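# NixOS module: declarative NetworkManager profiles for the c-base WLANs.
#
# Module arguments:
#   config          - the evaluated NixOS configuration (read for cfg below)
#   lib             - the nixpkgs library
#   isrgRootX1Cert  - extra module argument; used below as the CA certificate
#                     for the 802.1X profile and added to the system trust list
#
# Options live under networking.wireless.c-base:
#   crew            - WPA-Enterprise (PEAP/MSCHAPv2) profile "c-base-crew"
#   usePublic       - open profile "c-base-public"
#   useFreifunk     - open profile "berlin.freifunk.net"
#   credentialsFile - environment file supplying USERNAME / PASSWORD for crew
{ config, lib, isrgRootX1Cert, ... }:

let
  # Import only the helpers this module uses instead of `with lib;`, so every
  # name in the file has a visible origin.
  inherit (lib) mkEnableOption mkIf mkMerge mkOption types;

  cfg = config.networking.wireless.c-base;
in
{
  options.networking.wireless.c-base = {
    # mkEnableOption already defaults to false, so no override is needed.
    crew = mkEnableOption "c-base-crew WLAN access";

    usePublic = mkOption {
      type = types.bool;
      default = false;
      description = "Enable c-base-public WLAN access (guests)";
    };

    useFreifunk = mkOption {
      type = types.bool;
      default = false;
      description = "Enable berlin.freifunk.net WLAN access";
    };

    credentialsFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to file containing credentials for crew only:
        USERNAME=your-username
        PASSWORD=your-password

        The file is read at runtime as an environment file. Keep it outside
        the Nix store (give the path as a string, not a Nix path literal,
        which can be copied into the store) and readable by root only,
        because store paths are world-readable.
      '';
    };
  };

  config = mkMerge [
    {
      assertions = [
        {
          # The two open guest networks are mutually exclusive.
          assertion = !(cfg.useFreifunk && cfg.usePublic);
          message = "useFreifunk and usePublic cannot both be enabled";
        }
        {
          # The crew profile substitutes $USERNAME / $PASSWORD from this file,
          # so enabling crew without it would leave the profile unusable.
          assertion = !cfg.crew || (cfg.credentialsFile != null);
          message = "credentialsFile must be set when crew is enabled";
        }
      ];
    }

    (mkIf cfg.crew {
      networking.networkmanager = {
        enable = true;
        ensureProfiles = {
          # Supplies the $USERNAME and $PASSWORD placeholders used in the
          # 802-1x section, keeping the secret itself out of this expression.
          environmentFiles = [ cfg.credentialsFile ];
          profiles = {
            "c-base-crew" = {
              connection = {
                id = "c-base-crew";
                type = "wifi";
                autoconnect = true;
                # Highest priority of the three profiles (20 > 10 > 5).
                autoconnect-priority = 20;
              };
              wifi = {
                ssid = "c-base-crew";
                mode = "infrastructure";
              };
              wifi-security = {
                key-mgmt = "wpa-eap";
              };
              "802-1x" = {
                eap = "peap";
                identity = "$USERNAME";
                password = "$PASSWORD";
                phase2-auth = "mschapv2";
                # Server validation: ca-cert pins the trust anchor and
                # domain-suffix-match pins the RADIUS server name. Both must
                # stay. The anchor is a public CA, so without the name check
                # any certificate chaining to it would be accepted, and the
                # MSCHAPv2 exchange is only protected by the validated tunnel.
                ca-cert = "${isrgRootX1Cert}";
                domain-suffix-match = "radius.cbrp3.c-base.org";
              };
              ipv4.method = "auto";
              ipv6.method = "auto";
            };
          };
        };
      };

      # Also adds the certificate to the system-wide trust list; the Wi-Fi
      # profile itself only relies on ca-cert above.
      # NOTE(review): confirm the system-wide addition is intended.
      security.pki.certificateFiles = [ isrgRootX1Cert ];
    })

    (mkIf cfg.usePublic {
      networking.networkmanager.enable = true;
      networking.networkmanager.ensureProfiles.profiles = {
        "c-base-public" = {
          connection = {
            id = "c-base-public";
            type = "wifi";
            # Open network with autoconnect: the SSID is the only identifier,
            # so the host joins any access point announcing this name. Treat
            # traffic on this link as untrusted.
            autoconnect = true;
            autoconnect-priority = 10;
          };
          wifi = {
            ssid = "c-base-public";
            mode = "infrastructure";
          };
          # NOTE(review): NetworkManager documents key-mgmt "none" as "WEP or
          # no password protection"; open networks are usually expressed by
          # leaving out wifi-security altogether. Confirm this profile
          # activates without a prompt for secrets.
          wifi-security = {
            key-mgmt = "none";
          };
          ipv4.method = "auto";
          ipv6.method = "auto";
        };
      };
    })

    (mkIf cfg.useFreifunk {
      networking.networkmanager.enable = true;
      networking.networkmanager.ensureProfiles.profiles = {
        "berlin-freifunk" = {
          connection = {
            id = "berlin.freifunk.net";
            type = "wifi";
            # Open network with autoconnect: the SSID is the only identifier,
            # so the host joins any access point announcing this name. Treat
            # traffic on this link as untrusted.
            autoconnect = true;
            # Lowest priority of the three profiles.
            autoconnect-priority = 5;
          };
          wifi = {
            ssid = "berlin.freifunk.net";
            mode = "infrastructure";
          };
          # NOTE(review): same key-mgmt "none" question as for c-base-public;
          # confirm the profile activates without a prompt for secrets.
          wifi-security = {
            key-mgmt = "none";
          };
          ipv4.method = "auto";
          ipv6.method = "auto";
        };
      };
    })
  ];
}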