/*

  Name:     https://en.wikipedia.org/wiki/Ash_(Alien)
  Why:      Infilitrate into the network
  Type:     VM
  Hardware: -
  From:     2023
  Role:     Wireguard (VPN) Server
  Notes:    Thius vpn is for admin use only, to give access to all the servers via ssh

*/

{ pkgs, lib, nodes, ... }:
let
  # name of the server, sets teh hostname and record for it
  name      = "ash";
  ip_pub    = "193.1.99.75";
  ip_priv   = "172.20.20.5";
  # hostname  = "${name}.skynet.ie";
  hostname  = ip_pub;

in {
  imports = [
    # applications for this particular server
    ../applications/firewall.nix
    ../applications/dns.nix
  ];

  deployment = {
    targetHost = hostname;
    targetPort = 22;
    targetUser = "root";
  };

  # these two are to be able to add the rules for firewall and dns
  # open the firewall for this
  skynet_firewall.forward = [
    "ip daddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
  ];

  skynet_dns.records = {
    external = [
      "${name}       A       ${ip_pub}"
    ];
    cname = [
      #may asw ell add a cname for this
      "wg           CNAME   ${name}"
    ];
  };


  age.secrets.wireguard.file = ../secrets/wireguard.age;

  networking = {
    nat = {
      enable = true;
      externalInterface = "eth0";
      internalInterfaces = ["wg0"];
    };

    firewall = {
      allowedTCPPorts = [22];
      allowedUDPPorts = [8000];
      interfaces.wg0 = {
        allowedTCPPorts = [53];
        allowedUDPPorts = [53];
      };
    };

    wireguard.interfaces.wg0 = {
      # may need to change this to the same base as the full network
      ips = ["172.20.21.0/24"];
      listenPort = 8000;
      privateKeyFile = "/run/agenix/wireguard";

      peers = [
        { # silver - Brendan
          publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ=";
          allowedIPs = [ "172.20.21.2/32" ];
        }
      ];

    };
  };

  environment.systemPackages = [
    # needed to generate keys
    pkgs.wireguard-tools
  ];

}