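# NixOS module: enables Tailscale, installs a once-a-minute watchdog that
# restarts tailscaled when it reports a health problem, and opens the host
# firewall for Tailscale traffic.
{ config, pkgs, ... }:
{
  services = {
    tailscale.enable = true;
  };

  # Watchdog unit. `jq -e '.Health[]'` exits 0 only when
  # `tailscale status --json` yields at least one entry under .Health.
  # NOTE(review): every health entry triggers a restart, so a warning that a
  # restart cannot clear will cause tailscaled to be restarted every minute.
  # Consider matching only the specific messages a restart is known to fix.
  systemd.services."restart-tailscaled" = {
    description = "Restart tailscaled if there's an error";
    serviceConfig = {
      Type = "oneshot";
      # Written as if/else instead of `check && restart || echo`: with the
      # chained form a failed `systemctl restart` fell through to the echo,
      # logging "No health problem detected" and leaving the unit successful.
      # Now a failed restart surfaces as a failed unit in the journal.
      # The else branch is also taken when `tailscale status` emits no JSON
      # (jq then produces no output), so the message does not prove health.
      ExecStart = ''/bin/sh -c "if tailscale status --json | jq -e '.Health[]'; then systemctl restart tailscaled.service; else echo 'No health problem detected'; fi"'';
    };
    # Tools the one-liner needs on PATH in addition to the unit defaults.
    path = with pkgs; [ jq tailscale ];
  };

  # No Unit= is set, so the timer activates the service of the same name.
  systemd.timers."restart-tailscaled" = {
    timerConfig = {
      OnCalendar = "minutely";
    };
    # The timer is pulled in when tailscaled.service is started, so the
    # watchdog only runs on hosts where the daemon has been started.
    wantedBy = [ "tailscaled.service" ];
  };

  networking.firewall = {
    # Security: a trusted interface bypasses the host firewall completely, so
    # every listening port is reachable by any peer that can reach this node
    # over tailscale0. Access control then rests entirely on the tailnet's
    # own ACLs. To expose only selected services, drop this line and use
    # networking.firewall.interfaces."tailscale0".allowedTCPPorts instead.
    trustedInterfaces = [ "tailscale0" ];
    # Inbound UDP on the Tailscale listen port, taken from the service
    # option so it follows any override of services.tailscale.port.
    allowedUDPPorts = [ config.services.tailscale.port ];
  };
}
# vim: set et ts=2 sw=2 ai: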