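# NixOS module that runs a Headscale coordination server.
#
# It installs the headscale and wireguard-tools packages, writes
# /etc/headscale/config.yaml and /etc/headscale/derp-example.yaml, defines a
# systemd unit that runs `headscale serve`, and opens the listen port in the
# host firewall.
{ pkgs, lib, ... }:
let
  # Kept as a string because it is interpolated into the YAML below; it is
  # converted to an integer once, for the firewall rule.
  headscalePort = "6969";
  headscaleDomain = "vpn.mc-fucker.cool";
in
{
  environment = {
    systemPackages = with pkgs; [ headscale wireguard-tools ];

    etc = {
      # NOTE(review): server_url is plain http:// and listen_addr binds every
      # interface, so the control endpoint is served without TLS on whatever
      # networks the host is attached to. Left unchanged because enabling TLS
      # needs certificates (headscale's own TLS settings or a reverse proxy in
      # front) — confirm which is intended before exposing this publicly.
      #
      # private_key_path is a plain string, so the key file is read from
      # /etc/nixos/keys at runtime and is not copied into the Nix store by this
      # module. Its ownership and mode are not managed here — verify them.
      #
      # NOTE(review): db_path is relative and the unit below sets no
      # WorkingDirectory, so the SQLite file lands in the service's working
      # directory. Not moved here, since relocating it would orphan an
      # existing database.
      "headscale/config.yaml".text = ''
        ---
        disable_check_updates: true
        server_url: http://${headscaleDomain}:${headscalePort}
        listen_addr: 0.0.0.0:${headscalePort}
        ephemeral_node_inactivity_timeout: "30m"
        private_key_path: /etc/nixos/keys/headscale-key
        db_type: sqlite3
        db_path: db.sqlite
        ip_prefixes:
          - 100.64.0.0/16
        derp:
          urls:
            - https://controlplane.tailscale.com/derpmap/default
          paths:
            - /etc/headscale/derp-example.yaml
          auto_update_enabled: true
          update_frequency: 24h
        dns_config:
          magic_dns: true
          base_domain: ${headscaleDomain}
          nameservers:
            - 9.9.9.9
      '';

      # NOTE(review): this is example data (placeholder hostname and
      # addresses), yet config.yaml above loads it through derp.paths, so it
      # is merged into the relay map handed to clients. The node's regionid (1)
      # also differs from its enclosing region (900). Replace it with a relay
      # you operate, or drop the derp.paths entry.
      "headscale/derp-example.yaml".text = ''
        regions:
          900:
            regionid: 900
            regioncode: custom
            regionname: My Region
            nodes:
              - name: 1a
                regionid: 1
                hostname: myderp.mydomain.no
                ipv4: 123.123.123.123
                ipv6: "2604:a880:400:d1::828:b001"
                stunport: 0
                stunonly: false
                derptestport: 0
      '';
    };
  };

  systemd.services.headscale = {
    description = "Headscale VPN Server";
    wantedBy = [ "multi-user.target" ];
    # `after` only orders the unit; `wants` is what actually pulls
    # network-online.target into the boot transaction.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.headscale}/bin/headscale serve";
      # NixOS does not provide /bin/kill by default, so the reload command
      # points at the store path of coreutils' kill instead.
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      Restart = "on-failure";
      Type = "simple";
      # NOTE(review): no User= is set, so the daemon runs as root. A dedicated
      # user with StateDirectory= and systemd sandboxing options would shrink
      # the impact of a compromise, but needs the key and database paths
      # re-owned first, so it is not applied here.
    };
  };

  # Opens the control port on every interface the firewall covers.
  networking.firewall.allowedTCPPorts = [ (lib.strings.toInt headscalePort) ];
}
# vim: set et ts=2 sw=2 ai: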