{ config, lib, pkgs, ... }:

{
  services.tailscale = {
    extraDaemonFlags = [
      "--no-logs-no-support"
    ];

    extraSetFlags = [
      "--ssh=false"
    ];
    useRoutingFeatures = "server";
  };

  networking.firewall = lib.mkIf config.services.tailscale.enable {
    allowedTCPPorts = [ 443 ];
    allowedUDPPorts = [ 41641 3478 ];
  };
}