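# NixOS module: adds key-based automatic login options to services.tailscale
# and a systemd unit that runs `tailscale up` once tailscaled is started.
{
  config,
  pkgs,
  lib,
  ...
}:
with lib; let
  cfg = config.services.tailscale;

  # Default control-server URL: headscale's configured server_url when the
  # local headscale service is enabled, otherwise null.
  defPath =
    if config.services.headscale.enable
    then "${config.services.headscale.settings.server_url}"
    else null;
in {
  # Configure tailscale to allow specifying user login and auth path
  options.services.tailscale = {
    # Path to the file holding the auth key. Give it as a string pointing at a
    # runtime secret: a Nix path literal would be copied into the
    # world-readable Nix store when it is interpolated below.
    authTokenPath = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Should tailscale automatically login with the given authtoken file";
    };

    # Control server passed to --login-server; null leaves the flag off.
    authUrl = mkOption {
      type = types.nullOr types.str;
      default = defPath;
      description = "Server URL of head/tailscale";
    };
  };

  config = let
    # NOTE(review): this compares the token *path* with the default server
    # *URL*, so it can only hold when both are null, and in that case the
    # unit below is disabled. `name` is also not bound anywhere in this file;
    # under `with lib;` that is only detected if the string is ever forced.
    # As written, no extra ordering dependency is ever added. Confirm the
    # intended condition and unit name.
    waitGen = optional (cfg.authTokenPath == defPath) "headscale-preauth-regen-${name}";

    # authUrl is nullable (and defaults to null without headscale), so only
    # emit the flag when a URL is set instead of failing on a null
    # interpolation. The value is shell-quoted before it reaches the script.
    loginServerFlag =
      optionalString (cfg.authUrl != null)
      "--login-server ${escapeShellArg cfg.authUrl}";

    # Hand the key over as "file:<path>" so the tailscale CLI reads it itself.
    # Expanding it with $(cat ...) would put the secret on the command line,
    # where it is visible in the process list to other local users.
    # NOTE(review): confirm the packaged tailscale accepts the file: prefix.
    authKeyArg = escapeShellArg "file:${cfg.authTokenPath}";
  in {
    # Only defined when tailscale is enabled and a token file is configured.
    systemd.services.tailscale_autologin = mkIf (cfg.enable && cfg.authTokenPath != null) {
      wantedBy = ["tailscaled.service"];
      after = ["tailscaled.service"] ++ waitGen;
      script = ''
        ${pkgs.tailscale}/bin/tailscale up ${loginServerFlag} --authkey ${authKeyArg}
      '';
      serviceConfig = {
        Type = "simple";
      };
    };
  };
}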