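# NixOS module: a thin wrapper that enables the upstream `services.tailscale`
# module under the local `my.services.tailscale` namespace.
#
# Security-relevant behaviour of this wrapper:
#   * Unless `trustInterface` is set to false, the Tailscale interface is added
#     to `networking.firewall.trustedInterfaces`. The NixOS firewall accepts
#     all traffic arriving on a trusted interface, so every listening service
#     on this host is reachable from the tailnet and access control rests on
#     the tailnet ACL policy alone.
#   * `useRoutingFeatures` is forwarded to the upstream module, where values
#     other than "none" change kernel networking settings (see the option
#     description below).
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    mkOption
    types
    ;

  cfg = config.my.services.tailscale;
in {
  options.my.services.tailscale = {
    enable = mkEnableOption "Tailscale";

    useRoutingFeatures = mkOption {
      type = types.enum ["none" "client" "server" "both"];
      default = "none";
      description = ''
        Passed through unchanged to `services.tailscale.useRoutingFeatures`.
        In the upstream module, "client" and "both" switch reverse-path
        filtering to loose mode, and "server" and "both" enable IPv4/IPv6
        forwarding (verify against the nixpkgs revision in use). Keep this at
        "none" unless the host acts as, or uses, a subnet router or exit node.
      '';
    };

    trustInterface = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to add the Tailscale interface to
        `networking.firewall.trustedInterfaces`. When true (the default, which
        matches this module's previous behaviour), the host firewall does not
        filter traffic from the tailnet. Set to false to keep the firewall in
        the path and expose individual ports through
        `networking.firewall.interfaces.<name>.allowedTCPPorts` (and the UDP
        equivalent) instead.
      '';
    };
  };

  config = mkIf cfg.enable {
    services.tailscale = {
      enable = true;
      package = pkgs.tailscale;
      # Upstream, this opens the tailscaled UDP port (`services.tailscale.port`)
      # on all interfaces so that peers can establish direct connections.
      openFirewall = true;
      useRoutingFeatures = cfg.useRoutingFeatures;
    };

    networking.firewall = {
      # Trusted interfaces bypass the firewall's port filtering entirely;
      # gated on `trustInterface` so that hosts can opt out.
      trustedInterfaces = mkIf cfg.trustInterface [config.services.tailscale.interfaceName];
    };
  };
}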