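# NixOS module: host-level tweaks for services.ollama.
#
# - pins the service user/group,
# - optionally exposes the ollama API on the tailscale interface only,
# - persists model/state directories when the host uses impermanence.
{
  config,
  lib,
  ...
}: {
  options = {
    # mkEnableOption prefixes the text with "Whether to enable ", so the
    # description must read as a noun phrase.
    services.ollama.exposePort = lib.mkEnableOption "exposing the ollama API on the tailscale interface";
  };

  config = lib.mkIf config.services.ollama.enable (
    lib.mkMerge [
      {
        services.ollama = {
          # TODO: these should match whats set in the users file
          group = "ollama";
          user = "ollama";
        };
      }
      (lib.mkIf config.services.ollama.exposePort {
        # Security note: binding to 0.0.0.0 makes ollama listen on every
        # address of the host. The only thing keeping it off the public /
        # LAN interfaces is the per-interface firewall rule below, so the
        # NixOS firewall must actually be running for this to be safe. The
        # assertions below make that dependency fail loudly at eval time
        # instead of silently exposing an unauthenticated API.
        services.ollama.host = "0.0.0.0";

        assertions = [
          {
            assertion = config.networking.firewall.enable;
            message = "services.ollama.exposePort binds ollama to 0.0.0.0 and relies on networking.firewall to restrict it to the tailscale interface; enable the firewall or disable exposePort.";
          }
          {
            assertion = config.services.tailscale.enable;
            message = "services.ollama.exposePort opens the ollama port on the tailscale interface, but services.tailscale is not enabled.";
          }
        ];

        # Ollama serves plain HTTP over TCP; the previous UDP rule opened a
        # port nothing listens on, so only TCP is allowed (least privilege).
        networking.firewall.interfaces.${config.services.tailscale.interfaceName} = {
          allowedTCPPorts = [config.services.ollama.port];
        };
      })
      (lib.mkIf config.host.impermanence.enable {
        environment.persistence."/persist/system/root" = {
          enable = true;
          hideMounts = true;
          directories = [
            # Downloaded models; owned by the service user so ollama can
            # write new pulls after a reboot.
            {
              directory = config.services.ollama.models;
              user = config.services.ollama.user;
              group = config.services.ollama.group;
            }
            # NOTE(review): this path is the systemd DynamicUser-style state
            # directory. Whether ollama actually writes there (rather than
            # /var/lib/ollama) depends on how the upstream module sets up the
            # unit for a static user — confirm on a live host. Kept private
            # (0700) because it can hold keys and per-instance state.
            {
              directory = "/var/lib/private/ollama";
              user = config.services.ollama.user;
              group = config.services.ollama.group;
              mode = "0700";
              defaultPerms.mode = "0700";
            }
          ];
        };
      })
    ]
  );
}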