@highstate/library 0.9.14 → 0.9.16

package/src/talos.ts

@@ -27,8 +27,6 @@ export const cluster = defineUnit({
      * The name of the cluster.
      *
      * By default, the name of the instance is used.
-     *
-     * @schema
      */
     clusterName: Type.Optional(Type.String()),
 
@@ -41,8 +39,6 @@ export const cluster = defineUnit({
      * - "none" (disable CNI, must be installed manually)
      *
      * The "cilium" CNI plugin is recommended to cover advanced network policies like FQDNs.
-     *
-     * @schema
      */
     cni: Type.Default(cniSchema, "cilium"),
 
@@ -52,32 +48,24 @@ export const cluster = defineUnit({
      * The following options are available:
      * - "local-path-provisioner" (default)
      * - "none" (disable CSI, must be installed manually if needed)
-     *
-     * @schema
      */
     csi: Type.Default(csiSchema, "local-path-provisioner"),
 
     /**
      * The shared configuration patch.
      * It will be applied to all nodes.
-     *
-     * @schema
      */
     sharedConfigPatch: Type.Optional(Type.Record(Type.String(), Type.Any())),
 
     /**
      * The master configuration patch.
      * It will be applied to all master nodes.
-     *
-     * @schema
      */
     masterConfigPatch: Type.Optional(Type.Record(Type.String(), Type.Any())),
 
     /**
      * The worker configuration patch.
      * It will be applied to all worker nodes.
-     *
-     * @schema
      */
     workerConfigPatch: Type.Optional(Type.Record(Type.String(), Type.Any())),
 

package/src/wireguard.ts

@@ -90,8 +90,6 @@ export const network = defineUnit({
      * 2. `amneziawg` - The censorship-resistant fork of WireGuard.
      *
      * By default, the `wireguard` backend is used.
-     *
-     * @schema
      */
     backend: Type.Default(backendSchema, "wireguard"),
 
@@ -99,8 +97,6 @@ export const network = defineUnit({
      * The option to enable IPv6 support in the network.
      *
      * By default, IPv6 support is disabled.
-     *
-     * @schema
      */
     ipv6: Type.Default(Type.Boolean(), false),
   },
@@ -128,8 +124,6 @@ const sharedPeerArgs = {
    * The name of the WireGuard peer.
    *
    * If not provided, the peer will be named after the unit.
-   *
-   * @schema
    */
   peerName: Type.Optional(Type.String()),
 
@@ -137,8 +131,6 @@ const sharedPeerArgs = {
    * The address of the WireGuard interface.
    *
    * The address may be any IPv4 or IPv6 address. CIDR notation is also supported.
-   *
-   * @schema
    */
   address: Type.Optional(Type.String()),
 
@@ -146,8 +138,6 @@ const sharedPeerArgs = {
    * The convenience option to set `allowedIps` to `0.0.0.0/0, ::/0`.
    *
    * Will be merged with the `allowedIps` if provided.
-   *
-   * @schema
    */
   exitNode: Type.Default(Type.Boolean(), false),
 
@@ -159,8 +149,6 @@ const sharedPeerArgs = {
    * - This list will not be used to generate the allowed IPs for the peer.
    * - Instead, the node will setup extra direct routes to these IPs via default gateway.
    * - This allows to use `0.0.0.0/0, ::/0` in the `allowedIps` (and corresponding fwmark magic) and still have some IPs excluded from the tunnel.
-   *
-   * @schema
    */
   excludedIps: Type.Default(Type.Array(Type.String()), []),
 
@@ -179,15 +167,11 @@ const sharedPeerArgs = {
    * - `fe80::/10`
    *
    * Will be merged with `excludedIps` if provided.
-   *
-   * @schema
    */
   excludePrivateIps: Type.Default(Type.Boolean(), false),
 
   /**
    * The endpoints of the WireGuard peer.
-   *
-   * @schema
    */
   endpoints: Type.Default(Type.Array(Type.String()), []),
 
@@ -195,8 +179,6 @@ const sharedPeerArgs = {
    * The allowed endpoints of the WireGuard peer.
    *
    * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-   *
-   * @schema
    */
   allowedEndpoints: Type.Default(Type.Array(Type.String()), []),
 
@@ -204,8 +186,6 @@ const sharedPeerArgs = {
    * The DNS servers that should be used by the interface connected to the WireGuard peer.
    *
    * If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).
-   *
-   * @schema
    */
   dns: Type.Default(Type.Array(Type.String()), []),
 
@@ -213,15 +193,11 @@ const sharedPeerArgs = {
    * The convenience option to include the DNS servers to the allowed IPs.
    *
    * By default, is `true`.
-   *
-   * @schema
    */
   includeDns: Type.Default(Type.Boolean(), true),
 
   /**
    * The port to listen on.
-   *
-   * @schema
    */
   listenPort: Type.Optional(Type.Number()),
 }
@@ -231,8 +207,6 @@ const sharedPeerInputs = {
    * The network to use for the WireGuard identity.
    *
    * If not provided, the identity will use default network configuration.
-   *
-   * @schema
    */
   network: {
     entity: networkEntity,
@@ -243,8 +217,6 @@ const sharedPeerInputs = {
    * The L3 endpoints of the identity.
    *
    * Will produce L4 endpoints for each of the provided L3 endpoints.
-   *
-   * @schema
    */
   l3Endpoints: {
     entity: l3EndpointEntity,
@@ -256,8 +228,6 @@ const sharedPeerInputs = {
    * The L4 endpoints of the identity.
    *
    * Will take priority over all calculated endpoints if provided.
-   *
-   * @schema
    */
   l4Endpoints: {
     entity: l4EndpointEntity,
@@ -272,8 +242,6 @@ const sharedPeerInputs = {
    *
    * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
    * the corresponding network policy will be created.
-   *
-   * @schema
    */
   allowedL3Endpoints: {
     entity: l3EndpointEntity,
@@ -286,8 +254,6 @@ const sharedPeerInputs = {
    *
    * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
    * the corresponding network policy will be created.
-   *
-   * @schema
    */
   allowedL4Endpoints: {
     entity: l4EndpointEntity,
@@ -316,8 +282,6 @@ export const peer = defineUnit({
 
     /**
      * The public key of the WireGuard peer.
-     *
-     * @schema
      */
     publicKey: Type.String(),
   },
@@ -325,8 +289,6 @@ export const peer = defineUnit({
   secrets: {
     /**
      * The pre-shared key which should be used for the peer.
-     *
-     * @schema
      */
     presharedKey: Type.Optional(Type.String()),
   },
@@ -354,8 +316,6 @@ export const peerPatch = defineUnit({
   args: {
     /**
      * The endpoints of the WireGuard peer.
-     *
-     * @schema
      */
     endpoints: Type.Default(Type.Array(Type.String()), []),
 
@@ -371,8 +331,6 @@ export const peerPatch = defineUnit({
      * The allowed endpoints of the WireGuard peer.
      *
      * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-     *
-     * @schema
      */
     allowedEndpoints: Type.Default(Type.Array(Type.String()), []),
 
@@ -427,8 +385,6 @@ export const identity = defineUnit({
      * The port to listen on.
      *
      * Used by the implementation of the identity and to calculate the endpoint of the peer.
-     *
-     * @schema
      */
     listenPort: Type.Optional(Type.Number()),
 
@@ -438,8 +394,6 @@ export const identity = defineUnit({
      * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
      *
      * Will take priority over all calculated endpoints and `l4Endpoint` input.
-     *
-     * @schema
      */
     endpoints: Type.Default(Type.Array(Type.String()), []),
   },
@@ -449,8 +403,6 @@ export const identity = defineUnit({
      * The private key of the WireGuard identity.
      *
      * If not provided, the key will be generated automatically.
-     *
-     * @schema
      */
     privateKey: Type.Optional(Type.String()),
 
@@ -458,8 +410,6 @@ export const identity = defineUnit({
      * The part of the pre-shared of the WireGuard identity.
      *
      * Will be generated automatically if not provided.
-     *
-     * @schema
      */
     presharedKeyPart: Type.Optional(Type.String()),
   },
@@ -493,15 +443,11 @@ export const node = defineUnit({
      * The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
      *
      * By default, the name is `wg-${identity.name}`.
-     *
-     * @schema
      */
     appName: Type.Optional(Type.String()),
 
     /**
      * Whether to expose the WireGuard node to the outside world.
-     *
-     * @schema
      */
     external: Type.Default(Type.Boolean(), false),
 
@@ -520,10 +466,18 @@ export const node = defineUnit({
      * The extra specification of the container which runs the WireGuard node.
      *
      * Will override any overlapping fields.
-     *
-     * @schema
      */
     containerSpec: Type.Optional(Type.Record(Type.String(), Type.Any())),
+
+    /**
+     * List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
+     *
+     * This prevents other peers from reaching these destination CIDRs while still allowing
+     * the peers in those CIDRs to access the internet and other allowed endpoints.
+     *
+     * Useful for peer isolation where you want to prevent cross-peer communication.
+     */
+    forwardRestrictedIps: Type.Default(Type.Array(Type.String()), []),
   },
 
   inputs: {
@@ -587,8 +541,6 @@ export const config = defineUnit({
      * The name of the "default" interface where non-tunneled traffic should go.
      *
      * If not provided, the config will not respect `excludedIps`.
-     *
-     * @schema
      */
     defaultInterface: Type.Optional(Type.String()),
   },