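# NixOS module: optional WireGuard interfaces for Mullvad and NYC Mesh,
# all gated behind `orbekk.wireguard.enable`.
{ config, lib, pkgs, ... }:

let
  cfg = config.orbekk.wireguard;
in
{
  options = {
    orbekk.wireguard = {
      # mkEnableOption prepends "Whether to enable ", so the argument names the
      # thing being enabled rather than being a full sentence.
      enable = lib.mkEnableOption "the WireGuard VPN module";
      enableMullvad = lib.mkEnableOption "the Mullvad WireGuard interface";
      enableNycmesh = lib.mkEnableOption "the NYC Mesh WireGuard interface";

      listenPort = lib.mkOption {
        type = lib.types.port;
        default = 40421;
        description = "Local UDP port the WireGuard interface listens on; it is also opened in the firewall.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Both interfaces below bind `cfg.listenPort`, and two interfaces cannot
    # share one local UDP port, so enabling both would fail when the second
    # interface comes up. Reject that combination at evaluation time instead.
    assertions = [
      {
        assertion = !(cfg.enableMullvad && cfg.enableNycmesh);
        message = "orbekk.wireguard: enableMullvad and enableNycmesh both bind listenPort ${toString cfg.listenPort}; enable only one of them.";
      }
    ];

    # Inbound WireGuard traffic for the configured port.
    orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];

    networking.wireguard = {
      enable = true;

      interfaces.mullvad = lib.mkIf cfg.enableMullvad {
        # Key is referenced by path (privateKeyFile) rather than inlined, so it
        # does not end up in the world-readable Nix store.
        privateKeyFile = "/opt/secret/wireguard/mullvad.private";
        ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
        # allowedIPs below covers all traffic, but no routes are installed for
        # it here; steering traffic into this tunnel is configured elsewhere.
        allowedIPsAsRoutes = false;
        listenPort = cfg.listenPort;
        peers = [
          {
            endpoint = "ca10-wireguard.mullvad.net:51820";
            publicKey = "pAVh6WJtyF7ktvavez399L4A615TXOAaUHQgpwJ4EHU=";
            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
          }
        ];
      };

      interfaces.nycmesh = lib.mkIf cfg.enableNycmesh {
        # Same handling as above: key by path, not inlined.
        privateKeyFile = "/opt/secret/wireguard/nycmesh.private";
        ips = [ "10.70.73.50/32" ];
        # No routes installed; see the note on the mullvad interface.
        allowedIPsAsRoutes = false;
        listenPort = cfg.listenPort;
        peers = [
          {
            endpoint = "wgvpn.sn1.mesh.nycmesh.net:51822";
            publicKey = "W5AQ3LmNVr2bW/IQrIY1GpyacplGc2lpavoeSzU/KhQ=";
            allowedIPs = [ "0.0.0.0/0" "::0/0" ];
          }
        ];
      };
    };
  };
}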