{ config, utils, pkgs, ... }:

{

  age.secrets.pppd-env.file = ./. + "/../../../secrets/${config.networking.hostName}/pppd-env.age";


  services.pppd = {
    enable = true;
    peers.dtagdsl = {
      config = ''
        plugin pppoe.so dtagdsl
        user "''${DTAG_PPP_USER}"
        password "''${DTAG_PPP_PASS}"
        hide-password
        ifname ppp-dtagdsl
        persist

        maxfail 0
        holdoff 5

        noipdefault

        lcp-echo-interval 20
        lcp-echo-failure 3

        mtu 1492
        defaultroute
        replacedefaultroute
        +ipv6
      '';
    };
  };

  environment.etc."ppp/peers/dtagdsl".enable = false;

  systemd.services."pppd-dtagdsl".serviceConfig = let
    preStart = ''
      mkdir -p /etc/ppp/peers

      # Created files only readable by root
      umask u=rw,g=,o=

      # Copy config and substitute env-vars
      rm -f /etc/ppp/peers/dtagdsl
      ${pkgs.envsubst}/bin/envsubst -i "${config.environment.etc."ppp/peers/dtagdsl".source}" > /etc/ppp/peers/dtagdsl
    '';

    preStartFile = utils.systemdUtils.lib.makeJobScript { name = "pppd-dtagdsl-pre-start"; text = preStart; enableStrictShellChecks = true; };
  in {
    EnvironmentFile = config.age.secrets.pppd-env.path;
    ExecStartPre = [
      # "+" marks script to be executed without priviledge restrictions
      "+${preStartFile}"
    ];
  };  

}