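# Base host configuration: shell and network tools, Tailscale, OpenSSH and mosh,
# plus optional nftables support.
#
# Arguments:
#   enableNFTables - when true, switch the firewall to nftables and tell
#                    tailscaled to use its nftables mode.
#   lib            - nixpkgs lib (recursiveUpdate, optionalAttrs).
{ enableNFTables, lib, ... }:
# `//` merges only top-level attributes. The nftables set below defines
# `networking` and `systemd`, so with `//` it replaced both values from the base
# set whenever enableNFTables was true, silently dropping
# networking.firewall.trustedInterfaces and systemd.network.wait-online.
# recursiveUpdate merges the nested attributes instead.
lib.recursiveUpdate
  {
    # Some programs need SUID wrappers, can be configured further or are
    # started in user sessions.
    programs.mtr.enable = true;

    # Fish shell, the best
    programs.fish.enable = true;

    # Tailscale
    services.tailscale = {
      enable = true;
      openFirewall = true;
    };

    # Don't wait for networks on boot, should speed up boot
    # NOTE(review): units ordered after network-online.target may then start
    # before the network is up — confirm nothing here depends on that.
    systemd.network.wait-online.enable = false;
    boot.initrd.systemd.network.wait-online.enable = false;

    # Traffic arriving on tailscale0 is accepted without firewall filtering, so
    # access control for tailnet peers rests on the Tailscale ACLs.
    networking.firewall.trustedInterfaces = [ "tailscale0" ];

    # Enable the OpenSSH daemon.
    services.openssh = {
      enable = true;
      # Opens the SSH port on every interface, not only tailscale0.
      # NOTE(review): if SSH is meant to be reached over the tailnet only, this
      # can be false, since tailscale0 is already trusted above.
      openFirewall = true;
      # Key-based logins only.
      # NOTE(review): confirm keyboard-interactive authentication is not left as
      # a password path; settings.KbdInteractiveAuthentication = false makes
      # that explicit.
      settings.PasswordAuthentication = false;
    };

    # MOSH, SSH over flakey connections
    # NOTE(review): the mosh module is expected to open its UDP port range in
    # the firewall by default — confirm that exposure is wanted.
    programs.mosh.enable = true;
  }
  (lib.optionalAttrs enableNFTables {
    # Use nftables
    networking.nftables.enable = true;

    # Support native nftables in tailscale
    systemd.services.tailscaled.serviceConfig.Environment = [
      "TS_DEBUG_FIREWALL_MODE=nftables"
    ];
  })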