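# Tailscale client module: joins this host to a self-hosted headscale control
# plane using a per-host pre-authentication key managed by agenix, and shapes
# the host firewall around the tailnet interface.
{ inputs, config, lib, pkgs, ... }:

let
  cfg = config.modules.services.tailscale;
  # Control-plane URL passed to `tailscale up --login-server`.
  headscale = "https://headscale.vimium.net";
  hostname = config.networking.hostName;
  # The secret name is derived from the host name so each machine uses its own
  # auth key; rotating one key does not affect the others.
  authKeySecret = "passwords/services/tailscale/${hostname}-authkey";
in
{
  options.modules.services.tailscale = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether to enable the Tailscale client on this host.";
    };

    restrictSSH = lib.mkOption {
      type = lib.types.bool;
      default = true;
      example = true;
      description = ''
        Keep the SSH port closed in the host firewall so that SSH is reachable
        only over the tailnet (`tailscale0` is a trusted interface). Set to
        false to also expose SSH on every other interface.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Per-host auth key, decrypted at activation time by agenix.
    age.secrets.${authKeySecret} = {
      file = "${inputs.secrets}/${authKeySecret}.age";
    };

    environment.systemPackages = [ pkgs.tailscale ];

    services.tailscale = {
      enable = true;
      # Path to the decrypted key; the key itself never lands in the store.
      authKeyFile = config.age.secrets.${authKeySecret}.path;
      extraUpFlags = [ "--login-server" headscale ];
    };

    # SSH is opened on all interfaces only when the operator explicitly opts
    # out of restricting it to the tailnet.
    services.openssh.openFirewall = !cfg.restrictSSH;

    networking.firewall = {
      # Relaxed reverse-path filtering so packets arriving via the tailnet
      # are not dropped by strict RPF checks.
      checkReversePath = "loose";
      # NOTE: every tailnet peer reaching this host over tailscale0 bypasses the
      # host firewall entirely; access control for tailnet traffic must then
      # come from headscale ACLs, not from this machine.
      trustedInterfaces = [ "tailscale0" ];
      # WireGuard listen port for direct peer connections.
      allowedUDPPorts = [ config.services.tailscale.port ];
    };
  };
}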