# NixOS module: runs the Tailscale daemon and opens the firewall ports listed
# below. The whole attribute set is wrapped in lib.mkIf, so none of it applies
# unless `config.module.tailscale.enable` is true.
{ config, lib, pkgs, ... }:

lib.mkIf config.module.tailscale.enable {
  services.tailscale = {
    enable = true;

    # tailscaled flag: disables log upload to Tailscale. As the flag name says,
    # this also gives up vendor support that relies on those logs.
    extraDaemonFlags = [ "--no-logs-no-support" ];

    # Passed to `tailscale set`: keeps the Tailscale SSH server switched off on
    # this node, so tailnet ACLs alone cannot grant a shell here.
    extraSetFlags = [ "--ssh=false" ];

    # "server" makes the NixOS tailscale module turn on IPv4/IPv6 forwarding so
    # the host can act as a subnet router or exit node. Forwarding is a
    # host-wide sysctl; which peers may actually route through this node is
    # decided by advertised routes and tailnet ACLs, not by this file.
    useRoutingFeatures = "server";
  };

  # These openings are global: they apply on every interface, not only the
  # tailnet one.
  # 41641/udp is tailscaled's default listen port for direct peer connections.
  # NOTE(review): 443/tcp and 3478/udp are the ports a DERP/STUN relay would
  # listen on; nothing in this module starts such a listener. Confirm another
  # module needs them, otherwise drop them to keep the exposed surface minimal.
  networking.firewall.allowedTCPPorts = [ 443 ];
  networking.firewall.allowedUDPPorts = [ 41641 3478 ];
}