{ config, ... }:
{
  networking.firewall.trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];

  services.tailscale = {
    enable = true;
    useRoutingFeatures = "both";
  };

  # <https://tailscale.com/kb/1019/subnets/?tab=linux#step-1-install-the-tailscale-client>
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = true;
    "net.ipv6.conf.all.forwarding" = true;
  };
}