{ user, ...}:
{
  services.tailscale = {
    enable = true;
    # When using this configuration, make sure to create a file at /run/secrets/tailscale
    # with the contents of your Tailscale auth key.
    # Make sure your permissions are set correctly, e.g. 0600.
    # The secret file will be automatically deleted on system reboot.
    # You do not need to recreate it again unless you remove the system from your Tailscale account.
    authKeyFile = "/run/secrets/tailscale";
    # change this to "server" if you are this device as an exit node
    useRoutingFeatures = "client";
    extraUpFlags = [
      "--ssh"
      "--accept-routes"
      "--accept-dns"
      "--operator=${user}"
    ];
  };
}