@highstate/library 0.9.4 → 0.9.5

package/dist/index.js

@@ -11,12 +11,13 @@ __export(common_exports, {
   fileContentEntity: () => fileContentEntity,
   fileEntity: () => fileEntity,
   fileMetaEntity: () => fileMetaEntity,
-  l3EndpointEntity: () => l3EndpointEntity,
-  l4EndpointEntity: () => l4EndpointEntity,
   script: () => script,
-  serverEntity: () => serverEntity
+  serverDns: () => serverDns,
+  serverEntity: () => serverEntity,
+  serverOutputs: () => serverOutputs,
+  serverPatch: () => serverPatch
 });
-import { defineEntity as defineEntity2, defineUnit as defineUnit2, Type as Type2 } from "@highstate/contract";
+import { defineEntity as defineEntity4, defineUnit as defineUnit3, Type as Type5 } from "@highstate/contract";
 
 // src/ssh.ts
 var ssh_exports = {};
@@ -26,34 +27,171 @@ __export(ssh_exports, {
   keyPairEntity: () => keyPairEntity,
   keyTypeSchema: () => keyTypeSchema
 });
+import { defineEntity as defineEntity2, defineUnit as defineUnit2, Type as Type2 } from "@highstate/contract";
+
+// src/network.ts
+var network_exports = {};
+__export(network_exports, {
+  endpointFilterSchema: () => endpointFilterSchema,
+  endpointVisibilitySchema: () => endpointVisibilitySchema,
+  l3Endpoint: () => l3Endpoint,
+  l3EndpointEntity: () => l3EndpointEntity,
+  l4Endpoint: () => l4Endpoint,
+  l4EndpointEntity: () => l4EndpointEntity,
+  l4ProtocolSchema: () => l4ProtocolSchema,
+  portInfoSchema: () => portInfoSchema
+});
 import { defineEntity, defineUnit, Type } from "@highstate/contract";
-var keyTypeSchema = Type.Union([
-  //
-  Type.Literal("rsa"),
-  Type.Literal("ed25519")
+var endpointVisibilitySchema = Type.StringEnum([
+  "public",
+  // Reachable from the public internet
+  "external",
+  // Reachable from outside the system boundary, but not public
+  "internal"
+  // Reachable only from within the system or cluster
 ]);
-var keyPairEntity = defineEntity({
+var endpointFilterSchema = Type.Array(endpointVisibilitySchema);
+var l3EndpointEntity = defineEntity({
+  type: "network.l3-endpoint",
+  schema: Type.Intersect([
+    Type.Object({
+      visibility: endpointVisibilitySchema,
+      metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
+    }),
+    Type.Union([
+      Type.Object({
+        type: Type.Literal("hostname"),
+        /**
+         * The hostname of the endpoint in the format of a domain name.
+         */
+        hostname: Type.String()
+      }),
+      Type.Object({
+        type: Type.Literal("ipv4"),
+        /**
+         * The IPv4 address of the endpoint.
+         */
+        address: Type.String()
+      }),
+      Type.Object({
+        type: Type.Literal("ipv6"),
+        /**
+         * The IPv6 address of the endpoint.
+         */
+        address: Type.String()
+      })
+    ])
+  ]),
+  meta: {
+    color: "#4CAF50",
+    description: "The L3 endpoint for some service. May be a domain name or an IP address."
+  }
+});
+var l4ProtocolSchema = Type.StringEnum(["tcp", "udp"]);
+var portInfoSchema = Type.Object({
+  port: Type.Number(),
+  protocol: l4ProtocolSchema
+});
+var l4EndpointEntity = defineEntity({
+  type: "network.l4-endpoint",
+  schema: Type.Intersect([l3EndpointEntity.schema, portInfoSchema]),
+  meta: {
+    color: "#2196F3",
+    description: "The L4 endpoint for some service. Extends an L3 endpoint with a port."
+  }
+});
+var l3Endpoint = defineUnit({
+  type: "network.l3-endpoint",
+  args: {
+    /**
+     * The string representation of the endpoint.
+     *
+     * May be a domain name or an IP address.
+     */
+    endpoint: Type.String(),
+    /**
+     * The visibility of the endpoint.
+     */
+    visibility: Type.Default(endpointVisibilitySchema, "public")
+  },
+  outputs: {
+    endpoint: l3EndpointEntity
+  },
+  meta: {
+    displayName: "L3 Endpoint",
+    description: "An L3 endpoint for some service. May be a domain name or an IP address.",
+    primaryIcon: "mdi:network-outline",
+    primaryIconColor: "#4CAF50",
+    defaultNamePrefix: "endpoint",
+    category: "Network"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/network/l3-endpoint"
+  }
+});
+var l4Endpoint = defineUnit({
+  type: "network.l4-endpoint",
+  args: {
+    /**
+     * The string representation of the endpoint.
+     *
+     * May be a domain name or an IP address + port/protocol.
+     *
+     * The possible formats are:
+     *
+     * - `endpoint:port` (TCP by default)
+     * - `tcp://endpoint:port`
+     * - `udp://endpoint:port`
+     */
+    endpoint: Type.String(),
+    /**
+     * The visibility of the endpoint.
+     */
+    visibility: Type.Default(endpointVisibilitySchema, "public")
+  },
+  outputs: {
+    endpoint: l4EndpointEntity
+  },
+  meta: {
+    displayName: "L4 Endpoint",
+    description: "An L4 endpoint for some service. Extends an L3 endpoint with a port.",
+    primaryIcon: "mdi:network-outline",
+    primaryIconColor: "#2196F3",
+    defaultNamePrefix: "endpoint",
+    category: "Network"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/network/l4-endpoint"
+  }
+});
+
+// src/ssh.ts
+var keyTypeSchema = Type2.StringEnum(["ed25519"]);
+var keyPairEntity = defineEntity2({
   type: "ssh.key-pair",
-  schema: Type.Object({
+  schema: Type2.Object({
     type: keyTypeSchema,
-    privateKey: Type.String(),
-    publicKey: Type.String()
+    fingerprint: Type2.String(),
+    publicKey: Type2.String(),
+    privateKey: Type2.String()
   }),
   meta: {
     color: "#2b5797"
   }
 });
-var credentialsSchema = Type.Object({
-  endpoint: Type.Optional(Type.String()),
-  user: Type.Optional(Type.String()),
-  port: Type.Optional(Type.Number()),
-  password: Type.Optional(Type.String()),
-  privateKey: Type.Optional(Type.String())
+var credentialsSchema = Type2.Object({
+  endpoints: Type2.Array(l4EndpointEntity.schema),
+  hostKey: Type2.String(),
+  user: Type2.String(),
+  password: Type2.Optional(Type2.String()),
+  keyPair: Type2.Optional(keyPairEntity.schema)
 });
-var keyPair = defineUnit({
+var keyPair = defineUnit2({
   type: "ssh.key-pair",
   secrets: {
-    privateKey: Type.Optional(Type.String())
+    privateKey: Type2.Optional(Type2.String())
   },
   outputs: {
     keyPair: keyPairEntity
@@ -69,80 +207,291 @@ var keyPair = defineUnit({
   },
   source: {
     package: "@highstate/common",
-    path: "ssh/key-pair"
+    path: "units/ssh/key-pair"
   }
 });
 
-// src/common.ts
-var serverEntity = defineEntity2({
-  type: "common.server",
-  schema: Type2.Object({
-    endpoint: Type2.String(),
-    hostname: Type2.String(),
-    sshCredentials: Type2.Optional(credentialsSchema)
+// src/dns.ts
+var dns_exports = {};
+__export(dns_exports, {
+  createArgs: () => createArgs,
+  inputs: () => inputs,
+  providerEntity: () => providerEntity
+});
+import { defineEntity as defineEntity3, Type as Type4 } from "@highstate/contract";
+
+// src/utils.ts
+import { Type as Type3 } from "@highstate/contract";
+function prefixWith(string, prefix) {
+  return prefix ? `${prefix}${string.charAt(0).toUpperCase()}${string.slice(1)}` : string;
+}
+function prefixKeysWith(prefix, obj) {
+  return Object.fromEntries(
+    Object.entries(obj).map(([key, value]) => [prefixWith(key, prefix), value])
+  );
+}
+var arrayPatchModeSchema = Type3.StringEnum(["prepend", "replace"]);
+
+// src/dns.ts
+var providerEntity = defineEntity3({
+  type: "dns.provider",
+  schema: Type4.Object({
+    name: Type4.String(),
+    type: Type4.String(),
+    data: Type4.Record(Type4.String(), Type4.Unknown()),
+    domain: Type4.String()
   }),
   meta: {
-    color: "#009688"
+    color: "#FF5722"
   }
 });
-var l3EndpointEntity = defineEntity2({
-  type: "common.l3-endpoint",
-  schema: Type2.Object({
-    endpoint: Type2.String()
-  }),
-  meta: {
-    color: "#1B5E20",
-    description: "The L3 endpoint for some service. May be a domain name or an IP address."
+function createArgs(prefix) {
+  return prefixKeysWith(prefix, {
+    /**
+     * The FQDN to register the existing endpoints with.
+     *
+     * Will be inserted at the beginning of the resulting endpoint list.
+     *
+     * Will throw an error if no matching provider is found.
+     *
+     * @schema
+     */
+    fqdn: {
+      ...Type4.Optional(Type4.String()),
+      description: `The FQDN to register the existing endpoints with.
+
+ Will be inserted at the beginning of the resulting endpoint list.
+
+ Will throw an error if no matching provider is found.`
+    },
+    /**
+     * The endpoint filter to filter the endpoints before creating the DNS records.
+     *
+     * Possible values:
+     *
+     * - `public`: Only endpoints exposed to the public internet.
+     * - `external`: Reachable from outside the system but not public (e.g., LAN, VPC).
+     * - `internal`: Reachable only from within the system boundary (e.g., inside a cluster).
+     *
+     * You can select one or more values.
+     *
+     * If no value is provided, the endpoints will be filtered by the most accessible type:
+     *
+     * - If any public endpoints exist, all public endpoints are selected;
+     * - Otherwise, if any external endpoints exist, all external endpoints are selected;
+     * - If neither exist, all internal endpoints are selected.
+     *
+     * @schema
+     */
+    endpointFilter: {
+      ...Type4.Default(endpointFilterSchema, []),
+      description: `The endpoint filter to filter the endpoints before creating the DNS records.
+
+ Possible values:
+
+ - \`public\`: Only endpoints exposed to the public internet.
+ - \`external\`: Reachable from outside the system but not public (e.g., LAN, VPC).
+ - \`internal\`: Reachable only from within the system boundary (e.g., inside a cluster).
+
+ You can select one or more values.
+
+ If no value is provided, the endpoints will be filtered by the most accessible type:
+
+ - If any public endpoints exist, all public endpoints are selected;
+ - Otherwise, if any external endpoints exist, all external endpoints are selected;
+ - If neither exist, all internal endpoints are selected.`
+    },
+    /**
+     * The mode to use for patching the existing endpoints.
+     *
+     * - `prepend`: Prepend the FQDN to the existing endpoints. It will make them prioritized.
+     * - `replace`: Replace the existing endpoints with the FQDN. It will ensure that the only the FQDN is used.
+     *
+     * The default is `prepend`.
+     *
+     * @schema
+     */
+    patchMode: {
+      ...Type4.Default(arrayPatchModeSchema, "prepend"),
+      description: `The mode to use for patching the existing endpoints.
+
+ - \`prepend\`: Prepend the FQDN to the existing endpoints. It will make them prioritized.
+ - \`replace\`: Replace the existing endpoints with the FQDN. It will ensure that the only the FQDN is used.
+
+ The default is \`prepend\`.`
+    }
+  });
+}
+var inputs = {
+  /**
+   * The DNS providers to use to create the DNS records.
+   *
+   * If multiple providers match the domain, all of them will be used and multiple DNS records will be created.
+   *
+   * @schema
+   */
+  dnsProviders: {
+    ...{
+      entity: providerEntity,
+      multiple: true
+    },
+    description: `The DNS providers to use to create the DNS records.
+
+ If multiple providers match the domain, all of them will be used and multiple DNS records will be created.`
   }
-});
-var l4EndpointEntity = defineEntity2({
-  type: "common.l4-endpoint",
-  schema: Type2.Object({
-    endpoint: Type2.String(),
-    port: Type2.Number()
+};
+
+// src/common.ts
+var serverEntity = defineEntity4({
+  type: "common.server",
+  schema: Type5.Object({
+    hostname: Type5.String(),
+    endpoints: Type5.Array(l3EndpointEntity.schema),
+    ssh: Type5.Optional(credentialsSchema)
   }),
   meta: {
-    color: "#F57F17",
-    description: "The L4 endpoint for some service. Extends an L3 endpoint with a port."
+    color: "#009688"
   }
 });
-var existingServer = defineUnit2({
+var serverOutputs = {
+  server: serverEntity,
+  endpoints: {
+    entity: l3EndpointEntity,
+    multiple: true
+  }
+};
+var existingServer = defineUnit3({
   type: "common.existing-server",
   args: {
-    endpoint: Type2.String(),
-    sshUser: Type2.Optional(Type2.String({ default: "root" })),
-    sshPort: Type2.Optional(Type2.Number({ default: 22 }))
+    /**
+     * The endpoint of the server.
+     *
+     * Takes precedence over the `endpoint` input.
+     */
+    endpoint: Type5.Optional(Type5.String()),
+    /**
+     * The SSH user to use for connecting to the server.
+     */
+    sshUser: Type5.Default(Type5.String(), "root"),
+    /**
+     * The SSH port to use for connecting to the server.
+     */
+    sshPort: Type5.Default(Type5.Number(), 22)
   },
   secrets: {
-    sshPassword: Type2.Optional(Type2.String()),
-    sshPrivateKey: Type2.Optional(Type2.String())
+    sshPassword: Type5.Optional(Type5.String()),
+    sshPrivateKey: Type5.Optional(Type5.String())
   },
   inputs: {
     sshKeyPair: {
       entity: keyPairEntity,
       required: false
+    },
+    endpoint: {
+      entity: l3EndpointEntity,
+      required: false
     }
   },
-  outputs: {
-    server: serverEntity
-  },
+  outputs: serverOutputs,
   meta: {
     displayName: "Existing Server",
     description: "An existing server that can be used in the configuration.",
     primaryIcon: "mdi:server",
-    defaultNamePrefix: "server"
+    defaultNamePrefix: "server",
+    category: "Infrastructure"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/existing-server"
+  }
+});
+var serverPatch = defineUnit3({
+  type: "common.server-patch",
+  args: {
+    /**
+     * The endpoints of the server.
+     *
+     * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+     *
+     * The same server may also be represented by multiple entries (e.g. a node with private and public IP).
+     *
+     * @schema
+     */
+    endpoints: {
+      ...Type5.Default(Type5.Array(Type5.String()), []),
+      description: `The endpoints of the server.
+
+ The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+
+ The same server may also be represented by multiple entries (e.g. a node with private and public IP).`
+    },
+    /**
+     * The mode to use for patching the endpoints.
+     *
+     * - `prepend`: prepend the new endpoints to the existing ones (default);
+     * - `replace`: replace the existing endpoints with the new ones.
+     */
+    endpointsPatchMode: Type5.Default(arrayPatchModeSchema, "prepend")
+  },
+  inputs: {
+    server: serverEntity,
+    endpoints: {
+      entity: l3EndpointEntity,
+      required: false,
+      multiple: true
+    }
+  },
+  outputs: {
+    server: serverEntity,
+    endpoints: {
+      entity: l3EndpointEntity,
+      multiple: true
+    }
+  },
+  meta: {
+    displayName: "Server Patch",
+    description: "Patches some properties of the server.",
+    primaryIcon: "mdi:server",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Infrastructure"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/server-patch"
+  }
+});
+var serverDns = defineUnit3({
+  type: "common.server-dns",
+  args: createArgs(),
+  inputs: {
+    server: serverEntity,
+    ...inputs
+  },
+  outputs: {
+    server: serverEntity,
+    endpoints: {
+      entity: l3EndpointEntity,
+      multiple: true
+    }
+  },
+  meta: {
+    displayName: "Server DNS",
+    description: "Creates DNS records for the server and updates endpoints.",
+    primaryIcon: "mdi:server",
+    secondaryIcon: "mdi:dns",
+    category: "Infrastructure"
   },
   source: {
     package: "@highstate/common",
-    path: "existing-server"
+    path: "units/server-dns"
   }
 });
-var script = defineUnit2({
+var script = defineUnit3({
   type: "common.script",
   args: {
-    script: Type2.String({ language: "shell" }),
-    updateScript: Type2.Optional(Type2.String({ language: "shell" })),
-    deleteScript: Type2.Optional(Type2.String({ language: "shell" }))
+    script: Type5.String({ language: "shell" }),
+    updateScript: Type5.Optional(Type5.String({ language: "shell" })),
+    deleteScript: Type5.Optional(Type5.String({ language: "shell" }))
   },
   inputs: {
     server: serverEntity
@@ -153,36 +502,37 @@ var script = defineUnit2({
   meta: {
     displayName: "Shell Script",
     description: "Run a shell script on the server.",
-    primaryIcon: "mdi:bash"
+    primaryIcon: "mdi:bash",
+    category: "Infrastructure"
   },
   source: {
     package: "@highstate/common",
-    path: "script"
+    path: "units/script"
   }
 });
-var fileMetaEntity = defineEntity2({
+var fileMetaEntity = defineEntity4({
   type: "common.file-meta",
-  schema: Type2.Object({
-    name: Type2.String(),
-    size: Type2.Number(),
-    isBinary: Type2.Optional(Type2.Boolean()),
-    isExecutable: Type2.Optional(Type2.Boolean())
+  schema: Type5.Object({
+    name: Type5.String(),
+    size: Type5.Number(),
+    mode: Type5.Number(),
+    isBinary: Type5.Optional(Type5.Boolean())
   }),
   meta: {
     color: "#FF5722",
     description: "Metadata for a file."
   }
 });
-var fileContentEntity = defineEntity2({
+var fileContentEntity = defineEntity4({
   type: "common.file-content",
-  schema: Type2.Union([
-    Type2.Object({
-      type: Type2.Literal("inline"),
-      content: Type2.String()
+  schema: Type5.Union([
+    Type5.Object({
+      type: Type5.Literal("inline"),
+      content: Type5.String()
     }),
-    Type2.Object({
-      type: Type2.Literal("remote"),
-      url: Type2.String()
+    Type5.Object({
+      type: Type5.Literal("remote"),
+      url: Type5.String()
     })
   ]),
   meta: {
@@ -190,9 +540,9 @@ var fileContentEntity = defineEntity2({
     description: "The content of a file."
   }
 });
-var fileEntity = defineEntity2({
+var fileEntity = defineEntity4({
   type: "common.file",
-  schema: Type2.Object({
+  schema: Type5.Object({
     meta: fileMetaEntity.schema,
     content: fileContentEntity.schema
   }),
@@ -211,43 +561,43 @@ __export(proxmox_exports, {
   imageEntity: () => imageEntity,
   virtualMachine: () => virtualMachine
 });
-import { defineEntity as defineEntity3, defineUnit as defineUnit3, Type as Type3 } from "@highstate/contract";
-var clusterEntity = defineEntity3({
+import { defineEntity as defineEntity5, defineUnit as defineUnit4, Type as Type6 } from "@highstate/contract";
+var clusterEntity = defineEntity5({
   type: "proxmox.cluster",
-  schema: Type3.Object({
-    endpoint: Type3.String(),
-    insecure: Type3.Optional(Type3.Boolean()),
-    username: Type3.Optional(Type3.String()),
-    defaultNodeName: Type3.String(),
-    defaultDatastoreId: Type3.String(),
-    password: Type3.Optional(Type3.String()),
-    apiToken: Type3.Optional(Type3.String())
+  schema: Type6.Object({
+    endpoint: Type6.String(),
+    insecure: Type6.Optional(Type6.Boolean()),
+    username: Type6.Optional(Type6.String()),
+    defaultNodeName: Type6.String(),
+    defaultDatastoreId: Type6.String(),
+    password: Type6.Optional(Type6.String()),
+    apiToken: Type6.Optional(Type6.String())
   }),
   meta: {
     color: "#e56901"
   }
 });
-var imageEntity = defineEntity3({
+var imageEntity = defineEntity5({
   type: "proxmox.image",
-  schema: Type3.Object({
-    id: Type3.String()
+  schema: Type6.Object({
+    id: Type6.String()
   }),
   meta: {
     color: "#e56901"
   }
 });
-var connection = defineUnit3({
+var connection = defineUnit4({
   type: "proxmox.connection",
   args: {
-    endpoint: Type3.String(),
-    insecure: Type3.Optional(Type3.Boolean()),
-    username: Type3.Optional(Type3.String()),
-    defaultNodeName: Type3.Optional(Type3.String()),
-    defaultDatastoreId: Type3.Optional(Type3.String())
+    endpoint: Type6.String(),
+    insecure: Type6.Optional(Type6.Boolean()),
+    username: Type6.Optional(Type6.String()),
+    defaultNodeName: Type6.Optional(Type6.String()),
+    defaultDatastoreId: Type6.Optional(Type6.String())
   },
   secrets: {
-    password: Type3.Optional(Type3.String()),
-    apiToken: Type3.Optional(Type3.String())
+    password: Type6.Optional(Type6.String()),
+    apiToken: Type6.Optional(Type6.String())
   },
   outputs: {
     proxmoxCluster: clusterEntity
@@ -257,21 +607,20 @@ var connection = defineUnit3({
     description: "The connection to an existing Proxmox cluster.",
     category: "Proxmox",
     primaryIcon: "simple-icons:proxmox",
-    primaryIconColor: "#e56901",
-    secondaryIcon: "codicon:vm"
+    primaryIconColor: "#e56901"
   },
   source: {
     package: "@highstate/proxmox",
     path: "connection"
   }
 });
-var image = defineUnit3({
+var image = defineUnit4({
   type: "proxmox.image",
   args: {
-    url: Type3.String(),
-    nodeName: Type3.Optional(Type3.String()),
-    sha256: Type3.Optional(Type3.String()),
-    datastoreId: Type3.Optional(Type3.String())
+    url: Type6.String(),
+    nodeName: Type6.Optional(Type6.String()),
+    sha256: Type6.Optional(Type6.String()),
+    datastoreId: Type6.Optional(Type6.String())
   },
   inputs: {
     proxmoxCluster: clusterEntity
@@ -292,10 +641,13 @@ var image = defineUnit3({
     path: "image"
   }
 });
-var existingImage = defineUnit3({
+var existingImage = defineUnit4({
   type: "proxmox.existing-image",
   args: {
-    id: Type3.String()
+    id: Type6.String()
+  },
+  inputs: {
+    proxmoxCluster: clusterEntity
   },
   outputs: {
     image: imageEntity
@@ -313,23 +665,26 @@ var existingImage = defineUnit3({
     path: "existing-image"
   }
 });
-var virtualMachine = defineUnit3({
+var virtualMachine = defineUnit4({
   type: "proxmox.virtual-machine",
   args: {
-    nodeName: Type3.Optional(Type3.String()),
-    cpuType: Type3.Optional(Type3.String({ default: "host" })),
-    cores: Type3.Optional(Type3.Number({ default: 1 })),
-    sockets: Type3.Optional(Type3.Number({ default: 1 })),
-    memory: Type3.Optional(Type3.Number({ default: 512 })),
-    ipv4: Type3.Optional(Type3.String()),
-    ipv4Gateway: Type3.Optional(Type3.String()),
-    dns: Type3.Optional(Type3.Array(Type3.String())),
-    datastoreId: Type3.Optional(Type3.String()),
-    diskSize: Type3.Optional(Type3.Number({ default: 8 })),
-    bridge: Type3.Optional(Type3.String({ default: "vmbr0" })),
-    sshPort: Type3.Optional(Type3.Number({ default: 22 })),
-    sshUser: Type3.Optional(Type3.String({ default: "root" })),
-    waitForAgent: Type3.Optional(Type3.Boolean({ default: true }))
+    nodeName: Type6.Optional(Type6.String()),
+    cpuType: Type6.Optional(Type6.String({ default: "host" })),
+    cores: Type6.Optional(Type6.Number({ default: 1 })),
+    sockets: Type6.Optional(Type6.Number({ default: 1 })),
+    memory: Type6.Optional(Type6.Number({ default: 512 })),
+    ipv4: Type6.Optional(Type6.String()),
+    ipv4Gateway: Type6.Optional(Type6.String()),
+    dns: Type6.Optional(Type6.Array(Type6.String())),
+    datastoreId: Type6.Optional(Type6.String()),
+    diskSize: Type6.Optional(Type6.Number({ default: 8 })),
+    bridge: Type6.Optional(Type6.String({ default: "vmbr0" })),
+    sshPort: Type6.Optional(Type6.Number({ default: 22 })),
+    sshUser: Type6.Optional(Type6.String({ default: "root" })),
+    waitForAgent: Type6.Optional(Type6.Boolean({ default: true }))
+  },
+  secrets: {
+    sshPassword: Type6.Optional(Type6.String())
   },
   inputs: {
     proxmoxCluster: clusterEntity,
@@ -339,12 +694,7 @@ var virtualMachine = defineUnit3({
       required: false
     }
   },
-  secrets: {
-    sshPassword: Type3.Optional(Type3.String())
-  },
-  outputs: {
-    server: serverEntity
-  },
+  outputs: serverOutputs,
   meta: {
     displayName: "Proxmox Virtual Machine",
     description: "The virtual machine on a Proxmox cluster.",
@@ -365,224 +715,298 @@ __export(k8s_exports, {
   accessPoint: () => accessPoint,
   accessPointEntity: () => accessPointEntity,
   certManager: () => certManager,
+  clusterDns: () => clusterDns,
   clusterEntity: () => clusterEntity2,
-  clusterInfoSchema: () => clusterInfoSchema,
-  containerSchema: () => containerSchema,
+  clusterInfoProperties: () => clusterInfoProperties,
+  clusterInputs: () => clusterInputs,
+  clusterOutputs: () => clusterOutputs,
+  clusterPatch: () => clusterPatch,
+  clusterQuirksSchema: () => clusterQuirksSchema,
+  cniSchema: () => cniSchema,
   deploymentEntity: () => deploymentEntity,
-  deploymentSpecSchema: () => deploymentSpecSchema,
   dns01TlsIssuer: () => dns01TlsIssuer,
   existingCluster: () => existingCluster,
+  exposableWorkloadEntity: () => exposableWorkloadEntity,
+  externalServiceTypeSchema: () => externalServiceTypeSchema,
+  fallbackKubeApiAccessSchema: () => fallbackKubeApiAccessSchema,
   gatewayApi: () => gatewayApi,
   gatewayEntity: () => gatewayEntity,
   interfaceEntity: () => interfaceEntity,
   internalIpsPolicySchema: () => internalIpsPolicySchema,
-  labelSelectorSchema: () => labelSelectorSchema,
   metadataSchema: () => metadataSchema,
   persistentVolumeClaimEntity: () => persistentVolumeClaimEntity,
+  resourceSchema: () => resourceSchema,
+  scheduleOnMastersPolicyArgs: () => scheduleOnMastersPolicyArgs,
+  scheduleOnMastersPolicySchema: () => scheduleOnMastersPolicySchema,
   serviceEntity: () => serviceEntity,
-  servicePortSchema: () => servicePortSchema,
-  serviceSpecSchema: () => serviceSpecSchema,
   serviceTypeSchema: () => serviceTypeSchema,
-  sharedClusterArgs: () => sharedClusterArgs,
   statefulSetEntity: () => statefulSetEntity,
   tlsIssuerEntity: () => tlsIssuerEntity,
   tunDevicePolicySchema: () => tunDevicePolicySchema
 });
-import { defineEntity as defineEntity5, defineUnit as defineUnit5, Type as Type5 } from "@highstate/contract";
+import { defineEntity as defineEntity6, defineUnit as defineUnit5, Type as Type7 } from "@highstate/contract";
 import { Literal } from "@sinclair/typebox";
-
-// src/dns.ts
-var dns_exports = {};
-__export(dns_exports, {
-  providerEntity: () => providerEntity,
-  record: () => record
+var fallbackKubeApiAccessSchema = Type7.Object({
+  serverIp: Type7.String(),
+  serverPort: Type7.Number()
 });
-import { defineEntity as defineEntity4, defineUnit as defineUnit4, Type as Type4 } from "@highstate/contract";
-var providerEntity = defineEntity4({
-  type: "dns.provider",
-  schema: Type4.Object({
-    name: Type4.String(),
-    type: Type4.String(),
-    data: Type4.Record(Type4.String(), Type4.Unknown()),
-    domain: Type4.String()
-  }),
-  meta: {
-    color: "#FF5722"
-  }
-});
-var record = defineUnit4({
-  type: "common.dns-record",
-  args: {
-    name: Type4.String(),
-    type: Type4.String(),
-    value: Type4.String(),
-    ttl: Type4.Optional(Type4.Number())
-  },
-  inputs: {
-    dnsProvider: providerEntity
-  },
-  meta: {
-    displayName: "DNS Record",
-    description: "A DNS record to create.",
-    primaryIcon: "mdi:server",
-    defaultNamePrefix: "record"
-  },
-  source: {
-    package: "@highstate/common",
-    path: "dns/record"
-  }
-});
-
-// src/k8s.ts
-var tunDevicePolicySchema = Type5.Union([
-  Type5.Object({
+var tunDevicePolicySchema = Type7.Union([
+  Type7.Object({
     type: Literal("host")
   }),
-  Type5.Object({
+  Type7.Object({
     type: Literal("plugin"),
-    resourceName: Type5.String(),
-    resourceValue: Type5.String()
+    resourceName: Type7.String(),
+    resourceValue: Type7.String()
   })
 ]);
-var clusterInfoSchema = Type5.Object({
-  id: Type5.String(),
-  name: Type5.String(),
-  cni: Type5.Optional(Type5.String()),
-  externalIps: Type5.Array(Type5.String()),
-  fqdn: Type5.Optional(Type5.String()),
-  kubeApiServerIp: Type5.Optional(Type5.String()),
-  kubeApiServerPort: Type5.Optional(Type5.Number()),
+var externalServiceTypeSchema = Type7.StringEnum(["NodePort", "LoadBalancer"]);
+var scheduleOnMastersPolicySchema = Type7.StringEnum(["always", "when-no-workers", "never"]);
+var cniSchema = Type7.StringEnum(["cilium", "other"]);
+var clusterQuirksSchema = Type7.Object({
+  /**
+   * The IP and port of the kube-apiserver available from the cluster.
+   *
+   * Will be used to create fallback network policy in CNIs which does not support allowing access to the kube-apiserver.
+   *
+   * @schema
+   */
+  fallbackKubeApiAccess: {
+    ...Type7.Optional(fallbackKubeApiAccessSchema),
+    description: `The IP and port of the kube-apiserver available from the cluster.
+
+ Will be used to create fallback network policy in CNIs which does not support allowing access to the kube-apiserver.`
+  },
   /**
    * Specifies the policy for using the tun device inside containers.
    *
    * If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
    *
    * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
+   *
+   * @schema
    */
-  tunDevicePolicy: Type5.Optional(tunDevicePolicySchema)
-});
-var serviceTypeSchema = Type5.StringEnum(["NodePort", "LoadBalancer", "ClusterIP"]);
-var metadataSchema = Type5.Object({
-  namespace: Type5.Optional(Type5.String()),
-  name: Type5.String(),
-  labels: Type5.Optional(Type5.Record(Type5.String(), Type5.String())),
-  annotations: Type5.Optional(Type5.Record(Type5.String(), Type5.String()))
-});
-var servicePortSchema = Type5.Object({
-  name: Type5.Optional(Type5.String()),
-  port: Type5.Optional(Type5.Number()),
-  targetPort: Type5.Optional(Type5.Union([Type5.Number(), Type5.String()])),
-  protocol: Type5.Optional(Type5.String())
-});
-var serviceSpecSchema = Type5.Object({
-  type: Type5.Optional(Type5.String()),
-  selector: Type5.Record(Type5.String(), Type5.String()),
-  ports: Type5.Array(servicePortSchema),
-  clusterIP: Type5.Optional(Type5.String()),
-  clusterIPs: Type5.Optional(Type5.Array(Type5.String())),
-  externalIPs: Type5.Optional(Type5.Array(Type5.String()))
-});
-var serviceEntity = defineEntity5({
-  type: "k8s.service",
-  schema: Type5.Object({
-    type: Type5.Literal("k8s.service"),
-    clusterInfo: clusterInfoSchema,
-    metadata: metadataSchema,
-    spec: serviceSpecSchema
-  }),
-  meta: {
-    color: "#2196F3"
-  }
-});
-var clusterEntity2 = defineEntity5({
-  type: "k8s.cluster",
-  schema: Type5.Object({
-    info: clusterInfoSchema,
-    kubeconfig: Type5.String()
-  }),
-  meta: {
-    color: "#2196F3"
+  tunDevicePolicy: {
+    ...Type7.Optional(tunDevicePolicySchema),
+    description: `Specifies the policy for using the tun device inside containers.
+
+ If not provided, the default policy is \`host\` which assumes just mounting /dev/net/tun from the host.
+
+ For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.`
+  },
+  /**
+   * The service type to use for external services.
+   *
+   * If not provided, the default service type is `NodePort` since `LoadBalancer` may not be available.
+   *
+   * @schema
+   */
+  externalServiceType: {
+    ...Type7.Optional(externalServiceTypeSchema),
+    description: `The service type to use for external services.
+
+ If not provided, the default service type is \`NodePort\` since \`LoadBalancer\` may not be available.`
   }
 });
-var internalIpsPolicySchema = Type5.StringEnum(["always", "public", "never"]);
-var sharedClusterArgs = {
+var clusterInfoProperties = {
   /**
-   * The list of external IPs of the cluster nodes allowed to be used for external access.
+   * The unique identifier of the cluster.
    *
-   * If not provided, will be automatically detected by querying the cluster nodes.
+   * Should be defined as a UUID of the `kube-system` namespace which is always present in the cluster.
    *
    * @schema
    */
-  externalIps: {
-    ...Type5.Optional(Type5.Array(Type5.String())),
-    description: `The list of external IPs of the cluster nodes allowed to be used for external access.
+  id: {
+    ...Type7.String(),
+    description: `The unique identifier of the cluster.
 
- If not provided, will be automatically detected by querying the cluster nodes.`
+ Should be defined as a UUID of the \`kube-system\` namespace which is always present in the cluster.`
+  },
+  /**
+   * The name of the cluster.
+   *
+   * @schema
+   */
+  name: {
+    ...Type7.String(),
+    description: `The name of the cluster.`
   },
   /**
-   * The policy for using internal IPs of the nodes as external IPs.
+   * The name of the CNI plugin used by the cluster.
    *
-   * - `always`: always use internal IPs as external IPs;
-   * - `public`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
-   * - `never`: never use internal IPs as external IPs.
+   * Supported values are:
+   * - `cilium`
+   * - `other`
    *
    * @schema
    */
-  internalIpsPolicy: {
-    ...{ ...internalIpsPolicySchema, default: "public" },
-    description: `The policy for using internal IPs of the nodes as external IPs.
+  cni: {
+    ...cniSchema,
+    description: `The name of the CNI plugin used by the cluster.
 
- - \`always\`: always use internal IPs as external IPs;
- - \`public\`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
- - \`never\`: never use internal IPs as external IPs.`
+ Supported values are:
+ - \`cilium\`
+ - \`other\``
   },
   /**
-   * The FQDN to register the cluster nodes with.
+   * The endpoints of the cluster nodes.
+   *
+   * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
    *
-   * If provided and `registerFqdn` is set to `true`, the corresponding DNS provider must be provided to set up the DNS records.
+   * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
    *
    * @schema
    */
-  fqdn: {
-    ...Type5.Optional(Type5.String()),
-    description: `The FQDN to register the cluster nodes with.
+  endpoints: {
+    ...Type7.Array(l3EndpointEntity.schema),
+    description: `The endpoints of the cluster nodes.
+
+ The entry may represent real node endpoint or virtual endpoint (like a load balancer).
 
- If provided and \`registerFqdn\` is set to \`true\`, the corresponding DNS provider must be provided to set up the DNS records.`
+ The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
+  },
+  /**
+   * The endpoints of the API server.
+   *
+   * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+   *
+   * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
+   */
+  apiEndpoints: Type7.Array(l4EndpointEntity.schema),
+  /**
+   * The external IPs of the cluster nodes allowed to be used for external access.
+   *
+   * @schema
+   */
+  externalIps: {
+    ...Type7.Array(Type7.String()),
+    description: `The external IPs of the cluster nodes allowed to be used for external access.`
   },
   /**
-   * Whether to register the cluster nodes with the provided FQDN.
+   * The extra quirks of the cluster to improve compatibility.
+   *
+   * @schema
+   */
+  quirks: {
+    ...Type7.Optional(clusterQuirksSchema),
+    description: `The extra quirks of the cluster to improve compatibility.`
+  }
+};
+var serviceTypeSchema = Type7.StringEnum(["NodePort", "LoadBalancer", "ClusterIP"]);
+var metadataSchema = Type7.Object({
+  name: Type7.String(),
+  namespace: Type7.String(),
+  labels: Type7.Optional(Type7.Record(Type7.String(), Type7.String())),
+  annotations: Type7.Optional(Type7.Record(Type7.String(), Type7.String()))
+});
+var resourceSchema = Type7.Object({
+  clusterId: Type7.String(),
+  metadata: metadataSchema
+});
+var serviceEntity = defineEntity6({
+  type: "k8s.service",
+  schema: Type7.Object({
+    type: Type7.Literal("k8s.service"),
+    ...resourceSchema.properties,
+    endpoints: Type7.Array(l4EndpointEntity.schema)
+  }),
+  meta: {
+    color: "#2196F3"
+  }
+});
+var clusterEntity2 = defineEntity6({
+  type: "k8s.cluster",
+  schema: Type7.Object({
+    ...clusterInfoProperties,
+    kubeconfig: Type7.String()
+  }),
+  meta: {
+    color: "#2196F3"
+  }
+});
+var internalIpsPolicySchema = Type7.StringEnum(["always", "public", "never"]);
+var scheduleOnMastersPolicyArgs = {
+  /**
+   * The policy for scheduling workloads on master nodes.
    *
-   * By default, `true`.
+   * - `always`: always schedule workloads on master nodes regardless of the number of workers;
+   * - `when-no-workers`: schedule workloads on master nodes only if there are no workers (default);
+   * - `never`: never schedule workloads on master nodes.
    *
    * @schema
    */
-  registerFqdn: {
-    ...Type5.Boolean({ default: true }),
-    description: `Whether to register the cluster nodes with the provided FQDN.
+  scheduleOnMastersPolicy: {
+    ...Type7.Default(scheduleOnMastersPolicySchema, "when-no-workers"),
+    description: `The policy for scheduling workloads on master nodes.
 
- By default, \`true\`.`
+ - \`always\`: always schedule workloads on master nodes regardless of the number of workers;
+ - \`when-no-workers\`: schedule workloads on master nodes only if there are no workers (default);
+ - \`never\`: never schedule workloads on master nodes.`
+  }
+};
+var clusterInputs = {
+  masters: {
+    entity: serverEntity,
+    multiple: true
+  },
+  workers: {
+    entity: serverEntity,
+    multiple: true,
+    required: false
+  }
+};
+var clusterOutputs = {
+  k8sCluster: clusterEntity2,
+  apiEndpoints: {
+    entity: l4EndpointEntity,
+    multiple: true
+  },
+  endpoints: {
+    entity: l3EndpointEntity,
+    multiple: true
   }
 };
 var existingCluster = defineUnit5({
   type: "k8s.existing-cluster",
   args: {
-    ...sharedClusterArgs,
     /**
-     * The policy for using the tun device inside containers.
-     *
-     * If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
+     * The list of external IPs of the cluster nodes allowed to be used for external access.
      *
-     * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
+     * If not provided, will be automatically detected by querying the cluster nodes.
      *
      * @schema
      */
-    tunDevicePolicy: {
-      ...Type5.Optional(tunDevicePolicySchema),
-      description: `The policy for using the tun device inside containers.
+    externalIps: {
+      ...Type7.Optional(Type7.Array(Type7.String())),
+      description: `The list of external IPs of the cluster nodes allowed to be used for external access.
 
- If not provided, the default policy is \`host\` which assumes just mounting /dev/net/tun from the host.
+ If not provided, will be automatically detected by querying the cluster nodes.`
+    },
+    /**
+     * The policy for using internal IPs of the nodes as external IPs.
+     *
+     * - `always`: always use internal IPs as external IPs;
+     * - `public`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
+     * - `never`: never use internal IPs as external IPs.
+     *
+     * @schema
+     */
+    internalIpsPolicy: {
+      ...Type7.Default(internalIpsPolicySchema, "public"),
+      description: `The policy for using internal IPs of the nodes as external IPs.
 
- For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.`
+ - \`always\`: always use internal IPs as external IPs;
+ - \`public\`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
+ - \`never\`: never use internal IPs as external IPs.`
+    },
+    /**
+     * The extra quirks of the cluster to improve compatibility.
+     *
+     * @schema
+     */
+    quirks: {
+      ...Type7.Optional(clusterQuirksSchema),
+      description: `The extra quirks of the cluster to improve compatibility.`
     }
   },
   secrets: {
@@ -594,55 +1018,155 @@ var existingCluster = defineUnit5({
      * @schema
      */
     kubeconfig: {
-      ...Type5.Record(Type5.String(), Type5.Any()),
+      ...Type7.Record(Type7.String(), Type7.Any()),
       description: `The kubeconfig of the cluster to use for connecting to the cluster.
 
  Will be available for all components using \`cluster\` output of this unit.`
     }
   },
-  outputs: {
-    cluster: clusterEntity2
+  outputs: clusterOutputs,
+  meta: {
+    displayName: "Existing Cluster",
+    description: "An existing Kubernetes cluster.",
+    primaryIcon: "devicon:kubernetes",
+    category: "Kubernetes"
+  },
+  source: {
+    package: "@highstate/k8s",
+    path: "units/existing-cluster"
+  }
+});
+var clusterPatch = defineUnit5({
+  type: "k8s.cluster-patch",
+  args: {
+    /**
+     * The endpoints of the API server.
+     *
+     * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+     *
+     * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
+     *
+     * @schema
+     */
+    apiEndpoints: {
+      ...Type7.Default(Type7.Array(Type7.String()), []),
+      description: `The endpoints of the API server.
+
+ The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+
+ The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
+    },
+    /**
+     * The mode to use for patching the API endpoints.
+     *
+     * - `prepend`: prepend the new endpoints to the existing ones (default);
+     * - `replace`: replace the existing endpoints with the new ones.
+     */
+    apiEndpointsPatchMode: Type7.Default(arrayPatchModeSchema, "prepend"),
+    /**
+     * The endpoints of the cluster nodes.
+     *
+     * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+     *
+     * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
+     *
+     * @schema
+     */
+    endpoints: {
+      ...Type7.Default(Type7.Array(Type7.String()), []),
+      description: `The endpoints of the cluster nodes.
+
+ The entry may represent real node endpoint or virtual endpoint (like a load balancer).
+
+ The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
+    },
+    /**
+     * The mode to use for patching the endpoints.
+     *
+     * - `prepend`: prepend the new endpoints to the existing ones (default);
+     * - `replace`: replace the existing endpoints with the new ones.
+     */
+    endpointsPatchMode: Type7.Default(arrayPatchModeSchema, "prepend")
+  },
+  inputs: {
+    k8sCluster: clusterEntity2,
+    apiEndpoints: {
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true
+    },
+    endpoints: {
+      entity: l3EndpointEntity,
+      required: false,
+      multiple: true
+    }
+  },
+  outputs: clusterOutputs,
+  meta: {
+    displayName: "Cluster Patch",
+    description: "Patches some properties of the cluster.",
+    primaryIcon: "devicon:kubernetes",
+    secondaryIcon: "fluent:patch-20-filled",
+    category: "Kubernetes"
+  },
+  source: {
+    package: "@highstate/k8s",
+    path: "units/cluster-patch"
+  }
+});
+var clusterDns = defineUnit5({
+  type: "cluster-dns",
+  args: {
+    ...createArgs(),
+    ...createArgs("api")
+  },
+  inputs: {
+    k8sCluster: clusterEntity2,
+    ...inputs
   },
+  outputs: clusterOutputs,
   meta: {
-    displayName: "Existing Cluster",
-    description: "An existing Kubernetes cluster.",
-    primaryIcon: "mdi:kubernetes"
+    displayName: "Cluster DNS",
+    description: "Creates DNS records for the cluster and updates endpoints.",
+    primaryIcon: "devicon:kubernetes",
+    secondaryIcon: "mdi:dns",
+    category: "Kubernetes"
   },
   source: {
     package: "@highstate/k8s",
-    path: "units/existing-cluster"
+    path: "units/cluster-dns"
   }
 });
-var gatewayEntity = defineEntity5({
+var gatewayEntity = defineEntity6({
   type: "k8s.gateway",
-  schema: Type5.Object({
-    clusterInfo: clusterInfoSchema,
-    gatewayClassName: Type5.String(),
-    httpListenerPort: Type5.Number(),
-    httpsListenerPort: Type5.Number(),
-    ip: Type5.String(),
-    service: Type5.Optional(serviceEntity.schema)
+  schema: Type7.Object({
+    clusterId: Type7.String(),
+    gatewayClassName: Type7.String(),
+    httpListenerPort: Type7.Number(),
+    httpsListenerPort: Type7.Number(),
+    endpoints: Type7.Array(l3EndpointEntity.schema)
   }),
   meta: {
     color: "#4CAF50"
   }
 });
-var tlsIssuerEntity = defineEntity5({
+var tlsIssuerEntity = defineEntity6({
   type: "k8s.tls-issuer",
-  schema: Type5.Object({
-    clusterInfo: clusterInfoSchema,
-    clusterIssuerName: Type5.String()
+  schema: Type7.Object({
+    clusterId: Type7.String(),
+    clusterIssuerName: Type7.String()
   }),
   meta: {
     color: "#f06292"
   }
 });
-var accessPointEntity = defineEntity5({
+var accessPointEntity = defineEntity6({
   type: "k8s.access-point",
-  schema: Type5.Object({
+  schema: Type7.Object({
+    clusterId: Type7.String(),
     gateway: gatewayEntity.schema,
     tlsIssuer: tlsIssuerEntity.schema,
-    dnsProviders: Type5.Array(providerEntity.schema)
+    dnsProviders: Type7.Array(providerEntity.schema)
   }),
   meta: {
     color: "#F57F17"
@@ -664,7 +1188,8 @@ var accessPoint = defineUnit5({
   meta: {
     displayName: "Access Point",
     description: "An access point which can be used to connect to services.",
-    primaryIcon: "mdi:access-point"
+    primaryIcon: "mdi:access-point",
+    category: "Kubernetes"
   },
   source: {
     package: "@highstate/k8s",
@@ -682,7 +1207,8 @@ var certManager = defineUnit5({
   meta: {
     displayName: "Cert Manager",
     description: "A certificate manager for managing TLS certificates.",
-    primaryIcon: "simple-icons:letsencrypt"
+    primaryIcon: "simple-icons:letsencrypt",
+    category: "Kubernetes"
   },
   source: {
     package: "@highstate/k8s",
@@ -700,7 +1226,7 @@ var dns01TlsIssuer = defineUnit5({
      * @schema
      */
     domains: {
-      ...Type5.Optional(Type5.Array(Type5.String())),
+      ...Type7.Optional(Type7.Array(Type7.String())),
       description: `The top-level domains to filter the DNS01 challenge for.
 
  If not provided, will use all domains passed to the DNS providers.`
@@ -719,70 +1245,58 @@ var dns01TlsIssuer = defineUnit5({
   meta: {
     displayName: "DNS01 Issuer",
     description: "A TLS issuer for issuing certificate using DNS01 challenge.",
-    primaryIcon: "mdi:certificate"
+    primaryIcon: "mdi:certificate",
+    category: "Kubernetes"
   },
   source: {
     package: "@highstate/k8s",
     path: "units/dns01-issuer"
   }
 });
-var containerSchema = Type5.Object({
-  name: Type5.String(),
-  image: Type5.String()
-});
-var labelSelectorSchema = Type5.Object({
-  matchLabels: Type5.Record(Type5.String(), Type5.String())
-});
-var deploymentSpecSchema = Type5.Object({
-  replicas: Type5.Number(),
-  selector: labelSelectorSchema,
-  template: Type5.Object({
-    metadata: metadataSchema,
-    spec: Type5.Object({
-      containers: Type5.Array(containerSchema)
-    })
-  })
-});
-var deploymentEntity = defineEntity5({
+var deploymentEntity = defineEntity6({
   type: "k8s.deployment",
-  schema: Type5.Object({
-    type: Type5.Literal("k8s.deployment"),
-    clusterInfo: clusterInfoSchema,
-    metadata: metadataSchema,
-    service: Type5.Optional(serviceEntity.schema)
+  schema: Type7.Object({
+    type: Type7.Literal("k8s.deployment"),
+    ...resourceSchema.properties,
+    service: Type7.Optional(serviceEntity.schema)
   }),
   meta: {
     color: "#4CAF50"
   }
 });
-var statefulSetEntity = defineEntity5({
+var statefulSetEntity = defineEntity6({
   type: "k8s.stateful-set",
-  schema: Type5.Object({
-    type: Type5.Literal("k8s.stateful-set"),
-    clusterInfo: clusterInfoSchema,
-    metadata: metadataSchema,
-    service: Type5.Optional(serviceEntity.schema)
+  schema: Type7.Object({
+    type: Type7.Literal("k8s.stateful-set"),
+    ...resourceSchema.properties,
+    service: serviceEntity.schema
   }),
   meta: {
     color: "#FFC107"
   }
 });
-var persistentVolumeClaimEntity = defineEntity5({
+var exposableWorkloadEntity = defineEntity6({
+  type: "k8s.exposable-workload",
+  schema: Type7.Union([deploymentEntity.schema, statefulSetEntity.schema]),
+  meta: {
+    color: "#4CAF50"
+  }
+});
+var persistentVolumeClaimEntity = defineEntity6({
   type: "k8s.persistent-volume-claim",
-  schema: Type5.Object({
-    type: Type5.Literal("k8s.persistent-volume-claim"),
-    clusterInfo: clusterInfoSchema,
-    metadata: metadataSchema
+  schema: Type7.Object({
+    type: Type7.Literal("k8s.persistent-volume-claim"),
+    ...resourceSchema.properties
   }),
   meta: {
     color: "#FFC107"
   }
 });
-var interfaceEntity = defineEntity5({
+var interfaceEntity = defineEntity6({
   type: "k8s.interface",
-  schema: Type5.Object({
-    name: Type5.String(),
-    deployment: deploymentEntity.schema
+  schema: Type7.Object({
+    name: Type7.String(),
+    workload: exposableWorkloadEntity.schema
   }),
   meta: {
     color: "#2196F3",
@@ -800,8 +1314,10 @@ var gatewayApi = defineUnit5({
   meta: {
     displayName: "Gateway API",
     description: "Installs the Gateway API CRDs to the cluster.",
-    primaryIcon: "mdi:kubernetes",
-    primaryIconColor: "#4CAF50"
+    primaryIcon: "devicon:kubernetes",
+    secondaryIcon: "mdi:api",
+    secondaryIconColor: "#4CAF50",
+    category: "Kubernetes"
   },
   source: {
     package: "@highstate/k8s",
@@ -814,55 +1330,26 @@ var talos_exports = {};
 __export(talos_exports, {
   cluster: () => cluster,
   clusterEntity: () => clusterEntity3,
-  cniSchema: () => cniSchema,
+  cniSchema: () => cniSchema2,
   csiSchema: () => csiSchema
 });
-import { defineEntity as defineEntity6, defineUnit as defineUnit6, Type as Type6 } from "@highstate/contract";
-var clusterEntity3 = defineEntity6({
+import { defineEntity as defineEntity7, defineUnit as defineUnit6, Type as Type8 } from "@highstate/contract";
+var clusterEntity3 = defineEntity7({
   type: "talos.cluster",
-  schema: Type6.Object({
-    clientConfiguration: Type6.String(),
-    machineSecrets: Type6.String()
+  schema: Type8.Object({
+    clientConfiguration: Type8.String(),
+    machineSecrets: Type8.String()
   }),
   meta: {
     color: "#2d2d2d"
   }
 });
-var cniSchema = Type6.StringEnum(["none", "cilium", "flannel"]);
-var csiSchema = Type6.StringEnum(["none", "local-path-provisioner"]);
+var cniSchema2 = Type8.StringEnum(["none", "cilium", "flannel"]);
+var csiSchema = Type8.StringEnum(["none", "local-path-provisioner"]);
 var cluster = defineUnit6({
   type: "talos.cluster",
   args: {
-    /**
-     * Allow scheduling workloads on the master nodes.
-     *
-     * If no workers are specified, this option is ignored and the master nodes are used as workers.
-     *
-     * By default, this option is set to false.
-     *
-     * @schema
-     */
-    scheduleOnMasters: {
-      ...Type6.Default(Type6.Boolean(), false),
-      description: `Allow scheduling workloads on the master nodes.
-
- If no workers are specified, this option is ignored and the master nodes are used as workers.
-
- By default, this option is set to false.`
-    },
-    /**
-     * The endpoint of the cluster.
-     *
-     * By default, the first master node's endpoint is used.
-     *
-     * @schema
-     */
-    endpoint: {
-      ...Type6.Optional(Type6.String()),
-      description: `The endpoint of the cluster.
-
- By default, the first master node's endpoint is used.`
-    },
+    ...scheduleOnMastersPolicyArgs,
     /**
      * The name of the cluster.
      *
@@ -871,7 +1358,7 @@ var cluster = defineUnit6({
      * @schema
      */
     clusterName: {
-      ...Type6.Optional(Type6.String()),
+      ...Type8.Optional(Type8.String()),
       description: `The name of the cluster.
 
  By default, the name of the instance is used.`
@@ -889,7 +1376,7 @@ var cluster = defineUnit6({
      * @schema
      */
     cni: {
-      ...Type6.Default(cniSchema, "cilium"),
+      ...Type8.Default(cniSchema2, "cilium"),
       description: `The CNI plugin to use.
 
  The following options are available:
@@ -909,7 +1396,7 @@ var cluster = defineUnit6({
      * @schema
      */
     csi: {
-      ...Type6.Default(csiSchema, "local-path-provisioner"),
+      ...Type8.Default(csiSchema, "local-path-provisioner"),
       description: `The CSI plugin to use.
 
  The following options are available:
@@ -923,7 +1410,7 @@ var cluster = defineUnit6({
      * @schema
      */
     sharedConfigPatch: {
-      ...Type6.Optional(Type6.Record(Type6.String(), Type6.Any())),
+      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
       description: `The shared configuration patch.
  It will be applied to all nodes.`
     },
@@ -934,7 +1421,7 @@ var cluster = defineUnit6({
      * @schema
      */
     masterConfigPatch: {
-      ...Type6.Optional(Type6.Record(Type6.String(), Type6.Any())),
+      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
       description: `The master configuration patch.
  It will be applied to all master nodes.`
     },
@@ -945,7 +1432,7 @@ var cluster = defineUnit6({
      * @schema
      */
     workerConfigPatch: {
-      ...Type6.Optional(Type6.Record(Type6.String(), Type6.Any())),
+      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
       description: `The worker configuration patch.
  It will be applied to all worker nodes.`
     },
@@ -956,27 +1443,11 @@ var cluster = defineUnit6({
      *
      * By default, this option is set to true.
      */
-    enableTunDevicePlugin: Type6.Default(Type6.Boolean(), true),
-    ...sharedClusterArgs
-  },
-  inputs: {
-    masters: {
-      entity: serverEntity,
-      multiple: true
-    },
-    workers: {
-      entity: serverEntity,
-      multiple: true,
-      required: false
-    },
-    dnsProviders: {
-      entity: providerEntity,
-      required: false,
-      multiple: true
-    }
+    enableTunDevicePlugin: Type8.Default(Type8.Boolean(), true)
   },
+  inputs: clusterInputs,
   outputs: {
-    k8sCluster: clusterEntity2,
+    ...clusterOutputs,
     talosCluster: clusterEntity3
   },
   meta: {
@@ -1001,71 +1472,67 @@ __export(wireguard_exports, {
   configBundle: () => configBundle,
   identity: () => identity,
   identityEntity: () => identityEntity,
-  k8sNodeEntity: () => k8sNodeEntity,
   network: () => network,
   networkEntity: () => networkEntity,
   node: () => node,
+  nodeExposePolicySchema: () => nodeExposePolicySchema,
   peer: () => peer,
   peerEntity: () => peerEntity,
-  presharedKeyModeSchema: () => presharedKeyModeSchema
+  peerPatch: () => peerPatch
 });
-import { defineEntity as defineEntity7, defineUnit as defineUnit7, Type as Type7 } from "@highstate/contract";
-var backendSchema = Type7.StringEnum(["wireguard", "amneziawg"]);
-var presharedKeyModeSchema = Type7.StringEnum(["none", "global", "secure"]);
-var networkEntity = defineEntity7({
+import { defineEntity as defineEntity8, defineUnit as defineUnit7, Type as Type9 } from "@highstate/contract";
+import { omit } from "remeda";
+var backendSchema = Type9.StringEnum(["wireguard", "amneziawg"]);
+var networkEntity = defineEntity8({
   type: "wireguard.network",
-  schema: Type7.Object({
-    backend: Type7.Optional(backendSchema),
-    presharedKeyMode: presharedKeyModeSchema,
-    globalPresharedKey: Type7.Optional(Type7.String()),
-    ipv6: Type7.Optional(Type7.Boolean())
+  schema: Type9.Object({
+    backend: backendSchema,
+    ipv6: Type9.Boolean()
   })
 });
-var identityEntity = defineEntity7({
-  type: "wireguard.identity",
-  schema: Type7.Object({
-    name: Type7.String(),
-    network: Type7.Optional(networkEntity.schema),
-    address: Type7.Optional(Type7.String()),
-    privateKey: Type7.String(),
-    presharedKeyPart: Type7.Optional(Type7.String()),
-    k8sServices: Type7.Array(serviceEntity.schema),
-    exitNode: Type7.Boolean(),
-    listenPort: Type7.Optional(Type7.Number()),
-    externalIp: Type7.Optional(Type7.String()),
-    endpoint: Type7.Optional(Type7.String()),
-    fqdn: Type7.Optional(Type7.String())
+var nodeExposePolicySchema = Type9.StringEnum(["always", "when-has-endpoint", "never"]);
+var peerEntity = defineEntity8({
+  type: "wireguard.peer",
+  schema: Type9.Object({
+    name: Type9.String(),
+    network: Type9.Optional(networkEntity.schema),
+    publicKey: Type9.String(),
+    address: Type9.Optional(Type9.String()),
+    allowedIps: Type9.Array(Type9.String()),
+    endpoints: Type9.Array(l4EndpointEntity.schema),
+    allowedEndpoints: Type9.Array(Type9.Union([l3EndpointEntity.schema, l4EndpointEntity.schema])),
+    /**
+     * The pre-shared key of the WireGuard peer.
+     *
+     * If one of two peers has `presharedKey` set, the other peer must have `presharedKey` set too and they must be equal.
+     *
+     * Will be ignored if both peers have `presharedKeyPart` set.
+     */
+    presharedKey: Type9.Optional(Type9.String()),
+    /**
+     * The pre-shared key part of the WireGuard peer.
+     *
+     * If both peers have `presharedKeyPart` set, their `presharedKey` will be calculated as XOR of the two parts.
+     */
+    presharedKeyPart: Type9.Optional(Type9.String()),
+    excludedIps: Type9.Array(Type9.String()),
+    dns: Type9.Array(Type9.String()),
+    listenPort: Type9.Optional(Type9.Number())
   }),
   meta: {
-    color: "#F44336"
+    color: "#673AB7"
   }
 });
-var peerEntity = defineEntity7({
-  type: "wireguard.peer",
-  schema: Type7.Object({
-    name: Type7.String(),
-    network: Type7.Optional(networkEntity.schema),
-    publicKey: Type7.String(),
-    address: Type7.Optional(Type7.String()),
-    allowedIps: Type7.Array(Type7.String()),
-    endpoint: Type7.Optional(Type7.String()),
-    presharedKeyPart: Type7.Optional(Type7.String()),
-    excludedIps: Type7.Optional(Type7.Array(Type7.String())),
-    dns: Type7.Optional(Type7.Array(Type7.String()))
+var identityEntity = defineEntity8({
+  type: "wireguard.identity",
+  schema: Type9.Object({
+    peer: peerEntity.schema,
+    privateKey: Type9.String()
   }),
   meta: {
-    color: "#673AB7"
+    color: "#F44336"
   }
 });
-var k8sNodeEntity = defineEntity7({
-  type: "wireguard.node",
-  schema: Type7.Object({
-    network: Type7.String(),
-    address: Type7.String(),
-    endpoint: Type7.Optional(Type7.String()),
-    peers: Type7.Array(Type7.String())
-  })
-});
 var network = defineUnit7({
   type: "wireguard.network",
   args: {
@@ -1081,7 +1548,7 @@ var network = defineUnit7({
      * @schema
      */
     backend: {
-      ...Type7.Default(backendSchema, "wireguard"),
+      ...Type9.Default(backendSchema, "wireguard"),
       description: `The backend to use for the WireGuard network.
 
  Possible values are:
@@ -1089,35 +1556,6 @@ var network = defineUnit7({
  2. \`amneziawg\` - The censorship-resistant fork of WireGuard.
 
  By default, the \`wireguard\` backend is used.`
-    },
-    /**
-     * The option which defines how to handle pre-shared keys between peers.
-     *
-     * 1. `none` - No pre-shared keys will be used.
-     * 2. `global` - A single pre-shared key will be used for all peer pairs in the network.
-     * 3. `secure` - Each peer pair will have its own pre-shared key.
-     * In this case, each identity generates `presharedKeyPart` and the actual pre-shared key
-     * for each peer pair will be computed as `xor(peer1.presharedKeyPart, peer2.presharedKeyPart)`.
-     *
-     * If the whole network is managed by the HighState, the `secure` mode is recommended.
-     *
-     * By default, the `none` mode is used.
-     *
-     * @schema
-     */
-    presharedKeyMode: {
-      ...Type7.Optional(presharedKeyModeSchema),
-      description: `The option which defines how to handle pre-shared keys between peers.
-
- 1. \`none\` - No pre-shared keys will be used.
- 2. \`global\` - A single pre-shared key will be used for all peer pairs in the network.
- 3. \`secure\` - Each peer pair will have its own pre-shared key.
- In this case, each identity generates \`presharedKeyPart\` and the actual pre-shared key
- for each peer pair will be computed as \`xor(peer1.presharedKeyPart, peer2.presharedKeyPart)\`.
-
- If the whole network is managed by the HighState, the \`secure\` mode is recommended.
-
- By default, the \`none\` mode is used.`
     },
     /**
      * The option to enable IPv6 support in the network.
@@ -1127,29 +1565,12 @@ var network = defineUnit7({
      * @schema
      */
     ipv6: {
-      ...Type7.Optional(Type7.Boolean()),
+      ...Type9.Default(Type9.Boolean(), false),
       description: `The option to enable IPv6 support in the network.
 
  By default, IPv6 support is disabled.`
     }
   },
-  secrets: {
-    /**
-     * The global pre-shared key to use for all peer pairs in the network.
-     *
-     * Will be used only if `presharedKeyMode` is set to `global`.
-     * Will be generated automatically if not provided.
-     *
-     * @schema
-     */
-    globalPresharedKey: {
-      ...Type7.Optional(Type7.String()),
-      description: `The global pre-shared key to use for all peer pairs in the network.
-
- Will be used only if \`presharedKeyMode\` is set to \`global\`.
- Will be generated automatically if not provided.`
-    }
-  },
   outputs: {
     network: networkEntity
   },
@@ -1157,7 +1578,8 @@ var network = defineUnit7({
     description: "The WireGuard network with some shared configuration.",
     primaryIcon: "simple-icons:wireguard",
     primaryIconColor: "#88171a",
-    secondaryIcon: "mdi:local-area-network-connect"
+    secondaryIcon: "mdi:local-area-network-connect",
+    category: "VPN"
   },
   source: {
     package: "@highstate/wireguard",
@@ -1173,7 +1595,7 @@ var sharedPeerArgs = {
    * @schema
    */
   peerName: {
-    ...Type7.Optional(Type7.String()),
+    ...Type9.Optional(Type9.String()),
     description: `The name of the WireGuard peer.
 
  If not provided, the peer will be named after the unit.`
@@ -1186,20 +1608,11 @@ var sharedPeerArgs = {
    * @schema
    */
   address: {
-    ...Type7.Optional(Type7.String()),
+    ...Type9.Optional(Type9.String()),
     description: `The address of the WireGuard interface.
 
  The address may be any IPv4 or IPv6 address. CIDR notation is also supported.`
   },
-  /**
-   * The list of allowed IPs for the peer.
-   *
-   * @schema
-   */
-  allowedIps: {
-    ...Type7.Optional(Type7.Array(Type7.String())),
-    description: `The list of allowed IPs for the peer.`
-  },
   /**
    * The convenience option to set `allowedIps` to `0.0.0.0/0, ::/0`.
    *
@@ -1208,7 +1621,7 @@ var sharedPeerArgs = {
    * @schema
    */
   exitNode: {
-    ...Type7.Optional(Type7.Boolean()),
+    ...Type9.Default(Type9.Boolean(), false),
     description: `The convenience option to set \`allowedIps\` to \`0.0.0.0/0, ::/0\`.
 
  Will be merged with the \`allowedIps\` if provided.`
@@ -1225,7 +1638,7 @@ var sharedPeerArgs = {
    * @schema
    */
   excludedIps: {
-    ...Type7.Optional(Type7.Array(Type7.String())),
+    ...Type9.Default(Type9.Array(Type9.String()), []),
     description: `The list of IP ranges to exclude from the tunnel.
 
  Implementation notes:
@@ -1253,7 +1666,7 @@ var sharedPeerArgs = {
    * @schema
    */
   excludePrivateIps: {
-    ...Type7.Optional(Type7.Boolean()),
+    ...Type9.Default(Type9.Boolean(), false),
     description: `The convenience option to exclude private IPs from the tunnel.
 
  For IPv4, the private IPs are:
@@ -1270,13 +1683,26 @@ var sharedPeerArgs = {
  Will be merged with \`excludedIps\` if provided.`
   },
   /**
-   * The endpoint of the WireGuard peer.
+   * The endpoints of the WireGuard peer.
+   *
+   * @schema
+   */
+  endpoints: {
+    ...Type9.Default(Type9.Array(Type9.String()), []),
+    description: `The endpoints of the WireGuard peer.`
+  },
+  /**
+   * The allowed endpoints of the WireGuard peer.
+   *
+   * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
    *
    * @schema
    */
-  endpoint: {
-    ...Type7.Optional(Type7.String()),
-    description: `The endpoint of the WireGuard peer.`
+  allowedEndpoints: {
+    ...Type9.Default(Type9.Array(Type9.String()), []),
+    description: `The allowed endpoints of the WireGuard peer.
+
+ The non \`hostname\` endpoints will be added to the \`allowedIps\` of the peer.`
   },
   /**
    * The DNS servers that should be used by the interface connected to the WireGuard peer.
@@ -1286,7 +1712,7 @@ var sharedPeerArgs = {
    * @schema
    */
   dns: {
-    ...Type7.Optional(Type7.Array(Type7.String())),
+    ...Type9.Default(Type9.Array(Type9.String()), []),
     description: `The DNS servers that should be used by the interface connected to the WireGuard peer.
 
  If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).`
@@ -1299,38 +1725,121 @@ var sharedPeerArgs = {
    * @schema
    */
   includeDns: {
-    ...Type7.Optional(Type7.Boolean({ default: true })),
+    ...Type9.Default(Type9.Boolean(), true),
     description: `The convenience option to include the DNS servers to the allowed IPs.
 
  By default, is \`true\`.`
+  },
+  /**
+   * The port to listen on.
+   *
+   * @schema
+   */
+  listenPort: {
+    ...Type9.Optional(Type9.Number()),
+    description: `The port to listen on.`
   }
 };
-var sharedInterfaceArgs = {
+var sharedPeerInputs = {
   /**
-   * The port to listen on.
+   * The network to use for the WireGuard identity.
    *
-   * Will override the `listenPort` of the identity if provided.
+   * If not provided, the identity will use default network configuration.
    *
    * @schema
    */
-  listenPort: {
-    ...Type7.Optional(Type7.Number()),
-    description: `The port to listen on.
+  network: {
+    ...{
+      entity: networkEntity,
+      required: false
+    },
+    description: `The network to use for the WireGuard identity.
 
- Will override the \`listenPort\` of the identity if provided.`
+ If not provided, the identity will use default network configuration.`
   },
   /**
-   * The DNS servers that should be used by the interface connected to the WireGuard node.
+   * The L3 endpoints of the identity.
    *
-   * Will be merged with the DNS servers of the peers.
+   * Will produce L4 endpoints for each of the provided L3 endpoints.
    *
    * @schema
    */
-  dns: {
-    ...Type7.Optional(Type7.Array(Type7.String())),
-    description: `The DNS servers that should be used by the interface connected to the WireGuard node.
+  l3Endpoints: {
+    ...{
+      entity: l3EndpointEntity,
+      multiple: true,
+      required: false
+    },
+    description: `The L3 endpoints of the identity.
+
+ Will produce L4 endpoints for each of the provided L3 endpoints.`
+  },
+  /**
+   * The L4 endpoints of the identity.
+   *
+   * Will take priority over all calculated endpoints if provided.
+   *
+   * @schema
+   */
+  l4Endpoints: {
+    ...{
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true
+    },
+    description: `The L4 endpoints of the identity.
+
+ Will take priority over all calculated endpoints if provided.`
+  },
+  /**
+   * The L3 endpoints to add to the allowed IPs of the identity.
+   *
+   * `hostname` endpoints will be ignored.
+   *
+   * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
+   * the corresponding network policy will be created.
+   *
+   * @schema
+   */
+  allowedL3Endpoints: {
+    ...{
+      entity: l3EndpointEntity,
+      multiple: true,
+      required: false
+    },
+    description: `The L3 endpoints to add to the allowed IPs of the identity.
+
+ \`hostname\` endpoints will be ignored.
+
+ If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
+ the corresponding network policy will be created.`
+  },
+  /**
+   * The L4 endpoints to add to the allowed IPs of the identity.
+   *
+   * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
+   * the corresponding network policy will be created.
+   *
+   * @schema
+   */
+  allowedL4Endpoints: {
+    ...{
+      entity: l4EndpointEntity,
+      multiple: true,
+      required: false
+    },
+    description: `The L4 endpoints to add to the allowed IPs of the identity.
 
- Will be merged with the DNS servers of the peers.`
+ If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
+ the corresponding network policy will be created.`
+  }
+};
+var sharedPeerOutputs = {
+  peer: peerEntity,
+  endpoints: {
+    entity: l4EndpointEntity,
+    required: false,
+    multiple: true
   }
 };
 var peer = defineUnit7({
@@ -1343,68 +1852,99 @@ var peer = defineUnit7({
      * @schema
      */
     publicKey: {
-      ...Type7.Optional(Type7.String()),
+      ...Type9.String(),
       description: `The public key of the WireGuard peer.`
     }
   },
-  inputs: {
+  secrets: {
     /**
-     * The network to use for the WireGuard peer.
-     *
-     * If not provided, the peer will use default network configuration.
+     * The pre-shared key which should be used for the peer.
      *
      * @schema
      */
-    network: {
-      ...{
-        entity: networkEntity,
-        required: false
-      },
-      description: `The network to use for the WireGuard peer.
-
- If not provided, the peer will use default network configuration.`
-    },
+    presharedKey: {
+      ...Type9.Optional(Type9.String()),
+      description: `The pre-shared key which should be used for the peer.`
+    }
+  },
+  inputs: sharedPeerInputs,
+  outputs: sharedPeerOutputs,
+  meta: {
+    description: "The WireGuard peer with the public key.",
+    primaryIcon: "simple-icons:wireguard",
+    primaryIconColor: "#88171a",
+    secondaryIcon: "mdi:badge-account-horizontal",
+    category: "VPN"
+  },
+  source: {
+    package: "@highstate/wireguard",
+    path: "peer"
+  }
+});
+var peerPatch = defineUnit7({
+  type: "wireguard.peer-patch",
+  args: {
     /**
-     * The existing WireGuard peer to extend.
+     * The endpoints of the WireGuard peer.
      *
      * @schema
      */
-    peer: {
-      ...{
-        entity: peerEntity,
-        required: false
-      },
-      description: `The existing WireGuard peer to extend.`
+    endpoints: {
+      ...Type9.Default(Type9.Array(Type9.String()), []),
+      description: `The endpoints of the WireGuard peer.`
     },
     /**
-     * The L4 endpoint of the peer.
+     * The mode to use for patching the endpoints.
+     *
+     * - `prepend`: prepend the new endpoints to the existing ones (default);
+     * - `replace`: replace the existing endpoints with the new ones.
+     */
+    endpointsPatchMode: Type9.Default(arrayPatchModeSchema, "prepend"),
+    /**
+     * The allowed endpoints of the WireGuard peer.
      *
-     * Will take priority over all calculated endpoints if provided.
+     * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
      *
      * @schema
      */
-    l4Endpoint: {
-      ...{
-        entity: l4EndpointEntity,
-        required: false
-      },
-      description: `The L4 endpoint of the peer.
+    allowedEndpoints: {
+      ...Type9.Default(Type9.Array(Type9.String()), []),
+      description: `The allowed endpoints of the WireGuard peer.
 
- Will take priority over all calculated endpoints if provided.`
-    }
+ The non \`hostname\` endpoints will be added to the \`allowedIps\` of the peer.`
+    },
+    /**
+     * The mode to use for patching the allowed endpoints.
+     *
+     * - `prepend`: prepend the new endpoints to the existing ones (default);
+     * - `replace`: replace the existing endpoints with the new ones.
+     */
+    allowedEndpointsPatchMode: Type9.Default(arrayPatchModeSchema, "prepend"),
+    ...omit(sharedPeerArgs, ["endpoints", "allowedEndpoints"])
+  },
+  inputs: {
+    peer: peerEntity,
+    ...sharedPeerInputs
   },
   outputs: {
-    peer: peerEntity
+    peer: peerEntity,
+    endpoints: {
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true
+    }
   },
   meta: {
-    description: "The WireGuard peer with the public key.",
+    displayName: "WireGuard Peer Patch",
+    description: "Patches some properties of the WireGuard peer.",
     primaryIcon: "simple-icons:wireguard",
     primaryIconColor: "#88171a",
-    secondaryIcon: "mdi:badge-account-horizontal"
+    secondaryIcon: "mdi:badge-account-horizontal",
+    category: "VPN"
   },
   source: {
     package: "@highstate/wireguard",
-    path: "peer"
+    path: "peer-patch"
   }
 });
 var identity = defineUnit7({
@@ -1419,74 +1959,27 @@ var identity = defineUnit7({
      * @schema
      */
     listenPort: {
-      ...Type7.Optional(Type7.Number()),
-      description: `The port to listen on.
-
- Used by the implementation of the identity and to calculate the endpoint of the peer.`
-    },
-    /**
-     * The external IP address of the WireGuard identity.
-     *
-     * Used by the implementation of the identity and to calculate the endpoint of the peer.
-     *
-     * @schema
-     */
-    externalIp: {
-      ...Type7.Optional(Type7.String()),
-      description: `The external IP address of the WireGuard identity.
+      ...Type9.Optional(Type9.Number()),
+      description: `The port to listen on.
 
  Used by the implementation of the identity and to calculate the endpoint of the peer.`
     },
     /**
      * The endpoint of the WireGuard peer.
      *
-     * By default, the endpoint is calculated as `externalIp:listenPort`.
-     *
      * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
      *
      * Will take priority over all calculated endpoints and `l4Endpoint` input.
      *
      * @schema
      */
-    endpoint: {
-      ...Type7.Optional(Type7.String()),
+    endpoints: {
+      ...Type9.Default(Type9.Array(Type9.String()), []),
       description: `The endpoint of the WireGuard peer.
 
- By default, the endpoint is calculated as \`externalIp:listenPort\`.
-
  If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
 
  Will take priority over all calculated endpoints and \`l4Endpoint\` input.`
-    },
-    /**
-     * The FQDN of the WireGuard identity.
-     * Will be used as endpoint for the peer.
-     *
-     * If `dnsProvider` is provided, external IP is available and `registerFqdn` is set to `true`, and FQDN is provided explicitly (not obtained from the k8s cluster),
-     * the FQDN will be registered with the DNS provider.
-     *
-     * @schema
-     */
-    fqdn: {
-      ...Type7.Optional(Type7.String()),
-      description: `The FQDN of the WireGuard identity.
- Will be used as endpoint for the peer.
-
- If \`dnsProvider\` is provided, external IP is available and \`registerFqdn\` is set to \`true\`, and FQDN is provided explicitly (not obtained from the k8s cluster),
- the FQDN will be registered with the DNS provider.`
-    },
-    /**
-     * Whether to register the FQDN of the identity with the matching DNS providers.
-     *
-     * By default, `true`.
-     *
-     * @schema
-     */
-    registerFqdn: {
-      ...Type7.Default(Type7.Boolean(), true),
-      description: `Whether to register the FQDN of the identity with the matching DNS providers.
-
- By default, \`true\`.`
     }
   },
   secrets: {
@@ -1498,7 +1991,7 @@ var identity = defineUnit7({
      * @schema
      */
     privateKey: {
-      ...Type7.Optional(Type7.String()),
+      ...Type9.Optional(Type9.String()),
       description: `The private key of the WireGuard identity.
 
  If not provided, the key will be generated automatically.`
@@ -1511,105 +2004,23 @@ var identity = defineUnit7({
      * @schema
      */
     presharedKeyPart: {
-      ...Type7.Optional(Type7.String()),
+      ...Type9.Optional(Type9.String()),
       description: `The part of the pre-shared of the WireGuard identity.
 
  Will be generated automatically if not provided.`
     }
   },
-  inputs: {
-    /**
-     * The network to use for the WireGuard identity.
-     *
-     * If not provided, the identity will use default network configuration.
-     *
-     * @schema
-     */
-    network: {
-      ...{
-        entity: networkEntity,
-        required: false
-      },
-      description: `The network to use for the WireGuard identity.
-
- If not provided, the identity will use default network configuration.`
-    },
-    /**
-     * The list of Kubernetes services to expose the WireGuard identity.
-     *
-     * Their IP addresses will be added to the `allowedIps` of the identity and passed to the node to set up network policies.
-     *
-     * @schema
-     */
-    k8sServices: {
-      ...{
-        entity: serviceEntity,
-        multiple: true,
-        required: false
-      },
-      description: `The list of Kubernetes services to expose the WireGuard identity.
-
- Their IP addresses will be added to the \`allowedIps\` of the identity and passed to the node to set up network policies.`
-    },
-    /**
-     * The Kubernetes cluster associated with the identity.
-     *
-     * If provided, will be used to obtain the external IP or FQDN of the identity.
-     *
-     * @schema
-     */
-    k8sCluster: {
-      ...{
-        entity: clusterEntity2,
-        required: false
-      },
-      description: `The Kubernetes cluster associated with the identity.
-
- If provided, will be used to obtain the external IP or FQDN of the identity.`
-    },
-    /**
-     * The L4 endpoint of the identity.
-     *
-     * Will take priority over all calculated endpoints if provided.
-     *
-     * @schema
-     */
-    l4Endpoint: {
-      ...{
-        entity: l4EndpointEntity,
-        required: false
-      },
-      description: `The L4 endpoint of the identity.
-
- Will take priority over all calculated endpoints if provided.`
-    },
-    /**
-     * The DNS providers to register the FQDN of the identity with.
-     *
-     * @schema
-     */
-    dnsProviders: {
-      ...{
-        entity: providerEntity,
-        required: false,
-        multiple: true
-      },
-      description: `The DNS providers to register the FQDN of the identity with.`
-    }
-  },
+  inputs: sharedPeerInputs,
   outputs: {
     identity: identityEntity,
-    peer: peerEntity,
-    l4Endpoint: {
-      entity: l4EndpointEntity,
-      required: false
-    }
+    ...sharedPeerOutputs
   },
   meta: {
     description: "The WireGuard identity with the public key.",
     primaryIcon: "simple-icons:wireguard",
     primaryIconColor: "#88171a",
-    secondaryIcon: "mdi:account"
+    secondaryIcon: "mdi:account",
+    category: "VPN"
   },
   source: {
     package: "@highstate/wireguard",
@@ -1619,22 +2030,38 @@ var identity = defineUnit7({
 var node = defineUnit7({
   type: "wireguard.node",
   args: {
-    appName: Type7.Optional(Type7.String()),
-    serviceType: Type7.Optional(serviceTypeSchema),
-    ...sharedInterfaceArgs,
     /**
-     * The external IP address of the WireGuard node.
+     * The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
      *
-     * Will override the `externalIp` of the identity if provided.
+     * By default, the name is `wg-${identity.name}`.
      *
      * @schema
      */
-    externalIp: {
-      ...Type7.Optional(Type7.String()),
-      description: `The external IP address of the WireGuard node.
+    appName: {
+      ...Type9.Optional(Type9.String()),
+      description: `The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
 
- Will override the \`externalIp\` of the identity if provided.`
+ By default, the name is \`wg-\${identity.name}\`.`
     },
+    /**
+     * Whether to expose the WireGuard node to the outside world.
+     *
+     * @schema
+     */
+    external: {
+      ...Type9.Default(Type9.Boolean(), false),
+      description: `Whether to expose the WireGuard node to the outside world.`
+    },
+    /**
+     * The policy to use for exposing the WireGuard node.
+     *
+     * - `always` - The node will be exposed and the service will be created.
+     * - `when-has-endpoint` - The node will be exposed only if the provided idenity has at least one endpoint.
+     * - `never` - The node will not be exposed and the service will not be created.
+     *
+     * * By default, the `when-has-endpoint` policy is used.
+     */
+    exposePolicy: Type9.Default(nodeExposePolicySchema, "when-has-endpoint"),
     /**
      * The extra specification of the container which runs the WireGuard node.
      *
@@ -1643,7 +2070,7 @@ var node = defineUnit7({
      * @schema
      */
     containerSpec: {
-      ...Type7.Optional(Type7.Record(Type7.String(), Type7.Any())),
+      ...Type9.Optional(Type9.Record(Type9.String(), Type9.Any())),
       description: `The extra specification of the container which runs the WireGuard node.
 
  Will override any overlapping fields.`
@@ -1652,12 +2079,8 @@ var node = defineUnit7({
   inputs: {
     identity: identityEntity,
     k8sCluster: clusterEntity2,
-    deployment: {
-      entity: deploymentEntity,
-      required: false
-    },
-    statefulSet: {
-      entity: statefulSetEntity,
+    workload: {
+      entity: exposableWorkloadEntity,
       required: false
     },
     interface: {
@@ -1671,24 +2094,26 @@ var node = defineUnit7({
     }
   },
   outputs: {
-    deployment: {
-      entity: deploymentEntity,
-      required: false
-    },
     interface: {
       entity: interfaceEntity,
       required: false
     },
-    service: {
-      entity: serviceEntity,
+    peer: {
+      entity: peerEntity,
       required: false
+    },
+    endpoints: {
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true
     }
   },
   meta: {
     description: "The WireGuard node running on the Kubernetes.",
     primaryIcon: "simple-icons:wireguard",
     primaryIconColor: "#88171a",
-    secondaryIcon: "mdi:server"
+    secondaryIcon: "mdi:server",
+    category: "VPN"
   },
   source: {
     package: "@highstate/wireguard",
@@ -1698,7 +2123,6 @@ var node = defineUnit7({
 var config = defineUnit7({
   type: "wireguard.config",
   args: {
-    ...sharedInterfaceArgs,
     /**
      * The name of the "default" interface where non-tunneled traffic should go.
      *
@@ -1707,7 +2131,7 @@ var config = defineUnit7({
      * @schema
      */
     defaultInterface: {
-      ...Type7.Optional(Type7.String()),
+      ...Type9.Optional(Type9.String()),
       description: `The name of the "default" interface where non-tunneled traffic should go.
 
  If not provided, the config will not respect \`excludedIps\`.`
@@ -1726,7 +2150,8 @@ var config = defineUnit7({
     description: "Just the WireGuard configuration for the identity and peers.",
     primaryIcon: "simple-icons:wireguard",
     primaryIconColor: "#88171a",
-    secondaryIcon: "mdi:settings"
+    secondaryIcon: "mdi:settings",
+    category: "VPN"
   },
   source: {
     package: "@highstate/wireguard",
@@ -1752,7 +2177,8 @@ var configBundle = defineUnit7({
     description: "The WireGuard configuration bundle for the identity and peers.",
     primaryIcon: "simple-icons:wireguard",
     primaryIconColor: "#88171a",
-    secondaryIcon: "mdi:folder-settings-variant"
+    secondaryIcon: "mdi:folder-settings-variant",
+    category: "VPN"
   },
   source: {
     package: "@highstate/wireguard",
@@ -1765,7 +2191,11 @@ var apps_exports = {};
 __export(apps_exports, {
   backupModeSchema: () => backupModeSchema,
   codeServer: () => codeServer,
+  createArgs: () => createArgs2,
+  createInputs: () => createInputs,
   deployment: () => deployment,
+  endpointFilter: () => endpointFilter,
+  explicitEndpointFilterSchema: () => explicitEndpointFilterSchema,
   grocy: () => grocy,
   kubernetesDashboard: () => kubernetesDashboard,
   mariadb: () => mariadb,
@@ -1778,13 +2208,18 @@ __export(apps_exports, {
   postgresql: () => postgresql,
   postgresqlDatabase: () => postgresqlDatabase,
   postgresqlEntity: () => postgresqlEntity,
+  recordSet: () => recordSet,
+  sharedArgs: () => sharedArgs,
   syncthing: () => syncthing,
   traefikGateway: () => traefikGateway,
   vaultwarden: () => vaultwarden
 });
 
 // src/apps/mariadb.ts
-import { defineEntity as defineEntity9, defineUnit as defineUnit9, Type as Type9 } from "@highstate/contract";
+import { defineEntity as defineEntity10, defineUnit as defineUnit9, Type as Type12 } from "@highstate/contract";
+
+// src/apps/shared.ts
+import { Type as Type11 } from "@highstate/contract";
 
 // src/restic.ts
 var restic_exports = {};
@@ -1792,16 +2227,16 @@ __export(restic_exports, {
   repo: () => repo,
   repoEntity: () => repoEntity
 });
-import { defineEntity as defineEntity8, defineUnit as defineUnit8, Type as Type8 } from "@highstate/contract";
-var repoEntity = defineEntity8({
+import { defineEntity as defineEntity9, defineUnit as defineUnit8, Type as Type10 } from "@highstate/contract";
+var repoEntity = defineEntity9({
   type: "restic.repo",
-  schema: Type8.Object({
-    password: Type8.String(),
-    remoteDomains: Type8.Array(Type8.String()),
-    type: Type8.Literal("rclone"),
-    rcloneConfig: Type8.String(),
-    remoteName: Type8.String(),
-    basePath: Type8.String()
+  schema: Type10.Object({
+    password: Type10.String(),
+    remoteEndpoints: Type10.Array(Type10.String()),
+    type: Type10.Literal("rclone"),
+    rcloneConfig: Type10.String(),
+    remoteName: Type10.String(),
+    basePath: Type10.String()
   }),
   meta: {
     color: "#e56901"
@@ -1810,12 +2245,12 @@ var repoEntity = defineEntity8({
 var repo = defineUnit8({
   type: "restic.repo",
   args: {
-    remoteDomains: Type8.Optional(Type8.Array(Type8.String())),
-    basePath: Type8.Optional(Type8.String())
+    remoteDomains: Type10.Optional(Type10.Array(Type10.String())),
+    basePath: Type10.Optional(Type10.String())
   },
   secrets: {
-    password: Type8.Optional(Type8.String()),
-    rcloneConfig: Type8.String({ multiline: true })
+    password: Type10.Optional(Type10.String()),
+    rcloneConfig: Type10.String({ multiline: true })
   },
   outputs: {
     repo: repoEntity
@@ -1824,7 +2259,8 @@ var repo = defineUnit8({
     displayName: "Restic Repo",
     description: "Holds the configuration for a Restic repository and its remote storage.",
     primaryIconColor: "#e56901",
-    primaryIcon: "material-symbols:backup"
+    primaryIcon: "material-symbols:backup",
+    category: "Infrastructure"
   },
   source: {
     package: "@highstate/restic",
@@ -1832,39 +2268,126 @@ var repo = defineUnit8({
   }
 });
 
+// src/apps/shared.ts
+var extraArgsDefinitions = {
+  fqdn: {
+    schema: Type11.String()
+  },
+  endpoints: {
+    schema: Type11.Array(Type11.String()),
+    required: false
+  },
+  external: {
+    schema: Type11.Boolean(),
+    required: false
+  }
+};
+var eagerExtraInputDefinitions = {
+  accessPoint: {
+    entity: accessPointEntity
+  },
+  resticRepo: {
+    entity: repoEntity,
+    required: false
+  },
+  dnsProviders: {
+    entity: providerEntity,
+    required: false,
+    multiple: true
+  },
+  volume: {
+    entity: persistentVolumeClaimEntity,
+    required: false
+  }
+};
+var extraInputDefinitions = {
+  ...eagerExtraInputDefinitions
+};
+function createArgs2(defaultAppName, extraArgs) {
+  const base = {
+    appName: Type11.Default(Type11.String(), defaultAppName)
+  };
+  const dynamicArgs = {};
+  if (Array.isArray(extraArgs)) {
+    for (const name of extraArgs) {
+      dynamicArgs[name] = extraArgsDefinitions[name];
+    }
+  } else {
+    const { required, optional } = extraArgs ?? {};
+    for (const name of required ?? []) {
+      dynamicArgs[name] = {
+        ...extraArgsDefinitions[name],
+        required: true
+      };
+    }
+    for (const name of optional ?? []) {
+      dynamicArgs[name] = {
+        ...extraArgsDefinitions[name],
+        required: false
+      };
+    }
+  }
+  return {
+    ...base,
+    ...dynamicArgs
+  };
+}
+function createInputs(inputs2) {
+  const base = {
+    k8sCluster: clusterEntity2
+  };
+  const dynamicInputs = {};
+  if (Array.isArray(inputs2)) {
+    for (const name of inputs2) {
+      dynamicInputs[name] = extraInputDefinitions[name];
+    }
+  } else {
+    const { required, optional } = inputs2 ?? {};
+    for (const name of required ?? []) {
+      dynamicInputs[name] = {
+        ...extraInputDefinitions[name],
+        required: true
+      };
+    }
+    for (const name of optional ?? []) {
+      dynamicInputs[name] = {
+        ...extraInputDefinitions[name],
+        required: false
+      };
+    }
+  }
+  return {
+    ...base,
+    ...dynamicInputs
+  };
+}
+function createSource(path) {
+  return {
+    package: "@highstate/apps",
+    path
+  };
+}
+var databaseSchema = Type11.Object({
+  endpoints: Type11.Array(l4EndpointEntity.schema),
+  service: Type11.Optional(serviceEntity.schema),
+  rootPassword: Type11.String()
+});
+
 // src/apps/mariadb.ts
-var mariadbEntity = defineEntity9({
+var mariadbEntity = defineEntity10({
   type: "apps.mariadb",
-  schema: Type9.Object({
-    service: Type9.Optional(serviceEntity.schema),
-    host: Type9.String(),
-    port: Type9.Number(),
-    rootPassword: Type9.String()
-  }),
+  schema: databaseSchema,
   meta: {
     color: "#f06292"
   }
 });
 var mariadb = defineUnit9({
   type: "apps.mariadb",
-  args: {
-    fqdn: Type9.Optional(Type9.String()),
-    appName: Type9.Optional(Type9.String())
-  },
+  args: createArgs2("mariadb", ["external"]),
   secrets: {
-    rootPassword: Type9.Optional(Type9.String())
-  },
-  inputs: {
-    k8sCluster: clusterEntity2,
-    resticRepo: {
-      entity: repoEntity,
-      required: false
-    },
-    dnsProvider: {
-      entity: providerEntity,
-      required: false
-    }
+    rootPassword: Type12.Optional(Type12.String())
   },
+  inputs: createInputs(["resticRepo"]),
   outputs: {
     mariadb: mariadbEntity,
     service: serviceEntity
@@ -1873,72 +2396,51 @@ var mariadb = defineUnit9({
     displayName: "MariaDB",
     description: "The MariaDB database deployed on Kubernetes.",
     primaryIcon: "simple-icons:mariadb",
-    secondaryIcon: "mdi:database"
+    secondaryIcon: "mdi:database",
+    category: "Databases"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "mariadb/app"
-  }
+  source: createSource("mariadb/app")
 });
+extraInputDefinitions.mariadb = {
+  entity: mariadbEntity,
+  displayName: "MariaDB"
+};
 var mariadbDatabase = defineUnit9({
   type: "apps.mariadb.database",
   args: {
-    database: Type9.Optional(Type9.String()),
-    username: Type9.Optional(Type9.String())
+    database: Type12.Optional(Type12.String()),
+    username: Type12.Optional(Type12.String())
   },
+  inputs: createInputs(["mariadb"]),
   secrets: {
-    password: Type9.Optional(Type9.String())
-  },
-  inputs: {
-    k8sCluster: clusterEntity2,
-    mariadb: mariadbEntity
+    password: Type12.Optional(Type12.String())
   },
   meta: {
     displayName: "MariaDB Database",
     description: "The virtual MariaDB database created on the MariaDB instance. Works only for MariaDB instances deployed on Kubernetes.",
     primaryIcon: "simple-icons:mariadb",
-    secondaryIcon: "mdi:database-plus"
+    secondaryIcon: "mdi:database-plus",
+    category: "Databases"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "mariadb/database"
-  }
+  source: createSource("mariadb/database")
 });
 
 // src/apps/postgresql.ts
-import { defineEntity as defineEntity10, defineUnit as defineUnit10, Type as Type10 } from "@highstate/contract";
-var postgresqlEntity = defineEntity10({
+import { defineEntity as defineEntity11, defineUnit as defineUnit10, Type as Type13 } from "@highstate/contract";
+var postgresqlEntity = defineEntity11({
   type: "apps.postgresql",
-  schema: Type10.Object({
-    service: Type10.Optional(serviceEntity.schema),
-    host: Type10.String(),
-    port: Type10.Number(),
-    rootPassword: Type10.String()
-  }),
+  schema: databaseSchema,
   meta: {
     color: "#336791"
   }
 });
 var postgresql = defineUnit10({
   type: "apps.postgresql",
-  args: {
-    fqdn: Type10.Optional(Type10.String()),
-    appName: Type10.Optional(Type10.String())
-  },
+  args: createArgs2("postgresql", ["external"]),
   secrets: {
-    rootPassword: Type10.Optional(Type10.String())
-  },
-  inputs: {
-    k8sCluster: clusterEntity2,
-    resticRepo: {
-      entity: repoEntity,
-      required: false
-    },
-    dnsProvider: {
-      entity: providerEntity,
-      required: false
-    }
+    rootPassword: Type13.Optional(Type13.String())
   },
+  inputs: createInputs(["resticRepo", "dnsProviders"]),
   outputs: {
     postgresql: postgresqlEntity,
     service: serviceEntity
@@ -1947,77 +2449,259 @@ var postgresql = defineUnit10({
     displayName: "PostgreSQL",
     description: "The PostgreSQL database deployed on Kubernetes.",
     primaryIcon: "simple-icons:postgresql",
-    secondaryIcon: "mdi:database"
+    secondaryIcon: "mdi:database",
+    category: "Databases"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "postgresql/app"
-  }
+  source: createSource("postgresql/app")
 });
+extraInputDefinitions.postgresql = {
+  entity: postgresqlEntity,
+  displayName: "PostgreSQL"
+};
 var postgresqlDatabase = defineUnit10({
   type: "apps.postgresql.database",
   args: {
-    database: Type10.Optional(Type10.String()),
-    username: Type10.Optional(Type10.String())
+    database: Type13.Optional(Type13.String()),
+    username: Type13.Optional(Type13.String())
   },
   secrets: {
-    password: Type10.Optional(Type10.String())
-  },
-  inputs: {
-    k8sCluster: clusterEntity2,
-    postgresql: postgresqlEntity
+    password: Type13.Optional(Type13.String())
   },
+  inputs: createInputs(["postgresql"]),
   meta: {
     displayName: "PostgreSQL Database",
     description: "The virtual PostgreSQL database created on the PostgreSQL instance. Works only for PostgreSQL instances deployed on Kubernetes.",
     primaryIcon: "simple-icons:postgresql",
-    secondaryIcon: "mdi:database-plus"
+    secondaryIcon: "mdi:database-plus",
+    category: "Databases"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "postgresql/database"
-  }
+  source: createSource("postgresql/database")
 });
 
 // src/apps/vaultwarden.ts
-import { defineUnit as defineUnit11, Type as Type11 } from "@highstate/contract";
+import { defineUnit as defineUnit11, Type as Type14 } from "@highstate/contract";
 var vaultwarden = defineUnit11({
   type: "apps.vaultwarden",
+  args: createArgs2("vaultwarden", ["fqdn"]),
+  secrets: {
+    mariadbPassword: Type14.Optional(Type14.String())
+  },
+  inputs: createInputs(["accessPoint", "mariadb"]),
+  meta: {
+    displayName: "Vaultwarden",
+    description: "The Vaultwarden password manager deployed on Kubernetes.",
+    primaryIcon: "simple-icons:vaultwarden",
+    category: "Security"
+  },
+  source: createSource("vaultwarden")
+});
+
+// src/apps/mongodb.ts
+import { defineEntity as defineEntity12, defineUnit as defineUnit12, Type as Type15 } from "@highstate/contract";
+var mongodbEntity = defineEntity12({
+  type: "apps.mongodb",
+  schema: databaseSchema,
+  meta: {
+    color: "#13aa52"
+  }
+});
+var mongodb = defineUnit12({
+  type: "apps.mongodb",
+  args: createArgs2("mongodb", ["external"]),
+  secrets: {
+    rootPassword: Type15.Optional(Type15.String())
+  },
+  inputs: createInputs(["resticRepo"]),
+  outputs: {
+    mongodb: mongodbEntity,
+    service: serviceEntity
+  },
+  meta: {
+    displayName: "MongoDB",
+    description: "The MongoDB instance deployed on Kubernetes.",
+    primaryIcon: "simple-icons:mongodb",
+    secondaryIcon: "mdi:database",
+    category: "Databases"
+  },
+  source: createSource("mongodb/app")
+});
+extraInputDefinitions.mongodb = {
+  entity: mongodbEntity,
+  displayName: "MongoDB"
+};
+var mongodbDatabase = defineUnit12({
+  type: "apps.mongodb.database",
+  args: {
+    database: Type15.Optional(Type15.String()),
+    username: Type15.Optional(Type15.String())
+  },
+  secrets: {
+    password: Type15.Optional(Type15.String())
+  },
+  inputs: createInputs(["mongodb"]),
+  meta: {
+    displayName: "MongoDB Database",
+    description: "The virtual MongoDB database created on the MongoDB instance. Works only for MongoDB instances deployed on Kubernetes.",
+    primaryIcon: "simple-icons:mongodb",
+    secondaryIcon: "mdi:database-plus",
+    category: "Databases"
+  },
+  source: createSource("mongodb/database")
+});
+
+// src/apps/network.ts
+import { defineUnit as defineUnit13, Type as Type16 } from "@highstate/contract";
+var explicitEndpointFilterSchema = Type16.StringEnum(["public", "external", "internal"]);
+var endpointFilter = defineUnit13({
+  type: "apps.endpoint-filter",
   args: {
-    fqdn: Type11.String(),
-    appName: Type11.Optional(Type11.String())
+    /**
+     * The filter to apply to the endpoints.
+     *
+     * - `public`: Only public endpoints accessible from the internet.
+     * - `external`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
+     * - `internal`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.
+     */
+    filter: Type16.Default(explicitEndpointFilterSchema, "public")
   },
   inputs: {
-    mariadb: mariadbEntity,
-    accessPoint: accessPointEntity,
-    k8sCluster: clusterEntity2
+    l3Endpoints: {
+      entity: l3EndpointEntity,
+      multiple: true,
+      required: false
+    },
+    l4Endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true,
+      required: false
+    }
+  },
+  outputs: {
+    l3Endpoints: {
+      entity: l3EndpointEntity,
+      multiple: true
+    },
+    l4Endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
+  },
+  meta: {
+    displayName: "Endpoint Filter",
+    description: "Explicitly filter endpoints by their accessibility.",
+    primaryIcon: "mdi:network-outline",
+    primaryIconColor: "#FF9800",
+    secondaryIcon: "mdi:filter-outline",
+    category: "Network"
+  },
+  source: createSource("endpoint-filter")
+});
+
+// src/apps/dns.ts
+import { defineUnit as defineUnit14, Type as Type17 } from "@highstate/contract";
+var endpointFilterSchema2 = Type17.StringEnum(["all", "public", "external", "internal"]);
+var recordSet = defineUnit14({
+  type: "apps.dns-record-set",
+  args: {
+    /**
+     * The name of the DNS record.
+     *
+     * If not provided, will use the name of the unit.
+     */
+    recordName: Type17.Optional(Type17.String()),
+    /**
+     * The type of the DNS record.
+     *
+     * If not specified, will use the default type for the provider.
+     */
+    type: Type17.Optional(Type17.String()),
+    /**
+     * The values of the DNS record.
+     */
+    values: Type17.Array(Type17.String()),
+    /**
+     * The TTL of the DNS record.
+     */
+    ttl: Type17.Optional(Type17.Number()),
+    /**
+     * The priority of the DNS record.
+     */
+    priority: Type17.Optional(Type17.Number()),
+    /**
+     * Whether the DNS record is proxied.
+     *
+     * Available only for public IPs and some DNS providers like Cloudflare.
+     */
+    proxied: Type17.Optional(Type17.Boolean()),
+    /**
+     * The filter to apply to the endpoints.
+     *
+     * - `all`: All endpoints.
+     * - `public`: Only public endpoints accessible from the internet (default).
+     * - `external`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
+     * - `internal`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.
+     */
+    endpointFilter: Type17.Default(endpointFilterSchema2, "public")
+  },
+  inputs: {
+    dnsProviders: {
+      entity: providerEntity,
+      multiple: true
+    },
+    l3Endpoints: {
+      entity: l3EndpointEntity,
+      required: false,
+      multiple: true
+    },
+    l4Endpoints: {
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true
+    }
   },
-  secrets: {
-    mariadbPassword: Type11.Optional(Type11.String())
+  outputs: {
+    /**
+     * The single L3 endpoint representing created DNS records.
+     */
+    l3Endpoint: l3EndpointEntity,
+    /**
+     * Multiple L4 endpoints representing created DNS records for each unique port/protocol combination from the input L4 endpoints.
+     */
+    l4Endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
   },
   meta: {
-    displayName: "Vaultwarden",
-    description: "The Vaultwarden password manager deployed on Kubernetes.",
-    primaryIcon: "simple-icons:vaultwarden"
+    displayName: "DNS Record Set",
+    description: "A set of DNS records to be created.",
+    primaryIcon: "mdi:server",
+    defaultNamePrefix: "record",
+    category: "Network"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "vaultwarden"
-  }
+  source: createSource("dns-record-set")
 });
+var sharedArgs = {
+  /**
+   * The FQDN to register the cluster nodes with.
+   *
+   * @schema
+   */
+  fqdn: {
+    ...Type17.Optional(Type17.String()),
+    description: `The FQDN to register the cluster nodes with.`
+  }
+};
 
 // src/apps/traefik.ts
-import { defineUnit as defineUnit12, Type as Type12 } from "@highstate/contract";
-var traefikGateway = defineUnit12({
+import { defineUnit as defineUnit15, Type as Type18 } from "@highstate/contract";
+var traefikGateway = defineUnit15({
   type: "apps.traefik-gateway",
   args: {
-    appName: Type12.Optional(Type12.String()),
-    className: Type12.Optional(Type12.String()),
-    serviceType: Type12.Optional(serviceTypeSchema)
-  },
-  inputs: {
-    k8sCluster: clusterEntity2
+    ...createArgs2("traefik", ["external"]),
+    className: Type18.Optional(Type18.String())
   },
+  inputs: createInputs(),
   outputs: {
     gateway: gatewayEntity,
     service: serviceEntity
@@ -2025,7 +2709,8 @@ var traefikGateway = defineUnit12({
   meta: {
     displayName: "Traefik Gateway",
     description: "A Traefik gateway for routing traffic to services.",
-    primaryIcon: "simple-icons:traefikproxy"
+    primaryIcon: "simple-icons:traefikproxy",
+    category: "Network"
   },
   source: {
     package: "@highstate/apps",
@@ -2034,250 +2719,128 @@ var traefikGateway = defineUnit12({
 });
 
 // src/apps/kubernetes-dashboard.ts
-import { defineUnit as defineUnit13, Type as Type13 } from "@highstate/contract";
-var kubernetesDashboard = defineUnit13({
+import { defineUnit as defineUnit16 } from "@highstate/contract";
+var kubernetesDashboard = defineUnit16({
   type: "apps.kubernetes-dashboard",
-  args: {
-    fqdn: Type13.String(),
-    appName: Type13.Optional(Type13.String())
-  },
-  inputs: {
-    k8sCluster: clusterEntity2,
-    accessPoint: accessPointEntity
-  },
+  args: createArgs2("kubernetes-dashboard", ["fqdn"]),
+  inputs: createInputs(["accessPoint"]),
   meta: {
     displayName: "Kubernetes Dashboard",
     description: "The Kubernetes Dashboard deployed on Kubernetes.",
-    primaryIcon: "simple-icons:kubernetes",
-    secondaryIcon: "mdi:dashboard"
+    primaryIcon: "devicon:kubernetes",
+    secondaryIcon: "material-symbols:dashboard",
+    category: "Kubernetes"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "kubernetes-dashboard"
-  }
+  source: createSource("kubernetes-dashboard")
 });
 
 // src/apps/grocy.ts
-import { defineUnit as defineUnit14, Type as Type14 } from "@highstate/contract";
-var grocy = defineUnit14({
+import { defineUnit as defineUnit17 } from "@highstate/contract";
+var grocy = defineUnit17({
   type: "apps.grocy",
-  args: {
-    fqdn: Type14.String(),
-    appName: Type14.Optional(Type14.String())
-  },
-  inputs: {
-    resticRepo: {
-      entity: repoEntity,
-      required: false
-    },
-    accessPoint: accessPointEntity,
-    k8sCluster: clusterEntity2
-  },
+  args: createArgs2("grocy", ["fqdn"]),
+  inputs: createInputs(["accessPoint", "resticRepo"]),
   meta: {
     displayName: "Grocy",
     description: "Grocy is a web-based self-hosted groceries & household management solution for your home.",
-    primaryIcon: "simple-icons:grocy"
+    primaryIcon: "simple-icons:grocy",
+    category: "Productivity"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "grocy"
-  }
+  source: createSource("grocy")
 });
 
 // src/apps/maybe.ts
-import { defineUnit as defineUnit15, Type as Type15 } from "@highstate/contract";
-var maybe = defineUnit15({
+import { defineUnit as defineUnit18, Type as Type19 } from "@highstate/contract";
+var maybe = defineUnit18({
   type: "apps.maybe",
-  args: {
-    fqdn: Type15.String(),
-    appName: Type15.Optional(Type15.String())
-  },
-  inputs: {
-    postgresql: postgresqlEntity,
-    accessPoint: accessPointEntity,
-    k8sCluster: clusterEntity2,
-    resticRepo: {
-      entity: repoEntity,
-      required: false
-    }
-  },
+  args: createArgs2("maybe", ["fqdn"]),
   secrets: {
-    postgresqlPassword: Type15.Optional(Type15.String()),
-    secretKey: Type15.Optional(Type15.String())
+    postgresqlPassword: Type19.Optional(Type19.String()),
+    secretKey: Type19.Optional(Type19.String())
   },
+  inputs: createInputs(["accessPoint", "resticRepo", "postgresql"]),
   meta: {
     displayName: "Maybe",
     description: "The OS for your personal finances.",
-    primaryIcon: "arcticons:finance-manager"
-  },
-  source: {
-    package: "@highstate/apps",
-    path: "maybe"
-  }
-});
-
-// src/apps/mongodb.ts
-import { defineEntity as defineEntity11, defineUnit as defineUnit16, Type as Type16 } from "@highstate/contract";
-var mongodbEntity = defineEntity11({
-  type: "apps.mongodb",
-  schema: Type16.Object({
-    service: Type16.Optional(serviceEntity.schema),
-    host: Type16.String(),
-    port: Type16.Number(),
-    rootPassword: Type16.String()
-  }),
-  meta: {
-    color: "#13aa52"
-  }
-});
-var mongodb = defineUnit16({
-  type: "apps.mongodb",
-  args: {
-    fqdn: Type16.Optional(Type16.String()),
-    appName: Type16.Optional(Type16.String()),
-    serviceType: Type16.Optional(serviceTypeSchema)
-  },
-  secrets: {
-    rootPassword: Type16.Optional(Type16.String())
-  },
-  inputs: {
-    k8sCluster: clusterEntity2,
-    resticRepo: {
-      entity: repoEntity,
-      required: false
-    },
-    dnsProvider: {
-      entity: providerEntity,
-      required: false
-    }
-  },
-  outputs: {
-    mongodb: mongodbEntity,
-    service: serviceEntity
-  },
-  meta: {
-    displayName: "MongoDB",
-    description: "The MongoDB instance deployed on Kubernetes.",
-    primaryIcon: "simple-icons:mongodb",
-    secondaryIcon: "mdi:database"
-  },
-  source: {
-    package: "@highstate/apps",
-    path: "mongodb/app"
-  }
-});
-var mongodbDatabase = defineUnit16({
-  type: "apps.mongodb.database",
-  args: {
-    database: Type16.Optional(Type16.String()),
-    username: Type16.Optional(Type16.String())
-  },
-  secrets: {
-    password: Type16.Optional(Type16.String())
-  },
-  inputs: {
-    k8sCluster: clusterEntity2,
-    mongodb: mongodbEntity
-  },
-  meta: {
-    displayName: "MongoDB Database",
-    description: "The virtual MongoDB database created on the MongoDB instance. Works only for MongoDB instances deployed on Kubernetes.",
-    primaryIcon: "simple-icons:mongodb",
-    secondaryIcon: "mdi:database-plus"
+    primaryIcon: "arcticons:finance-manager",
+    category: "Finance"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "mongodb/database"
-  }
+  source: createSource("maybe")
 });
 
 // src/apps/deployment.ts
-import { defineUnit as defineUnit17, Type as Type17 } from "@highstate/contract";
-var deployment = defineUnit17({
+import { defineUnit as defineUnit19, Type as Type20 } from "@highstate/contract";
+var deployment = defineUnit19({
   type: "apps.deployment",
   args: {
-    appName: Type17.Optional(Type17.String()),
-    fqdn: Type17.Optional(Type17.String()),
-    serviceType: Type17.Optional(serviceTypeSchema),
-    image: Type17.Optional(Type17.String()),
-    port: Type17.Optional(Type17.Number()),
-    replicas: Type17.Optional(Type17.Number()),
-    dataPath: Type17.Optional(Type17.String()),
-    env: Type17.Optional(Type17.Record(Type17.String(), Type17.Any())),
-    mariadbEnvMapping: Type17.Optional(Type17.Record(Type17.String(), Type17.Any())),
-    postgresqlEnvMapping: Type17.Optional(Type17.Record(Type17.String(), Type17.Any())),
-    mongodbEnvMapping: Type17.Optional(Type17.Record(Type17.String(), Type17.Any())),
-    manifest: Type17.Optional(Type17.Record(Type17.String(), Type17.Any())),
-    serviceManifest: Type17.Optional(Type17.Record(Type17.String(), Type17.Any())),
-    httpRouteManifest: Type17.Optional(Type17.Record(Type17.String(), Type17.Any()))
-  },
-  inputs: {
-    k8sCluster: clusterEntity2,
-    mariadb: {
-      entity: mariadbEntity,
-      required: false
-    },
-    postgresql: {
-      entity: postgresqlEntity,
-      required: false
-    },
-    mongodb: {
-      entity: mongodbEntity,
-      required: false
-    },
-    resticRepo: {
-      entity: repoEntity,
-      required: false
-    },
-    dnsProvider: {
-      entity: providerEntity,
-      required: false
-    }
+    appName: Type20.Optional(Type20.String()),
+    fqdn: Type20.Optional(Type20.String()),
+    serviceType: Type20.Optional(serviceTypeSchema),
+    image: Type20.Optional(Type20.String()),
+    port: Type20.Optional(Type20.Number()),
+    replicas: Type20.Optional(Type20.Number()),
+    dataPath: Type20.Optional(Type20.String()),
+    env: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
+    mariadbEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
+    postgresqlEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
+    mongodbEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
+    manifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
+    serviceManifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
+    httpRouteManifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any()))
   },
+  secrets: {
+    mariadbPassword: Type20.Optional(Type20.String()),
+    postgresqlPassword: Type20.Optional(Type20.String()),
+    mongodbPassword: Type20.Optional(Type20.String())
+  },
+  inputs: createInputs([
+    "accessPoint",
+    "mariadb",
+    "postgresql",
+    "mongodb",
+    "resticRepo",
+    "dnsProviders"
+  ]),
   outputs: {
     deployment: deploymentEntity,
     service: serviceEntity
   },
-  secrets: {
-    mariadbPassword: Type17.Optional(Type17.String()),
-    postgresqlPassword: Type17.Optional(Type17.String()),
-    mongodbPassword: Type17.Optional(Type17.String())
-  },
   meta: {
     displayName: "Kubernetes Deployment",
     description: "A generic Kubernetes deployment with optional service and gateway routes.",
-    primaryIcon: "mdi:kubernetes",
-    secondaryIcon: "mdi:cube-outline"
+    primaryIcon: "devicon:kubernetes",
+    secondaryIcon: "mdi:cube-outline",
+    category: "Kubernetes"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "deployment"
-  }
+  source: createSource("deployment")
 });
 
 // src/apps/syncthing.ts
-import { defineUnit as defineUnit18, Type as Type18 } from "@highstate/contract";
-var backupModeSchema = Type18.Union([Type18.Literal("metadata"), Type18.Literal("full")]);
-var syncthing = defineUnit18({
+import { defineUnit as defineUnit20, Type as Type21 } from "@highstate/contract";
+var backupModeSchema = Type21.StringEnum(["state", "full"]);
+var syncthing = defineUnit20({
   type: "apps.syncthing",
   args: {
-    fqdn: Type18.String(),
-    deviceFqdn: Type18.Optional(Type18.String()),
-    appName: Type18.Optional(Type18.String()),
-    backupMode: Type18.Optional({ ...backupModeSchema, default: "metadata" })
-  },
-  inputs: {
-    accessPoint: accessPointEntity,
-    k8sCluster: clusterEntity2,
-    resticRepo: {
-      entity: repoEntity,
-      required: false
-    },
-    volume: {
-      entity: persistentVolumeClaimEntity,
-      required: false
-    }
+    ...createArgs2("syncthing", ["fqdn"]),
+    /**
+     * The FQDN of the Syncthing instance used to sync with other devices.
+     *
+     * The `fqdn` argument unlike this one points to the gateway and used to
+     * access the Syncthing Web UI.
+     */
+    deviceFqdn: Type21.Optional(Type21.String()),
+    /**
+     * The backup mode to use for the Syncthing instance.
+     *
+     * - `state`: Only the state is backed up. When the instance is restored, it will
+     * sync files from the other devices automatically.
+     * - `full`: A full backup is created including all files.
+     *
+     * The default is `state`.
+     */
+    backupMode: Type21.Default(backupModeSchema, "state")
   },
+  inputs: createInputs(["accessPoint", "resticRepo", "dnsProviders", "volume"]),
   outputs: {
     service: serviceEntity,
     volume: persistentVolumeClaimEntity
@@ -2285,38 +2848,22 @@ var syncthing = defineUnit18({
   meta: {
     displayName: "Syncthing",
     description: "The Syncthing instance deployed on Kubernetes.",
-    primaryIcon: "simple-icons:syncthing"
+    primaryIcon: "simple-icons:syncthing",
+    category: "File Sync"
   },
-  source: {
-    package: "@highstate/apps",
-    path: "syncthing"
-  }
+  source: createSource("syncthing")
 });
 
 // src/apps/code-server.ts
-import { defineUnit as defineUnit19, Type as Type19 } from "@highstate/contract";
-var codeServer = defineUnit19({
+import { defineUnit as defineUnit21, Type as Type22 } from "@highstate/contract";
+var codeServer = defineUnit21({
   type: "apps.code-server",
-  args: {
-    fqdn: Type19.String(),
-    appName: Type19.Optional(Type19.String())
-  },
+  args: createArgs2("code-server", ["fqdn"]),
   secrets: {
-    password: Type19.Optional(Type19.String()),
-    sudoPassword: Type19.Optional(Type19.String())
-  },
-  inputs: {
-    accessPoint: accessPointEntity,
-    k8sCluster: clusterEntity2,
-    resticRepo: {
-      entity: repoEntity,
-      required: false
-    },
-    volume: {
-      entity: persistentVolumeClaimEntity,
-      required: false
-    }
+    password: Type22.Optional(Type22.String()),
+    sudoPassword: Type22.Optional(Type22.String())
   },
+  inputs: createInputs(["accessPoint", "resticRepo", "dnsProviders", "volume"]),
   outputs: {
     statefulSet: statefulSetEntity,
     volume: persistentVolumeClaimEntity
@@ -2324,7 +2871,8 @@ var codeServer = defineUnit19({
   meta: {
     displayName: "Code Server",
     description: "The Code Server instance deployed on Kubernetes.",
-    primaryIcon: "material-icon-theme:vscode"
+    primaryIcon: "material-icon-theme:vscode",
+    category: "Development"
   },
   source: {
     package: "@highstate/apps",
@@ -2337,11 +2885,11 @@ var cloudflare_exports = {};
 __export(cloudflare_exports, {
   connection: () => connection2
 });
-import { defineUnit as defineUnit20, Type as Type20 } from "@highstate/contract";
-var connection2 = defineUnit20({
+import { defineUnit as defineUnit22, Type as Type23 } from "@highstate/contract";
+var connection2 = defineUnit22({
   type: "cloudflare.connection",
   secrets: {
-    apiToken: Type20.String()
+    apiToken: Type23.String()
   },
   outputs: {
     dnsProvider: providerEntity
@@ -2349,7 +2897,8 @@ var connection2 = defineUnit20({
   meta: {
     displayName: "Cloudflare Connection",
     description: "Creates a new Cloudflare connection for one zone.",
-    primaryIcon: "simple-icons:cloudflare"
+    primaryIcon: "simple-icons:cloudflare",
+    category: "Cloudflare"
   },
   source: {
     package: "@highstate/cloudflare",
@@ -2362,25 +2911,39 @@ var k3s_exports = {};
 __export(k3s_exports, {
   cluster: () => cluster2
 });
-import { defineUnit as defineUnit21 } from "@highstate/contract";
-import { Type as Type21 } from "@sinclair/typebox";
-var cluster2 = defineUnit21({
+import { defineUnit as defineUnit23, Type as Type24 } from "@highstate/contract";
+var cluster2 = defineUnit23({
   type: "k3s.cluster",
   args: {
-    ...sharedClusterArgs,
-    config: Type21.Optional(Type21.Record(Type21.String(), Type21.Any()))
-  },
-  inputs: {
-    server: serverEntity,
-    dnsProviders: {
-      entity: providerEntity,
-      required: false,
-      multiple: true
+    /**
+     * The K3S configuration to pass to each server or agent in the cluster.
+     *
+     * See: https://docs.k3s.io/installation/configuration
+     *
+     * @schema
+     */
+    config: {
+      ...Type24.Optional(Type24.Record(Type24.String(), Type24.Any())),
+      description: `The K3S configuration to pass to each server or agent in the cluster.
+
+ See: https://docs.k3s.io/installation/configuration`
+    },
+    /**
+     * The configuration of the registries to use for the K3S cluster.
+     *
+     * See: https://docs.k3s.io/installation/private-registry
+     *
+     * @schema
+     */
+    registries: {
+      ...Type24.Optional(Type24.Record(Type24.String(), Type24.Any())),
+      description: `The configuration of the registries to use for the K3S cluster.
+
+ See: https://docs.k3s.io/installation/private-registry`
     }
   },
-  outputs: {
-    k8sCluster: clusterEntity2
-  },
+  inputs: clusterInputs,
+  outputs: clusterOutputs,
   meta: {
     displayName: "K3s Cluster",
     description: "The K3s cluster created on top of the server.",
@@ -2397,27 +2960,20 @@ var cluster2 = defineUnit21({
 // src/mullvad.ts
 var mullvad_exports = {};
 __export(mullvad_exports, {
-  endpointType: () => endpointType,
   peer: () => peer2
 });
-import { defineUnit as defineUnit22, Type as Type22 } from "@highstate/contract";
-var endpointType = Type22.Union([
-  Type22.Literal("fqdn"),
-  Type22.Literal("ipv4"),
-  Type22.Literal("ipv6")
-]);
-var peer2 = defineUnit22({
+import { defineUnit as defineUnit24, Type as Type25 } from "@highstate/contract";
+var peer2 = defineUnit24({
   type: "mullvad.peer",
   args: {
-    hostname: Type22.Optional(Type22.String()),
-    endpointType: Type22.Optional({ ...endpointType, default: "fqdn" }),
+    hostname: Type25.Optional(Type25.String()),
     /**
      * Whether to include Mullvad DNS servers in the peer configuration.
      *
      * @schema
      */
     includeDns: {
-      ...Type22.Default(Type22.Boolean(), true),
+      ...Type25.Default(Type25.Boolean(), true),
       description: `Whether to include Mullvad DNS servers in the peer configuration.`
     }
   },
@@ -2434,14 +2990,18 @@ var peer2 = defineUnit22({
   },
   outputs: {
     peer: peerEntity,
-    l4Endpoint: l4EndpointEntity
+    endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true
+    }
   },
   meta: {
     displayName: "Mullvad Peer",
     description: "The Mullvad WireGuard peer fetched from the Mullvad API.",
     primaryIcon: "simple-icons:mullvad",
     secondaryIcon: "cib:wireguard",
-    secondaryIconColor: "#88171a"
+    secondaryIconColor: "#88171a",
+    category: "VPN"
   },
   source: {
     package: "@highstate/mullvad",
@@ -2456,18 +3016,18 @@ __export(timeweb_exports, {
   connectionEntity: () => connectionEntity,
   virtualMachine: () => virtualMachine2
 });
-import { defineEntity as defineEntity12, defineUnit as defineUnit23, Type as Type23 } from "@highstate/contract";
-var connectionEntity = defineEntity12({
+import { defineEntity as defineEntity13, defineUnit as defineUnit25, Type as Type26 } from "@highstate/contract";
+var connectionEntity = defineEntity13({
   type: "timeweb.connection",
-  schema: Type23.Object({
-    name: Type23.String(),
-    apiToken: Type23.String()
+  schema: Type26.Object({
+    name: Type26.String(),
+    apiToken: Type26.String()
   })
 });
-var connection3 = defineUnit23({
+var connection3 = defineUnit25({
   type: "timeweb.connection",
   secrets: {
-    apiToken: Type23.String()
+    apiToken: Type26.String()
   },
   outputs: {
     connection: connectionEntity
@@ -2475,19 +3035,20 @@ var connection3 = defineUnit23({
   meta: {
     displayName: "Timeweb Connection",
     description: "Creates a new Timeweb connection.",
-    primaryIcon: "material-symbols:cloud"
+    primaryIcon: "material-symbols:cloud",
+    category: "Timeweb"
   },
   source: {
     package: "@highstate/timeweb",
     path: "connection"
   }
 });
-var virtualMachine2 = defineUnit23({
+var virtualMachine2 = defineUnit25({
   type: "timeweb.virtual-machine",
   args: {
-    presetId: Type23.Optional(Type23.Number()),
-    osId: Type23.Optional(Type23.Number()),
-    availabilityZone: Type23.String()
+    presetId: Type26.Optional(Type26.Number()),
+    osId: Type26.Optional(Type26.Number()),
+    availabilityZone: Type26.String()
   },
   inputs: {
     connection: connectionEntity,
@@ -2497,7 +3058,7 @@ var virtualMachine2 = defineUnit23({
     }
   },
   secrets: {
-    sshPrivateKey: Type23.Optional(Type23.String())
+    sshPrivateKey: Type26.Optional(Type26.String())
   },
   outputs: {
     server: serverEntity
@@ -2506,7 +3067,8 @@ var virtualMachine2 = defineUnit23({
     displayName: "Timeweb Virtual Machine",
     description: "Creates a new Timeweb virtual machine.",
     primaryIcon: "material-symbols:cloud",
-    secondaryIcon: "codicon:vm"
+    secondaryIcon: "codicon:vm",
+    category: "Timeweb"
   },
   source: {
     package: "@highstate/timeweb",
@@ -2524,11 +3086,11 @@ __export(nixos_exports, {
   remoteFlake: () => remoteFlake,
   system: () => system
 });
-import { defineEntity as defineEntity13, defineUnit as defineUnit24, Type as Type24 } from "@highstate/contract";
-var inlineModuleEntity = defineEntity13({
+import { defineEntity as defineEntity14, defineUnit as defineUnit26, Type as Type27 } from "@highstate/contract";
+var inlineModuleEntity = defineEntity14({
   type: "nixos.inline-module",
-  schema: Type24.Object({
-    code: Type24.String()
+  schema: Type27.Object({
+    code: Type27.String()
   }),
   meta: {
     displayName: "NixOS Inline Module",
@@ -2536,10 +3098,10 @@ var inlineModuleEntity = defineEntity13({
     color: "#5277c3"
   }
 });
-var inlineModule = defineUnit24({
+var inlineModule = defineUnit26({
   type: "nixos.inline-module",
   args: {
-    code: Type24.String({ language: "nix" })
+    code: Type27.String({ language: "nix" })
   },
   inputs: {
     files: {
@@ -2556,17 +3118,18 @@ var inlineModule = defineUnit24({
     description: "Creates a NixOS module from inline code.",
     primaryIcon: "simple-icons:nixos",
     primaryIconColor: "#7ebae4",
-    secondaryIcon: "mdi:file-code"
+    secondaryIcon: "mdi:file-code",
+    category: "NixOS"
   },
   source: {
     package: "@highstate/nixos",
     path: "inline-module"
   }
 });
-var flakeEntity = defineEntity13({
+var flakeEntity = defineEntity14({
   type: "nixos.flake",
-  schema: Type24.Object({
-    url: Type24.String()
+  schema: Type27.Object({
+    url: Type27.String()
   }),
   meta: {
     displayName: "NixOS Flake",
@@ -2574,10 +3137,10 @@ var flakeEntity = defineEntity13({
     color: "#5277c3"
   }
 });
-var remoteFlake = defineUnit24({
+var remoteFlake = defineUnit26({
   type: "nixos.remote-flake",
   args: {
-    url: Type24.String()
+    url: Type27.String()
   },
   outputs: {
     flake: flakeEntity
@@ -2588,17 +3151,18 @@ var remoteFlake = defineUnit24({
     primaryIcon: "simple-icons:nixos",
     primaryIconColor: "#7ebae4",
     secondaryIcon: "simple-icons:git",
-    secondaryIconColor: "#f1502f"
+    secondaryIconColor: "#f1502f",
+    category: "NixOS"
   },
   source: {
     package: "@highstate/nixos",
     path: "flake"
   }
 });
-var inlineFlake = defineUnit24({
+var inlineFlake = defineUnit26({
   type: "nixos.inline-flake",
   args: {
-    code: Type24.String({ language: "nix" })
+    code: Type27.String({ language: "nix" })
   },
   inputs: {
     flakes: {
@@ -2625,17 +3189,18 @@ var inlineFlake = defineUnit24({
     description: "Creates a NixOS flake from inline code.",
     primaryIcon: "simple-icons:nixos",
     primaryIconColor: "#7ebae4",
-    secondaryIcon: "mdi:file-code"
+    secondaryIcon: "mdi:file-code",
+    category: "NixOS"
   },
   source: {
     package: "@highstate/nixos",
     path: "inline-flake"
   }
 });
-var system = defineUnit24({
+var system = defineUnit26({
   type: "nixos.system",
   args: {
-    system: Type24.Optional(Type24.String())
+    system: Type27.Optional(Type27.String())
   },
   inputs: {
     flake: flakeEntity,
@@ -2654,7 +3219,8 @@ var system = defineUnit24({
     description: "Creates a NixOS system on top of any server.",
     primaryIcon: "simple-icons:nixos",
     primaryIconColor: "#7ebae4",
-    secondaryIcon: "codicon:vm"
+    secondaryIcon: "codicon:vm",
+    category: "NixOS"
   },
   source: {
     package: "@highstate/nixos",
@@ -2667,11 +3233,11 @@ var sops_exports = {};
 __export(sops_exports, {
   secrets: () => secrets
 });
-import { defineUnit as defineUnit25, Type as Type25 } from "@highstate/contract";
-var secrets = defineUnit25({
+import { defineUnit as defineUnit27, Type as Type28 } from "@highstate/contract";
+var secrets = defineUnit27({
   type: "sops.secrets",
   args: {
-    secrets: Type25.Record(Type25.String(), Type25.Any())
+    secrets: Type28.Record(Type28.String(), Type28.Any())
   },
   inputs: {
     servers: {
@@ -2686,7 +3252,8 @@ var secrets = defineUnit25({
   meta: {
     displayName: "SOPS Secrets",
     description: "Encrypts secrets using SOPS for the specified servers.",
-    primaryIcon: "mdi:file-lock"
+    primaryIcon: "mdi:file-lock",
+    category: "Secrets"
   },
   source: {
     package: "@highstate/sops",
@@ -2697,21 +3264,21 @@ var secrets = defineUnit25({
 // src/obfuscators/index.ts
 var obfuscators_exports = {};
 __export(obfuscators_exports, {
+  deobfuscatorSpec: () => deobfuscatorSpec,
+  obfuscatorSpec: () => obfuscatorSpec,
   phantun: () => phantun_exports
 });
 
-// src/obfuscators/phantun.ts
-var phantun_exports = {};
-__export(phantun_exports, {
-  deobfuscator: () => deobfuscator,
-  obfuscator: () => obfuscator
-});
-import { defineUnit as defineUnit26 } from "@highstate/contract";
-
 // src/obfuscators/shared.ts
-import { Type as Type26 } from "@sinclair/typebox";
+import { Type as Type29 } from "@highstate/contract";
 var deobfuscatorSpec = {
   args: {
+    /**
+     * The name of the namespace and deployment to deploy the deobfuscator on.
+     *
+     * By default, calculated as `deobfs-{type}-{name}`.
+     */
+    appName: Type29.Optional(Type29.String()),
     /**
      * The L4 endpoint to forward deobfuscated traffic to.
      *
@@ -2719,11 +3286,24 @@ var deobfuscatorSpec = {
      *
      * @schema
      */
-    targetEndpoint: {
-      ...Type26.Optional(Type26.String()),
+    targetEndpoints: {
+      ...Type29.Default(Type29.Array(Type29.String()), []),
       description: `The L4 endpoint to forward deobfuscated traffic to.
 
  Will take precedence over the \`targetEndpoint\` input.`
+    },
+    /**
+     * Whether to expose the deobfuscator service by "NodePort" or "LoadBalancer".
+     *
+     * By default, the service is not exposed and only accessible from within the cluster.
+     *
+     * @schema
+     */
+    external: {
+      ...Type29.Default(Type29.Boolean(), false),
+      description: `Whether to expose the deobfuscator service by "NodePort" or "LoadBalancer".
+
+ By default, the service is not exposed and only accessible from within the cluster.`
     }
   },
   inputs: {
@@ -2737,41 +3317,72 @@ var deobfuscatorSpec = {
       description: `The Kubernetes cluster to deploy the deobfuscator on.`
     },
     /**
-     * The L4 endpoint to forward deobfuscated traffic to.
+     * The L4 endpoints to forward deobfuscated traffic to.
+     *
+     * Will select the most appropriate endpoint based on the environment.
      *
      * @schema
      */
-    targetEndpoint: {
-      ...l4EndpointEntity,
-      description: `The L4 endpoint to forward deobfuscated traffic to.`
+    targetEndpoints: {
+      ...{
+        entity: l4EndpointEntity,
+        required: false,
+        multiple: true
+      },
+      description: `The L4 endpoints to forward deobfuscated traffic to.
+
+ Will select the most appropriate endpoint based on the environment.`
     }
   },
   outputs: {
     /**
-     * The L4 endpoint of the deobfuscator accepting obfuscated traffic.
+     * The L4 endpoints of the deobfuscator accepting obfuscated traffic.
      *
      * @schema
      */
-    endpoint: {
-      ...l4EndpointEntity,
-      description: `The L4 endpoint of the deobfuscator accepting obfuscated traffic.`
+    endpoints: {
+      ...{
+        entity: l4EndpointEntity,
+        required: false,
+        multiple: true
+      },
+      description: `The L4 endpoints of the deobfuscator accepting obfuscated traffic.`
     }
   }
 };
 var obfuscatorSpec = {
   args: {
+    /**
+     * The name of the namespace and deployment to deploy the obfuscator on.
+     *
+     * By default, calculated as `obfs-{type}-{name}`.
+     */
+    appName: Type29.Optional(Type29.String()),
     /**
      * The endpoint of the deobfuscator to pass obfuscated traffic to.
      *
-     * Will take precedence over the `l4Endpoint` input.
+     * Will take precedence over the `endpoint` input.
      *
      * @schema
      */
-    endpoint: {
-      ...Type26.Optional(Type26.String()),
+    endpoints: {
+      ...Type29.Default(Type29.Array(Type29.String()), []),
       description: `The endpoint of the deobfuscator to pass obfuscated traffic to.
 
- Will take precedence over the \`l4Endpoint\` input.`
+ Will take precedence over the \`endpoint\` input.`
+    },
+    /**
+     * Whether to expose the obfuscator service by "NodePort" or "LoadBalancer".
+     *
+     * By default, the service is not exposed and only accessible from within the cluster.
+     *
+     * @schema
+     */
+    external: {
+      ...Type29.Default(Type29.Boolean(), false),
+      description: `Whether to expose the obfuscator service by "NodePort" or "LoadBalancer".
+
+ By default, the service is not exposed and only accessible from within the cluster.`
     }
   },
   inputs: {
@@ -2785,54 +3396,70 @@ var obfuscatorSpec = {
       description: `The Kubernetes cluster to deploy the obfuscator on.`
     },
     /**
-     * The L4 endpoint of the deobfuscator to pass obfuscated traffic to.
+     * The L4 endpoints of the deobfuscator to pass obfuscated traffic to.
+     *
+     * Will select the most appropriate endpoint based on the environment.
      *
      * @schema
      */
-    endpoint: {
+    endpoints: {
       ...{
         entity: l4EndpointEntity,
-        required: false
+        required: false,
+        multiple: true
       },
-      description: `The L4 endpoint of the deobfuscator to pass obfuscated traffic to.`
+      description: `The L4 endpoints of the deobfuscator to pass obfuscated traffic to.
+
+ Will select the most appropriate endpoint based on the environment.`
     }
   },
   outputs: {
     /**
-     * The L4 endpoint accepting unobfuscated traffic.
+     * The L4 endpoints accepting unobfuscated traffic.
      *
      * @schema
      */
-    entryEndpoint: {
-      ...l4EndpointEntity,
-      description: `The L4 endpoint accepting unobfuscated traffic.`
+    entryEndpoints: {
+      ...{
+        entity: l4EndpointEntity,
+        multiple: true
+      },
+      description: `The L4 endpoints accepting unobfuscated traffic.`
     }
   }
 };
 
 // src/obfuscators/phantun.ts
-var deobfuscator = defineUnit26({
+var phantun_exports = {};
+__export(phantun_exports, {
+  deobfuscator: () => deobfuscator,
+  obfuscator: () => obfuscator
+});
+import { defineUnit as defineUnit28 } from "@highstate/contract";
+var deobfuscator = defineUnit28({
   type: "obfuscators.phantun.deobfuscator",
   ...deobfuscatorSpec,
   meta: {
     displayName: "Phantun Deobfuscator",
     description: "The Phantun Deobfuscator deployed on Kubernetes.",
     primaryIcon: "mdi:network-outline",
-    secondaryIcon: "mdi:hide"
+    secondaryIcon: "mdi:hide",
+    category: "Obfuscators"
   },
   source: {
     package: "@highstate/obfuscators",
     path: "phantun/deobfuscator"
   }
 });
-var obfuscator = defineUnit26({
+var obfuscator = defineUnit28({
   type: "obfuscators.phantun.obfuscator",
   ...obfuscatorSpec,
   meta: {
     displayName: "Phantun Obfuscator",
     description: "The Phantun Obfuscator deployed on Kubernetes.",
     primaryIcon: "mdi:network-outline",
-    secondaryIcon: "mdi:hide"
+    secondaryIcon: "mdi:hide",
+    category: "Obfuscators"
   },
   source: {
     package: "@highstate/obfuscators",
@@ -2841,14 +3468,17 @@ var obfuscator = defineUnit26({
 });
 export {
   apps_exports as apps,
+  arrayPatchModeSchema,
   cloudflare_exports as cloudflare,
   common_exports as common,
   dns_exports as dns,
   k3s_exports as k3s,
   k8s_exports as k8s,
   mullvad_exports as mullvad,
+  network_exports as network,
   nixos_exports as nixos,
   obfuscators_exports as obfuscators,
+  prefixKeysWith,
   proxmox_exports as proxmox,
   restic_exports as restic,
   sops_exports as sops,