{ config, ... }: {
  services.tailscale.enable = true;
  networking.firewall.checkReversePath = "loose";
  networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
}