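# WireGuard VPN client configuration.
#
# Declares the `nixin.wg.client.*` options and turns them into a single
# wg-quick interface (`wg0`) with exactly one peer.
{ config, pkgs, lib, ... }:

let
  inherit (lib) mkOption types;

  # Shorthand for this module's own option values.
  cfg = config.nixin.wg.client;
in
{
  options = {
    nixin.wg.client = {
      ipv4 = mkOption {
        type = types.str;
        description = "IPv4 address assigned to the wg0 interface, optionally with a prefix length.";
        example = "192.0.2.10/32"; # constructed sample (documentation range)
      };

      ipv6 = mkOption {
        type = types.str;
        description = "IPv6 address assigned to the wg0 interface, optionally with a prefix length.";
        example = "2001:db8::10/128"; # constructed sample (documentation range)
      };

      allowedIPs = mkOption {
        type = types.listOf types.str;
        description = ''
          CIDR ranges associated with the peer: traffic to these ranges is
          sent through the tunnel, and only packets sourced from them are
          accepted from the peer.
        '';
        example = [ "0.0.0.0/0" "::/0" ];
      };

      endpoint = mkOption {
        type = types.str;
        description = "Address and port (host:port) of the WireGuard peer.";
        example = "vpn.example.org:51820"; # constructed sample
      };

      endpointKey = mkOption {
        type = types.str;
        # This is the peer's *public* key, so it is safe to keep in the
        # configuration (and therefore in the Nix store).
        description = "Base64-encoded public key of the WireGuard peer.";
      };
    };
  };

  config = {
    networking = {
      wg-quick.interfaces = {
        wg0 = {
          address = [ cfg.ipv4 cfg.ipv6 ];

          # Resolvers configured while wg0 is up (hard-coded here).
          # NOTE(review): if `allowedIPs` does not cover these addresses,
          # DNS queries will leave outside the tunnel; confirm that the
          # configured ranges include them when full-tunnel is intended.
          dns = [
            "80.67.169.12"
            "80.67.169.40"
            "2001:910:800::12"
            "2001:910:800::40"
          ];

          # Given as a string path so the key is read from disk at runtime
          # and never copied into the world-readable Nix store. The file
          # itself should be owned by root and not readable by other users.
          privateKeyFile = "/var/src/secrets/wg-private.key";

          peers = [
            {
              publicKey = cfg.endpointKey;
              allowedIPs = cfg.allowedIPs;
              endpoint = cfg.endpoint;
              # Send a keepalive every 15 seconds so NAT/firewall state
              # towards the endpoint stays open.
              persistentKeepalive = 15;
            }
          ];
        };
      };
    };
  };
}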