nix-config/modules/nixos/tailscale.nix
2026-02-05 14:24:40 +01:00


# NixOS module: enable the Tailscale daemon, trust its interface in the host
# firewall, and make tailscaled manage its rules through nftables.
{ config, ... }:
let
  # Evaluated Tailscale options; read below for the interface name and UDP port.
  ts = config.services.tailscale;
in
{
  services.tailscale = {
    enable = true;

    # "both" selects the client and the server (subnet router / exit node)
    # routing profile. In the nixpkgs module this turns on IP forwarding and
    # loosens reverse-path filtering, so this host can forward traffic.
    useRoutingFeatures = "both";

    # --ssh turns on Tailscale SSH: logins over the tailnet are authorised by
    # the tailnet's SSH ACL rules, not by sshd_config or authorized_keys.
    # NOTE(review): nixpkgs passes extraUpFlags to `tailscale up` only from the
    # autoconnect unit, which exists when authKeyFile is set. No authKeyFile is
    # set in this file; confirm it is set elsewhere, otherwise this flag is not
    # applied by the module.
    extraUpFlags = [ "--ssh" ];

    # Disabled `tailscale serve` definitions, kept for reference.
    # NOTE(review): each backend is addressed as https://localhost:PORT; before
    # re-enabling, confirm the service really terminates TLS on that port.
    # serve = {
    #   enable = true;
    #   services = {
    #     cloud = {
    #       endpoints = {
    #         "tcp:443" = "https://localhost:3923";
    #       };
    #     };
    #     jellyfin = {
    #       endpoints = {
    #         "tcp:443" = "https://localhost:8096";
    #       };
    #     };
    #     photos = {
    #       endpoints = {
    #         "tcp:443" = "https://localhost:2283";
    #       };
    #     };
    #   };
    # };
  };

  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    # Traffic arriving on a trusted interface bypasses the port allow-list, so
    # every service listening on this host is reachable from tailnet peers.
    # The tailnet ACLs are then the only filter in front of those services.
    trustedInterfaces = [ ts.interfaceName ];

    # Inbound UDP port of tailscaled, opened so peers can connect directly.
    allowedUDPPorts = [ ts.port ];
  };

  # Make tailscaled use nftables for its firewall rules, matching
  # networking.nftables.enable above.
  systemd.services.tailscaled.serviceConfig.Environment = [
    "TS_DEBUG_FIREWALL_MODE=nftables"
  ];
}