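# NixOS module: declares an OpenVPN instance (named by `maid.vpn.hft.name`)
# and a companion shadowsocks local client (`sslocal`) whose lifecycle is
# tied to that OpenVPN unit.
{ pkgs, lib, config, ... }:
let
  types = lib.types;
  hft = config.maid.vpn.hft;
in
{
  options.maid.vpn.hft = {
    enable = lib.mkEnableOption "HFT-OpenVPN server";

    # All path options are `types.str`, so they are used as runtime paths and
    # the referenced files are not imported into the Nix store. Keep it that
    # way for secrets: point at files outside the store with restrictive
    # permissions. Interpolating a path literal (e.g. "${./secret}") would
    # copy the file into the world-readable store.
    shadowsocksConfigPath = lib.mkOption {
      type = types.str;
      description = "Shadowsocks config path";
    };

    # Used to build both unit names: openvpn-<name> and
    # openvpn-<name>-shadowsocks.
    name = lib.mkOption {
      type = types.str;
      description = "Name of the service";
      default = "hft";
    };

    configPath = lib.mkOption {
      type = types.str;
      description = "OpenVPN configuration file";
    };

    # Path to the file handed to OpenVPN's `askpass` directive, not the
    # password itself.
    passwordFile = lib.mkOption {
      type = types.str;
      description = "OpenVPN certificate password";
    };

    autoStart = lib.mkOption {
      type = types.bool;
      default = false;
      description = "Whether to start VPN on system start or not";
    };
  };

  config = lib.mkIf hft.enable {
    services.openvpn.servers."${hft.name}" = {
      autoStart = hft.autoStart;
      updateResolvConf = true;
      # The generated config only includes the external OpenVPN config and
      # tells OpenVPN to read the private-key password from passwordFile.
      # Both paths are interpolated unquoted, so they must not contain
      # whitespace.
      config = ''
        config ${hft.configPath}
        askpass ${hft.passwordFile}
      '';
    };

    systemd.services."openvpn-${hft.name}-shadowsocks" = {
      # wantedBy pulls this unit in whenever the OpenVPN unit starts; partOf
      # propagates stop/restart of the OpenVPN unit to it.
      # NOTE(review): no ordering against the OpenVPN unit is declared. If the
      # OpenVPN config connects through this proxy, an explicit
      # `before = [ "openvpn-${hft.name}.service" ]` may be wanted; confirm.
      wantedBy = [ "openvpn-${hft.name}.service" ];
      partOf = [ "openvpn-${hft.name}.service" ];
      after = [ "network.target" ];
      description = "Corporate shadowsocks";
      serviceConfig = {
        # systemd matches Type= values case-sensitively; "Simple" is rejected
        # with a warning and the default is used instead.
        Type = "simple";
        # The path is interpolated unquoted; whitespace in it would split the
        # argument.
        ExecStart = ''${pkgs.shadowsocks-rust}/bin/sslocal --config ${hft.shadowsocksConfigPath}'';
        # NOTE(review): no User= is set, so the proxy runs as root by default.
        # Consider a dedicated user (or DynamicUser with LoadCredential for
        # the config file) once the config file's ownership is settled.
        NoNewPrivileges = true;
      };
    };
  };
}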