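{ config, lib, pkgs, ... }:
# Tailscale client configuration for this host.
#
# The whole module is guarded by !config.virtualisation.isVmVariant so the VM
# build of this configuration never tries to join the tailnet with the host's
# auth key (presumably a local/custom option; confirm where it is declared).
let
  # Name of the tailscale network interface (config.services.tailscale.interfaceName).
  # Only referenced by the commented-out firewall snippets below.
  inherit (config.services.tailscale) interfaceName;
in
lib.mkIf (!config.virtualisation.isVmVariant)
# DERP is a relay system that Tailscale uses when a direct connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
{
  # Joined machines are listed at https://login.tailscale.com/admin/machines
  services.tailscale = {
    enable = true;

    # https://tailscale.com/kb/1085/auth-keys
    # Pointing the module at a key file also makes the node come up on its own
    # (autoconnect). The key is never placed in the Nix store: it is decrypted
    # by sops-nix at activation time and only the path is referenced here.
    authKeyFile = config.sops.secrets.tailscale-authkey-outer.path;
  };

  # Encrypted source of the auth key. The sops-nix defaults (root-owned, not
  # world-readable) are presumably enough since tailscaled runs as root -- verify
  # if the secret's owner/mode is ever customised.
  sops.secrets.tailscale-authkey-outer.sopsFile = ../secrets/tailscale-outer.yaml;

  # # Strict reverse path filtering breaks Tailscale exit node use and some
  # # subnet routing setups
  # # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
  # networking.firewall.checkReversePath = "loose";
  # Left at the strict default: strict rp_filter drops packets whose source
  # address would not be routed back out of the receiving interface, which is
  # a useful anti-spoofing check. Relax it only if this host becomes an exit
  # node or subnet router.

  # Why people do this: a trusted interface accepts *all* inbound traffic that
  # arrives over the tailnet, bypassing allowedTCPPorts/allowedUDPPorts. It is
  # convenient when one relies entirely on Tailscale ACLs, but it means every
  # listening service on this host is reachable from any peer the ACL admits.
  # The per-interface port allowlist below is the narrower choice, so keep
  # this off.
  # networking.firewall.trustedInterfaces = [ interfaceName ];

  # done in profiles/sshd/ts-only.nix:
  # networking.firewall.interfaces.${interfaceName} = {
  #   allowedTCPPorts = [ 22 ];
  # };

  # Optional GUI tray client; not enabled here.
  # environment.systemPackages = lib.mkMerge [
  #   (lib.mkIf config.services.desktopManager.gnome.enable [
  #     pkgs.ktailctl
  #   ])
  # ];
}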