{
  config,
  inputs,
  pkgs,
  ...
}:
let
  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
in
{
  sops.secrets = {
    "tailscale-key" = {
      sopsFile = "${sopsFolder}/shared.yaml";
    };
    "netbird-key" = {
      sopsFile = "${sopsFolder}/shared.yaml";
      owner = "netbird-blackbridge";
      group = "netbird-blackbridge";
    };
  };

  services.tailscale = {
    enable = true;
    package = pkgs.unstable.tailscale;
    authKeyFile = config.sops.secrets."tailscale-key".path;
  };

  services.netbird = {
    package = pkgs.unstable.netbird;

    clients.blackbridge = {
      login = {
        enable = true;
        setupKeyFile = config.sops.secrets."netbird-key".path;
      };
      port = 51820;
      openFirewall = true;
      openInternalFirewall = true;
    };
  };
}