# NixOS module: declares four sops secrets for a CyberGhost OpenVPN profile,
# installs the OpenVPN / NetworkManager packages, and drops a NetworkManager
# keyfile into /etc that refers to the secrets by path.
{ config, pkgs, ... }:
let
  # Runtime path of a declared sops secret. Only this path string is written
  # into the generated keyfile; the keyfile itself is built in the Nix store
  # (world-readable), so secret *contents* must never be placed in the
  # attribute set below.
  secretPath = name: config.sops.secrets.${name}.path;

  # INI-rendered NetworkManager connection profile.
  keyfile = (pkgs.formats.ini { }).generate "cyberghost.nmconnection" {
    connection = {
      id = "cyberghost vpn";
      type = "vpn";
      # NOTE(review): hard-coded UUID; it has to be unique among the profiles
      # on the host, so do not reuse it for a second connection.
      uuid = "f47ac10b-58cc-4372-a567-0e02b2c3d479";
      # The tunnel is only brought up on request; nothing here blocks traffic
      # while it is down.
      autoconnect = false;
    };

    vpn = {
      service-type = "org.freedesktop.NetworkManager.openvpn";
      # 0 = the secret is system-owned rather than requested from a user agent.
      password-flags = 0;
      # NOTE(review): `auth-user-pass` is an OpenVPN directive; whether the
      # NetworkManager OpenVPN plugin accepts it as a keyfile property is not
      # visible here, and no `remote` or `connection-type` is set — TODO
      # confirm the profile activates. If it has to move to `username` plus a
      # stored password, keep the password out of this file (Nix store).
      auth-user-pass = secretPath "cyberghost_user_pass";
      ca = secretPath "cyberghost_ca";
      cert = secretPath "cyberghost_cert";
      key = secretPath "cyberghost_key";
      # NOTE(review): compression inside the tunnel is exposed to
      # compression-oracle attacks (VORACLE) and comp-lzo is deprecated in
      # OpenVPN; keep it only if the provider's servers require it.
      comp-lzo = "yes";
    };

    ethernet = {
      auto-negotiate = true;
    };

    ipv4 = {
      method = "auto";
      may-fail = false;
      never-default = false;
      # Routes and DNS servers pushed by the VPN server are not applied.
      # NOTE(review): with pushed DNS ignored, lookups keep using the
      # resolvers already configured on the host — confirm that queries are
      # not meant to go through the tunnel.
      ignore-auto-routes = true;
      ignore-auto-dns = true;
      # NOTE(review): `route-data` repeats the `route1` value; confirm both
      # keys are needed in a keyfile.
      route1 = "10.42.0.0/16,0.0.0.0,100";
      route-data = "10.42.0.0/16,0.0.0.0,100";
    };

    # NOTE(review): IPv6 is left unconfigured on the tunnel. If the underlying
    # link has IPv6 connectivity, that traffic presumably bypasses the VPN —
    # confirm IPv6 is filtered or disabled elsewhere.
    ipv6.method = "ignore";
  };
in
{
  # No owner/mode/sopsFile overrides are given, so the sops-nix defaults
  # apply. NOTE(review): confirm the process that reads these files at
  # connect time is allowed to open them.
  sops.secrets = {
    cyberghost_user_pass = { };
    cyberghost_ca = { };
    cyberghost_cert = { };
    cyberghost_key = { };
  };

  environment = {
    # NOTE(review): this only installs the packages. Enabling NetworkManager
    # and registering the OpenVPN plugin (networking.networkmanager.enable /
    # .plugins) is not done in this module — presumably configured elsewhere.
    systemPackages = [
      pkgs.openvpn
      pkgs.networkmanager
      pkgs.networkmanager-openvpn
    ];

    etc."NetworkManager/system-connections/${keyfile.name}" = {
      source = keyfile;
      # A non-symlink mode makes NixOS copy the file instead of linking into
      # the store; NetworkManager ignores keyfiles readable by other users.
      mode = "0600";
    };
  };
}