{ config, lib, pkgs, ... }:
let
  # "tailscale0"; only referenced by the commented-out firewall snippets below
  inherit (config.services.tailscale) interfaceName;
in
# DERP is a relay system that Tailscale uses when a direct connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
{
  # The node's name on the tailnet, derived from the host name.
  # https://login.tailscale.com/admin/machines
  options.pbsds.tailscale.fqdn = lib.mkOption {
    visible = false;
    internal = true;
    readOnly = true;
    default = "${config.networking.hostName}.tail9aac63.ts.net";
  };

  # Skipped for the VM-test variant of the host.
  config = lib.mkIf (!config.virtualisation.isVmVariant) {
    services = {
      tailscale.enable = true;

      # https://wiki.nixos.org/wiki/Tailscale#DNS
      # mkDefault so a host profile can still force resolved on or off
      resolved.enable = lib.mkDefault config.networking.networkmanager.enable;
    };

    networking = {
      # the entire 127.0.0.0/8 is loopback, this matches nixos behavior for fqdn
      extraHosts = "127.0.0.2 ${config.pbsds.tailscale.fqdn}";

      # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups.
      # "loose" relaxes the kernel's anti-spoofing check on every interface, so hosts that never
      # use an exit node or subnet routes can override this back to "strict" (hence mkDefault).
      # https://wiki.nixos.org/wiki/Tailscale#No_internet_when_using_exit_node
      # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
      firewall.checkReversePath = lib.mkDefault "loose";
    };

    # Auth key / autoconnect, currently disabled:
    # https://tailscale.com/kb/1085/auth-keys
    # services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
    # sops.secrets.tailscale-authkey-inner.sopsFile = ../../secrets/tailscale-inner.yaml;

    # TODO: why do people do this?
    # trustedInterfaces accepts *all* inbound traffic on the interface, which is far broader than
    # the single-port allowance kept in profiles/sshd/ts-only.nix, so it is intentionally not set here.
    # networking.firewall.trustedInterfaces = [ interfaceName ];

    # done in profiles/sshd/ts-only.nix:
    # networking.firewall.interfaces.${interfaceName} = {
    #   allowedTCPPorts = [ 22 ];
    # };

    # environment.systemPackages = lib.mkMerge [
    #   (lib.mkIf config.services.desktopManager.gnome.enable [
    #     pkgs.ktailctl
    #   ])
    # ];
  };
}