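{ lib, config, pkgs, ... }:
with lib;
let
  cfg = config.my.networking.tailscale;
in
{
  # If tailscaled is activated in an unprivileged container, this must be set
  # on the Proxmox host (see https://tailscale.com/kb/1130/lxc-unprivileged):
  #   lxc.cgroup2.devices.allow: c 10:200 rwm
  #   lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
  options.my.networking.tailscale = {
    enable = mkEnableOption "Enable Tailscale module";

    # Path to the auth key, read at runtime by tailscaled. Pass it as a string
    # (as in the example), not as a relative path literal such as `./key`:
    # a path literal is copied into the world-readable Nix store.
    authKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/run/secrets/tailscale_key";
      description = ''
        A file containing the auth key.
      '';
    };

    exitNode = mkOption {
      type = types.str;
      default = "";
      example = "server-name";
      description = ''
        The Tailscale IP or hostname of the optional exit node.
        Leave empty to not use an exit node.
      '';
    };

    extraUpFlags = mkOption {
      description = ''
        Extra flags to pass to {command}`tailscale up`.
        Only applied if `authKeyFile` is specified.
        The exit node set with `exitNode` is already applied.
      '';
      type = types.listOf types.str;
      default = [ ];
      example = [ "--ssh" ];
    };
  };

  config = mkIf cfg.enable {
    services.tailscale = {
      enable = true;
      authKeyFile = cfg.authKeyFile;
      # "both" also turns on IP forwarding, which an exit-node *client* does
      # not strictly need ("client" would suffice). Kept as "both" so a host
      # that additionally advertises routes or an exit node via extraUpFlags
      # keeps working without further changes.
      useRoutingFeatures = if cfg.exitNode == "" then "none" else "both";
      # Only emit --exit-node when an exit node is actually configured; the
      # previous version passed an empty "--exit-node=" unconditionally.
      extraUpFlags = optional (cfg.exitNode != "") "--exit-node=${cfg.exitNode}"
        ++ cfg.extraUpFlags;
    };
  };
}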