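{ config, lib, pkgs, ... }:

# NixOS module: WireGuard client for the lazyworkhorse VPN server.
# Brings up interface wg0 with a single server peer.  Formerly hard-coded
# values (server key, endpoint, allowed networks, keepalive) are now options
# whose defaults reproduce the previous behaviour exactly.
with lib;

let
  cfg = config.gortium.wireguard-client;
in
{
  ##### Options #####
  options.gortium.wireguard-client = {
    enable = mkEnableOption "WireGuard VPN client to lazyworkhorse VPN server";

    vpnIp = mkOption {
      type = types.str;
      description = "Assigned VPN IP with CIDR, e.g. \"10.8.0.4/24\"";
      example = "10.8.0.4/24";
    };

    privateKeyFile = mkOption {
      type = types.path;
      description = "Path to the WireGuard private key (age-encrypted, via agenix)";
    };

    presharedKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to the WireGuard preshared key (optional, age-encrypted)";
    };

    serverPublicKey = mkOption {
      type = types.str;
      default = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
      description = "Public key of the server peer (lazyworkhorse wg-easy).";
    };

    endpoint = mkOption {
      type = types.str;
      default = "vpn.lazyworkhorse.net:51820";
      description = "host:port of the WireGuard server endpoint.";
    };

    allowedIPs = mkOption {
      type = types.listOf types.str;
      default = [ "10.8.0.0/24" ];
      description = ''
        Networks routed to the server peer.  In WireGuard this list also acts
        as the cryptokey-routing filter: packets arriving from the peer with a
        source address outside it are dropped.  The default is split-tunnel
        (only the VPN subnet); use [ "0.0.0.0/0" ] for a full tunnel.
      '';
    };

    persistentKeepalive = mkOption {
      type = types.int;
      default = 25;
      description = "Keepalive interval in seconds, so NAT mappings to the server stay open.";
    };
  };

  ##### Config #####
  config = mkIf cfg.enable {
    # Key files must point at where the secret is decrypted at runtime
    # (e.g. config.age.secrets.<name>.path), never into the world-readable
    # Nix store.  Reject a store path outright rather than silently installing
    # a key that every local user could read.
    assertions = [
      {
        assertion = !(hasPrefix builtins.storeDir (toString cfg.privateKeyFile));
        message = "gortium.wireguard-client.privateKeyFile must not be a Nix store path";
      }
      {
        assertion = cfg.presharedKeyFile == null
          || !(hasPrefix builtins.storeDir (toString cfg.presharedKeyFile));
        message = "gortium.wireguard-client.presharedKeyFile must not be a Nix store path";
      }
    ];

    networking.wireguard.interfaces.wg0 = {
      ips = [ cfg.vpnIp ];
      privateKeyFile = cfg.privateKeyFile;
      peers = [
        {
          publicKey = cfg.serverPublicKey;
          presharedKeyFile = cfg.presharedKeyFile;
          allowedIPs = cfg.allowedIPs;
          endpoint = cfg.endpoint;
          persistentKeepalive = cfg.persistentKeepalive;
        }
      ];
    };

    environment.systemPackages = with pkgs; [ wireguard-tools ];
  };
}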