{
  config,
  lib,
  flakeSelf,
  ...
}: let
  tailscaleName = config.services.tailscale.interfaceName;
in {
  sops.secrets.wifiPasswords = {
    sopsFile = "${flakeSelf.inputs.secrets}/wifi-passwords.env";
    format = "dotenv";
  };
  networking.networkmanager = {
    enable = true;
    unmanaged = [
      "interface-name:${tailscaleName}"
    ];
    ensureProfiles = {
      environmentFiles = [config.sops.secrets.wifiPasswords.path];
      profiles = with lib.toast.networkManager; {
        "4g-modem" = mkWifiProfile {
          id = "4G Modem";
          priority = 5;
          ssid = "TP-Link_CCB4";
          wifi-security = {
            auth-alg = "open";
            key-mgmt = "wpa-psk";
            psk = "$MODEM";
          };
        };
        phone = mkWifiProfile {
          id = "Phone";
          priority = 5;
          ssid = "Redmi Note 10 Pro_5197";
          wifi-security = {
            auth-alg = "open";
            key-mgmt = "sae";
            psk = "$PHONE";
          };
        };
        home = mkWifiProfile {
          id = "Home";
          ssid = "MOVISTAR-WIFI6-DC98";
          wifi-security = {
            key-mgmt = "sae";
            psk = "$HOME";
          };
        };
      };
    };
  };
}