{
  lib,
  config,
  ...
}:
{
  # TODO: handle auth declaratively to skip `tailscale up`

  options.tailscale = {
    enable = lib.mkEnableOption "tailscale";
  };

  config = lib.mkIf config.tailscale.enable {
    services.tailscale = {
      enable = true;
      openFirewall = true;
    };
  };
}