# Module that declares a `tailscale.enable` switch and, when it is set,
# adds a Helm release for the tailscale-operator chart plus an
# `operator-oauth` Secret holding the operator's OAuth client credentials.
{
  nixhelm,
  system,
  config,
  lib,
  ...
}: let
  cfg = config.tailscale;

  # Chart derivation taken from nixhelm for the current system.
  operatorChart = nixhelm.chartsDerivations.${system}.tailscale.tailscale-operator;
in {
  options.tailscale.enable = lib.mkEnableOption "tailscale";

  # Nothing below is emitted unless tailscale.enable is true.
  config = lib.mkIf cfg.enable {
    kubernetes.helm.releases.tailscale = {
      chart = operatorChart;
      includeCRDs = true;
      namespace = "tailscale";
    };

    # The values are reference strings, not the credentials themselves, so
    # this module puts no plaintext secret into the evaluated configuration.
    # NOTE(review): the `ref+sops://` form looks like a vals-style reference
    # that a later rendering step must resolve from secrets.yml; confirm that
    # step exists and that the resolved manifest is not written to the Nix
    # store or committed.
    # NOTE(review): no namespace is set on this Secret here, while the Helm
    # release is pinned to "tailscale"; verify that a default namespace
    # defined elsewhere places the Secret where the operator reads it.
    kubernetes.resources.secrets.operator-oauth.stringData = {
      client_id = "ref+sops://secrets.yml#/tailscale/clientID";
      client_secret = "ref+sops://secrets.yml#/tailscale/clientSecret";
    };
  };
}