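# NixOS module: self-hosted headscale control server behind an nginx TLS
# reverse proxy, with the Headplane UI proxied under /headplane/.
#
# Exposure summary (as configured below):
#   - TCP 80/443: nginx (ACME + HTTPS), open in the firewall
#   - UDP derpPort: STUN listener, open in the firewall
#   - headscale HTTP (8085), metrics (8095), gRPC (50443) and Headplane (8080)
#     are not opened in the firewall and are reached through nginx/loopback.
{ config, ... }:
let
  domain = "kennys.mom"; # domain to use
  derpPort = 3478; # default derp port
in
{
  services = {
    # enable headscale service and configure
    headscale = {
      enable = true;
      # NOTE(review): this binds the plaintext HTTP listener on every interface.
      # nginx below reaches it over 127.0.0.1, so if nothing else connects
      # directly, "127.0.0.1" would keep the unencrypted port off the network
      # even when the firewall is relaxed. Confirm before changing.
      address = "0.0.0.0";
      port = 8085;
      settings = {
        dns = {
          override_local_dns = true;
          base_domain = "hs.${domain}";
          magic_dns = true;
          domains = [ "hs.${domain}" ];
          nameservers = {
            global = [
              "1.1.1.1"
              "9.9.9.9"
            ];
          };
        };
        server_url = "https://headscale.${domain}";
        # Loopback only; see the "/metrics" nginx location for how it is exposed.
        metrics_listen_addr = "127.0.0.1:8095";
        logtail = {
          enabled = false;
        };
        log = {
          level = "warn";
        };
        # NOTE(review): upstream headscale's example config spells this key
        # `enabled` (as `logtail.enabled` above does); verify that `enable` is
        # actually honoured, otherwise the embedded DERP server stays off.
        derp.server = {
          enable = true;
          region_id = 999;
          stun_listen_addr = "0.0.0.0:${toString derpPort}";
        };
        ip_prefixes = [
          "100.64.0.0/10"
          "fd7a:115c:a1e0::/48"
        ];
        grpc_listen_addr = "127.0.0.1:50443"; # Required for Headplane communication
        # Path to an API key file kept outside the Nix store. The file is a
        # credential for the headscale API: it should be owned by the service
        # user and not world-readable.
        # NOTE(review): confirm the deployed headscale/Headplane version reads
        # this setting.
        api_key_path = "/etc/headscale/apikey";
      };
    };

    # reverse proxy with ssl
    nginx = {
      enable = true;
      virtualHosts."headscale.${domain}" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
          "/metrics" = {
            proxyPass = "http://${config.services.headscale.settings.metrics_listen_addr}/metrics";
            # The metrics listener is bound to loopback, but proxying it on the
            # public vhost without an ACL would publish it to the internet.
            # Allow only local scrapers by default; add an `allow` line for the
            # monitoring host if it scrapes remotely.
            extraConfig = ''
              allow 127.0.0.1;
              allow ::1;
              deny all;
            '';
          };
          # Headplane is an administrative UI for the tailnet; it is reachable
          # from the public vhost, so its own authentication is the only gate.
          "/headplane/" = {
            proxyPass = "http://127.0.0.1:8080/";
            # proxyWebsockets supplies proxy_http_version, so it is not set
            # explicitly in extraConfig.
            proxyWebsockets = true;
            # NOTE(review): proxyWebsockets also emits Upgrade/Connection
            # headers; the last two lines below look redundant - confirm
            # before removing.
            extraConfig = ''
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "Upgrade";
            '';
          };
        };
      };
    };
  };

  # configure ssl certificate options
  security.acme = {
    defaults.email = "dj@monumetric.com";
    acceptTerms = true;
  };

  # punch through firewall: STUN over UDP, HTTP (ACME challenge / redirect)
  # and HTTPS over TCP. No other service port is opened here.
  networking.firewall.allowedUDPPorts = [ derpPort ];
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # add headscale package to system
  environment.systemPackages = [ config.services.headscale.package ];
}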