# NixOS module: runs a headscale coordination server, installs the headscale
# and WireGuard CLI tools, and opens the headscale TCP port in the firewall.
{ pkgs, lib, ... }:

let
  # Single source of truth for the listener port: used for services.headscale.port,
  # for server_url, and for the firewall rule at the bottom of the module.
  headscalePort = 6969;
  headscaleDomain = "vpn.mc-fucker.cool";
in
{
  environment.systemPackages = [
    pkgs.headscale
    pkgs.wireguard-tools
  ];

  # Custom DERP region definition, written to /etc/headscale/derp-example.yaml
  # and loaded through settings.derp.paths below.
  # NOTE(review): hostname and addresses look like example placeholders
  # (myderp.mydomain.no / 123.123.123.123). Because the file is listed in
  # derp.paths, region 900 presumably ends up in the DERP map handed to
  # clients. Confirm this relay is one you operate, or drop the path.
  environment.etc."headscale/derp-example.yaml".text = ''
    regions:
      900:
        regionid: 900
        regioncode: custom
        regionname: My Region
        nodes:
          - name: 1a
            regionid: 1
            hostname: myderp.mydomain.no
            ipv4: 123.123.123.123
            ipv6: "2604:a880:400:d1::828:b001"
            stunport: 0
            stunonly: false
            derptestport: 0
  '';

  services.headscale = {
    enable = true;

    # Binds on every interface; together with the firewall rule below the
    # listener is reachable from any network this host is attached to.
    address = "0.0.0.0";
    port = headscalePort;

    settings = {
      # NOTE(review): the advertised URL is plain http:// and this module sets
      # no tls_* options. Unless TLS is terminated in front of this port
      # (reverse proxy, or headscale's own tls_cert_path / tls_key_path /
      # tls_letsencrypt_hostname), HTTP API requests and registration pages
      # travel in cleartext. Confirm how TLS is handled for this host.
      server_url = "http://${headscaleDomain}:${toString headscalePort}";

      db_type = "sqlite3";
      db_path = "/var/lib/headscale/db.sqlite";

      # Address pool that node addresses are taken from.
      ip_prefixes = [ "100.64.0.0/16" ];

      derp = {
        # Local region file defined above in environment.etc.
        paths = [ "/etc/headscale/derp-example.yaml" ];
        # Remote DERP map fetched from Tailscale's control plane over HTTPS.
        urls = [ "https://controlplane.tailscale.com/derpmap/default" ];
      };

      dns_config = {
        base_domain = headscaleDomain;
        nameservers = [ "9.9.9.9" ];
        # Disabled static record, kept for reference:
        #extra_records = [
        #  {
        #    name = "mc-fucker.cool";
        #    type = "A";
        #    value = "100.64.0.2";
        #  }
        #];
      };
    };
  };

  # Opens the headscale listener port to inbound TCP traffic.
  networking.firewall.allowedTCPPorts = [ headscalePort ];
}

# vim: set et ts=2 sw=2 ai: