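# @summary Configure this host as a WireGuard server.
#
# Writes the systemd-networkd netdev/network units for the tunnel interface,
# masquerades tunnel traffic towards the LAN, and exports two firewall rules
# (tag 'router') that let the router admit and port-forward the listen port to
# this host. The listen port comes from profiles::wireguard so both sides of
# the tunnel agree on it.
#
# @param private_key
#   WireGuard private key of the local interface, written into the netdev unit.
#   NOTE(review): a Sensitive[String] is placed unchanged inside the `content`
#   hash; whether networking::networkd_instance unwraps nested Sensitive values
#   is not visible here - confirm, or the unit may end up with a redacted marker.
# @param peers
#   One hash per [WireGuardPeer] section, using the systemd-networkd key names
#   (e.g. 'PublicKey', 'AllowedIPs'). Every peer's 'AllowedIPs' is also routed
#   over the tunnel interface.
# @param ifname
#   Name of the WireGuard interface.
# @param outiface
#   LAN-side interface that tunnel traffic is masqueraded out of.
class profiles::wireguard_server (
  Variant[String, Sensitive[String]] $private_key,
  Array[Hash]                        $peers,
  String                             $ifname   = 'wg0',
  String                             $outiface = 'br0',
) {
  include ::profiles::wireguard

  # The netdev unit carries the private key, hence the restrictive file mode.
  networking::networkd_instance { $ifname:
    type    => 'netdev',
    mode    => '0600',
    content => {
      'NetDev'        => {
        'Name'        => $ifname,
        'Kind'        => 'wireguard',
        'Description' => "Wireguard tunnel ${ifname}",
      },
      'WireGuard'     => {
        'ListenPort' => $profiles::wireguard::port,
        'PrivateKey' => $private_key,
      },
      'WireGuardPeer' => $peers,
    },
  }

  # Every network a peer is allowed to use must be reachable via the tunnel.
  $peer_networks = flatten($peers.map |$peer| { $peer['AllowedIPs'] })

  networking::networkd_instance { "${ifname}-network":
    type    => 'network',
    content => {
      'Match' => {
        'Name' => $ifname,
      },
      'Route' => {
        'Destination' => $peer_networks,
      },
    },
  }

  # Masquerade traffic leaving towards the LAN, for both address families.
  # NOTE(review): the rule matches all protocols and carries no source
  # restriction, so it masquerades everything leaving the LAN interface, not
  # only packets that arrived through the tunnel; restricting it with `source`
  # to the peer networks would narrow it to the intended traffic.
  ['ip', 'ip6'].each |$family| {
    firewall { "100 Forward ${family} wireguard to network":
      table    => 'nat',
      chain    => 'POSTROUTING',
      jump     => 'MASQUERADE',
      outiface => $outiface,
      proto    => 'all',
      provider => "${family}tables",
    }
  }

  # Exported for the router: admit inbound UDP to the listen port addressed to
  # this host's IPv6 address. The structured networking facts replace the
  # legacy ipaddress/ipaddress6 facts, which are off by default on Puppet 8.
  # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
  # NOTE(review): no chain or jump is given, so the collected rule lands in the
  # provider's default chain and has no target; the comment above suggests the
  # FORWARD chain plus an accept action is intended - confirm on the router.
  @@firewall { '100 Allow IPv6 traffic to wiregaurd':
    provider    => 'ip6tables',
    proto       => 'udp',
    dport       => $profiles::wireguard::port,
    destination => $facts['networking']['ip6'],
    tag         => ['router'],
  }

  # Exported for the router: forward the listen port from the router's VSERVER
  # chain to this host.
  # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
  # `jump`/`todest` express the "-j DNAT --to-destination" pair above; the
  # earlier `goto`/`destination` pair rendered "-g DNAT -d <ip>", which matches
  # on the packet's destination instead of rewriting it.
  @@firewall { '100 PortForward to wiregaurd server':
    provider => 'iptables',
    proto    => 'udp',
    chain    => 'VSERVER',
    dport    => $profiles::wireguard::port,
    jump     => 'DNAT',
    todest   => $facts['networking']['ip'],
    tag      => ['router'],
  }
}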