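{ pkgs, lib, config, ... }:
let
  # Name of the dedicated network namespace that carries the Riseup tunnel.
  netns = "riseup";
  inherit (config.security) gnupg;

  # The VPN endpoint is pinned by IP address so the client never depends on
  # DNS and so the root-namespace firewall rule at the bottom can be limited to
  # exactly this peer.  `remote` and the nftables rule are both derived from
  # these bindings so they cannot drift apart.  If this ever becomes an IPv6
  # address the firewall rule must use `ip6 daddr` instead of `ip daddr`.
  remoteHost = "198.252.153.226";
  remotePort = 1194;
  remoteProto = "udp";
in
{
  # Firewall for the VPN namespace.  The namespace only ever sees the tun
  # device (and lo), so every base chain is default-drop and only the shared
  # connectivity chains from filter.txt may open anything.
  services.netns.namespaces.${netns} = {
    # mkBefore: load this table ahead of any other ruleset contributed to the
    # namespace, so the drop policies are in place before anything else.
    nftables = lib.mkBefore ''
      table inet filter {
        # Shared chain definitions (check-tcp, check-broadcast,
        # accept-connectivity-*) -- presumably provided by filter.txt; every
        # chain jumped to below must exist there or the ruleset fails to load.
        include "${../../../../networking/nftables/filter.txt}"
        chain input {
          type filter hook input priority filter
          policy drop
          iifname lo accept
          # Sanity-check TCP flags before any state-based accept.
          jump check-tcp
          ct state { established, related } accept
          jump accept-connectivity-input
          jump check-broadcast
          # Anything untracked or malformed that survived the above is dropped
          # explicitly (the policy would catch it anyway; this keeps counters).
          ct state invalid drop
        }
        chain forward {
          type filter hook forward priority filter
          policy drop
          jump accept-connectivity-forward
        }
        chain output {
          type filter hook output priority filter
          policy drop
          oifname lo accept
          ct state { related, established } accept
          # Only what the shared connectivity chain allows may leave the
          # namespace; there is no blanket "accept" for new outbound flows.
          jump accept-connectivity-output
        }
      }
    '';
  };

  # OpenVPN client whose tun interface is placed in the namespace above.
  services.openvpn.servers.${netns} = {
    # Presumably tells the openvpn module to move the tun device into the
    # namespace; the UDP control/data channel itself leaves from the root
    # namespace, which is why the fw2net rule at the bottom is needed.
    inherit netns;
    settings = {
      verb = 3;
      # Credentials are read from the gnupg-backed secret declared below and
      # never appear inline in the generated config.
      auth-user-pass = gnupg.secrets."openvpn/${netns}/auth-user-pass".path;
      # Pinned CA: together with remote-cert-tls=server this rejects any peer
      # that does not present a server certificate issued by this CA.
      ca = riseup/RiseupCA.pem;
      client = true;
      dev = "ov-${netns}";
      dev-type = "tun";
      persist-tun = true;
      nobind = true;
      persist-key = true;
      tls-client = true;
      remote-cert-tls = "server";
      # Derived from the pinned endpoint in the let-block above.
      remote = "${remoteHost} ${toString remotePort} ${remoteProto}";
      # 0 only stops the *client* from initiating renegotiation (avoids
      # re-reading credentials mid-session).  The server still rekeys on its
      # own schedule, so data-channel key lifetime is whatever the server sets.
      reneg-sec = 0;
      # Level 2 lets OpenVPN execute external up/down scripts -- presumably
      # what the netns integration relies on (see up-restart).  If no scripts
      # end up in the generated config this should be lowered to 1.
      script-security = 2;
      up-restart = true;
      # NOTE(review): no tls-version-min / data-ciphers are set, so the TLS
      # floor and data-channel cipher list are OpenVPN's build defaults;
      # consider pinning tls-version-min "1.2" once confirmed against the peer.
    };
  };

  # Decrypted credential file for the client.  Ordered so it is in place before
  # the OpenVPN unit starts and is pulled in whenever that unit is wanted.
  security.gnupg.secrets."openvpn/${netns}/auth-user-pass" = {
    systemdConfig.before = [ "openvpn-${netns}.service" ];
    systemdConfig.wantedBy = [ "openvpn-${netns}.service" ];
  };

  # Root-namespace egress for the tunnel.  Restricted to the pinned endpoint
  # rather than any host on udp/1194, so this hole cannot be reused to reach
  # arbitrary UDP services on that port.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net ip daddr ${remoteHost} ${remoteProto} dport ${toString remotePort} counter accept comment "OpenVPN"
  '';
}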