{ config, ... }: {
  services.tailscale = {
    enable = true;
    extraUpFlags = [
      "--login-server https://bosco.myrmexia.xyz"
      "--operator defin"
    ];
  };
  systemd.services.tailscaled.after = [ "systemd-networkd-wait-online.service" ];
  networking.firewall = {
    checkReversePath = "loose";
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [ config.services.tailscale.port ];
  };
}