# NixOS module: a WireGuard endpoint that fronts one peer's public address.
# The host answers ARP for that address on the uplink (enp1s0) and hands the
# traffic to the tunnel interface (hetzner-ha).
{ config, lib, ... }:
let
  inherit (config.networking) ports;

  # UDP port the tunnel listens on; it is also the only port opened in the firewall.
  listenPort = ports.wireguard-public-ip-tunnel.udp;

  # Static WireGuard public key of the remote peer (a public value, not a secret).
  peerPublicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";

  # Tunnel interfaces that get a sops-managed private key (wireguard_key_<name>).
  tunnelNames = [ "hetzner-ha" ];

  # Builds the { name; value; } pair for one interface's sops secret entry.
  secretFor = name: {
    name = "wireguard_key_${name}";
    value = { sopsFile = ../secrets.yaml; };
  };
in
{
  # The private key is decrypted by sops at activation time and referenced by
  # path below, so it never ends up in the Nix store.
  sops.secrets = builtins.listToAttrs (map secretFor tunnelNames);

  # No explicit forwarding/proxy_arp sysctls here: the proxyARP options below are
  # expected to set net.ipv4.conf.<if>.proxy_arp and IPv4 forwarding — confirm
  # against the NixOS interface module if forwarded traffic does not pass.
  networking = {
    interfaces = {
      hetzner-ha.proxyARP = true;
      enp1s0.proxyARP = true;
    };

    firewall.allowedUDPPorts = [ listenPort ];

    wireguard.interfaces.hetzner-ha = {
      # Tunnel carries no local address; traffic is routed purely by allowedIPs.
      ips = [ ];
      privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
      inherit listenPort;
      peers = [
        {
          publicKey = peerPublicKey;
          # Keepalive keeps a NAT/stateful-firewall mapping open for the peer.
          persistentKeepalive = 25;
          # Cryptokey routing: only this /32 is sent into the tunnel, and only
          # packets sourced from it are accepted from this peer.
          allowedIPs = [ "159.69.103.126/32" ];
        }
      ];
    };
  };
}