{ config, lib, pkgs, ... }:

let
  inherit (lib) filterAttrs mapAttrs hasAttr readFile;

  # Per-host WireGuard private key files, keyed by hostname.
  wgKeys = config.fudo.secrets.files.wireguard.keys;

  # Only hosts that actually have a WireGuard key become VPN peers.
  keyedHosts = filterAttrs (hostname: _: hasAttr hostname wgKeys) config.fudo.hosts;

  sites = config.fudo.sites;

  # Build step that derives a host's public key from its private key with
  # `wg pubkey`.
  # NOTE(review): the private key file is interpolated into this derivation.
  # If wgKeys.<host> is a Nix path literal, the private key is copied into the
  # world-readable /nix/store; if it is a plain string path, the build reads it
  # from the builder (which a sandboxed build cannot see). Confirm how the
  # secret is supplied before relying on this at evaluation time.
  publicKeyDrv = hostname: privateKeyFile:
    pkgs.stdenv.mkDerivation {
      name = "wireguard-${hostname}-key.pub";
      phases = "installPhase";
      buildInputs = [ pkgs.wireguard ];
      installPhase = '' wg pubkey < ${privateKeyFile} > $out '';
    };

  # Reading the derivation output during evaluation forces the build
  # (import-from-derivation).
  publicKeyOf = hostname: privateKeyFile:
    readFile "${publicKeyDrv hostname privateKeyFile}";

  # Peer entry for one keyed host: its private key file and derived public key.
  mkHost = hostname: _:
    let privateKeyFile = wgKeys.${hostname};
    in {
      private-key-file = privateKeyFile;
      public-key = publicKeyOf hostname privateKeyFile;
    };

  # Site entry: the site's private network plus the host that routes it.
  mkSite = siteName: gateway: {
    network = sites.${siteName}.private-network;
    inherit gateway;
  };
in {
  config.fudo.services.wireguard.networks.fudo-local = {
    network = "10.0.0.0/8";
    captured-network = "10.192.0.0/10";

    external-peers = {
      niten-phone = {
        # TODO: an empty public key is a placeholder; this peer cannot
        # complete a handshake until the real key is filled in.
        public-key = "";
        # Falls inside captured-network (10.192.0.0/10).
        assigned-ip = "10.192.0.100";
      };
    };

    hosts = mapAttrs mkHost keyedHosts;

    sites = {
      seattle = mkSite "seattle" sites.seattle.local-gateway;
      nuttyclub = mkSite "nuttyclub" "nutboy3";
      portage = mkSite "portage" "france";
      worldstream = mkSite "worldstream" "legatus";
      russell = mkSite "russell" sites.russell.local-gateway;
    };
  };
}