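# Home WireGuard tunnel (wg0) plus a CLAT (clatd) that rides on it.
#
# Key material comes from sops: only the peer's *public* key is stored in the
# repository; the private key and the preshared key are decrypted at runtime.
{ config, lib, ... }:
let
  cfg = config.custom.homeWg;
  host = config.networking.hostName;

  # Common prefix for every IPv6 address derived in this module.
  # custom.guaPref is declared elsewhere in the custom.* option tree (not in this file).
  prefix = "${config.custom.guaPref}ff::";

  # Both sops secrets live in the same per-host file and must trigger the same
  # restart when re-decrypted, so the common part is declared once.
  wgSecret = {
    sopsFile = ../../secrets/${host}/home-wg.yaml;
    restartUnits = [ "wg-quick-wg0.service" ];
  };
in
{
  options.custom.homeWg = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Enable the home WireGuard tunnel (wg0) and the CLAT that depends on it.";
    };
    guaSuffix = lib.mkOption {
      # NOTE(review): the pattern is looser than IPv6 hex (it also admits g-z);
      # kept unchanged for compatibility. A hex-only pattern would reject typos
      # at evaluation time instead of at interface bring-up.
      type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
      default = null;
      description = "IPv6 GUA Suffix for Home WireGuard config";
    };
  };

  config = lib.mkIf cfg.enable {
    # guaSuffix defaults to null but is interpolated into addresses below; without
    # this check an enabled module fails with an opaque "cannot coerce null to a
    # string" instead of naming the option that is missing.
    assertions = [
      {
        assertion = cfg.guaSuffix != null;
        message = "custom.homeWg.guaSuffix must be set when custom.homeWg.enable is true";
      }
    ];

    sops.secrets = {
      priv-home-wg = wgSecret;
      psk-home-wg = wgSecret;
    };

    networking.wg-quick.interfaces.wg0 = {
      autostart = true;
      address = [ "${prefix}${cfg.guaSuffix}/64" ];
      # First entry is the resolver reached through the tunnel; wg-quick treats a
      # non-address entry in DNS= as a search domain.
      dns = [ "${prefix}1" "vsinerva.fi" ];
      privateKeyFile = config.sops.secrets.priv-home-wg.path;
      listenPort = 51820;
      peers = [
        {
          publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
          presharedKeyFile = config.sops.secrets.psk-home-wg.path;
          # Full-tunnel for IPv6: every v6 destination is routed via the peer.
          allowedIPs = [ "::/0" ];
          endpoint = "home.vsinerva.fi:51820";
        }
      ];
    };

    # The CLAT's own IPv6 address is derived from the same prefix and suffix,
    # with a "c" infix so it never collides with the wg0 address above.
    services.clatd.settings.clat-v6-addr = "${prefix}c${cfg.guaSuffix}";

    systemd.services = {
      # Do not attempt the handshake before the network is actually online.
      "wg-quick-wg0" = {
        wants = [ "network-online.target" ];
        after = [ "network-online.target" ];
      };
      # The CLAT only has IPv6 reachability once the tunnel is up.
      clatd = {
        wants = [ "wg-quick-wg0.service" ];
        after = [ "wg-quick-wg0.service" ];
      };
    };
  };
}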