{
  pkgs,
  config,
  ...
}: {
  config = {
    services.tailscale.enable = true;
    networking.firewall = {
      trustedInterfaces = ["tailscale0"];
      allowedUDPPorts = [41641];
    };

    environment.persistence."/nix/persist".directories = ["/var/lib/tailscale"];

    # systemd.services.tailscaled = {
    #   restartIfChanged = false;
    #   serviceConfig.ExecStart = [
    #     ""
    #     "${config.services.tailscale.package}/bin/tailscaled --state=mem: --port $PORT $FLAGS"
    #   ];
    # };
  };
}