# NixOS module: an optional OpenVPN client instance named "hft" together with
# a Shadowsocks local client (sslocal) whose lifecycle follows the VPN unit.
# Only the paths of the sops secrets are interpolated below; the secret
# contents themselves never appear in this expression.
{ pkgs, lib, config, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.maid.vpn.hft;
  secrets = config.sops.secrets;
in
{
  options.maid.vpn.hft = {
    enable = mkEnableOption "OpenVPN HFT";

    autoStart = mkOption {
      description = "Whether to start VPN on system start";
      type = types.bool;
      default = false;
    };
  };

  # Nothing below is defined unless maid.vpn.hft.enable is set.
  config = mkIf cfg.enable {
    services.openvpn.servers.hft = {
      inherit (cfg) autoStart;
      updateResolvConf = true;
      # The generated profile is a two-line stub: it includes the real client
      # profile from a secret file and names a second secret file for askpass.
      config = ''
        config ${secrets."work/ovpn".path}
        askpass ${secrets."work/password".path}
      '';
    };

    systemd.services.hft-shadowsocks = {
      description = "Shadowsocks to bypass OpenVPN block";
      after = [ "network.target" ];
      # Started when openvpn-hft.service is started (wantedBy) and stopped or
      # restarted together with it (partOf).
      # NOTE(review): no before/after ordering relative to openvpn-hft.service
      # is declared; if the OpenVPN profile connects through this proxy,
      # confirm the proxy is listening before the tunnel comes up.
      wantedBy = [ "openvpn-hft.service" ];
      partOf = [ "openvpn-hft.service" ];
      serviceConfig = {
        Type = "simple";
        # NOTE(review): no User=, sandboxing or Restart= directives are set, so
        # this unit runs with systemd's system-service defaults (root, no
        # automatic restart). A dedicated user or LoadCredential= for the
        # secret config would narrow its privileges -- confirm first what the
        # secret sslocal configuration needs (ports, modes).
        ExecStart = "${pkgs.shadowsocks-rust}/bin/sslocal --config ${secrets."work/shadowsocks".path}";
      };
    };
  };
}