# NixOS module: configure Tailscale on this host to advertise itself as an exit node.
{ config, lib, ... }:

let
  # Flags passed to both services.tailscale.extraSetFlags and extraUpFlags below,
  # so the two stay in sync. The commented-out entries are kept disabled.
  advertiseFlags = [
    "--advertise-exit-node"
    # "--exit-node-allow-lan-access"
    # "--exit-node-allow-incoming-wan-access"
  ];
in
{
  # exit nodes must be approved in admin interface
  # https://login.tailscale.com/admin/machines
  # (advertising alone does not let peers route through this host)

  /*
  imports = [
    ./inner.nix
  ];
  */

  # Applied only when config.virtualisation.isVmVariant is false.
  config = lib.mkIf (!config.virtualisation.isVmVariant) {
    # if host is _upgraded_ to exit node, reload with
    #   sudo systemctl start tailscaled-autoconnect
    # or maybe even
    #   sudo systemctl start tailscaled-set
    services.tailscale = {
      # Per the nixpkgs option documentation, "server" enables IP forwarding and
      # "client" sets reverse path filtering to loose; "both" does both.
      # NOTE(review): if this host only serves as an exit node and never uses one,
      # "server" would leave strict reverse path filtering in place; confirm intent.
      useRoutingFeatures = "both";
      extraSetFlags = advertiseFlags;
      # NOTE(review): nixpkgs documents extraUpFlags as applied only when
      # services.tailscale.authKeyFile is set; verify against the pinned nixpkgs.
      extraUpFlags = advertiseFlags;
    };

    # Left disabled; presumably already covered by useRoutingFeatures = "both" (see above).
    # # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
    # # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
    # networking.firewall.checkReversePath = "loose";
  };
}