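# @summary Configure a systemd-networkd WireGuard interface that terminates
#   tunnels from a list of peers (hub / exit-node role).
#
# Renders `/etc/systemd/network/20-<iface_name>.netdev` and `.network`, plus
# one drop-in per peer under the matching `.netdev.d/` and `.network.d/`
# directories: the netdev drop-in carries the `[WireGuardPeer]` stanza and
# the network drop-in a `[Route]` per peer address.
#
# @param iface_name
#   Name of the WireGuard interface (also the suffix of the unit file names).
# @param private_key_file
#   Path of the interface's private key, referenced via `PrivateKeyFile=`.
#   The key itself is not managed here; it must exist on the host and be
#   readable by systemd-networkd (see systemd.netdev(5) for the required
#   ownership and mode).
# @param listen_port
#   UDP port the interface listens on.
# @param peers
#   One hash per peer with keys `name` (used as the drop-in file name, so it
#   is restricted to `[A-Za-z0-9._-]` and may not start with a dot),
#   `public_key` and `peer_address` (a String or Array of CIDR strings, used
#   both as `AllowedIPs=` and as routes via the interface).
class profiles::wg_exit_node (
  String[1]          $iface_name       = 'wg0',
  String[1]          $private_key_file = '/etc/wireguard/gandalf.adrift.space.key',
  Integer[1, 65535]  $listen_port      = 51820,
  Array[Hash]        $peers            = [],
) {
  $base = "/etc/systemd/network/20-${iface_name}"

  # TODO
  # iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
  # ip6tables -t nat -A POSTROUTING -o br0 -j MASQUERADE
  #
  # echo 1 > /proc/sys/net/ipv4/ip_forward
  # echo 1 > /proc/sys/net/ipv6/conf/br0/forwarding
  # echo 1 > /proc/sys/net/ipv6/conf/wg0/forwarding

  # NOTE(review): nothing in this class reloads systemd-networkd when the
  # unit files or drop-ins change; confirm a Service/Exec elsewhere does,
  # or add a `notify` here.

  file { "${base}.netdev":
    ensure  => file,
    content => @("EOF"),
      # File managed by Puppet
      [NetDev]
      Name=${iface_name}
      Kind=wireguard
      Description=Wireguard tunnel ${iface_name}
      [WireGuard]
      PrivateKeyFile=${private_key_file}
      ListenPort=${listen_port}
      | EOF
  }

  file { "${base}.network":
    ensure  => file,
    content => @("EOF"),
      # File managed by Puppet
      [Match]
      Name=${iface_name}
      | EOF
  }

  # Drop-in directories; systemd-networkd merges every *.conf found here
  # into the matching unit.  Puppet autorequires these for the drop-ins
  # below, so no explicit `require` is needed.
  file { [
    "${base}.netdev.d",
    "${base}.network.d",
  ]:
    ensure => directory,
  }

  $peers.each |Hash $peer| {
    # The peer name becomes a file name under the drop-in directories.
    # Reject path separators and leading dots so a bad data entry cannot
    # escape "${base}.*.d/" or produce a hidden/ignored file.
    $peer_name = assert_type(Pattern[/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/], $peer['name'])
    $public_key = assert_type(String[1], $peer['public_key'])

    # Accept a single address or a list; the selector fails on anything else.
    $peer_addresses = assert_type(Array[String[1]], $peer['peer_address'] ? {
      Array  => $peer['peer_address'],
      String => [$peer['peer_address']],
    })

    # One [Route] stanza per address, so traffic for the peer's networks is
    # sent into the tunnel.
    file { "${base}.network.d/${peer_name}.conf":
      ensure  => file,
      content => $peer_addresses.map |$addr| {
        @("EOF")
          [Route]
          Destination=${addr}
          | EOF
      }.join("\n"),
    }

    # Only the public key lives here; if a PresharedKey= is ever added, the
    # file mode must be tightened (systemd.netdev(5)).
    file { "${base}.netdev.d/${peer_name}.conf":
      ensure  => file,
      content => @("EOF"),
        [WireGuardPeer]
        PublicKey=${public_key}
        AllowedIPs=${peer_addresses.join(', ')}
        | EOF
    }
  }
}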