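# SPDX-FileCopyrightText: 2020-2024 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# WireGuard tunnel "wg-he" between the machines listed in `peers`.
#
# The machine named `serverHostName` is the hub: it listens on `serverPort`,
# forwards IPv6 between the peers and carries the Hurricane Electric 6in4
# tunnel (netdev "he") that provides upstream connectivity for
# 2001:470:73b9::/48. Every other host is a client that reaches the hub
# at `serverAddress`. Which role a machine takes is decided purely by its
# hostname, so the same module is imported everywhere.
{ lib, config, ... }:

let
  serverHostName = "yuzuru";
  serverPort = 51820;
  # Public IPv4 address of the hub. It is both the WireGuard endpoint the
  # clients connect to and the local side of the HE 6in4 tunnel, so keep
  # it in one place.
  serverAddress = "85.215.73.203";

  # One entry per tunnel participant. `subnets` are the IPv6 prefixes a
  # peer may source traffic from (its AllowedIPs on the hub); the hub
  # itself has none because it only forwards for the others.
  peers = {
    yuzuru = {
      subnets = [ ];
      publicKey = "mWm92aZybisoLtd11g4XqwUZvQGVxMfPW9/za3/1/0Y=";
    };
    shinobu = {
      subnets = [ "2001:470:73b9::/56" ];
      publicKey = "c8lnzMWFeTzQmXwNV0DlD2ROJqBcDL0F9WN5u4lVeFQ=";
    };
  };

  cfg = config.sbruder.wireguard.he;
  # Only the hub gets the listen port, the HE tunnel, forwarding and the
  # firewall opening.
  enableServer = config.networking.hostName == serverHostName;
in
{
  options.sbruder.wireguard.he.enable = lib.mkEnableOption "WireGuard tunnel wg-he";

  config = lib.mkIf cfg.enable {
    # The private key is decrypted by sops into a file owned by the
    # systemd-network user, so networkd can read it without extra
    # privileges. Each machine keeps its own key in its own secrets file.
    sops.secrets.wg-he-private-key = {
      owner = config.users.users.systemd-network.name;
      sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
    };

    systemd.network = {
      enable = true;

      netdevs = {
        wg-he = {
          netdevConfig = {
            Kind = "wireguard";
            Name = "wg-he";
          };
          wireguardConfig = {
            PrivateKeyFile = config.sops.secrets.wg-he-private-key.path;
          } // (lib.optionalAttrs enableServer {
            # Only the hub needs a fixed port (matched by the firewall rule
            # at the bottom); clients use an ephemeral source port.
            ListenPort = serverPort;
          });
          wireguardPeers =
            if enableServer then
              # Hub: one peer per other host, each limited by cryptokey
              # routing to the prefixes it owns.
              lib.mapAttrsToList
                (_: { publicKey, subnets }: {
                  wireguardPeerConfig = {
                    PublicKey = publicKey;
                    AllowedIPs = subnets;
                  };
                })
                (lib.filterAttrs (name: _: name != config.networking.hostName) peers)
            else
              # Client: a single peer, the hub. AllowedIPs covers all of
              # IPv6 because traffic for the client's prefix arrives through
              # the tunnel from arbitrary Internet sources; what is sent into
              # the tunnel is limited by the /48 route in the `wg-he` network
              # below.
              lib.singleton {
                wireguardPeerConfig = {
                  PublicKey = peers."${serverHostName}".publicKey;
                  AllowedIPs = "::/0";
                  Endpoint = "${serverAddress}:${toString serverPort}";
                  # The client keeps the session alive so the hub can always
                  # reach it, e.g. through NAT.
                  PersistentKeepalive = 25;
                };
              };
        };
      } // (lib.optionalAttrs enableServer {
        # Hurricane Electric 6in4 tunnel, hub only.
        he = {
          netdevConfig = {
            Name = "he";
            Kind = "sit";
            # 1500 minus the 20-byte IPv4 encapsulation header.
            MTUBytes = "1480";
          };
          tunnelConfig = {
            Remote = "216.66.80.30"; # tserv1.fra1.he.net
            Local = serverAddress;
            TTL = 255;
          };
        };
      });

      networks = {
        wg-he = {
          name = "wg-he";
          networkConfig = lib.optionalAttrs enableServer {
            # The hub routes between the clients and the HE tunnel.
            IPForward = "ipv6";
          };
          # The whole /48 is reachable through the WireGuard interface.
          routes = lib.singleton {
            routeConfig.Destination = "2001:470:73b9::/48";
          };
        };
      } // (lib.optionalAttrs enableServer {
        he = {
          name = "he";
          address = lib.singleton "2001:470:1f0a:5db::2/64";
          gateway = lib.singleton "2001:470:1f0a:5db::1";
          # Policy routing: traffic sourced from the routed /48 is looked up
          # in table 0x73b9, whose only route points at the HE tunnel.
          routingPolicyRules = lib.singleton {
            routingPolicyRuleConfig = {
              From = "2001:470:73b9::/48";
              Table = "0x73b9";
            };
          };
          routes = lib.singleton {
            routeConfig = {
              Gateway = "2001:470:1f0a:5db::1";
              Table = "0x73b9";
            };
          };
        };
        # FIXME interface name is hardcoded
        eth0 = {
          networkConfig.Tunnel = "he";
        };
      });
    };

    # Open the WireGuard port only on the machine that listens on it.
    networking.firewall.allowedUDPPorts = lib.optional enableServer serverPort;
  };
}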