{ config, lib, ... }:
let
  mkWifiProfile = { type, ssid, username, password, priority ? null }: {
    connection = {
      id = ssid;
      permissions = "";
      type = "wifi";
    } // (if priority != null then {
      autoconnect-priority = priority;
    } else
      { });
    wifi = {
      mac-address-blacklist = "";
      mode = "infrastructure";
      inherit ssid;
    };
    wifi-security = { } // (if type == "wpa-psk" then {
      key-mgmt = type;
      auth-alg = "open";
      psk = password;
    } else if type == "wpa-eap" then {
      key-mgmt = type;
    } else
      { });
    "802-1x" = { } // (if type == "wpa-eap" then {
      eap = "peap";
      identity = username;
      password = password;
      phase2-auth = "mschapv2";
    } else
      { });
    ipv4 = {
      dns-search = "";
      method = "auto";
    };
    ipv6 = {
      addr-gen-mode = "stable-privacy";
      dns-search = "";
      method = "auto";
    };
  };

  # List of WiFi networks
  wifiNetworks = [
    # Add more networks here as needed
    {
      type = "wpa-psk";
      ssid = "SAMPLE_WIFI_NAME";
      password = "SAMPLE_WIFI_PASSWORD";
      priority = 20;
    }
  ];

in {
  options.snowflake.workstation.networking.profiles.enable =
    lib.mkEnableOption "populate WiFi creds";

  config = lib.mkIf config.snowflake.workstation.networking.profiles.enable {
    networking.networkmanager.ensureProfiles.profiles = builtins.listToAttrs
      (map (network: {
        name = network.ssid;
        value = mkWifiProfile {
          type = network.type;
          ssid = network.ssid;
          username = network.username or null;
          password = network.password;
          priority = network.priority or null;
        };
      }) wifiNetworks);
  };
}