{ config, lib, namespace, ... }:

let
  # Per-host knobs for this module and for the sibling rke2 module, both
  # living under `config.${namespace}.services`.
  tsCfg = config.${namespace}.services.tailscale;
  rke2Cfg = config.${namespace}.services.rke2;

  # Value handed to services.tailscale.useRoutingFeatures: "server" when this
  # host is meant to advertise routes / act as an exit node, "client" otherwise.
  routingMode = if tsCfg.enableRouting then "server" else "client";

  # The POSTROUTING reordering below is only applied when rke2 (and thus
  # Calico) is present on this host AND it is supposed to route for others.
  needsPostroutingFix = rke2Cfg.enable && tsCfg.enableRouting;
in
{
  options.${namespace}.services.tailscale = {
    enable = lib.mkEnableOption "enable tailscale service";
    enableRouting = lib.mkEnableOption "enable tailscale routing";
  };

  config = lib.mkIf tsCfg.enable {
    services.tailscale = {
      enable = true;
      useRoutingFeatures = routingMode;
    };

    # Kernel packet forwarding is required for subnet-router / exit-node duty.
    # It is left at the kernel default unless routing is explicitly requested,
    # so a plain client never silently becomes a router.
    boot.kernel.sysctl = lib.mkIf tsCfg.enableRouting {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
    };

    # Move Tailscale PostRouting First - In situations where Calico is enabled, this is needed
    # to ensure that Tailscale routes traffic correctly as an exit node.
    # The delete is deliberately best-effort (the jump may not be present yet);
    # the insert at position 1 puts Tailscale's SNAT chain ahead of any other
    # POSTROUTING rule so its masquerading is evaluated first.
    # NOTE(review): only the IPv4 nat table is reordered here while IPv6
    # forwarding is enabled above — confirm whether ip6tables needs the same.
    # NOTE(review): this assumes Tailscale programs its rules through iptables
    # (chain `ts-postrouting` in the nat table) and that the chain already
    # exists when the firewall script runs — verify against tailscaled's
    # start order on this host.
    networking.firewall.extraCommands = lib.mkIf needsPostroutingFix ''
      iptables -t nat -D POSTROUTING -j ts-postrouting 2>/dev/null || true
      iptables -t nat -I POSTROUTING 1 -j ts-postrouting
    '';
  };
}