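{ config, pkgs, ... }:
{
  # The WireGuard private key is provisioned by agenix; only the path of the
  # decrypted file (config.age.secrets.<name>.path) is handed to WireGuard below.
  age.secrets.vpn-se-privKey.file = ../secrets/vpn-se-privKey.age;

  # We're creating the wireguard interfaces in network namespaces so that
  # we can use them on demand:
  # * for a command by prefixing it with `sudo ip netns exec `
  # * for a systemd service by passing its config to joinWgNamespace from helpers.nix
  networking.wireguard = {
    enable = true;
    interfaces.wg-se = {
      # The interface lives in the "se" namespace, so only processes entered
      # into that namespace can see or use the tunnel.
      interfaceNamespace = "se";
      ips = [ "10.128.241.130/32" ];
      privateKeyFile = config.age.secrets.vpn-se-privKey.path;
      peers = [
        {
          publicKey = "sb61ho9MhaxhJd6WSrryVmknq0r6oHEW7PP5i4lzAgM=";
          # Full tunnel: with the module's default of adding routes for
          # allowedIPs, all traffic inside the namespace goes via this peer.
          allowedIPs = [ "0.0.0.0/0" ];
          endpoint = "se.gw.xeovo.com:51820";
        }
      ];
    };
  };

  systemd.services = {
    # The interfaceNamespace configured for the wireguard interface needs to already exist.
    # So we define a templated service to create it and make the wireguard unit depend
    # on it (both a dependency AND an ordering, see wireguard-wg-se below).
    "netns@" = {
      description = "%I network namespace";
      before = [ "network.target" ];
      serviceConfig = {
        Type = "oneshot";
        # Keep the unit "active" after `ip netns add` returns so that dependents
        # consider it started and ExecStop only runs on an explicit stop.
        RemainAfterExit = true;
        ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
        ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
      };
    };

    wireguard-wg-se = {
      # `wants` alone only pulls netns@se.service in; systemd would still be free
      # to start both units in parallel, so the namespace might not exist yet when
      # the interface is created. `after` fixes the ordering, and `bindsTo`
      # (which implies `requires`) fails/stops the tunnel together with its
      # namespace instead of leaving a half-configured interface behind.
      bindsTo = [ "netns@se.service" ];
      after = [ "netns@se.service" ];
    };
  };
}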