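{ config, lib, ... }:
let
  cfg = config.services.tailscale;
  inherit (lib) mkIf mkOption types boolToString;

  # Flags understood by both `tailscale up` and `tailscale set`.
  # Booleans are passed explicitly (`--flag=true|false`) instead of being
  # omitted when false: the daemon's own default for `--accept-dns` is true,
  # so the previous `optional cfg.acceptDNS "--accept-dns"` form could never
  # turn DNS off, and omitting `--ssh` left a previously enabled SSH server
  # in place under `tailscale set`.
  commonFlags = [
    "--ssh=${boolToString cfg.enableSSH}"
    "--accept-dns=${boolToString cfg.acceptDNS}"
  ];
in
{
  options.services.tailscale = {
    # No default on purpose: the control server must be chosen explicitly.
    loginServer = mkOption {
      type = types.str;
      description = "The Tailscale login server to use.";
    };
    enableSSH = mkOption {
      type = types.bool;
      default = false;
      description = "Enable Tailscale SSH functionality.";
    };
    acceptDNS = mkOption {
      type = types.bool;
      default = true;
      description = "Enable Tailscale's MagicDNS and custom DNS configuration.";
    };
  };

  config = mkIf cfg.enable {
    services.tailscale = {
      # Pre-authentication key is read from the sops-managed secret at
      # runtime; it is never part of the Nix store or the repository.
      authKeyFile = config.sops.secrets."tailscale/auth-key".path;
      extraSetFlags = commonFlags;
      # `--login-server` is an `up`-only flag, so it is not part of commonFlags.
      extraUpFlags = [ "--login-server=${cfg.loginServer}" ] ++ commonFlags;
    };

    environment.shellAliases = {
      ts = "${cfg.package}/bin/tailscale";
    };

    # Trusting the interface opens every local port to all tailnet peers;
    # reachability is then governed solely by the tailnet ACL policy.
    networking.firewall.trustedInterfaces = [ cfg.interfaceName ];

    # Declares the secret so sops-nix decrypts it; path is consumed above.
    sops.secrets."tailscale/auth-key" = { };
  };
}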