{ config, lib, pkgs, ... }:

let
  cfg = config.orbekk.vpn;
  hostName = config.networking.hostName;
  # agenix secret name for this host's WireGuard private key
  secretName = "${hostName}-wireguard-key";

  # /64 that every VPN address lives in; each host gets one or more /128s below it.
  vpnPrefix = "2001:470:8e2e:1000";

  # Base entry for a host: its VPN address(es) and the public key committed
  # under ../secrets. `endpoint` and `router` are overridden per host below.
  # The readFile is lazy: it only runs if that host's publicKey is forced.
  mkConfig = host: suffix: {
    ips = [ "${vpnPrefix}::${suffix}/128" ];
    publicKey = builtins.readFile (../secrets + "/${host}-wireguard-key.pub");
    endpoint = null;
    router = false;
  };

  hosts = {
    dragon = mkConfig "dragon" "d" // {
      endpoint = "dragon.orbekk.com:${toString cfg.listenPort}";
      router = true;
    };
    tiny1 = mkConfig "tiny1" "1001" // {
      endpoint = "tiny1.orbekk.com:${toString cfg.listenPort}";
    };
    firelink = mkConfig "firelink" "2001";
    pincer = mkConfig "pincer" "2002";
    steamdeck = mkConfig "steamdeck" "2003" // {
      ips = [ "${vpnPrefix}::2003/128" "${vpnPrefix}::2004/128" ];
    };
    # NOTE(review): ::2004/128 is also listed under steamdeck above. If both
    # ever end up as peers of the same interface the allowedIPs overlap and
    # only one peer can own that route — confirm which host should hold it.
    trygve = mkConfig "trygve" "2004";
  };

  # Turn a host entry into a WireGuard peer. From a client's point of view the
  # router is allowed to source the whole /64; everyone else only their own /128s.
  mkPeer = hostConfig: {
    inherit (hostConfig) publicKey endpoint;
    allowedIPs =
      if hostConfig.router && !cfg.is_server
      then [ "${vpnPrefix}::/64" ]
      else hostConfig.ips;
  };

  # dragon peers with everybody else; every other host peers only with dragon.
  # NOTE(review): not referenced by `config` below, which hard-codes a single
  # dragon peer — so `is_server`, `mkPeer` and the per-host public keys under
  # ../secrets currently have no effect on the generated configuration.
  getPeers = host:
    let
      others = builtins.attrValues (builtins.removeAttrs hosts [ host ]);
    in
    if host == "dragon" then map mkPeer others else map mkPeer [ hosts.dragon ];
in
{
  options.orbekk.vpn = {
    enable = lib.mkEnableOption "Enable VPN";
    is_server = lib.mkOption {
      type = lib.types.bool;
      default = false;
    };
    listenPort = lib.mkOption {
      type = lib.types.port;
      default = 40422;
      description = "wireguard local port";
    };
  };

  config = lib.mkIf cfg.enable {
    # Every host enabling the module opens its listen port, including hosts
    # that only dial out to dragon — presumably intended so they can be
    # reached directly; verify against the firewall policy.
    orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];

    # The private key stays encrypted in the repo; agenix decrypts it at
    # activation and only its runtime path reaches the WireGuard config.
    age.secrets.${secretName}.file = ../secrets + "/${secretName}.age";

    networking.networkmanager.unmanaged = [ "vpn" ];

    networking.wireguard = {
      enable = true;
      interfaces.vpn = {
        ips = hosts.${hostName}.ips;
        privateKeyFile = "${config.age.secrets.${secretName}.path}";
        allowedIPsAsRoutes = true;
        listenPort = cfg.listenPort;
        peers = [
          # NOTE(review): this endpoint (vpn.orbekk.com) and the literal public
          # key differ from hosts.dragon above (dragon.orbekk.com and the key
          # read from ../secrets); confirm which pair is current so the two
          # sources do not drift apart.
          {
            name = "dragon";
            endpoint = "vpn.orbekk.com:${toString cfg.listenPort}";
            publicKey = "9q8aH3R8YBfP3xiTmN5bNiLQswY5dy3grB/P0vDqP0M=";
            allowedIPs = [ "${vpnPrefix}::/64" ];
            persistentKeepalive = 60;
          }
        ];
      };
    };
  };
}