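# NixOS module: runs a headscale control server bound to loopback and publishes
# it through an nginx virtual host with ACME-issued TLS.
{ config, pkgs, inputs, ... }:
let
  hs = config.services.headscale;
in
{
  # Make the headscale CLI available on the host.
  environment.systemPackages = [ hs.package ];

  services = {
    headscale = {
      enable = true;
      # Loopback only: nginx below is the public entry point.
      address = "127.0.0.1";
      port = 8521;

      # Headscale's own configuration keys live under `settings`; the nginx
      # block below already reads `settings.metrics_listen_addr` from there.
      settings = {
        # NOTE(review): this host differs from the nginx virtual host below
        # (hs.ccnlc.eu). Clients use server_url to reach the control server,
        # so both should name the deployment you operate. Confirm which one
        # is intended.
        server_url = "https://hs.notashelf.dev";

        # TLS is terminated by nginx, so headscale itself serves plain HTTP.
        tls_cert_path = null;
        tls_key_path = null;

        ephemeral_node_inactivity_timeout = "30m";
        node_update_check_interval = "10s";

        # Metrics listener, also loopback only.
        metrics_listen_addr = "127.0.0.1:8086";

        # logging
        log = {
          format = "text";
          level = "info";
        };

        logtail.enabled = false;
      };
    };

    # The virtual host must sit under `services`, next to headscale, for the
    # nginx module to pick it up.
    nginx.virtualHosts."hs.ccnlc.eu" = {
      forceSSL = true;
      enableACME = true;
      quic = true;
      http3 = true;

      locations = {
        "/" = {
          # Target the exact listen address rather than `localhost`, which may
          # also resolve to ::1 where headscale is not listening.
          proxyPass = "http://${hs.address}:${toString hs.port}";
          proxyWebsockets = true;
        };

        # NOTE(review): this publishes the loopback-only metrics endpoint to
        # anyone who can reach the virtual host. Restrict it (nginx
        # `allow`/`deny`, or the location's `basicAuthFile`), or drop the
        # location if scraping happens on this machine.
        "/metrics" = {
          proxyPass = "http://${hs.settings.metrics_listen_addr}/metrics";
        };

        # Static files for the optional web frontend (headscale-ui).
        "/web" = {
          root = "${inputs.nyxexprs.packages.headscale-ui}/share";
        };
      };

      # HSTS: browsers refuse plain HTTP for this host and its subdomains for
      # one year.
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      '';
    };
  };
}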