# NixOS module for TU Darmstadt network access: an eduroam NetworkManager
# profile delivered through sops-nix, plus an OpenConnect (AnyConnect protocol)
# VPN interface that is started manually.
#
# `with all;` brings every module argument into scope; `secrets` further down
# is resolved through it rather than being named in the argument pattern.
{ pkgs, ... }@all:
with all;
{
  # Expose one individual root certificate (T-TeleSec GlobalRoot Class 2) from
  # the unbundled cacert output at a stable path under /etc/ssl/certs.
  # presumably the eduroam profile pins this file as its CA anchor; confirm
  # against the nmconnection secret, which is not visible here.
  environment.etc."ssl/certs/tuda-eduroam-root.crt".source =
    "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";

  # CLI client and the NetworkManager VPN plugin.
  environment.systemPackages = [
    pkgs.openconnect
    pkgs.networkmanager-openconnect
  ];

  # The eduroam profile holds credentials, so it is provided as a sops secret
  # instead of a Nix-store file (store paths are world-readable). Root
  # ownership with mode 0600 matches what NetworkManager expects of keyfile
  # profiles in system-connections.
  sops.secrets."eduroam/tuda_nmconnection" = {
    path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
    owner = "root";
    mode = "0600";
  };

  networking.openconnect.package = pkgs.openconnect;

  networking.openconnect.interfaces.openconnect0 = {
    # Only connect on explicit request, never at boot.
    autoStart = false;

    gateway = "vpn.hrz.tu-darmstadt.de";
    protocol = "anyconnect";

    # Evaluated at build time, so this value is written into the Nix store.
    # Acceptable for an account identifier; a password must not be passed
    # this way (use passwordFile with a runtime secret instead).
    user = secrets.email.tuda.tuid;

    # NOTE(review): this path lives in a user's home directory, so that user
    # can replace a file the system VPN service reads. The file name suggests
    # a root CA, while this option is the certificate to authenticate with.
    # Confirm which is intended; trust material for a system service is
    # better kept in a root-owned location.
    certificate = "/home/nx2/tuda-rootcert.crt";

    # Disabled settings, kept for reference:
    # extraOptions = { compression = "stateless"; no-dtls = true; no-http-keepalive = true; };
    # passwordFile = "/var/lib/secrets/openconnect-passwd";
    # privateKey = "/var/lib/secrets/openconnect_private_key.pem";
  };
}