{ config, pkgs, ... }: {
  # Enable tailscale and open port 22 on it
  services.tailscale = {
    enable = true;
    interfaceName = "tailscale0";
    extraUpFlags = [
      "--login-server=https://headscale.sysctl.io"
      "--accept-dns"
      "--accept-routes"
    ];
  };
  networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];
}