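# NixOS module: a single WireGuard peer whose wg-quick configuration lives in an
# external, root-owned file rather than in the repository or the Nix store.
{ config, lib, pkgs, repoLocalPath, ... }:

let
  cfg = config.alisceon.wireguardPeer;

  # `repoLocalPath` may be passed in as a Nix path value. Interpolating a path
  # into a string copies it into the Nix store, so the "outside the repo" check
  # would then compare against /nix/store/... instead of the real checkout.
  # `toString` keeps the original filesystem path and is a no-op on strings.
  # The trailing slash is stripped so the prefix test below is unambiguous.
  repoPath = lib.removeSuffix "/" (toString repoLocalPath);

  # Linux interface-name rule (IFNAMSIZ = 16 including the NUL): 1-15 chars,
  # not "." or "..", and no "/", ":" or whitespace. Checking here turns an
  # obscure wg-quick/systemd runtime failure into an evaluation-time error.
  validIfName = name:
    name != "." && name != ".."
    && builtins.match "[^/:[:space:]]{1,15}" name != null;
in
{
  options.alisceon.wireguardPeer = {
    enable = lib.mkEnableOption "a single WireGuard peer managed by wg-quick";

    interface = lib.mkOption {
      type = lib.types.str;
      default = "wg0";
      description = "WireGuard interface name.";
    };

    configFile = lib.mkOption {
      type = lib.types.str;
      default = "/etc/wireguard/${cfg.interface}.conf";
      # defaultText is documentation, not a value: it must show the expression
      # rather than an interpolated result (the old text rendered as
      # "/etc/wireguard/.conf" with the interface name missing).
      defaultText = lib.literalExpression ''"/etc/wireguard/''${config.alisceon.wireguardPeer.interface}.conf"'';
      description = ''
        Path to an external wg-quick config file. Keep it root-owned and mode
        0600 so private keys and peer material stay outside Git and the Nix
        store.
      '';
    };

    autostart = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Whether to bring the WireGuard interface up at boot.";
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = validIfName cfg.interface;
        message = "alisceon.wireguardPeer.interface \"${cfg.interface}\" is not a valid Linux interface name (1-15 chars, no '/', ':' or whitespace).";
      }
      {
        assertion = lib.hasPrefix "/" cfg.configFile;
        message = "alisceon.wireguardPeer.configFile must be an absolute path outside the repo.";
      }
      {
        # Reject the repo root itself and anything below it, but not a sibling
        # directory that merely shares the prefix (e.g. <repo>-backup/).
        assertion = !(cfg.configFile == repoPath || lib.hasPrefix "${repoPath}/" cfg.configFile);
        message = "alisceon.wireguardPeer.configFile must be outside ${repoPath}.";
      }
    ];

    # Delegate to the upstream wg-quick module; the config file is read at
    # runtime from `configFile`, so no key material enters the store.
    networking.wg-quick.interfaces.${cfg.interface} = {
      inherit (cfg) autostart configFile;
    };

    # Skip the unit cleanly when the external config has not been provisioned
    # yet, instead of failing at activation.
    systemd.services."wg-quick-${cfg.interface}".unitConfig.ConditionPathExists = cfg.configFile;

    environment.systemPackages = [ pkgs.wireguard-tools ];

    # Ensure the directory holding the default configFile location exists and
    # is readable by root only.
    systemd.tmpfiles.rules = [ "d /etc/wireguard 0700 root root -" ];
  };
}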