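# NixOS module: optional VPN client connections.
#
# Exposes `modules.system.vpns.enable` plus one boolean toggle per connection.
# Each connection is an OpenVPN client whose CA, CRL and user credentials are
# read from sops-managed secrets at runtime (the paths are interpolated, the
# secret contents never land in the Nix store).
{ pkgs, config, lib, ... }:

let
  cfg = config.modules.system.vpns;
in
{
  options.modules.system.vpns = {
    enable = lib.mkEnableOption "enables vpns";

    # toggle for pia mexico w/ openvpn
    openvpn_pia_mexico = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "enable pia vpn to mexico using openvpn";
    };
  };

  config = lib.mkIf cfg.enable {
    # enable pia mexico w/ openvpn
    services.openvpn.servers = lib.mkIf cfg.openvpn_pia_mexico {
      openvpn_pia_mexico = {
        # Inline OpenVPN client profile.  Notes on the security-relevant lines:
        #  - `remote-cert-tls server` requires the peer certificate to carry the
        #    server key-usage, so another client cert from the same CA cannot
        #    impersonate the endpoint.
        #  - `crl-verify` / `ca` point at the sops-provisioned files declared in
        #    `sops.secrets` below.
        #  - `auth-user-pass` MUST take a file path here: with no argument
        #    OpenVPN prompts on stdin, which the systemd unit cannot answer, so
        #    the tunnel would never come up.  The file holds the username on
        #    line 1 and the password on line 2.
        #  - NOTE(review): aes-128-cbc/sha1 is a legacy cipher/HMAC suite and
        #    `disable-occ` hides a mismatch with the server; confirm with the
        #    provider whether an AEAD suite is offered before relying on this.
        config = ''
          client
          dev tun
          proto udp
          remote 77.81.142.240 1198
          resolv-retry infinite
          nobind
          persist-key
          persist-tun
          cipher aes-128-cbc
          auth sha1
          tls-client
          remote-cert-tls server
          auth-user-pass ${config.sops.secrets."openvpn_pia_mexico_auth".path}
          compress
          verb 1
          reneg-sec 0
          crl-verify ${config.sops.secrets."openvpn_pia_mexico_crl".path}
          ca ${config.sops.secrets."openvpn_pia_mexico_crt".path}
          disable-occ
        '';

        # Alternative: ship the whole profile as a secret instead of inlining it.
        # Kept for reference; `openvpn_pia_mexico_config` is still declared below
        # so switching back only requires swapping the `config` attribute.
        # config = ''
        #   config ${config.sops.secrets."openvpn_pia_mexico_config".path}
        #   auth-user-pass /run/secrets/openvpn_pia_mexico_auth
        # '';
      };
    };

    # All secrets are root-only; the OpenVPN unit reads them as root, so no
    # wider ownership is needed.
    sops.secrets = {
      "openvpn_pia_mexico_auth" = {
        owner = "root";
        group = "root";
      };
      "openvpn_pia_mexico_crl" = {
        owner = "root";
        group = "root";
      };
      "openvpn_pia_mexico_crt" = {
        owner = "root";
        group = "root";
      };
      "openvpn_pia_mexico_config" = {
        owner = "root";
        group = "root";
      };
    };
  };
}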