{ inputs, pkgs, lib, config, ... }:
let
  inherit (config.services) openvpn;
  # Network namespace the tunnel is confined to; also names the openvpn
  # server entry, its systemd unit and its RuntimeDirectory below.
  netns = "riseup";
  # Provider endpoint that issues the client key+cert; it is called with no
  # client credentials at all (see the unit's preStart).
  apiUrl = "https://api.black.riseup.net/3/cert";
  # Combined PEM (private key and certificate) written by the unit's preStart
  # into its 0700 RuntimeDirectory; both `key` and `cert` settings point here.
  key-cert = "/run/openvpn-${netns}/key+cert.pem";
in
{
  services.openvpn.servers.${netns} = {
    inherit netns;
    settings = {
      # Gateway list as published by the provider's service description:
      #   curl -Ls https://api.black.riseup.net/3/config/eip-service.json |
      #   jq .gateways.'[]'.host
      remote = [
        "vpn01-sea.riseup.net"
        "vpn02-par.riseup.net"
        "vpn03-par.riseup.net"
        "vpn04-ams.riseup.net"
        "vpn05-par.riseup.net"
        "vpn06-ams.riseup.net"
        "vpn07-par.riseup.net"
        "vpn08-par.riseup.net"
        "vpn09-mia.riseup.net"
        "vpn10-mtl.riseup.net"
        "vpn11-par.riseup.net"
        "vpn12-nyc.riseup.net"
        "vpn13-ams.riseup.net"
        "vpn14-par.riseup.net"
        "vpn15-sea.riseup.net"
        "vpn16-sea.riseup.net"
        "vpn17-mia.riseup.net"
        "vpn18-mtl.riseup.net"
        "vpn19-ams.riseup.net"
        "vpn20-par.riseup.net"
      ];
      # Start from a random entry of the list rather than always the first.
      remote-random = true;

      # Transport. `port` stays a string because it is spliced verbatim into
      # the nftables rule below (Nix cannot interpolate an integer).
      proto = "udp";
      port = "53";
      client = true;
      tls-client = true;
      nobind = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      # Reportedly a no-op on recent OpenVPN releases; kept for compatibility.
      tun-ipv6 = true;

      # Trust anchor for the gateways: the provider CA fetched at build time and
      # pinned by content hash, so a changed file fails the build instead of
      # silently changing what this client trusts.
      ca = toString (pkgs.fetchurl {
        url = "https://black.riseup.net/ca.crt";
        hash = "sha256-+kzojhwMbFwcf9W6CzXcCaLzBtgeOgXp19XPrP3ZhFM=";
      });
      # Client credentials, refreshed into the RuntimeDirectory by the unit's
      # preStart on every start.
      key = key-cert;
      cert = key-cert;
      # Require the server EKU on the peer certificate. The same API hands out
      # client certs to anyone (the preStart fetches one with no credentials),
      # so this is what stops such a cert from posing as a gateway.
      remote-cert-tls = "server";
      # Legacy HMAC and a single CBC TLS 1.2 suite; presumably dictated by what
      # the gateways offer -- confirm before changing, since a pinned suite the
      # server does not offer makes the handshake fail.
      auth = "SHA1";
      tls-cipher = "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
      # Disables the client-side renegotiation timer; rekeying is left to the
      # gateway's own schedule.
      reneg-sec = 0;

      # Liveness and restart behaviour: ping every 10s, restart after 30s of
      # silence, keeping key material and the tun device across restarts.
      keepalive = "10 30";
      persist-key = true;
      persist-tun = true;
      up-restart = true;
      # Permits OpenVPN to run external up/down scripts; presumably required by
      # the netns integration -- confirm.
      script-security = 2;
      verb = 3;
    };
  };
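  systemd.services."openvpn-${netns}" = {
    # Fetch a fresh client key+cert from the provider API before every start.
    # The request carries no credentials; the result lands in the unit's
    # private RuntimeDirectory (0700, see serviceConfig) and is removed with it.
    preStart = ''
      (
      set -ex
      # Create the key file 0600 from the first byte instead of fixing its mode
      # only after curl has already written it.
      umask 077
      # --fail: without it curl exits 0 on a 4xx/5xx response and the error page
      # would be saved as ${key-cert}, so OpenVPN would start with an unusable
      # keypair instead of the unit failing here.
      ${pkgs.curl}/bin/curl -v --fail -X POST --cacert ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt -o ${key-cert} -Ls ${apiUrl}
      # Private key material: owner read/write only, no execute bit.
      chmod 600 ${key-cert}
      )
    '';
    unitConfig = {
      # No start-rate limiting: a failing preStart (e.g. API unreachable while
      # the link is down) keeps being retried; presumably paired with a Restart=
      # policy set elsewhere -- confirm.
      StartLimitIntervalSec = 0;
    };
    serviceConfig = {
      # /run/openvpn-<netns>, created before ExecStartPre and removed on stop,
      # so the fetched key does not outlive the tunnel. Matches `key-cert`.
      RuntimeDirectory = [ "openvpn-${netns}" ];
      RuntimeDirectoryMode = "0700";
    };
  };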
  # Provider's own client, installed system-wide; the openvpn unit above does
  # not use it (it relies on curl and cacert only).
  environment.systemPackages = lib.singleton pkgs.riseup-vpn;
  # Outbound allow rule for the tunnel's control/data channel, sourced from
  # the openvpn settings so proto/port cannot drift apart from the unit.
  # Note it is keyed on uid + proto/port only: any other root-owned traffic to
  # that port (e.g. plain DNS on udp/53) is admitted too; narrowing it to the
  # gateway addresses would need them resolved at build time.
  networking.nftables.ruleset =
    let
      inherit (openvpn.servers.${netns}.settings) proto port;
    in ''
      table inet filter {
        chain output-net {
          skuid root ${proto} dport ${port} counter accept comment "OpenVPN Riseup"
        }
      }
    '';
  # Namespace-side firewall: pull in the shared ruleset from the julm-nix
  # input. mkBefore places the include ahead of whatever other rules are
  # merged into this namespace, presumably because they build on it -- confirm.
  services.netns.namespaces.${netns} = {
    nftables =
      let
        shared = inputs.julm-nix + "/nixos/profiles/networking/nftables.txt";
      in
      lib.mkBefore ''
        include "${shared}"
      '';
  };
}