{ config, lib, pkgs, ... }:
let
  secrets = config.sops.secrets;
in
{
  sops.secrets."work/ovpn".sopsFile = ../../secrets/work.yaml;
  sops.secrets."work/password".sopsFile = ../../secrets/work.yaml;

  services.openvpn.servers.hft = {
    autoStart = false;
    updateResolvConf = true;

    config = ''
      config ${secrets."work/ovpn".path}
      askpass ${secrets."work/password".path}
    '';
  };
  systemd.services.openvpn-hft.requires = ["yor-proxy.service"];
}