@highstate/library 0.9.15 → 0.9.18

package/src/wireguard.ts

@@ -1,35 +1,35 @@
-import { defineEntity, defineUnit, Type, type Static, type TObject } from "@highstate/contract"
+import { defineEntity, defineUnit, z } from "@highstate/contract"
 import { omit } from "remeda"
 import { clusterEntity, interfaceEntity, exposableWorkloadEntity } from "./k8s"
 import { l3EndpointEntity, l4EndpointEntity } from "./network"
 import { arrayPatchModeSchema } from "./utils"
 
-export const backendSchema = Type.StringEnum(["wireguard", "amneziawg"])
+export const backendSchema = z.enum(["wireguard", "amneziawg"])
 
-export type Backend = Static<typeof backendSchema>
+export type Backend = z.infer<typeof backendSchema>
 
 export const networkEntity = defineEntity({
   type: "wireguard.network",
 
-  schema: Type.Object({
+  schema: z.object({
     backend: backendSchema,
-    ipv6: Type.Boolean(),
+    ipv6: z.boolean(),
   }),
 })
 
-export const nodeExposePolicySchema = Type.StringEnum(["always", "when-has-endpoint", "never"])
+export const nodeExposePolicySchema = z.enum(["always", "when-has-endpoint", "never"])
 
 export const peerEntity = defineEntity({
   type: "wireguard.peer",
 
-  schema: Type.Object({
-    name: Type.String(),
-    network: Type.Optional(networkEntity.schema),
-    publicKey: Type.String(),
-    address: Type.Optional(Type.String()),
-    allowedIps: Type.Array(Type.String()),
-    endpoints: Type.Array(l4EndpointEntity.schema),
-    allowedEndpoints: Type.Array(Type.Union([l3EndpointEntity.schema, l4EndpointEntity.schema])),
+  schema: z.object({
+    name: z.string(),
+    network: networkEntity.schema.optional(),
+    publicKey: z.string(),
+    address: z.string().optional(),
+    allowedIps: z.string().array(),
+    endpoints: l4EndpointEntity.schema.array(),
+    allowedEndpoints: z.union([l3EndpointEntity.schema, l4EndpointEntity.schema]).array(),
 
     /**
      * The pre-shared key of the WireGuard peer.
@@ -38,18 +38,18 @@ export const peerEntity = defineEntity({
      *
      * Will be ignored if both peers have `presharedKeyPart` set.
      */
-    presharedKey: Type.Optional(Type.String()),
+    presharedKey: z.string().optional(),
 
     /**
      * The pre-shared key part of the WireGuard peer.
      *
      * If both peers have `presharedKeyPart` set, their `presharedKey` will be calculated as XOR of the two parts.
      */
-    presharedKeyPart: Type.Optional(Type.String()),
+    presharedKeyPart: z.string().optional(),
 
-    excludedIps: Type.Array(Type.String()),
-    dns: Type.Array(Type.String()),
-    listenPort: Type.Optional(Type.Number()),
+    excludedIps: z.string().array(),
+    dns: z.string().array(),
+    listenPort: z.number().optional(),
   }),
 
   meta: {
@@ -60,9 +60,9 @@ export const peerEntity = defineEntity({
 export const identityEntity = defineEntity({
   type: "wireguard.identity",
 
-  schema: Type.Object({
+  schema: z.object({
     peer: peerEntity.schema,
-    privateKey: Type.String(),
+    privateKey: z.string(),
   }),
 
   meta: {
@@ -70,10 +70,10 @@ export const identityEntity = defineEntity({
   },
 })
 
-export type Network = Static<typeof networkEntity.schema>
-export type Identity = Static<typeof identityEntity.schema>
-export type Peer = Static<typeof peerEntity.schema>
-export type NodeExposePolicy = Static<typeof nodeExposePolicySchema>
+export type Network = z.infer<typeof networkEntity.schema>
+export type Identity = z.infer<typeof identityEntity.schema>
+export type Peer = z.infer<typeof peerEntity.schema>
+export type NodeExposePolicy = z.infer<typeof nodeExposePolicySchema>
 
 /**
  * The network hols the shared configuration for the WireGuard identities, peers and nodes.
@@ -90,19 +90,15 @@ export const network = defineUnit({
      * 2. `amneziawg` - The censorship-resistant fork of WireGuard.
      *
      * By default, the `wireguard` backend is used.
-     *
-     * @schema
      */
-    backend: Type.Default(backendSchema, "wireguard"),
+    backend: backendSchema.default("wireguard"),
 
     /**
      * The option to enable IPv6 support in the network.
      *
      * By default, IPv6 support is disabled.
-     *
-     * @schema
      */
-    ipv6: Type.Default(Type.Boolean(), false),
+    ipv6: z.boolean().default(false),
   },
 
   outputs: {
@@ -111,8 +107,8 @@ export const network = defineUnit({
 
   meta: {
     description: "The WireGuard network with some shared configuration.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:local-area-network-connect",
     category: "VPN",
   },
@@ -128,28 +124,22 @@ const sharedPeerArgs = {
    * The name of the WireGuard peer.
    *
    * If not provided, the peer will be named after the unit.
-   *
-   * @schema
    */
-  peerName: Type.Optional(Type.String()),
+  peerName: z.string().optional(),
 
   /**
    * The address of the WireGuard interface.
    *
    * The address may be any IPv4 or IPv6 address. CIDR notation is also supported.
-   *
-   * @schema
    */
-  address: Type.Optional(Type.String()),
+  address: z.string().optional(),
 
   /**
    * The convenience option to set `allowedIps` to `0.0.0.0/0, ::/0`.
    *
    * Will be merged with the `allowedIps` if provided.
-   *
-   * @schema
    */
-  exitNode: Type.Default(Type.Boolean(), false),
+  exitNode: z.boolean().default(false),
 
   /**
    * The list of IP ranges to exclude from the tunnel.
@@ -159,10 +149,8 @@ const sharedPeerArgs = {
    * - This list will not be used to generate the allowed IPs for the peer.
    * - Instead, the node will setup extra direct routes to these IPs via default gateway.
    * - This allows to use `0.0.0.0/0, ::/0` in the `allowedIps` (and corresponding fwmark magic) and still have some IPs excluded from the tunnel.
-   *
-   * @schema
    */
-  excludedIps: Type.Default(Type.Array(Type.String()), []),
+  excludedIps: z.string().array().default([]),
 
   /**
    * The convenience option to exclude private IPs from the tunnel.
@@ -179,51 +167,39 @@ const sharedPeerArgs = {
    * - `fe80::/10`
    *
    * Will be merged with `excludedIps` if provided.
-   *
-   * @schema
    */
-  excludePrivateIps: Type.Default(Type.Boolean(), false),
+  excludePrivateIps: z.boolean().default(false),
 
   /**
    * The endpoints of the WireGuard peer.
-   *
-   * @schema
    */
-  endpoints: Type.Default(Type.Array(Type.String()), []),
+  endpoints: z.string().array().default([]),
 
   /**
    * The allowed endpoints of the WireGuard peer.
    *
    * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-   *
-   * @schema
    */
-  allowedEndpoints: Type.Default(Type.Array(Type.String()), []),
+  allowedEndpoints: z.string().array().default([]),
 
   /**
    * The DNS servers that should be used by the interface connected to the WireGuard peer.
    *
    * If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).
-   *
-   * @schema
    */
-  dns: Type.Default(Type.Array(Type.String()), []),
+  dns: z.string().array().default([]),
 
   /**
    * The convenience option to include the DNS servers to the allowed IPs.
    *
    * By default, is `true`.
-   *
-   * @schema
    */
-  includeDns: Type.Default(Type.Boolean(), true),
+  includeDns: z.boolean().default(true),
 
   /**
    * The port to listen on.
-   *
-   * @schema
    */
-  listenPort: Type.Optional(Type.Number()),
+  listenPort: z.number().optional(),
 }
 
 const sharedPeerInputs = {
@@ -231,8 +207,6 @@ const sharedPeerInputs = {
    * The network to use for the WireGuard identity.
    *
    * If not provided, the identity will use default network configuration.
-   *
-   * @schema
    */
   network: {
     entity: networkEntity,
@@ -243,8 +217,6 @@ const sharedPeerInputs = {
    * The L3 endpoints of the identity.
    *
    * Will produce L4 endpoints for each of the provided L3 endpoints.
-   *
-   * @schema
    */
   l3Endpoints: {
     entity: l3EndpointEntity,
@@ -256,8 +228,6 @@ const sharedPeerInputs = {
    * The L4 endpoints of the identity.
    *
    * Will take priority over all calculated endpoints if provided.
-   *
-   * @schema
    */
   l4Endpoints: {
     entity: l4EndpointEntity,
@@ -272,8 +242,6 @@ const sharedPeerInputs = {
    *
    * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
    * the corresponding network policy will be created.
-   *
-   * @schema
    */
   allowedL3Endpoints: {
     entity: l3EndpointEntity,
@@ -286,8 +254,6 @@ const sharedPeerInputs = {
    *
    * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
    * the corresponding network policy will be created.
-   *
-   * @schema
    */
   allowedL4Endpoints: {
     entity: l4EndpointEntity,
@@ -306,7 +272,18 @@ const sharedPeerOutputs = {
   },
 } as const
 
-export type SharedPeerArgs = Static<TObject<typeof sharedPeerArgs>>
+export type SharedPeerArgs = {
+  peerName?: string
+  address?: string
+  exitNode: boolean
+  excludedIps: string[]
+  excludePrivateIps: boolean
+  endpoints: string[]
+  allowedEndpoints: string[]
+  dns: string[]
+  includeDns: boolean
+  listenPort?: number
+}
 
 export const peer = defineUnit({
   type: "wireguard.peer",
@@ -316,19 +293,15 @@ export const peer = defineUnit({
 
     /**
      * The public key of the WireGuard peer.
-     *
-     * @schema
      */
-    publicKey: Type.String(),
+    publicKey: z.string(),
   },
 
   secrets: {
     /**
      * The pre-shared key which should be used for the peer.
-     *
-     * @schema
      */
-    presharedKey: Type.Optional(Type.String()),
+    presharedKey: z.string().optional(),
   },
 
   inputs: sharedPeerInputs,
@@ -336,8 +309,8 @@ export const peer = defineUnit({
 
   meta: {
     description: "The WireGuard peer with the public key.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:badge-account-horizontal",
     category: "VPN",
   },
@@ -354,10 +327,8 @@ export const peerPatch = defineUnit({
   args: {
     /**
      * The endpoints of the WireGuard peer.
-     *
-     * @schema
      */
-    endpoints: Type.Default(Type.Array(Type.String()), []),
+    endpoints: z.string().array().default([]),
 
     /**
      * The mode to use for patching the endpoints.
@@ -365,16 +336,14 @@ export const peerPatch = defineUnit({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    endpointsPatchMode: Type.Default(arrayPatchModeSchema, "prepend"),
+    endpointsPatchMode: arrayPatchModeSchema.default("prepend"),
 
     /**
      * The allowed endpoints of the WireGuard peer.
      *
      * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-     *
-     * @schema
      */
-    allowedEndpoints: Type.Default(Type.Array(Type.String()), []),
+    allowedEndpoints: z.string().array().default([]),
 
     /**
      * The mode to use for patching the allowed endpoints.
@@ -382,7 +351,7 @@ export const peerPatch = defineUnit({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    allowedEndpointsPatchMode: Type.Default(arrayPatchModeSchema, "prepend"),
+    allowedEndpointsPatchMode: arrayPatchModeSchema.default("prepend"),
 
     ...omit(sharedPeerArgs, ["endpoints", "allowedEndpoints"]),
   },
@@ -403,10 +372,10 @@ export const peerPatch = defineUnit({
   },
 
   meta: {
-    displayName: "WireGuard Peer Patch",
+    title: "WireGuard Peer Patch",
     description: "Patches some properties of the WireGuard peer.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:badge-account-horizontal",
     category: "VPN",
   },
@@ -427,10 +396,8 @@ export const identity = defineUnit({
      * The port to listen on.
      *
      * Used by the implementation of the identity and to calculate the endpoint of the peer.
-     *
-     * @schema
      */
-    listenPort: Type.Optional(Type.Number()),
+    listenPort: z.number().optional(),
 
     /**
      * The endpoint of the WireGuard peer.
@@ -438,10 +405,8 @@ export const identity = defineUnit({
      * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
      *
      * Will take priority over all calculated endpoints and `l4Endpoint` input.
-     *
-     * @schema
      */
-    endpoints: Type.Default(Type.Array(Type.String()), []),
+    endpoints: z.string().array().default([]),
   },
 
   secrets: {
@@ -449,19 +414,15 @@ export const identity = defineUnit({
      * The private key of the WireGuard identity.
      *
      * If not provided, the key will be generated automatically.
-     *
-     * @schema
      */
-    privateKey: Type.Optional(Type.String()),
+    privateKey: z.string().optional(),
 
     /**
      * The part of the pre-shared of the WireGuard identity.
      *
      * Will be generated automatically if not provided.
-     *
-     * @schema
      */
-    presharedKeyPart: Type.Optional(Type.String()),
+    presharedKeyPart: z.string().optional(),
   },
 
   inputs: sharedPeerInputs,
@@ -473,8 +434,8 @@ export const identity = defineUnit({
 
   meta: {
     description: "The WireGuard identity with the public key.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:account",
     category: "VPN",
   },
@@ -493,17 +454,13 @@ export const node = defineUnit({
      * The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
      *
      * By default, the name is `wg-${identity.name}`.
-     *
-     * @schema
      */
-    appName: Type.Optional(Type.String()),
+    appName: z.string().optional(),
 
     /**
      * Whether to expose the WireGuard node to the outside world.
-     *
-     * @schema
      */
-    external: Type.Default(Type.Boolean(), false),
+    external: z.boolean().default(false),
 
     /**
      * The policy to use for exposing the WireGuard node.
@@ -514,16 +471,24 @@ export const node = defineUnit({
      *
      * * By default, the `when-has-endpoint` policy is used.
      */
-    exposePolicy: Type.Default(nodeExposePolicySchema, "when-has-endpoint"),
+    exposePolicy: nodeExposePolicySchema.default("when-has-endpoint"),
 
     /**
      * The extra specification of the container which runs the WireGuard node.
      *
      * Will override any overlapping fields.
+     */
+    containerSpec: z.record(z.string(), z.unknown()).optional(),
+
+    /**
+     * List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
      *
-     * @schema
+     * This prevents other peers from reaching these destination CIDRs while still allowing
+     * the peers in those CIDRs to access the internet and other allowed endpoints.
+     *
+     * Useful for peer isolation where you want to prevent cross-peer communication.
      */
-    containerSpec: Type.Optional(Type.Record(Type.String(), Type.Any())),
+    forwardRestrictedIps: z.string().array().default([]),
   },
 
   inputs: {
@@ -567,8 +532,8 @@ export const node = defineUnit({
 
   meta: {
     description: "The WireGuard node running on the Kubernetes.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:server",
     category: "VPN",
   },
@@ -587,10 +552,8 @@ export const config = defineUnit({
      * The name of the "default" interface where non-tunneled traffic should go.
      *
      * If not provided, the config will not respect `excludedIps`.
-     *
-     * @schema
      */
-    defaultInterface: Type.Optional(Type.String()),
+    defaultInterface: z.string().optional(),
   },
 
   inputs: {
@@ -603,10 +566,10 @@ export const config = defineUnit({
   },
 
   meta: {
-    displayName: "WireGuard Config",
+    title: "WireGuard Config",
     description: "Just the WireGuard configuration for the identity and peers.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:settings",
     category: "VPN",
   },
@@ -634,10 +597,10 @@ export const configBundle = defineUnit({
   },
 
   meta: {
-    displayName: "WireGuard Config Bundle",
+    title: "WireGuard Config Bundle",
     description: "The WireGuard configuration bundle for the identity and peers.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:folder-settings-variant",
     category: "VPN",
   },