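# NixOS module: thin wrapper around `services.shadowsocks` that enables the
# relay, points it at a password file, and opens the listening port in the
# host firewall.
{ lib, config, pkgs, ... }:
let
  cfg = config.my.networking.shadowsocks;
in
{
  options.my.networking.shadowsocks = {
    # mkEnableOption already prefixes the text with "Whether to enable", so the
    # argument is the bare noun phrase.
    enable = lib.mkEnableOption "Shadowsocks relay";

    port = lib.mkOption {
      # types.port restricts the value to 0-65535; a plain int would let an
      # out-of-range value reach the firewall rule below.
      type = lib.types.port;
      default = 8388;
      description = "Port to listen on";
    };

    passwordFile = lib.mkOption {
      type = lib.types.path;
      # Kept as a string on purpose: a Nix path literal (e.g. ./password) would
      # be copied into the world-readable Nix store. Set this to an absolute
      # path string for a file provisioned outside the store, readable only by
      # the service.
      default = "/var/lib/shadowsocks/password";
      description = "File with the Shadowsocks relay access password";
    };
  };

  # A single mkIf guards the whole config; the original repeated the same
  # condition again on services.shadowsocks.
  config = lib.mkIf cfg.enable {
    services.shadowsocks = {
      enable = true;
      passwordFile = cfg.passwordFile;
      port = cfg.port;
    };

    # Open the Shadowsocks port (TCP only).
    # NOTE(review): if the upstream services.shadowsocks module also relays UDP
    # by default, that traffic stays blocked by the firewall here. Confirm
    # whether that is intended before adding an allowedUDPPorts entry.
    networking.firewall.allowedTCPPorts = [ cfg.port ];
  };
}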