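# NixOS module: opt-in Tailscale node configuration under `sils.tailscale`.
#
# Fix: `openFirewall` was declared as a bare `openFirewall = true;` inside
# `options.sils.tailscale`, which is not a valid option declaration (the
# module system rejects non-option values there) and was never consulted by
# the config below — the UDP port was opened unconditionally. It is now a
# proper boolean option (default true, so existing hosts behave the same)
# that actually gates the firewall rule.
{ config, lib, ... }:
let
  cfg = config.sils.tailscale;
in
{
  options.sils.tailscale = {
    enable = lib.mkEnableOption "Tailscale";

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Whether to open the tailscaled UDP port in the host firewall.";
    };

    role = lib.mkOption {
      type = lib.types.enum [ "client" "server" ];
      description = ''
        Routing role of this node, passed straight through to
        services.tailscale.useRoutingFeatures. Required when the module is
        enabled (no default).
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.tailscale = {
      enable = true;
      # Node authenticates non-interactively from a secret file managed by
      # agenix; the key never lives in the Nix store.
      authKeyFile = config.age.secrets.tailscale.path;
      useRoutingFeatures = cfg.role;
      # Opt out of shipping tailscaled logs to Tailscale's log service.
      extraDaemonFlags = [ "--no-logs-no-support" ];
      # Applied via `tailscale set` after the daemon is up.
      extraSetFlags = [ "--accept-routes" ];
    };

    networking.firewall = {
      # Traffic arriving on the tailnet interface bypasses host firewall
      # rules entirely: every node on the tailnet can reach every local port.
      trustedInterfaces = [ "tailscale0" ];
      # Only opened when the operator asks for it (default: yes).
      allowedUDPPorts = lib.optional cfg.openFirewall config.services.tailscale.port;
      # Strict reverse-path filtering drops packets that Tailscale routes
      # through tailscale0, so fall back to loose mode.
      checkReversePath = "loose";
    };

    systemd = {
      # Force tailscaled's nftables backend instead of auto-detection.
      services.tailscaled.serviceConfig.Environment = [ "TS_DEBUG_FIREWALL_MODE=nftables" ];
      # Don't block boot on network-online.target.
      network.wait-online.enable = false;
    };
    boot.initrd.systemd.network.wait-online.enable = false;

    # Impermanence: keep tailscaled's state (node keys, machine identity)
    # across reboots. Root-only so the node key is not readable by others.
    environment.persistence."/srv".directories = [
      {
        directory = "/var/lib/tailscale";
        user = "root";
        group = "root";
        mode = "0700";
      }
    ];
  };
}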