diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 23f103a61887..18139b57fdbd 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -77,8 +77,9 @@ in nginx = 60; chrony = 61; smtpd = 63; - smtpq = 64; + smtpq = 64; supybot = 65; + iodined = 66; # When adding a uid, make sure it doesn't match an existing gid. @@ -139,8 +140,9 @@ in nginx = 60; systemd-journal = 62; smtpd = 63; - smtpq = 64; + smtpq = 64; supybot = 65; + iodined = 66; # When adding a gid, make sure it doesn't match an existing uid. diff --git a/modules/module-list.nix b/modules/module-list.nix index 91b9502d33d5..45eee80f694c 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -154,6 +154,7 @@ ./services/networking/gvpe.nix ./services/networking/hostapd.nix ./services/networking/ifplugd.nix + ./services/networking/iodined.nix ./services/networking/ircd-hybrid/default.nix ./services/networking/minidlna.nix ./services/networking/nat.nix diff --git a/modules/services/networking/iodined.nix b/modules/services/networking/iodined.nix new file mode 100644 index 000000000000..1b3473ee0ee1 --- /dev/null +++ b/modules/services/networking/iodined.nix 
@@ -0,0 +1,87 @@
+# NixOS module for iodine, ip over dns daemon
+
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+ cfg = config.services.iodined;
+
+ iodinedUser = "iodined";
+
+in
+
+{
+
+ ### configuration
+
+ options = {
+
+ services.iodined = {
+
+ enable = mkOption {
+ type = types.uniq types.bool;
+ default = false;
+ description = "Enable iodine, ip over dns daemon";
+ };
+
+ client = mkOption {
+ type = types.uniq types.bool;
+ default = false;
+ description = "Start iodine in client mode";
+ };
+
+ ip = mkOption {
+ type = types.uniq types.string;
+ default = "";
+ description = "Assigned ip address or ip range";
+ example = "172.16.10.1/24";
+ };
+
+ domain = mkOption {
+ type = types.uniq types.string;
+ default = "";
+ description = "Domain or subdomain of which nameservers point to us";
+ example = "tunnel.mydomain.com";
+ };
+
+ extraConfig = mkOption {
+ type = types.uniq types.string;
+ default = "";
+ description = "Additional command line parameters";
+ example = "-P mysecurepassword -l 192.168.1.10 -p 23";
+ };
+
+ };
+
+ };
+
+ ### implementation
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.iodine ];
+ boot.kernelModules = [ "tun" ];
+
+ systemd.services.iodined = {
+ description = "iodine, ip over dns daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = "${pkgs.iodine}/sbin/iodined -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.ip} ${cfg.domain}";
+ };
+
+
+ users.extraUsers = singleton {
+ name = iodinedUser;
+ uid = config.ids.uids.iodined;
+ description = "Iodine daemon user";
+ };
+ users.extraGroups.iodined.gid = config.ids.gids.iodined;
+
+ assertions = [{ assertion = if !cfg.client then cfg.ip != "" else true;
+ message = "cannot start iodined without ip set";}
+ { assertion = cfg.domain != "";
+ message = "cannot start iodined without domain name set";}];
+
+ };
+
+}
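Review bot: The `extraConfig` example `-P mysecurepassword` steers users into putting the tunnel password on the command line, and because `extraConfig` is interpolated verbatim into `serviceConfig.ExecStart`, that password ends up in the generated unit file in the world-readable Nix store. I would drop `-P` from the example and state the risk in the option text, e.g. `description = "Additional command line parameters; these are stored world-readable in the Nix store, so do not put the password here";`. The password is better supplied from a root-only file outside the store; iodined's man page describes an `IODINED_PASS` environment variable, so a `serviceConfig.EnvironmentFile` should work, but please confirm against the packaged version. Separately, `client` only relaxes the `ip` assertion: `ExecStart` still runs `${pkgs.iodine}/sbin/iodined` with an empty `${cfg.ip}`, so `client = true` does not appear to start a client at all.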