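# NixOS module: site-local Ollama settings.
#   - declares services.ollama.exposePort (opt-in firewall opening on the Tailscale interface)
#   - pins the service user/group
#   - persists the model directory on impermanent hosts
{ config, lib, ... }:
let
  ollama = config.services.ollama;
in
{
  options = {
    # mkEnableOption renders its argument as "Whether to enable <text>.",
    # so the text is written as a noun phrase rather than a question.
    services.ollama.exposePort = lib.mkEnableOption "exposing the ollama port on the tailscale interface";
  };

  config = lib.mkMerge [
    {
      services.ollama = {
        # TODO: these should match what is set in the users file
        group = "ollama";
        user = "ollama";
      };
    }

    # NOTE(review): this whole set, including the firewall rule, is only applied
    # when BOTH host.impermanence.enable and services.ollama.enable are true.
    # On a host without impermanence, exposePort = true silently opens nothing.
    # Confirm that coupling is intended before relying on the option elsewhere.
    (lib.mkIf (config.host.impermanence.enable && ollama.enable) {
      # Keep downloaded models across reboots, owned by the service account so
      # the daemon can still write to the directory after it is bind-mounted.
      environment.persistence."/persist/system/root" = {
        enable = true;
        hideMounts = true;
        directories = [
          {
            directory = ollama.models;
            user = ollama.user;
            group = ollama.group;
          }
        ];
      };

      # Open the API port on the Tailscale interface only, never on the
      # default (public) firewall zone. Only TCP is opened: the Ollama API is
      # HTTP, so a matching UDP rule would be an unused hole in the firewall.
      #
      # Security notes for whoever enables this:
      #   - The firewall rule alone does not make the service reachable; the
      #     daemon must also listen on an address routed over this interface
      #     (see services.ollama.host).
      #   - The Ollama API has no built-in authentication, so every tailnet
      #     peer allowed to reach this port can use it. Restrict access with
      #     Tailscale ACLs to the peers that actually need it.
      networking.firewall.interfaces.${config.services.tailscale.interfaceName} =
        lib.mkIf ollama.exposePort {
          allowedTCPPorts = [ ollama.port ];
        };
    })
  ];
}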