{ ... }:
let
  # One name shared by the Tailscale service and the firewall rule, so the
  # SSH allowance below cannot drift onto a different interface.
  tailnetInterface = "tailscale0";

  # Tailnet address pinned in /etc/hosts for the monitoring hostnames.
  monitoringAddress = "100.64.0.14";
in
{
  # Join the tailnet through the self-hosted Headscale control server.
  services.tailscale = {
    enable = true;
    interfaceName = tailnetInterface;

    # NOTE(review): NixOS documents extraUpFlags as applied only when
    # services.tailscale.authKeyFile is set. No authKeyFile is visible in
    # this module; confirm it is defined elsewhere, otherwise the login
    # server and the accept-* flags below are not applied declaratively.
    #
    # --accept-dns and --accept-routes let the control server and peers
    # influence this host's resolver and routing table, so the host's
    # exposure follows the trust placed in that Headscale instance.
    extraUpFlags = [
      "--login-server=https://headscale.sysctl.io"
      "--accept-dns"
      "--accept-routes"
    ];
  };

  networking = {
    firewall = {
      # Accept SSH (TCP 22) on the tailnet interface.
      # NOTE(review): this rule only adds an allowance; it does not close the
      # port elsewhere. services.openssh.openFirewall defaults to true and
      # opens 22 on every interface, so set it to false where sshd is enabled
      # if SSH is meant to be reachable over the tailnet only.
      interfaces.${tailnetInterface}.allowedTCPPorts = [ 22 ];

      # Needed to route traffic through an exit node. This is a host-wide
      # firewall setting, not a tailscale0-only one: it relaxes the
      # reverse-path (anti-spoofing) check from strict to loose.
      checkReversePath = "loose";
    };

    # Because of the split DNS, hosts forget which IP (external or internal)
    # is promtail/loki, so the internal address is pinned here.
    # Static entries bypass DNS and go stale silently if the target's tailnet
    # address changes -- verify the address still belongs to the intended node.
    extraHosts = ''
      ${monitoringAddress} influx.sysctl.io
      ${monitoringAddress} loki.sysctl.io
    '';
  };
}