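# NixOS module: opt-in Tailscale with a firewall that trusts the tailnet interface.
#
# Defect fixed: both options were declared without a `type`, so a
# non-boolean value (e.g. the string "yes") was accepted by the module
# system and only failed later, inside `!cfg.restrictSSH`, with an
# unhelpful evaluation error. Declaring `lib.types.bool` makes the
# module reject such values at the option boundary with a clear message.
# Descriptions are added so the options show up documented in
# `nixos-option` / generated manuals.
{ config, lib, pkgs, ... }:

let
  cfg = config.modules.networking.tailscale;
in
{
  options.modules.networking.tailscale = {
    # Master switch; nothing below is applied unless this is true.
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Enable the Tailscale client and the firewall rules it needs.";
    };

    # When true, sshd is NOT opened in the general firewall, so SSH is only
    # reachable over the tailnet (tailscale0 is a trusted interface below).
    restrictSSH = lib.mkOption {
      type = lib.types.bool;
      default = true;
      example = true;
      description = ''
        Keep the SSH port closed in the public firewall so that sshd is
        reachable only through the Tailscale interface.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.tailscale.enable = true;

    # Only expose sshd to non-tailnet networks when the operator opts out
    # of restriction.
    services.openssh.openFirewall = !cfg.restrictSSH;

    networking.firewall = {
      # Reverse-path filtering is relaxed so that traffic routed through
      # Tailscale is not dropped by strict rpfilter (Tailscale's NixOS
      # guidance recommends "loose" here).
      checkReversePath = "loose";

      # NOTE: a trusted interface bypasses the firewall entirely, so every
      # listening service on this host is reachable from any tailnet peer.
      # `restrictSSH` governs only the non-tailnet side.
      trustedInterfaces = [ "tailscale0" ];

      # Tailscale's WireGuard/UDP listening port, taken from the service's
      # own option so the two stay in sync.
      allowedUDPPorts = [ config.services.tailscale.port ];
    };
  };
}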