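# NixOS module: the "HFT" OpenVPN client.
#
# Options (under `maid.vpn.hft`):
#   enable    - turn the client on.
#   autoStart - start the tunnel at boot (default: false).
#
# When enabled, the module asserts that `maid.proxies.yor` is enabled and
# makes the OpenVPN unit depend on `yor-proxy.service`.
{ pkgs, lib, config, ... }:
let
  types = lib.types;
  hft = config.maid.vpn.hft;
  proxies = config.maid.proxies;
in
{
  options.maid.vpn.hft = {
    enable = lib.mkEnableOption "OpenVPN HFT";

    autoStart = lib.mkOption {
      type = types.bool;
      default = false;
      description = "Whether to start VPN on system start";
    };
  };

  config = lib.mkIf hft.enable {
    # Fail evaluation early instead of producing a tunnel that cannot connect.
    assertions = [
      {
        assertion = proxies.yor.enable;
        message = "HFT OpenVPN requires shadowsocks server to bypass DPI";
      }
    ];

    services.openvpn.servers.hft = {
      autoStart = hft.autoStart;
      updateResolvConf = true;

      # Only the sops secret *paths* are interpolated here, so the generated
      # OpenVPN config that lands in the world-readable Nix store carries
      # file references rather than the profile or the passphrase itself.
      # `config` pulls in the real profile; `askpass` reads the key
      # passphrase from a file instead of prompting.
      config = ''
        config ${config.sops.secrets."work/ovpn".path}
        askpass ${config.sops.secrets."work/password".path}
      '';
    };

    systemd.services.openvpn-hft = {
      # Requires= pulls the proxy in and stops the VPN if the proxy fails to
      # start, but it does not order the two units.
      requires = [ "yor-proxy.service" ];

      # Without After=, systemd may launch both units in parallel, so OpenVPN
      # could start before the proxy is up.
      # NOTE(review): assumes the profile in work/ovpn routes through the
      # yor proxy, as the assertion message suggests; confirm.
      after = [ "yor-proxy.service" ];
    };
  };
}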