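# NixOS module: opt-in Mullvad VPN client (custom.mullvad.enable).
# When enabled it turns on WireGuard support and the Mullvad daemon, and
# re-applies a fixed set of client settings after every daemon start.
{ lib, pkgs, config, ... }:

with lib;

let
  secretstore = config._secretstore;
  host = config.networking.hostName;
  cfg = config.custom.mullvad;

  # Absolute path of the Mullvad CLI from the pinned package.
  mullvadCli = "${pkgs.mullvad}/bin/mullvad";

  # Currently unused: only the commented-out `imports` line below refers to it.
  # NOTE(review): before re-enabling, confirm that `secretstore` is a string and
  # not a Nix path value. Interpolating a path value into a string copies the
  # referenced directory into the world-readable /nix/store.
  # NOTE(review): `imports` derived from `config` usually ends in infinite
  # recursion during module evaluation; verify before uncommenting.
  secret =
    if builtins.pathExists "${secretstore}/hosts/${host}/mullvad/device.json"
    then ./secrets.nix
    else { };
in
{
  # Option that enables this module. mkEnableOption prepends
  # "Whether to enable", so the argument is just the feature name
  # (the previous text, "Enable SSH", described the wrong service).
  options.custom.mullvad.enable = mkEnableOption "Mullvad VPN";

  # imports = [ secret ];

  config = mkIf cfg.enable {
    networking.wireguard.enable = true;
    services.mullvad-vpn.enable = true;

    # Set some options after every daemon start
    # to avoid accidentally leaving unsafe settings.
    systemd.services."mullvad-daemon" = {
      # 1. Poll `mullvad status` once per second until the daemon answers.
      # 2. Allow local-network access. Traffic to the LAN therefore bypasses the
      #    tunnel; this is a deliberate relaxation, not a hardening step.
      # 3. Pin the tunnel protocol to WireGuard and the relay location to `ca mtr`.
      #
      # NOTE(review): only the three settings below are re-asserted. Lockdown
      # mode and auto-connect are not set here, so whether traffic is blocked
      # while the tunnel is down depends on the daemon's persisted state.
      # Consider pinning `lockdown-mode` and `auto-connect` here as well if
      # leak prevention is the goal.
      postStart = ''
        while ! ${mullvadCli} status >/dev/null; do sleep 1; done
        ${mullvadCli} lan set allow #enable local lan access
        ${mullvadCli} relay set tunnel-protocol wireguard
        ${mullvadCli} relay set location ca mtr
      '';
    };
  };
}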