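{ config, lib, ... }:
let
  cfg = config.steveej.holo-zerotier;
in
{
  options.steveej.holo-zerotier = {
    # mkEnableOption already prefixes "Whether to enable", so pass only the name.
    enable = lib.mkEnableOption "holo-zerotier";
    autostart = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether zerotierone.service is wanted at boot. When false its wantedBy
        list is forced empty, so the service has to be started manually.
      '';
    };
  };

  # Everything below is guarded by the enable flag, so merely importing the
  # module on a host that does not use it neither declares the sops secret
  # (which sops-nix would otherwise try to provision) nor sets the unfree predicate.
  config = lib.mkIf cfg.enable {
    nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ];

    services.zerotierone = {
      enable = true;
      # Intentionally empty: the network list is secret, so it is applied by
      # zerotieroneSecretNetworks below instead of being written here.
      joinNetworks = [ ];
    };

    systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);

    # Oneshot that re-creates networks.d/<id>.conf from the sops secret before
    # zerotierone.service starts; partOf makes it restart together with it.
    systemd.services.zerotieroneSecretNetworks = {
      requiredBy = [ "zerotierone.service" ];
      partOf = [ "zerotierone.service" ];
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;
      script =
        let
          secret = config.sops.secrets.zerotieroneNetworks;
        in
        ''
          # Embed a hash of the secret's declaration so the unit text (and thus the
          # unit) changes whenever the declaration changes. sopsFile is a path
          # literal, so its store path, and with it this hash, should also change
          # when the encrypted file's content changes.
          # ${builtins.hashString "sha256" (builtins.toJSON secret)}
          ${config.systemd.services.zerotierone.preStart}
          rm -rf /var/lib/zerotier-one/networks.d/*.conf
          # One network ID per line; lines containing '#' are treated as comments.
          for network in $(grep -v '#' "${secret.path}"); do
            # Each entry becomes a file name under networks.d, so accept only the
            # 16-hex-digit form of a ZeroTier network ID and skip anything else
            # (stray whitespace, path-like strings, typos) with a journal message.
            if [[ ! "$network" =~ ^[0-9a-fA-F]{16}$ ]]; then
              echo "zerotieroneSecretNetworks: ignoring malformed network id entry" >&2
              continue
            fi
            touch "/var/lib/zerotier-one/networks.d/$network.conf"
          done
        '';
    };

    sops.secrets.zerotieroneNetworks = {
      sopsFile = ../../../secrets/work-holo/zerotierone.txt;
      format = "binary";
    };
  };
}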