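# systemd-networkd WireGuard tunnel "bifrost" for this host.
#
# Key handling: the WireGuard private key is a sops-managed secret that is
# decrypted at activation and passed to systemd-networkd as a systemd
# credential (LoadCredential=), so the key never lands in the world-readable
# Nix store; PrivateKeyFile= therefore points into the credential directory
# rather than at a store path.
{ config, lib, ... }:

let
  # Strip every trailing newline from `str` (recursive, so "\n\n" is handled
  # as well). Used so the key file's trailing newline does not end up inside
  # PublicKey=.
  trim = str:
    if lib.hasSuffix "\n" str
    then trim (lib.removeSuffix "\n" str)
    else str;

  # Remote peer's public key, read at evaluation time. Public material only;
  # presumably the peer is "surtr", judging by the path — not verifiable here.
  peerPublicKey = trim (builtins.readFile ../../../surtr/bifrost/surtr.pub);
in
{
  config = {
    systemd.network = {
      netdevs.bifrost = {
        netdevConfig = {
          Name = "bifrost";
          Kind = "wireguard";
        };

        wireguardConfig = {
          # Path under which LoadCredential= (see systemd.services below)
          # exposes the decrypted key to systemd-networkd.
          PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv";
          ListenPort = 51822;
        };

        wireguardPeers = [
          {
            wireguardPeerConfig = {
              # ::/0: cryptokey routing accepts packets with ANY IPv6 source
              # from this peer and will carry ANY IPv6 destination that the
              # routing tables steer onto the interface. Which traffic actually
              # enters the tunnel is therefore decided solely by the routes and
              # policy rule in `networks.bifrost` below, not by AllowedIPs=.
              AllowedIPs = [ "::/0" ];
              PublicKey = peerPublicKey;
              PersistentKeepalive = 5;
              # IPv6 endpoints are written "[address]:port" (systemd.netdev(5));
              # the previous "addr:::port" spelling only parsed because the
              # implementation splits host and port on the last colon.
              Endpoint = "[2a03:4000:52:ada::]:51822";
            };
          }
        ];
      };

      networks.bifrost = {
        name = "bifrost";
        matchConfig.Name = "bifrost";
        # This host's prefix inside the tunnel.
        address = [ "2a03:4000:52:ada:4:1::/96" ];

        routes = [
          # Main table: the peer-side /80 is reachable through the tunnel.
          { routeConfig = { Destination = "2a03:4000:52:ada:4::/80"; }; }

          # Table "bifrost" (number assigned via routeTables below): a default
          # route via the peer (no Destination=), plus on-link routes for the
          # peer /80 and our own /96 so traffic that the policy rule sends to
          # this table still reaches those prefixes directly.
          {
            routeConfig = {
              Gateway = "2a03:4000:52:ada:4::";
              GatewayOnLink = true;
              Table = "bifrost";
            };
          }
          {
            routeConfig = {
              Destination = "2a03:4000:52:ada:4::/80";
              GatewayOnLink = true;
              Table = "bifrost";
            };
          }
          {
            routeConfig = {
              Destination = "2a03:4000:52:ada:4:1::/96";
              GatewayOnLink = true;
              Table = "bifrost";
            };
          }
        ];

        # Source-based policy routing: anything sourced from our tunnel /96
        # consults table "bifrost" first and hence egresses via the peer.
        routingPolicyRules = [
          {
            routingPolicyRuleConfig = {
              Table = "bifrost";
              From = "2a03:4000:52:ada:4:1::/96";
              Priority = 1;
            };
          }
        ];

        # Do not hold network-online.target for the tunnel.
        linkConfig.RequiredForOnline = false;

        # No multicast name resolution on the tunnel interface.
        networkConfig = {
          LLMNR = false;
          MulticastDNS = false;
        };
      };

      # Numeric id behind the symbolic Table = "bifrost" references above.
      config.routeTables.bifrost = 1026;
    };

    # Hand the decrypted key to systemd-networkd as a credential; it appears
    # as /run/credentials/systemd-networkd.service/bifrost.priv, matching
    # PrivateKeyFile= above.
    systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
      "bifrost.priv:${config.sops.secrets.bifrost.path}"
    ];

    # sops-encrypted private key committed next to this module; only the
    # encrypted form is in the repository / store.
    sops.secrets.bifrost = {
      format = "binary";
      sopsFile = ./vidhar.priv;
    };
  };
}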