{
  lib,
  config,
  pkgs,
  ...
}:
with lib;
{
  options.features.network = {
    enable = mkEnableOption "enable network tooling and VPN services";
    netbird = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = "Enable NetBird service.";
      };
      uiEnable = mkOption {
        type = types.bool;
        default = true;
        description = "Enable NetBird UI component.";
      };
    };
    tailscale = {
      waitForNetbird = mkOption {
        type = types.bool;
        default = true;
        description = "Add netbird ordering to tailscaled unit.";
      };
    };
    tooling = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = "Install network troubleshooting CLI tools.";
      };
      packages = mkOption {
        type = types.listOf types.package;
        default = with pkgs; [
          dnsutils
          nmap
          ipcalc
        ];
        description = "Packages installed when network tooling is enabled.";
      };
    };
  };

  config = mkIf config.features.network.enable {
    services.netbird = mkIf config.features.network.netbird.enable {
      enable = true;
      ui.enable = config.features.network.netbird.uiEnable;
    };

    systemd.services.tailscaled =
      mkIf (config.features.network.tailscale.waitForNetbird && config.features.network.netbird.enable)
        {
          after = [
            "netbird.service"
            "network-online.target"
          ];
          wants = [
            "netbird.service"
            "network-online.target"
          ];
        };

    environment.systemPackages = mkIf config.features.network.tooling.enable config.features.network.tooling.packages;
  };
}