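{ config, pkgs, lib, ... }:
let
  # ExecStartPost hook.  openfortivpn is started with --no-dns (see the service
  # below) and is a Type=notify unit, so this runs once the tunnel reports
  # ready.  It turns the connection into a split tunnel: only 172.16.0.0/12 is
  # sent via ppp0, the default route is pointed back at the LAN gateway, and
  # resolv.conf is switched to the VPN-side resolvers by hand.
  openfortivpn-addroute = pkgs.writeShellScript "openfortivpn-addroute.sh" ''
    # Fail loudly: a half-applied state (e.g. default route still through the
    # tunnel, or resolv.conf left untouched) should fail the unit rather than
    # pass unnoticed.
    set -eu
    # Give ppp0 a moment to come up after the notify.
    sleep 2
    # `replace` is idempotent: a route the peer already pushed, or one left over
    # from a previous (re)start, would make a plain `add` fail.
    ${pkgs.iproute2}/bin/ip route replace 172.16.0.0/12 dev ppp0
    # Drop whatever default route the tunnel installed; tolerate there being none.
    ${pkgs.iproute2}/bin/ip route del default || true
    # NOTE(review): the LAN gateway is hard-coded -- confirm it is valid on every
    # network this host connects from, otherwise the host loses its default route.
    ${pkgs.iproute2}/bin/ip route replace default via 192.168.0.254
    # NOTE(review): this overwrites /etc/resolv.conf directly; confirm nothing
    # else on the host (resolvconf/resolved) manages that file.
    ${pkgs.coreutils-full}/bin/cat << EOF > /etc/resolv.conf
    search ville.besancon
    nameserver 172.18.96.1
    nameserver 172.18.96.2
    EOF
  '';

  # ExecStopPost hook.  The ppp0 route disappears with the interface, so only
  # resolv.conf has to be restored.  NOTE(review): this resolver list duplicates
  # the host's normal DNS configuration by hand -- keep it in sync with wherever
  # that is defined, or the host silently ends up with stale resolvers.
  openfortivpn-delroute = pkgs.writeShellScript "openfortivpn-delroute.sh" ''
    set -eu
    sleep 2
    ${pkgs.coreutils-full}/bin/cat << EOF > /etc/resolv.conf
    nameserver 10.0.0.1
    nameserver 2001:41d0:303:20da::1
    nameserver 217.182.138.218
    nameserver 9.9.9.9
    EOF
  '';

  # CIFS mount unit.  Credentials are read from the sops-rendered file (root
  # only, mode 0600) at mount time; files are presented as owned by the local
  # user `beastie`.  NOTE(review): no vers=/sec=/seal option is set, so dialect,
  # authentication and transport encryption are whatever mount.cifs negotiates
  # by default -- pin them if the server supports it.
  myMount = description: what: where: {
    inherit description what where;
    type = "cifs";
    options = "credentials=${config.sops.templates."gbmshares-secrets".path},uid=beastie,gid=users";
  };

  # Automount unit for one of the mounts above; the share is mounted on first
  # access and released after 30 s idle.
  myAutoMount = description: where: {
    inherit description where;
    requires = [ "network-online.target" ];
    # Bug fix: this was "network-online.service", which does not exist, so the
    # automount had no ordering against the network coming up.  `requires`
    # alone only pulls the target in; `after` is what orders us behind it.
    after = [ "network-online.target" ];
    # NOTE(review): the share hosts live under ville.besancon, which is only
    # resolvable through the VPN-side resolvers above -- consider ordering the
    # automounts after openfortivpn.service as well.
    wantedBy = [ "multi-user.target" ];
    automountConfig = {
      TimeoutIdleSec = 30;
    };
  };
in
{
  sops = {
    secrets = {
      "ldap_GBM/username" = { };
      "ldap_GBM/password" = { };
      "ldap_GBM/domain" = { };
      "openfortivpn/host" = { };
      "openfortivpn/port" = { };
    };
    # Both templates render the same LDAP password in plaintext; they are
    # root-only (0600) and only ever read by root-run units.
    templates = {
      "openfortivpn.conf" = {
        content = ''
          host = ${config.sops.placeholder."openfortivpn/host"}
          port = ${config.sops.placeholder."openfortivpn/port"}
          username = ${config.sops.placeholder."ldap_GBM/username"}
          password = ${config.sops.placeholder."ldap_GBM/password"}
        '';
        mode = "0600";
        owner = "root";
      };
      "gbmshares-secrets" = {
        content = ''
          username=${config.sops.placeholder."ldap_GBM/username"}
          password=${config.sops.placeholder."ldap_GBM/password"}
          domain=${config.sops.placeholder."ldap_GBM/domain"}
        '';
        mode = "0600";
        owner = "root";
      };
    };
  };

  environment.systemPackages = [
    pkgs.openfortivpn
    pkgs.cifs-utils
  ];

  # The VPN client.  No wantedBy is set here, so nothing pulls it in at boot.
  # No User= is set either: it runs as root, which the ppp0 setup and the
  # route/resolv.conf edits in the hooks above rely on.
  systemd.services."openfortivpn" = {
    enable = true;
    #wantedBy = lib.mkForce [ ];
    unitConfig = {
      Description = "OpenFortiVPN";
      After = "network-online.target";
      Wants = "network-online.target systemd-networkd-wait-online.service";
      Documentation = [
        "man:openfortivpn(1) https://github.com/adrienverge/openfortivpn#readme https://github.com/adrienverge/openfortivpn/wiki"
      ];
    };
    serviceConfig = {
      Type = "notify";
      PrivateTmp = "true";
      # --no-dns: resolv.conf is handled by the hooks, not by the client.
      # Credentials come from the root-only sops template, never the command line.
      ExecStart = "${pkgs.openfortivpn}/bin/openfortivpn --no-dns -c ${config.sops.templates."openfortivpn.conf".path}";
      ExecStartPost = "${openfortivpn-addroute}";
      ExecStopPost = "${openfortivpn-delroute}";
      Restart = "on-failure";
      #OOMScoreAdjust = "-100";
    };
  };

  systemd.mounts = [
    (myMount "GBM Perso" "//vf-mc2-sfic06.ville.besancon/usr_s$/SALVIJER/Mes Documents" "/gbmshares/perso")
    (myMount "GBM Services" "//vf-mc2-sfic06.ville.besancon/08TIC" "/gbmshares/services")
  ];

  systemd.automounts = [
    (myAutoMount "GBM Perso automount" "/gbmshares/perso")
    (myAutoMount "GBM Services automount" "/gbmshares/services")
  ];
}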