{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.nixfiles.modules.openconnect;
in {
  options.nixfiles.modules.openconnect.enable =
    mkEnableOption "OpenConnect VPN";

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = config.networking.networkmanager.enable;
        message = "NetworkManager is required";
      }
    ];

    # Spent three days trying to make this work but still getting "No SSO
    # handler" even on the HEAD version that 100% has SSO support baked in.
    # It's all so tiresome[1]... aaand KDE is not supported[2].
    #
    # I fucking hate AnyConnect, truly an example of how shit is is non-free
    # software. SAML also sucks balls. I also hate my company for using this
    # shit, guess I have no other choice but to use the absolute dogshit laptop
    # they gave me.
    #
    # [1]: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect
    # [1]: https://gitlab.com/openconnect/openconnect/-/issues/424
    # [2]: https://groups.google.com/g/linux.debian.bugs.dist/c/lK8u-LMY7n4
    # [2]: https://bugs.kde.org/show_bug.cgi?id=448153

    networking.networkmanager.plugins = with pkgs; [
      ((networkmanager-openconnect.override {
          withGnome = false;
          openconnect = openconnect.overrideAttrs (_: _: {
            version = "unstable-2022-10-23";
            src = fetchFromGitLab {
              owner = "openconnect";
              repo = "openconnect";
              rev = "acdfc753f7885b2a539f99036ac41ba1b78cc7ae";
              hash = "sha256-ub+Z4WFD77h5YMQTb+TLc7EyY2KjBWglF1QVTirCHJM=";
            };
          });
        })
        .overrideAttrs (_: super: {
          version = "unstable-2022-09-10";
          src = fetchFromGitLab {
            domain = "gitlab.gnome.org";
            owner = "GNOME";
            repo = "NetworkManager-openconnect";
            rev = "3c1590786518e9acca33c250660ad21cae565acd";
            hash = "sha256-YTUN46QHsHkXPAhImPG/MMLMqjlSRknapVO8u43nnWk=";
          };
          buildInputs =
            super.buildInputs
            ++ [
              (webkitgtk_4_1.override {
                inherit (gnome) libsoup;
              })
            ];
          nativeBuildInputs =
            super.nativeBuildInputs
            ++ [
              autoreconfHook
            ];
          postPatch = ''
            substituteInPlace configure.ac \
              --replace "PKG_CHECK_MODULES(LIBSECRET, libsecret-1 >= 0.18)" ""
          '';
          preAutoreconf = ''
            autoupdate
          '';
          preConfigure = ''
            NOCONFIGURE=x ./autogen.sh
            touch gtk4/nm-openconnect-dialog.ui
          '';
        }))
    ];
  };
}