{ inputs, config, ... }:

{
  imports = [ inputs.synix.nixosModules.tailscale ];

  services.tailscale = {
    enable = true;
    tailnets = {
      personal = {
        default = true;
        loginServer = "https://hs.sid.ovh";
        authKeyFile = config.sops.secrets."tailscale/personal-key".path;
        enableSSH = true;
        acceptDNS = false; # use coredns
      };
      work = {
        loginServer = "https://headscale.cryodev.xyz";
        enableSSH = true;
        acceptDNS = true;
        authKeyFile = config.sops.secrets."tailscale/work-key".path;
      };
    };
  };

  sops.secrets."tailscale/personal-key" = { };
  sops.secrets."tailscale/work-key" = { };
}