{
  pkgs,
  lib,
  config,
  ...
}:
let
  wifi = ssid: alias: priority: {
    sops.secrets."wifi_${alias}" = { };
    sops.templates."wifi_${alias}.nmconnection" = {
      path = "/etc/NetworkManager/system-connections/wifi_${ssid}.nmconnection";
      owner = "root";
      group = "root";
      mode = "0600";
      content = ''
        [connection]
        id=${ssid}
        type=wifi
        autoconnect=true
        autoconnect-priority=${toString priority}

        [wifi]
        ssid=${ssid}
        mode=infrastructure

        [wifi-security]
        key-mgmt=wpa-psk
        psk=${config.sops.placeholder."wifi_${alias}"}

        [ipv4]
        method=auto

        [ipv6]
        addr-gen-mode=default
        method=auto
      '';
    };
  };
in
lib.mkMerge [
  (wifi "Ziggo966936B" "home" 100)
  {
    sops.secrets.wifi_leiden_identity = { };
    sops.secrets.wifi_leiden_password = { };
    sops.templates."wifi_eduroam.nmconnection" = {
      path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";

      owner = "root";
      group = "root";
      mode = "0600";

      content = ''
        [connection]
        id=eduroam
        type=wifi

        [wifi]
        ssid=eduroam
        mode=infrastructure

        [wifi-security]
        key-mgmt=wpa-eap

        [802-1x]
        eap=peap
        identity=${config.sops.placeholder.wifi_leiden_identity}
        password=${config.sops.placeholder.wifi_leiden_password}
        anonymous-identity=anonymous@leidenuniv.nl
        phase2-auth=mschapv2
        ca-cert=${./leiden.crt}
      '';
    };
  }
  {
    # Run nmcli reload after every switch
    system.activationScripts.nm-reload = {
      text = ''
        ${pkgs.networkmanager}/bin/nmcli connection reload || true
      '';
      deps = [ ];
    };
  }
]