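# NixOS module: joins the host to a tailnet and, optionally, advertises it as
# an exit node together with a subnet route for the 192.168.30.0/24 LAN.
{ lib, config, ... }:
let
  cfg = config.lab.tailscale;
in
{
  options = {
    lab.tailscale.advertiseExitNode = lib.mkOption {
      type = lib.types.bool;
      default = false;
      # The option name only mentions the exit node, but it also controls the
      # subnet route below; the description makes that visible to whoever
      # enables it.
      description = ''
        Advertise this host as a Tailscale exit node and, in addition,
        advertise the 192.168.30.0/24 subnet route to the tailnet.
      '';
    };
  };

  config = {
    services.tailscale = {
      enable = true;

      # The auth key is read from a sops-managed secret file at runtime
      # instead of being written into this module.
      authKeyFile = config.sops.secrets."tailscale/authKey".path;

      # "server" makes the NixOS module turn on IP forwarding, which routing
      # for other peers requires. It is set unconditionally, so forwarding is
      # enabled even while advertiseExitNode is false.
      # NOTE(review): confirm that is intended for hosts that never route.
      useRoutingFeatures = "server";

      # Opens the Tailscale UDP port in the host firewall for direct
      # connections from peers.
      openFirewall = true;

      # Flags handed to `tailscale up` when the node authenticates.
      extraUpFlags = [
        # Do not let the tailnet's DNS settings replace the host resolver.
        "--accept-dns=false"
        "--hostname=${config.networking.hostName}"
      ]
      # Both flags hang off the same switch. Enabling it exposes the whole
      # 192.168.30.0/24 segment to tailnet peers, subject to the tailnet's
      # ACLs and route approval, so review those before turning it on.
      ++ lib.optionals cfg.advertiseExitNode [
        "--advertise-exit-node"
        "--advertise-routes=192.168.30.0/24"
      ];
    };

    # Declares the secret with sops-nix defaults; `authKeyFile` above points
    # at the path sops-nix provides for it.
    sops.secrets."tailscale/authKey" = { };
  };
}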