{ config, pkgs, lib, ...}:

# THIS IS NOT USED
# see tailscale-{inner,outer}.nix instead
#
# NixOS module that enables tailscaled and opens the host firewall for it.
# Everything below is skipped when `virtualisation.isVmVariant` is true.
# That option is not declared in this file; presumably it is a project flag
# for VM builds -- confirm where it is defined.

let
  cfg = config.services.tailscale;
in
lib.mkIf (!config.virtualisation.isVmVariant) {
  services.tailscale.enable = true;

  networking.firewall = {
    # Loose reverse-path filtering: a packet is accepted when its source is
    # routable through any interface, not only the one it arrived on. This
    # weakens anti-spoofing for the whole host, not just the tailscale
    # interface.
    checkReversePath = "loose";

    # Traffic arriving on the tailscale interface bypasses the host firewall
    # entirely, so every listening port is reachable by every tailnet peer.
    # Access control then rests solely on the ACL policy of the coordination
    # server; keep that policy restrictive, or drop this line and open ports
    # per interface instead.
    trustedInterfaces = [ cfg.interfaceName ];

    # tailscaled's UDP port, opened on all interfaces.
    allowedUDPPorts = [ cfg.port ];
  };

  # Disabled auto-enrolment unit (toggle: change the opening marker below to
  # the same form as the closing one). NOTE(review) before enabling it:
  #  - An auth key written into `script` is rendered into the world-readable
  #    Nix store and is also passed on the command line. Prefer
  #    `services.tailscale.authKeyFile` pointing at a file provisioned
  #    outside the store.
  #  - `$status` is unquoted in the test; if the status query prints nothing
  #    the comparison errors out instead of comparing. Quote it.
  #  - The unit orders itself against "tailscale.service"; the daemon unit
  #    created by the NixOS module is, as far as I know, tailscaled.service,
  #    in which case the ordering has no effect -- verify.
  /** /
  systemd.services."tailscale-autoconnect" = lib.mkIf cfg.enable {
    serviceConfig.Type = "oneshot";
    after    = [ "network-pre.target" "tailscale.service" ];
    wants    = [ "network-pre.target" "tailscale.service" ];
    wantedBy = [ "tailscale.service" ];
    script = ''
      sleep 60 # Wait for tailscaled to settle
      status="$(${lib.getExe cfg.package} status -json | ${lib.getExe pkgs.jq} -r .BackendState)"
      if [ $status = "Running" ]; then
        exit 0 # already authenticated
      fi
      #${lib.getExe cfg.package} up -authkey tskey-examplekeyhere
    '';
  };
  /**/

  # Manual enrolment steps, run by hand. No key is stored in this file; the
  # value for --key is supplied at the time of registration.
  # remote sudo nixos-rebuild switch --flake . -L
  # remote-quick sudo tailscale up --login-server 'https://head.pbsds.net'
  # ssh noximilien.pbsds.net sudo headscale --namespace 'ts' nodes register --key
}