Initial prototype for Wireguard based PIA VPN - not quite 'ready' yet

common/network/vpn.nix

@@ -26,6 +26,8 @@ in
       '';
     };
 
+    useOpenVPN = mkEnableOption "Uses OpenVPN instead of wireguard for PIA VPN connection";
+
     config = mkOption {
       type = types.anything;
       default = {};
@@ -41,6 +43,8 @@ in
   };
 
   config = mkIf cfg.enable {
+    pia.wireguard.enable = !cfg.useOpenVPN;
+
     containers.${cfg.containerName} = {
       ephemeral = true;
       autoStart = true;
@@ -59,7 +63,7 @@ in
         }
       )));
 
-      enableTun = true;
+      enableTun = cfg.useOpenVPN;
       privateNetwork = true;
       hostAddress = "172.16.100.1";
       localAddress = "172.16.100.2";
@@ -67,12 +71,13 @@ in
       config = {
         imports = allModules ++ [cfg.config];
 
+        # speeds up evaluation
         nixpkgs.pkgs = pkgs;
 
         networking.firewall.enable = mkForce false;
 
-        pia.enable = true;
-        pia.server = "swiss.privacy.network"; # swiss vpn
+        pia.openvpn.enable = cfg.useOpenVPN;
+        pia.openvpn.server = "swiss.privacy.network"; # swiss vpn
 
         # TODO fix so it does run it's own resolver again
         # run it's own DNS resolver
@@ -85,12 +90,12 @@ in
     # load secrets the container needs
     age.secrets = config.containers.${cfg.containerName}.config.age.secrets;
 
-    # forwarding for vpn container
-    networking.nat.enable = true;
-    networking.nat.internalInterfaces = [
+    # forwarding for vpn container (only for OpenVPN)
+    networking.nat.enable = mkIf cfg.useOpenVPN true;
+    networking.nat.internalInterfaces = mkIf cfg.useOpenVPN [
       "ve-${cfg.containerName}"
     ];
-    networking.ip_forward = true;
+    networking.ip_forward = mkIf cfg.useOpenVPN true;
 
     # assumes only one potential interface
     networking.usePredictableInterfaceNames = false;