{ config, pkgs, lib, ... }:

let
  # sops-managed PAP/CHAP secrets file. It is copied verbatim into /etc/ppp
  # at service start, so the secrets themselves never enter the Nix store.
  secretsPath = config.sops.secrets.pppd-dtagdsl-secrets.path;

  # Peer config as rendered by NixOS. It only carries the
  # ${PPPD_DTAGDSL_USERNAME} placeholder, never the real username, which is
  # what makes referencing this store path safe.
  peerTemplate = config.environment.etc."ppp/peers/dtagdsl".source;

  # Pre-start script: materialises the peer file and the secrets under
  # /etc/ppp. It runs as root (see the "+" prefix on ExecStartPre below).
  preStartScript = ''
    mkdir -p /etc/ppp/peers

    # Everything created from here on is 0600 (owner read/write only).
    # The mkdir above deliberately precedes the tightened umask so the
    # directory keeps its search bit.
    umask u=rw,g=,o=

    # Render the peer config, filling in the username from the environment
    # (PPPD_DTAGDSL_USERNAME, supplied through EnvironmentFile).
    rm -f /etc/ppp/peers/dtagdsl
    ${pkgs.envsubst}/bin/envsubst -i "${peerTemplate}" > /etc/ppp/peers/dtagdsl

    # pppd reads PAP and CHAP secrets from separate files; both receive the
    # same content.
    for secretsFile in pap-secrets chap-secrets; do
      rm -f "/etc/ppp/$secretsFile"
      cat ${secretsPath} > "/etc/ppp/$secretsFile"
    done
  '';

  preStartApp = pkgs.writeShellApplication {
    name = "pppd-dtagdsl-pre-start";
    text = preStartScript;
  };
in
{
  services.pppd = {
    enable = true;

    # PPPoE peer "dtagdsl":
    #   plugin pppoe.so / net-dsl   PPPoE over the net-dsl Ethernet interface
    #   ifname ppp-dtagdsl          name of the resulting PPP interface
    #   persist, maxfail 0,
    #   holdoff 5                   reconnect forever, 5 s between attempts
    #   noipdefault                 let the peer assign the local address
    #   lcp-echo-*                  dead-peer detection (3 missed echos, 20 s apart)
    #   mtu 1492                    Ethernet MTU minus the 8-byte PPPoE header
    #   hide-password               keep the PAP password out of the debug log
    #   defaultroute, +ipv6, debug  routing/IPv6 negotiation/verbose logging
    # The username is a placeholder substituted by the pre-start script.
    peers.dtagdsl.config = ''
      plugin pppoe.so
      net-dsl
      user "''${PPPD_DTAGDSL_USERNAME}"
      ifname ppp-dtagdsl
      persist
      maxfail 0
      holdoff 5
      noipdefault
      lcp-echo-interval 20
      lcp-echo-failure 3
      mtu 1492
      hide-password
      defaultroute
      +ipv6
      debug
    '';
  };

  # Do not let NixOS link the templated peer file into /etc; the pre-start
  # script renders the real one (with the username) in its place and only
  # uses .source as the template.
  environment.etc."ppp/peers/dtagdsl".enable = false;

  systemd.services.pppd-dtagdsl.serviceConfig = {
    # Provides PPPD_DTAGDSL_USERNAME to every Exec* of this unit, i.e. to the
    # pre-start script as well as to pppd itself.
    EnvironmentFile = config.sops.secrets.pppd-dtagdsl-username.path;
    ExecStartPre = [
      # "+" runs the script with full privileges: the unit's User=,
      # capability and filesystem-namespace restrictions do not apply to it.
      "+${lib.getExe preStartApp}"
    ];
  };

  # The PPPoE link has an MTU of 1492; clamp the MSS of forwarded TCP SYNs to
  # the path MTU so hosts behind the router do not run into PMTU black holes.
  clerie.firewall.extraForwardMangleCommands = ''
    ip46tables -t mangle -A forward-mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  '';
}