# NixOS module: Tailscale client taken from the unstable nixpkgs input, with
# the per-host node auth key provided by sops-nix at runtime.
{
  config,
  pkgs,
  inputs,
  system,
  ...
}: let
  # The package comes from nixpkgs-nixos-unstable instead of the host's own
  # `pkgs` (which is accepted but unused here) — presumably to get a newer
  # tailscale release than the rest of the system.
  unstablePkgs = inputs.nixpkgs-nixos-unstable.legacyPackages.${system};
  tailscalePkg = unstablePkgs.tailscale;

  # One secret per host; sops-nix places it under /run/secrets/ at activation.
  secretName = "tailscale-key-${config.networking.hostName}";
in {
  environment.systemPackages = [tailscalePkg];

  services.tailscale = {
    enable = true;
    package = tailscalePkg;
    # A plain string path, so only the path (not the key material) ends up in
    # the Nix store; the file itself is read by the service at start.
    authKeyFile = "/run/secrets/${secretName}";
    # Appended to `tailscale up`. Stateful filtering concerns traffic this node
    # forwards (subnet-router / exit-node roles) — confirm the exact semantics
    # against the CLI docs of the pinned tailscale version before relying on it.
    extraUpFlags = ["--stateful-filtering"];
  };

  # journald keeps tailscaled messages at priority notice and higher; info and
  # debug output is discarded at the unit, so it will not be in the journal for
  # later troubleshooting or incident analysis.
  systemd.services.tailscaled.serviceConfig.LogLevelMax = "notice";

  networking.firewall = {
    # Trusting tailscale0 lets every tailnet peer bypass the host firewall; who
    # may reach which port on this host is then governed solely by the tailnet
    # ACL policy, not by this machine.
    trustedInterfaces = ["tailscale0"];
    # Listen port for tunnel traffic, so peers can connect directly.
    allowedUDPPorts = [config.services.tailscale.port];
  };

  sops.secrets.${secretName} = {
    sopsFile = ./keys.sops.yaml;
    # When the key is rotated, re-run the auto-connect unit so the new key is
    # actually used rather than the one tailscaled started with.
    restartUnits = ["tailscaled-autoconnect.service"];
  };
}