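{ config, lib, ... }:
let
  inherit (lib) mkIf concatMapStringsSep;
  cfg = config.services.headscale;
in
# Headscale control server, published on https://hs.ccnlc.eu through the host's nginx.
mkIf cfg.enable {
  # Put the `headscale` CLI on PATH so the server can be administered locally.
  environment.systemPackages = [ cfg.package ];

  services = {
    headscale = {
      # Loopback only: nothing reaches headscale directly, nginx below terminates
      # TLS on the public name and proxies to this port.
      address = "127.0.0.1";
      port = 8521;

      settings = {
        server_url = "https://hs.ccnlc.eu";
        # TLS is handled by nginx, so headscale serves plain HTTP on loopback.
        tls_cert_path = null;
        tls_key_path = null;
        ip_prefixes = [ "100.64.0.0/10" "fd7a:115c:a1e0::/48" ];
        ephemeral_node_inactivity_timeout = "30m";
        node_update_check_interval = "10s";
        # Prometheus endpoint. Bound to loopback; the only external path to it is the
        # nginx "/metrics" location below, which is why that location is access-controlled.
        metrics_listen_addr = "127.0.0.1:8086";
        # logging
        log = {
          format = "text";
          level = "info";
        };
        logtail.enabled = false;
      };
    };

    nginx.virtualHosts."hs.ccnlc.eu" = {
      forceSSL = true;
      enableACME = true;
      # NOTE(review): http3 = true only emits the http3 directive; the QUIC listener is
      # opened by quic = true (and needs an nginx build with QUIC). As written, clients
      # still connect over TCP - confirm whether HTTP/3 is actually intended here.
      #quic = true;
      http3 = true;

      locations = {
        "/" = {
          proxyPass = "http://localhost:${toString cfg.port}";
          # Headscale's node control channel upgrades the HTTP connection; without
          # websocket proxying the upgrade is dropped and nodes cannot register/poll.
          proxyWebsockets = true;
        };

        "/metrics" = {
          proxyPass = "http://${cfg.settings.metrics_listen_addr}/metrics";
          # The metrics endpoint carries no authentication of its own, so proxying it
          # on the public vhost would make it world-readable. Restrict it to loopback
          # and to the tailnet prefixes headscale hands out (the usual home of a
          # scraper on the mesh); add the scraper's address if it lives elsewhere.
          # Matching is on $remote_addr, so this assumes nginx sees client IPs
          # directly rather than through a forwarding load balancer.
          extraConfig = ''
            allow 127.0.0.1;
            allow ::1;
            ${concatMapStringsSep "\n" (p: "allow ${p};") cfg.settings.ip_prefixes}
            deny all;
          '';
        };
      };

      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      '';
    };
  };
}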