{ config, hostMeta, ... }:

let
  # Secret decrypted by agenix at activation; readable by root only (0400).
  authKeySecret = config.age.secrets.tailscale-auth;

  # TCP ports reachable over the tailnet interface, selected by host role.
  # "primary" exposes SSH plus 3306 (conventionally MySQL); every other role
  # exposes SSH plus 873 (conventionally rsync).
  tailnetTcpPorts =
    if hostMeta.role == "primary"
    then [ 22 3306 ]
    else [ 22 873 ];
in
{
  age.secrets.tailscale-auth = {
    file = ../secrets/tailscale-auth.age;
    owner = "root";
    mode = "0400";
  };

  services.tailscale = {
    enable = true;
    # Auth key is read from the decrypted secret path, never inlined in the store.
    authKeyFile = authKeySecret.path;
    extraUpFlags = [ "--hostname=${hostMeta.tailscaleName}" ];
  };

  networking.firewall = {
    # Scoped to tailscale0 only: these ports stay closed on every other interface.
    interfaces.tailscale0.allowedTCPPorts = tailnetTcpPorts;

    # Tailscale's own UDP port is opened on all interfaces, not just tailscale0
    # (presumably so peers can reach this host without relaying — confirm).
    allowedUDPPorts = [ config.services.tailscale.port ];

    # Relaxes reverse-path filtering host-wide, not only for tailscale0.
    # NOTE(review): confirm this host actually needs "loose" (typically exit-node
    # or subnet-routing setups); if not, the stricter default keeps rp_filter intact.
    checkReversePath = "loose";
  };
}