{config, ...}: {
  services.tailscale = {
    enable = true;
    permitCertUid = "962";
  };
  networking.firewall = {
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [ config.services.tailscale.port ];
    checkReversePath = "loose";
  };
}