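{ config, lib, pkgs, ... }:

let
  # IPv4 LAN that must stay reachable directly, never through the tunnel.
  localNetwork = "10.42.96.0/20";

  # VPN endpoint. Kept in one place so the OpenVPN `remote` line and the
  # kill-switch rule that lets the tunnel be established cannot drift apart.
  vpnRemote = "87-1-hu.cg-dialup.net";
  vpnPort = "443";

  # sops-managed files referenced from the OpenVPN config below.
  secretNames = [ "cyberghost-auth" "cyberghost-ca" "cyberghost-cert" "cyberghost-key" ];

  # Kill-switch rules for the OUTPUT chain, in match order.
  # `tool` is plain `iptables` for IPv4-only matches, or NixOS' `ip46tables`
  # helper (available in extraCommands/extraStopCommands) which applies the
  # rule to both address families and skips ip6tables when
  # networking.enableIPv6 is false. The list is rendered once for start (-A)
  # and once for stop (-D), so the two can never disagree on a rule spec.
  killSwitchRules = [
    # LAN traffic stays direct (IPv4 prefix, so IPv4 only).
    { tool = "iptables"; rule = "-d ${localNetwork} -j ACCEPT"; }
    # Anything already inside the tunnel is fine.
    { tool = "ip46tables"; rule = "-o tun+ -j ACCEPT"; }
    # Loopback.
    { tool = "ip46tables"; rule = "-o lo -j ACCEPT"; }
    # Replies on connections we accepted.
    { tool = "ip46tables"; rule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"; }
    # Let the OpenVPN client reach the endpoint. Scoped to root (the uid
    # services.openvpn runs under, since the config sets no `user`) so an
    # unprivileged process speaking QUIC/HTTP3 on UDP/443 cannot use this
    # rule to bypass the kill switch. The destination is left unrestricted
    # because ${vpnRemote} is a DNS name that iptables would resolve only once,
    # at rule-install time.
    { tool = "iptables"; rule = "-p udp --dport ${vpnPort} -m owner --uid-owner root -j ACCEPT"; }
    # Everything else is dropped for BOTH families. Without an ip6tables
    # rule, IPv6 traffic walked around the kill switch entirely. The LAN
    # ACCEPT above already exempts ${localNetwork}, so no `! -d` is needed here.
    { tool = "ip46tables"; rule = "-j DROP"; }
  ];

  # Render every rule with the given iptables verb ("-A" or "-D") and an
  # optional shell suffix appended to each line.
  renderRules = verb: suffix:
    lib.concatMapStringsSep "\n"
      (r: "${r.tool} ${verb} OUTPUT ${r.rule}${suffix}")
      killSwitchRules;
in
{
  # SOPS secrets for CyberGhost credentials; root-only, read-only.
  sops.secrets = lib.genAttrs secretNames (_: {
    mode = "0400";
    owner = "root";
  });

  environment.systemPackages = [ pkgs.openvpn ];

  # OpenVPN client service
  services.openvpn.servers.cyberghost = {
    autoStart = true;
    # Requires `script-security 2` below so the up/down resolver hooks may run.
    updateResolvConf = true;
    config = ''
      client
      dev tun
      proto udp
      remote ${vpnRemote} ${vpnPort}
      resolv-retry infinite
      nobind
      persist-key
      persist-tun

      # Authentication
      auth-user-pass ${config.sops.secrets.cyberghost-auth.path}
      ca ${config.sops.secrets.cyberghost-ca.path}
      cert ${config.sops.secrets.cyberghost-cert.path}
      key ${config.sops.secrets.cyberghost-key.path}

      # Security
      data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      auth SHA256
      # Require the server to present a certificate with the server EKU,
      # so a stolen client cert cannot impersonate the endpoint.
      remote-cert-tls server
      script-security 2

      # Connection
      ping 5
      explicit-exit-notify 2
      route-delay 5

      # Split tunnel: ignore the routes the server pushes but still accept
      # pushed DNS (dhcp-option). `route-nopull` would discard dhcp-option as
      # well, leaving resolv.conf on the LAN resolver (a DNS leak via the
      # ISP path) and making updateResolvConf a no-op. The trailing space in
      # "route " keeps `route-gateway` pushes, which vpn_gateway relies on.
      pull-filter ignore "route "
      pull-filter ignore "route-ipv6"
      pull-filter ignore "redirect-gateway"

      # Route all traffic through the VPN except the local network
      route 0.0.0.0 128.0.0.0 vpn_gateway
      route 128.0.0.0 128.0.0.0 vpn_gateway
      # Keep local network route direct
      route ${localNetwork} net_gateway

      verb 4
    '';
  };

  # Kill switch: block outgoing traffic unless it goes via the tunnel, the
  # LAN or loopback. Rules are appended on firewall start and removed on
  # stop from the same list, so every -A has a matching -D.
  networking.firewall = {
    extraCommands = renderRules "-A" "";
    # Deletion is best-effort: a rule that is already gone must not fail
    # the stop script.
    extraStopCommands = renderRules "-D" " 2>/dev/null || true";
  };
}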