{ pkgs, ... }:

{
  # VSTech VPN (with DNS for bgs.local domain)
  services.openvpn.servers.vstech = {
    config = ''
      client
      remote 51.83.143.81
      proto udp
      port 649
      dev tun
      topology subnet
      ca /home/lusia/VSTech-vpn/ca.crt
      cert /home/lusia/VSTech-vpn/Klient251.crt
      key /home/lusia/VSTech-vpn/Klient251.inline
      tls-crypt /home/lusia/VSTech-vpn/ta.key

      auth sha512
      data-ciphers aes-256-cbc
      data-ciphers-fallback aes-256-cbc
      key-direction 1
      keepalive 10 120
    '';
    updateResolvConf = false;

    up = ''
      ${pkgs.systemd}/bin/resolvectl dns $dev 10.10.10.1
      ${pkgs.systemd}/bin/resolvectl domain $dev bgs.local
    '';

    down = ''
      ${pkgs.systemd}/bin/resolvectl revert $dev
    '';
  };

  # CAT VPN
  services.openvpn.servers.cat = {
    config = ''
      client
      remote 79.133.193.211
      proto tcp
      port 1194
      dev tun
      topology subnet
      ca /home/lusia/vpn/ca.crt
      cert /home/lusia/vpn/client18.crt
      key /home/lusia/vpn/client18.key

      auth sha256
      data-ciphers AES-256-CBC
      key-direction 1
    '';
    updateResolvConf = true;
  };
}