# Home Manager module fragment for a Private Internet Access (PIA) VPN setup.
# When `config.homeModules.vpnpia.enable` is set it installs VPN tooling,
# writes ~/.config/pia/config.json, defines a `pia-vpn` systemd user service,
# and adds zsh aliases to control that service.
# The option declaration for `homeModules.vpnpia` is not in this file.
{ config, pkgs, lib, ... }:
let
  # Path of the PIA config directory. This is only a string: nothing here
  # creates the directory, and the only reference to it is in the
  # commented-out ExecStart line below.
  piaDir = "${config.home.homeDirectory}/.config/pia";
  cfg = config.homeModules.vpnpia;
in
lib.mkIf cfg.enable {
  home.packages = with pkgs; [
    openvpn
    #pia-manager
    wireguard-tools
    jq
    systemd
  ];

  # SECURITY: `home.file.<name>.text` is written to the Nix store and
  # ~/.config/pia/config.json becomes a symlink to that store path. The Nix
  # store is world-readable, so a real token placed in `token` below is
  # readable by every local user, and it is also exposed wherever this
  # configuration is committed or wherever the store path is copied.
  # Keep the placeholder here and supply the real token at runtime from a
  # file outside the store with owner-only permissions, e.g. through a secrets
  # tool such as sops-nix or agenix.
  # NOTE(review): how the client consumes `token` is not visible here; confirm
  # it can read the credential from a separate file before changing the schema.
  home.file.".config/pia/config.json".text = builtins.toJSON {
    token = "REPLACE_WITH_YOUR_PIA_TOKEN";
    region = "DE Frankfurt"; # Adjust to your preferred location
    protocol = "wireguard"; # or "openvpn_udp"/"openvpn_tcp"
    # NOTE(review): the meaning of `dns` and `port_forward` depends on the
    # consuming client, which is not shown; verify both against its docs.
    dns = true;
    port_forward = false;
  };

  systemd.user.services.pia-vpn = {
    Unit = {
      Description = "Private Internet Access VPN";
      # NOTE(review): this is a user unit; system targets such as
      # network.target are generally not visible to the user manager, so this
      # ordering probably has no effect. TODO confirm.
      After = [ "network.target" ];
    };
    Service = {
      Type = "simple";
      # Both commands are commented out (as is the pia-manager package above),
      # so the generated unit has no ExecStart. systemd refuses to load a
      # service unit without one, so `pia-vpn` cannot start as written.
      # NOTE(review): bringing up a WireGuard or OpenVPN tunnel normally needs
      # CAP_NET_ADMIN, which a `systemd --user` service does not have. Confirm
      # how the client is expected to obtain that privilege before enabling it.
      #ExecStart = "${pkgs.pia-manager}/bin/pia-manager up --config ${piaDir}/config.json";
      #ExecStop = "${pkgs.pia-manager}/bin/pia-manager down";
      Restart = "on-failure";
    };
    Install = {
      # Pulls the unit in via default.target, i.e. when the user session starts.
      WantedBy = [ "default.target" ];
    };
  };

  # Lets Home Manager start or restart changed user units when the
  # configuration is activated. Start-at-login comes from the WantedBy above.
  systemd.user.startServices = true;

  # Optional: shell aliases for manual control of the user service.
  programs.zsh.shellAliases = {
    vpn-up = "systemctl --user start pia-vpn";
    vpn-down = "systemctl --user stop pia-vpn";
    vpn-status = "systemctl --user status pia-vpn";
  };
}