{
  services.tailscale = {
    enable = true;
    useRoutingFeatures = "both";
  };
  networking.firewall = {
    trustedInterfaces = ["tailscale0"];
  };
}