, Address6 } from 'ip-address';
import { env } from '$env/dynamic/private'; import { env } from '$env/dynamic/private';
import { opnsenseAuth, opnsenseUrl, serverUuid } from '$lib/server/opnsense'; import { and, count, eq, isNull } from 'drizzle-orm';
import { err, ok, type Result } from '$lib/types';
import type { DeviceDetails } from '$lib/devices';
import { opnsenseSanitezedUsername } from '$lib/opnsense'; import { opnsenseSanitezedUsername } from '$lib/opnsense';
import { getIpsFromIndex } from './utils';
export async function findDevices(userId: string) {
return db.query.devices.findMany({
columns: {
id: true,
name: true,
publicKey: true,
privateKey: true,
preSharedKey: true,
},
with: {
ipAllocation: true,
},
where: eq(devices.userId, userId),
});
}
export async function findDevice(userId: string, deviceId: number) {
return db.query.devices.findFirst({
columns: {
id: true,
name: true,
publicKey: true,
privateKey: true,
preSharedKey: true,
},
with: {
ipAllocation: true,
},
where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
});
}
export function mapDeviceToDetails(
device: Awaited<ReturnType<typeof findDevices>>[0],
): DeviceDetails {
const ips = getIpsFromIndex(device.ipAllocation.id);
return {
id: device.id,
name: device.name,
publicKey: device.publicKey,
privateKey: device.privateKey,
preSharedKey: device.preSharedKey,
ips,
vpnPublicKey: serverPublicKey,
vpnEndpoint: env.VPN_ENDPOINT,
vpnDns: env.VPN_DNS,
};
}
export async function createDevice(params: { export async function createDevice(params: {
name: string; name: string;
@@ -118,6 +169,18 @@ async function getKeys() {
}; };
} }
export function getIpsFromIndex(ipIndex: number) {
ipIndex -= 1; // 1-indexed in the db
const v4StartingAddr = new Address4(env.IPV4_STARTING_ADDR);
const v6StartingAddr = new Address6(env.IPV6_STARTING_ADDR);
const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
const v6Offset = BigInt(ipIndex) << (128n - BigInt(env.IPV6_CLIENT_PREFIX_SIZE));
const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
const v6AllowedShort = v6Allowed.parsedAddress.join(':');
return [v4Allowed.address + '/32', v6AllowedShort + '/' + env.IPV6_CLIENT_PREFIX_SIZE];
}
async function opnsenseCreateClient(params: { async function opnsenseCreateClient(params: {
username: string; username: string;
pubkey: string; pubkey: string;

73
src/lib/server/devices/delete.ts
View File

@@ -1,73 +0,0 @@
import { and, eq } from 'drizzle-orm';
import { db } from '$lib/server/db';
import { devices } from '$lib/server/db/schema';
import { err, ok, type Result } from '$lib/types';
import { opnsenseAuth, opnsenseUrl } from '$lib/server/opnsense';
export async function deleteDevice(
userId: string,
deviceId: number,
): Promise<Result<null, [400 | 500, string]>> {
const device = await db.query.devices.findFirst({
columns: {
publicKey: true,
},
where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
});
if (!device) return err([400, 'Device not found']);
const opnsenseClientUuid = (await opnsenseFindClient(device.publicKey))?.['uuid'];
if (typeof opnsenseClientUuid !== 'string') {
console.error(
'failed to get OPNsense client for deletion for device',
deviceId,
device.publicKey,
);
return err([500, 'Error getting client from OPNsense']);
}
const opnsenseDeletionResult = await opnsenseDeleteClient(opnsenseClientUuid);
if (opnsenseDeletionResult?.['result'] !== 'deleted') {
console.error(
'failed to delete OPNsense client for device',
deviceId,
device.publicKey,
'\n',
'OPNsense client uuid:',
opnsenseClientUuid,
);
return err([500, 'Error deleting client in OPNsense']);
}
await db.delete(devices).where(eq(devices.id, deviceId));
return ok(null);
}
async function opnsenseFindClient(pubkey: string) {
const res = await fetch(`${opnsenseUrl}/api/wireguard/client/searchClient`, {
method: 'POST',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
current: 1,
// "rowCount": 7,
sort: {},
searchPhrase: pubkey,
type: ['peer'],
}),
});
return (await res.json())?.rows?.[0] ?? null;
}
async function opnsenseDeleteClient(clientUuid: string) {
const res = await fetch(`${opnsenseUrl}/api/wireguard/client/delClient/${clientUuid}`, {
method: 'POST',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
},
});
return res.json();
}

56
src/lib/server/devices/find.ts
View File

@@ -1,56 +0,0 @@
import { db } from '$lib/server/db';
import { and, eq } from 'drizzle-orm';
import { devices } from '$lib/server/db/schema';
import type { DeviceDetails } from '$lib/devices';
import { serverPublicKey } from '$lib/server/opnsense';
import { env } from '$env/dynamic/private';
import { getIpsFromIndex } from '$lib/server/devices/index';
export async function findDevices(userId: string) {
return db.query.devices.findMany({
columns: {
id: true,
name: true,
publicKey: true,
privateKey: true,
preSharedKey: true,
},
with: {
ipAllocation: true,
},
where: eq(devices.userId, userId),
});
}
export async function findDevice(userId: string, deviceId: number) {
return db.query.devices.findFirst({
columns: {
id: true,
name: true,
publicKey: true,
privateKey: true,
preSharedKey: true,
},
with: {
ipAllocation: true,
},
where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
});
}
export function mapDeviceToDetails(
device: Awaited<ReturnType<typeof findDevices>>[0],
): DeviceDetails {
const ips = getIpsFromIndex(device.ipAllocation.id);
return {
id: device.id,
name: device.name,
publicKey: device.publicKey,
privateKey: device.privateKey,
preSharedKey: device.preSharedKey,
ips,
vpnPublicKey: serverPublicKey,
vpnEndpoint: env.VPN_ENDPOINT,
vpnDns: env.VPN_DNS,
};
}

3
src/lib/server/devices/index.ts
View File

@@ -1,3 +0,0 @@
export { findDevices, findDevice, mapDeviceToDetails } from './find';
export { createDevice } from './create';
export { getIpsFromIndex } from './utils';

14
src/lib/server/devices/utils.ts
View File

@@ -1,14 +0,0 @@
import { Address4, Address6 } from 'ip-address';
import { env } from '$env/dynamic/private';
export function getIpsFromIndex(ipIndex: number) {
ipIndex -= 1; // 1-indexed in the db
const v4StartingAddr = new Address4(env.IPV4_STARTING_ADDR);
const v6StartingAddr = new Address6(env.IPV6_STARTING_ADDR);
const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
const v6Offset = BigInt(ipIndex) << (128n - BigInt(env.IPV6_CLIENT_PREFIX_SIZE));
const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
const v6AllowedShort = v6Allowed.parsedAddress.join(':');
return [v4Allowed.address + '/32', v6AllowedShort + '/' + env.IPV6_CLIENT_PREFIX_SIZE];
}

8
src/lib/server/oauth.ts
View File

@@ -1,4 +1,4 @@
import { Authentik, Google } from 'arctic'; import { Authentik } from 'arctic';
import { env } from '$env/dynamic/private'; import { env } from '$env/dynamic/private';
export const authentik = new Authentik( export const authentik = new Authentik(
@@ -7,9 +7,3 @@ export const authentik = new Authentik(
env.AUTH_CLIENT_SECRET, env.AUTH_CLIENT_SECRET,
`${env.ORIGIN}/auth/authentik/callback`, `${env.ORIGIN}/auth/authentik/callback`,
); );
export const google = new Google(
env.GOOGLE_CLIENT_ID,
env.GOOGLE_CLIENT_SECRET,
`${env.ORIGIN}/auth/google/callback`,
);

2
src/lib/server/opnsense/index.ts
View File

@@ -30,7 +30,7 @@ export async function fetchOpnsenseServer() {
const uuid = servers.rows.find((server) => server.name === opnsenseIfname)?.uuid; const uuid = servers.rows.find((server) => server.name === opnsenseIfname)?.uuid;
assert(uuid, 'Failed to find server UUID for OPNsense WireGuard server'); assert(uuid, 'Failed to find server UUID for OPNsense WireGuard server');
serverUuid = uuid; serverUuid = uuid;
console.log('OPNsense WireGuard server UUID:', serverUuid); console.info('OPNsense WireGuard server UUID:', serverUuid);
const resServerInfo = await fetch( const resServerInfo = await fetch(
`${opnsenseUrl}/api/wireguard/client/get_server_info/${serverUuid}`, `${opnsenseUrl}/api/wireguard/client/get_server_info/${serverUuid}`,

46
src/routes/auth/authentik/callback/+server.ts
View File

@@ -1,28 +1,27 @@
import { createSession, setSessionTokenCookie } from '$lib/server/auth'; import { createSession, setSessionTokenCookie } from "$lib/server/auth";
import { authentik } from '$lib/server/oauth'; import { authentik } from "$lib/server/oauth";
import { decodeIdToken } from 'arctic'; import { decodeIdToken } from "arctic";
import type { RequestEvent } from '@sveltejs/kit'; import type { RequestEvent } from "@sveltejs/kit";
import type { OAuth2Tokens } from 'arctic'; import type { OAuth2Tokens } from "arctic";
import { db } from '$lib/server/db'; import { db } from '$lib/server/db';
import { eq } from 'drizzle-orm'; import { eq } from 'drizzle-orm';
import * as table from '$lib/server/db/schema'; import * as table from '$lib/server/db/schema';
export async function GET(event: RequestEvent): Promise<Response> { export async function GET(event: RequestEvent): Promise<Response> {
const code = event.url.searchParams.get('code'); const code = event.url.searchParams.get("code");
const state = event.url.searchParams.get('state'); const state = event.url.searchParams.get("state");
const storedState = event.cookies.get('authentik_oauth_state') ?? null; const storedState = event.cookies.get("authentik_oauth_state") ?? null;
const codeVerifier = event.cookies.get('authentik_code_verifier') ?? null; const codeVerifier = event.cookies.get("authentik_code_verifier") ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) { if (code === null || state === null || storedState === null || codeVerifier === null) {
return new Response(null, { return new Response(null, {
status: 400, status: 400
}); });
} }
if (state !== storedState) { if (state !== storedState) {
return new Response(null, { return new Response(null, {
status: 400, status: 400
}); });
} }
@@ -32,19 +31,15 @@ export async function GET(event: RequestEvent): Promise<Response> {
} catch (e) { } catch (e) {
// Invalid code or client credentials // Invalid code or client credentials
return new Response(null, { return new Response(null, {
status: 400, status: 400
}); });
} }
const claims = decodeIdToken(tokens.idToken()) as { const claims = decodeIdToken(tokens.idToken()) as { sub: string, preferred_username: string, name: string };
sub: string; console.info("claims", claims);
preferred_username: string;
name: string;
};
console.log('claims', claims);
const userId: string = claims.sub; const userId: string = claims.sub;
const username: string = claims.preferred_username; const username: string = claims.preferred_username;
const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) }); const existingUser = await db.query.users.findFirst({where: eq(table.users.id, userId)});
if (existingUser) { if (existingUser) {
const session = await createSession(existingUser.id); const session = await createSession(existingUser.id);
@@ -52,14 +47,13 @@ export async function GET(event: RequestEvent): Promise<Response> {
return new Response(null, { return new Response(null, {
status: 302, status: 302,
headers: { headers: {
Location: '/', Location: "/"
}, }
}); });
} }
const user: table.User = { const user: table.User = {
id: userId, id: userId,
authSource: 'authentik',
username, username,
name: claims.name as string, name: claims.name as string,
}; };
@@ -71,14 +65,14 @@ export async function GET(event: RequestEvent): Promise<Response> {
} catch (e) { } catch (e) {
console.error('failed to create user', e); console.error('failed to create user', e);
return new Response(null, { return new Response(null, {
status: 500, status: 500
}); });
} }
return new Response(null, { return new Response(null, {
status: 302, status: 302,
headers: { headers: {
Location: '/', Location: "/"
}, }
}); });
} }

38
src/routes/auth/google/+server.ts
View File

@@ -1,38 +0,0 @@
import type { RequestHandler } from './$types';
import { generateCodeVerifier, generateState } from 'arctic';
import { google } from '$lib/server/oauth';
export const GET: RequestHandler = ({ url, cookies }) => {
const inviteToken = url.searchParams.get('invite');
const state = generateState();
const codeVerifier = generateCodeVerifier();
const scopes = ['openid', 'profile', 'email'];
const authUrl = google.createAuthorizationURL(state, codeVerifier, scopes);
cookies.set('google_oauth_state', state, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
cookies.set('google_code_verifier', codeVerifier, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
if (inviteToken !== null) cookies.set('invite_token', inviteToken, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
return new Response(null, {
status: 302,
headers: {
Location: authUrl.toString(),
},
});
};

100
src/routes/auth/google/callback/+server.ts
View File

@@ -1,100 +0,0 @@
import type { RequestHandler } from './$types';
import * as arctic from 'arctic';
import { google } from '$lib/server/oauth';
import { db } from '$lib/server/db';
import { eq } from 'drizzle-orm';
import * as table from '$lib/server/db/schema';
import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
import type { OAuth2Tokens } from 'arctic';
import { assertGuard } from 'typia';
export const GET: RequestHandler = async (event) => {
const { url, cookies } = event;
const code = url.searchParams.get('code');
const state = url.searchParams.get('state');
const storedState = cookies.get('google_oauth_state') ?? null;
const codeVerifier = cookies.get('google_code_verifier', ) ?? null;
const inviteToken = cookies.get('invite_token') ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) {
return new Response(null, {
status: 400,
});
}
let tokens: OAuth2Tokens;
try {
tokens = await google.validateAuthorizationCode(code, codeVerifier);
} catch (e) {
if (e instanceof arctic.OAuth2RequestError) {
console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
return new Response(null, {
status: 400,
});
}
if (e instanceof arctic.ArcticFetchError) {
console.debug('Arctic: failed to call `fetch()`', e);
return new Response(null, {
status: 400,
});
}
return new Response(null, {
status: 500,
});
}
const idToken = tokens.idToken();
const claims = arctic.decodeIdToken(idToken);
console.log('claims', claims);
assertGuard<{
sub: string;
email: string;
name: string;
}>(claims);
const userId = claims.sub;
const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
if (existingUser) {
const session = await createSession(existingUser.id);
setSessionTokenCookie(event, session.id, session.expiresAt);
return new Response(null, {
status: 302,
headers: {
Location: '/',
},
});
}
// TODO: proper error page
if (inviteToken === null || !isValidInviteToken(inviteToken)) {
return new Response(null, {
status: 400,
});
}
const user: table.User = {
id: userId,
authSource: 'google',
username: claims.email,
name: claims.name,
};
// TODO: proper error handling, delete cookies
await db.insert(table.users).values(user);
console.log('created user', user, 'with invite token', inviteToken);
const session = await createSession(user.id);
setSessionTokenCookie(event, session.id, session.expiresAt);
return new Response(null, {
status: 302,
headers: {
Location: '/',
},
});
};

4
src/routes/devices/+page.server.ts
View File

@@ -1,13 +1,13 @@
import type { Actions } from './$types'; import type { Actions } from './$types';
import { createDevice } from '$lib/server/devices'; import { createDevice } from '$lib/server/devices';
import { error, fail, redirect } from '@sveltejs/kit'; import { error, redirect } from '@sveltejs/kit';
export const actions = { export const actions = {
create: async (event) => { create: async (event) => {
if (!event.locals.user) return error(401, 'Unauthorized'); if (!event.locals.user) return error(401, 'Unauthorized');
const formData = await event.request.formData(); const formData = await event.request.formData();
const name = formData.get('name'); const name = formData.get('name');
if (typeof name !== 'string' || name.trim() === '') return fail(400, { name, invalid: true }); if (typeof name !== 'string' || name.trim() === '') return error(400, 'Invalid name');
const res = await createDevice({ const res = await createDevice({
name: name.trim(), name: name.trim(),
user: event.locals.user, user: event.locals.user,

10
src/routes/devices/+page.svelte
View File

@@ -8,7 +8,6 @@
import type { PageData } from './$types'; import type { PageData } from './$types';
import { Label } from '$lib/components/ui/label'; import { Label } from '$lib/components/ui/label';
import { page } from '$app/state'; import { page } from '$app/state';
import DeleteDevice from './delete-device.svelte';
const { data }: { data: PageData } = $props(); const { data }: { data: PageData } = $props();
@@ -57,9 +56,6 @@
<Badge class="select-auto bg-background" variant="secondary">{ip}</Badge> <Badge class="select-auto bg-background" variant="secondary">{ip}</Badge>
{/each} {/each}
</Table.Cell> </Table.Cell>
<Table.Cell class="py-0">
<DeleteDevice device={device} />
</Table.Cell>
</Table.Row> </Table.Row>
{/each} {/each}
</Table.Body> </Table.Body>
@@ -90,11 +86,11 @@
class="max-w-[20ch]" class="max-w-[20ch]"
/> />
</div> </div>
<Dialog.Footer class="gap-y-2"> <Dialog.Footer>
<Button type="submit" disabled={submitted}>
{#if submitted} {#if submitted}
<LucideLoaderCircle class="size-4 animate-spin place-self-center" /> <LucideLoaderCircle class="size-4 mr-2 animate-spin" />
{/if} {/if}
<Button type="submit" disabled={submitted} class="">
Add Add
</Button> </Button>
</Dialog.Footer> </Dialog.Footer>

23
src/routes/devices/[id]/+page.server.ts
View File

@@ -1,23 +0,0 @@
import { error, redirect } from '@sveltejs/kit';
import { deleteDevice } from '$lib/server/devices/delete';
import type { Actions } from './$types';
export const actions = {
delete: async (event) => {
if (!event.locals.user) return error(401, 'Unauthorized');
const deviceId = Number.parseInt(event.params.id);
if (Number.isNaN(deviceId)) return error(400, 'Invalid device id');
const res = await deleteDevice(event.locals.user.id, deviceId);
switch (res._tag) {
case 'ok': {
return redirect(303, '/devices');
}
case 'err': {
const [status, message] = res.error;
return error(status, message);
}
}
},
} satisfies Actions;

6
src/routes/devices/[id]/+page.svelte
View File

@@ -3,7 +3,6 @@
import QRCode from 'qrcode-svg'; import QRCode from 'qrcode-svg';
import { CodeSnippet } from '$lib/components/app/code-snippet'; import { CodeSnippet } from '$lib/components/app/code-snippet';
import { WireguardGuide } from '$lib/components/app/wireguard-guide'; import { WireguardGuide } from '$lib/components/app/wireguard-guide';
import DeleteDevice from '../delete-device.svelte';
const { data }: { data: PageData } = $props(); const { data }: { data: PageData } = $props();
@@ -26,10 +25,7 @@
<title>{data.device.name}</title> <title>{data.device.name}</title>
</svelte:head> </svelte:head>
<div class="flex justify-between"> <h1 class="w-fit rounded-lg bg-accent p-2 text-lg">{data.device.name}</h1>
<h1 class="w-fit rounded-lg bg-accent p-2 text-lg">{data.device.name}</h1>
<DeleteDevice device={data.device} />
</div>
<section id="device-configuration" class="flex flex-wrap items-center justify-center gap-4"> <section id="device-configuration" class="flex flex-wrap items-center justify-center gap-4">
<CodeSnippet data={data.config} filename={deviceWgCleanedName} copy download /> <CodeSnippet data={data.config} filename={deviceWgCleanedName} copy download />

37
src/routes/devices/delete-device.svelte
View File

@@ -1,37 +0,0 @@
<script>
import { Button, buttonVariants } from '$lib/components/ui/button';
import * as Dialog from '$lib/components/ui/dialog';
import { LucideLoaderCircle, LucideTrash } from 'lucide-svelte';
const { device } = $props();
let submitted = $state(false);
</script>
<Dialog.Root>
<Dialog.Trigger class={buttonVariants({ variant: 'destructive', size: 'sm', class: 'bg-accent hover:bg-destructive' })}>
<LucideTrash />
</Dialog.Trigger>
<Dialog.Content>
<form class="contents" method="post" action="/devices/{device.id}?/delete"
onsubmit={() => submitted = true}
>
<Dialog.Header>
Are you sure you want to permanently delete "{device.name}"?
</Dialog.Header>
You will no longer be able to connect from this device.
<Dialog.Footer class="gap-y-2">
{#if submitted}
<LucideLoaderCircle class="size-4 animate-spin place-self-center" />
{/if}
<Button type="submit" variant="destructive" disabled={submitted}>
Delete
</Button>
<Dialog.Close asChild let:builder>
<button class={buttonVariants()} disabled={submitted} use:builder.action {...builder}>
Cancel
</button>
</Dialog.Close>
</Dialog.Footer>
</form>
</Dialog.Content>
</Dialog.Root>

7
src/routes/invite/[id]/+layout.server.ts
View File

@@ -1,7 +0,0 @@
import type { LayoutServerLoad } from './$types';
import { redirect } from '@sveltejs/kit';
import { isValidInviteToken } from '$lib/server/auth';
export const load: LayoutServerLoad = ({ params }) => {
if (!isValidInviteToken(params.id)) redirect(307, '/')
};

16
src/routes/invite/[id]/+page.svelte
View File

@@ -1,16 +0,0 @@
<script lang="ts">
import { AuthForm } from '$lib/components/app/auth-form';
import { page } from '$app/state';
let inviteToken = page.params.id;
</script>
<svelte:head>
<title>You are Invited to VPGen</title>
</svelte:head>
<h1 class="mb-2 scroll-m-20 text-center text-3xl font-extrabold tracking-tight lg:text-4xl">
Welcome to VPGen
</h1>
<AuthForm inviteToken={inviteToken} />

8
tsconfig.json
View File

@@ -9,13 +9,7 @@
"skipLibCheck": true, "skipLibCheck": true,
"sourceMap": true, "sourceMap": true,
"strict": true, "strict": true,
"moduleResolution": "bundler", "moduleResolution": "bundler"
"plugins": [
{
"transform": "typia/lib/transform"
}
],
"strictNullChecks": true
} }
// Path aliases are handled by https://svelte.dev/docs/kit/configuration#alias // Path aliases are handled by https://svelte.dev/docs/kit/configuration#alias
// except $lib which is handled by https://svelte.dev/docs/kit/configuration#files // except $lib which is handled by https://svelte.dev/docs/kit/configuration#files

3
vite.config.ts
View File

@@ -1,7 +1,6 @@
import { sveltekit } from '@sveltejs/kit/vite'; import { sveltekit } from '@sveltejs/kit/vite';
import { defineConfig } from 'vite'; import { defineConfig } from 'vite';
import UnpluginTypia from '@ryoppippi/unplugin-typia/vite';
export default defineConfig({ export default defineConfig({
plugins: [sveltekit(), UnpluginTypia()], plugins: [sveltekit()]
}); });