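# NixOS module layered on top of services.ollama: pins the service account and
# adds an opt-in switch that makes the API reachable over the Tailscale
# interface. Nothing here takes effect unless services.ollama.enable is set.
{ config, lib, ... }:
let
  cfg = config.services.ollama;
in
{
  options = {
    # mkEnableOption renders the text as "Whether to enable <text>.", so the
    # description is phrased to read correctly after that prefix.
    services.ollama.exposePort =
      lib.mkEnableOption "exposing the ollama API on the tailscale interface";
  };

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        services.ollama = {
          # TODO: these should match whats set in the users file
          group = "ollama";
          user = "ollama";
        };
      }

      (lib.mkIf cfg.exposePort {
        # Binding to 0.0.0.0 makes the daemon listen on EVERY interface, not
        # just Tailscale. The per-interface firewall rule below is the only
        # thing limiting reachability, and this module configures no
        # authentication in front of the API.
        services.ollama.host = "0.0.0.0";

        # Open the port on the Tailscale interface only. The API is served
        # over HTTP, so only TCP is opened; the previous matching UDP rule
        # exposed a port nothing listens on.
        networking.firewall.interfaces.${config.services.tailscale.interfaceName} = {
          allowedTCPPorts = [ cfg.port ];
        };

        # With the firewall off, the 0.0.0.0 bind is reachable from every
        # network the host is attached to. Warn rather than fail so existing
        # configurations keep evaluating.
        warnings = lib.optional (!config.networking.firewall.enable)
          "services.ollama.exposePort is set but networking.firewall is disabled: ollama listens on 0.0.0.0 and is reachable on all interfaces, not only ${config.services.tailscale.interfaceName}.";
      })
    ]
  );
}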