# NixOS module: installs the Proton VPN client and relaxes the firewall's
# reverse path filter so that its WireGuard tunnels keep working.
{ config, lib, pkgs, ... }:

{
  # Proton VPN uses WireGuard tunnels, which break strict reverse path
  # filtering: packets arrive on the tunnel interface but the route back to
  # their source may go out a different way, so strict mode drops them.
  #
  # "loose" only requires that the source address be routable through *some*
  # interface, not necessarily the one the packet arrived on. That is enough
  # for WireGuard, but it is a weaker anti-spoofing check than strict mode:
  # on a host with a default route almost every source address is routable,
  # so mainly unroutable sources are still rejected.
  #
  # The option is host-wide, so the check is relaxed on every interface the
  # firewall covers, not only on the VPN tunnel.
  networking.firewall.checkReversePath = "loose";

  # The explicit pkgs.<attr> reference keeps the package's origin obvious.
  environment.systemPackages = [ pkgs.proton-vpn ];
}