# NixOS module: enables Tailscale, holds the package at a known-good release,
# and adjusts the host firewall for it.
{ pkgs, ... }:
let
  # Pinned to 1.96.5. 1.98.0 regressed split-DNS handling under work-vpn: the
  # netmap's "resolve .ts.net locally via MagicDNS" hint is dropped when
  # translated into systemd-resolved config, so *.ts.net queries get sent to a
  # public resolver (199.247.155.53) that the corporate VPN's port-53 egress
  # filter blocks.
  #
  # Besides breaking resolution, the regression directs tailnet hostnames at a
  # resolver outside the tailnet; on a network without that egress filter the
  # names would presumably leave the host.
  #
  # Holding a release back also holds back its security fixes. Treat this pin
  # as temporary: re-test each newer release and delete the override as soon
  # as split-DNS works again.
  pinnedVersion = "1.96.5";

  # `hash` covers the fetched source tree and `vendorHash` the vendored Go
  # modules; both are fixed-output hashes, so a change in either input fails
  # the build rather than being accepted silently. Both must be refreshed
  # together whenever pinnedVersion changes.
  # NOTE(review): after a rebuild, confirm `tailscale version` reports 1.96.5;
  # whether version/vendorHash overrides propagate through overrideAttrs
  # depends on the nixpkgs revision in use.
  pinnedTailscale = pkgs.tailscale.overrideAttrs (_previous: {
    version = pinnedVersion;
    src = pkgs.fetchFromGitHub {
      owner = "tailscale";
      repo = "tailscale";
      tag = "v${pinnedVersion}";
      hash = "sha256-vYYb+2OtuXftjGGG0zWJesHccrClB8YZpclv9KzNN/c=";
    };
    vendorHash = "sha256-rhuWEEN+CtumVxOw6Dy/IRxWIrZ2x6RJb6ULYwXCQc4=";
  });
in
{
  services.tailscale = {
    enable = true;
    package = pinnedTailscale;
  };

  # "loose" relaxes reverse-path filtering: a packet is accepted when its
  # source is routable via any interface, not only the one it arrived on.
  # This weakens anti-spoofing for the whole host, not just the Tailscale
  # interface.
  networking.firewall.checkReversePath = "loose";

  # 41641/udp is Tailscale's default port for direct peer connections. This
  # option opens it on every interface.
  networking.firewall.allowedUDPPorts = [ 41641 ];
}