# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

{ lib, config, ... }:
let
  generateSnippet = base: args: lib.concatStringsSep "\n" (lib.mapAttrsToList ( ixName: ix: generateSnippetForIX (args // { ixName = ixName; ix = ix; }) ) base );
  generateSnippetForIX = { ixName, ix, ... }@args: ''
    ipv4 table ${ixName}4;
    ipv6 table ${ixName}6;
    protocol pipe ${ixName}pipe_4 {
      table ${ixName}4;
      peer table master4;
      import where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community);
      export all;
    };
    protocol pipe ${ixName}pipe_6 {
      table ${ixName}6;
      peer table master6;
      import where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community);
      export all;
    };
  '' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers;
  enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"}";
  generateSnippetForRouter = { ixName, ix, routerNum, router, ... }: ''
    protocol bgp ${ixName}${toString routerNum}_4 {
      ${enabledSnippet router};
      local ${ix.local.v4} as ${toString ix.local.asn};
      neighbor ${router.v4} as ${toString ix.remote.asn};
      ipv4 {
        table ${ixName}4;
        import all;
        export where ((ro, ${toString ix.local.asn}, 1000) ~ bgp_ext_community);
      };
    };
    protocol bgp ${ixName}${toString routerNum}_6 {
      ${enabledSnippet router};
      local ${ix.local.v6} as ${toString ix.local.asn};
      neighbor ${router.v6} as ${toString ix.remote.asn};
      ipv6 {
        table ${ixName}6;
        import all;
        export where ((ro, ${toString ix.local.asn}, 1000) ~ bgp_ext_community);
      };
    };
  '';

  inherit (lib) mkOption mkAfter types;
in {
  options.services.lukegbgp = {
    enable = mkOption {
      type = types.bool;
      default = false;
    };
    config = mkOption { # lukegbgp.config
      type = with types; submodule {
        options = {
          local = mkOption { # lukegbgp.config.local
            type = submodule {
              options = {
                routerID = mkOption { # lukegbgp.config.local.routerID
                  type = str;
                };
              };
            };
          };
          peering = mkOption { # lukegbgp.config.peering
            type = attrsOf (submodule {
              options = {
                local = mkOption { # lukegbgp.config.peering.<foo>.local
                  type = submodule {
                    options = {
                      asn = mkOption { # lukegbgp.config.peering.<foo>.local.asn
                        type = int;
                      };
                      v4 = mkOption { # lukegbgp.config.peering.<foo>.local.v4
                        type = str;
                      };
                      v6 = mkOption { # lukegbgp.config.peering.<foo>.local.v6
                        type = str;
                      };
                    };
                  };
                };
                remote = mkOption { # lukegbgp.config.peering.<foo>.remote
                  type = submodule {
                    options = {
                      asn = mkOption { # lukegbgp.config.peering.<foo>.remote.asn
                        type = int;
                      };
                      export_community = mkOption { # lukegbgp.config.peering.<foo>.remote.export_community
                        type = int;
                      };
                      routers = mkOption { # lukegbgp.config.peering.<foo>.remote.routers
                        type = listOf (submodule {
                          options = {
                            enabled = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.enabled
                              type = bool;
                              default = true;
                            };
                            v4 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v4
                              type = str;
                            };
                            v6 = mkOption { # lukegbgp.config.peering.<foo>.remote.routers.<n>.v6
                              type = str;
                            };
                          };
                        });
                      };
                    };
                  };
                };
              };
            });
          };
          export = mkOption { # lukegbgp.config.export
            default = { v4 = ["92.118.31.0/24"]; v6 = ["2a09:a440::/48"]; };
            type = submodule {
              options = {
                v4 = mkOption { # lukegbgp.config.export.v4
                  type = listOf str;
                  default = ["92.118.31.0/24"];
                };
                v6 = mkOption { # lukegbgp.config.export.v6
                  type = listOf str;
                  default = ["2a09:a440::/48"];
                };
              };
            };
          };
        };
      };
    };
  };

  config = {
    services.bird2 = lib.mkIf config.services.lukegbgp.enable {
      enable = true;
      config = ''
        router id ${config.services.lukegbgp.config.local.routerID};

        ${generateSnippet config.services.lukegbgp.config.peering {}}

        protocol kernel {
          persist;
          ipv4 {
            import none;
            export all;
          };
        };
        protocol kernel {
          persist;
          ipv6 {
            import none;
            export all;
          };
        };
        protocol device {
        };

        protocol static export4 {
          ipv4 {
            import filter {
              bgp_ext_community.add((ro, 205479, 1000));
              bgp_ext_community.add((ro, 205479, 2000));
              bgp_ext_community.add((ro, 205479, 2001));
              bgp_ext_community.add((ro, 205479, 2002));
              bgp_ext_community.add((ro, 205479, 2003));
              bgp_ext_community.add((ro, 205479, 3000));
              bgp_ext_community.add((ro, 205479, 4000));
              bgp_ext_community.add((ro, 205479, 4001));
              bgp_ext_community.add((ro, 205479, 4002));
              accept;
            };
          };
          ${lib.concatMapStrings (ip: "route ${ip} blackhole;") config.services.lukegbgp.config.export.v4}
        };
        protocol static export6 {
          ipv6 {
            import filter {
              bgp_ext_community.add((ro, 205479, 1000));
              bgp_ext_community.add((ro, 205479, 2000));
              bgp_ext_community.add((ro, 205479, 2001));
              bgp_ext_community.add((ro, 205479, 2002));
              bgp_ext_community.add((ro, 205479, 2003));
              bgp_ext_community.add((ro, 205479, 3000));
              bgp_ext_community.add((ro, 205479, 4000));
              bgp_ext_community.add((ro, 205479, 4001));
              bgp_ext_community.add((ro, 205479, 4002));
              accept;
            };
          };
          ${lib.concatMapStrings (ip: "route ${ip} blackhole;") config.services.lukegbgp.config.export.v6}
        };
      '';
    };

    networking.firewall.allowedTCPPorts = lib.mkIf config.services.lukegbgp.enable (lib.mkAfter [ 179 ]);

    boot.kernel.sysctl = {
      "net.ipv6.conf.default.accept_ra" = 0;
      "net.ipv6.conf.all.accept_ra" = 0;
      "net.ipv6.conf.default.autoconf" = 0;
      "net.ipv6.conf.all.autoconf" = 0;
    };  
  };
}