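{ config, pkgs, lib, ...}:
# Tailscale client for this host.
#
# The firewall settings below trust the tailnet interface wholesale: every
# peer the tailnet ACL lets talk to this node can reach every local port.
# The ACL, not this file, is the access-control boundary for tailnet traffic.
let
  cfg = config.services.tailscale;
  inherit (lib) mkIf getExe;
in
{
  services.tailscale.enable = true;
  # Strict reverse-path filtering drops tailscale's policy-routed traffic
  # (exit nodes, subnet routes); "loose" is what the client needs.
  networking.firewall.checkReversePath = "loose";
  # Traffic arriving on the tailscale interface is accepted unconditionally,
  # i.e. it bypasses every allowed*Ports rule on this host.
  networking.firewall.trustedInterfaces = [ cfg.interfaceName ];
  # UDP port tailscaled listens on for tunnel traffic.
  networking.firewall.allowedUDPPorts = [ cfg.port ];

  # Disabled block: remove the space in `/** /` below to activate it.
  /** /
  systemd.services."tailscale-autoconnect" = mkIf cfg.enable {
    serviceConfig.Type = "oneshot";
    after = [ "network-pre.target" "tailscale.service" ];
    wants = [ "network-pre.target" "tailscale.service" ];
    wantedBy = [ "tailscale.service" ];
    script = ''
      sleep 60 # Wait for tailscaled to settle

      status="$(${getExe cfg.package} status -json | ${getExe pkgs.jq} -r .BackendState)"
      # Quoted on purpose: an empty status (tailscaled not answering yet)
      # must not turn into a test(1) syntax error and fail the unit.
      if [ "$status" = "Running" ]; then
        exit 0 # already authenticated
      fi

      # Never inline a real key here: the rendered script lives in the
      # world-readable Nix store and the key would also be visible in the
      # process argument list. Point services.tailscale.authKeyFile at a
      # path outside the store instead; the NixOS module then performs the
      # `tailscale up` itself, which should make this unit unnecessary.
      #${getExe cfg.package} up -authkey tskey-examplekeyhere
    '';
  };
  /**/


  # remote sudo nixos-rebuild switch --flake . -L
  # remote-quick sudo tailscale up --login-server 'https://head.pbsds.net'
  # ssh noximilien.pbsds.net sudo headscale --namespace 'ts' nodes register --key <machine_key>
}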