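# NixOS module: Mullvad VPN over WireGuard. The device identity comes from a
# sops-encrypted per-host file, and a few client settings are re-applied each
# time the daemon starts.
{ lib, pkgs, config, ... }:
with lib;
let
  cfg = config.custom.mullvad;
  secretstore = config._secretstore;
  host = config.networking.hostName;
in
{
  # Option that switches this module on.
  # mkEnableOption prefixes its argument with "Whether to enable", so only the
  # feature name belongs here. The previous text ("Enable SSH") described a
  # different service.
  options.custom.mullvad.enable = mkEnableOption "the Mullvad VPN client";

  config = mkIf cfg.enable {
    networking.wireguard.enable = true;
    services.mullvad-vpn.enable = true;

    # Per-host device file kept encrypted in the secret store. "binary" tells
    # sops-nix to hand over the whole decrypted file instead of extracting a key.
    sops.secrets.device_json = {
      sopsFile = "${secretstore}/hosts/${host}/mullvad/device.json";
      format = "binary";
    };

    # Expose the decrypted file under /etc/mullvad-vpn. Only the secret's
    # runtime path is referenced here, so the plaintext should not be copied
    # into the world-readable Nix store (presumably a symlink; verify on a host).
    # NOTE(review): the secret is device.json but it is exposed as device.conf.
    # Confirm the daemon actually reads this file name.
    # NOTE(review): no owner/mode is set on the secret, so the sops-nix defaults
    # apply. Confirm they are as restrictive as intended.
    environment.etc."mullvad-vpn/device.conf".source = config.sops.secrets.device_json.path;

    # set some options after every daemon start
    # to avoid accidentally leaving unsafe settings
    #
    # The script waits until `mullvad status` succeeds, then applies three
    # settings: LAN access allowed, WireGuard as tunnel protocol, relay
    # location "ca mtr".
    # NOTE(review): the wait loop has no timeout of its own; it is presumably
    # bounded only by systemd's start timeout for the unit.
    # NOTE(review): `lan set allow` lets local-network traffic bypass the
    # tunnel. Unlike the reference config kept at the bottom of this file, this
    # script does not set `always-require-vpn` or the DNS blocking flags, so
    # traffic may leave outside the tunnel while the VPN is disconnected.
    # Confirm both choices are intended.
    systemd.services."mullvad-daemon" = {
      postStart = ''
        while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
        ${pkgs.mullvad}/bin/mullvad lan set allow #enable local lan access
        ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
        ${pkgs.mullvad}/bin/mullvad relay set location ca mtr
      '';
    };
  };
}

# Reference material kept from earlier variants (not evaluated).
# NOTE(review): the reference script below passes the account number as a
# command-line argument to `mullvad account login`. Command-line arguments are
# typically visible to other local processes, so keep that in mind before
# re-enabling it.
#
# secrets = hm_secrets "${secretstore}/user_dotfiles/${username}@${hostName}/keybase/" "${config.xdg.configHome}/keybase/";
#
# { config, pkgs, ... }:
# {
#   age.secrets.mullvad.file = ../secrets/mullvad.age;
#   networking.wireguard.enable = true;
#   services.mullvad-vpn.enable = true;
#   # set some options after every daemon start
#   # to avoid accidentally leaving unsafe settings
#   systemd.services."mullvad-daemon" = {
#     serviceConfig.LoadCredential =
#       [ "account:${config.age.secrets.mullvad.path}" ];
#     postStart = ''
#       while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
#       account="$(<"$CREDENTIALS_DIRECTORY/account")"
#       current_account="$(${pkgs.mullvad}/bin/mullvad account get | grep "account:" | sed 's/.* //')"
#       if [[ "$current_account" != "$account" ]]; then
#         ${pkgs.mullvad}/bin/mullvad account login "$account"
#       fi
#       ${pkgs.mullvad}/bin/mullvad always-require-vpn set on
#       ${pkgs.mullvad}/bin/mullvad dns set default \
#         --block-ads --block-trackers --block-malware
#       ${pkgs.mullvad}/bin/mullvad lan set allow
#       ${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on
#       ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
#       ${pkgs.mullvad}/bin/mullvad relay set location de dus
#     '';
#   };
# }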