# NixOS module exported as `flake.nixosModules.mullvad`.
#
# Enables the Mullvad VPN daemon and adds an nftables rule that exempts
# traffic destined for Tailscale's address range from the Mullvad tunnel,
# so both VPNs can run on the same host.
{lib, ...}: {
  flake.nixosModules.mullvad = {pkgs, ...}: {
    services.mullvad-vpn.enable = true;
    services.mullvad-vpn.package = pkgs.mullvad-vpn;

    # Makes `mullvad-exclude` usable, i.e. local users can start processes
    # whose traffic stays outside the tunnel. The NixOS option description
    # notes this may have a minor security impact; turn it off if
    # per-process split tunnelling is not actually used on this host.
    services.mullvad-vpn.enableExcludeWrapper = true;

    # Allow Tailscale traffic through (around) the Mullvad tunnel.
    #
    # The rule sets the conntrack mark 0x00000f41 and the packet mark
    # 0x6d6f6c65 (ASCII "mole"); this is the mark pair Mullvad documents for
    # excluding traffic from the tunnel and its firewall rules.
    #
    # Security notes for whoever maintains this:
    #   * The match is on destination address only. Everything any local
    #     process sends to 100.64.0.0/10 leaves outside Mullvad, not just
    #     packets from tailscaled. That range is the shared CGNAT block, so
    #     on networks that use it for other purposes those hosts are
    #     exempted as well. Narrow the match if the deployment allows it.
    #   * Only IPv4 is matched although the table family is `inet`.
    #     NOTE(review): Tailscale's IPv6 range (fd7a:115c:a1e0::/48) is not
    #     covered; confirm whether IPv6 tailnet traffic is expected here.
    #   * NOTE(review): `networking.nftables.tables` is only rendered when
    #     `networking.nftables.enable` is set; it is not set in this module,
    #     so confirm it is enabled elsewhere or this exemption is inert.
    networking.nftables.tables.mullvad_tailscale = {
      family = "inet";
      content = ''
        chain output {
          type route hook output priority 0; policy accept;
          ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
        }
      '';
    };

    # Have tailscaled program its firewall rules through nftables instead of
    # iptables, keeping it on the same backend as the table above.
    # NOTE(review): this is a TS_DEBUG_* knob; re-check it on Tailscale
    # upgrades in case the variable's behaviour changes.
    systemd.services.tailscaled.serviceConfig.Environment = [
      "TS_DEBUG_FIREWALL_MODE=nftables"
    ];
  };
}