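# NixOS module: a headscale coordination server fronted by Caddy, which
# terminates TLS with ACME certificates.
#
# `cfg.serverUrl` is used twice -- as headscale's `server_url` and as the
# Caddy site address -- so it should be the public URL including the scheme
# (constructed example: "https://headscale.example.com").
{
  pkgs,
  config,
  lib,
  ...
}:
with lib;
let
  cfg = config.eboskma.headscale;
  # Port headscale binds to (NixOS module default is 8080, on loopback); read
  # from the module so the Caddy upstream below cannot drift from it.
  headscalePort = config.services.headscale.port;
in
{
  options.eboskma.headscale = {
    enable = mkEnableOption "headscale";
    serverUrl = mkOption {
      description = "Server URL";
      type = types.str;
    };
    baseDomain = mkOption {
      description = "Tailscale MagicDNS base domain";
      # `null` is not a valid `types.str`, so a plain `types.str` with
      # `default = null` fails type checking as soon as the value is read.
      # `nullOr` makes "no base domain configured" a representable state.
      type = types.nullOr types.str;
      default = null;
    };
  };

  config = mkIf cfg.enable {
    services.headscale = {
      enable = true;
      settings = {
        # The policy file is not created by this module; it has to be
        # provisioned at this path separately.
        acl_policy_path = "/var/lib/headscale/acls.hujson";
        dns_config = {
          override_local_dns = true;
          nameservers = [
            "10.0.0.254" # Home
            "192.168.4.1" # Horus
            "1.1.1.1"
          ];
          extra_records = [
            {
              name = "frigate.datarift.nl";
              type = "A";
              value = "10.0.0.251";
            }
            {
              name = "pve.datarift.nl";
              type = "A";
              value = "10.0.0.252";
            }
          ];
        }
        # Only emit base_domain when one is configured, so the module's own
        # default applies otherwise instead of a null ending up in the config.
        // optionalAttrs (cfg.baseDomain != null) {
          base_domain = cfg.baseDomain;
        };

        server_url = cfg.serverUrl;

        ip_prefixes = [
          "fd7a:115c:a1e0::/48"
          "100.64.0.0/10"
        ];
      };
    };

    services.caddy = {
      enable = true;

      # ACME contact address for the certificates Caddy obtains.
      email = "erwin@datarift.nl";

      virtualHosts = {
        "${cfg.serverUrl}" = {
          # headscale itself is only reachable over loopback; Caddy is the
          # sole public entry point.
          extraConfig = ''
            reverse_proxy localhost:${toString headscalePort}
          '';
        };
      };
    };

    security.acme.acceptTerms = true;

    # Only the HTTP/HTTPS front door is opened; headscale's own port stays
    # closed to the outside.
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];

    # Puts the headscale CLI on the PATH for administration.
    environment.systemPackages = [ pkgs.headscale ];

    # Turns on headscale's experimental Tailscale SSH support; at the version
    # this was written for it is toggled by an environment variable rather
    # than a settings key.
    systemd.services.headscale.environment.HEADSCALE_EXPERIMENTAL_FEATURE_SSH = "1";

    # Presumably so the main user's CLI can reach headscale's unix socket
    # without root -- NOTE(review): verify against the socket's group.
    users.users.${config.eboskma.var.mainUser}.extraGroups = [ "headscale" ];
  };
}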