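{ config, pkgs, ... }:
# Tailscale node joined to the self-hosted headscale control plane, acting as
# an exit node / route acceptor. The networkd-dispatcher hook applies the
# ethtool settings Tailscale recommends for forwarding throughput on the
# interface that carries the default route.
{
  services.tailscale = {
    enable = true;
    # "both" = client and server routing features. The NixOS module already
    # turns on IP forwarding and loose reverse-path filtering for this value,
    # so the explicit sysctl / firewall settings below only restate it.
    useRoutingFeatures = "both";
    # Pre-auth key is provided out of the Nix store by agenix; keep it there.
    authKeyFile = config.age.secrets.tailscale-key.path;
    extraUpFlags = [
      "--login-server=${config.services.headscale.settings.server_url}"
      # Advertised exit-node / subnet routes are not usable until they are
      # approved on the headscale side.
      "--advertise-exit-node"
      "--accept-routes"
    ];
  };

  services.networkd-dispatcher = {
    enable = true;
    rules."50-tailscale" = {
      onState = [ "routable" ];
      # The hook runs from a systemd unit whose PATH is not guaranteed to
      # contain ip/cut/ethtool, so every tool is addressed by store path.
      # ${pkgs.ethtool} alone is the package directory, not the executable.
      # `ip route get` performs a route lookup only; nothing is sent to 8.8.8.8.
      script = ''
        NETDEV=$(${pkgs.iproute2}/bin/ip -o route get 8.8.8.8 | ${pkgs.coreutils}/bin/cut -f 5 -d " ")
        if [ -n "$NETDEV" ]; then
          ${pkgs.ethtool}/bin/ethtool -K "$NETDEV" rx-udp-gro-forwarding on rx-gro-list off
        fi
      '';
    };
  };

  boot.kernel.sysctl = {
    # Forwarding is required for exit-node and subnet-router traffic.
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
    # GRO batching tunables that go with the ethtool settings above.
    "net.core.gro_normal_batch" = 8;
    "net.core.gro_flush_timeout" = 200000;
  };

  networking.firewall = {
    # Everything arriving on tailscale0 bypasses the host firewall, so every
    # tailnet node (and anything they route) can reach every local service.
    # Constrain that with headscale ACLs, or remove this and open the needed
    # ports on tailscale0 explicitly.
    trustedInterfaces = [ "tailscale0" ];
    # Direct WireGuard peer traffic; without it connections fall back to DERP relays.
    allowedUDPPorts = [ 41641 ];
    # Strict rp_filter would drop traffic that enters via tailscale0 and
    # leaves via the default route.
    checkReversePath = "loose";
  };

  environment.systemPackages = with pkgs; [ ethtool tailscale networkd-dispatcher ];
}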