# NixOS module: WireGuard tunnel "bifrost" managed by systemd-networkd, plus a
# oneshot helper service whose lifetime is bound to the tunnel device.
{ config, lib, pkgs, ... }:

let
  inherit (lib) hasSuffix removeSuffix;

  # Remove every trailing "\n" from a string. Applied to the peer public key
  # read from disk below, so no newline ends up inside the PublicKey value.
  stripTrailingNewlines = s:
    if !(hasSuffix "\n" s)
    then s
    else stripTrailingNewlines (removeSuffix "\n" s);

  # systemd device unit for the tunnel interface; the helper service hangs off it.
  tunnelDevice = "sys-subsystem-net-devices-bifrost.device";

  preserveDscp = "${pkgs.preserve-dscp}/bin/preserve-dscp";
in
{
  config = {
    systemd.network.netdevs.bifrost = {
      netdevConfig = {
        Name = "bifrost";
        Kind = "wireguard";
      };

      wireguardConfig = {
        # The private key is read from networkd's credential directory, not
        # from a path embedded in the generated unit; the credential itself is
        # wired up by the LoadCredential entry further down (ID "bifrost.priv").
        PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv";
        # NOTE(review): nothing in this module opens UDP 51822 in the host
        # firewall — confirm that is handled elsewhere.
        ListenPort = 51822;
      };

      wireguardPeers = [
        {
          wireguardPeerConfig = {
            # Source addresses accepted from this peer, and the only
            # destinations WireGuard will send to it.
            AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
            # Public key is read at evaluation time from the peer host's
            # directory in this repository. No Endpoint and no preshared key
            # are configured for the peer here.
            PublicKey = stripTrailingNewlines (builtins.readFile ../../vidhar/network/bifrost/vidhar.pub);
          };
        }
      ];
    };

    systemd.network.networks.bifrost = {
      name = "bifrost";
      matchConfig = {
        Name = "bifrost";
      };
      address = ["2a03:4000:52:ada:4::/96"];
      routes = [
        {
          routeConfig = {
            # The routed /80 is wider than the peer's /96 in AllowedIPs, so
            # traffic to the rest of the /80 enters the interface but matches
            # no peer. NOTE(review): presumably intentional headroom — confirm.
            Destination = "2a03:4000:52:ada:4::/80";
          };
        }
      ];
      # The tunnel does not count towards networkd's "online" state.
      linkConfig = {
        RequiredForOnline = false;
      };
      # Name-resolution multicast protocols are switched off on the tunnel link.
      networkConfig = {
        LLMNR = false;
        MulticastDNS = false;
      };
    };

    # Hand the decrypted key to systemd-networkd as a service credential.
    systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
      "bifrost.priv:${config.sops.secrets.bifrost.path}"
    ];

    # NOTE(review): ./surtr.priv is referenced as a path and so is copied into
    # the Nix store; it must be the sops-encrypted form, never the raw key.
    sops.secrets.bifrost = {
      format = "binary";
      sopsFile = ./surtr.priv;
    };

    # Started when the bifrost device appears and stopped with it (bindsTo).
    # Runs preserve-dscp for "bifrost" and "ens3"; ExecStop calls the same
    # binary with --unload. NOTE(review): what the tool installs is not visible
    # here — see the preserve-dscp package.
    systemd.services."bifrost-dscp" = {
      wantedBy = [ tunnelDevice ];
      after = [ tunnelDevice ];
      bindsTo = [ tunnelDevice ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = "${preserveDscp} bifrost ens3";
        ExecStop = "${preserveDscp} bifrost ens3 --unload";
      };
    };
  };
}