# NixOS module: enables Tailscale, trusts its interface in the host firewall,
# and overrides the tailscaled command line to keep daemon state in memory.
{ pkgs, config, ... }:
{
  config = {
    services.tailscale.enable = true;

    # Traffic arriving on a trusted interface is accepted by the NixOS firewall
    # without further filtering, so every service listening on this host is
    # reachable over tailscale0. Access control for those services then rests
    # on the tailnet's own ACLs, not on the host firewall.
    networking.firewall.trustedInterfaces = [ "tailscale0" ];

    # NOTE(review): hard-coded UDP port; presumably the same value the unit
    # passes to the daemon as $PORT below. Confirm they stay in sync if the
    # Tailscale port is ever changed elsewhere in the configuration.
    networking.firewall.allowedUDPPorts = [ 41641 ];

    # NOTE(review): the daemon below is started with --state=mem:, so confirm
    # whether anything still writes to this directory and needs it persisted.
    environment.persistence."/nix/persist".directories = [ "/var/lib/tailscale" ];

    # Leave the running daemon alone when the unit definition changes on a
    # configuration switch (presumably so the in-memory session is not dropped).
    systemd.services.tailscaled.restartIfChanged = false;

    systemd.services.tailscaled.serviceConfig.ExecStart = [
      # The empty entry clears the ExecStart inherited from the existing unit,
      # so only the command below is run.
      ""
      # --state=mem: keeps node state out of the filesystem. No node key is
      # written to disk, and the node has to authenticate again after every
      # daemon start. $PORT and $FLAGS are expected to come from the unit's
      # environment, which is not defined in this file.
      "${config.services.tailscale.package}/bin/tailscaled --state=mem: --port $PORT $FLAGS"
    ];
  };
}