Unverified Commit a30cc10e authored by Pol Dellaiera's avatar Pol Dellaiera Committed by GitHub

Merge pull request #242703 from jwygoda/tailscaled-autoconnect

nixos/tailscale: add authKeyFile option
parents c56c6e9b 7fc0e333
+24 −0
@@ -49,6 +49,15 @@ in {
        When set to `server` or `both`, IP forwarding will be enabled.
      '';
    };

    authKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/run/secrets/tailscale_key";
      description = lib.mdDoc ''
        A file containing the auth key.
      '';
    };
  };

  config = mkIf cfg.enable {
@@ -82,6 +91,21 @@ in {
      stopIfChanged = false;
    };

    systemd.services.tailscaled-autoconnect = mkIf (cfg.authKeyFile != null) {
      after = ["tailscale.service"];
      wants = ["tailscale.service"];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "oneshot";
      };
      script = with pkgs; ''
        status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
        if [[ $status != Connected* ]]; then
          ${pkgs.tailscale}/bin/tailscale up --auth-key 'file:${cfg.authKeyFile}'
        fi
      '';
    };

    boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") {
      "net.ipv4.conf.all.forwarding" = mkOverride 97 true;
      "net.ipv6.conf.all.forwarding" = mkOverride 97 true;
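Review bot: The new `tailscaled-autoconnect` unit declares `after`/`wants` on `tailscale.service`, but its own script queries `tailscaled.service`; assuming the daemon unit is the latter (its definition is outside this hunk), the ordering has no effect and `tailscale up` can run before the daemon is ready, so both lists should read `[ "tailscaled.service" ]`. In the first hunk, `authKeyFile` is typed `types.path`, so a Nix path literal such as `./key` would be copied into the world-readable Nix store when it is interpolated into the script. The option description should say this, for example `A file containing the auth key. Set it as a string path (e.g. "/run/secrets/tailscale_key") so the key is never copied into the Nix store.` The interpolated argument would also be more robust as `${lib.escapeShellArg "file:${cfg.authKeyFile}"}` than hand-written single quotes, and the `with pkgs;` on `script` looks unused since the body already spells out `pkgs.tailscale`.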