drizzle initial migration

.env.example

@@ -1,5 +1,18 @@
-DATABASE_URL=local.db
+DATABASE_URL=file:local.db
 AUTH_DOMAIN=auth.lab.cazzzer.com
 AUTH_CLIENT_ID=
 AUTH_CLIENT_SECRET=
 AUTH_REDIRECT_URI=http://localhost:5173/auth/authentik/callback
+
+OPNSENSE_API_URL=https://opnsense.home
+OPNSENSE_API_KEY=
+OPNSENSE_API_SECRET=
+OPNSENSE_WG_IFNAME=wg2
+
+IPV4_STARTING_ADDR=10.18.11.100
+IPV6_STARTING_ADDR=fd00:10:18:11::100:0
+IPV6_CLIENT_PREFIX_SIZE=112
+IP_MAX_INDEX=100
+VPN_ENDPOINT=vpn.lab.cazzzer.com:51820
+VPN_DNS=10.18.11.1,fd00:10:18:11::1
+MAX_CLIENTS_PER_USER=20

.idea/codeStyles/Project.xml

@@ -9,7 +9,7 @@
       <option name="SPACE_BEFORE_FUNCTION_LEFT_PARENTH" value="false" />
       <option name="USE_DOUBLE_QUOTES" value="false" />
       <option name="FORCE_QUOTE_STYlE" value="true" />
-      <option name="ENFORCE_TRAILING_COMMA" value="Remove" />
+      <option name="ENFORCE_TRAILING_COMMA" value="WhenMultiline" />
       <option name="SPACES_WITHIN_OBJECT_LITERAL_BRACES" value="true" />
       <option name="SPACES_WITHIN_IMPORTS" value="true" />
     </JSCodeStyleSettings>
@@ -120,7 +120,7 @@
       <option name="SPACE_BEFORE_FUNCTION_LEFT_PARENTH" value="false" />
       <option name="USE_DOUBLE_QUOTES" value="false" />
       <option name="FORCE_QUOTE_STYlE" value="true" />
-      <option name="ENFORCE_TRAILING_COMMA" value="Remove" />
+      <option name="ENFORCE_TRAILING_COMMA" value="WhenMultiline" />
       <option name="SPACES_WITHIN_OBJECT_LITERAL_BRACES" value="true" />
       <option name="SPACES_WITHIN_IMPORTS" value="true" />
     </TypeScriptCodeStyleSettings>

.idea/dataSources.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="DataSourceManagerImpl" format="xml" multifile-model="true">
+    <data-source source="LOCAL" name="local" uuid="f362368b-ba47-4270-9f81-b0d8484b9928">
+      <driver-ref>sqlite.xerial</driver-ref>
+      <synchronize>true</synchronize>
+      <jdbc-driver>org.sqlite.JDBC</jdbc-driver>
+      <jdbc-url>jdbc:sqlite:$PROJECT_DIR$/local.db</jdbc-url>
+      <working-dir>$ProjectFileDir$</working-dir>
+      <libraries>
+        <library>
+          <url>file://$APPLICATION_CONFIG_DIR$/jdbc-drivers/Xerial SQLiteJDBC/3.45.1/org/xerial/sqlite-jdbc/3.45.1.0/sqlite-jdbc-3.45.1.0.jar</url>
+        </library>
+        <library>
+          <url>file://$APPLICATION_CONFIG_DIR$/jdbc-drivers/Xerial SQLiteJDBC/3.45.1/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar</url>
+        </library>
+      </libraries>
+    </data-source>
+  </component>
+</project>

.prettierrc

@@ -1,7 +1,6 @@
 {
 	"useTabs": true,
 	"singleQuote": true,
-	"trailingComma": "none",
 	"printWidth": 100,
 	"plugins": ["prettier-plugin-svelte", "prettier-plugin-tailwindcss"],
 	"overrides": [

bruno/bruno.json

@@ -0,0 +1,9 @@
+{
+  "version": "1",
+  "name": "vpgen",
+  "type": "collection",
+  "ignore": [
+    "node_modules",
+    ".git"
+  ]
+}

bruno/collection.bru

@@ -0,0 +1,8 @@
+auth {
+  mode: basic
+}
+
+auth:basic {
+  username: {{opnsense_key}}
+  password: {{opnsense_secret}}
+}

bruno/environments/dev.bru

@@ -0,0 +1,8 @@
+vars {
+  opnsense_key: 33NhXqaJwrWy1T4Qi60GK90RXJuS3PWIYwlwYPnQ8f5YPe/J1q/g6/l4bZ2/kJk71MFhwP+9mr+IiQPi
+  base: https://opnsense.home
+}
+vars:secret [
+  vpn_endpoint,
+  opnsense_secret
+]

bruno/opnsense-api/Add Client Builder.bru

@@ -0,0 +1,37 @@
+meta {
+  name: Add Client Builder
+  type: http
+  seq: 9
+}
+
+post {
+  url: {{base}}/api/wireguard/client/addClientBuilder
+  body: json
+  auth: inherit
+}
+
+headers {
+  Content-Type: application/json
+}
+
+body:json {
+  {
+    "configbuilder": {
+      "enabled": "1",
+      "name": "{{clientName}}",
+      "pubkey": "{{clientPubkey}}",
+      "psk": "{{psk}}",
+      "tunneladdress": "{{clientTunnelAddress}}",
+      "server": "{{serverUuid}}",
+      "endpoint": "{{vpn_endpoint}}"
+    }
+  }
+}
+
+vars:pre-request {
+  clientName: vpgen-CaZzzer
+  clientPubkey: BJ5faPVJsDP4CCxNYilmKnwlQXOtXEOJjqIwb4U/CgM=
+  psk: 0LWopbrISXBNHUxr+WOhCSAg+0hD8j3TLmpyzHkBHCQ=
+  clientTunnelAddress: 10.18.11.101/32,fd00::1/128
+  serverUuid: 99f278fb-5b79-4fde-b3d8-afab19f1fc07
+}

bruno/opnsense-api/Get Interfaces.bru

@@ -0,0 +1,31 @@
+meta {
+  name: Get Interfaces
+  type: http
+  seq: 2
+}
+
+post {
+  url: {{base}}/api/wireguard/service/show
+  body: json
+  auth: inherit
+}
+
+headers {
+  Content-Type: application/json
+}
+
+body:json {
+  {
+    "current": 1,
+    "rowCount": 7,
+    "sort": {},
+    "searchPhrase": "{{searchPhrase}}",
+    "type": [
+      "interface"
+    ]
+  }
+}
+
+vars:pre-request {
+  searchPhrase: 
+}

bruno/opnsense-api/Get Key Pair.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Get Key Pair
+  type: http
+  seq: 7
+}
+
+get {
+  url: {{base}}/api/wireguard/server/key_pair
+  body: none
+  auth: inherit
+}

bruno/opnsense-api/Get PSK.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Get PSK
+  type: http
+  seq: 8
+}
+
+get {
+  url: {{base}}/api/wireguard/client/psk
+  body: none
+  auth: inherit
+}

bruno/opnsense-api/Get Peers.bru

@@ -0,0 +1,31 @@
+meta {
+  name: Get Peers
+  type: http
+  seq: 1
+}
+
+post {
+  url: {{base}}/api/wireguard/service/show
+  body: json
+  auth: inherit
+}
+
+headers {
+  Content-Type: application/json
+}
+
+body:json {
+  {
+    "current": 1,
+    "rowCount": 7,
+    "sort": {},
+    "searchPhrase": "{{searchPhrase}}",
+    "type": [
+      "peer"
+    ]
+  }
+}
+
+vars:pre-request {
+  searchPhrase: 
+}

bruno/opnsense-api/Get Server Info.bru

@@ -0,0 +1,15 @@
+meta {
+  name: Get Server Info
+  type: http
+  seq: 6
+}
+
+get {
+  url: {{base}}/api/wireguard/client/get_server_info/:server_uuid
+  body: none
+  auth: inherit
+}
+
+params:path {
+  server_uuid: 8799c789-b6fb-4aa8-9dac-edf18d860340
+}

bruno/opnsense-api/List Servers.bru

@@ -0,0 +1,11 @@
+meta {
+  name: List Servers
+  type: http
+  seq: 6
+}
+
+get {
+  url: {{base}}/api/wireguard/client/list_servers
+  body: none
+  auth: inherit
+}

bruno/opnsense-api/Reconfigure.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Reconfigure
+  type: http
+  seq: 10
+}
+
+post {
+  url: {{base}}/api/wireguard/service/reconfigure
+  body: none
+  auth: inherit
+}

bruno/opnsense-api/Search Client.bru

@@ -0,0 +1,30 @@
+meta {
+  name: Search Client
+  type: http
+  seq: 5
+}
+
+post {
+  url: {{base}}/api/wireguard/client/searchClient
+  body: json
+  auth: inherit
+}
+
+headers {
+  Content-Type: application/json
+}
+
+body:json {
+  {
+    "current": 1,
+    "rowCount": 7,
+    "sort": {},
+    "servers": ["{{serverUuid}}"],
+    "searchPhrase": "{{searchPhrase}}"
+  }
+}
+
+vars:pre-request {
+  searchPhrase: 
+  serverUuid: 64e1d6ec-980a-463d-8583-c863d8e9852b
+}

bruno/opnsense-api/Search Server.bru

@@ -0,0 +1,28 @@
+meta {
+  name: Search Server
+  type: http
+  seq: 4
+}
+
+post {
+  url: {{base}}/api/wireguard/server/searchServer
+  body: json
+  auth: inherit
+}
+
+headers {
+  Content-Type: application/json
+}
+
+body:json {
+  {
+    "current": 1,
+    "rowCount": 7,
+    "sort": {},
+    "searchPhrase": "{{searchPhrase}}"
+  }
+}
+
+vars:pre-request {
+  searchPhrase: 
+}

bruno/opnsense-api/folder.bru

@@ -0,0 +1,7 @@
+meta {
+  name: opnsense-api
+}
+
+headers {
+  Accept: application/json
+}

drizzle/0000_young_wong.sql

@@ -0,0 +1,32 @@
+CREATE TABLE `ip_allocations` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`client_id` integer,
+	FOREIGN KEY (`client_id`) REFERENCES `wg_clients`(`id`) ON UPDATE no action ON DELETE set null
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `ip_allocations_client_id_unique` ON `ip_allocations` (`client_id`);--> statement-breakpoint
+CREATE TABLE `sessions` (
+	`id` text PRIMARY KEY NOT NULL,
+	`user_id` text NOT NULL,
+	`expires_at` integer NOT NULL,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE no action
+);
+--> statement-breakpoint
+CREATE TABLE `users` (
+	`id` text PRIMARY KEY NOT NULL,
+	`username` text NOT NULL,
+	`name` text NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE `wg_clients` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` text NOT NULL,
+	`name` text NOT NULL,
+	`opnsense_id` text,
+	`public_key` text NOT NULL,
+	`private_key` text,
+	`pre_shared_key` text,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE no action
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `wg_clients_public_key_unique` ON `wg_clients` (`public_key`);

drizzle/meta/0000_snapshot.json

@@ -0,0 +1,221 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "29e6fd88-fa47-4f79-ad83-c52538bc36a6",
+  "prevId": "00000000-0000-0000-0000-000000000000",
+  "tables": {
+    "ip_allocations": {
+      "name": "ip_allocations",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "ip_allocations_client_id_unique": {
+          "name": "ip_allocations_client_id_unique",
+          "columns": [
+            "client_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "ip_allocations_client_id_wg_clients_id_fk": {
+          "name": "ip_allocations_client_id_wg_clients_id_fk",
+          "tableFrom": "ip_allocations",
+          "tableTo": "wg_clients",
+          "columnsFrom": [
+            "client_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "sessions": {
+      "name": "sessions",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "wg_clients": {
+      "name": "wg_clients",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "opnsense_id": {
+          "name": "opnsense_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "public_key": {
+          "name": "public_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "private_key": {
+          "name": "private_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pre_shared_key": {
+          "name": "pre_shared_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "wg_clients_public_key_unique": {
+          "name": "wg_clients_public_key_unique",
+          "columns": [
+            "public_key"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "wg_clients_user_id_users_id_fk": {
+          "name": "wg_clients_user_id_users_id_fk",
+          "tableFrom": "wg_clients",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}

drizzle/meta/_journal.json

@@ -0,0 +1,13 @@
+{
+  "version": "7",
+  "dialect": "sqlite",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "6",
+      "when": 1735028333867,
+      "tag": "0000_young_wong",
+      "breakpoints": true
+    }
+  ]
+}

package.json

@@ -11,8 +11,10 @@
 		"format": "prettier --write .",
 		"lint": "prettier --check . && eslint .",
 		"db:push": "drizzle-kit push",
+		"db:generate": "drizzle-kit generate",
 		"db:migrate": "drizzle-kit migrate",
-		"db:studio": "drizzle-kit studio"
+		"db:studio": "drizzle-kit studio",
+		"db:seed": "bun run ./src/lib/server/db/seed.ts"
 	},
 	"devDependencies": {
 		"@sveltejs/adapter-auto": "^3.0.0",
@@ -23,10 +25,11 @@
 		"@tailwindcss/typography": "^0.5.15",
 		"@types/better-sqlite3": "^7.6.11",
 		"@types/eslint": "^9.6.0",
+		"@types/qrcode-svg": "^1.1.5",
 		"autoprefixer": "^10.4.20",
 		"bits-ui": "^0.21.16",
 		"clsx": "^2.1.1",
-		"drizzle-kit": "^0.22.0",
+		"drizzle-kit": "^0.30.1",
 		"eslint": "^9.7.0",
 		"eslint-config-prettier": "^9.1.0",
 		"eslint-plugin-svelte": "^2.36.0",
@@ -44,11 +47,13 @@
 		"vite": "^5.0.3"
 	},
 	"dependencies": {
+		"@libsql/client": "^0.14.0",
 		"@oslojs/crypto": "^1.0.1",
 		"@oslojs/encoding": "^1.1.0",
 		"arctic": "^2.2.1",
-		"better-sqlite3": "^11.1.2",
+		"drizzle-orm": "^0.38.2",
-		"drizzle-orm": "^0.33.0",
+		"ip-address": "^10.0.1",
-		"lucide-svelte": "^0.454.0"
+		"lucide-svelte": "^0.454.0",
+		"qrcode-svg": "^1.1.0"
 	}
 }

src/app.css

@@ -4,16 +4,16 @@
 
 @layer base {
   :root {
-    --background: 0 0% 100%;
+    --background: 0 0% 90%;
     --foreground: 222.2 84% 4.9%;
 
     --muted: 210 40% 96.1%;
     --muted-foreground: 215.4 16.3% 46.9%;
 
-    --popover: 0 0% 100%;
+    --popover: 0 0% 90%;
     --popover-foreground: 222.2 84% 4.9%;
 
-    --card: 0 0% 100%;
+    --card: 0 0% 90%;
     --card-foreground: 222.2 84% 4.9%;
 
     --border: 214.3 31.8% 91.4%;
@@ -22,10 +22,10 @@
     --primary: 222.2 47.4% 11.2%;
     --primary-foreground: 210 40% 98%;
 
-    --secondary: 210 40% 96.1%;
+    --secondary: 210 26% 86%;
     --secondary-foreground: 222.2 47.4% 11.2%;
 
-    --accent: 210 40% 96.1%;
+    --accent: 210 26% 86%;
     --accent-foreground: 222.2 47.4% 11.2%;
 
     --destructive: 0 72.2% 50.6%;
@@ -39,31 +39,31 @@
   @media (prefers-color-scheme: dark) {
     :root {
       --background: 222.2 84% 4.9%;
-      --foreground: 210 40% 98%;
+      --foreground: 210 40% 90%;
 
       --muted: 217.2 32.6% 17.5%;
       --muted-foreground: 215 20.2% 65.1%;
 
       --popover: 222.2 84% 4.9%;
-      --popover-foreground: 210 40% 98%;
+      --popover-foreground: 210 40% 90%;
 
       --card: 222.2 84% 4.9%;
-      --card-foreground: 210 40% 98%;
+      --card-foreground: 210 40% 90%;
 
       --border: 217.2 32.6% 17.5%;
       --input: 217.2 32.6% 17.5%;
 
-      --primary: 210 40% 98%;
+      --primary: 210 40% 90%;
       --primary-foreground: 222.2 47.4% 11.2%;
 
       --secondary: 217.2 32.6% 17.5%;
-      --secondary-foreground: 210 40% 98%;
+      --secondary-foreground: 210 40% 90%;
 
       --accent: 217.2 32.6% 17.5%;
-      --accent-foreground: 210 40% 98%;
+      --accent-foreground: 210 40% 90%;
 
       --destructive: 0 62.8% 30.6%;
-      --destructive-foreground: 210 40% 98%;
+      --destructive-foreground: 210 40% 90%;
 
       --ring: 212.7 26.8% 83.9%;
     }

src/hooks.server.ts

@@ -31,12 +31,16 @@ const handleAuth: Handle = async ({ event, resolve }) => {
 };
 
 
-const authRequired = new Set([
+const authRequired = [
-	'/user',
+	/^\/api/,
-	'/connections',
+	/^\/user/,
-]);
+	/^\/connections/,
+	/^\/clients/,
+];
 const handleProtectedPaths: Handle = ({ event, resolve }) => {
-	if (authRequired.has(event.url.pathname) && !event.locals.user) {
+	const isProtected = authRequired.some((re) => re.test(event.url.pathname));
+
+	if (!event.locals.user && isProtected) {
 			return redirect(302, '/');
 	}
 	return resolve(event);

src/lib/clients.ts

@@ -0,0 +1,33 @@
+import type { ClientDetails } from '$lib/types/clients';
+
+/**
+ * Convert client details to WireGuard configuration.
+ *
+ * ```conf
+ * [Interface]
+ * PrivateKey = wPa07zR0H4wYoc1ljfeiqlSbR8Z28pPc6jplwE7zPms=
+ * Address = 10.18.11.100/32,fd00::1/128
+ * DNS = 10.18.11.1,fd00::0
+ *
+ * [Peer]
+ * PublicKey = BJ5faPVJsDP4CCxNYilmKnwlQXOtXEOJjqIwb4U/CgM=
+ * PresharedKey = uhZUVqXKF0oayP0BS6yPu6Gepgh68Nz9prtbE5Cuok0=
+ * Endpoint = vpn.lab.cazzzer.com:51820
+ * AllowedIPs = 0.0.0.0/0,::/0
+ * ```
+ * @param client
+ */
+export function clientDetailsToConfig(client: ClientDetails): string {
+	return `\
+[Interface]
+PrivateKey = ${client.privateKey}
+Address = ${client.ips.join(', ')}
+DNS = ${client.vpnDns}
+
+[Peer]
+PublicKey = ${client.vpnPublicKey}
+PresharedKey = ${client.preSharedKey}
+Endpoint = ${client.vpnEndpoint}
+AllowedIPs = 0.0.0.0/0,::/0
+`;
+}

src/lib/components/ui/badge/badge.svelte

@@ -0,0 +1,18 @@
+<script lang="ts">
+	import { type Variant, badgeVariants } from "./index.js";
+	import { cn } from "$lib/utils.js";
+
+	let className: string | undefined | null = undefined;
+	export let href: string | undefined = undefined;
+	export let variant: Variant = "default";
+	export { className as class };
+</script>
+
+<svelte:element
+	this={href ? "a" : "span"}
+	{href}
+	class={cn(badgeVariants({ variant, className }))}
+	{...$$restProps}
+>
+	<slot />
+</svelte:element>

src/lib/components/ui/badge/index.ts

@@ -0,0 +1,21 @@
+import { type VariantProps, tv } from "tailwind-variants";
+export { default as Badge } from "./badge.svelte";
+
+export const badgeVariants = tv({
+	base: "focus:ring-ring inline-flex select-none items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-offset-2",
+	variants: {
+		variant: {
+			default: "bg-primary text-primary-foreground hover:bg-primary/80 border-transparent",
+			secondary:
+				"bg-secondary text-secondary-foreground hover:bg-secondary/80 border-transparent",
+			destructive:
+				"bg-destructive text-destructive-foreground hover:bg-destructive/80 border-transparent",
+			outline: "text-foreground",
+		},
+	},
+	defaultVariants: {
+		variant: "default",
+	},
+});
+
+export type Variant = VariantProps<typeof badgeVariants>["variant"];

src/lib/components/ui/checkbox/checkbox.svelte

@@ -0,0 +1,35 @@
+<script lang="ts">
+	import { Checkbox as CheckboxPrimitive } from "bits-ui";
+	import Check from "lucide-svelte/icons/check";
+	import Minus from "lucide-svelte/icons/minus";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = CheckboxPrimitive.Props;
+	type $$Events = CheckboxPrimitive.Events;
+
+	let className: $$Props["class"] = undefined;
+	export let checked: $$Props["checked"] = false;
+	export { className as class };
+</script>
+
+<CheckboxPrimitive.Root
+	class={cn(
+		"border-primary ring-offset-background focus-visible:ring-ring data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground peer box-content h-4 w-4 shrink-0 rounded-sm border focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 data-[disabled=true]:cursor-not-allowed data-[disabled=true]:opacity-50",
+		className
+	)}
+	bind:checked
+	{...$$restProps}
+	on:click
+>
+	<CheckboxPrimitive.Indicator
+		class={cn("flex h-4 w-4 items-center justify-center text-current")}
+		let:isChecked
+		let:isIndeterminate
+	>
+		{#if isChecked}
+			<Check class="h-3.5 w-3.5" />
+		{:else if isIndeterminate}
+			<Minus class="h-3.5 w-3.5" />
+		{/if}
+	</CheckboxPrimitive.Indicator>
+</CheckboxPrimitive.Root>

src/lib/components/ui/checkbox/index.ts

@@ -0,0 +1,6 @@
+import Root from "./checkbox.svelte";
+export {
+	Root,
+	//
+	Root as Checkbox,
+};

src/lib/components/ui/table/index.ts

@@ -0,0 +1,28 @@
+import Root from "./table.svelte";
+import Body from "./table-body.svelte";
+import Caption from "./table-caption.svelte";
+import Cell from "./table-cell.svelte";
+import Footer from "./table-footer.svelte";
+import Head from "./table-head.svelte";
+import Header from "./table-header.svelte";
+import Row from "./table-row.svelte";
+
+export {
+	Root,
+	Body,
+	Caption,
+	Cell,
+	Footer,
+	Head,
+	Header,
+	Row,
+	//
+	Root as Table,
+	Body as TableBody,
+	Caption as TableCaption,
+	Cell as TableCell,
+	Footer as TableFooter,
+	Head as TableHead,
+	Header as TableHeader,
+	Row as TableRow,
+};

src/lib/components/ui/table/table-body.svelte

@@ -0,0 +1,13 @@
+<script lang="ts">
+	import type { HTMLAttributes } from "svelte/elements";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = HTMLAttributes<HTMLTableSectionElement>;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<tbody class={cn("[&_tr:last-child]:border-0", className)} {...$$restProps}>
+	<slot />
+</tbody>

src/lib/components/ui/table/table-caption.svelte

@@ -0,0 +1,13 @@
+<script lang="ts">
+	import type { HTMLAttributes } from "svelte/elements";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = HTMLAttributes<HTMLTableCaptionElement>;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<caption class={cn("text-muted-foreground mt-4 text-sm", className)} {...$$restProps}>
+	<slot />
+</caption>

src/lib/components/ui/table/table-cell.svelte

@@ -0,0 +1,18 @@
+<script lang="ts">
+	import type { HTMLTdAttributes } from "svelte/elements";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = HTMLTdAttributes;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<td
+	class={cn("p-4 align-middle [&:has([role=checkbox])]:pr-0", className)}
+	{...$$restProps}
+	on:click
+	on:keydown
+>
+	<slot />
+</td>

src/lib/components/ui/table/table-footer.svelte

@@ -0,0 +1,13 @@
+<script lang="ts">
+	import type { HTMLAttributes } from "svelte/elements";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = HTMLAttributes<HTMLTableSectionElement>;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<tfoot class={cn("bg-muted/50 text-primary-foreground font-medium", className)} {...$$restProps}>
+	<slot />
+</tfoot>

src/lib/components/ui/table/table-head.svelte

@@ -0,0 +1,19 @@
+<script lang="ts">
+	import type { HTMLThAttributes } from "svelte/elements";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = HTMLThAttributes;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<th
+	class={cn(
+		"text-muted-foreground h-12 px-4 text-left align-middle font-medium [&:has([role=checkbox])]:pr-0",
+		className
+	)}
+	{...$$restProps}
+>
+	<slot />
+</th>

src/lib/components/ui/table/table-header.svelte

@@ -0,0 +1,14 @@
+<script lang="ts">
+	import type { HTMLAttributes } from "svelte/elements";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = HTMLAttributes<HTMLTableSectionElement>;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<!-- svelte-ignore a11y-no-noninteractive-element-interactions -->
+<thead class={cn("[&_tr]:border-b", className)} {...$$restProps} on:click on:keydown>
+	<slot />
+</thead>

src/lib/components/ui/table/table-row.svelte

@@ -0,0 +1,23 @@
+<script lang="ts">
+	import type { HTMLAttributes } from "svelte/elements";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = HTMLAttributes<HTMLTableRowElement> & {
+		"data-state"?: unknown;
+	};
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<tr
+	class={cn(
+		"hover:bg-muted/50 data-[state=selected]:bg-muted border-b transition-colors",
+		className
+	)}
+	{...$$restProps}
+	on:click
+	on:keydown
+>
+	<slot />
+</tr>

src/lib/components/ui/table/table.svelte

@@ -0,0 +1,15 @@
+<script lang="ts">
+	import type { HTMLTableAttributes } from "svelte/elements";
+	import { cn } from "$lib/utils.js";
+
+	type $$Props = HTMLTableAttributes;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<div class="relative w-full overflow-auto">
+	<table class={cn("w-full caption-bottom text-sm", className)} {...$$restProps}>
+		<slot />
+	</table>
+</div>

src/lib/opnsense/wg.ts

@@ -0,0 +1,107 @@
+export interface PeerRow {
+	if: string;
+	type: "peer";
+	'public-key': string;
+	endpoint: string;
+	'allowed-ips': string;
+	'latest-handshake': number;
+	'transfer-rx': number;
+	'transfer-tx': number;
+	'persistent-keepalive': string;
+	name: string;
+	ifname: string;
+}
+
+/**
+ * Sample response from OPNsense WireGuard API
+ * ```json
+ * {
+ *   "total": 17,
+ *     "rowCount": 7,
+ *     "current": 1,
+ *     "rows": [
+ *   {
+ *     "if": "wg0",
+ *     "type": "peer",
+ *     "public-key": "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=",
+ *     "endpoint": "10.17.20.107:42516",
+ *     "allowed-ips": "fd00::1/112,10.6.0.3/32",
+ *     "latest-handshake": 1729319339,
+ *     "transfer-rx": 1052194743,
+ *     "transfer-tx": 25203263456,
+ *     "persistent-keepalive": "off",
+ *     "name": "Yura-TPX13",
+ *     "ifname": "wg0"
+ *   }
+ * ]
+ * }
+ * ```
+ */
+export interface OpnsenseWgPeers {
+	total: number;
+	rowCount: number;
+	current: number;
+	rows: PeerRow[];
+}
+
+/**
+ * Sample request to OPNsense WireGuard API
+ * ```js
+ * const url = 'https://opnsense.home/api/wireguard/service/show';
+ * const options = {
+ *   method: 'POST',
+ *   headers: {
+ *     Authorization: 'Basic ...',
+ *     'Content-Type': 'application/json',
+ *     Accept: 'application/json',
+ *   },
+ *   body: '{"current":1,"rowCount":7,"sort":{},"searchPhrase":"","type":["peer"]}'
+ * };
+ * ```
+ */
+
+export interface OpnsenseWgServers {
+	status: "ok" | string | number;
+	rows: {
+		name: string;
+		uuid: string;
+	}[];
+}
+
+/**
+ * Sample response for OPNsense WireGuard clients
+ * ```json
+ * {
+ *   "rows": [
+ *     {
+ *       "uuid": "d99334de-7671-4ca7-9c9b-5f5578acae70",
+ *       "enabled": "1",
+ *       "name": "Yura-TPX13",
+ *       "pubkey": "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=",
+ *       "tunneladdress": "fd00::1/112,10.6.0.3/32",
+ *       "serveraddress": "",
+ *       "serverport": "",
+ *       "servers": "wg0"
+ *     }
+ *   ],
+ *   "rowCount": 1,
+ *   "total": 10,
+ *   "current": 1
+ * }
+ * ```
+ */
+export interface OpnsenseWgClients {
+	rowCount: number;
+	total: number;
+	current: number;
+	rows: {
+		uuid: string;
+		enabled: string;
+		name: string;
+		pubkey: string;
+		tunneladdress: string;
+		serveraddress: string;
+		serverport: string;
+		servers: string;
+	}[];
+}

src/lib/server/auth.ts

@@ -23,7 +23,7 @@ export async function createSession(userId: string): Promise<table.Session> {
 		userId,
 		expiresAt: new Date(Date.now() + DAY_IN_MS * 30)
 	};
-	await db.insert(table.session).values(session);
+	await db.insert(table.sessions).values(session);
 	return session;
 }
 
@@ -38,7 +38,7 @@ export function setSessionTokenCookie(event: RequestEvent, sessionId: string, ex
 }
 
 export async function invalidateSession(sessionId: string): Promise<void> {
-	await db.delete(table.session).where(eq(table.session.id, sessionId));
+	await db.delete(table.sessions).where(eq(table.sessions.id, sessionId));
 }
 
 export function deleteSessionTokenCookie(event: RequestEvent) {
@@ -49,12 +49,12 @@ export async function validateSession(sessionId: string) {
 	const [result] = await db
 		.select({
 			// Adjust user table here to tweak returned data
-			user: { id: table.user.id, username: table.user.username, name: table.user.name },
+			user: { id: table.users.id, username: table.users.username, name: table.users.name },
-			session: table.session
+			session: table.sessions
 		})
-		.from(table.session)
+		.from(table.sessions)
-		.innerJoin(table.user, eq(table.session.userId, table.user.id))
+		.innerJoin(table.users, eq(table.sessions.userId, table.users.id))
-		.where(eq(table.session.id, sessionId));
+		.where(eq(table.sessions.id, sessionId));
 
 	if (!result) {
 		return { session: null, user: null };
@@ -63,7 +63,7 @@ export async function validateSession(sessionId: string) {
 
 	const sessionExpired = Date.now() >= session.expiresAt.getTime();
 	if (sessionExpired) {
-		await db.delete(table.session).where(eq(table.session.id, session.id));
+		await db.delete(table.sessions).where(eq(table.sessions.id, session.id));
 		return { session: null, user: null };
 	}
 
@@ -71,9 +71,9 @@ export async function validateSession(sessionId: string) {
 	if (renewSession) {
 		session.expiresAt = new Date(Date.now() + DAY_IN_MS * 30);
 		await db
-			.update(table.session)
+			.update(table.sessions)
 			.set({ expiresAt: session.expiresAt })
-			.where(eq(table.session.id, session.id));
+			.where(eq(table.sessions.id, session.id));
 	}
 
 	return { session, user };

src/lib/server/clients.ts

@@ -0,0 +1,227 @@
+import type { User } from '$lib/server/db/schema';
+import { db } from '$lib/server/db';
+import { wgClients, ipAllocations } from '$lib/server/db/schema';
+import { opnsenseAuth, opnsenseUrl, serverPublicKey, serverUuid } from '$lib/server/opnsense';
+import { Address4, Address6 } from 'ip-address';
+import {
+	IP_MAX_INDEX,
+	IPV4_STARTING_ADDR,
+	IPV6_CLIENT_PREFIX_SIZE,
+	IPV6_STARTING_ADDR,
+	MAX_CLIENTS_PER_USER,
+	VPN_DNS,
+	VPN_ENDPOINT,
+} from '$env/static/private';
+import { and, count, eq, isNull } from 'drizzle-orm';
+import { err, ok, type Result } from '$lib/types';
+import type { ClientDetails } from '$lib/types/clients';
+
+export async function findClients(userId: string) {
+	return db.query.wgClients.findMany({
+		columns: {
+			id: true,
+			name: true,
+			publicKey: true,
+			privateKey: true,
+			preSharedKey: true,
+		},
+		with: {
+			ipAllocation: true,
+		},
+		where: eq(wgClients.userId, userId),
+	});
+}
+
+export async function findClient(userId: string, clientId: number) {
+	return db.query.wgClients.findFirst({
+		columns: {
+			id: true,
+			name: true,
+			publicKey: true,
+			privateKey: true,
+			preSharedKey: true,
+		},
+		with: {
+			ipAllocation: true,
+		},
+		where: and(eq(wgClients.userId, userId), eq(wgClients.id, clientId)),
+	});
+}
+
+export function mapClientToDetails(
+	client: Awaited<ReturnType<typeof findClients>>[0],
+): ClientDetails {
+	const ips = getIpsFromIndex(client.ipAllocation.id);
+	return {
+		id: client.id,
+		name: client.name,
+		publicKey: client.publicKey,
+		privateKey: client.privateKey,
+		preSharedKey: client.preSharedKey,
+		ips,
+		vpnPublicKey: serverPublicKey,
+		vpnEndpoint: VPN_ENDPOINT,
+		vpnDns: VPN_DNS,
+	};
+}
+
+export async function createClient(params: {
+	name: string;
+	user: User;
+}): Promise<Result<null, [400 | 500, string]>> {
+	// check if user exceeds the limit of clients
+	const [{ clientCount }] = await db
+		.select({ clientCount: count() })
+		.from(wgClients)
+		.where(eq(wgClients.userId, params.user.id));
+	if (clientCount >= parseInt(MAX_CLIENTS_PER_USER))
+		return err([400, 'Maximum number of clients reached'] as [400, string]);
+
+	// this is going to be quite long
+	// 1. fetch params for new client from opnsense api
+	// 2.1 get an allocation for the client
+	// 2.2. insert new client into db
+	// 2.3. update the allocation with the client id
+	// 3. create the client in opnsense
+	// 4. reconfigure opnsense to enable the new client
+	const error = await db.transaction(async (tx) => {
+		const [keys, availableAllocation, lastAllocation] = await Promise.all([
+			// fetch params for new client from opnsense api
+			getKeys(),
+			// find first unallocated IP
+			await tx.query.ipAllocations.findFirst({
+				columns: {
+					id: true,
+				},
+				where: isNull(ipAllocations.clientId),
+			}),
+			// find last allocation to check if we have any IPs left
+			await tx.query.ipAllocations.findFirst({
+				columns: {
+					id: true,
+				},
+				orderBy: (ipAllocations, { desc }) => desc(ipAllocations.id),
+			}),
+		]);
+
+		// check for existing allocation or if we have any IPs left
+		if (!availableAllocation && lastAllocation && lastAllocation.id >= parseInt(IP_MAX_INDEX)) {
+			return err([500, 'No more IP addresses available'] as [500, string]);
+		}
+
+		// use existing allocation or create a new one
+		const ipAllocationId =
+			availableAllocation?.id ??
+			(await tx.insert(ipAllocations).values({}).returning({ id: ipAllocations.id }))[0].id;
+
+		// transaction savepoint after creating a new IP allocation
+		// TODO: not sure if this is needed
+		return await tx.transaction(async (tx2) => {
+			// create new client in db
+			const [newClient] = await tx2
+				.insert(wgClients)
+				.values({
+					userId: params.user.id,
+					name: params.name,
+					publicKey: keys.pubkey,
+					privateKey: keys.privkey,
+					preSharedKey: keys.psk,
+				})
+				.returning({ id: wgClients.id });
+
+			// update IP allocation with client ID
+			await tx2
+				.update(ipAllocations)
+				.set({ clientId: newClient.id })
+				.where(eq(ipAllocations.id, ipAllocationId));
+
+			// create client in opnsense
+			const opnsenseRes = await opnsenseCreateClient({
+				username: params.user.username,
+				pubkey: keys.pubkey,
+				psk: keys.psk,
+				allowedIps: getIpsFromIndex(ipAllocationId).join(','),
+			});
+			const opnsenseResJson = await opnsenseRes.json();
+			if (opnsenseResJson['result'] !== 'saved') {
+				tx2.rollback();
+				console.error(`Error creating client in OPNsense: \n${opnsenseResJson}`);
+				return err([500, 'Error creating client in OPNsense'] as [500, string]);
+			}
+
+			// reconfigure opnsense
+			await opnsenseReconfigure();
+		});
+	});
+	if (error) return error;
+	return ok(null);
+}
+
+async function getKeys() {
+	// fetch key pair from opnsense
+	const options: RequestInit = {
+		method: 'GET',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+		},
+	};
+	const resKeyPair = await fetch(`${opnsenseUrl}/api/wireguard/server/key_pair`, options);
+	const resPsk = await fetch(`${opnsenseUrl}/api/wireguard/client/psk`, options);
+	const keyPair = await resKeyPair.json();
+	const psk = await resPsk.json();
+	return {
+		pubkey: keyPair['pubkey'] as string,
+		privkey: keyPair['privkey'] as string,
+		psk: psk['psk'] as string,
+	};
+}
+
+export function getIpsFromIndex(ipIndex: number) {
+	ipIndex -= 1; // 1-indexed in the db
+	const v4StartingAddr = new Address4(IPV4_STARTING_ADDR);
+	const v6StartingAddr = new Address6(IPV6_STARTING_ADDR);
+	const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
+	const v6Offset = BigInt(ipIndex) << (128n - BigInt(IPV6_CLIENT_PREFIX_SIZE));
+	const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
+	const v6AllowedShort = v6Allowed.parsedAddress.join(':');
+
+	return [v4Allowed.address + '/32', v6AllowedShort + '/' + IPV6_CLIENT_PREFIX_SIZE];
+}
+
+async function opnsenseCreateClient(params: {
+	username: string;
+	pubkey: string;
+	psk: string;
+	allowedIps: string;
+}) {
+	return fetch(`${opnsenseUrl}/api/wireguard/client/addClientBuilder`, {
+		method: 'POST',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+			'Content-Type': 'application/json',
+		},
+		body: JSON.stringify({
+			configbuilder: {
+				enabled: '1',
+				name: `vpgen-${params.username}`,
+				pubkey: params.pubkey,
+				psk: params.psk,
+				tunneladdress: params.allowedIps,
+				server: serverUuid,
+				endpoint: VPN_ENDPOINT,
+			},
+		}),
+	});
+}
+
+async function opnsenseReconfigure() {
+	return fetch(`${opnsenseUrl}/api/wireguard/service/reconfigure`, {
+		method: 'POST',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+		},
+	});
+}

src/lib/server/db/index.ts

@@ -1,8 +1,5 @@
-import { drizzle } from 'drizzle-orm/better-sqlite3';
+import { drizzle } from 'drizzle-orm/libsql';
-import Database from 'better-sqlite3';
+import * as schema from './schema';
-import { env } from '$env/dynamic/private';
+import { DATABASE_URL } from '$env/static/private';
-import assert from 'node:assert';
 
-assert(env.DATABASE_URL, 'DATABASE_URL is not set');
+export const db= drizzle(DATABASE_URL, { schema });
-const client = new Database(env.DATABASE_URL);
-export const db = drizzle(client);

src/lib/server/db/schema.ts

@@ -1,19 +1,66 @@
 import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';
+import { relations } from 'drizzle-orm';
 
-export const user = sqliteTable('user', {
+export const users = sqliteTable('users', {
 	id: text('id').primaryKey(),
 	username: text('username').notNull(),
 	name: text('name').notNull(),
 });
 
-export const session = sqliteTable('session', {
+export const usersRelations = relations(users, ({ many }) => ({
+	wgClients: many(wgClients),
+}));
+
+export const sessions = sqliteTable('sessions', {
 	id: text('id').primaryKey(),
 	userId: text('user_id')
 		.notNull()
-		.references(() => user.id),
+		.references(() => users.id),
-	expiresAt: integer('expires_at', { mode: 'timestamp' }).notNull()
+	expiresAt: integer('expires_at', { mode: 'timestamp' }).notNull(),
 });
 
-export type Session = typeof session.$inferSelect;
+export const ipAllocations = sqliteTable('ip_allocations', {
+	// for now, id will be the same as the ipIndex
+	id: integer('id').primaryKey({ autoIncrement: true }),
+	// clientId is nullable because allocations can remain after the client is deleted
+	// unique for now, only allowing one allocation per client
+	clientId: integer('client_id')
+		.unique()
+		.references(() => wgClients.id, { onDelete: 'set null' }),
+});
 
-export type User = typeof user.$inferSelect;
+export const wgClients = sqliteTable('wg_clients', {
+	id: integer().primaryKey({ autoIncrement: true }),
+	userId: text('user_id')
+		.notNull()
+		.references(() => users.id),
+	name: text('name').notNull(),
+	// questioning whether this should be nullable
+	opnsenseId: text('opnsense_id'),
+	publicKey: text('public_key').notNull().unique(),
+	// nullable for the possibility of a client supplying their own private key
+	privateKey: text('private_key'),
+	// nullable for the possibility of no psk
+	preSharedKey: text('pre_shared_key'),
+	// discarded ideas:
+	// (mostly because they make finding the next available ipIndex difficult)
+	// ipIndex: integer('ip_index').notNull().unique(),
+	// allowedIps: text('allowed_ips').notNull(),
+});
+
+export const wgClientsRelations = relations(wgClients, ({ one }) => ({
+	user: one(users, {
+		fields: [wgClients.userId],
+		references: [users.id],
+	}),
+	ipAllocation: one(ipAllocations, {
+		fields: [wgClients.id],
+		references: [ipAllocations.clientId],
+	}),
+}));
+
+export type WgClient = typeof wgClients.$inferSelect;
+
+export type Session = typeof sessions.$inferSelect;
+
+export type User = typeof users.$inferSelect;

src/lib/server/db/seed.ts

@@ -0,0 +1,33 @@
+import { ipAllocations, users, wgClients } from './schema';
+import { eq } from 'drizzle-orm';
+import assert from 'node:assert';
+import { drizzle } from 'drizzle-orm/libsql';
+import * as schema from '$lib/server/db/schema';
+
+assert(process.env.DATABASE_URL, 'DATABASE_URL is not set');
+const db = drizzle(process.env.DATABASE_URL, { schema });
+
+async function seed() {
+	const user = await db.query.users.findFirst({ where: eq(users.username, 'CaZzzer') });
+	assert(user, 'User not found');
+
+	const clients: typeof wgClients.$inferInsert[] = [
+		{
+			userId: user.id,
+			name: 'Client1',
+			publicKey: 'BJ5faPVJsDP4CCxNYilmKnwlQXOtXEOJjqIwb4U/CgM=',
+			privateKey: 'KKqsHDu30WCSrVsyzMkOKbE3saQ+wlx0sBwGs61UGXk=',
+			preSharedKey: '0LWopbrISXBNHUxr+WOhCSAg+0hD8j3TLmpyzHkBHCQ=',
+			// ipIndex: 1,
+			// allowedIps: '10.18.11.101/32,fd00::1/112',
+		},
+	];
+	const returned = await db.insert(wgClients).values(clients).returning({ insertedId: wgClients.id });
+
+	const ipAllocation: typeof ipAllocations.$inferInsert = {
+		clientId: returned[0].insertedId,
+	};
+	await db.insert(ipAllocations).values(ipAllocation);
+}
+
+seed();

src/lib/server/opnsense/index.ts

@@ -0,0 +1,49 @@
+import { env } from '$env/dynamic/private';
+import assert from 'node:assert';
+import { encodeBasicCredentials } from 'arctic/dist/request';
+import { dev } from '$app/environment';
+import type { OpnsenseWgServers } from '$lib/opnsense/wg';
+
+assert(env.OPNSENSE_API_URL, 'OPNSENSE_API_URL is not set');
+assert(env.OPNSENSE_API_KEY, 'OPNSENSE_API_KEY is not set');
+assert(env.OPNSENSE_API_SECRET, 'OPNSENSE_API_SECRET is not set');
+assert(env.OPNSENSE_WG_IFNAME, 'OPNSENSE_WG_IFNAME is not set');
+
+export const opnsenseUrl = env.OPNSENSE_API_URL;
+export const opnsenseAuth =
+	'Basic ' + encodeBasicCredentials(env.OPNSENSE_API_KEY, env.OPNSENSE_API_SECRET);
+export const opnsenseIfname = env.OPNSENSE_WG_IFNAME;
+
+// unset secret for security
+if (!dev) env.OPNSENSE_API_SECRET = '';
+
+// this might be pretty bad if the server is down and in a bunch of other cases
+// TODO: write a retry loop later
+const resServers = await fetch(`${opnsenseUrl}/api/wireguard/client/list_servers`, {
+	method: 'GET',
+	headers: {
+		Authorization: opnsenseAuth,
+		Accept: 'application/json',
+	},
+});
+assert(resServers.ok, 'Failed to fetch OPNsense WireGuard servers');
+const servers = (await resServers.json()) as OpnsenseWgServers;
+assert.equal(servers.status, 'ok', 'Failed to fetch OPNsense WireGuard servers');
+export const serverUuid = servers.rows.find((server) => server.name === opnsenseIfname)?.uuid;
+assert(serverUuid, 'Failed to find server UUID for OPNsense WireGuard server');
+console.log('OPNsense WireGuard server UUID:', serverUuid);
+
+const resServerInfo = await fetch(
+	`${opnsenseUrl}/api/wireguard/client/get_server_info/${serverUuid}`,
+	{
+		method: 'GET',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+		},
+	},
+);
+assert(resServerInfo.ok, 'Failed to fetch OPNsense WireGuard server info');
+const serverInfo = await resServerInfo.json();
+assert.equal(serverInfo.status, 'ok', 'Failed to fetch OPNsense WireGuard server info');
+export const serverPublicKey = serverInfo['pubkey'];

src/lib/types/clients.ts

@@ -0,0 +1,11 @@
+export type ClientDetails = {
+	id: number;
+	name: string;
+	publicKey: string;
+	privateKey: string | null;
+	preSharedKey: string | null;
+	ips: string[];
+	vpnPublicKey: string;
+	vpnEndpoint: string;
+	vpnDns: string;
+};

src/lib/types/index.ts

@@ -0,0 +1,27 @@
+class Ok<T> {
+	readonly _tag = 'ok';
+	value: T;
+
+	constructor(value: T) {
+		this.value = value;
+	}
+}
+
+class Err<E> {
+	readonly _tag = 'err';
+	error: E;
+
+	constructor(error: E) {
+		this.error = error;
+	}
+}
+
+export type Result<T, E> = Ok<T> | Err<E>;
+
+export function err<E>(e: E): Err<E> {
+	return new Err(e);
+}
+
+export function ok<T>(t: T): Ok<T> {
+	return new Ok(t);
+}

src/routes/+layout.svelte

@@ -5,20 +5,25 @@
 
 	const { data, children } = $props();
 	const { user } = data;
+
+	function getNavClass(path: RegExp) {
+		return cn('hover:text-foreground/80 transition-colors',
+			path.test($page.url.pathname) ? 'text-foreground' : 'text-foreground/60');
+	}
 </script>
 
 <header class="p-4 sm:flex">
-	<span class=" mr-6 font-bold sm:inline-block">My App</span>
+	<span class=" mr-6 font-bold sm:inline-block">VPGen</span>
 	<nav class="flex items-center gap-6 text-sm">
-		<a href="/" class={cn("hover:text-foreground/80 transition-colors",
+		<a href="/" class={getNavClass(/^\/$/)}>Home</a>
-				$page.url.pathname === "/" ? "text-foreground" : "text-foreground/60")}>Home</a>
 		{#if user}
-			<a href="/user" class={cn("hover:text-foreground/80 transition-colors",
+			<a href="/user" class={getNavClass(/^\/user$/)}>Profile</a>
-				$page.url.pathname === "/user" ? "text-foreground" : "text-foreground/60")}>Profile</a>
+			<a href="/connections" class={getNavClass(/^\/connections$/)}>Connections</a>
+			<a href="/clients" class={getNavClass(/^\/clients(\/\d+)?$/)}>Clients</a>
 		{/if}
 	</nav>
 </header>
-<main class="flex-grow p-4">
+<main class="flex flex-col flex-grow p-4">
 	{@render children()}
 </main>
 

src/routes/+page.svelte

@@ -6,10 +6,10 @@
 </script>
 
 <svelte:head>
-	<title>VpGen</title>
+	<title>VPGen</title>
 </svelte:head>
 
-<h1>Welcome to SvelteKit</h1>
+<h1>Welcome to VPGen</h1>
 
 {#if user }
 	<p>Hi {user.name}</p>

src/routes/api/clients/+server.ts

@@ -0,0 +1,42 @@
+import { error } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { createClient, findClients, mapClientToDetails } from '$lib/server/clients';
+
+export const GET: RequestHandler = async (event) => {
+	if (!event.locals.user) {
+		return error(401, 'Unauthorized');
+	}
+
+	const clients = await findClients(event.locals.user.id);
+	return new Response(
+		JSON.stringify({
+			clients: clients.map(mapClientToDetails),
+		}),
+	);
+};
+
+
+export type Clients = Awaited<ReturnType<typeof findClients>>;
+
+export const POST: RequestHandler = async (event) => {
+	if (!event.locals.user) {
+		return error(401, 'Unauthorized');
+	}
+	const { name } = await event.request.json();
+	const res = await createClient({
+		name,
+		user: event.locals.user,
+	});
+
+	switch (res._tag) {
+		case 'ok': {
+			return new Response(null, {
+				status: 201,
+			});
+		}
+		case 'err': {
+			const [status, message] = res.error;
+			return error(status, message);
+		}
+	}
+};

src/routes/api/clients/[id]/+server.ts

@@ -0,0 +1,20 @@
+import { error } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { findClient, mapClientToDetails } from '$lib/server/clients';
+
+export const GET: RequestHandler = async (event) => {
+	if (!event.locals.user) {
+		return error(401, 'Unauthorized');
+	}
+
+	const { id } = event.params;
+	const clientId = parseInt(id);
+	if (isNaN(clientId)) {
+		return error(400, 'Invalid client ID');
+	}
+	const client = await findClient(event.locals.user.id, clientId);
+	if (!client) {
+		return error(404, 'Client not found');
+	}
+	return new Response(JSON.stringify(mapClientToDetails(client)));
+};

src/routes/api/connections/+server.ts

@@ -0,0 +1,43 @@
+import { error } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { opnsenseAuth, opnsenseUrl } from '$lib/server/opnsense';
+import type { OpnsenseWgPeers } from '$lib/opnsense/wg';
+
+export const GET: RequestHandler = async (event) => {
+	if (!event.locals.user) {
+		return error(401, 'Unauthorized');
+	}
+	const apiUrl = `${opnsenseUrl}/api/wireguard/service/show`;
+	const options: RequestInit = {
+		method: 'POST',
+		headers: {
+			Authorization: opnsenseAuth,
+			Accept: 'application/json',
+			'Content-Type': 'application/json',
+		},
+		body: JSON.stringify({
+			'current': 1,
+			// "rowCount": 7,
+			'sort': {},
+			// TODO: use a more unique search phrase
+			// unfortunately 64 character limit,
+			// but it should be fine if users can't change their own username
+			'searchPhrase': `vpgen-${event.locals.user.username}`,
+			'type': ['peer'],
+		}),
+	};
+
+	const res = await fetch(apiUrl, options);
+	const peers = await res.json() as OpnsenseWgPeers;
+	peers.rows = peers.rows.filter(peer => peer['latest-handshake'])
+
+	if (!peers) {
+		return error(500, 'Error getting info from OPNsense API');
+	}
+	return new Response(JSON.stringify(peers), {
+		headers: {
+			'Content-Type': 'application/json',
+			'Cache-Control': 'max-age=5',
+		}
+	});
+};

src/routes/auth/authentik/callback/+server.ts

@@ -39,7 +39,7 @@ export async function GET(event: RequestEvent): Promise<Response> {
 	const userId: string = claims.sub;
 	const username: string = claims.preferred_username;
 
-	const [existingUser] = await db.select().from(table.user).where(eq(table.user.id, userId));
+	const existingUser = await db.query.users.findFirst({where: eq(table.users.id, userId)});
 
 	if (existingUser) {
 		const session = await createSession(existingUser.id);
@@ -59,7 +59,7 @@ export async function GET(event: RequestEvent): Promise<Response> {
 	};
 
 	try {
-		await db.insert(table.user).values(user);
+		await db.insert(table.users).values(user);
 		const session = await createSession(user.id);
 		setSessionTokenCookie(event, session.id, session.expiresAt);
 	} catch (e) {

src/routes/clients/+page.server.ts

@@ -0,0 +1,28 @@
+import type { Actions } from './$types';
+import { createClient } from '$lib/server/clients';
+import { error } from '@sveltejs/kit';
+
+export const actions = {
+	create: async (event) => {
+		if (!event.locals.user) return error(401, 'Unauthorized');
+		const formData = await event.request.formData();
+		const name = formData.get('name');
+		if (typeof name !== 'string' || name.trim() === '') return error(400, 'Invalid name');
+		const res = await createClient({
+			name: name.trim(),
+			user: event.locals.user,
+		});
+
+		switch (res._tag) {
+			case 'ok': {
+				return {
+					status: 201,
+				};
+			}
+			case 'err': {
+				const [status, message] = res.error;
+				return error(status, message);
+			}
+		}
+	},
+} satisfies Actions;

src/routes/clients/+page.svelte

@@ -0,0 +1,55 @@
+<script lang="ts">
+	import * as Table from '$lib/components/ui/table';
+	import { Badge } from '$lib/components/ui/badge';
+	import { Button } from '$lib/components/ui/button';
+	import { Input } from '$lib/components/ui/input';
+	import type { PageData } from './$types';
+	import { LucidePlus } from 'lucide-svelte';
+
+	const { data }: { data: PageData } = $props();
+</script>
+
+<svelte:head>
+	<title>Clients</title>
+</svelte:head>
+
+<Table.Root class="bg-accent rounded-lg overflow-hidden divide-y-2 divide-background">
+	<Table.Header>
+		<Table.Row>
+			<Table.Head scope="col">Name</Table.Head>
+			<Table.Head scope="col">Public Key</Table.Head>
+<!--			<Table.Head scope="col">Private Key</Table.Head>-->
+<!--			<Table.Head scope="col">Pre-Shared Key</Table.Head>-->
+			<Table.Head scope="col">IP Allocation</Table.Head>
+		</Table.Row>
+	</Table.Header>
+	<Table.Body class="divide-y-2 divide-background">
+		{#each data.clients as client}
+			<Table.Row class="hover:bg-background hover:bg-opacity-40 group">
+				<Table.Head scope="row">
+					<a href={`/clients/${client.id}`} class="flex items-center size-full group-hover:underline">
+						{client.name}
+					</a>
+				</Table.Head>
+				<Table.Cell class="truncate">{client.publicKey}</Table.Cell>
+<!--				<Table.Cell class="truncate max-w-[10ch]">{client.privateKey}</Table.Cell>-->
+<!--				<Table.Cell class="truncate max-w-[10ch]">{client.preSharedKey}</Table.Cell>-->
+				<Table.Cell class="flex flex-wrap gap-1">
+					{#each client.ips as ip}
+						<Badge class="bg-background select-auto" variant="secondary">{ip}</Badge>
+					{/each}
+				</Table.Cell>
+			</Table.Row>
+		{/each}
+	</Table.Body>
+</Table.Root>
+
+<!--Floating action button for adding a new client-->
+<!--Not sure if this is the best place for the input field, will think about it later-->
+<form class="flex self-end mt-auto pt-4" method="post" action="?/create">
+	<Input type="text" name="name" placeholder="New Client" class="mr-2" />
+	<Button type="submit">
+		<LucidePlus class="mr-2 h-4 w-4" />
+		Add Client
+	</Button>
+</form>

src/routes/clients/+page.ts

@@ -0,0 +1,9 @@
+import type { PageLoad } from './$types';
+import type { ClientDetails } from '$lib/types/clients';
+
+export const load: PageLoad = async ({ fetch }) => {
+	const res = await fetch('/api/clients');
+	const { clients } = await res.json() as { clients: ClientDetails[] };
+
+	return { clients };
+};

src/routes/clients/[id]/+page.svelte

@@ -0,0 +1,55 @@
+<script lang="ts">
+	import type { PageData } from './$types';
+	import { LucideClipboardCopy } from 'lucide-svelte';
+	import { Button } from '$lib/components/ui/button';
+	import QRCode from 'qrcode-svg';
+
+	const { data }: { data: PageData } = $props();
+
+	let tooltipText = $state('Copy to clipboard');
+	let qrCode = new QRCode({
+		content: data.config,
+		join: true,
+	});
+
+	async function copyToClipboard() {
+		await navigator.clipboard.writeText(data.config);
+		tooltipText = 'Copied!';
+	}
+
+	function onMouseLeave() {
+		tooltipText = 'Copy to clipboard';
+	}
+</script>
+
+<svelte:head>
+	<title></title>
+</svelte:head>
+
+<h1 class="bg-accent text-lg w-fit rounded-lg p-2 mb-4">{data.client.name}</h1>
+
+<div class="flex flex-wrap gap-4">
+	<div class="relative bg-accent rounded-lg max-w-fit">
+		<div class="flex items-start p-2 overflow-x-auto">
+			<pre><code>{data.config}</code></pre>
+
+			<!--Copy button for the configuration-->
+			<!--Flex reverse for peer hover to work properly-->
+			<div class="absolute group flex flex-row-reverse items-center gap-1 right-2">
+				<Button class="peer size-10 p-2"
+								onclick={copyToClipboard}
+								onmouseleave={onMouseLeave}
+				>
+					<LucideClipboardCopy />
+				</Button>
+				<span class="hidden peer-hover:block bg-background text-xs rounded-lg p-2">
+				{tooltipText}
+			</span>
+			</div>
+		</div>
+	</div>
+
+	<div class="rounded-lg overflow-hidden">
+		{@html qrCode.svg()}
+	</div>
+</div>

src/routes/clients/[id]/+page.ts

@@ -0,0 +1,16 @@
+import type { PageLoad } from './$types';
+import type { ClientDetails } from '$lib/types/clients';
+import { clientDetailsToConfig } from '$lib/clients';
+import { error } from '@sveltejs/kit';
+
+export const load: PageLoad = async ({ fetch, params }) => {
+	const res = await fetch(`/api/clients/${params.id}`);
+	const resJson = await res.json();
+	if (!res.ok) {
+		return error(res.status, resJson['message']);
+	}
+	const client = resJson as ClientDetails;
+	const config = clientDetailsToConfig(client);
+
+	return { client, config };
+};

src/routes/connections/+page.svelte

@@ -0,0 +1,71 @@
+<script lang="ts">
+	import type { PageData } from './$types';
+	import { invalidate } from '$app/navigation';
+	import * as Table from '$lib/components/ui/table';
+	import { Badge } from '$lib/components/ui/badge';
+
+	const { data }: { data: PageData } = $props();
+
+	$effect(() => {
+		// refresh every 5 seconds
+		const interval = setInterval(() => {
+			console.log('Refreshing connections');
+			invalidate('/api/connections');
+		}, 5000);
+
+		return () => clearInterval(interval);
+	});
+
+	function getSize(size: number) {
+		let sizes = ['Bytes', 'KiB', 'MiB', 'GiB',
+			'TiB', 'PiB', 'EiB', 'ZiB', 'YiB'];
+
+		for (let i = 1; i < sizes.length; i++) {
+			if (size < Math.pow(1024, i))
+				return (Math.round((size / Math.pow(
+					1024, i - 1)) * 100) / 100) + ' ' + sizes[i - 1];
+		}
+		return size;
+	}
+</script>
+
+<svelte:head>
+	<title>Connections</title>
+</svelte:head>
+
+<Table.Root class="bg-accent rounded-lg overflow-hidden divide-y-2 divide-background">
+	<Table.Header>
+		<Table.Row>
+			<Table.Head scope="col">Name</Table.Head>
+			<Table.Head scope="col">Public Key</Table.Head>
+			<Table.Head scope="col">Endpoint</Table.Head>
+			<Table.Head scope="col">Allowed IPs</Table.Head>
+			<Table.Head scope="col">Latest Handshake</Table.Head>
+			<Table.Head scope="col">RX</Table.Head>
+			<Table.Head scope="col">TX</Table.Head>
+			<Table.Head scope="col" class="hidden">Persistent Keepalive</Table.Head>
+			<Table.Head scope="col" class="hidden">Interface Name</Table.Head>
+		</Table.Row>
+	</Table.Header>
+	<Table.Body class="divide-y-2 divide-background">
+		{#each data.peers.rows as peer}
+			<Table.Row class="hover:bg-background hover:bg-opacity-40">
+				<Table.Head scope="row">{peer.name}</Table.Head>
+				<Table.Cell class="truncate max-w-[10ch]">{peer['public-key']}</Table.Cell>
+				<Table.Cell>{peer.endpoint}</Table.Cell>
+				<Table.Cell>
+					<div class="flex flex-wrap gap-1">
+						{#each peer['allowed-ips'].split(',') as addr}
+							<Badge class="bg-background select-auto" variant="secondary">{addr}</Badge>
+						{/each}
+					</div>
+				</Table.Cell>
+				<Table.Cell>{new Date(peer['latest-handshake'] * 1000).toLocaleString()}</Table.Cell>
+				<Table.Cell>{getSize(peer['transfer-rx'])}</Table.Cell>
+				<Table.Cell>{getSize(peer['transfer-tx'])}</Table.Cell>
+				<Table.Cell class="hidden">{peer['persistent-keepalive']}</Table.Cell>
+				<Table.Cell class="hidden">{peer.ifname}</Table.Cell>
+			</Table.Row>
+		{/each}
+	</Table.Body>
+</Table.Root>

src/routes/connections/+page.ts

@@ -0,0 +1,9 @@
+import type { PageLoad } from './$types';
+import type { OpnsenseWgPeers } from '$lib/opnsense/wg';
+
+export const load: PageLoad = async ({ fetch }) => {
+	const res = await fetch('/api/connections');
+	const peers = await res.json() as OpnsenseWgPeers;
+
+	return { peers };
+};

src/routes/user/+page.svelte

@@ -7,9 +7,9 @@
 	let isLoadingSignOut = $state(false);
 
 	function refetch() {
-		console.log("refetching");
+		console.log('refetching');
 		invalidate((url) => {
-			console.log("invalidation url", url);
+			console.log('invalidation url', url);
 			return true;
 		});
 		invalidateAll();
@@ -20,15 +20,14 @@
 	<title>User Profile</title>
 </svelte:head>
 
-<p>
+<pre>{JSON.stringify(data.user, null, 2)}</pre>
-	{JSON.stringify(data.user)}
-</p>
 
-<Button onclick={refetch}>
+<div class="flex gap-2">
+	<Button onclick={refetch}>
 		<LucideRefreshCw class="mr-2 h-4 w-4" />
 		Invalidate Data
-</Button>
+	</Button>
-<form class="inline-flex" method="post" action="/auth?/logout">
+	<form class="inline-flex" method="post" action="/auth?/logout">
 		<Button type="submit" onclick={() => {isLoadingSignOut = true}}>
 			{#if isLoadingSignOut}
 				<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
@@ -37,4 +36,5 @@
 			{/if}
 			Sign Out
 		</Button>
-</form>
+	</form>
+</div>