{config, ...}: {
  services = {
    nfs.server = {
      enable = true;
      exports = "/srv/nfs *.tailscale(ro,fsid=root)";
      # NFSv3 uses random ports, so you need to make them static to be able to pass though the firewall
      statdPort = 4000;
      lockdPort = 4001;
      mountdPort = 4002;
    };
  };

  networking.firewall = {
    allowedTCPPorts = [111 2049 4000 40001 4002];
    allowedUDPPorts = [111 2049 4000 40001 4002];
  };
}