{ pkgs, ... }:

{
  services.tailscale = {
    enable = true;
    openFirewall = true;
    useRoutingFeatures = "client";

    disableUpstreamLogging = true;
    disableTaildrop = true;
  };

  environment.systemPackages = with pkgs; [ tailscale ];

  # Enable IP forwarding for subnet routers
  # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # TODO: this fixes MagicDNS but breaks DNS resolution on LAN (Pihole)
  # services.resolved.enable = true;
}