# NixOS module: WireGuard interface "hetzner-ha" used to hand a single public
# IPv4 address to a remote peer. The host enables proxy ARP on both the
# tunnel and the physical NIC so it answers ARP for that address; the peer's
# allowedIPs pins which address may travel through the tunnel.
args@{ config, lib, pkgs, custom-utils, ... }:
let
  portTable = import ../ports.nix args;
  # UDP port WireGuard listens on; the same value is opened in the firewall.
  listenPort = portTable.wireguard-public-ip-tunnel.udp;
  # Remote peer's public key (public material, fine to keep in the repo).
  publicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";
  # Tunnel names that get a "wireguard_key_<name>" entry in sops.
  tunnelNames = [ "hetzner-ha" ];
in
{
  # One sops secret per tunnel, all sourced from ../secrets.yaml. The private
  # key is only ever referenced through its decrypted path (privateKeyFile).
  sops.secrets = lib.genAttrs
    (map (name: "wireguard_key_${name}") tunnelNames)
    (_: { sopsFile = ../secrets.yaml; });

  # Earlier raw-sysctl variant, kept for reference. The proxy_arp entries are
  # covered by the proxyARP options below.
  # NOTE(review): net.ipv4.conf.all.forwarding is not set anywhere in this
  # file; proxy ARP only answers ARP requests and does not forward packets on
  # its own — confirm forwarding is enabled elsewhere in the configuration.
  #boot.kernel.sysctl = {
  #  "net.ipv4.conf.all.forwarding" = 1;
  #  "net.ipv4.conf.hetzner-ha.proxy_arp" = 1;
  #  "net.ipv4.conf.enp1s0.proxy_arp" = 1;
  #};
  networking.interfaces.hetzner-ha.proxyARP = true;
  networking.interfaces.enp1s0.proxyARP = true;

  networking.wireguard.interfaces.hetzner-ha = {
    # No address is assigned to the tunnel itself; presumably the /32 below
    # lives on the peer side — verify against the peer's config.
    ips = [ ];
    privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
    inherit listenPort;
    peers = [
      {
        inherit publicKey;
        # No endpoint is given, so this host waits for the peer to initiate.
        persistentKeepalive = 25;
        # Cryptokey routing: only this source address is accepted from the
        # peer, and only this destination is routed into the tunnel.
        allowedIPs = [ "159.69.103.126/32" ];
      }
    ];
  };

  # Only the WireGuard UDP port is exposed by this module.
  networking.firewall.allowedUDPPorts = [ listenPort ];
}