# NixOS module: WireGuard tunnel "hetzner-ha" that brings a public IPv4
# address (externalIp), owned by the remote peer, down to this machine.
# Packets sourced from that address are policy-routed through a dedicated
# routing table so they leave via the tunnel rather than the default route.
args@{ config, lib, pkgs, custom-utils, ... }:
let
  ports = import ../ports.nix args;

  # Local UDP port the tunnel listens on; opened in the firewall below.
  listenPort = ports.wireguard-public-ip-tunnel.udp;

  # Remote peer: the host that holds the public address.
  remoteHost = "magnesium.jalr.de";
  remotePort = 51000;
  peerPublicKey = "ABZCQfzlHJ1/iNbWFf6jVvdqSmqjxm3w5bpa0SYclBU=";

  # Public IPv4 address tunnelled to this host.
  externalIp = "159.69.103.126";

  # Dedicated policy-routing table; the WireGuard module installs this
  # interface's routes into it instead of the main table.
  routingTable = {
    id = 1000;
    name = "hetzner-ha";
  };

  ip = "${pkgs.iproute2}/bin/ip";
in
{
  # The tunnel's private key is decrypted by sops at activation time; only
  # the resulting path is referenced from the WireGuard config.
  sops.secrets.wireguard_key_hetzner-ha = {
    sopsFile = ../secrets.yaml;
  };

  # Register the custom table name so `ip rule ... table hetzner-ha` resolves.
  networking.iproute2 = {
    enable = true;
    rttablesExtraConfig = ''
      ${toString routingTable.id} ${routingTable.name}
    '';
  };

  networking.wireguard.interfaces.hetzner-ha = {
    ips = [ "${externalIp}/32" ];
    privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
    inherit listenPort;
    table = routingTable.name;

    # Policy routing for traffic sourced from the public address:
    #   prio 10: destinations in 192.168.0.0/16 stay on the main table (LAN);
    #   prio 20: everything else goes through the tunnel's table.
    postSetup = ''
      ${ip} rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
      ${ip} rule add from ${externalIp} table ${routingTable.name} priority 20
    '';

    # Remove the same two rules so a restart does not leave duplicates behind.
    postShutdown = ''
      ${ip} rule del from ${externalIp} to 192.168.0.0/16 table main priority 10
      ${ip} rule del from ${externalIp} table ${routingTable.name} priority 20
    '';

    peers = [
      {
        publicKey = peerPublicKey;
        endpoint = "${remoteHost}:${toString remotePort}";
        # Keep the NAT/firewall mapping alive so the peer can reach us.
        persistentKeepalive = 25;
        # 0.0.0.0/0 lets the tunnel carry traffic to any destination; since the
        # routes land in the dedicated table, only packets matched by the
        # priority-20 rule above actually use it.
        allowedIPs = [ "0.0.0.0/0" ];
      }
    ];
  };

  # Expose the WireGuard listen port (UDP) so the peer can initiate handshakes.
  networking.firewall.allowedUDPPorts = [ listenPort ];
}