{ pkgs, ... }:

{
  # Host identity, link-layer networking and the nftables marking rules that
  # decide which traffic may leave outside the Mullvad tunnel.
  networking = {
    hostName = "surface";

    networkmanager = {
      enable = true;
      # Randomised Wi-Fi MAC: the adapter is not trackable across networks.
      wifi.macAddress = "random";
    };

    # Marks applied so that selected Tailscale-related flows are routed
    # around the Mullvad tunnel (0x6d6f6c65 / 0x00000f41 are, presumably, the
    # fwmark and conntrack mark the Mullvad client uses for excluded traffic —
    # confirm against the installed client version).
    # NOTE(review): only port-53 traffic to $TAILNET_DNS is marked.
    # $TAILNET_IPV4 and $TAILNET_IPV6 are defined but referenced by no rule, so
    # tailnet-bound data traffic is NOT excluded by this ruleset as written.
    # 9.9.9.9 is a public resolver, not a tailnet address: plain-text DNS sent
    # to it bypasses the tunnel, which is a DNS leak for any client that does
    # not go through dnscrypt-proxy (intended, at most, for its bootstrap).
    nftables = {
      enable = true;
      ruleset = ''
        define TAILNET_DNS = { 100.100.100.100, 9.9.9.9 }
        define TAILNET_IPV4 = { 100.64.0.0/10 }
        define TAILNET_IPV6 = { fd7a:115c:a1e0::/48 }

        table inet excludeTraffic {
          chain excludeDns {
            type filter hook output priority -10; policy accept;
            ip daddr $TAILNET_DNS udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
            ip daddr $TAILNET_DNS tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        }
      '';
    };
  };

  hardware.bluetooth.enable = true;

  services = {
    # Local encrypted resolver; DNSSEC is required and IPv6 upstreams allowed.
    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        ipv6_servers = true;
        require_dnssec = true;
      };
    };

    mullvad-vpn = {
      enable = true;
      package = pkgs.mullvad-vpn;
    };

    tailscale.enable = true;
  };

  systemd.services = {
    # wait-online is unreliable on this machine; boot must not block on it.
    NetworkManager-wait-online.enable = false;

    # Persistent state directory for dnscrypt-proxy under /var/lib.
    dnscrypt-proxy2.serviceConfig = {
      StateDirectory = "dnscrypt-proxy";
    };
  };
}