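# NixOS module: runs a Headscale control server and publishes it through a
# Caddy virtual host for tailscale.<domain>.
{config, ...}: let
  domain = "myrmexia.xyz";
  subDomain = "tailscale.${domain}";
  # Address stems; the host part or prefix length is appended where used.
  ipv4 = "100.64.0.";
  ipv6 = "fd7a:115c:a1e0::";
in {
  services = {
    headscale = {
      enable = true;
      # Bind to loopback only. The one consumer in this module is Caddy, which
      # proxies to localhost:<port>; listening on every interface would leave
      # the plain-HTTP control endpoint reachable if the firewall were ever
      # relaxed or an interface marked trusted.
      address = "127.0.0.1";
      port = 8080;
      settings = {
        logtail.enabled = false;
        # NOTE(review): every other key in this attrset is snake_case
        # (base_domain, extra_records, ip_prefixes). Confirm headscale actually
        # reads `serverUrl`; if the key is ignored, clients are handed the
        # default server URL instead of the public HTTPS one.
        serverUrl = "https://${subDomain}";
        dns = {
          # NOTE(review): the server URL's host is a subdomain of base_domain;
          # check that the deployed headscale version accepts this combination.
          base_domain = "${domain}";
          # Static A/AAAA records for git.<domain>, pointing at host .3 / ::3
          # inside the prefixes declared below.
          extra_records = [
            {
              name = "git.${domain}";
              type = "A";
              value = "${ipv4}3";
            }
            {
              name = "git.${domain}";
              type = "AAAA";
              value = "${ipv6}3";
            }
          ];
        };
        # Expands to 100.64.0.0/10 and fd7a:115c:a1e0::/48.
        ip_prefixes = [
          "${ipv4}0/10"
          "${ipv6}/48"
        ];
      };
    };

    caddy = {
      enable = true;
      # Upstream port is read from the headscale option so the two stay in sync.
      virtualHosts.${subDomain}.extraConfig = ''
        reverse_proxy localhost:${toString config.services.headscale.port}
      '';
    };
  };

  # Only the Caddy listeners are opened; the headscale port is deliberately
  # absent from this list.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # Puts the headscale package on the system path.
  environment.systemPackages = [config.services.headscale.package];
}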