# Declares the `tailscale_acl` resource named `default`. The policy is built as
# a Nix attribute set and serialised to JSON for the resource's `acl` argument.
{lib, ...}: let
  # The only identity listed as owner of the tags below; in a Tailscale policy
  # the owners of a tag are the ones allowed to apply it to devices.
  owners = ["getchoo@github"];

  # Short tag names, expanded to the "tag:<name>" form used throughout the policy.
  tagNames = map (short: "tag:${short}") ["server" "personal"];

  policy = {
    # Every tag gets the same owner list.
    tagOwners = lib.genAttrs tagNames (_tag: owners);

    # Network-level rules. List order is kept as in the original.
    acls = [
      # tag:personal devices may reach every destination on every port ("*:*").
      # This is the broadest rule in the file: anything that can affect a
      # tag:personal device inherits tailnet-wide reach.
      {
        action = "accept";
        src = ["tag:personal"];
        dst = ["*:*"];
      }
      # tag:server devices may reach other tag:server devices only (any port);
      # no rule here lets a server initiate towards tag:personal.
      {
        action = "accept";
        src = ["tag:server"];
        dst = ["tag:server:*"];
      }
    ];

    # Tailscale SSH rules.
    ssh = [
      # tag:personal devices may open SSH sessions to tag:server and
      # tag:personal nodes, as any non-root user or as root.
      # NOTE(review): "root" is listed explicitly next to autogroup:nonroot,
      # so this rule grants a root login on every tagged node; confirm that is
      # intended. The "accept" action admits sessions without the periodic
      # re-authentication that the "check" action requires.
      {
        action = "accept";
        src = ["tag:personal"];
        dst = ["tag:server" "tag:personal"];
        users = ["autogroup:nonroot" "root"];
      }
    ];
  };
in {
  resource.tailscale_acl.default.acl = toString (builtins.toJSON policy);
}