{ config, pkgs, lib, ... }:

let
  # sops-managed PAP/CHAP secrets, decrypted to this path at runtime.
  secretsFile = config.sops.secrets.pppd-dtagdsl-secrets.path;

  # Peer file as generated by services.pppd into the Nix store. It still
  # carries the ''${PPPD_DTAGDSL_USERNAME} placeholder, so the username itself
  # never ends up in the (world-readable) store; it is filled in below.
  peerTemplate = config.environment.etc."ppp/peers/dtagdsl".source;

  # Root-run pre-start step: renders the peer file with the real username and
  # stages the login secrets under /etc/ppp. Everything it creates is written
  # with mode 0600 because of the umask set before the first file is created.
  # writeShellApplication wraps the text in a strict (set -euo pipefail) script.
  preStartScript = pkgs.writeShellApplication {
    name = "pppd-dtagdsl-pre-start";
    text = ''
      mkdir -p /etc/ppp/peers

      # Created files only readable by root
      umask u=rw,g=,o=

      # Copy config and substitute username
      rm -f /etc/ppp/peers/dtagdsl
      ${pkgs.envsubst}/bin/envsubst -i "${peerTemplate}" > /etc/ppp/peers/dtagdsl

      # Copy login secrets
      rm -f /etc/ppp/pap-secrets
      cat ${secretsFile} > /etc/ppp/pap-secrets
      rm -f /etc/ppp/chap-secrets
      cat ${secretsFile} > /etc/ppp/chap-secrets
    '';
  };
in
{
  services.pppd = {
    enable = true;
    # PPPoE session on net-dsl. The quoted ''${...} is a literal placeholder for
    # envsubst, not a Nix interpolation. hide-password keeps the PAP password
    # out of the log even though debug is enabled.
    peers.dtagdsl.config = ''
      plugin pppoe.so net-dsl
      user "''${PPPD_DTAGDSL_USERNAME}"
      ifname ppp-dtagdsl
      persist
      maxfail 0
      holdoff 5
      noipdefault
      lcp-echo-interval 20
      lcp-echo-failure 3
      mtu 1492
      hide-password
      defaultroute
      +ipv6
      debug
    '';
  };

  # Keep the module from linking the un-substituted template into /etc; the
  # pre-start script writes the rendered file to that same path instead.
  environment.etc."ppp/peers/dtagdsl".enable = false;

  systemd.services."pppd-dtagdsl".serviceConfig = {
    # Supplies PPPD_DTAGDSL_USERNAME to the pre-start script.
    # NOTE(review): assumes the sops secret is in KEY=VALUE form — confirm.
    EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
    # "+" marks script to be executed without privilege restrictions
    ExecStartPre = [ "+${lib.getExe preStartScript}" ];
  };

  # Clamp the MSS of forwarded TCP SYNs to the path MTU so traffic crossing
  # the 1492-byte PPPoE link does not depend on working PMTU discovery.
  clerie.firewall.extraForwardMangleCommands = ''
    ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  '';
}