{ config, lib, ... }:
{
  # https://login.tailscale.com/admin/machines

  imports = [ ./shared.nix ];

  config = lib.mkIf (!config.virtualisation.isVmVariant) {

    # https://tailscale.com/kb/1085/auth-keys
    services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
    sops.secrets.tailscale-authkey-inner.sopsFile = ../../secrets/tailscale-inner.yaml;

    # # systemd-resolved will by default read /etc/hosts
    # networking.extraHosts = "100.113.27.44 cache-proxy.pbsds.net"; # noximilien over tailscale

  };
}