{ pkgs, options, lib, ... }:
let
  # One headscale ACL rule: traffic from `from` (list of aliases) to `to`
  # (list of "alias:port" entries) is accepted.
  accept = from: to: { action = "accept"; src = from; dst = to; };

  # Same shape for the `ssh` section, which additionally carries the
  # SSH user names the rule permits.
  acceptSsh = from: to: sshUsers: { action = "accept"; src = from; dst = to; users = sshUsers; };

  # Port the rsync backup daemon listens on, taken from the option's
  # declared default (the default, not the configured value).
  backupPort = toString options.modules.server.rsync-daemon.port.default;

  # The single user allowed to own the tags below and to SSH via the
  # `ssh` rule.
  owners = [ "ny" ];

  policy = {
    acls = [
      # client -> {client, server}, any port ("*").
      (accept [ "tag:client" ] [ "tag:client:*" "tag:server:*" ])
      # client, server -> backup, rsync daemon port only.
      (accept [ "tag:client" "tag:server" ] [ "tag:backup:${backupPort}" ])
      # guest -> the two web front-ends on 443 only.
      # NOTE(review): headscale resolves `dst` hosts through its own alias
      # rules (tags, users, `hosts` entries, IPs/CIDRs); no `hosts` section is
      # defined here, so confirm these FQDNs are accepted as written.
      (accept [ "tag:guest" ] [ "paperless.ccnlc.eu:443" "immich.ccnlc.eu:443" ])
    ];

    # client -> {client, server} over Tailscale SSH, as user "ny" only.
    ssh = [ (acceptSsh [ "tag:client" ] [ "tag:server" "tag:client" ] owners) ];

    # NOTE(review): `tags` is not one of the policy sections I know headscale
    # reads (acls, groups, hosts, tagOwners, ssh, autoApprovers); confirm it is
    # honoured or deliberately informational.
    tags = [ "tag:client" "tag:server" "tag:backup" "tag:guest" ];

    # tag:{server,client,backup} may be claimed by "ny" only.
    # NOTE(review): tag:guest is used in `acls` but has no owner here —
    # confirm headscale accepts an ownerless tag and that this is intended.
    tagOwners = lib.genAttrs (map (n: "tag:${n}") [ "server" "client" "backup" ]) (_: owners);

    # "*" lets any node advertise itself as an exit node without an
    # operator approving it; presumably this covers tag:guest nodes too —
    # confirm that is the intended trust level.
    autoApprovers.exitNode = [ "*" ];
  };
in
{
  # Written as plain JSON; headscale reads it as HuJSON, of which JSON is a subset.
  services.headscale.settings.policy.path = pkgs.writeTextFile {
    name = "headscale-acl.hujson";
    text = builtins.toJSON policy;
  };
}