nix/shared/commons/mesh.nix

{ config, lib, pkgs, ... }:

let
    # Import nodes
    nodes = import ./../../nodes.nix;
    myPeer = nodes."${config.hostName}";
    myId = myPeer.id;
    myZone = myPeer.zone;

    # And mappings
    mapping = import ./../../mapping.nix;

    buildSecret = zone: id: {
        "wg-private-zone-${toString zone}-id-${toString id}" = {
            file = ./../../secrets/wireguard + ( "/wg-private-zone-" + toString zone + "-id-" + toString id + ".age" );
            owner = "systemd-network";
            group = "systemd-network";
        };
    };
    generatedSecrets = lib.mapAttrsToList (name: node: buildSecret node.zone node.id) nodes;

    # Filter itself out of the peer list
    peerConfigs = lib.filterAttrs (_peerName: peerConfig: (peerConfig.zone != myZone) || (peerConfig.id != myId)) nodes;
    
    interfacePeers = lib.mapAttrsToList (peerName: peerConfig: {
        PublicKey = peerConfig.wg-pub;
        AllowedIPs = [
            "172.19.${toString peerConfig.zone}.${toString peerConfig.id}/32"
            "fc00::${toString peerConfig.zone}:${toString peerConfig.id}/128"
        ] ++ lib.optionals (lib.elem peerName mapping.bastion) [
            "172.19.${toString (peerConfig.zone + 127)}.0/24"
            "fc00:f::${toString (peerConfig.zone + 127)}:0/112"
        ];
        Endpoint = "${builtins.head (builtins.split "/" peerConfig.ip4)}:51820";
        PersistentKeepalive = 25;
    }) peerConfigs;
    
    interfaceConfig = {
        PrivateKeyFile = config.age.secrets."wg-private-zone-${toString myZone}-id-${toString myId}".path;
        ListenPort = 51820;
    };

    # Return route for mgmt traffic
    bastionConfigs = lib.filterAttrs (peerName: _peerConfig: lib.elem peerName mapping.bastion) peerConfigs;

    rtwg4 = map (node: { 
        Gateway = "172.19.${toString node.zone}.${toString node.id}"; 
        Destination = "172.19.${toString (node.zone + 127)}.0/24"; 
    }) (lib.attrValues bastionConfigs);
    
    rtwg6 = map (node: { 
        Gateway = "fc00::${toString node.zone}:${toString node.id}"; 
        Destination = "fc00:f::${toString (node.zone + 127)}:0/112"; 
    }) (lib.attrValues bastionConfigs);
in
{
    age.secrets = lib.lists.foldl' (acc: set: lib.attrsets.recursiveUpdate acc set) {} generatedSecrets;

    # Build Mesh interface
    systemd.network = {
        netdevs."mesh" = {
            netdevConfig = {
                Name = "mesh";
                Kind = "wireguard";
            };
            wireguardConfig = interfaceConfig;
            wireguardPeers = interfacePeers;
        };
        networks."mesh" = {
            matchConfig.Name = "mesh";
            address = [
                "172.19.${toString myZone}.${toString myId}/17"
                "fc00::${toString myZone}:${toString myId}/112"
            ];
            routes = rtwg4 ++ rtwg6;
        };
    };
}