{ config, lib, ... }:
let
  cfg = config.custom.networking.idacloudWg;

  # Both WireGuard secrets come from the same sops file and must bounce the
  # wg-quick unit when they change, so they share one definition.
  secretsFile = ../../secrets/idacloud.yaml;
  wgUnit = "wg-quick-wg0.service";
  wgSecret = {
    sopsFile = secretsFile;
    restartUnits = [ wgUnit ];
  };

  # UDP port the interface listens on; the same value is opened in the
  # firewall below so the two cannot drift apart.
  wgPort = 51822;
in
{
  options.custom.networking.idacloudWg.enable =
    lib.mkEnableOption "Idacloud WireGuard";

  config = lib.mkIf cfg.enable {
    # Interface private key and the laptop peer's preshared key are
    # decrypted by sops-nix and referenced by path in the interface config.
    sops.secrets = {
      priv-idacloud-wg = wgSecret;
      psk-laptop-idacloud-wg = wgSecret;
    };

    networking = {
      firewall.allowedUDPPorts = [ wgPort ];

      wg-quick.interfaces.wg0 = {
        address = [ "10.1.0.1/24" ];
        listenPort = wgPort;
        privateKeyFile = config.sops.secrets.priv-idacloud-wg.path;
        # NOTE(review): no owner/mode is set on either secret, so the
        # sops-nix defaults apply — confirm the wg-quick unit can read them.
        peers = [
          # Laptop: static key pair plus a preshared key; only its /32 is routed.
          {
            publicKey = "qJl6XBAGlmGHLre+RoCLUsZUrOrDgGoinREHFiw29ys=";
            presharedKeyFile = config.sops.secrets.psk-laptop-idacloud-wg.path;
            allowedIPs = [ "10.1.0.2/32" ];
          }
          # Phone: not yet enrolled (publicKey is still a TODO). Two candidate
          # presharedKeyFile lines are kept here; the sops-backed one matches
          # how the laptop peer is configured.
          # {
          #   publicKey = "TODO";
          #   presharedKeyFile = "/root/wireguard-keys/psk2";
          #   presharedKeyFile = config.sops.secrets.psk-phone-idacloud-wg.path;
          #   allowedIPs = [ "10.1.0.3/32" ];
          # }
        ];
      };
    };
  };
}