{ pkgs, ... }:

{
  services.tailscale.enable = true;

  networking = {
    firewall = {
      allowPing = false;
      enable = true;
      checkReversePath = "loose";
      trustedInterfaces = [ "tailscale0" ];
    };
  };
}