# NixOS module that layers local defaults on top of the upstream headplane
# module taken from the `inputs.headplane` flake input.
#
# It does four things:
#   * declares `services.headplane.port` (default 3000),
#   * applies the upstream overlay plus a local pnpmDeps hash override,
#   * sets defaults for the server / headscale / agent settings,
#   * declares the two sops secrets whose paths the settings point at.
#
# Everything under `config` only takes effect when `services.headplane.enable`
# is set.
{ inputs, config, lib, pkgs, ... }:
let
  inherit (lib) mkDefault mkIf mkOption types;

  headplaneCfg = config.services.headplane;
  headscaleCfg = config.services.headscale;

  # Shared ownership and permissions for both secrets: readable by the owner
  # only. The group is set, but mode 0400 grants it no access.
  # NOTE(review): this assumes the headplane service runs as the headscale
  # user; if it runs as a different user it cannot read these files. Confirm
  # against the upstream module.
  secretPerms = {
    owner = headscaleCfg.user;
    group = headscaleCfg.group;
    mode = "0400";
  };

  # Fix upstream pnpm-deps hash mismatch (https://github.com/tale/headplane)
  #
  # `outputHash` is the integrity pin for the fetched pnpm dependency set.
  # Overriding it here replaces upstream's expected value with a locally chosen
  # one, so the value should come from a fetch that was checked against the
  # pinned headplane revision, not copied blindly from a build error.
  # Drop this overlay once upstream's own hash matches again; until then,
  # re-verify the value whenever the headplane input is updated.
  pnpmDepsHashFix = _final: prev: {
    headplane = prev.headplane.overrideAttrs (prevAttrs: {
      pnpmDeps = prevAttrs.pnpmDeps.overrideAttrs {
        outputHash = "sha256-lk/ezsrW6JHh5nXPSstqHUbaMTeOARBGZcBSoG1S5ns=";
      };
    });
  };
in
{
  imports = [ inputs.headplane.nixosModules.headplane ];

  options.services.headplane.port = mkOption {
    type = types.port;
    default = 3000;
    description = "Port for headplane to listen on";
  };

  config = mkIf headplaneCfg.enable {
    # Order matters: the upstream overlay provides `headplane`, and the hash
    # fix then overrides that package.
    nixpkgs.overlays = [
      inputs.headplane.overlays.default
      pnpmDepsHashFix
    ];

    services.headplane.settings = {
      server = {
        # Loopback-only by default. Because this is mkDefault, another module
        # can widen the bind address; any TLS termination or reverse proxy in
        # front of the UI is configured elsewhere, not in this module.
        host = mkDefault "127.0.0.1";
        port = mkDefault headplaneCfg.port;
        # Only the file path is written into the settings; the secret value is
        # supplied by sops at that path.
        cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path;
      };

      headscale = {
        # Plain HTTP to the local headscale instance over loopback.
        # NOTE(review): if this default is overridden to a non-local address,
        # the scheme should be reconsidered.
        url = mkDefault "http://127.0.0.1:${toString headscaleCfg.port}";
        public_url = mkDefault headscaleCfg.settings.server_url;
        config_path = mkDefault "/etc/headscale/config.yaml";
      };

      integration.agent = {
        enabled = mkDefault true;
        # The pre-auth key is a credential; as with the cookie secret, only its
        # path is referenced here.
        pre_authkey_path = config.sops.secrets."headplane/agent_pre_authkey".path;
      };
    };

    sops.secrets = {
      "headplane/cookie_secret" = secretPerms;
      "headplane/agent_pre_authkey" = secretPerms;
    };
  };
}