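# modules.networking.tailscale — join the host to a Tailscale tailnet and
# open the host firewall just far enough for it to work.
#
# Security notes on the defaults below:
#   * `trustedInterfaces` whitelists the Tailscale interface, so EVERY
#     inbound connection from a tailnet peer is accepted unconditionally
#     by the host firewall (not only SSH). Narrow that exposure with
#     Tailscale ACLs if it is wider than intended.
#   * `restrictSSH = true` (the default) keeps sshd closed on the public
#     interfaces; SSH then remains reachable only over the tailnet.
#   * `checkReversePath = "loose"` relaxes rp_filter, which Tailscale
#     documents as required for exit-node / subnet-router traffic. It
#     slightly weakens source-address spoofing protection, so the rest of
#     the firewall should stay enabled.
{ config, lib, pkgs, ... }:

with lib;
with lib.my;
let
  cfg = config.modules.networking.tailscale;
  # Upstream NixOS tailscale options; read from here rather than repeating
  # their defaults (interface name, UDP port) in this module.
  tsCfg = config.services.tailscale;
in
{
  options.modules.networking.tailscale = {
    # Master switch; nothing in `config` below applies while this is false.
    enable = mkBoolOpt false;
    # When true, SSH is not opened on the public firewall and is reachable
    # only through the (trusted) Tailscale interface.
    restrictSSH = mkBoolOpt true;
  };

  config = mkIf cfg.enable {
    services.tailscale.enable = true;

    # This is what enforces restrictSSH: sshd still listens on all addresses,
    # but without openFirewall only the trusted tailnet interface reaches it.
    services.openssh.openFirewall = !cfg.restrictSSH;

    networking.firewall = {
      # Strict reverse-path filtering drops Tailscale's tunnelled traffic
      # (notably when acting as exit node / subnet router); "loose" is the
      # setting Tailscale asks for.
      checkReversePath = "loose";
      # Follow services.tailscale.interfaceName (default "tailscale0") instead
      # of hard-coding the name, so a renamed interface is still the one
      # trusted — previously a rename would silently trust nothing.
      trustedInterfaces = [ tsCfg.interfaceName ];
      # Inbound WireGuard port (services.tailscale.port, default 41641) so
      # peers can connect directly instead of relaying through DERP.
      allowedUDPPorts = [ tsCfg.port ];
    };
  };
}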