{ config, lib, pkgs, ... }:
let
  tailscaleCfg = config.services.tailscale;
in
{
  # Interfaces listed here bypass the NixOS firewall entirely, so every
  # listening port on this host is reachable from the tailnet. Tailnet ACLs
  # are then the only filter for traffic arriving over Tailscale.
  networking.firewall.trustedInterfaces = [ tailscaleCfg.interfaceName ];

  # Left disabled by the author. useRoutingFeatures below is expected to turn
  # on IP forwarding itself; confirm against the nixpkgs revision in use.
  # boot.kernel.sysctl = {
  #   "net.ipv4.ip_forward" = true;
  #   "net.ipv6.conf.all.forwarding" = true;
  # };

  services.tailscale = {
    enable = true;
    # "both" covers the routing-client and routing-server roles. This host
    # will forward packets, and the NixOS module is understood to relax
    # reverse-path filtering for the client role; verify if strict rp_filter
    # matters here.
    useRoutingFeatures = "both";
    # The auth key is read at runtime from the sops-managed path, so the key
    # itself is not written into this file. The secret
    # `tailscale_authentication_key` must be declared under sops.secrets
    # elsewhere in the configuration.
    authKeyFile = config.sops.secrets.tailscale_authentication_key.path;
  };

  services.networkd-dispatcher = {
    enable = true;
    # Runs whenever a link reaches the "routable" state.
    rules."50-tailscale" = {
      onState = [ "routable" ];
      # UDP GRO forwarding tuning for the uplink NIC. The interface name is
      # hard-coded, so the rule silently targets the wrong device (or fails)
      # on hardware where the uplink is not enp42s0.
      script = ''
        ${lib.getExe pkgs.ethtool} -K enp42s0 rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };
}