{
  pkgs,
  config,
  ...
}: {
  config = {
    services.tailscale.enable = true;
    networking.firewall = {
      trustedInterfaces = ["tailscale0"];
      allowedUDPPorts = [41641];
    };

    environment.persistence."/nix/persist".directories = ["/var/lib/tailscale"];
  };
}