-- +goose Up

-- 0005 hat schon mal eine wireguard_peers-Tabelle angelegt (Option-A
-- Schema mit peer_type 'server|s2s|roadwarrior' ohne Interface-FK).
-- Wir bauen das Modell hier um: zwei Tabellen mit FK, getrennt nach
-- Modus (server-mode iface mit Peer-Roster vs. client-mode iface mit
-- inline upstream-peer). Da das Feature noch nicht produktiv genutzt
-- wurde (Tabelle leer beim ersten Rollout), droppen wir sie und
-- bauen frisch.

-- +goose StatementBegin
DROP TABLE IF EXISTS wireguard_peers;
-- +goose StatementEnd

-- +goose StatementBegin
CREATE TABLE IF NOT EXISTS wireguard_interfaces (
    id                    BIGSERIAL PRIMARY KEY,
    name                  TEXT NOT NULL UNIQUE,
    mode                  TEXT NOT NULL,
    address_cidr          TEXT NOT NULL,
    listen_port           INTEGER,
    private_key_enc       BYTEA NOT NULL,
    public_key            TEXT NOT NULL,
    peer_endpoint         TEXT,
    peer_public_key       TEXT,
    peer_psk_enc          BYTEA,
    allowed_ips           TEXT,
    persistent_keepalive  INTEGER,
    mtu                   INTEGER,
    role                  TEXT NOT NULL DEFAULT 'wan',
    active                BOOLEAN NOT NULL DEFAULT TRUE,
    description           TEXT,
    created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT wg_iface_mode_check CHECK (mode IN ('server', 'client')),
    CONSTRAINT wg_iface_name_check CHECK (name ~ '^wg[a-z0-9-]{0,13}$'),
    CONSTRAINT wg_iface_server_check CHECK (
        mode <> 'server' OR (listen_port BETWEEN 1 AND 65535)
    ),
    CONSTRAINT wg_iface_client_check CHECK (
        mode <> 'client' OR (peer_endpoint IS NOT NULL AND peer_public_key IS NOT NULL)
    )
);
-- +goose StatementEnd

-- +goose StatementBegin
CREATE TABLE IF NOT EXISTS wireguard_peers (
    id                  BIGSERIAL PRIMARY KEY,
    interface_id        BIGINT NOT NULL REFERENCES wireguard_interfaces(id) ON DELETE CASCADE,
    name                TEXT NOT NULL,
    public_key          TEXT NOT NULL,
    private_key_enc     BYTEA,
    psk_enc             BYTEA,
    allowed_ips         TEXT NOT NULL,
    keepalive           INTEGER,
    last_handshake      TIMESTAMPTZ,
    transfer_rx         BIGINT NOT NULL DEFAULT 0,
    transfer_tx         BIGINT NOT NULL DEFAULT 0,
    enabled             BOOLEAN NOT NULL DEFAULT TRUE,
    description         TEXT,
    created_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT wg_peer_iface_pubkey_unique UNIQUE (interface_id, public_key)
);
-- +goose StatementEnd

-- +goose StatementBegin
CREATE INDEX IF NOT EXISTS idx_wg_peers_iface ON wireguard_peers (interface_id);
-- +goose StatementEnd

-- +goose Down

-- +goose StatementBegin
DROP TABLE IF EXISTS wireguard_peers;
-- +goose StatementEnd

-- +goose StatementBegin
DROP TABLE IF EXISTS wireguard_interfaces;
-- +goose StatementEnd