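# WireGuard mesh between the hosts listed in `wgHosts`.
#
# The module is host-aware: it looks up `config.networking.hostName` in
# `wgHosts` to pick this host's tunnel address and private key, and turns
# every *other* entry into a peer.  Adding a host to the mesh means adding
# an entry here, generating its key pair, and placing the age-encrypted
# private key at `../secrets/<hostname>/wireguard.age`.
{ config, lib, ... }:
let
  # One entry per mesh member.
  #   ip        - last octet of the host's address inside `wgSubnet`
  #   publicKey - the host's WireGuard public key (not a secret)
  #   endpoint  - address peers use to reach this host, or null / omitted
  #               when the host has no fixed reachable address; such a host
  #               has to initiate the handshake itself and its peers learn
  #               its address from the first authenticated packet.
  # NOTE(review): the 192.168.1.x endpoints are RFC 1918 addresses and are
  # presumably only reachable from the same LAN; argonath can therefore not
  # initiate to bree/rivendell and relies on them dialling out first —
  # confirm this is the intended topology.
  wgHosts = {
    bree = {
      ip = 40;
      publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
      endpoint = "192.168.1.50";
    };
    argonath = {
      ip = 51;
      publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w=";
      endpoint = "157.230.146.234";
    };
    rivendell = {
      ip = 60;
      publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
      endpoint = "192.168.1.114";
    };
  };

  wgPort = 51820;
  wgSubnet = "10.100.0";

  currentHostname = config.networking.hostName;

  # Fail evaluation loudly instead of silently building a host that is not
  # part of the mesh.
  currentHost =
    wgHosts.${currentHostname}
      or (throw "Host ${currentHostname} not found in wireguard configuration");

  # Peer list for this host: every mesh member except ourselves.
  # `allowedIPs` is one /32 per peer, so cryptokey routing only accepts
  # packets from a peer for that peer's own tunnel address — a peer cannot
  # source traffic as another host over the tunnel.
  peers = lib.mapAttrsToList (
    _hostname: hostCfg:
    {
      publicKey = hostCfg.publicKey;
      allowedIPs = [ "${wgSubnet}.${toString hostCfg.ip}/32" ];
      # Periodic keepalive so NAT mappings towards this peer stay open.
      persistentKeepalive = 25;
    }
    # `or null`: an entry that omits `endpoint` is treated as "no fixed
    # endpoint" rather than failing evaluation with a missing-attribute
    # error, which is what the `!= null` check implies is supported.
    // lib.optionalAttrs ((hostCfg.endpoint or null) != null) {
      endpoint = "${hostCfg.endpoint}:${toString wgPort}";
    }
  ) (lib.filterAttrs (n: _v: n != currentHostname) wgHosts);
in
{
  # Per-host age-encrypted private key; only the decrypted file's path is
  # handed to WireGuard (`privateKeyFile`), the key itself is never written
  # into the configuration.
  age.secrets.wireguard.file = ../secrets/${currentHostname}/wireguard.age;

  networking.wireguard = {
    enable = true;
    interfaces.wg0 = {
      ips = [ "${wgSubnet}.${toString currentHost.ip}/32" ];
      listenPort = wgPort;
      privateKeyFile = config.age.secrets.wireguard.path;
      inherit peers;
    };
  };

  # NOTE(review): trusting wg0 switches the firewall off for everything that
  # arrives over the tunnel, so any peer holding a listed key reaches every
  # service bound on this host, not only the ones meant to be shared.  If
  # the mesh members are not all equally trusted, prefer
  # `networking.firewall.interfaces.wg0.allowedTCPPorts = [ ... ]` (and the
  # UDP equivalent) listing just the intended services.
  networking.firewall.trustedInterfaces = [ "wg0" ];

  # The listen port must be reachable by the peers; it is opened on every
  # interface here, not only the one facing the other hosts.
  networking.firewall.allowedUDPPorts = [ wgPort ];
}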