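# NixOS module: runs headscale (the open-source Tailscale control server)
# behind nginx with an ACME certificate, and joins this host to the tailnet
# as an ordinary tailscale node.
{ config, ... }:

let
  # Fleet-wide port registry; headscale's listen port is looked up from it so
  # it stays consistent with whatever else references `ports.headscale`.
  ports = import ../Cloud/Ports.nix;
  # Public hostname clients are pointed at; nginx terminates TLS for it.
  domain = "headscale.simatime.com";
in {
  services.headscale = {
    enable = true;
    # Bind the plaintext HTTP listener to loopback only. nginx (below) is the
    # only intended client, and because tailscale0 is a trusted interface in
    # the firewall section, a 0.0.0.0 bind would expose the unencrypted
    # listener to every node on the tailnet.
    address = "127.0.0.1";
    port = ports.headscale;
    # MagicDNS base domain handed out to nodes.
    # NOTE(review): `server_url` is not set in this file. Recent headscale
    # releases refuse to start when server_url contains base_domain, and
    # "https://${domain}" does contain "simatime.com" — confirm where
    # server_url is set and that the deployed headscale accepts that pairing.
    settings = { dns.base_domain = "simatime.com"; };
  };

  services.nginx.virtualHosts.${domain} = {
    # Redirect plain HTTP to HTTPS and provision the certificate via ACME.
    # The option is spelled `enableACME`; the previous `enableAcme` is not a
    # NixOS option, so evaluation failed (and forceSSL then had no cert
    # source). Assumes security.acme.acceptTerms / defaults.email are
    # configured elsewhere — confirm.
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Use the literal loopback address headscale binds to above rather
      # than "localhost", which may also resolve to ::1 where nothing listens.
      proxyPass = "http://127.0.0.1:${toString ports.headscale}";
      # headscale's control channel relies on HTTP connection upgrades; this
      # makes nginx forward the Upgrade/Connection headers.
      proxyWebsockets = true;
    };
  };

  # Put the `headscale` CLI on PATH for administering the server locally.
  environment.systemPackages = [ config.services.headscale.package ];

  # This host is also a tailnet member (registered against some control
  # server — presumably this one; not determined by this file).
  services.tailscale.enable = true;

  networking.firewall = {
    # Relaxed from strict so packets arriving via tailscale0 are not dropped
    # by reverse-path filtering (needed for subnet-router / exit-node style
    # traffic, per tailscale's guidance).
    checkReversePath = "loose";
    # Every tailnet peer bypasses the host firewall entirely: any service
    # bound to a non-loopback address is reachable from the whole tailnet.
    # Keep local-only services (like headscale above) on 127.0.0.1.
    trustedInterfaces = [ "tailscale0" ];
    # WireGuard UDP port, so peers can reach this node directly instead of
    # relaying through DERP.
    allowedUDPPorts = [ config.services.tailscale.port ];
  };

}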