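{ config, pkgs, ... }:
{
  # Key material is provided by agenix and decrypted to a root-owned path at
  # activation time; only the resulting paths are referenced below, so no key
  # ever lands in the world-readable Nix store.
  age.secrets.vpn-se-privKey.file = ../secrets/vpn-se-privKey.age;
  age.secrets.vpn-se-presharedKey.file = ../secrets/vpn-se-presharedKey.age;

  # We're creating the wireguard interfaces in network namespaces so that
  # we can use them on demand:
  # * for a command by prefixing it with `sudo ip netns exec `
  # * for a systemd service by passing its config to joinWgNamespace from lib.nix
  # The namespace itself is created empty (see netns@ below), so the wg
  # interface is the only uplink available to anything running inside it.
  networking.wireguard = {
    enable = true;

    interfaces.wg-se = {
      # The interface is moved into this namespace after creation; the
      # namespace must already exist at that point (see systemd.services).
      interfaceNamespace = "se";
      ips = [ "10.148.171.71/32" ];
      privateKeyFile = config.age.secrets.vpn-se-privKey.path;

      peers = [
        {
          publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
          presharedKeyFile = config.age.secrets.vpn-se-presharedKey.path;
          # 0.0.0.0/0: every IPv4 destination inside the namespace is routed
          # through the tunnel. No IPv6 prefix is listed, so IPv6 is not
          # tunnelled — confirm whether "::/0" is wanted as well.
          allowedIPs = [ "0.0.0.0/0" ];
          endpoint = "se3.vpn.airdns.org:1637";
        }
      ];
    };
  };

  systemd.services = {
    # The interfaceNamespace configured for the wireguard interface needs to already exist.
    # So we define a templated service to create it and make the wireguard
    # unit depend on it.
    "netns@" = {
      description = "%I network namespace";
      before = [ "network.target" ];

      serviceConfig = {
        # oneshot + RemainAfterExit keeps the unit "active" after `ip netns add`
        # returns, so dependents stay up and ExecStop runs on `systemctl stop`.
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
        ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
      };
    };

    # `wants` only pulls netns@se into the same transaction; it gives no
    # ordering guarantee, so without `after` the wireguard unit can race the
    # namespace creation and fail to move the interface into a namespace that
    # does not exist yet. `after` makes the ordering explicit.
    wireguard-wg-se = {
      wants = [ "netns@se.service" ];
      after = [ "netns@se.service" ];
    };
  };
}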