{ pkgs, ... }@all: with all; {
  environment.etc = {
    "ssl/certs/tuda-eduroam-root.crt".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";
  };
  sops.secrets = {
    "eduroam/tuda_nmconnection" = {
      mode = "0600";
      owner = "root";
      path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
    };
  };
  environment.systemPackages = with pkgs; [
    openconnect
    networkmanager-openconnect
    (pkgs.writeShellScriptBin "connect_to_tuda" ''
      sudo $(grep ExecStart /etc/systemd/system/openconnect-tuda.service | cut -c 11-)
    '')
  ];
  networking.openconnect = {
    package = pkgs.openconnect;
    interfaces = {
      tuda = {
        autoStart = false;
        gateway = "vpn.hrz.tu-darmstadt.de";
        protocol = "anyconnect";
        user = secrets.email.tuda.tuid;
      };
    };
  };
}