{
  # Tailscale base module: installs tailscaled, keeps its state on persistent
  # storage, and optionally feeds it a sops-managed auth key and enables
  # Tailscale SSH.
  flake.modules.nixos.base =
    { config, lib, ... }:
    let
      inherit (lib) mkOption mkForce optional types;

      tsCfg = config.infra.tailscale;

      # Name of the sops-nix secret holding the pre-authentication key.
      # The VM variant below remaps this same secret to a different entry in
      # the sops store.
      authKeySecret = "services/tailscale/auth_key";

      # systemd's StateDirectory= is relative to /var/lib; the daemon is told
      # the matching absolute path so both agree on where node state (which
      # includes the node's private key) lives.
      stateDirName = "tailscale";
      stateDir = "/var/lib/${stateDirName}";
    in
    {
      options.infra.tailscale = {
        authenticate = mkOption {
          type = types.bool;
          default = false;
          description = "Whether to enable automatic authentication with the authkey.";
        };
        ssh = mkOption {
          type = types.bool;
          default = false;
          description = "Whether to enable Tailscale SSH.";
        };
      };

      config = {
        # The secret is declared unconditionally; its path is only handed to
        # tailscale when `authenticate` is set (see authKeyFile below).
        sops.secrets.${authKeySecret} = { };

        # Keep the node identity across reboots on hosts with an
        # impermanent root.
        infra.persist.directories = [ stateDir ];

        systemd.services.tailscaled.serviceConfig.StateDirectory = stateDirName;

        services.tailscale = {
          enable = true;

          # Only expose the auth key to the service when automatic
          # authentication was requested; otherwise the node has to be
          # logged in interactively.
          authKeyFile =
            if tsCfg.authenticate
            then config.sops.secrets.${authKeySecret}.path
            else null;

          # Tailscale SSH is opt-in: `--ssh` lets the tailnet ACLs grant
          # shell access to this host, so it is off unless asked for.
          extraUpFlags = optional tsCfg.ssh "--ssh";

          extraDaemonFlags = [
            # Do not upload daemon logs to Tailscale's log service.
            "--no-logs-no-support"
            "--statedir=${stateDir}"
          ];
        };

        virtualisation.vmVariant = {
          # VMs use a separate auth key intended for ephemeral nodes, so
          # throwaway VMs are removed from the tailnet automatically instead
          # of accumulating as stale machines.
          sops.secrets.${authKeySecret}.key = mkForce "services/tailscale/nixos_vm_auth_key";
        };
      };
    };
}