{ config, pkgs, hostsPath, ... }:

# Source: https://habr.com/ru/companies/xakep/articles/699000/

let
  istalData = import (hostsPath + "/istal/data.secret.nix");
  tatosData = import (hostsPath + "/tatos/data.secret.nix");
  port = tatosData.wireguard.port;

  update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
in
{
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;

  # enable NAT
  networking.nat = {
    enable = true;
    externalInterface = "eth0";
    internalInterfaces = [ "wg0" ];
  };

  networking.firewall.allowedUDPPorts = [ port ];

  systemd.services.geoip-update = {
    script = ''
      set -eu
      ${update_ru_routes}/bin/update_ru_routes > /root/update_routes.log
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "root";
    };
    restartTriggers = [ update_ru_routes ];
  };
  systemd.timers.geoip-update = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnBootSec = "1m";
      OnCalendar = "mon 3:00";
    };
  };

  networking.wg-quick.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
      # Determines the IP address and subnet of the server's end of the tunnel interface.
      address = [ "10.20.30.1/32" ];

      # The port that WireGuard listens to. Must be accessible by the client.
      listenPort = port;

      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
      postUp = ''
        interface=`${pkgs.iproute2}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
        ${pkgs.iproute2}/bin/ip rule add from ${tatosData.addr} table main
      '';
      preDown = ''
        interface=`${pkgs.iproute2}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
        ${pkgs.iproute2}/bin/ip rule del from ${tatosData.addr} table main
      '';

      # Path to the private key file.
      privateKeyFile = config.age.secrets.wireguard-tatos-private.path;

      peers = [
        # Istal
        {
          publicKey = istalData.wireguard.publicKey;
          allowedIPs = [ "10.20.30.2/32" "0.0.0.0/0" ];
        }
        # Home
        {
          publicKey = "Gg+p7tysAhu2X841weBiQrqoKXh6kvcmDiCY62rLwQg=";
          allowedIPs = [ "10.20.30.3/32" ];
        }
        # Asus
        {
          publicKey = "mzVH0N3q7UE/XjMwgRks+D8KFuIj91VkOK2ytgjsnkw=";
          allowedIPs = [ "10.20.30.4/32" ];
        }
        # Phone 1 j
        {
          publicKey = "bwKSB61krDPZV9JVw2ChPCImxqjJHQ2vXvWjbqPy/2o=";
          allowedIPs = [ "10.20.30.5/32" ];
        }
        # Phone 2 m
        {
          publicKey = "p1GR0Ax2wrqnnd/coKYA4p0lvhdY9Mkk4iwhPxZfl3I=";
          allowedIPs = [ "10.20.30.6/32" ];
        }
        # Phone 3 n
        {
          publicKey = "IUw38F1ik2y2XoPh3Nd1VVxHz9nfKDfNKyzBaEi0rjc=";
          allowedIPs = [ "10.20.30.7/32" ];
        }
        # Laptop m
        {
          publicKey = "dF5YEeK1nw2V4GNLwg67M+r8NMA315KpueQMk+ZFO1M=";
          allowedIPs = [ "10.20.30.8/32" ];
        }
        # Phone 4 b
        {
          publicKey = "29WekSFGenqbnXoux0kbI9mwx7X5oclEFNz3cMt1Rzc=";
          allowedIPs = [ "10.20.30.9/32" ];
        }
      ];
    };
  };

  age.secrets.wireguard-tatos-private = {
    file = ./wireguard-tatos-private.age;
    mode = "0400";
  };
}