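# NixOS module: a WireGuard interface named `mullvad`, toggled by
# `orbekk.mullvad.enable`.
#
# Options:
#   orbekk.mullvad.enable     - turn the tunnel configuration on.
#   orbekk.mullvad.listenPort - local UDP port WireGuard binds to (default 40421).
#
# When enabled, the module registers the listen port with
# `orbekk.simple-firewall` and defines `networking.wireguard.interfaces.mullvad`
# with a single active peer.
{ config, lib, pkgs, ... }:
let
  cfg = config.orbekk.mullvad;
in
{
  options = {
    orbekk.mullvad = {
      # mkEnableOption prepends "Whether to enable " to its argument, so it
      # takes a noun phrase; the previous "Enable VPN" rendered as
      # "Whether to enable Enable VPN."
      enable = lib.mkEnableOption "Mullvad WireGuard VPN";

      listenPort = lib.mkOption {
        type = lib.types.port;
        default = 40421;
        description = "wireguard local port";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Registers the WireGuard listen port with the project's firewall module.
    # NOTE(review): presumably this opens the port for inbound UDP. The tunnel
    # is initiated from this host towards the relay, so if the firewall is
    # stateful the inbound rule may be unnecessary - confirm.
    orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];

    networking.wireguard = {
      enable = true;

      interfaces.mullvad = {
        # A string (not a Nix path literal), so the key is read from this
        # location at runtime and is not copied into the world-readable
        # Nix store. This module neither creates the file nor sets its mode.
        # NOTE(review): confirm it is owned by root and not group/world readable.
        privateKeyFile = "/opt/secret/wireguard/mullvad.private";

        ips = [
          "10.74.12.93/32"
          "fc00:bbbb:bbbb:bb01::b:c5c/128"
        ];

        # No routes are installed for the peers' allowedIPs. The peer below
        # accepts every destination (0.0.0.0/0, ::0/0), but which traffic
        # actually enters the tunnel is decided outside this module.
        # NOTE(review): confirm the routing rules and any leak protection
        # (traffic falling back to the default route when the tunnel is
        # down) are configured elsewhere.
        allowedIPsAsRoutes = false;

        listenPort = cfg.listenPort;

        peers = [
          # Oslo
          # {
          #   endpoint = "no4-wireguard.relays.mullvad.net:51820";
          #   publicKey = "veeEoYS9a2T6K8WMs/MvRCdNJG580XbhnLfbFjp3B0M=";
          #   allowedIPs = [ "0.0.0.0/0" "::0/0" ];
          # }
          {
            # se-got-wg-004
            # The endpoint is pinned by IP address, so bringing the tunnel up
            # needs no DNS lookup; the address and public key must be updated
            # by hand if the relay changes.
            endpoint = "185.213.154.69:51820";
            publicKey = "veGD6/aEY6sMfN3Ls7YWPmNgu3AheO7nQqsFT47YSws=";
            allowedIPs = [
              "0.0.0.0/0"
              "::0/0"
            ];
          }
        ];
      };
    };
  };
}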