@highstate/library 0.15.0 → 0.16.0

package/dist/index.js

@@ -1,5 +1,5 @@
-import { registerKnownAbbreviations, z, camelCaseToHumanReadable, defineEntity, defineUnit, $addArgumentDescription, $addInputDescription, fileContentSchema as fileContentSchema$1, fileMetaSchema, unitArtifactSchema, $secrets, $inputs, $outputs, $args, text } from '@highstate/contract';
-import { mapValues, pick, omit } from 'remeda';
+import { registerKnownAbbreviations, z, defineEntity, camelCaseToHumanReadable, genericNameSchema, $args, $addArgumentDescription, defineUnit, $addInputDescription, fileContentSchema as fileContentSchema$1, fileMetaSchema, unitArtifactSchema, $secrets, $inputs, $outputs, text } from '@highstate/contract';
+import { mapValues, pick } from 'remeda';
 
 var __defProp = Object.defineProperty;
 var __export = (target, all) => {
@@ -35,7 +35,8 @@ registerKnownAbbreviations([
   "CSI",
   "MariaDB",
   "PostgreSQL",
-  "MongoDB"
+  "MongoDB",
+  "etcd"
 ]);
 
 // src/common/index.ts
@@ -54,7 +55,6 @@ __export(common_exports, {
   gatewayEntity: () => gatewayEntity,
   remoteFile: () => remoteFile,
   script: () => script,
-  serverDns: () => serverDns,
   serverEntity: () => serverEntity,
   serverOutputs: () => serverOutputs,
   serverPatch: () => serverPatch,
@@ -66,100 +66,283 @@ __export(common_exports, {
 // src/dns.ts
 var dns_exports = {};
 __export(dns_exports, {
-  createArgs: () => createArgs,
-  inputs: () => inputs,
+  inputs: () => inputs2,
   providerEntity: () => providerEntity,
   recordSet: () => recordSet
 });
-var implementationReferenceSchema = z.object({
-  /**
-   * The name of the package which contains the implementation.
-   */
-  package: z.string().meta({ title: camelCaseToHumanReadable("package"), description: `The name of the package which contains the implementation.` }),
-  /**
-   * The implementation specific data.
-   */
-  data: z.record(z.string(), z.unknown()).meta({ title: camelCaseToHumanReadable("data"), description: `The implementation specific data.` })
-});
 
-// src/network.ts
+// src/network/index.ts
 var network_exports = {};
 __export(network_exports, {
+  addressEntity: () => addressEntity,
+  addressSpace: () => addressSpace,
+  addressSpaceEntity: () => addressSpaceEntity,
+  addressTypeSchema: () => addressTypeSchema,
+  dynamicL3EndpointEntity: () => dynamicL3EndpointEntity,
+  dynamicL4EndpointEntity: () => dynamicL4EndpointEntity,
+  dynamicL7EndpointEntity: () => dynamicL7EndpointEntity,
+  endpointArgs: () => endpointArgs,
   endpointFilter: () => endpointFilter,
-  endpointFilterSchema: () => endpointFilterSchema,
-  endpointVisibilitySchema: () => endpointVisibilitySchema,
   ipv46Schema: () => ipv46Schema,
   ipv4PrefixSchema: () => ipv4PrefixSchema,
-  l34EndpointSchema: () => l34EndpointSchema,
   l3Endpoint: () => l3Endpoint,
   l3EndpointEntity: () => l3EndpointEntity,
+  l3EndpointSchema: () => l3EndpointSchema,
   l4Endpoint: () => l4Endpoint,
   l4EndpointEntity: () => l4EndpointEntity,
+  l4EndpointSchema: () => l4EndpointSchema,
   l4PortInfoSchema: () => l4PortInfoSchema,
   l4ProtocolSchema: () => l4ProtocolSchema,
   l7AppInfoSchema: () => l7AppInfoSchema,
   l7Endpoint: () => l7Endpoint,
   l7EndpointEntity: () => l7EndpointEntity,
-  portSchema: () => portSchema
-});
-var endpointVisibilitySchema = z.enum([
-  "public",
-  // reachable from the public internet
-  "external",
-  // reachable from outside the system boundary, but not public
-  "internal"
-  // reachable only from within the system or cluster
+  l7EndpointSchema: () => l7EndpointSchema,
+  networkArgs: () => networkArgs,
+  optionalNetworkArgs: () => optionalNetworkArgs,
+  portSchema: () => portSchema,
+  subnetEntity: () => subnetEntity
+});
+var addressTypeSchema = z.enum(["ipv4", "ipv6"]);
+var subnetEntity = defineEntity({
+  type: "network.subnet.v1",
+  schema: z.object({
+    /**
+     * The type of the subnet.
+     */
+    type: addressTypeSchema.meta({ title: camelCaseToHumanReadable("type"), description: `The type of the subnet.` }),
+    /**
+     * The canonical base IP address of the subnet.
+     */
+    baseAddress: z.string().meta({ title: camelCaseToHumanReadable("baseAddress"), description: `The canonical base IP address of the subnet.` }),
+    /**
+     * The prefix length of the subnet.
+     */
+    prefixLength: z.number().int().nonnegative().meta({ title: camelCaseToHumanReadable("prefixLength"), description: `The prefix length of the subnet.` })
+  }),
+  meta: {
+    color: "#3F51B5"
+  }
+});
+
+// src/network/address.ts
+var addressEntity = defineEntity({
+  type: "network.address.v1",
+  includes: {
+    /**
+     * The subnet to which the address belongs.
+     */
+    subnet: subnetEntity
+  },
+  schema: z.object({
+    /**
+     * The type of the address.
+     */
+    type: addressTypeSchema.meta({ title: camelCaseToHumanReadable("type"), description: `The type of the address.` }),
+    /**
+     * The address in canonical string representation.
+     *
+     * IPv6 addresses must be in shortest possible notation as per RFC 5952.
+     *
+     * For example:
+     * - IPv4: `192.168.1.1`
+     * - IPv6: `2001:db8:85a3::8a2e:370:7334`
+     */
+    value: z.string().meta({ title: camelCaseToHumanReadable("value"), description: `The address in canonical string representation.
+
+ IPv6 addresses must be in shortest possible notation as per RFC 5952.
+
+ For example:
+ - IPv4: \`192.168.1.1\`
+ - IPv6: \`2001:db8:85a3::8a2e:370:7334\`` })
+  })
+});
+function prefixWith(string, prefix) {
+  return prefix ? `${prefix}${string.charAt(0).toUpperCase()}${string.slice(1)}` : string;
+}
+function prefixKeysWith(prefix, obj) {
+  return Object.fromEntries(
+    Object.entries(obj).map(([key, value]) => [prefixWith(key, prefix), value])
+  );
+}
+var booleanPatchSchema = z.enum(["keep", "true", "false"]).default("keep");
+function toPatchArgs(args) {
+  return mapValues(args, (arg) => {
+    if (arg.schema instanceof z.ZodBoolean || arg.schema instanceof z.ZodDefault && arg.schema.unwrap() instanceof z.ZodBoolean || arg.schema instanceof z.ZodOptional && arg.schema.unwrap() instanceof z.ZodBoolean) {
+      return { ...arg, schema: booleanPatchSchema };
+    }
+    return arg;
+  });
+}
+var metadataKeySchema = z.templateLiteral([
+  genericNameSchema,
+  z.literal("."),
+  genericNameSchema
 ]);
-var endpointFilterSchema = endpointVisibilitySchema.array();
-var l3EndpointEntity = defineEntity({
-  type: "network.l3-endpoint.v1",
-  schema: z.intersection(
+var metadataSchema = z.record(metadataKeySchema, z.unknown());
+var implementationReferenceSchema = z.object({
+  /**
+   * The name of the package which contains the implementation.
+   */
+  package: z.string().meta({ title: camelCaseToHumanReadable("package"), description: `The name of the package which contains the implementation.` }),
+  /**
+   * The implementation specific data.
+   */
+  data: z.record(z.string(), z.unknown()).meta({ title: camelCaseToHumanReadable("data"), description: `The implementation specific data.` })
+});
+function createEndpointSchema(level, shape) {
+  return z.intersection(
     z.object({
       /**
-       * The generic visibility of an endpoint.
-       *
-       * - `public`: reachable from the public internet;
-       * - `external`: reachable from outside the system boundary (e.g., LAN, VPC), but not public;
-       * - `internal`: reachable only from within the application or infrastructure boundary (e.g., within a cluster).
+       * The level of the endpoint in the network stack.
        */
-      visibility: endpointVisibilitySchema.meta({ title: camelCaseToHumanReadable("visibility"), description: `The generic visibility of an endpoint.
-
- - \`public\`: reachable from the public internet;
- - \`external\`: reachable from outside the system boundary (e.g., LAN, VPC), but not public;
- - \`internal\`: reachable only from within the application or infrastructure boundary (e.g., within a cluster).` }),
+      level: z.literal(level).default(level).meta({ title: camelCaseToHumanReadable("level"), description: `The level of the endpoint in the network stack.` }),
       /**
        * The extra metadata for the endpoint.
        *
        * In most cases, this is provided by the endpoint origin (e.g., a Kubernetes service).
        */
-      metadata: z.record(z.string(), z.unknown()).optional().meta({ title: camelCaseToHumanReadable("metadata"), description: `The extra metadata for the endpoint.
-
- In most cases, this is provided by the endpoint origin (e.g., a Kubernetes service).` })
+      metadata: z.intersection(
+        metadataSchema,
+        z.object({
+          /**
+           * The scope of the endpoint as per IANA definitions.
+           *
+           * - `private`: The endpoint is intended for use within a private network.
+           * - `global`: The endpoint is intended for public access over the internet.
+           *
+           * If not specified, the scope is considered unknown.
+           */
+          "iana.scope": z.enum(["private", "global"]).optional()
+        })
+      ).meta({ title: camelCaseToHumanReadable("metadata"), description: `The extra metadata for the endpoint.
+
+ In most cases, this is provided by the endpoint origin (e.g., a Kubernetes service).` }),
+      ...shape
     }),
     z.union([
       z.object({
         type: z.literal("hostname"),
         /**
-         * The hostname of the endpoint in the format of a domain name.
+         * The hostname of the endpoint in the format of a domain name as per RFC 1035.
          */
-        hostname: z.string().meta({ title: camelCaseToHumanReadable("hostname"), description: `The hostname of the endpoint in the format of a domain name.` })
+        hostname: z.string().meta({ title: camelCaseToHumanReadable("hostname"), description: `The hostname of the endpoint in the format of a domain name as per RFC 1035.` }),
+        address: z.undefined().optional()
       }),
       z.object({
-        type: z.literal("ipv4"),
+        type: z.enum(["ipv4", "ipv6"]),
+        /**
+         * The address entity representing the IP address of the endpoint.
+         */
+        address: addressEntity.schema.meta({ title: camelCaseToHumanReadable("address"), description: `The address entity representing the IP address of the endpoint.` }),
+        hostname: z.undefined().optional()
+      })
+    ])
+  );
+}
+var l4ProtocolSchema = z.enum(["tcp", "udp"]);
+var portSchema = z.number().int().min(1).max(65535);
+var l4PortInfoSchema = z.object({
+  port: portSchema,
+  protocol: l4ProtocolSchema
+});
+var l7AppInfoSchema = z.object({
+  /**
+   * The name of the application protocol used by the endpoint.
+   */
+  appProtocol: z.string().meta({ title: camelCaseToHumanReadable("appProtocol"), description: `The name of the application protocol used by the endpoint.` }),
+  /**
+   * The resource path of the application endpoint, including query parameters.
+   * Must not start with a slash (`/`).
+   *
+   * Example: `api/v1/resource?query=value`, `database?param=value`, `user/repo.git`.
+   */
+  path: z.string().optional().meta({ title: camelCaseToHumanReadable("path"), description: `The resource path of the application endpoint, including query parameters.
+ Must not start with a slash (\`/\`).
+
+ Example: \`api/v1/resource?query=value\`, \`database?param=value\`, \`user/repo.git\`.` })
+});
+var onlyl3EndpointSchema = createEndpointSchema(3, {
+  port: z.undefined().optional(),
+  protocol: z.undefined().optional(),
+  appProtocol: z.undefined().optional(),
+  path: z.undefined().optional()
+});
+var onlyl4EndpointSchema = createEndpointSchema(4, {
+  ...l4PortInfoSchema.shape,
+  appProtocol: z.undefined().optional(),
+  path: z.undefined().optional()
+});
+var onlyl7EndpointSchema = createEndpointSchema(7, {
+  ...l4PortInfoSchema.shape,
+  ...l7AppInfoSchema.shape
+});
+var l3EndpointSchema = z.union([
+  onlyl3EndpointSchema,
+  onlyl4EndpointSchema,
+  onlyl7EndpointSchema
+]);
+var l4EndpointSchema = z.union([onlyl4EndpointSchema, onlyl7EndpointSchema]);
+var l7EndpointSchema = onlyl7EndpointSchema;
+
+// src/network/dynamic-endpoint.ts
+function defineDynamicEndpointEntity(level, endpointSchema) {
+  return defineEntity({
+    type: `network.dynamic-l${level}-endpoint.v1`,
+    schema: z.union([
+      z.object({
+        type: z.literal("static"),
         /**
-         * The IPv4 address of the endpoint.
+         * The static endpoint.
          */
-        address: z.string().meta({ title: camelCaseToHumanReadable("address"), description: `The IPv4 address of the endpoint.` })
+        endpoint: endpointSchema.meta({ title: camelCaseToHumanReadable("endpoint"), description: `The static endpoint.` })
       }),
       z.object({
-        type: z.literal("ipv6"),
+        type: z.literal("dynamic"),
         /**
-         * The IPv6 address of the endpoint.
+         * The implementation reference to resolve the dynamic endpoint.
          */
-        address: z.string().meta({ title: camelCaseToHumanReadable("address"), description: `The IPv6 address of the endpoint.` })
+        implRef: implementationReferenceSchema.meta({ title: camelCaseToHumanReadable("implRef"), description: `The implementation reference to resolve the dynamic endpoint.` })
       })
     ])
-  ),
+  });
+}
+var dynamicL3EndpointEntity = defineDynamicEndpointEntity(3, l3EndpointSchema);
+var dynamicL4EndpointEntity = defineDynamicEndpointEntity(4, l3EndpointSchema);
+var dynamicL7EndpointEntity = defineDynamicEndpointEntity(7, l3EndpointSchema);
+
+// src/network/endpoint.ts
+var l3EndpointEntity = defineEntity({
+  type: "network.l3-endpoint.v1",
+  includes: {
+    /**
+     * The subnet containing the endpoint.
+     *
+     * If type is "hostname", will be omitted.
+     */
+    subnet: {
+      entity: subnetEntity,
+      required: false
+    },
+    /**
+     * The address of the endpoint.
+     *
+     * If type is "hostname", will be omitted.
+     */
+    address: {
+      entity: addressEntity,
+      required: false
+    },
+    /**
+     * The dynamic endpoint which statically resolves to this endpoint.
+     *
+     * Allows to use any static endpoint as a dynamic without extra units.
+     */
+    dynamic: {
+      entity: dynamicL3EndpointEntity,
+      required: false
+    }
+  },
+  schema: l3EndpointSchema,
   meta: {
     description: `The L3 endpoint for some service.
 
@@ -167,17 +350,20 @@ var l3EndpointEntity = defineEntity({
     color: "#4CAF50"
   }
 });
-var l4ProtocolSchema = z.enum(["tcp", "udp"]);
-var portSchema = z.number().int().min(1).max(65535);
 var ipv4PrefixSchema = z.number().int().min(0).max(32);
 var ipv46Schema = z.union([z.ipv4(), z.ipv6()]);
-var l4PortInfoSchema = z.object({
-  port: portSchema,
-  protocol: l4ProtocolSchema
-});
 var l4EndpointEntity = defineEntity({
   type: "network.l4-endpoint.v1",
-  schema: z.intersection(l3EndpointEntity.schema, l4PortInfoSchema),
+  extends: { l3EndpointEntity },
+  includes: {
+    /**
+     * The dynamic endpoint which statically resolves to this endpoint.
+     *
+     * Allows to use any static endpoint as a dynamic without extra units.
+     */
+    dynamic: dynamicL4EndpointEntity
+  },
+  schema: l4EndpointSchema,
   meta: {
     description: `The L4 endpoint for some service.
 
@@ -185,25 +371,18 @@ var l4EndpointEntity = defineEntity({
     color: "#2196F3"
   }
 });
-var l7AppInfoSchema = z.object({
-  /**
-   * The name of the application protocol used by the endpoint.
-   */
-  appProtocol: z.string().meta({ title: camelCaseToHumanReadable("appProtocol"), description: `The name of the application protocol used by the endpoint.` }),
-  /**
-   * The resource path of the application endpoint, including query parameters.
-   * Must not start with a slash (`/`).
-   *
-   * Example: `api/v1/resource?query=value`, `database?param=value`, `user/repo.git`.
-   */
-  resource: z.string().optional().meta({ title: camelCaseToHumanReadable("resource"), description: `The resource path of the application endpoint, including query parameters.
- Must not start with a slash (\`/\`).
-
- Example: \`api/v1/resource?query=value\`, \`database?param=value\`, \`user/repo.git\`.` })
-});
 var l7EndpointEntity = defineEntity({
   type: "network.l7-endpoint.v1",
-  schema: z.intersection(l4EndpointEntity.schema, l7AppInfoSchema),
+  extends: { l4EndpointEntity },
+  includes: {
+    /**
+     * The dynamic endpoint which statically resolves to this endpoint.
+     *
+     * Allows to use any static endpoint as a dynamic without extra units.
+     */
+    dynamic: dynamicL7EndpointEntity
+  },
+  schema: l7EndpointSchema,
   meta: {
     description: `The L7 endpoint for some service.
 
@@ -211,6 +390,16 @@ var l7EndpointEntity = defineEntity({
     color: "#FF9800"
   }
 });
+var endpointArgs = $args({
+  /**
+   * The custom metadata entries of the endpoint.
+   *
+   * Can be used to filter them (for example, by environment, region, etc.).
+   */
+  metadata: $addArgumentDescription(metadataSchema, `The custom metadata entries of the endpoint.
+
+ Can be used to filter them (for example, by environment, region, etc.).`)
+});
 var l3Endpoint = defineUnit({
   type: "network.l3-endpoint.v1",
   args: {
@@ -222,24 +411,7 @@ var l3Endpoint = defineUnit({
     endpoint: $addArgumentDescription(z.string(), `The string representation of the endpoint.
 
  May be a domain name or an IP address.`),
-    /**
-     * The visibility of the endpoint.
-     *
-     * The visibility levels are:
-     * - `public`: reachable from the public internet;
-     * - `external`: reachable from outside the system boundary (e.g., LAN, VPC), but not public;
-     * - `internal`: reachable only from within the application or infrastructure boundary (e.g., within a cluster).
-     *
-     * If not specified, defaults to `public`.
-     */
-    visibility: $addArgumentDescription(endpointVisibilitySchema.default("public"), `The visibility of the endpoint.
-
- The visibility levels are:
- - \`public\`: reachable from the public internet;
- - \`external\`: reachable from outside the system boundary (e.g., LAN, VPC), but not public;
- - \`internal\`: reachable only from within the application or infrastructure boundary (e.g., within a cluster).
-
- If not specified, defaults to \`public\`.`)
+    ...endpointArgs
   },
   outputs: {
     endpoint: l3EndpointEntity
@@ -280,24 +452,7 @@ var l4Endpoint = defineUnit({
  - \`endpoint:port\` (TCP by default)
  - \`tcp://endpoint:port\`
  - \`udp://endpoint:port\``),
-    /**
-     * The visibility of the endpoint.
-     *
-     * The visibility levels are:
-     * - `public`: reachable from the public internet;
-     * - `external`: reachable from outside the system boundary (e.g., LAN, VPC), but not public;
-     * - `internal`: reachable only from within the application or infrastructure boundary (e.g., within a cluster).
-     *
-     * If not specified, defaults to `public`.
-     */
-    visibility: $addArgumentDescription(endpointVisibilitySchema.default("public"), `The visibility of the endpoint.
-
- The visibility levels are:
- - \`public\`: reachable from the public internet;
- - \`external\`: reachable from outside the system boundary (e.g., LAN, VPC), but not public;
- - \`internal\`: reachable only from within the application or infrastructure boundary (e.g., within a cluster).
-
- If not specified, defaults to \`public\`.`)
+    ...endpointArgs
   },
   outputs: {
     endpoint: l4EndpointEntity
@@ -321,37 +476,20 @@ var l7Endpoint = defineUnit({
     /**
      * The string representation of the endpoint.
      *
-     * The possible formats are:
-     *
-     * - `https://endpoint:port/resource`
-     * - `ftp://endpoint:port/resource`
-     * - `someotherprotocol://endpoint:port/resource`
+     * The format is `[protocol://]endpoint[:port][/path]`.
      */
     endpoint: $addArgumentDescription(z.string(), `The string representation of the endpoint.
 
- The possible formats are:
-
- - \`https://endpoint:port/resource\`
- - \`ftp://endpoint:port/resource\`
- - \`someotherprotocol://endpoint:port/resource\``),
+ The format is \`[protocol://]endpoint[:port][/path]\`.`),
     /**
-     * The visibility of the endpoint.
-     *
-     * The visibility levels are:
-     * - `public`: reachable from the public internet;
-     * - `external`: reachable from outside the system boundary (e.g., LAN, VPC), but not public;
-     * - `internal`: reachable only from within the application or infrastructure boundary (e.g., within a cluster).
+     * The L4 protocol of the endpoint.
      *
-     * If not specified, defaults to `public`.
+     * If not specified, it will be inferred from the endpoint string if possible or default to `tcp`.
      */
-    visibility: $addArgumentDescription(endpointVisibilitySchema.default("public"), `The visibility of the endpoint.
+    protocol: $addArgumentDescription(z.enum(["infer", "tcp", "udp"]).default("infer"), `The L4 protocol of the endpoint.
 
- The visibility levels are:
- - \`public\`: reachable from the public internet;
- - \`external\`: reachable from outside the system boundary (e.g., LAN, VPC), but not public;
- - \`internal\`: reachable only from within the application or infrastructure boundary (e.g., within a cluster).
-
- If not specified, defaults to \`public\`.`)
+ If not specified, it will be inferred from the endpoint string if possible or default to \`tcp\`.`),
+    ...endpointArgs
   },
   outputs: {
     endpoint: l7EndpointEntity
@@ -369,41 +507,39 @@ var l7Endpoint = defineUnit({
     path: "units/network/l7-endpoint"
   }
 });
-var endpointFilter = defineUnit({
-  type: "network.endpoint-filter.v1",
-  args: {
-    /**
-     * The endpoint filter to filter the endpoints before creating the DNS records.
-     *
-     * Possible values:
-     *
-     * - `public`: only endpoints exposed to the public internet;
-     * - `external`: reachable from outside the system but not public (e.g., LAN, VPC);
-     * - `internal`: reachable only from within the system boundary (e.g., inside a cluster).
-     *
-     * You can select one or more values.
-     *
-     * If no value is provided, the endpoints will be filtered by the most accessible type:
-     *
-     * - if any public endpoints exist, all public endpoints are selected;
-     * - otherwise, if any external endpoints exist, all external endpoints are selected;
-     * - if neither exist, all internal endpoints are selected.
-     */
-    endpointFilter: $addArgumentDescription(endpointFilterSchema.default([]), `The endpoint filter to filter the endpoints before creating the DNS records.
-
- Possible values:
-
- - \`public\`: only endpoints exposed to the public internet;
- - \`external\`: reachable from outside the system but not public (e.g., LAN, VPC);
- - \`internal\`: reachable only from within the system boundary (e.g., inside a cluster).
+var networkArgs = $args({
+  /**
+   * The filter expression to select endpoints by their properties and metadata.
+   *
+   * The following properties are available for filtering:
+   *
+   * - `type`: The type of the endpoint (`ipv4`, `ipv6`, `hostname`).
+   * - `level`: The level of the endpoint in the network stack (`3`, `4`, `7`). Numeric, can be used in expressions like `level >= 4`.
+   * - `protocol`: The L4 protocol of the endpoint (`tcp`, `udp`). Only available for L4 and L7 endpoints.
+   * - `port`: The port of the endpoint. Only available for L4 and L7 endpoints.
+   * - `appProtocol`: The application protocol of the endpoint (e.g., `http`, `https`, `dns`). Only available for L7 endpoints.
+   * - `metadata.{key}`: Any custom metadata field added to the endpoint. Nested fields (e.g., `metadata.k8s.service.clusterId`) are supported.
+   *
+   * See [filter-expression](https://github.com/tronghieu/filter-expression?tab=readme-ov-file#language) for more details on the expression syntax.
+   */
+  endpointFilter: $addArgumentDescription(z.string().meta({ language: "javascript" }), `The filter expression to select endpoints by their properties and metadata.
 
- You can select one or more values.
+ The following properties are available for filtering:
 
- If no value is provided, the endpoints will be filtered by the most accessible type:
+ - \`type\`: The type of the endpoint (\`ipv4\`, \`ipv6\`, \`hostname\`).
+ - \`level\`: The level of the endpoint in the network stack (\`3\`, \`4\`, \`7\`). Numeric, can be used in expressions like \`level >= 4\`.
+ - \`protocol\`: The L4 protocol of the endpoint (\`tcp\`, \`udp\`). Only available for L4 and L7 endpoints.
+ - \`port\`: The port of the endpoint. Only available for L4 and L7 endpoints.
+ - \`appProtocol\`: The application protocol of the endpoint (e.g., \`http\`, \`https\`, \`dns\`). Only available for L7 endpoints.
+ - \`metadata.{key}\`: Any custom metadata field added to the endpoint. Nested fields (e.g., \`metadata.k8s.service.clusterId\`) are supported.
 
- - if any public endpoints exist, all public endpoints are selected;
- - otherwise, if any external endpoints exist, all external endpoints are selected;
- - if neither exist, all internal endpoints are selected.`)
+ See [filter-expression](https://github.com/tronghieu/filter-expression?tab=readme-ov-file#language) for more details on the expression syntax.`)
+});
+var optionalNetworkArgs = mapValues(networkArgs, (x) => ({ schema: x.schema.optional() }));
+var endpointFilter = defineUnit({
+  type: "network.endpoint-filter.v1",
+  args: {
+    ...pick(networkArgs, ["endpointFilter"])
   },
   inputs: {
     l3Endpoints: {
@@ -415,6 +551,11 @@ var endpointFilter = defineUnit({
       entity: l4EndpointEntity,
       multiple: true,
       required: false
+    },
+    l7Endpoints: {
+      entity: l7EndpointEntity,
+      multiple: true,
+      required: false
     }
   },
   outputs: {
@@ -425,6 +566,10 @@ var endpointFilter = defineUnit({
     l4Endpoints: {
       entity: l4EndpointEntity,
       multiple: true
+    },
+    l7Endpoints: {
+      entity: l7EndpointEntity,
+      multiple: true
     }
   },
   meta: {
@@ -440,286 +585,103 @@ var endpointFilter = defineUnit({
     path: "units/network/endpoint-filter"
   }
 });
-var l34EndpointSchema = z.union([
-  z.intersection(
-    l3EndpointEntity.schema,
-    z.object({
-      port: z.undefined().optional(),
-      protocol: z.undefined().optional()
-    })
-  ),
-  l4EndpointEntity.schema
-]);
-function prefixWith(string, prefix) {
-  return prefix ? `${prefix}${string.charAt(0).toUpperCase()}${string.slice(1)}` : string;
-}
-function prefixKeysWith(prefix, obj) {
-  return Object.fromEntries(
-    Object.entries(obj).map(([key, value]) => [prefixWith(key, prefix), value])
-  );
-}
-var arrayPatchModeSchema = z.enum(["prepend", "replace"]);
-var booleanPatchSchema = z.enum(["keep", "true", "false"]);
 
-// src/dns.ts
-var providerEntity = defineEntity({
-  type: "dns.provider.v1",
-  schema: z.object({
-    /**
-     * The ID of the DNS provider unique within the system.
-     */
-    id: z.string().meta({ title: camelCaseToHumanReadable("id"), description: `The ID of the DNS provider unique within the system.` }),
+// src/network/address-space.ts
+var addressSpaceEntity = defineEntity({
+  type: "network.address-space.v1",
+  includes: {
     /**
-     * The domain apex for which the DNS records will be created.
-     *
-     * If the provider manages multiple domains, the separate provider entity should be created for each domain.
-     */
-    domain: z.string().meta({ title: camelCaseToHumanReadable("domain"), description: `The domain apex for which the DNS records will be created.
-
- If the provider manages multiple domains, the separate provider entity should be created for each domain.` }),
-    /**
-     * The reference to the implementation of the DNS provider.
+     * The minimal set of subnets that fully cover the address space.
      */
-    implRef: implementationReferenceSchema.meta({ title: camelCaseToHumanReadable("implRef"), description: `The reference to the implementation of the DNS provider.` })
-  }),
+    subnets: {
+      entity: subnetEntity,
+      multiple: true
+    }
+  },
+  schema: z.unknown(),
   meta: {
-    color: "#FF5722"
+    description: `The entity representing a network address space.`,
+    color: "#3F51B5"
   }
 });
-var recordSet = defineUnit({
-  type: "dns.record-set.v1",
+var addressSpace = defineUnit({
+  type: "network.address-space.v1",
   args: {
-    ...createArgs(),
-    /**
-     * The values of the DNS record.
-     */
-    values: $addArgumentDescription(z.string().array().default([]), `The values of the DNS record.`),
     /**
-     * The TTL of the DNS record.
-     */
-    ttl: $addArgumentDescription(z.number().optional(), `The TTL of the DNS record.`),
-    /**
-     * The priority of the DNS record.
+     * The list of addresses to include in the address space.
+     *
+     * The supported formats are:
+     * - Single IP address (e.g., `192.168.1.1`);
+     * - CIDR notation (e.g., `192.168.1.1/24`);
+     * - Dash notation (e.g., `192.168.1.1-192.168.1.254`).
+     *
+     * The addresses can be a mix of IPv4 and IPv6.
      */
-    priority: $addArgumentDescription(z.number().optional(), `The priority of the DNS record.`),
+    included: $addArgumentDescription(z.string().array().default([]), `The list of addresses to include in the address space.
+
+ The supported formats are:
+ - Single IP address (e.g., \`192.168.1.1\`);
+ - CIDR notation (e.g., \`192.168.1.1/24\`);
+ - Dash notation (e.g., \`192.168.1.1-192.168.1.254\`).
+
+ The addresses can be a mix of IPv4 and IPv6.`),
     /**
-     * Whether the DNS record is proxied.
+     * The list of addresses to exclude from the `addresses` list.
      *
-     * Available only for public IPs and some DNS providers like Cloudflare.
+     * The supported formats are the same as in `addresses`.
      */
-    proxied: $addArgumentDescription(z.boolean().default(false), `Whether the DNS record is proxied.
+    excluded: $addArgumentDescription(z.string().array().default([]), `The list of addresses to exclude from the \`addresses\` list.
 
- Available only for public IPs and some DNS providers like Cloudflare.`)
+ The supported formats are the same as in \`addresses\`.`)
   },
   inputs: {
     /**
-     * The DNS providers to use to create the DNS records.
-     *
-     * For each provider, a separate DNS record will be created.
+     * The endpoints to include in the address space.
      */
-    dnsProviders: $addInputDescription({
-      entity: providerEntity,
-      multiple: true
-    }, `The DNS providers to use to create the DNS records.
-
- For each provider, a separate DNS record will be created.`),
-    /**
-     * The L3 endpoints to use as values of the DNS records.
-     */
-    l3Endpoints: $addInputDescription({
+    included: $addInputDescription({
       entity: l3EndpointEntity,
-      required: false,
-      multiple: true
-    }, `The L3 endpoints to use as values of the DNS records.`),
+      multiple: true,
+      required: false
+    }, `The endpoints to include in the address space.`),
     /**
-     * The L4 endpoints to use as values of the DNS records.
+     * The endpoints to exclude from the `included` list.
      */
-    l4Endpoints: $addInputDescription({
-      entity: l4EndpointEntity,
-      required: false,
-      multiple: true
-    }, `The L4 endpoints to use as values of the DNS records.`)
+    excluded: $addInputDescription({
+      entity: l3EndpointEntity,
+      multiple: true,
+      required: false
+    }, `The endpoints to exclude from the \`included\` list.`)
   },
   outputs: {
-    l3Endpoints: {
-      entity: l3EndpointEntity,
-      multiple: true
-    },
-    l4Endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true
-    }
+    /**
+     * The address space entity representing the created address space.
+     */
+    addressSpace: $addInputDescription(addressSpaceEntity, `The address space entity representing the created address space.`)
   },
   meta: {
-    title: "DNS Record Set",
-    description: "A set of DNS records to be created.",
-    icon: "mdi:server",
-    defaultNamePrefix: "record",
+    description: `Defines an address space from a list of addresses/subnets/ranges.`,
+    title: "Address Space",
+    icon: "mdi:network",
     category: "Network"
   },
   source: {
     package: "@highstate/common",
-    path: "units/dns/record-set"
+    path: "units/network/address-space"
   }
 });
-function createArgs(prefix) {
-  return prefixKeysWith(prefix, {
-    /**
-     * The FQDN to register the existing endpoints with.
-     *
-     * Will be inserted at the beginning of the resulting endpoint list.
-     *
-     * Will throw an error if no matching provider is found.
-     */
-    fqdn: z.string().optional(),
-    /**
-     * The endpoint filter to filter the endpoints before creating the DNS records.
-     *
-     * Possible values:
-     *
-     * - `public`: only endpoints exposed to the public internet;
-     * - `external`: reachable from outside the system but not public (e.g., LAN, VPC);
-     * - `internal`: reachable only from within the system boundary (e.g., inside a cluster).
-     *
-     * You can select one or more values.
-     *
-     * If no value is provided, the endpoints will be filtered by the most accessible type:
-     *
-     * - if any public endpoints exist, all public endpoints are selected;
-     * - otherwise, if any external endpoints exist, all external endpoints are selected;
-     * - if neither exist, all internal endpoints are selected.
-     */
-    endpointFilter: endpointFilterSchema.default([]),
-    /**
-     * The mode to use for patching the existing endpoints.
-     *
-     * - `prepend`: Prepend the FQDN to the existing endpoints. It will make them prioritized.
-     * - `replace`: Replace the existing endpoints with the FQDN. It will ensure that the only the FQDN is used.
-     *
-     * The default is `prepend`.
-     */
-    patchMode: arrayPatchModeSchema.default("prepend")
-  });
-}
-var inputs = {
-  /**
-   * The DNS providers to use to create the DNS records.
-   *
-   * If multiple providers match the domain, all of them will be used and multiple DNS records will be created.
-   */
-  dnsProviders: {
-    entity: providerEntity,
-    multiple: true
-  }
-};
-
-// src/common/access-point.ts
-var gatewayEntity = defineEntity({
-  type: "common.gateway.v1",
-  schema: z.object({
-    /**
-     * The reference to the implementation of the gateway.
-     */
-    implRef: implementationReferenceSchema.meta({ title: camelCaseToHumanReadable("implRef"), description: `The reference to the implementation of the gateway.` }),
-    /**
-     * The public L3 endpoints of the gateway.
-     *
-     * If not provided, should be automatically detected by the implementation.
-     */
-    endpoints: l3EndpointEntity.schema.array().default([]).meta({ title: camelCaseToHumanReadable("endpoints"), description: `The public L3 endpoints of the gateway.
 
- If not provided, should be automatically detected by the implementation.` })
-  }),
-  meta: {
-    color: "#F57F17"
-  }
-});
-var tlsIssuerEntity = defineEntity({
-  type: "common.tls-issuer.v1",
-  schema: z.object({
-    /**
-     * The domain apex for which the TLS issuer will manage certificates.
-     */
-    domain: z.string().meta({ title: camelCaseToHumanReadable("domain"), description: `The domain apex for which the TLS issuer will manage certificates.` }),
-    /**
-     * The reference to the implementation of the TLS issuer.
-     */
-    implRef: implementationReferenceSchema.meta({ title: camelCaseToHumanReadable("implRef"), description: `The reference to the implementation of the TLS issuer.` })
-  }),
-  meta: {
-    color: "#F57F17"
-  }
-});
-var accessPointEntity = defineEntity({
-  type: "common.access-point.v1",
-  schema: z.object({
-    /**
-     * The gateway of the access point.
-     */
-    gateway: gatewayEntity.schema.meta({ title: camelCaseToHumanReadable("gateway"), description: `The gateway of the access point.` }),
-    /**
-     * The TLS issuers used to manage TLS certificates for the access point.
-     */
-    tlsIssuers: tlsIssuerEntity.schema.array().meta({ title: camelCaseToHumanReadable("tlsIssuers"), description: `The TLS issuers used to manage TLS certificates for the access point.` }),
-    /**
-     * The DNS providers used to manage the DNS records for the access point.
-     */
-    dnsProviders: providerEntity.schema.array().meta({ title: camelCaseToHumanReadable("dnsProviders"), description: `The DNS providers used to manage the DNS records for the access point.` }),
-    /**
-     * Whether the DNS records created for the access point should be proxied.
-     */
-    proxied: z.boolean().default(false).meta({ title: camelCaseToHumanReadable("proxied"), description: `Whether the DNS records created for the access point should be proxied.` })
-  }),
-  meta: {
-    color: "#F57F17"
-  }
-});
-var accessPoint = defineUnit({
-  type: "common.access-point.v1",
-  args: {
-    /**
-     * Whether the DNS records created for the access point should be proxied.
-     *
-     * This option is specific to certain DNS providers that support proxying, such as Cloudflare.
-     * When enabled, the DNS records will be proxied through the provider's network, providing additional security and performance benefits.
-     *
-     * Defaults to `false`.
-     */
-    proxied: $addArgumentDescription(z.boolean().default(false), `Whether the DNS records created for the access point should be proxied.
-
- This option is specific to certain DNS providers that support proxying, such as Cloudflare.
- When enabled, the DNS records will be proxied through the provider's network, providing additional security and performance benefits.
-
- Defaults to \`false\`.`)
-  },
-  inputs: {
-    gateway: gatewayEntity,
-    tlsIssuers: {
-      entity: tlsIssuerEntity,
-      required: false,
-      multiple: true
-    },
-    dnsProviders: {
-      entity: providerEntity,
-      required: false,
-      multiple: true
-    }
-  },
-  outputs: {
-    accessPoint: accessPointEntity
-  },
-  meta: {
-    description: `The access point unit which can be used to connect to services.
-
- It can be used to expose services and applications running in Kubernetes clusters or other environments.`,
-    title: "Access Point",
-    icon: "mdi:access-point",
-    category: "Kubernetes"
-  },
-  source: {
-    package: "@highstate/common",
-    path: "units/access-point"
-  }
+// src/ssh.ts
+var ssh_exports = {};
+__export(ssh_exports, {
+  argsSchema: () => argsSchema,
+  connectionSchema: () => connectionSchema,
+  inputs: () => inputs,
+  keyPair: () => keyPair,
+  keyPairEntity: () => keyPairEntity,
+  keyTypeSchema: () => keyTypeSchema,
+  publicKey: () => publicKey,
+  publicKeyEntity: () => publicKeyEntity,
+  secrets: () => secrets
 });
 var checksumAlgorithmSchema = z.enum(["md5", "sha1", "sha256", "sha384", "sha512"]);
 var checksumSchema = z.object({
@@ -791,8 +753,22 @@ var remoteFile = defineUnit({
   args: {
     /**
      * The URL of the remote file.
+     *
+     * Either this or the 'endpoint' input must be provided.
      */
-    url: $addArgumentDescription(z.string().optional(), `The URL of the remote file.`)
+    url: $addArgumentDescription(z.string().optional(), `The URL of the remote file.
+
+ Either this or the 'endpoint' input must be provided.`),
+    /**
+     * The name of the file.
+     *
+     * If not provided, the name will be derived from the URL or endpoint path.
+     * If not possible, the name of the unit will be used.
+     */
+    fileName: $addArgumentDescription(z.string().optional(), `The name of the file.
+
+ If not provided, the name will be derived from the URL or endpoint path.
+ If not possible, the name of the unit will be used.`)
   },
   inputs: {
     /**
@@ -819,19 +795,9 @@ var remoteFile = defineUnit({
 });
 
 // src/ssh.ts
-var ssh_exports = {};
-__export(ssh_exports, {
-  argsSchema: () => argsSchema,
-  connectionSchema: () => connectionSchema,
-  inputs: () => inputs2,
-  keyPair: () => keyPair,
-  keyPairEntity: () => keyPairEntity,
-  keyTypeSchema: () => keyTypeSchema,
-  secrets: () => secrets
-});
 var keyTypeSchema = z.enum(["ed25519"]);
-var keyPairEntity = defineEntity({
-  type: "ssh.key-pair.v1",
+var publicKeyEntity = defineEntity({
+  type: "ssh.public-key.v1",
   schema: z.object({
     /**
      * The type of the SSH key.
@@ -841,14 +807,23 @@ var keyPairEntity = defineEntity({
     type: keyTypeSchema.meta({ title: camelCaseToHumanReadable("type"), description: `The type of the SSH key.
 
  For now, only \`ed25519\` is supported.` }),
-    /**
-     * The fingerprint of the SSH key.
-     */
-    fingerprint: z.string().meta({ title: camelCaseToHumanReadable("fingerprint"), description: `The fingerprint of the SSH key.` }),
     /**
      * The public key in OpenSSH format.
      */
     publicKey: z.string().meta({ title: camelCaseToHumanReadable("publicKey"), description: `The public key in OpenSSH format.` }),
+    /**
+     * The fingerprint of the SSH key.
+     */
+    fingerprint: z.string().meta({ title: camelCaseToHumanReadable("fingerprint"), description: `The fingerprint of the SSH key.` })
+  }),
+  meta: {
+    color: "#2b5797"
+  }
+});
+var keyPairEntity = defineEntity({
+  type: "ssh.key-pair.v1",
+  extends: { publicKeyEntity },
+  schema: z.object({
     /**
      * The private key in PEM format.
      */
@@ -913,14 +888,51 @@ var secrets = $secrets({
    */
   sshPassword: $addArgumentDescription(z.string().optional(), `The SSH password to use for authentication.`)
 });
-var inputs2 = $inputs({
+var inputs = $inputs({
   /**
-   * The SSH key pair to use for authentication.
+   * The SSH key pair to use for authentication by Highstate.
    */
   sshKeyPair: $addInputDescription({
     entity: keyPairEntity,
     required: false
-  }, `The SSH key pair to use for authentication.`)
+  }, `The SSH key pair to use for authentication by Highstate.`),
+  /**
+   * The extra SSH public keys to add to the server's `authorized_keys` file.
+   *
+   * Will not (and cannot) be used for authentication by Highstate.
+   */
+  sshPublicKeys: $addInputDescription({
+    entity: publicKeyEntity,
+    required: false,
+    multiple: true
+  }, `The extra SSH public keys to add to the server's \`authorized_keys\` file.
+
+ Will not (and cannot) be used for authentication by Highstate.`)
+});
+var publicKey = defineUnit({
+  type: "ssh.public-key.v1",
+  args: {
+    /**
+     * The public key in OpenSSH format.
+     */
+    publicKey: $addArgumentDescription(z.string().meta({ multiline: true }), `The public key in OpenSSH format.`)
+  },
+  outputs: {
+    publicKey: publicKeyEntity
+  },
+  meta: {
+    description: `Provides existing SSH public key.`,
+    title: "SSH Public Key",
+    category: "ssh",
+    icon: "charm:key",
+    iconColor: "#ffffff",
+    secondaryIcon: "mdi:lock-open",
+    secondaryIconColor: "#ffffff"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/ssh/public-key"
+  }
 });
 var keyPair = defineUnit({
   type: "ssh.key-pair.v1",
@@ -956,9 +968,14 @@ var keyPair = defineUnit({
 // src/common/server.ts
 var serverEntity = defineEntity({
   type: "common.server.v1",
+  includes: {
+    endpoints: {
+      entity: l3EndpointEntity,
+      multiple: true
+    }
+  },
   schema: z.object({
     hostname: z.string(),
-    endpoints: l3EndpointEntity.schema.array(),
     ssh: connectionSchema.optional()
   }),
   meta: {
@@ -974,14 +991,7 @@ var serverOutputs = $outputs({
   /**
    * The server entity representing the server.
    */
-  server: $addInputDescription(serverEntity, `The server entity representing the server.`),
-  /**
-   * The L3 endpoints of the server.
-   */
-  endpoints: $addInputDescription({
-    entity: l3EndpointEntity,
-    multiple: true
-  }, `The L3 endpoints of the server.`)
+  server: $addInputDescription(serverEntity, `The server entity representing the server.`)
 });
 var vmSshArgs = argsSchema.omit({ user: true }).prefault({});
 var vmSecrets = $secrets({
@@ -1022,11 +1032,12 @@ var existingServer = defineUnit({
     ...secrets
   },
   inputs: {
-    endpoint: {
+    endpoints: {
       entity: l3EndpointEntity,
-      required: false
+      required: false,
+      multiple: true
     },
-    ...inputs2
+    ...inputs
   },
   outputs: serverOutputs,
   meta: {
@@ -1045,129 +1056,443 @@ var serverPatch = defineUnit({
   type: "common.server-patch.v1",
   args: {
     /**
-     * The endpoints of the server.
+     * The new hostname of the server.
      *
-     * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+     * If not specified, the existing hostname will be kept.
+     */
+    hostname: $addArgumentDescription(z.string().optional(), `The new hostname of the server.
+
+ If not specified, the existing hostname will be kept.`),
+    /**
+     * The endpoints to set on the server.
      *
-     * The same server may also be represented by multiple entries (e.g. a node with private and public IP).
+     * If not specified, the existing endpoints will be kept.
+     */
+    endpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints to set on the server.
+
+ If not specified, the existing endpoints will be kept.`)
+  },
+  inputs: {
+    server: serverEntity,
+    endpoints: {
+      entity: l3EndpointEntity,
+      required: false,
+      multiple: true
+    }
+  },
+  outputs: {
+    ...serverOutputs
+  },
+  meta: {
+    description: `Patches some properties of the server and outputs the updated server.`,
+    title: "Server Patch",
+    icon: "mdi:server",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Infrastructure"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/server-patch"
+  }
+});
+var script = defineUnit({
+  type: "common.script.v1",
+  args: {
+    script: z.string().meta({ language: "shell" }),
+    updateScript: z.string().optional().meta({ language: "shell" }),
+    deleteScript: z.string().optional().meta({ language: "shell" })
+  },
+  inputs: {
+    server: serverEntity
+  },
+  outputs: {
+    server: serverEntity
+  },
+  meta: {
+    description: `Runs a shell script on the server.`,
+    title: "Shell Script",
+    icon: "mdi:bash",
+    category: "Infrastructure"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/script"
+  }
+});
+
+// src/dns.ts
+var providerEntity = defineEntity({
+  type: "dns.provider.v1",
+  schema: z.object({
+    /**
+     * The ID of the DNS provider unique within the system.
+     */
+    id: z.string().meta({ title: camelCaseToHumanReadable("id"), description: `The ID of the DNS provider unique within the system.` }),
+    /**
+     * The zones managed by the DNS provider.
+     */
+    zones: z.string().array().meta({ title: camelCaseToHumanReadable("zones"), description: `The zones managed by the DNS provider.` }),
+    /**
+     * The reference to the implementation of the DNS provider.
+     */
+    implRef: implementationReferenceSchema.meta({ title: camelCaseToHumanReadable("implRef"), description: `The reference to the implementation of the DNS provider.` })
+  }),
+  meta: {
+    color: "#FF5722"
+  }
+});
+var recordSet = defineUnit({
+  type: "dns.record-set.v1",
+  args: {
+    /**
+     * The FQDN of the DNS to create.
+     *
+     * If not provided, the name of the unit will be used.
+     */
+    recordName: $addArgumentDescription(z.string().optional(), `The FQDN of the DNS to create.
+
+ If not provided, the name of the unit will be used.`),
+    /**
+     * The values of the DNS record.
+     *
+     * Will be parsed as endpoints and merged with provided L3/L4/L7 endpoint inputs.
+     */
+    values: $addArgumentDescription(z.string().array().default([]), `The values of the DNS record.
+
+ Will be parsed as endpoints and merged with provided L3/L4/L7 endpoint inputs.`),
+    ...mapValues(
+      //
+      pick(networkArgs, ["endpointFilter"]),
+      (arg) => ({ ...arg, schema: arg.schema.default(`type != "hostname"`) })
+    ),
+    /**
+     * The TTL of the DNS record.
+     */
+    ttl: $addArgumentDescription(z.number().optional(), `The TTL of the DNS record.`),
+    /**
+     * The priority of the DNS record.
+     */
+    priority: $addArgumentDescription(z.number().optional(), `The priority of the DNS record.`),
+    /**
+     * Whether the DNS record is proxied.
+     *
+     * Available only for public IPs and some DNS providers like Cloudflare.
+     */
+    proxied: $addArgumentDescription(z.boolean().default(false), `Whether the DNS record is proxied.
+
+ Available only for public IPs and some DNS providers like Cloudflare.`),
+    /**
+     * Wait for the DNS record creation/update to be visible at local DNS before continuing.
+     */
+    waitLocal: $addArgumentDescription(z.boolean().default(true), `Wait for the DNS record creation/update to be visible at local DNS before continuing.`)
+  },
+  inputs: {
+    /**
+     * The DNS providers to use to create the DNS records.
+     *
+     * For each provider, a separate DNS record will be created.
+     */
+    dnsProviders: $addInputDescription({
+      entity: providerEntity,
+      multiple: true
+    }, `The DNS providers to use to create the DNS records.
+
+ For each provider, a separate DNS record will be created.`),
+    /**
+     * The servers to wait for the DNS records to be visible at before continuing.
+     */
+    waitServers: $addInputDescription({
+      entity: serverEntity,
+      required: false,
+      multiple: true
+    }, `The servers to wait for the DNS records to be visible at before continuing.`),
+    /**
+     * The L3 endpoints to use as values of the DNS records.
+     */
+    l3Endpoints: $addInputDescription({
+      entity: l3EndpointEntity,
+      required: false,
+      multiple: true
+    }, `The L3 endpoints to use as values of the DNS records.`),
+    /**
+     * The L4 endpoints to use as values of the DNS records.
      */
-    endpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints of the server.
+    l4Endpoints: $addInputDescription({
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true
+    }, `The L4 endpoints to use as values of the DNS records.`),
+    /**
+     * The L7 endpoints to use as values of the DNS records.
+     */
+    l7Endpoints: $addInputDescription({
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true
+    }, `The L7 endpoints to use as values of the DNS records.`)
+  },
+  outputs: {
+    /**
+     * The filtered L3 endpoints with all IPs replaced with FQDNs.
+     * The duplicates are removed and metadata is merged.
+     */
+    l3Endpoints: $addInputDescription({
+      entity: l3EndpointEntity,
+      multiple: true
+    }, `The filtered L3 endpoints with all IPs replaced with FQDNs.
+ The duplicates are removed and metadata is merged.`),
+    /**
+     * The filtered L4 endpoints with all IPs replaced with FQDNs.
+     * The duplicates are removed and metadata is merged.
+     */
+    l4Endpoints: $addInputDescription({
+      entity: l4EndpointEntity,
+      multiple: true
+    }, `The filtered L4 endpoints with all IPs replaced with FQDNs.
+ The duplicates are removed and metadata is merged.`),
+    /**
+     * The filtered L7 endpoints with all IPs replaced with FQDNs.
+     * The duplicates are removed and metadata is merged.
+     */
+    l7Endpoints: $addInputDescription({
+      entity: l4EndpointEntity,
+      multiple: true
+    }, `The filtered L7 endpoints with all IPs replaced with FQDNs.
+ The duplicates are removed and metadata is merged.`)
+  },
+  meta: {
+    title: "DNS Record Set",
+    description: "A set of DNS records to be created.",
+    icon: "mdi:server",
+    defaultNamePrefix: "record",
+    category: "Network"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/dns/record-set"
+  }
+});
+var inputs2 = {
+  /**
+   * The DNS providers to use to create the DNS records.
+   *
+   * If multiple providers match the domain, all of them will be used and multiple DNS records will be created.
+   */
+  dnsProviders: {
+    entity: providerEntity,
+    multiple: true
+  }
+};
 
- The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+// src/common/access-point.ts
+var gatewayEntity = defineEntity({
+  type: "common.gateway.v1",
+  schema: z.object({
+    /**
+     * The reference to the implementation of the gateway.
+     */
+    implRef: implementationReferenceSchema.meta({ title: camelCaseToHumanReadable("implRef"), description: `The reference to the implementation of the gateway.` }),
+    /**
+     * The public L3 endpoints of the gateway.
+     *
+     * If not provided, should be automatically detected by the implementation.
+     */
+    endpoints: l3EndpointEntity.schema.array().default([]).meta({ title: camelCaseToHumanReadable("endpoints"), description: `The public L3 endpoints of the gateway.
 
- The same server may also be represented by multiple entries (e.g. a node with private and public IP).`),
+ If not provided, should be automatically detected by the implementation.` })
+  }),
+  meta: {
+    color: "#F57F17"
+  }
+});
+var tlsIssuerEntity = defineEntity({
+  type: "common.tls-issuer.v1",
+  schema: z.object({
+    /**
+     * The zones for which the TLS issuer will manage certificates.
+     */
+    zones: z.string().array().meta({ title: camelCaseToHumanReadable("zones"), description: `The zones for which the TLS issuer will manage certificates.` }),
+    /**
+     * The reference to the implementation of the TLS issuer.
+     */
+    implRef: implementationReferenceSchema.meta({ title: camelCaseToHumanReadable("implRef"), description: `The reference to the implementation of the TLS issuer.` })
+  }),
+  meta: {
+    color: "#F57F17"
+  }
+});
+var accessPointEntity = defineEntity({
+  type: "common.access-point.v1",
+  schema: z.object({
+    /**
+     * The gateway of the access point.
+     */
+    gateway: gatewayEntity.schema.meta({ title: camelCaseToHumanReadable("gateway"), description: `The gateway of the access point.` }),
+    /**
+     * The TLS issuers used to manage TLS certificates for the access point.
+     */
+    tlsIssuers: tlsIssuerEntity.schema.array().meta({ title: camelCaseToHumanReadable("tlsIssuers"), description: `The TLS issuers used to manage TLS certificates for the access point.` }),
+    /**
+     * The DNS providers used to manage the DNS records for the access point.
+     */
+    dnsProviders: providerEntity.schema.array().meta({ title: camelCaseToHumanReadable("dnsProviders"), description: `The DNS providers used to manage the DNS records for the access point.` }),
+    /**
+     * Whether the DNS records created for the access point should be proxied.
+     */
+    proxied: z.boolean().default(false).meta({ title: camelCaseToHumanReadable("proxied"), description: `Whether the DNS records created for the access point should be proxied.` })
+  }),
+  meta: {
+    color: "#F57F17"
+  }
+});
+var accessPoint = defineUnit({
+  type: "common.access-point.v1",
+  args: {
     /**
-     * The mode to use for patching the endpoints.
+     * Whether the DNS records created for the access point should be proxied.
+     *
+     * This option is specific to certain DNS providers that support proxying, such as Cloudflare.
+     * When enabled, the DNS records will be proxied through the provider's network, providing additional security and performance benefits.
      *
-     * - `prepend`: prepend the new endpoints to the existing ones (default);
-     * - `replace`: replace the existing endpoints with the new ones.
+     * Defaults to `false`.
      */
-    endpointsPatchMode: $addArgumentDescription(arrayPatchModeSchema.default("prepend"), `The mode to use for patching the endpoints.
+    proxied: $addArgumentDescription(z.boolean().default(false), `Whether the DNS records created for the access point should be proxied.
+
+ This option is specific to certain DNS providers that support proxying, such as Cloudflare.
+ When enabled, the DNS records will be proxied through the provider's network, providing additional security and performance benefits.
 
- - \`prepend\`: prepend the new endpoints to the existing ones (default);
- - \`replace\`: replace the existing endpoints with the new ones.`)
+ Defaults to \`false\`.`)
   },
   inputs: {
-    server: serverEntity,
-    endpoints: {
-      entity: l3EndpointEntity,
+    gateway: gatewayEntity,
+    tlsIssuers: {
+      entity: tlsIssuerEntity,
       required: false,
       multiple: true
-    }
-  },
-  outputs: {
-    ...serverOutputs
-  },
-  meta: {
-    description: `Patches some properties of the server and outputs the updated server.`,
-    title: "Server Patch",
-    icon: "mdi:server",
-    secondaryIcon: "fluent:patch-20-filled",
-    category: "Infrastructure"
-  },
-  source: {
-    package: "@highstate/common",
-    path: "units/server-patch"
-  }
-});
-var serverDns = defineUnit({
-  type: "common.server-dns.v1",
-  args: createArgs(),
-  inputs: {
-    server: serverEntity,
-    ...inputs
-  },
-  outputs: {
-    server: serverEntity,
-    endpoints: {
-      entity: l3EndpointEntity,
+    },
+    dnsProviders: {
+      entity: providerEntity,
+      required: false,
       multiple: true
     }
   },
-  meta: {
-    description: `Creates a DNS record for the server and updates the endpoints.
-
- The DNS record will be created with the provided FQDN and the endpoints will be updated with the DNS record.`,
-    title: "Server DNS",
-    icon: "mdi:server",
-    secondaryIcon: "mdi:dns",
-    category: "Infrastructure"
-  },
-  source: {
-    package: "@highstate/common",
-    path: "units/server-dns"
-  }
-});
-var script = defineUnit({
-  type: "common.script.v1",
-  args: {
-    script: z.string().meta({ language: "shell" }),
-    updateScript: z.string().optional().meta({ language: "shell" }),
-    deleteScript: z.string().optional().meta({ language: "shell" })
-  },
-  inputs: {
-    server: serverEntity
-  },
   outputs: {
-    server: serverEntity
+    accessPoint: accessPointEntity
   },
   meta: {
-    description: `Runs a shell script on the server.`,
-    title: "Shell Script",
-    icon: "mdi:bash",
-    category: "Infrastructure"
+    description: `The access point unit which can be used to connect to services.
+
+ It can be used to expose services and applications running in Kubernetes clusters or other environments.`,
+    title: "Access Point",
+    icon: "mdi:access-point",
+    category: "Kubernetes"
   },
   source: {
     package: "@highstate/common",
-    path: "units/script"
+    path: "units/access-point"
   }
 });
 
 // src/databases/index.ts
 var databases_exports = {};
 __export(databases_exports, {
+  etcdEntity: () => etcdEntity,
+  etcdPatch: () => etcdPatch,
+  existingEtcd: () => existingEtcd,
   existingMariadb: () => existingMariadb,
   existingMongodb: () => existingMongodb,
   existingPostgresql: () => existingPostgresql,
   existingRedis: () => existingRedis,
   existingS3: () => existingS3,
   mariadbEntity: () => mariadbEntity,
+  mariadbPatch: () => mariadbPatch,
   mongodbEntity: () => mongodbEntity,
+  mongodbPatch: () => mongodbPatch,
+  optionalSharedArgs: () => optionalSharedArgs,
   postgresqlEntity: () => postgresqlEntity,
+  postgresqlPatch: () => postgresqlPatch,
   redisEntity: () => redisEntity,
+  redisPatch: () => redisPatch,
   s3BucketPolicySchema: () => s3BucketPolicySchema,
   s3BucketSchema: () => s3BucketSchema,
   s3Entity: () => s3Entity,
+  s3Patch: () => s3Patch,
   sharedArgs: () => sharedArgs,
   sharedInputs: () => sharedInputs,
   sharedSchema: () => sharedSchema,
   sharedSecrets: () => sharedSecrets
 });
+var etcdArgs = {
+  endpoints: {
+    schema: z.string().array().default([])
+  }
+};
+var etcdEntity = defineEntity({
+  type: "databases.etcd.v1",
+  includes: {
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
+  schema: z.unknown(),
+  meta: {
+    description: `Represents the etcd database instance.`,
+    color: "#0064bf"
+  }
+});
+var existingEtcd = defineUnit({
+  type: "databases.etcd.existing.v1",
+  args: etcdArgs,
+  inputs: {
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true,
+      required: false
+    }
+  },
+  outputs: {
+    etcd: etcdEntity
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/databases/existing-etcd"
+  },
+  meta: {
+    description: `The existing etcd database instance.`,
+    title: "Existing etcd Database",
+    icon: "simple-icons:etcd",
+    secondaryIcon: "mdi:database",
+    category: "Databases"
+  }
+});
+var etcdPatch = defineUnit({
+  type: "databases.etcd-patch.v1",
+  args: toPatchArgs(etcdArgs),
+  inputs: {
+    etcd: etcdEntity,
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true,
+      required: false
+    }
+  },
+  outputs: {
+    etcd: etcdEntity
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/databases/etcd-patch"
+  },
+  meta: {
+    description: `Patches some properties of the etcd database and outputs the updated database.`,
+    title: "etcd Patch",
+    icon: "simple-icons:etcd",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Databases"
+  }
+});
 var sharedSchema = z.object({
-  /**
-   * The endpoints to connect to the database.
-   */
-  endpoints: l4EndpointEntity.schema.array().meta({ title: camelCaseToHumanReadable("endpoints"), description: `The endpoints to connect to the database.` }),
   /**
    * The username to connect to the database with.
    */
@@ -1199,6 +1524,10 @@ var sharedArgs = $args({
    */
   database: $addArgumentDescription(z.string().optional(), `The name of the database to connect to.`)
 });
+var optionalSharedArgs = mapValues(sharedArgs, (arg) => ({
+  ...arg,
+  schema: arg.schema.optional()
+}));
 var sharedSecrets = $secrets({
   /**
    * The password to connect to the database with.
@@ -1219,6 +1548,12 @@ var sharedInputs = $inputs({
 // src/databases/mariadb.ts
 var mariadbEntity = defineEntity({
   type: "databases.mariadb.v1",
+  includes: {
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
   schema: sharedSchema,
   meta: {
     description: `Represents the MariaDB database or virtual database behind it.`,
@@ -1245,8 +1580,42 @@ var existingMariadb = defineUnit({
     category: "Databases"
   }
 });
+var mariadbPatch = defineUnit({
+  type: "databases.mariadb-patch.v1",
+  args: {
+    ...toPatchArgs(optionalSharedArgs),
+    endpoints: {
+      ...sharedArgs.endpoints,
+      schema: z.string().array().default([])
+    }
+  },
+  inputs: {
+    mariadb: mariadbEntity,
+    ...sharedInputs
+  },
+  outputs: {
+    mariadb: mariadbEntity
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/databases/mariadb-patch"
+  },
+  meta: {
+    description: `Patches some properties of the MariaDB database and outputs the updated database.`,
+    title: "MariaDB Patch",
+    icon: "simple-icons:mariadb",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Databases"
+  }
+});
 var mongodbEntity = defineEntity({
   type: "databases.mongodb.v1",
+  includes: {
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
   schema: sharedSchema,
   meta: {
     description: `Represents the MongoDB database or virtual database behind it.`,
@@ -1273,8 +1642,42 @@ var existingMongodb = defineUnit({
     category: "Databases"
   }
 });
+var mongodbPatch = defineUnit({
+  type: "databases.mongodb-patch.v1",
+  args: {
+    ...toPatchArgs(optionalSharedArgs),
+    endpoints: {
+      ...sharedArgs.endpoints,
+      schema: z.string().array().default([])
+    }
+  },
+  inputs: {
+    mongodb: mongodbEntity,
+    ...sharedInputs
+  },
+  outputs: {
+    mongodb: mongodbEntity
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/databases/mongodb-patch"
+  },
+  meta: {
+    description: `Patches some properties of the MongoDB database and outputs the updated database.`,
+    title: "MongoDB Patch",
+    icon: "simple-icons:mongodb",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Databases"
+  }
+});
 var postgresqlEntity = defineEntity({
   type: "databases.postgresql.v1",
+  includes: {
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
   schema: sharedSchema,
   meta: {
     description: `Represents the PostgreSQL database or virtual database behind it.`,
@@ -1301,13 +1704,53 @@ var existingPostgresql = defineUnit({
     category: "Databases"
   }
 });
+var postgresqlPatch = defineUnit({
+  type: "databases.postgresql-patch.v1",
+  args: {
+    ...toPatchArgs(optionalSharedArgs),
+    /**
+     * The endpoints to connect to the database in form of `host:port`.
+     *
+     * If at least one endpoint is provided (either via args or inputs), the existing endpoints
+     * will be replaced completely.
+     */
+    endpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints to connect to the database in form of \`host:port\`.
+
+ If at least one endpoint is provided (either via args or inputs), the existing endpoints
+ will be replaced completely.`)
+  },
+  inputs: {
+    postgresql: postgresqlEntity,
+    ...sharedInputs
+  },
+  outputs: {
+    postgresql: postgresqlEntity
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/databases/postgresql-patch"
+  },
+  meta: {
+    description: `Patches some properties of the PostgreSQL database and outputs the updated database.`,
+    title: "PostgreSQL Patch",
+    icon: "simple-icons:postgresql",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Databases"
+  }
+});
 var redisEntity = defineEntity({
   type: "databases.redis.v1",
-  schema: sharedSchema.pick({ endpoints: true }).extend({
+  includes: {
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
+  schema: z.object({
     /**
      * The number of the database to use.
      */
-    database: z.number().default(0)
+    database: z.number().default(0).meta({ title: camelCaseToHumanReadable("database"), description: `The number of the database to use.` })
   }),
   meta: {
     description: `Represents the Redis database or virtual database behind it.`,
@@ -1333,6 +1776,34 @@ var existingRedis = defineUnit({
     category: "Databases"
   }
 });
+var redisPatch = defineUnit({
+  type: "databases.redis-patch.v1",
+  args: {
+    ...toPatchArgs(optionalSharedArgs),
+    endpoints: {
+      ...sharedArgs.endpoints,
+      schema: z.string().array().default([])
+    }
+  },
+  inputs: {
+    redis: redisEntity,
+    ...sharedInputs
+  },
+  outputs: {
+    redis: redisEntity
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/databases/redis-patch"
+  },
+  meta: {
+    description: `Patches some properties of the Redis database and outputs the updated database.`,
+    title: "Redis Patch",
+    icon: "simple-icons:redis",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Databases"
+  }
+});
 var s3BucketPolicySchema = z.enum(["none", "download", "upload", "public"]);
 var s3BucketSchema = z.object({
   /**
@@ -1362,6 +1833,10 @@ var s3Args = $args({
    */
   buckets: $addArgumentDescription(s3BucketSchema.array().default([]), `The buckets that must exist on the instance.`)
 });
+var optionalS3Args = mapValues(s3Args, (arg) => ({
+  ...arg,
+  schema: arg.schema.optional()
+}));
 var s3Secrets = $secrets({
   /**
    * The secret key used to authenticate against the S3-compatible API.
@@ -1380,11 +1855,13 @@ var s3Inputs = $inputs({
 });
 var s3Entity = defineEntity({
   type: "databases.s3.v1",
+  includes: {
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
   schema: z.object({
-    /**
-     * The endpoints that expose the S3-compatible API.
-     */
-    endpoints: l4EndpointEntity.schema.array().meta({ title: camelCaseToHumanReadable("endpoints"), description: `The endpoints that expose the S3-compatible API.` }),
     /**
      * The region associated with the object storage instance.
      */
@@ -1427,6 +1904,34 @@ var existingS3 = defineUnit({
     category: "Databases"
   }
 });
+var s3Patch = defineUnit({
+  type: "databases.s3-patch.v1",
+  args: {
+    ...toPatchArgs(optionalS3Args),
+    endpoints: {
+      ...s3Args.endpoints,
+      schema: z.string().array().default([])
+    }
+  },
+  inputs: {
+    s3: s3Entity,
+    ...s3Inputs
+  },
+  outputs: {
+    s3: s3Entity
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/databases/s3-patch"
+  },
+  meta: {
+    description: `Patches some properties of the S3-compatible object storage and outputs the updated storage.`,
+    title: "S3 Patch",
+    icon: "simple-icons:amazons3",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Databases"
+  }
+});
 
 // src/distributions/index.ts
 var distributions_exports = {};
@@ -1528,32 +2033,55 @@ __export(k3s_exports, {
   internalComponents: () => internalComponents,
   packagedComponents: () => packagedComponents
 });
-var metadataSchema = z.object({
+var metadataSchema2 = z.object({
   name: z.string(),
   labels: z.record(z.string(), z.string()).optional(),
   annotations: z.record(z.string(), z.string()).optional(),
-  uid: z.string()
+  uid: z.string(),
+  namespace: z.string().optional()
 });
-var scopedMetadataSchema = z.object({
-  ...metadataSchema.shape,
+var namespacedMetadataSchema = z.object({
+  ...metadataSchema2.shape,
   namespace: z.string()
 });
-var resourceSchema = z.object({
-  clusterId: z.string(),
-  clusterName: z.string(),
-  type: z.string(),
-  metadata: metadataSchema
+var resourceEntity = defineEntity({
+  type: "k8s.resource.v1",
+  schema: z.intersection(
+    z.object({
+      clusterId: z.string(),
+      clusterName: z.string(),
+      apiVersion: z.string(),
+      kind: z.string()
+    }),
+    z.union([
+      z.object({
+        isNamespaced: z.literal(false),
+        metadata: metadataSchema2
+      }),
+      z.object({
+        isNamespaced: z.literal(true),
+        metadata: namespacedMetadataSchema
+      })
+    ])
+  ),
+  meta: {
+    description: `The entity which represents a Kubernetes resource.`
+  }
 });
-var scopedResourceSchema = z.object({
-  ...resourceSchema.shape,
-  metadata: scopedMetadataSchema
+var namespacedResourceEntity = defineEntity({
+  type: "k8s.namespaced-resource.v1",
+  extends: { resourceEntity },
+  schema: z.object({
+    isNamespaced: z.literal(true)
+  }),
+  meta: {
+    description: `The entity which represents a Kubernetes resource scoped to a namespace.`
+  }
 });
 var namespaceEntity = defineEntity({
   type: "k8s.namespace.v1",
-  schema: z.object({
-    ...resourceSchema.shape,
-    type: z.literal("namespace")
-  }),
+  extends: { resourceEntity },
+  schema: z.unknown(),
   meta: {
     description: `The entity which represents a Kubernetes namespace managed by Highstate.`,
     color: "#9E9E9E"
@@ -1561,10 +2089,8 @@ var namespaceEntity = defineEntity({
 });
 var persistentVolumeClaimEntity = defineEntity({
   type: "k8s.persistent-volume-claim.v1",
-  schema: z.object({
-    ...scopedResourceSchema.shape,
-    type: z.literal("persistent-volume-claim")
-  }),
+  extends: { namespacedResourceEntity },
+  schema: z.unknown(),
   meta: {
     description: `The entity which represents a Kubernetes persistent volume claim managed by Highstate.`,
     color: "#FFC107"
@@ -1572,10 +2098,8 @@ var persistentVolumeClaimEntity = defineEntity({
 });
 var gatewayEntity2 = defineEntity({
   type: "k8s.gateway.v1",
-  schema: z.object({
-    ...scopedResourceSchema.shape,
-    type: z.literal("gateway")
-  }),
+  extends: { namespacedResourceEntity },
+  schema: z.unknown(),
   meta: {
     description: `The entity which represents a Gateway resource from the Gateway API.`,
     color: "#4CAF50"
@@ -1583,10 +2107,27 @@ var gatewayEntity2 = defineEntity({
 });
 var certificateEntity = defineEntity({
   type: "k8s.certificate.v1",
-  schema: z.object({
-    ...scopedResourceSchema.shape,
-    type: z.literal("certificate")
-  })
+  extends: { namespacedResourceEntity },
+  schema: z.unknown(),
+  meta: {
+    color: "#3F51B5"
+  }
+});
+var configMapEntity = defineEntity({
+  type: "k8s.config-map.v1",
+  extends: { namespacedResourceEntity },
+  schema: z.unknown(),
+  meta: {
+    color: "#FF9800"
+  }
+});
+var secretEntity = defineEntity({
+  type: "k8s.secret.v1",
+  extends: { namespacedResourceEntity },
+  schema: z.unknown(),
+  meta: {
+    color: "#9C27B0"
+  }
 });
 
 // src/k8s/shared.ts
@@ -1594,7 +2135,7 @@ var fallbackKubeApiAccessSchema = z.object({
   serverIp: z.string(),
   serverPort: z.number()
 });
-var tunDevicePolicySchema = z.union([
+var tunDevicePolicySchema = z.discriminatedUnion("type", [
   z.object({
     type: z.literal("host")
   }),
@@ -1622,7 +2163,7 @@ var clusterQuirksSchema = z.object({
    *
    * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
    */
-  tunDevicePolicy: tunDevicePolicySchema.optional().meta({ title: camelCaseToHumanReadable("tunDevicePolicy"), description: `Specifies the policy for using the tun device inside containers.
+  tunDevicePolicy: tunDevicePolicySchema.prefault({ type: "host" }).meta({ title: camelCaseToHumanReadable("tunDevicePolicy"), description: `Specifies the policy for using the tun device inside containers.
 
  If not provided, the default policy is \`host\` which assumes just mounting /dev/net/tun from the host.
 
@@ -1632,7 +2173,7 @@ var clusterQuirksSchema = z.object({
    *
    * If not provided, the default service type is `NodePort` since `LoadBalancer` may not be available.
    */
-  externalServiceType: externalServiceTypeSchema.optional().meta({ title: camelCaseToHumanReadable("externalServiceType"), description: `The service type to use for external services.
+  externalServiceType: externalServiceTypeSchema.default("NodePort").meta({ title: camelCaseToHumanReadable("externalServiceType"), description: `The service type to use for external services.
 
  If not provided, the default service type is \`NodePort\` since \`LoadBalancer\` may not be available.` })
 });
@@ -1661,14 +2202,6 @@ var clusterInfoProperties = {
    * If not provided, the native Kubernetes NetworkPolicy implementation will be used.
    */
   networkPolicyImplRef: implementationReferenceSchema.optional(),
-  /**
-   * The endpoints of the cluster nodes.
-   *
-   * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
-   *
-   * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
-   */
-  endpoints: l3EndpointEntity.schema.array(),
   /**
    * The endpoints of the API server.
    *
@@ -1680,7 +2213,7 @@ var clusterInfoProperties = {
   /**
    * The external IPs of the cluster nodes allowed to be used for external access.
    */
-  externalIps: z.string().array(),
+  externalIps: addressEntity.schema.array(),
   /**
    * The extra quirks of the cluster to improve compatibility.
    */
@@ -1688,10 +2221,23 @@ var clusterInfoProperties = {
   /**
    * The extra metadata to attach to the cluster.
    */
-  metadata: z.record(z.string(), z.unknown()).optional()
+  metadata: metadataSchema.optional()
 };
 var clusterEntity = defineEntity({
   type: "k8s.cluster.v1",
+  includes: {
+    /**
+     * The endpoints of the cluster nodes.
+     *
+     * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+     *
+     * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
+     */
+    endpoints: {
+      entity: l3EndpointEntity,
+      multiple: true
+    }
+  },
   schema: z.object({
     ...clusterInfoProperties,
     kubeconfig: z.string()
@@ -1727,43 +2273,63 @@ var clusterInputs = {
   }
 };
 var clusterOutputs = {
-  k8sCluster: clusterEntity,
-  apiEndpoints: {
-    entity: l4EndpointEntity,
-    multiple: true
-  },
-  endpoints: {
-    entity: l3EndpointEntity,
-    multiple: true
-  }
+  k8sCluster: clusterEntity
 };
 var existingCluster = defineUnit({
   type: "k8s.existing-cluster.v1",
   args: {
     /**
-     * The list of external IPs of the cluster nodes allowed to be used for external access.
-     *
-     * If not provided, will be automatically detected by querying the cluster nodes.
+     * Whether to auto-detect external IPs of the cluster nodes and merge them with the provided external IPs.
      */
-    externalIps: $addArgumentDescription(z.string().array().optional(), `The list of external IPs of the cluster nodes allowed to be used for external access.
-
- If not provided, will be automatically detected by querying the cluster nodes.`),
+    autoDetectExternalIps: $addArgumentDescription(z.boolean().default(true), `Whether to auto-detect external IPs of the cluster nodes and merge them with the provided external IPs.`),
     /**
      * The policy for using internal IPs of the nodes as external IPs.
      *
      * - `always`: always use internal IPs as external IPs;
      * - `public`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
      * - `never`: never use internal IPs as external IPs.
+     *
+     * Have no effect if `autoDetectExternalIps` is `false`.
      */
     internalIpsPolicy: $addArgumentDescription(internalIpsPolicySchema.default("public"), `The policy for using internal IPs of the nodes as external IPs.
 
  - \`always\`: always use internal IPs as external IPs;
  - \`public\`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
- - \`never\`: never use internal IPs as external IPs.`),
+ - \`never\`: never use internal IPs as external IPs.
+
+ Have no effect if \`autoDetectExternalIps\` is \`false\`.`),
+    /**
+     * The list of external IPs of the cluster nodes allowed to be used for external access.
+     */
+    externalIps: $addArgumentDescription(z.string().array().default([]), `The list of external IPs of the cluster nodes allowed to be used for external access.`),
+    /**
+     * Whether to use all external IPs (auto-detected and provided) as endpoints of the cluster.
+     *
+     * Set to `false` if you want to manage endpoints manually.
+     */
+    useExternalIpsAsEndpoints: $addArgumentDescription(z.boolean().default(true), `Whether to use all external IPs (auto-detected and provided) as endpoints of the cluster.
+
+ Set to \`false\` if you want to manage endpoints manually.`),
+    /**
+     * The list of endpoints of the cluster nodes.
+     */
+    endpoints: $addArgumentDescription(z.string().array().default([]), `The list of endpoints of the cluster nodes.`),
+    /**
+     * Whether to add endpoints from `kubeconfig` to the list of API endpoints.
+     *
+     * Set to `false` if you want to manage API endpoints manually.
+     */
+    useKubeconfigApiEndpoint: $addArgumentDescription(z.boolean().default(true), `Whether to add endpoints from \`kubeconfig\` to the list of API endpoints.
+
+ Set to \`false\` if you want to manage API endpoints manually.`),
+    /**
+     * The list of endpoints of the API server.
+     */
+    apiEndpoints: $addArgumentDescription(z.string().array().default([]), `The list of endpoints of the API server.`),
     /**
      * The extra quirks of the cluster to improve compatibility.
      */
-    quirks: $addArgumentDescription(clusterQuirksSchema.optional(), `The extra quirks of the cluster to improve compatibility.`)
+    quirks: $addArgumentDescription(clusterQuirksSchema.optional().meta({ complex: true }), `The extra quirks of the cluster to improve compatibility.`)
   },
   secrets: {
     /**
@@ -1791,49 +2357,13 @@ var clusterPatch = defineUnit({
   type: "k8s.cluster-patch.v1",
   args: {
     /**
-     * The endpoints of the API server.
-     *
-     * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
-     *
-     * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
-     */
-    apiEndpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints of the API server.
-
- The entry may represent real node endpoint or virtual endpoint (like a load balancer).
-
- The same node may also be represented by multiple entries (e.g. a node with private and public IP).`),
-    /**
-     * The mode to use for patching the API endpoints.
-     *
-     * - `prepend`: prepend the new endpoints to the existing ones (default);
-     * - `replace`: replace the existing endpoints with the new ones.
-     */
-    apiEndpointsPatchMode: $addArgumentDescription(arrayPatchModeSchema.default("prepend"), `The mode to use for patching the API endpoints.
-
- - \`prepend\`: prepend the new endpoints to the existing ones (default);
- - \`replace\`: replace the existing endpoints with the new ones.`),
-    /**
-     * The endpoints of the cluster nodes.
-     *
-     * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
-     *
-     * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
+     * The endpoints to set on the cluster.
      */
-    endpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints of the cluster nodes.
-
- The entry may represent real node endpoint or virtual endpoint (like a load balancer).
-
- The same node may also be represented by multiple entries (e.g. a node with private and public IP).`),
+    endpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints to set on the cluster.`),
     /**
-     * The mode to use for patching the endpoints.
-     *
-     * - `prepend`: prepend the new endpoints to the existing ones (default);
-     * - `replace`: replace the existing endpoints with the new ones.
+     * The API endpoints to set on the cluster.
      */
-    endpointsPatchMode: $addArgumentDescription(arrayPatchModeSchema.default("prepend"), `The mode to use for patching the endpoints.
-
- - \`prepend\`: prepend the new endpoints to the existing ones (default);
- - \`replace\`: replace the existing endpoints with the new ones.`)
+    apiEndpoints: $addArgumentDescription(z.string().array().default([]), `The API endpoints to set on the cluster.`)
   },
   inputs: {
     k8sCluster: clusterEntity,
@@ -1861,29 +2391,6 @@ var clusterPatch = defineUnit({
     path: "units/cluster-patch"
   }
 });
-var clusterDns = defineUnit({
-  type: "k8s.cluster-dns.v1",
-  args: {
-    ...createArgs(),
-    ...createArgs("api")
-  },
-  inputs: {
-    k8sCluster: clusterEntity,
-    ...inputs
-  },
-  outputs: clusterOutputs,
-  meta: {
-    description: `Creates a set of DNS records for the cluster and updates the endpoints.`,
-    title: "Cluster DNS",
-    icon: "devicon:kubernetes",
-    secondaryIcon: "mdi:dns",
-    category: "Kubernetes"
-  },
-  source: {
-    package: "@highstate/k8s",
-    path: "units/cluster-dns"
-  }
-});
 var monitorWorkerResourceGroupSchema = z.object({
   type: z.enum(["deployment", "statefulset", "pod", "service"]),
   namespace: z.string(),
@@ -1897,7 +2404,7 @@ var monitorWorkerParamsSchema = z.object({
   /**
    * The resources to monitor in the cluster.
    */
-  resources: scopedResourceSchema.array().meta({ title: camelCaseToHumanReadable("resources"), description: `The resources to monitor in the cluster.` })
+  resources: namespacedResourceEntity.schema.array().meta({ title: camelCaseToHumanReadable("resources"), description: `The resources to monitor in the cluster.` })
 });
 
 // src/k3s.ts
@@ -1986,21 +2493,23 @@ var cluster = defineUnit({
 // src/k8s/index.ts
 var k8s_exports = {};
 __export(k8s_exports, {
+  accessVerbSchema: () => accessVerbSchema,
+  acessRuleSchema: () => acessRuleSchema,
   apps: () => apps_exports,
   certManager: () => certManager,
   certificateEntity: () => certificateEntity,
   cilium: () => cilium,
   ciliumClusterMetadata: () => ciliumClusterMetadata,
-  clusterDns: () => clusterDns,
   clusterEntity: () => clusterEntity,
   clusterInfoProperties: () => clusterInfoProperties,
   clusterInputs: () => clusterInputs,
   clusterOutputs: () => clusterOutputs,
   clusterPatch: () => clusterPatch,
   clusterQuirksSchema: () => clusterQuirksSchema,
+  configMapEntity: () => configMapEntity,
+  cronJobEntity: () => cronJobEntity,
   deploymentEntity: () => deploymentEntity,
   dns01TlsIssuer: () => dns01TlsIssuer,
-  endpointServiceMetadataSchema: () => endpointServiceMetadataSchema,
   existingCluster: () => existingCluster,
   exposableWorkloadEntity: () => exposableWorkloadEntity,
   externalServiceTypeSchema: () => externalServiceTypeSchema,
@@ -2011,25 +2520,29 @@ __export(k8s_exports, {
   gatewayEntity: () => gatewayEntity2,
   gatewayImplRefSchema: () => gatewayImplRefSchema,
   internalIpsPolicySchema: () => internalIpsPolicySchema,
-  metadataSchema: () => metadataSchema,
+  jobEntity: () => jobEntity,
+  metadataSchema: () => metadataSchema2,
   monitorWorkerParamsSchema: () => monitorWorkerParamsSchema,
   monitorWorkerResourceGroupSchema: () => monitorWorkerResourceGroupSchema,
   namespaceEntity: () => namespaceEntity,
+  namespacedMetadataSchema: () => namespacedMetadataSchema,
+  namespacedResourceEntity: () => namespacedResourceEntity,
   networkInterfaceEntity: () => networkInterfaceEntity,
   obfuscators: () => obfuscators_exports,
   persistentVolumeClaimEntity: () => persistentVolumeClaimEntity,
   reducedAccessCluster: () => reducedAccessCluster,
-  resourceSchema: () => resourceSchema,
+  resourceEntity: () => resourceEntity,
   scheduleOnMastersPolicyArgs: () => scheduleOnMastersPolicyArgs,
   scheduleOnMastersPolicySchema: () => scheduleOnMastersPolicySchema,
-  scopedMetadataSchema: () => scopedMetadataSchema,
-  scopedResourceSchema: () => scopedResourceSchema,
+  secretEntity: () => secretEntity,
+  serviceEndpointMetadataSchema: () => serviceEndpointMetadataSchema,
   serviceEndpointSchema: () => serviceEndpointSchema,
   serviceEntity: () => serviceEntity,
   serviceTypeSchema: () => serviceTypeSchema,
   statefulSetEntity: () => statefulSetEntity,
   tlsIssuerDataSchema: () => tlsIssuerDataSchema,
-  tunDevicePolicySchema: () => tunDevicePolicySchema
+  tunDevicePolicySchema: () => tunDevicePolicySchema,
+  workloadEntity: () => workloadEntity
 });
 
 // src/k8s/apps/index.ts
@@ -2040,6 +2553,7 @@ __export(apps_exports, {
   codeServer: () => codeServer,
   databaseConfigKeySchema: () => databaseConfigKeySchema,
   environmentVariableSchema: () => environmentVariableSchema,
+  etcd: () => etcd,
   grocy: () => grocy,
   hubble: () => hubble,
   kubernetesDashboard: () => kubernetesDashboard,
@@ -2050,7 +2564,7 @@ __export(apps_exports, {
   mongodb: () => mongodb,
   mongodbDatabase: () => mongodbDatabase,
   node: () => node,
-  optionalSharedArgs: () => optionalSharedArgs,
+  optionalSharedArgs: () => optionalSharedArgs2,
   optionalSharedInputs: () => optionalSharedInputs,
   postgresql: () => postgresql,
   postgresqlDatabase: () => postgresqlDatabase,
@@ -2063,9 +2577,10 @@ __export(apps_exports, {
   traefik: () => traefik,
   valkey: () => valkey,
   vaultwarden: () => vaultwarden,
+  wgFeedServer: () => wgFeedServer,
   workload: () => workload
 });
-var endpointServiceMetadataSchema = z.object({
+var serviceEndpointMetadataSchema = z.object({
   "k8s.service": z.object({
     /**
      * The ID of the cluster where the service is located.
@@ -2083,6 +2598,10 @@ var endpointServiceMetadataSchema = z.object({
      * The namespace of the service.
      */
     namespace: z.string().meta({ title: camelCaseToHumanReadable("namespace"), description: `The namespace of the service.` }),
+    /**
+     * Whether this endpoint is only accessible within the cluster.
+     */
+    isInternal: z.boolean().meta({ title: camelCaseToHumanReadable("isInternal"), description: `Whether this endpoint is only accessible within the cluster.` }),
     /**
      * The selector of the service.
      */
@@ -2096,16 +2615,19 @@ var endpointServiceMetadataSchema = z.object({
 var serviceEndpointSchema = z.intersection(
   l4EndpointEntity.schema,
   z.object({
-    metadata: endpointServiceMetadataSchema
+    metadata: serviceEndpointMetadataSchema
   })
 );
 var serviceEntity = defineEntity({
   type: "k8s.service.v1",
-  schema: z.object({
-    ...scopedResourceSchema.shape,
-    type: z.literal("service"),
-    endpoints: serviceEndpointSchema.array()
-  }),
+  extends: { namespacedResourceEntity },
+  includes: {
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
+  schema: z.unknown(),
   meta: {
     color: "#2196F3"
   }
@@ -2113,13 +2635,58 @@ var serviceEntity = defineEntity({
 var serviceTypeSchema = z.enum(["NodePort", "LoadBalancer", "ClusterIP"]);
 
 // src/k8s/workload.ts
+var workloadEntity = defineEntity({
+  type: "k8s.workload.v1",
+  extends: { namespacedResourceEntity },
+  schema: z.unknown(),
+  meta: {
+    description: `The entity which represents a Kubernetes workload.`,
+    color: "#9C27B0"
+  }
+});
+var jobEntity = defineEntity({
+  type: "k8s.job.v1",
+  extends: { workloadEntity },
+  schema: z.unknown(),
+  meta: {
+    description: `The entity which represents a Kubernetes job managed by Highstate.`,
+    color: "#FF5722"
+  }
+});
+var cronJobEntity = defineEntity({
+  type: "k8s.cron-job.v1",
+  extends: { workloadEntity },
+  schema: z.unknown(),
+  meta: {
+    description: `The entity which represents a Kubernetes cron job managed by Highstate.`,
+    color: "#FF9800"
+  }
+});
+var exposableWorkloadEntity = defineEntity({
+  type: "k8s.exposable-workload.v1",
+  extends: { workloadEntity },
+  includes: {
+    service: {
+      entity: serviceEntity,
+      required: false
+    },
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
+  schema: z.unknown(),
+  meta: {
+    description: `The entity which represents a Kubernetes workload (optionally) exposed via a service.
+
+ Includes both the workload and its associated service.`,
+    color: "#4CAF50"
+  }
+});
 var deploymentEntity = defineEntity({
   type: "k8s.deployment.v1",
-  schema: z.object({
-    ...scopedResourceSchema.shape,
-    type: z.literal("deployment"),
-    service: serviceEntity.schema.optional()
-  }),
+  extends: { exposableWorkloadEntity },
+  schema: z.unknown(),
   meta: {
     description: `The entity which represents a Kubernetes deployment managed by Highstate.
 
@@ -2129,11 +2696,11 @@ var deploymentEntity = defineEntity({
 });
 var statefulSetEntity = defineEntity({
   type: "k8s.stateful-set.v1",
-  schema: z.object({
-    ...scopedResourceSchema.shape,
-    type: z.literal("stateful-set"),
-    service: serviceEntity.schema
-  }),
+  extends: { exposableWorkloadEntity },
+  includes: {
+    service: serviceEntity
+  },
+  schema: z.unknown(),
   meta: {
     description: `The entity which represents a Kubernetes stateful set managed by Highstate.
 
@@ -2141,21 +2708,11 @@ var statefulSetEntity = defineEntity({
     color: "#FFC107"
   }
 });
-var exposableWorkloadEntity = defineEntity({
-  type: "k8s.exposable-workload.v1",
-  schema: z.union([deploymentEntity.schema, statefulSetEntity.schema]),
-  meta: {
-    description: `The entity which represents a Kubernetes workload exposed via a service.
-
- It can be either a deployment or a stateful set.`,
-    color: "#4CAF50"
-  }
-});
 var networkInterfaceEntity = defineEntity({
   type: "k8s.network-interface.v1",
   schema: z.object({
     name: z.string(),
-    workload: exposableWorkloadEntity.schema
+    workload: workloadEntity.schema
   }),
   meta: {
     description: `The network interface in a network namespace of the pod which can accept and transmit network traffic.`,
@@ -2272,7 +2829,7 @@ var sharedArgs2 = $args({
    */
   replicas: $addArgumentDescription(z.number().default(1), `The number of replicas for the application.`)
 });
-var optionalSharedArgs = mapValues(sharedArgs2, (arg) => ({
+var optionalSharedArgs2 = mapValues(sharedArgs2, (arg) => ({
   ...arg,
   schema: arg.schema.optional()
 }));
@@ -2360,6 +2917,9 @@ var sharedInputs2 = $inputs({
   },
   redis: {
     entity: redisEntity
+  },
+  etcd: {
+    entity: etcdEntity
   }
 });
 var optionalSharedInputs = mapValues(sharedInputs2, (input) => ({
@@ -2401,6 +2961,32 @@ var codeServer = defineUnit({
   },
   source: source("code-server")
 });
+var etcd = defineUnit({
+  type: "k8s.apps.etcd.v1",
+  args: {
+    ...appName("etcd"),
+    ...pick(sharedArgs2, ["external"])
+  },
+  secrets: {
+    ...pick(sharedSecrets2, ["backupKey"])
+  },
+  inputs: {
+    ...pick(sharedInputs2, ["k8sCluster"]),
+    ...pick(optionalSharedInputs, ["resticRepo"])
+  },
+  outputs: {
+    etcd: etcdEntity
+  },
+  meta: {
+    description: `The etcd instance deployed on Kubernetes.`,
+    title: "etcd",
+    icon: "simple-icons:etcd",
+    iconColor: "#0069ab",
+    secondaryIcon: "mdi:database",
+    category: "Databases"
+  },
+  source: source("etcd/app")
+});
 var grocy = defineUnit({
   type: "k8s.apps.grocy.v1",
   args: {
@@ -2477,11 +3063,7 @@ var mariadb = defineUnit({
   },
   outputs: {
     mariadb: mariadbEntity,
-    service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true
-    }
+    service: serviceEntity
   },
   meta: {
     description: `The MariaDB database deployed on Kubernetes.`,
@@ -2584,11 +3166,7 @@ var minio = defineUnit({
   },
   outputs: {
     s3: s3Entity,
-    service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true
-    }
+    service: serviceEntity
   },
   meta: {
     description: `The MinIO object storage deployed on Kubernetes.`,
@@ -2614,11 +3192,7 @@ var mongodb = defineUnit({
   },
   outputs: {
     mongodb: mongodbEntity,
-    service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true
-    }
+    service: serviceEntity
   },
   meta: {
     description: `The MongoDB instance deployed on Kubernetes.`,
@@ -2666,11 +3240,7 @@ var postgresql = defineUnit({
   },
   outputs: {
     postgresql: postgresqlEntity,
-    service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true
-    }
+    service: serviceEntity
   },
   meta: {
     description: `The PostgreSQL instance deployed on Kubernetes.`,
@@ -2812,7 +3382,7 @@ var traefik = defineUnit({
   type: "k8s.apps.traefik.v1",
   args: {
     ...appName("traefik"),
-    ...pick(sharedArgs2, ["external", "replicas", "endpoints"]),
+    ...pick(sharedArgs2, ["external", "replicas"]),
     /**
      * The name of the class to configure for ingress and gateway resources.
      *
@@ -2820,7 +3390,19 @@ var traefik = defineUnit({
      */
     className: $addArgumentDescription(z.string().default("traefik"), `The name of the class to configure for ingress and gateway resources.
 
- Defaults to "traefik".`)
+ Defaults to "traefik".`),
+    /**
+     * Whether to create and enable reconciliation for Traefik CRDs.
+     */
+    enableTraefikCrds: $addArgumentDescription(z.boolean().default(true), `Whether to create and enable reconciliation for Traefik CRDs.`),
+    /**
+     * Whether to enable reconciliation for Ingress resources and create ingress class.
+     */
+    enableIngressApi: $addArgumentDescription(z.boolean().default(true), `Whether to enable reconciliation for Ingress resources and create ingress class.`),
+    /**
+     * Whether to enable reconciliation for Gateway API resources and create gateway class.
+     */
+    enableGatewayApi: $addArgumentDescription(z.boolean().default(false), `Whether to enable reconciliation for Gateway API resources and create gateway class.`)
   },
   inputs: {
     ...pick(sharedInputs2, ["k8sCluster"])
@@ -2856,11 +3438,7 @@ var valkey = defineUnit({
   },
   outputs: {
     redis: databases_exports.redisEntity,
-    service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true
-    }
+    service: serviceEntity
   },
   meta: {
     description: `The Valkey instance deployed on Kubernetes.`,
@@ -2891,6 +3469,28 @@ var vaultwarden = defineUnit({
   },
   source: source("vaultwarden")
 });
+var wgFeedServer = defineUnit({
+  type: "k8s.apps.wg-feed-server.v1",
+  args: {
+    ...appName("wg-feed-server"),
+    ...pick(sharedArgs2, ["fqdn"])
+  },
+  inputs: {
+    ...pick(sharedInputs2, ["k8sCluster", "accessPoint", "etcd"])
+  },
+  outputs: {
+    endpoint: l4EndpointEntity
+  },
+  meta: {
+    description: `The WG Feed Server deployed on Kubernetes.`,
+    title: "WG Feed Server",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
+    secondaryIcon: "mdi:broadcast",
+    category: "Wireguard"
+  },
+  source: source("wg-feed-server")
+});
 var databaseConfigKeySchema = z.enum([
   "url",
   "host",
@@ -3504,7 +4104,7 @@ var obfuscator = defineUnit({
     path: "phantun/obfuscator"
   }
 });
-var k8sVerbsSchema = z.enum([
+var accessVerbSchema = z.enum([
   "get",
   "list",
   "watch",
@@ -3514,80 +4114,56 @@ var k8sVerbsSchema = z.enum([
   "delete",
   "deletecollection"
 ]);
+var acessRuleSchema = z.object({
+  apiGroups: z.string().array(),
+  resources: z.string().array(),
+  verbs: accessVerbSchema.array(),
+  resourceNames: z.string().array().default([])
+});
 var reducedAccessCluster = defineUnit({
-  type: "k8s.reduced-access-cluster.v0",
+  type: "k8s.reduced-access-cluster.v1",
   args: {
     /**
-     * The verbs to allow on the specified resources.
+     * The name of the ServiceAccount to create.
      *
-     * Defaults to read-only access (get, list, watch).
+     * If not provided, will be the same as the unit name.
      */
-    verbs: $addArgumentDescription(k8sVerbsSchema.array().default(["get", "list", "watch"]), `The verbs to allow on the specified resources.
+    serviceAccountName: $addArgumentDescription(z.string().optional(), `The name of the ServiceAccount to create.
 
- Defaults to read-only access (get, list, watch).`),
+ If not provided, will be the same as the unit name.`),
     /**
-     * The name of the ServiceAccount to create.
+     * The rules defining the access permissions for the ServiceAccount.
      *
-     * If not provided, will be the same as the unit name.
+     * If rule's `apiGroups` and `resources` exactly match resources from the `resources` input,
+     * their names will be added to the rule's `resourceNames` list.
      */
-    serviceAccountName: $addArgumentDescription(z.string().optional(), `The name of the ServiceAccount to create.
+    rules: $addArgumentDescription(acessRuleSchema.array().default([]), `The rules defining the access permissions for the ServiceAccount.
 
- If not provided, will be the same as the unit name.`)
+ If rule's \`apiGroups\` and \`resources\` exactly match resources from the \`resources\` input,
+ their names will be added to the rule's \`resourceNames\` list.`)
   },
   inputs: {
     k8sCluster: clusterEntity,
     /**
      * The namespace where the ServiceAccount will be created.
      */
-    namespace: $addInputDescription(namespaceEntity, `The namespace where the ServiceAccount will be created.`),
-    /**
-     * The deployments to grant access to.
-     */
-    deployments: $addInputDescription({
-      entity: deploymentEntity,
-      multiple: true,
-      required: false
-    }, `The deployments to grant access to.`),
-    /**
-     * The stateful sets to grant access to.
-     */
-    statefulSets: $addInputDescription({
-      entity: statefulSetEntity,
-      multiple: true,
-      required: false
-    }, `The stateful sets to grant access to.`),
-    /**
-     * The services to grant access to.
-     */
-    services: $addInputDescription({
-      entity: serviceEntity,
-      multiple: true,
-      required: false
-    }, `The services to grant access to.`),
-    /**
-     * The persistent volume claims to grant access to.
-     */
-    persistentVolumeClaims: $addInputDescription({
-      entity: persistentVolumeClaimEntity,
-      multiple: true,
-      required: false
-    }, `The persistent volume claims to grant access to.`),
+    namespace: $addInputDescription(namespaceEntity, `The namespace where the ServiceAccount will be created.`),
     /**
-     * The secrets to grant access to.
+     * The extra namespaces to bind to the ClusterRole and allow ServiceAccount to access them with specified rules.
      */
-    secrets: $addInputDescription({
-      entity: certificateEntity,
+    extraNamespaces: $addInputDescription({
+      entity: namespaceEntity,
       multiple: true,
       required: false
-    }, `The secrets to grant access to.`),
+    }, `The extra namespaces to bind to the ClusterRole and allow ServiceAccount to access them with specified rules.`),
     /**
-     * The config maps to grant access to.
+     * The resources to which access will be granted.
      */
-    configMaps: $addInputDescription({
-      entity: certificateEntity,
+    resources: $addInputDescription({
+      entity: resourceEntity,
       multiple: true,
       required: false
-    }, `The config maps to grant access to.`)
+    }, `The resources to which access will be granted.`)
   },
   outputs: {
     k8sCluster: clusterEntity
@@ -3850,7 +4426,7 @@ var connection = defineUnit({
     ...secrets
   },
   inputs: {
-    ...inputs2
+    ...inputs
   },
   outputs: {
     /**
@@ -4126,7 +4702,7 @@ var virtualMachine = defineUnit({
     }, `The cloud-init vendor data to use for the virtual machine.
 
  You can provide a cloud-config from the distribution component.`),
-    ...inputs2
+    ...inputs
   },
   outputs: serverOutputs,
   meta: {
@@ -4357,6 +4933,7 @@ var connection2 = defineUnit({
     description: `The Cloudflare connection for a single zone.`,
     title: "Cloudflare Connection",
     icon: "simple-icons:cloudflare",
+    iconColor: "#F38020",
     category: "Cloudflare"
   },
   source: {
@@ -4377,6 +4954,10 @@ __export(wireguard_exports, {
   backendSchema: () => backendSchema,
   config: () => config,
   configBundle: () => configBundle,
+  configEntity: () => configEntity,
+  feed: () => feed,
+  feedDisplayInfoSchema: () => feedDisplayInfoSchema,
+  feedMetadataSchema: () => feedMetadataSchema,
   identity: () => identity,
   identityEntity: () => identityEntity,
   network: () => network,
@@ -4389,23 +4970,25 @@ __export(wireguard_exports, {
   peerPatch: () => peerPatch
 });
 var backendSchema = z.enum(["wireguard", "amneziawg"]);
-var networkArgs = {
+var networkArgs2 = {
   /**
    * The backend to use for the WireGuard network.
    *
    * Possible values are:
    * - `wireguard` - the default backend;
-   * - `amneziawg` - the censorship-resistant fork of WireGuard.
+   * - `amneziawg` - the censorship-resistant fork of WireGuard (NOT SUPPORTED YET).
    */
   backend: backendSchema.default("wireguard"),
   /**
    * Whether to enable IPv4 support in the network.
+   * Affects addresses inside network, not the endpoints of peers.
    *
    * By default, IPv4 support is enabled.
    */
   ipv4: z.boolean().default(true),
   /**
    * Whether to enable IPv6 support in the network.
+   * Affects addresses inside network, not the endpoints of peers.
    *
    * By default, IPv6 support is disabled.
    */
@@ -4413,7 +4996,7 @@ var networkArgs = {
 };
 var networkEntity = defineEntity({
   type: "wireguard.network.v1",
-  schema: z.object(networkArgs),
+  schema: z.object(networkArgs2),
   meta: {
     description: `The entity representing the WireGuard network configuration.
 
@@ -4423,14 +5006,44 @@ var networkEntity = defineEntity({
 var nodeExposePolicySchema = z.enum(["always", "when-has-endpoint", "never"]);
 var peerEntity = defineEntity({
   type: "wireguard.peer.v1",
+  includes: {
+    /**
+     * The endpoints where the WireGuard peer can be reached.
+     */
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
   schema: z.object({
-    name: z.string(),
-    network: networkEntity.schema.optional(),
-    publicKey: z.string(),
-    address: z.string().optional(),
-    allowedIps: z.string().array(),
-    endpoints: l4EndpointEntity.schema.array(),
-    allowedEndpoints: z.union([l3EndpointEntity.schema, l4EndpointEntity.schema]).array(),
+    /**
+     * The name of the WireGuard peer.
+     */
+    name: genericNameSchema.meta({ title: camelCaseToHumanReadable("name"), description: `The name of the WireGuard peer.` }),
+    /**
+     * The network to which the WireGuard peer belongs.
+     *
+     * Holds shared configuration for all identities, peers, and nodes.
+     */
+    network: networkEntity.schema.optional().meta({ title: camelCaseToHumanReadable("network"), description: `The network to which the WireGuard peer belongs.
+
+ Holds shared configuration for all identities, peers, and nodes.` }),
+    /**
+     * The addresses of the WireGuard interface.
+     */
+    addresses: addressEntity.schema.array().meta({ title: camelCaseToHumanReadable("addresses"), description: `The addresses of the WireGuard interface.` }),
+    /**
+     * The allowed subnets of the WireGuard peer.
+     *
+     * Will be used to configure the `AllowedIPs` of the peer.
+     */
+    allowedSubnets: subnetEntity.schema.array().meta({ title: camelCaseToHumanReadable("allowedSubnets"), description: `The allowed subnets of the WireGuard peer.
+
+ Will be used to configure the \`AllowedIPs\` of the peer.` }),
+    /**
+     * The public key of the WireGuard peer.
+     */
+    publicKey: z.string().meta({ title: camelCaseToHumanReadable("publicKey"), description: `The public key of the WireGuard peer.` }),
     /**
      * The pre-shared key of the WireGuard peer.
      *
@@ -4446,14 +5059,27 @@ var peerEntity = defineEntity({
     /**
      * The pre-shared key part of the WireGuard peer.
      *
-     * If both peers have `presharedKeyPart` set, their `presharedKey` will be calculated as XOR of the two parts.
+     * If both peers have `presharedKeyPart` set, their `presharedKey` will be calculated as sha256 of the two parts.
      */
     presharedKeyPart: z.string().optional().meta({ title: camelCaseToHumanReadable("presharedKeyPart"), description: `The pre-shared key part of the WireGuard peer.
 
- If both peers have \`presharedKeyPart\` set, their \`presharedKey\` will be calculated as XOR of the two parts.` }),
-    excludedIps: z.string().array(),
-    dns: z.string().array(),
-    listenPort: z.number().optional(),
+ If both peers have \`presharedKeyPart\` set, their \`presharedKey\` will be calculated as sha256 of the two parts.` }),
+    /**
+     * The list of DNS servers to setup for the interface connected to the WireGuard peer.
+     */
+    dns: addressEntity.schema.array().meta({ title: camelCaseToHumanReadable("dns"), description: `The list of DNS servers to setup for the interface connected to the WireGuard peer.` }),
+    /**
+     * The port where the WireGuard peer is listening.
+     *
+     * Will be used:
+     * 1. For implementations if the listen port is not set elsewhere.
+     * 2. To map L3 endpoints to L4 endpoints with this port.
+     */
+    listenPort: z.number().default(51820).meta({ title: camelCaseToHumanReadable("listenPort"), description: `The port where the WireGuard peer is listening.
+
+ Will be used:
+ 1. For implementations if the listen port is not set elsewhere.
+ 2. To map L3 endpoints to L4 endpoints with this port.` }),
     /**
      * The keepalive interval in seconds that will be used by all nodes connecting to this peer.
      *
@@ -4461,7 +5087,19 @@ var peerEntity = defineEntity({
      */
     persistentKeepalive: z.number().int().nonnegative().default(0).meta({ title: camelCaseToHumanReadable("persistentKeepalive"), description: `The keepalive interval in seconds that will be used by all nodes connecting to this peer.
 
- If set to 0, keepalive is disabled.` })
+ If set to 0, keepalive is disabled.` }),
+    /**
+     * The peers which are relayed through this peer.
+     *
+     * All their allowed IPs will be added to this peer's allowed IPs
+     * and will be used to setup routing for all other peers except the relayed ones.
+     */
+    get relayedPeers() {
+      return peerEntity.schema.array().optional().meta({ title: camelCaseToHumanReadable("relayedPeers"), description: `The peers which are relayed through this peer.
+
+ All their allowed IPs will be added to this peer's allowed IPs
+ and will be used to setup routing for all other peers except the relayed ones.` });
+    }
   }),
   meta: {
     color: "#673AB7"
@@ -4469,17 +5107,76 @@ var peerEntity = defineEntity({
 });
 var identityEntity = defineEntity({
   type: "wireguard.identity.v1",
+  includes: {
+    /**
+     * The WireGuard peer representing this identity.
+     */
+    peer: peerEntity
+  },
   schema: z.object({
-    peer: peerEntity.schema,
-    privateKey: z.string()
+    /**
+     * The private key of the WireGuard identity.
+     */
+    privateKey: z.string().meta({ title: camelCaseToHumanReadable("privateKey"), description: `The private key of the WireGuard identity.` })
   }),
   meta: {
     color: "#F44336"
   }
 });
+var feedDisplayInfoSchema = z.object({
+  /**
+   * The display title of the tunnel.
+   */
+  title: z.string().meta({ title: camelCaseToHumanReadable("title"), description: `The display title of the tunnel.` }),
+  /**
+   * The display description of the tunnel.
+   */
+  description: z.string().optional().meta({ title: camelCaseToHumanReadable("description"), description: `The display description of the tunnel.` }),
+  /**
+   * The display icon URL of the tunnel.
+   *
+   * Must only be `data:` URL with SVG image.
+   */
+  iconUrl: z.url().optional().meta({ title: camelCaseToHumanReadable("iconUrl"), description: `The display icon URL of the tunnel.
+
+ Must only be \`data:\` URL with SVG image.` })
+});
+var feedMetadataSchema = z.object({
+  /**
+   * The ID of the tunnel in the feed.
+   */
+  id: z.string().meta({ title: camelCaseToHumanReadable("id"), description: `The ID of the tunnel in the feed.` }),
+  /**
+   * The suggested name of the interface for the tunnel.
+   */
+  name: genericNameSchema.meta({ title: camelCaseToHumanReadable("name"), description: `The suggested name of the interface for the tunnel.` }),
+  /**
+   * The display information of the tunnel.
+   */
+  displayInfo: feedDisplayInfoSchema.meta({ title: camelCaseToHumanReadable("displayInfo"), description: `The display information of the tunnel.` })
+});
+var configEntity = defineEntity({
+  type: "wireguard.config.v1",
+  includes: {
+    /**
+     * The file containing the wg-quick configuration.
+     */
+    file: fileEntity
+  },
+  schema: z.object({
+    /**
+     * The metadata to include in the wg-feed for this config.
+     *
+     * Must be provided for the configs uploaded to wg-feed.
+     */
+    feedMetadata: feedMetadataSchema.optional().meta({ title: camelCaseToHumanReadable("feedMetadata"), description: `The metadata to include in the wg-feed for this config.
+
+ Must be provided for the configs uploaded to wg-feed.` })
+  })
+});
 var network = defineUnit({
   type: "wireguard.network.v1",
-  args: networkArgs,
+  args: networkArgs2,
   outputs: {
     network: networkEntity
   },
@@ -4495,35 +5192,39 @@ var network = defineUnit({
     path: "network"
   }
 });
-var sharedPeerArgs = {
+var sharedPeerArgs = $args({
   /**
    * The name of the WireGuard peer.
    *
    * If not provided, the peer will be named after the unit.
    */
-  peerName: z.string().optional(),
+  peerName: $addArgumentDescription(z.string().optional(), `The name of the WireGuard peer.
+
+ If not provided, the peer will be named after the unit.`),
   /**
-   * The address of the WireGuard interface.
+   * The addresses of the WireGuard interface.
    *
    * The address may be any IPv4 or IPv6 address. CIDR notation is also supported.
    */
-  address: z.string().optional(),
+  addresses: $addArgumentDescription(z.string().array().default([]), `The addresses of the WireGuard interface.
+
+ The address may be any IPv4 or IPv6 address. CIDR notation is also supported.`),
   /**
    * The convenience option to set `allowedIps` to `0.0.0.0/0, ::/0`.
    *
    * Will be merged with the `allowedIps` if provided.
    */
-  exitNode: z.boolean().default(false),
+  exitNode: $addArgumentDescription(z.boolean().default(false), `The convenience option to set \`allowedIps\` to \`0.0.0.0/0, ::/0\`.
+
+ Will be merged with the \`allowedIps\` if provided.`),
+  /**
+   * The list of IP ranges to include in the allowed IPs of the peer.
+   */
+  allowedSubnets: $addArgumentDescription(z.string().array().default([]), `The list of IP ranges to include in the allowed IPs of the peer.`),
   /**
    * The list of IP ranges to exclude from the tunnel.
-   *
-   * Implementation notes:
-   *
-   * - this list will not be used to generate the allowed IPs for the peer;
-   * - instead, the node will setup extra direct routes to these IPs via default gateway;
-   * - this allows to use `0.0.0.0/0, ::/0` in the `allowedIps` (and corresponding fwmark magic) and still have some IPs excluded from the tunnel.
    */
-  excludedIps: z.string().array().default([]),
+  excludedSubnets: $addArgumentDescription(z.string().array().default([]), `The list of IP ranges to exclude from the tunnel.`),
   /**
    * The convenience option to exclude private IPs from the tunnel.
    *
@@ -4540,103 +5241,113 @@ var sharedPeerArgs = {
    *
    * Will be merged with `excludedIps` if provided.
    */
-  excludePrivateIps: z.boolean().default(false),
+  excludePrivateSubnets: $addArgumentDescription(z.boolean().default(false), `The convenience option to exclude private IPs from the tunnel.
+
+ For IPv4, the private IPs are:
+
+ - \`10.0.0.0/8\`
+ - \`172.16.0.0/12\`
+ - \`192.168.0.0/16\`
+
+ For IPv6, the private IPs are:
+
+ - \`fc00::/7\`
+ - \`fe80::/10\`
+
+ Will be merged with \`excludedIps\` if provided.`),
   /**
    * The endpoints of the WireGuard peer.
    */
-  endpoints: z.string().array().default([]),
+  endpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints of the WireGuard peer.`),
   /**
-   * The allowed endpoints of the WireGuard peer.
+   * The DNS servers that should be used by the interface connected to the WireGuard peer.
    *
-   * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
+   * If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).
    */
-  allowedEndpoints: z.string().array().default([]),
+  dns: $addArgumentDescription(z.string().array().default([]), `The DNS servers that should be used by the interface connected to the WireGuard peer.
+
+ If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).`),
   /**
-   * The DNS servers that should be used by the interface connected to the WireGuard peer.
+   * The convenience option to include the addresses to the allowed IPs.
    *
-   * If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).
+   * By default, is `true`.
    */
-  dns: z.string().array().default([]),
+  includeAddresses: $addArgumentDescription(z.boolean().default(true), `The convenience option to include the addresses to the allowed IPs.
+
+ By default, is \`true\`.`),
   /**
    * The convenience option to include the DNS servers to the allowed IPs.
    *
    * By default, is `true`.
    */
-  includeDns: z.boolean().default(true),
+  includeDns: $addArgumentDescription(z.boolean().default(true), `The convenience option to include the DNS servers to the allowed IPs.
+
+ By default, is \`true\`.`),
   /**
    * The port to listen on.
    */
-  listenPort: z.number().optional(),
+  listenPort: $addArgumentDescription(z.number().default(51820), `The port to listen on.`),
   /**
    * The keepalive interval in seconds that will be used by all nodes connecting to this peer.
    *
    * If set to 0, keepalive is disabled.
    */
-  persistentKeepalive: z.number().int().nonnegative().default(0)
-};
-var sharedPeerInputs = {
+  persistentKeepalive: $addArgumentDescription(z.number().int().nonnegative().default(0), `The keepalive interval in seconds that will be used by all nodes connecting to this peer.
+
+ If set to 0, keepalive is disabled.`)
+});
+var sharedPeerInputs = $inputs({
   /**
    * The network to use for the WireGuard identity.
    *
    * If not provided, the identity will use default network configuration.
    */
-  network: {
+  network: $addInputDescription({
     entity: networkEntity,
     required: false
-  },
+  }, `The network to use for the WireGuard identity.
+
+ If not provided, the identity will use default network configuration.`),
   /**
-   * The L3 endpoints of the identity.
+   * The L3/L4 endpoints of the identity.
    *
-   * Will produce L4 endpoints for each of the provided L3 endpoints.
+   * All L3 endpoints will be adjusted to L4 endpoints with listen port of the identity.
    */
-  l3Endpoints: {
+  endpoints: $addInputDescription({
     entity: l3EndpointEntity,
     multiple: true,
     required: false
-  },
+  }, `The L3/L4 endpoints of the identity.
+
+ All L3 endpoints will be adjusted to L4 endpoints with listen port of the identity.`),
   /**
-   * The L4 endpoints of the identity.
-   *
-   * Will take priority over all calculated endpoints if provided.
+   * the endpoints to add to the allowed IPs of the identity.
    */
-  l4Endpoints: {
-    entity: l4EndpointEntity,
-    required: false,
-    multiple: true
-  },
+  allowedEndpoints: $addInputDescription({
+    entity: l3EndpointEntity,
+    multiple: true,
+    required: false
+  }, `the endpoints to add to the allowed IPs of the identity.`),
   /**
-   * The L3 endpoints to add to the allowed IPs of the identity.
-   *
-   * `hostname` endpoints will be ignored.
-   *
-   * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
-   * the corresponding network policy will be created.
+   * The subnets to add to the allowed IPs of the identity.
    */
-  allowedL3Endpoints: {
-    entity: l3EndpointEntity,
+  allowedSubnets: $addInputDescription({
+    entity: subnetEntity,
     multiple: true,
     required: false
-  },
+  }, `The subnets to add to the allowed IPs of the identity.`),
   /**
-   * The L4 endpoints to add to the allowed IPs of the identity.
-   *
-   * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
-   * the corresponding network policy will be created.
+   * The peers which are relayed through this peer.
    */
-  allowedL4Endpoints: {
-    entity: l4EndpointEntity,
+  relayedPeers: $addInputDescription({
+    entity: peerEntity,
     multiple: true,
     required: false
-  }
-};
-var sharedPeerOutputs = {
-  peer: peerEntity,
-  endpoints: {
-    entity: l4EndpointEntity,
-    required: false,
-    multiple: true
-  }
-};
+  }, `The peers which are relayed through this peer.`)
+});
+var sharedPeerOutputs = $outputs({
+  peer: peerEntity
+});
 var peer = defineUnit({
   type: "wireguard.peer.v1",
   args: {
@@ -4668,53 +5379,12 @@ var peer = defineUnit({
 });
 var peerPatch = defineUnit({
   type: "wireguard.peer-patch.v1",
-  args: {
-    /**
-     * The endpoints of the WireGuard peer.
-     */
-    endpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints of the WireGuard peer.`),
-    /**
-     * The mode to use for patching the endpoints.
-     *
-     * - `prepend`: prepend the new endpoints to the existing ones (default);
-     * - `replace`: replace the existing endpoints with the new ones.
-     */
-    endpointsPatchMode: $addArgumentDescription(arrayPatchModeSchema.default("prepend"), `The mode to use for patching the endpoints.
-
- - \`prepend\`: prepend the new endpoints to the existing ones (default);
- - \`replace\`: replace the existing endpoints with the new ones.`),
-    /**
-     * The allowed endpoints of the WireGuard peer.
-     *
-     * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-     */
-    allowedEndpoints: $addArgumentDescription(z.string().array().default([]), `The allowed endpoints of the WireGuard peer.
-
- The non \`hostname\` endpoints will be added to the \`allowedIps\` of the peer.`),
-    /**
-     * The mode to use for patching the allowed endpoints.
-     *
-     * - `prepend`: prepend the new endpoints to the existing ones (default);
-     * - `replace`: replace the existing endpoints with the new ones.
-     */
-    allowedEndpointsPatchMode: $addArgumentDescription(arrayPatchModeSchema.default("prepend"), `The mode to use for patching the allowed endpoints.
-
- - \`prepend\`: prepend the new endpoints to the existing ones (default);
- - \`replace\`: replace the existing endpoints with the new ones.`),
-    ...omit(sharedPeerArgs, ["endpoints", "allowedEndpoints"])
-  },
+  args: toPatchArgs(sharedPeerArgs),
   inputs: {
     peer: peerEntity,
     ...sharedPeerInputs
   },
-  outputs: {
-    peer: peerEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      required: false,
-      multiple: true
-    }
-  },
+  outputs: sharedPeerOutputs,
   meta: {
     description: `Patches some properties of the WireGuard peer.`,
     title: "WireGuard Peer Patch",
@@ -4730,29 +5400,7 @@ var peerPatch = defineUnit({
 });
 var identity = defineUnit({
   type: "wireguard.identity.v1",
-  args: {
-    ...sharedPeerArgs,
-    /**
-     * The port to listen on.
-     *
-     * Used by the implementation of the identity and to calculate the endpoint of the peer.
-     */
-    listenPort: $addArgumentDescription(z.number().optional(), `The port to listen on.
-
- Used by the implementation of the identity and to calculate the endpoint of the peer.`),
-    /**
-     * The endpoint of the WireGuard peer.
-     *
-     * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
-     *
-     * Will take priority over all calculated endpoints and `l4Endpoint` input.
-     */
-    endpoints: $addArgumentDescription(z.string().array().default([]), `The endpoint of the WireGuard peer.
-
- If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
-
- Will take priority over all calculated endpoints and \`l4Endpoint\` input.`)
-  },
+  args: sharedPeerArgs,
   secrets: {
     /**
      * The private key of the WireGuard identity.
@@ -4773,8 +5421,7 @@ var identity = defineUnit({
   },
   inputs: sharedPeerInputs,
   outputs: {
-    identity: identityEntity,
-    ...sharedPeerOutputs
+    identity: identityEntity
   },
   meta: {
     description: `The WireGuard identity with the public key.`,
@@ -4835,7 +5482,7 @@ var nodeK8s = defineUnit({
      *
      * Useful for peer isolation where you want to prevent cross-peer communication.
      */
-    forwardRestrictedIps: $addArgumentDescription(z.string().array().default([]), `List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
+    forwardRestrictedSubnets: $addArgumentDescription(z.string().array().default([]), `List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
 
  This prevents other peers from reaching these destination CIDRs while still allowing
  the peers in those CIDRs to access the internet and other allowed endpoints.
@@ -4846,7 +5493,7 @@ var nodeK8s = defineUnit({
     identity: identityEntity,
     k8sCluster: clusterEntity,
     workload: {
-      entity: exposableWorkloadEntity,
+      entity: workloadEntity,
       required: false
     },
     interface: {
@@ -4860,18 +5507,14 @@ var nodeK8s = defineUnit({
     }
   },
   outputs: {
+    workload: {
+      entity: workloadEntity
+    },
     interface: {
-      entity: networkInterfaceEntity,
-      required: false
+      entity: networkInterfaceEntity
     },
     peer: {
-      entity: peerEntity,
-      required: false
-    },
-    endpoints: {
-      entity: l4EndpointEntity,
-      required: false,
-      multiple: true
+      entity: peerEntity
     }
   },
   meta: {
@@ -4898,14 +5541,6 @@ var node2 = defineUnit({
     interfaceName: $addArgumentDescription(z.string().optional(), `The name of the WireGuard interface.
 
  By default, the name is \`wg-\${identity.name}\` (truncated to 15 characters).`),
-    /**
-     * The name of the default interface for excluded routes.
-     *
-     * This is used to route excluded IPs through the default interface instead of the WireGuard tunnel.
-     */
-    defaultInterface: $addArgumentDescription(z.string().default("eth0"), `The name of the default interface for excluded routes.
-
- This is used to route excluded IPs through the default interface instead of the WireGuard tunnel.`),
     /**
      * List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
      *
@@ -4981,17 +5616,48 @@ var node2 = defineUnit({
     path: "node"
   }
 });
+var sharedArgs3 = $args({
+  /**
+   * The filter to use when selecting endpoints for each peer.
+   *
+   * The first matching endpoint will be used.
+   *
+   * If not provided, all endpoints will be considered.
+   */
+  peerEndpointFilter: $addArgumentDescription(z.string().optional().meta({ language: "javascript" }), `The filter to use when selecting endpoints for each peer.
+
+ The first matching endpoint will be used.
+
+ If not provided, all endpoints will be considered.`)
+});
 var config = defineUnit({
   type: "wireguard.config.v1",
   args: {
+    ...sharedArgs3,
     /**
-     * The name of the "default" interface where non-tunneled traffic should go.
-     *
-     * If not provided, the config will not respect `excludedIps`.
+     * The metadata to include in the wg-feed for this config.
      */
-    defaultInterface: $addArgumentDescription(z.string().optional(), `The name of the "default" interface where non-tunneled traffic should go.
+    feedMetadata: $addArgumentDescription(z.discriminatedUnion("enabled", [
+      z.object({
+        /**
+         * Whether this config is enabled for upload to wg-feed.
+         *
+         * You must fill the metadata fields.
+         */
+        enabled: z.literal("true").meta({ title: camelCaseToHumanReadable("enabled"), description: `Whether this config is enabled for upload to wg-feed.
 
- If not provided, the config will not respect \`excludedIps\`.`)
+ You must fill the metadata fields.` }),
+        ...pick(feedMetadataSchema.shape, ["id", "name"]),
+        // Highstate does not support nested objects in UI
+        ...feedDisplayInfoSchema.shape
+      }),
+      z.object({
+        /**
+         * Whether this config is enabled for upload to wg-feed.
+         */
+        enabled: z.literal("false").meta({ title: camelCaseToHumanReadable("enabled"), description: `Whether this config is enabled for upload to wg-feed.` })
+      })
+    ]).prefault({ enabled: "false" }), `The metadata to include in the wg-feed for this config.`)
   },
   inputs: {
     identity: identityEntity,
@@ -5001,6 +5667,9 @@ var config = defineUnit({
       required: false
     }
   },
+  outputs: {
+    config: configEntity
+  },
   meta: {
     description: `Just the WireGuard configuration for the identity and peers.`,
     title: "WireGuard Config",
@@ -5016,6 +5685,9 @@ var config = defineUnit({
 });
 var configBundle = defineUnit({
   type: "wireguard.config-bundle.v1",
+  args: {
+    ...sharedArgs3
+  },
   inputs: {
     identity: identityEntity,
     peers: {
@@ -5028,6 +5700,12 @@ var configBundle = defineUnit({
       required: false
     }
   },
+  outputs: {
+    configs: {
+      entity: configEntity,
+      multiple: true
+    }
+  },
   meta: {
     description: `The WireGuard configuration bundle for the identity and peers.`,
     title: "WireGuard Config Bundle",
@@ -5041,6 +5719,96 @@ var configBundle = defineUnit({
     path: "config-bundle"
   }
 });
+var feed = defineUnit({
+  type: "wireguard.feed.v1",
+  args: {
+    /**
+     * The TTL seconds to suggest to wg-feed clients.
+     *
+     * By default, is 900 seconds (15 minutes).
+     */
+    ttlSeconds: $addArgumentDescription(z.number().int().positive().default(900), `The TTL seconds to suggest to wg-feed clients.
+
+ By default, is 900 seconds (15 minutes).`),
+    /**
+     * The endpoints of the wg-feed servers to use for generating the subscription URLs.
+     *
+     * At least one endpoint must be provided either here or via `serverEndpoints` input.
+     *
+     * The resulting subscription URL will be inferred as: `https://{firstEndpoint}/{feedId}#{privateKey}`.
+     */
+    serverEndpoints: $addArgumentDescription(z.string().array().default([]), `The endpoints of the wg-feed servers to use for generating the subscription URLs.
+
+ At least one endpoint must be provided either here or via \`serverEndpoints\` input.
+
+ The resulting subscription URL will be inferred as: \`https://{firstEndpoint}/{feedId}#{privateKey}\`.`),
+    /**
+     * The AGE public key (x25519 recipient) to encrypt the configs with.
+     *
+     * Note: If you provide this, you must provide the corresponding private key to the clients.
+     * Resulting subscription URL will not contain the private key.
+     */
+    publicKey: $addArgumentDescription(z.string().optional(), `The AGE public key (x25519 recipient) to encrypt the configs with.
+
+ Note: If you provide this, you must provide the corresponding private key to the clients.
+ Resulting subscription URL will not contain the private key.`),
+    /**
+     * The display information of the feed.
+     */
+    displayInfo: $addArgumentDescription(feedDisplayInfoSchema, `The display information of the feed.`)
+  },
+  secrets: {
+    /**
+     * The cuidv2 of the feed.
+     * Will be used as path of the feed in etcd/subscription URL.
+     *
+     * In most cases, you don't want to provide this and let it be generated automatically.
+     *
+     * The `id` field of the feed document will be inferred from this value as `uuidv5(feedId, "2b5e358c-3510-48fb-b1cf-a8aee788925a")`.
+     */
+    feedId: $addArgumentDescription(z.string().optional(), `The cuidv2 of the feed.
+ Will be used as path of the feed in etcd/subscription URL.
+
+ In most cases, you don't want to provide this and let it be generated automatically.
+
+ The \`id\` field of the feed document will be inferred from this value as \`uuidv5(feedId, "2b5e358c-3510-48fb-b1cf-a8aee788925a")\`.`),
+    /**
+     * The AGE private key (x25519 identity) to embed in the subscription URL.
+     *
+     * If not provided and `publicKey` is not provided, a new key pair will be generated.
+     */
+    privateKey: $addArgumentDescription(z.string().optional(), `The AGE private key (x25519 identity) to embed in the subscription URL.
+
+ If not provided and \`publicKey\` is not provided, a new key pair will be generated.`)
+  },
+  inputs: {
+    etcd: etcdEntity,
+    serverEndpoints: {
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true
+    },
+    configs: {
+      entity: configEntity,
+      multiple: true
+    }
+  },
+  outputs: {
+    endpoint: l7EndpointEntity
+  },
+  source: {
+    package: "@highstate/wireguard",
+    path: "feed"
+  },
+  meta: {
+    description: `Uploads WireGuard configs to the etcd to be consumed by wg-feed clients.`,
+    title: "WireGuard Feed",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
+    secondaryIcon: "mdi:rss",
+    category: "VPN"
+  }
+});
 
 // src/third-party/mullvad.ts
 var peer2 = defineUnit({
@@ -5168,7 +5936,7 @@ var virtualMachine2 = defineUnit({
   },
   inputs: {
     connection: connectionEntity,
-    ...inputs2
+    ...inputs
   },
   secrets: vmSecrets,
   outputs: {
@@ -5280,7 +6048,7 @@ var connection4 = defineUnit({
  See [Creating an authorized key](https://yandex.cloud/en/docs/iam/operations/authentication/manage-authorized-keys#create-authorized-key) for details.`)
   },
   inputs: {
-    ...inputs2
+    ...inputs
   },
   outputs: {
     /**
@@ -5517,7 +6285,7 @@ var virtualMachine3 = defineUnit({
   inputs: {
     connection: connectionEntity2,
     image: imageEntity2,
-    ...inputs2
+    ...inputs
   },
   outputs: serverOutputs,
   meta: {
@@ -5534,6 +6302,6 @@ var virtualMachine3 = defineUnit({
   }
 });
 
-export { arrayPatchModeSchema, booleanPatchSchema, cloudflare_exports as cloudflare, common_exports as common, databases_exports as databases, distributions_exports as distributions, dns_exports as dns, git_exports as git, implementationReferenceSchema, k3s_exports as k3s, k8s_exports as k8s, mullvad_exports as mullvad, network_exports as network, nixos_exports as nixos, prefixKeysWith, proxmox_exports as proxmox, restic_exports as restic, sops_exports as sops, ssh_exports as ssh, talos_exports as talos, timeweb_exports as timeweb, wireguard_exports as wireguard, yandex_exports as yandex };
+export { booleanPatchSchema, cloudflare_exports as cloudflare, common_exports as common, databases_exports as databases, distributions_exports as distributions, dns_exports as dns, git_exports as git, implementationReferenceSchema, k3s_exports as k3s, k8s_exports as k8s, metadataKeySchema, metadataSchema, mullvad_exports as mullvad, network_exports as network, nixos_exports as nixos, prefixKeysWith, proxmox_exports as proxmox, restic_exports as restic, sops_exports as sops, ssh_exports as ssh, talos_exports as talos, timeweb_exports as timeweb, toPatchArgs, wireguard_exports as wireguard, yandex_exports as yandex };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map