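{ config, lib, ... }:
# NixOS module: a Wireguard tunnel `wg0` managed by systemd-networkd, with the
# private key supplied through agenix and the peer settings exposed as options.
let
  cfg = config.custom.wg0;
in
{
  options = {
    custom.wg0 = {
      # Plain string: `lib.mdDoc` is deprecated and markdown is the default.
      enable = lib.mkEnableOption "Wireguard config";

      addresses = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        # systemd's Address= takes a prefix length; constructed example only.
        example = [ "198.18.1.2/32" ];
        description = "IP addresses (with prefix length) for this machine within VPN.";
      };

      privateKeyFile = lib.mkOption {
        # Deliberately `str`, not `path`: a `path` value would be copied into
        # the world-readable Nix store, which must never happen to a key.
        type = lib.types.str;
        example = "/path/to/secret.key";
        description = "Private key file.";
      };

      # Parameterised so the hard-coded default can be overridden per host;
      # the default keeps the previous behaviour.
      endpoint = lib.mkOption {
        type = lib.types.str;
        default = "gateway.seven.secunet.com:51821";
        description = "Endpoint (host:port) of the Wireguard peer.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Keys are decrypted at activation with systemd-network as owner so that
    # networkd can read PrivateKeyFile without the key being world-readable.
    # NOTE(review): both secrets are declared on every host that enables this
    # module, although only the one named by cfg.privateKeyFile is used;
    # presumably a per-host selection is intended — confirm.
    age.secrets.wireguard-home-pc-key = {
      file = ../secrets/wireguard/home-pc.key.age;
      owner = "systemd-network";
    };
    age.secrets.wireguard-cmdframe-key = {
      file = ../secrets/wireguard/cmdframe.key.age;
      owner = "systemd-network";
    };

    systemd.network = {
      enable = true;

      # TODO cannot push this to public git like this
      netdevs."40-wg0" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
          MTUBytes = "1280";
        };
        wireguardConfig = {
          # Path only; the key itself never enters the Nix store.
          PrivateKeyFile = cfg.privateKeyFile;
        };
        wireguardPeers = [
          {
            # The peer's public key is not secret; the endpoint is the part
            # the TODO below wants out of the public config.
            PublicKey = "ZVayNyJeOn848aus5bqYU2ujNxvnYtV3ACoerLtDpg8=";
            # Source addresses accepted from, and destinations routed to, this peer.
            AllowedIPs = [ "198.18.0.0/15" "fd00:5ec::/48" ];
            # TODO remove endpoint from config
            Endpoint = cfg.endpoint;
          }
        ];
      };

      networks."40-wg0" = {
        matchConfig.Name = "wg0";
        address = cfg.addresses;
        networkConfig = {
          IPMasquerade = "ipv4";
        };
      };
    };
  };
}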