{ pkgs, ... }:
{
  environment.etc = {
    "ssl/certs/tuda-eduroam-root.crt".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";
  };
  sops.secrets = {
    "eduroam/tuda_nmconnection" = {
      mode = "0600";
      owner = "root";
      path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
    };
  };
}