{
  config,
  pkgs,
  outputs,
  constants,
  ...
}:

{
  imports = [
    outputs.nixosModules.tailscale
  ];

  services.tailscale = {
    enable = true;
    # Connect to our own headscale instance
    loginServer = "https://${constants.services.headscale.fqdn}";
    # Allow SSH access over Tailscale
    enableSSH = true;
    # Use MagicDNS names
    acceptDNS = true;

    # Auth key for automated enrollment
    authKeyFile = config.sops.secrets."tailscale/auth-key".path;
  };

  sops.secrets."tailscale/auth-key" = { };
}