{
  lib,
  config,
  pkgs,
  ...
}: let
  isEnabled =
    config.azos.snx-rs.enable;
  cfg = config.azos.snx-rs;
in {
  options.azos.snx-rs = {
    enable = lib.mkOption {
      default = true;
      type = lib.types.bool;
    };
    server = lib.mkOption {
      default = "vpn.bgu.ac.il";
      type = lib.types.str;
      description = "VPN server address";
    };
    username = lib.mkOption {
      default = "anerz@vpn";
      type = lib.types.str;
      description = "VPN username";
    };
    loginType = lib.mkOption {
      default = "vpn";
      type = lib.types.str;
      description = "Login type (e.g., vpn, vpn_Microsoft_Authenticator)";
    };
    ignoreServerCert = lib.mkOption {
      default = true;
      type = lib.types.bool;
      description = "Ignore server certificate validation";
    };
  };

  config = lib.mkIf isEnabled {
    home.packages = with pkgs; [
      snx-rs
      (pkgs.writeShellScriptBin "snx-connect" ''
        #!/bin/sh
        sudo ${pkgs.snx-rs}/bin/snx-rs -m command &
        sleep 1
        ${pkgs.snx-rs}/bin/snxctl connect
      '')
      (pkgs.writeShellScriptBin "snx-disconnect" ''
        #!/bin/sh
        ${pkgs.snx-rs}/bin/snxctl disconnect
        pkill -x snx-rs 2>/dev/null || true
      '')
    ];

    home.file.".config/snx-rs/snx-rs.conf" = {
      text = ''
        server ${cfg.server}
        username ${cfg.username}
        login-type ${cfg.loginType}
        ignore-server-cert ${lib.boolToString cfg.ignoreServerCert}
      '';
    };
  };
}