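{ config, lib, pkgs, ... }:
# orbekk.vpn: a WireGuard mesh inside the IPv6 prefix `vpn-prefix`::/64.
# Every host owns one /128.  Hosts with a public DNS name are `router`s;
# seen from a non-server host they attract the whole /64 (more-specific
# /128 peers still win, as WireGuard's allowed-ips lookup is longest-prefix).
let
  cfg = config.orbekk.vpn;
  hostName = config.networking.hostName;
  vpn-prefix = "2001:470:8e2e:1000";

  # Per-host record.  `lib.fileContents` strips the trailing newline that
  # `wg pubkey` writes; `builtins.readFile` kept it, and the value is handed
  # to `wg set ... peer "<key>"` verbatim, where a key that is not exactly
  # 44 base64 characters is presumably rejected as malformed.
  mkConfig = host: ip: {
    ips = [ "${vpn-prefix}::${ip}/128" ];
    publicKey = lib.fileContents ../secrets/${host}-wireguard-key.pub;
    endpoint = null;  # set only for hosts reachable from the internet
    router = false;   # true: non-server peers route the whole /64 via this host
  };

  # Endpoints reuse the *local* cfg.listenPort, i.e. every host is assumed
  # to listen on the same port; a host with a different port would need its
  # own endpoint string here.
  hosts = {
    dragon = mkConfig "dragon" "d" // {
      endpoint = "dragon.orbekk.com:${toString cfg.listenPort}";
      router = true;
    };
    tiny1 = mkConfig "tiny1" "1001" // {
      endpoint = "tiny1.orbekk.com:${toString cfg.listenPort}";
    };
    firelink = mkConfig "firelink" "2001";
    pincer = mkConfig "pincer" "2002";
    steamdeck = mkConfig "steamdeck" "2003";
  };

  # Turn a host record into a networking.wireguard peer.  A router, seen
  # from a non-server host, gets the whole prefix as allowedIPs so traffic
  # for hosts without a direct endpoint is relayed through it; a server
  # keeps per-host /128 routes.
  mkPeer = hostConfig: {
    inherit (hostConfig) publicKey endpoint;
    allowedIPs =
      if hostConfig.router && !cfg.is_server
      then [ "${vpn-prefix}::/64" ]
      else hostConfig.ips;
  };

  # Every host except `host` itself, as a list of peers.
  getPeers = host:
    map mkPeer (builtins.attrValues (builtins.removeAttrs hosts [ host ]));
in {
  options.orbekk.vpn = {
    # mkEnableOption prefixes "Whether to enable ", so the argument names
    # the thing rather than repeating the verb.
    enable = lib.mkEnableOption "the orbekk WireGuard VPN";
    is_server = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Whether this host is a hub: it keeps per-host /128 routes instead of sending the whole VPN prefix to router peers.";
    };
    listenPort = lib.mkOption {
      type = lib.types.port;
      default = 40422;
      description = "wireguard local port";
    };
  };

  config = lib.mkIf cfg.enable {
    # Fail with a readable message instead of an "attribute missing" trace
    # when the module is enabled on a host that has no entry in `hosts`.
    assertions = [{
      assertion = builtins.hasAttr hostName hosts;
      message = "orbekk.vpn: no VPN host entry for '${hostName}'";
    }];

    orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];

    # Only the decrypted secret's path is referenced below; the private key
    # itself is never embedded in the evaluated configuration.
    age.secrets."${hostName}-wireguard-key".file =
      ./. + "/../secrets/${hostName}-wireguard-key.age";

    networking.networkmanager.unmanaged = [ "vpn" ];
    networking.wireguard = {
      enable = true;
      interfaces.vpn = {
        ips = hosts.${hostName}.ips;
        privateKeyFile = config.age.secrets."${hostName}-wireguard-key".path;
        allowedIPsAsRoutes = true;
        listenPort = cfg.listenPort;
        peers = getPeers hostName;
      };
    };
  };
}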