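# NixOS module: opt-in Tailscale client whose auth key is delivered by sops-nix.
#
# Setting `system.tailscale.enable = true` does the following:
#   * starts tailscaled with an auth key read from the sops-managed file;
#   * enables the routing features used for subnet-router / exit-node duty;
#   * trusts tailscale0 in the host firewall and opens the WireGuard UDP port;
#   * declares the `tailscale_authkey` sops secret (only while enabled).
{ pkgs, config, lib, ... }:
let
  cfg = config.system.tailscale;

  # Single source of truth for the sops secret name: it is declared (below)
  # and consumed (authKeyFile) from this one binding, so the two cannot drift.
  authkeySecret = "tailscale_authkey";
  authkeyFile = config.sops.secrets.${authkeySecret}.path;
in
{
  options.system.tailscale = {
    # mkEnableOption prefixes "Whether to enable ", so the argument must be the
    # bare noun phrase. The previous value produced "Whether to enable enables
    # tailscale." in the generated option docs.
    enable = lib.mkEnableOption "tailscale";
  };

  config = lib.mkIf cfg.enable {
    services.tailscale = {
      enable = true;

      # SECURITY: "both" is the subnet-router/exit-node setting. Besides
      # tailscale-side behaviour it changes host networking (NOTE(review):
      # the NixOS module is expected to turn on IP forwarding for "server"/"both"
      # and relax reverse-path filtering for "client"/"both" — confirm against
      # the services.tailscale module of the deployed release). A plain client
      # that should never forward traffic for others wants "none".
      useRoutingFeatures = "both";

      # Read once by tailscaled (running as root) when it brings the node up.
      # Prefer a short-lived or single-use key: a reusable, non-expiring key in
      # the secret store grants tailnet membership to anyone who can read it.
      authKeyFile = authkeyFile;

      extraUpFlags = [
        # Do not install subnet routes advertised by other peers on this node.
        # (--accept-routes=true is the client side of subnet routing; that
        # combination has been observed to break networking on this host.)
        "--accept-routes=false"
        # Accept the DNS configuration (MagicDNS / nameservers) pushed by the
        # tailnet coordination server into the local resolver. Stated
        # explicitly so the intent is visible: the tailnet admin controls DNS
        # resolution on this host.
        "--accept-dns=true"
      ];
    };

    # -- network config -------------------------------------------------------
    # SECURITY: a trusted interface bypasses the host firewall entirely, so
    # every listening service on this machine is reachable from every tailnet
    # peer. Access control then rests solely on the tailnet's ACL policy.
    # If that is broader than intended, drop this line and open individual
    # ports via networking.firewall.interfaces.tailscale0.allowed{TCP,UDP}Ports.
    networking.firewall.trustedInterfaces = [ "tailscale0" ];
    # WireGuard listen port, taken from the tailscale module so the firewall
    # stays in sync if services.tailscale.port is overridden elsewhere.
    networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];

    # -- declare authkey secret -----------------------------------------------
    # Declared inside the mkIf so a disabled module does not require the
    # secret to exist in the sops file.
    sops.secrets.${authkeySecret} = {
      owner = "root"; # tailscaled runs as root
      mode = "0400";  # sops-nix default, made explicit: owner-read only
    };
  };
}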