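# Module: Network Configuration
# Description: Network setup with dnscrypt-proxy for encrypted DNS, WiFi networks
#              configuration via wpa_supplicant, and hostname settings
# Services: dnscrypt-proxy (primary + backup), wpa_supplicant
# Security: WiFi credentials stored via sops-nix secrets
{ config, lib, pkgs, customConfig, ... }:

let
  # Stand-alone TOML for the backup resolver. It listens on the second loopback
  # address (127.0.0.2, added to `lo` below) and uses the dns0-eu entry of the
  # public resolver list; the list is only trusted after its minisign
  # signature has been verified with the DNSCrypt project's key.
  backupToml = pkgs.writeText "dnscrypt-proxy-backup.toml" ''
    listen_addresses = ["127.0.0.2:53"]
    server_names = ["dns0-eu"]

    [sources.public-resolvers]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
    # Lives under the backup unit's StateDirectory (see systemd.services below).
    cache_file = '/var/lib/dnscrypt-proxy-backup/public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 72
    # NOTE(review): bootstrap_resolvers / ignore_system_dns are not set here, so
    # dnscrypt-proxy's built-in defaults apply when it fetches the list above.
    # Confirm that resolving the list URL via the system resolver (the primary
    # instance) and, failing that, an unencrypted bootstrap resolver is
    # acceptable for this host; set both keys explicitly if it is not.
  '';
in
{
  # nftables backend for the NixOS firewall. Everything stays closed by
  # default; DNS is the only opened port, and only towards containers on docker0.
  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    allowPing = true;
    # allowedTCPPorts = [ ... ]; # keep closed by default
    interfaces.docker0 = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };
  };

  networking.hostName = customConfig.hostname;

  # Pick only one of the below networking options (wpa_supplicant is used
  # here; do not also enable NetworkManager, which would manage the same
  # interfaces).
  networking.wireless.enable = true;
  # networking.wireless.userControlled = true;
  # networking.wireless.secretsFile = config.sops.secrets.wifi.path;

  # Load encrypted WiFi networks configuration via wpa_supplicant include files.
  # This is supported by the NixOS module and keeps SSIDs out of the Nix store.
  # Only wired in when the sops secret is declared, so the module still
  # evaluates on hosts that carry no WiFi secrets.
  networking.wireless.extraConfigFiles =
    lib.mkIf (config.sops.secrets ? wifi-networks) [
      config.sops.secrets.wifi-networks.path
    ];

  # NOTE(review): this turns off the NixOS systemd sandboxing for
  # wpa_supplicant, which runs as root. No reason is recorded; presumably the
  # sops-provided include file or a driver needed it. Re-test with hardening
  # enabled and drop this line, or document the breakage that requires it.
  networking.wireless.enableHardening = false;
  # systemd.services.wpa_supplicant.after = [ "sops-install-secrets.service" ];
  # systemd.services.wpa_supplicant.requires = [ "sops-install-secrets.service" ];

  # You can also define networks in Nix if you prefer (less secure - names visible):
  # networking.wireless.networks = { ... };

  # Second loopback address so the backup resolver can bind its own port 53.
  networking.interfaces.lo.ipv4.addresses = [
    { address = "127.0.0.1"; prefixLength = 8; }
    { address = "127.0.0.2"; prefixLength = 8; }
  ];

  # Primary first, backup second. With resolved disabled this is a static
  # resolv.conf, so the libc resolver only moves on to 127.0.0.2 once the
  # primary times out: the backup is a fail-over, not a load-balanced peer.
  networking.nameservers = [ "127.0.0.1" "127.0.0.2" ];
  # networking.networkmanager.dns = "none";
  services.resolved.enable = false;

  # Primary encrypted resolver: one static DoH server, no resolver-list
  # downloads and no plaintext bootstrap or system-DNS fallback.
  services.dnscrypt-proxy = {
    enable = true;
    settings = {
      # 172.17.0.1 is the docker0 gateway, so containers reach this resolver
      # through the docker0 firewall rule above.
      # NOTE(review): the bind fails if docker0 does not already hold that
      # address when the service starts — confirm ordering against Docker.
      listen_addresses = [ "127.0.0.1:53" "172.17.0.1:53" ];
      server_names = [ "amaury" ];
      # Deliberately empty: the static stamp below appears to embed the
      # server's IP address, so nothing has to be resolved to reach it.
      bootstrap_resolvers = [];
      sources = {};
      static = {
        "amaury".stamp = "sdns://AgcAAAAAAAAADTgyLjY0LjIzNy4yNDYADWFtYXVyeWpvbHkuZnIUL2Rucy1xdWVyeS9pZC1hbWF1cnk";
      };
      cache = true;
      ignore_system_dns = true;
      timeout = 5000; # milliseconds
    };
  };

  # Backup resolver (dns0-eu) on 127.0.0.2, run as a separate instance with
  # its own TOML so that a primary outage does not take DNS down entirely.
  systemd.services."dnscrypt-proxy-backup" = {
    description = "dnscrypt-proxy backup (dns0-eu)";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${backupToml}";
      Restart = "on-failure";
      # Creates /var/lib/dnscrypt-proxy-backup owned by the dynamic user; the
      # TOML's cache_file points there and would otherwise be unwritable.
      StateDirectory = "dnscrypt-proxy-backup";
      NoNewPrivileges = true;
      DynamicUser = true;
      # Binding port 53 as a non-root dynamic user needs CAP_NET_BIND_SERVICE;
      # the bounding set limits the process to exactly that capability.
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
    };
  };

  # Explicit state directory for the primary instance (its cache/state).
  systemd.services.dnscrypt-proxy.serviceConfig = {
    StateDirectory = "dnscrypt-proxy";
  };
}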