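# Headscale DNS settings for the tailnet: pushes a single resolver to every
# node and publishes static A records for the ccnlc.eu service names.
{
  config = {
    services.headscale.settings.dns_config = {
      # Replace each node's local resolver with the nameservers listed below,
      # so every DNS lookup made by a tailnet client goes through them.
      override_local_dns = true;
      magic_dns = true;

      # FIX: shan being down takes down the entire tailnet
      # 1 -> move dns to dedicated device
      # 2 -> find out if fallback nameservers are supported by headscale
      #
      # NOTE(review): with override_local_dns enabled and only one resolver
      # listed, name resolution on every node depends on this one tailnet
      # address being reachable. If a fallback resolver is added later, check
      # what it answers for the names below and whether it bypasses any
      # filtering the primary resolver applies.
      nameservers = [
        "100.64.0.4"
      ];

      # Static A records served to tailnet clients. All values are addresses
      # in 100.64.0.0/10, so these names only resolve usefully from inside
      # the tailnet.
      extra_records =
        let
          # Build one A record per subdomain of ccnlc.eu, all pointing at
          # 100.64.0.4.
          mkRecords = map (sub: {
            name = "${sub}.ccnlc.eu";
            type = "A";
            value = "100.64.0.4";
          });
        in
        [
          {
            name = "ccnlc.eu";
            type = "A";
            value = "100.64.0.4";
          }
          # The only name that points at a different node.
          {
            name = "git.ccnlc.eu";
            type = "A";
            value = "100.64.0.3";
          }
        ]
        # Tailscale doesn't seem to support wildcard A/AAAA records, so every
        # subdomain has to be listed explicitly.
        # - https://github.com/juanfont/headscale/issues/2159#issuecomment-2393406444
        #
        # Each subdomain must appear exactly once: a repeated entry emits a
        # duplicate A record ("nextcloud" was previously listed twice).
        ++ mkRecords [
          "immich"
          "adguard"
          "nextcloud"
          "kitchenowl"
          "navidrome"
          "subsonic"
          "paperless"
          "truenas"
          "fritz"
        ];
    };
  };
}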