# NixOS module: WireGuard interface "bifrost", configured through
# systemd-networkd, with the private key supplied as a sops secret.
{ config, lib, ... }:

let
  # Strip every trailing "\n" from a string (applied to the peer's public
  # key file, which is read at evaluation time).
  stripTrailingNewlines = text:
    if !(lib.hasSuffix "\n" text)
    then text
    else stripTrailingNewlines (lib.removeSuffix "\n" text);

  # Public key of the single peer. This is public material, so reading it
  # into the evaluated configuration is fine.
  peerPublicKey =
    stripTrailingNewlines (lib.readFile ../../vidhar/network/bifrost/vidhar.pub);
in
{
  config = {
    # --- WireGuard netdev -------------------------------------------------
    systemd.network.netdevs.bifrost = {
      netdevConfig.Name = "bifrost";
      netdevConfig.Kind = "wireguard";

      wireguardConfig = {
        # The key is referenced by the path of the decrypted secret; the key
        # itself is never written into this expression.
        PrivateKeyFile = config.sops.secrets.bifrost.path;
        # NOTE(review): nothing in this module opens UDP 51822 in the host
        # firewall; confirm that is handled elsewhere.
        ListenPort = 51822;
      };

      wireguardPeers = [
        {
          # No Endpoint is set for this peer, so this host only answers once
          # the peer has initiated the tunnel.
          wireguardPeerConfig = {
            # Only this prefix is associated with the peer's key.
            AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
            PublicKey = peerPublicKey;
          };
        }
      ];
    };

    # --- Addressing and routing for the interface ---------------------------
    systemd.network.networks.bifrost = {
      name = "bifrost";
      matchConfig.Name = "bifrost";

      address = [ "2a03:4000:52:ada:4::/96" ];
      # The /80 route covers both the local /96 above and the peer's /96.
      routes = [
        { routeConfig.Destination = "2a03:4000:52:ada:4::/80"; }
      ];

      # The tunnel being down does not hold up "online" status.
      linkConfig.RequiredForOnline = false;

      # Name-resolution multicast protocols are switched off on this link.
      networkConfig = {
        LLMNR = false;
        MulticastDNS = false;
      };
    };

    # --- Private key secret -------------------------------------------------
    # 0640 root:systemd-network: group-readable, presumably so the
    # systemd-networkd service user can load the key; not world-readable.
    sops.secrets.bifrost = {
      format = "binary";
      sopsFile = ./surtr.priv;
      mode = "0640";
      owner = "root";
      group = "systemd-network";
    };
  };
}