nix-config/modules/TLMS/wg.nix

{ lib, config, self, ... }:
let
  cfg = config.deployment-TLMS.net.wg;
in {
    options.deployment-TLMS.net.wg = with lib; {

      ownEndpoint.host = mkOption {
        type = types.nullOr types.str;
        default = null;
      };
      ownEndpoint.port = mkOption {
        type = types.port;
        default = 51820;
      };

      publicKey = mkOption {
        type = types.str;
        default = "";
        description = "own public key";
      };
      privateKeyFile = mkOption {
        type = types.either types.str types.path;
      };
      addr4 = mkOption {
        type = types.nullOr types.str;
        default = null;
      };

      prefix4 = mkOption {
        type = types.int;
        default = 24;
        description = "network prefix";
      };

      extraPeers = mkOption {
        description = "extra peers that are not part of the deployment";
        type = types.listOf (types.submodule {
          options.addr4 = mkOption {
            type = types.str;
            description = "ip _without_ a network prefix";
          };
          options.publicKey = mkOption {
            type = types.str;
            description = "public key";
          };
        });
      };
    };

    config = let
      # move out as options?
      dvbwg-name = "wg-ddvb";
      keepalive = 25;

      # helpers
      peer-systems = (lib.filter (x: (x.config.deployment-TLMS.net.wg.addr4 != cfg.addr4) && (!isNull x.config.deployment-TLMS.net.wg.addr4))
      (lib.attrValues self.nixosConfigurations));

      endpoint =
        let
          ep = (lib.filter (x:
          x.config.deployment-TLMS.net.wg.addr4 != cfg.addr4
          && (!isNull x.config.deployment-TLMS.net.wg.ownEndpoint.host))
          (lib.attrValues self.nixosConfigurations));
        in
        assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep;

         peers = map (x: {
          wireguardPeerConfig = {
            PublicKey = x.config.deployment-TLMS.net.wg.publicKey;
            AllowedIPs = [ "${x.config.deployment-TLMS.net.wg.addr4}/32" ];
            PersistentKeepalive = keepalive;
          };
        }) peer-systems;

        ep = [ {
          wireguardPeerConfig =
            let x = lib.elemAt endpoint 0; in {
            PublicKey = x.config.deployment-TLMS.net.wg.publicKey;
            AllowedIPs = [ "${x.config.deployment-TLMS.net.wg.addr4}/${toString cfg.prefix4}" ];
            Endpoint = with x.config.deployment-TLMS.net.wg.ownEndpoint; "${host}:${toString port}";
            PersistentKeepalive = keepalive;
          };
        } ];

      # stuff proper
      dvbwg-netdev = {
        Kind = "wireguard";
        Name = dvbwg-name;
        Description = "TLMS enterprise, highly available, biocomputing-neural-network maintained, converged network";
      };

      dvbwg-wireguard = {
        PrivateKeyFile = cfg.privateKeyFile;
      } //
        (if !isNull cfg.ownEndpoint.host then { ListenPort = cfg.ownEndpoint.port; } else {});

      expeers = map (x: {
        wireguardPeerConfig = {
          PublicKey = x.publicKey;
          AllowedIPs = [ "${x.addr4}/32" ];
          PersistentKeepalive = keepalive;
        };
      }) cfg.extraPeers;

      peerconf = if isNull cfg.ownEndpoint.host then ep else (peers ++ expeers);
    in
    lib.mkIf (!isNull cfg.addr4) {
      networking.wireguard.enable = true;

      networking.firewall.trustedInterfaces = [ dvbwg-name ];

      systemd.network.netdevs."30-${dvbwg-name}" = {
        netdevConfig = dvbwg-netdev;
        wireguardConfig = dvbwg-wireguard;
        wireguardPeers = peerconf;
      };
    systemd.network.networks."30-${dvbwg-name}" = {
      matchConfig.Name = dvbwg-name;
      networkConfig = {
        Address = "${cfg.addr4}/${toString cfg.prefix4}";
      };
    };
  };
}