{ pkgs, config, ... }:
{

  networking.firewall = {
    allowedTCPPorts = [
      655
      721
    ];
    allowedUDPPorts = [
      655
      721
    ];
  };

  tinc.private.enable = true;
  tinc.private.ipv4 = "10.23.42.100";

  healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
    ping -c 1 -W 5 ${config.tinc.private.ipv4}
  '';

  #  tinc.secret.enable = true;
  #  tinc.secret.ipv4 = "10.123.42.100";
  #
  #  healthchecks.localCommands.ping-secret = pkgs.writers.writeBash "ping-secret" ''
  #    ping -c 1 -W 5 ${config.tinc.secret.ipv4}
  #  '';

}