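# NixOS module: self-hosted headscale (Tailscale-compatible control server)
# published at https://headscale.noms.ing through an nginx reverse proxy with
# an ACME certificate. The host also runs the tailscale client.
{ config, lib, pkgs, ... }: {
  services.headscale = {
    enable = true;
    settings = {
      # Public URL that clients are pointed at; TLS is terminated by the nginx
      # virtual host defined below.
      server_url = "https://headscale.noms.ing";

      # Loopback only: the plain-HTTP listener is not reachable from other
      # hosts, so all external traffic has to pass through nginx.
      listen_addr = "127.0.0.1:8323";

      # OIDC login is currently disabled. When re-enabling it, keep
      # client_secret_path pointing at a runtime secret file (as here) rather
      # than inlining the secret, which would put it in the world-readable
      # Nix store.
      # oidc = {
      #   only_start_if_oidc_is_available = true;
      #   issuer = "https://idm.cuties.network/oauth2/openid/headscale";
      #   client_id = "headscale";
      #   client_secret_path = "/run/secrets/headscale_oidc_secret";
      #   strip_email_domain = true;
      # };

      # NOTE(review): newer headscale releases read DNS settings from `dns`
      # instead of `dns_config`; confirm these keys match the packaged version.
      dns_config.magic_dns = true;
      dns_config.domains = [ "nodes.headscale.noms.ing" ];
      # dns_config.base_domain = "ts.cuties.network";
    };
  };

  # Adds the headscale service user to the `keys` group, presumably so it can
  # read the sops-managed OIDC secret under /run/secrets.
  # NOTE(review): the sops secret below is commented out, so this membership
  # currently grants access the service does not use; drop it or re-enable the
  # secret so the account keeps only the privileges it needs.
  users.users.headscale.extraGroups = [ config.users.groups.keys.name ];

  # sops.secrets.headscale_oidc_secret = {
  #   owner = config.users.users.headscale.name;
  #   sopsFile = ./headscale.sops.yaml;
  # };

  services.nginx.virtualHosts."headscale.noms.ing" = {
    # Redirect plain HTTP to HTTPS and obtain the certificate via ACME.
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Proxy to exactly the address headscale listens on. The previous
      # "http://localhost:8323" could also resolve to ::1, where headscale is
      # not listening, and it duplicated the port in a second place.
      proxyPass = "http://${config.services.headscale.settings.listen_addr}";
      # Forward Upgrade/Connection headers; assumed to be needed by the
      # Tailscale control protocol — TODO confirm.
      proxyWebsockets = true;
    };
  };

  # Run the tailscale client daemon on this host as well.
  services.tailscale.enable = true;
}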