{ config, pkgs, ... }:

let
  # Public name under which the headscale control server is reached.
  domain = "vipienne.giugl.io";
  headscalePkg = pkgs.headscale;
  # Address of the "architect" node on the tailscale network; it is the
  # resolver pushed to every client below.
  tailscaleResolver = config.architect.networks.tailscale.devices.architect.address;
  # Address range of the tailscale network, shared with the rest of the config.
  tailscaleNet = config.architect.networks.tailscale.net;
in
{
  # Make the headscale CLI available on the host.
  environment.systemPackages = [ headscalePkg ];

  architect = {
    # Open the tailscale client's UDP port on the host firewall.
    firewall.openUDP = [ config.services.tailscale.port ];

    # Reverse-proxy vhost in front of headscale.
    vhost.${domain} = {
      dnsInterfaces = [ "lan" "tailscale" ];
      locations."/" = {
        port = config.services.headscale.port;
        # allowWAN presumably publishes this vhost beyond the LAN, which
        # remote nodes need in order to reach the control server; it is the
        # one path on this host deliberately exposed that way.
        allowWAN = true;
        # Long-lived client connections are upgraded through the proxy.
        proxyWebsockets = true;
      };
    };
  };

  services.headscale = {
    enable = true;
    package = headscalePkg;
    # Local listen port; the vhost above proxies to it.
    port = 1194;

    settings = {
      # Clients are told to reach the server through the proxied https name.
      server_url = "https://${domain}";
      # log.level = "debug";

      dns = {
        magic_dns = false;
        # base_domain = domain;
        # Replace each client's local resolvers with the one pushed here.
        override_local_dns = true;
        # NOTE(review): the same resolver list is given under both `global`
        # and `nameservers.global`; one of the two keys is presumably a
        # leftover from a headscale config-schema change. Confirm which key
        # the packaged headscale reads and drop the other.
        global = [ tailscaleResolver ];
        nameservers.global = [ tailscaleResolver ];
      };

      # Do not ship server logs to the upstream logtail service.
      logtail.enabled = false;
      # IPv4 range handed out to nodes.
      prefixes.v4 = tailscaleNet;
      # Server identity key stays in the state directory; only its path is
      # configured here, so the key never enters the world-readable Nix store.
      noise.private_key_path = "/var/lib/headscale/noise_private.key";
    };
  };
}