{ config, ... }:
let
  # Shorthand for the evaluated tailscale options (interface name, UDP port).
  ts = config.services.tailscale;
in
{
  # Tailscale node: Tailscale SSH enabled, plus `tailscale serve` front-ends
  # that publish three local backends on the tailnet.
  services.tailscale = {
    enable = true;
    # "both": host may act as a subnet router / exit node and may also accept
    # routes from peers (turns on kernel IP forwarding).
    useRoutingFeatures = "both";
    # Tailscale SSH: who may log in is decided by the tailnet's SSH ACL rules,
    # not by this host's sshd configuration.
    extraUpFlags = [ "--ssh" ];
    serve = {
      enable = true;
      # Each entry listens on TCP/443 on the tailnet and proxies to a local
      # backend. NOTE(review): every target uses https://; confirm each backend
      # really terminates TLS on that port, otherwise the scheme is wrong.
      services = {
        cloud.endpoints."tcp:443" = "https://localhost:3923";
        jellyfin.endpoints."tcp:443" = "https://localhost:8096";
        photos.endpoints."tcp:443" = "https://localhost:2283";
      };
    };
  };

  networking.nftables.enable = true;
  networking.firewall = {
    enable = true;
    # Traffic arriving on the Tailscale interface bypasses the port filter, so
    # every locally listening service (not only the three served above) is
    # reachable from any tailnet peer; scope that with tailnet ACLs.
    trustedInterfaces = [ ts.interfaceName ];
    # UDP port tailscaled uses for direct peer-to-peer WireGuard connections.
    allowedUDPPorts = [ ts.port ];
  };

  # Make tailscaled program nftables instead of iptables, matching
  # networking.nftables above. TS_DEBUG_* knobs are not a stable interface
  # and may change between tailscale releases.
  systemd.services.tailscaled.serviceConfig.Environment = [
    "TS_DEBUG_FIREWALL_MODE=nftables"
  ];
}