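{ config, lib, ... }:

with lib;

let
  cfg = config.roles.wireguard;

  # A key file that lives in the Nix store is world-readable on every host that
  # has the closure, so we refuse such a value at evaluation time instead of
  # silently deploying it.  `toString` on a path literal yields its absolute
  # source path, which under flakes is itself a store path, so both
  # `"${./wg.key}"` and a bare `./wg.key` are caught.
  keyInStore = hasPrefix builtins.storeDir (toString cfg.privateKeyFile);
in
{
  # Role module: one wg-quick managed WireGuard tunnel on this host.
  options.roles.wireguard = {
    # mkEnableOption prefixes "Whether to enable", so the text must be a noun
    # phrase, not an imperative ("Enable ...").
    enable = mkEnableOption "the WireGuard VPN role";

    interfaceName = mkOption {
      type = types.str;
      default = "wg0";
      description = "Name of the WireGuard interface";
    };

    address = mkOption {
      type = types.listOf types.str;
      description = "Address(es) for the WireGuard interface";
    };

    # Kept as types.path for compatibility with existing configurations; the
    # assertion below is what rejects values that resolve into the Nix store.
    privateKeyFile = mkOption {
      type = types.path;
      description = ''
        Absolute path (as a string) to a root-owned file containing the
        WireGuard private key.  The file must live outside the Nix store;
        values under ${builtins.storeDir} are rejected at evaluation time.
      '';
    };

    dns = mkOption {
      type = types.listOf types.str;
      default = [];
      description = "DNS servers to use when the tunnel is active";
    };

    # Attribute names deliberately match the wg-quick peer submodule so the
    # list can be forwarded unchanged.
    peers = mkOption {
      type = types.listOf (types.submodule {
        options = {
          publicKey = mkOption {
            type = types.str;
            description = "Public key of the peer";
          };
          endpoint = mkOption {
            type = types.str;
            description = "Endpoint address of the peer (host:port)";
          };
          allowedIPs = mkOption {
            type = types.listOf types.str;
            description = "List of allowed IP ranges for this peer";
          };
          persistentKeepalive = mkOption {
            type = types.int;
            default = 25;
            description = "Persistent keepalive interval in seconds";
          };
        };
      });
      description = "WireGuard peers";
    };

    autostart = mkOption {
      type = types.bool;
      default = false;
      description = "Whether to start the VPN automatically on boot";
    };
  };

  config = mkIf cfg.enable {
    # Fail the build rather than ship a private key inside a world-readable
    # store path.  Evaluated only when the role is enabled, so the required
    # privateKeyFile option is not forced otherwise.
    assertions = [
      {
        assertion = !keyInStore;
        message = ''
          roles.wireguard.privateKeyFile must not point into ${builtins.storeDir};
          keep the WireGuard private key in a root-owned file outside the store.
        '';
      }
    ];

    networking.wg-quick.interfaces.${cfg.interfaceName} = {
      inherit (cfg) address dns autostart peers;
      privateKeyFile = cfg.privateKeyFile;
    };

    # Bring the tunnel up only once the network is actually online; relevant
    # when autostart is true.
    systemd.services."wg-quick-${cfg.interfaceName}" = {
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
    };
  };
}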