# Exports a NixOS module as `flake.nixosModules.mullvad` (the outer function looks
# like a flake-parts module — confirm against the flake that imports it).
# The NixOS module turns on the Mullvad VPN service and systemd-resolved, and adds
# an nftables table that marks traffic to 100.64.0.0/10 so it is let through.
{lib, ...}: {
  flake.nixosModules.mullvad = {pkgs, ...}: {
    services = {
      mullvad-vpn = {
        enable = true;
        package = pkgs.mullvad-vpn;
        # Enables the `mullvad-exclude` wrapper, which lets a program be started
        # outside the tunnel. The NixOS option text notes a possible minor security
        # impact; set this to false if per-process exclusion is not actually used.
        enableExcludeWrapper = true;
      };

      # NOTE(review): presumably required for Mullvad's DNS handling — confirm.
      resolved.enable = true;
    };

    # Allow Tailscale traffic through.
    networking.nftables = {
      enable = true;
      tables.mullvad_tailscale = {
        family = "inet";
        # Sets a conntrack mark and a packet mark on locally generated packets whose
        # destination is in 100.64.0.0/10. The two values look like the marks
        # Mullvad documents for split tunnelling — verify against the installed
        # Mullvad version.
        #
        # Scope of the exemption, as written:
        #  - 100.64.0.0/10 is the whole RFC 6598 shared address space, not only
        #    addresses handed out by Tailscale. On a network that itself uses this
        #    range (carrier-grade NAT), traffic to those hosts is marked too and
        #    would not be covered by the VPN tunnel.
        #  - Only `ip daddr` (IPv4) is matched; IPv6 destinations are not marked
        #    by this rule.
        content = ''
          chain output {
            type route hook output priority -100; policy accept;
            ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        '';
      };
    };

    # Passed to tailscaled through its unit environment; presumably makes it manage
    # its firewall rules through nftables, matching `networking.nftables.enable`.
    systemd.services.tailscaled.serviceConfig.Environment = ["TS_DEBUG_FIREWALL_MODE=nftables"];
  };
}