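# NixOS module: runs a Headscale control server and publishes it through a
# Caddy virtual host on "tailscale.<domain>".
{config, ...}: let
  domain = "myrmexia.xyz";
  subDomain = "tailscale.${domain}";
  # Address stems shared by the tailnet prefixes and the static DNS records below.
  ipv4 = "100.64.0.";
  ipv6 = "fd7a:115c:a1e0::";
in {
  services = {
    headscale = {
      enable = true;
      # Bind to loopback only. Caddy on this host is the sole intended client of
      # this plain-HTTP listener; with a wildcard bind ("0.0.0.0") the firewall
      # rule set would be the only thing keeping the unencrypted control-plane
      # port off the network.
      address = "127.0.0.1";
      port = 8080;
      settings = {
        logtail.enabled = false;
        server_url = "https://${subDomain}";
        dns = {
          # NOTE(review): base_domain is the same name as the server_url host.
          # Recent Headscale releases are believed to refuse a base_domain that
          # equals or contains the server_url host, because node names would
          # shadow the control server. Confirm against the packaged version and
          # pick a separate zone for node names if so.
          base_domain = "${subDomain}";
          # Static records answered by the tailnet's DNS. They point at the
          # fixed ".3" / "::3" tailnet addresses.
          # NOTE(review): presumably the node serving git holds those
          # addresses; verify that the assignment is stable.
          extra_records = [
            {
              name = "git.${domain}";
              type = "A";
              value = "${ipv4}3";
            }
            {
              name = "git.${domain}";
              type = "AAAA";
              value = "${ipv6}3";
            }
          ];
        };
        prefixes = {
          v4 = "${ipv4}0/10";
          v6 = "${ipv6}/48";
        };
      };
    };

    caddy = {
      enable = true;
      # The upstream is derived from the headscale options so that the proxy
      # target and the listener cannot drift apart.
      virtualHosts.${subDomain}.extraConfig = ''
        reverse_proxy ${config.services.headscale.address}:${toString config.services.headscale.port}
      '';
    };
  };

  # Only the Caddy ports are opened; the headscale port (8080) is not listed.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Adds the configured headscale package to the system profile.
  environment.systemPackages = [ config.services.headscale.package ];
}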