{ config, pkgs, lib, ... }:
{
  age.secrets = {
    dyport-auth = {
      file = ../../../../secrets/thinkpad/dyport-auth.age;
    };
  };
  networking = {
    supplicant = {
      "LAN" = {
        userControlled.enable = true;
        driver = "wired";
        configFile.path = pkgs.writeText "supplicant-lan.conf" ''
          ctrl_interface=/run/wpa_supplicant
          ap_scan=0
          network={
            ssid="apb-ifsr"
          	key_mgmt=IEEE8021X
          	eap=TTLS
          	anonymous_identity="rose159e@apb-ifsr"
          	ca_cert="/etc/ssl/certs/ca-certificates.crt"
          	domain_suffix_match="radius-tud.zih.tu-dresden.de"
          	identity="rose159e@apb-ifsr"
          	password=ext:TUD_AUTH
          	phase2="auth=PAP"
          	disabled=1
          }
          network={
          	ssid="zih-ma"
          	key_mgmt=IEEE8021X
          	eap=TTLS
          	anonymous_identity="rose159e@zih-ma"
          	ca_cert="/etc/ssl/certs/ca-certificates.crt"
          	domain_suffix_match="radius-tud.zih.tu-dresden.de"
          	identity="rose159e@zih-ma"
          	password=ext:TUD_AUTH
          	phase2="auth=PAP"
          	disabled=1
          }
          ext_password_backend=file:${config.age.secrets.dyport-auth.path}
        '';
        # configFile.path = config.age.secrets.dyport-auth.path;
      };
    };
    wireless.networks = {
      eduroam = {
        auth = ''
          eap=TTLS
          anonymous_identity="anonymous@tu-dresden.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius-eduroam.zih.tu-dresden.de"
          identity="rose159e@tu-dresden.de"
          password=ext:EDUROAM_AUTH
          phase2="auth=PAP"
          bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b 82:5a:1c:02:3d:8b
        '';
        extraConfig = ''
          scan_ssid=1
        '';
        authProtocols = [ "WPA-EAP" ];
      };
      agdsn = {
        auth = ''
          eap=TTLS
          anonymous_identity="wifi@agdsn.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          password=ext:AGDSN_WIFI_AUTH
          phase2="auth=PAP"
          bssid_ignore=b8:3a:5a:8b:96:c2
        '';
        authProtocols = [ "WPA-EAP" ];
      };
      agdsn-office = {
        priority = 5;
        auth = ''
          eap=TTLS
          anonymous_identity="wifi@agdsn.de"
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          proto=WPA2
          password=ext:AGDSN_AUTH
          phase2="auth=PAP"
        '';
        extraConfig = "disabled=1";
        authProtocols = [ "WPA-EAP" ];
      };
      agdsn_fritzbox = {
        psk = "ext:AGDSN_FRITZBOX_PSK";
        authProtocols = [ "WPA-PSK" ];
      };
      FSR = {
        psk = "ext:FSR_PSK";
        authProtocols = [ "WPA-PSK" ];
        extraConfig = "disabled=1";
      };
      "RoboLab Playground" = {
        psk = "ext:ROBOLAB_PSK";
        authProtocols = [ "WPA-PSK" ];
      };
    };
  };
  systemd.services = {
    # fix systemd dependencies for supplicant services
    "supplicant-lan@" = {
      wantedBy = lib.mkForce [ ];
    };
  };
}