{
  config,
  lib,
  pkgs,
  ...
}: {
  # to allow me to be an exit node
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  services.tailscale = {
    enable = true;
    openFirewall = true;
  };

  # Implicitly trust packets routed over Tailscale
  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
}