{ ... }:

{
  services.tailscale.enable = true;

  networking.firewall.trustedInterfaces = [ "tailscale0" ];

  boot.kernel.sysctl = {
    "net.ipv4.conf.tailscale0.rp_filter" = 0;
  };
}