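# NixOS module: headscale coordination server behind an nginx reverse proxy
# that terminates TLS for `domain`. Only nginx is meant to be reachable from
# the network; the headscale HTTP listener is bound to loopback so the
# plaintext port is not exposed alongside the HTTPS front door.
{ config, ... }:
let
  domain = "headscale.hoyer.xyz";
in
{
  services.headscale = {
    enable = true;
    # Loopback only: nginx below proxies to this port. Binding "0.0.0.0" would
    # also expose the unencrypted HTTP listener on every interface, letting
    # clients bypass the TLS/HSTS configuration of the virtual host.
    address = "127.0.0.1";
    port = 8080;
    settings = {
      # External URL handed to clients; must match the nginx virtual host.
      server_url = "https://${domain}";
      dns = {
        base_domain = "hoyer.tail";
      };
      oidc = {
        # Only identities from this domain may register nodes.
        allowed_domains = [ "hoyer.xyz" ];
        # The client id is public; the secret is read from a file at runtime
        # so it never lands in the world-readable Nix store.
        client_id = "UgQYtXftYvB9ua4cuyZ9NBvaknQfN76pPnf50pDhqghdb87g9tFcuSMiTLVje3R7";
        client_secret_path = "/var/lib/headscale/client_secret";
        issuer = "https://nc.hoyer.xyz";
      };
    };
  };

  services.nginx.virtualHosts.${domain} = {
    useACMEHost = "hoyer.xyz";
    forceSSL = true;
    locations."/" = {
      # Literal 127.0.0.1 so the upstream matches the loopback bind above
      # (resolving "localhost" may yield ::1, which headscale does not listen on).
      proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
      proxyWebsockets = true;
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// https://;
        # Long-polling /ts2021 and DERP connections must not be buffered.
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
      '';
    };
  };

  # Puts the headscale CLI on PATH for administration on the host.
  environment.systemPackages = [ config.services.headscale.package ];
}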