package models

import "time"

// WireguardInterface is the local end of a WireGuard tunnel — server
// (we listen for peers) or client (we dial out to a fixed peer).
// PrivateKey + PeerPSK never appear in JSON; they are handled inside
// the handler as encrypted blobs (sealed via internal/services/secrets).
//
// NOTE(review): the `json:"-"` tags on the *Enc fields are honoured by
// encoding/json only. Formatting the whole struct with %v/%+v, handing
// it to a reflection-based structured logger, or encoding it with a
// non-JSON codec will still emit the ciphertext bytes — log individual
// fields, never the model.
type WireguardInterface struct {
	// ID is the GORM primary key.
	ID int64 `gorm:"primaryKey" json:"id"`
	// Name must be unique across all interfaces (uniqueIndex).
	Name string `gorm:"column:name;uniqueIndex" json:"name"`
	// Mode selects the local role of the tunnel: server|client.
	// Not validated in this file.
	Mode string `gorm:"column:mode" json:"mode"`
	// AddressCIDR is the interface address in CIDR notation (per the
	// column name; no parsing or validation happens here).
	AddressCIDR string `gorm:"column:address_cidr" json:"address_cidr"`
	// ListenPort is nullable and omitted from JSON when nil;
	// presumably only set in server mode — confirm in the handler.
	ListenPort *int `gorm:"column:listen_port" json:"listen_port,omitempty"`
	// PublicKey is stored and served in plaintext; presumably the public
	// half of the pair whose private half is PrivateKeyEnc — TODO confirm.
	PublicKey string `gorm:"column:public_key" json:"public_key"`
	// PeerEndpoint, PeerPublicKey, AllowedIPs and PersistentKeepalive
	// are all nullable; presumably they describe the fixed remote peer
	// in client mode — verify against the handler.
	PeerEndpoint        *string `gorm:"column:peer_endpoint" json:"peer_endpoint,omitempty"`
	PeerPublicKey       *string `gorm:"column:peer_public_key" json:"peer_public_key,omitempty"`
	AllowedIPs          *string `gorm:"column:allowed_ips" json:"allowed_ips,omitempty"`
	PersistentKeepalive *int    `gorm:"column:persistent_keepalive" json:"persistent_keepalive,omitempty"`
	// MTU is nullable; nil presumably means "use the default" — confirm.
	MTU *int `gorm:"column:mtu" json:"mtu,omitempty"`
	// Role is persisted verbatim; its value set is not defined in this file.
	Role string `gorm:"column:role" json:"role"`
	// Active is a plain flag; what it gates is decided by callers, not here.
	Active bool `gorm:"column:active" json:"active"`
	// Description is optional free text.
	Description *string `gorm:"column:description" json:"description,omitempty"`
	// CreatedAt / UpdatedAt are row timestamps.
	CreatedAt time.Time `gorm:"column:created_at" json:"created_at"`
	UpdatedAt time.Time `gorm:"column:updated_at" json:"updated_at"`
	// PrivateKeyEnc / PeerPSKEnc are loaded from the DB as raw bytes
	// — handler never serialises them. JSON tag uses '-' so they
	// don't leak into responses if a developer accidentally returns
	// the model directly.
	PrivateKeyEnc []byte `gorm:"column:private_key_enc" json:"-"`
	PeerPSKEnc    []byte `gorm:"column:peer_psk_enc" json:"-"`
}

// TableName implements GORM's Tabler interface and pins the table name
// so it does not depend on GORM's pluralisation of the struct name.
func (WireguardInterface) TableName() string { return "wireguard_interfaces" }

// WireguardPeer is a single roster entry on a server-mode interface.
// PrivateKey + PSK are encrypted at-rest and never returned in list
// payloads — only via the explicit /config download endpoint, and
// only once we generated the keypair server-side (nullable).
type WireguardPeer struct {
	// ID is the GORM primary key.
	ID int64 `gorm:"primaryKey" json:"id"`
	// InterfaceID links the peer to its interface row. No foreign-key
	// or index tag is declared here.
	InterfaceID int64 `gorm:"column:interface_id" json:"interface_id"`
	// Name carries no uniqueness constraint at the DB level.
	Name string `gorm:"column:name" json:"name"`
	// PublicKey is the peer's public key, stored and returned in plaintext.
	PublicKey string `gorm:"column:public_key" json:"public_key"`
	// AllowedIPs is persisted as a single string; its format is not
	// enforced in this file.
	AllowedIPs string `gorm:"column:allowed_ips" json:"allowed_ips"`
	// Keepalive is nullable and omitted from JSON when nil.
	Keepalive *int `gorm:"column:keepalive" json:"keepalive,omitempty"`
	// LastHandshake, TransferRX and TransferTX are presumably refreshed
	// from live tunnel state by code outside this file — confirm.
	LastHandshake *time.Time `gorm:"column:last_handshake" json:"last_handshake,omitempty"`
	TransferRX    int64      `gorm:"column:transfer_rx" json:"transfer_rx"`
	TransferTX    int64      `gorm:"column:transfer_tx" json:"transfer_tx"`
	// Enabled is a plain flag; what it gates is decided by callers, not here.
	Enabled bool `gorm:"column:enabled" json:"enabled"`
	// Description is optional free text.
	Description *string `gorm:"column:description" json:"description,omitempty"`
	// CreatedAt / UpdatedAt are row timestamps.
	CreatedAt time.Time `gorm:"column:created_at" json:"created_at"`
	UpdatedAt time.Time `gorm:"column:updated_at" json:"updated_at"`
	// PrivateKeyEnc / PSKEnc hold the sealed key material as raw bytes.
	// `json:"-"` keeps them out of encoding/json output only; %+v
	// formatting or reflection-based loggers would still print the
	// ciphertext — never log the whole struct.
	PrivateKeyEnc []byte `gorm:"column:private_key_enc" json:"-"`
	PSKEnc        []byte `gorm:"column:psk_enc" json:"-"`
	// HasPrivateKey is a derived flag for the UI: "is the QR-code
	// download going to work for this peer, or is this a roster row
	// where the operator only pasted a pubkey?"
	// `gorm:"-"` means it is never persisted; it is computed outside
	// this file (presumably from PrivateKeyEnc — confirm in the handler).
	HasPrivateKey bool `gorm:"-" json:"has_private_key"`
}

// TableName implements GORM's Tabler interface and pins the table name
// so it does not depend on GORM's pluralisation of the struct name.
func (WireguardPeer) TableName() string { return "wireguard_peers" }