{
  config,
  pkgs,
  outputs,
  constants,
  ...
}:

{
  imports = [
    outputs.nixosModules.headplane
  ];

  services.headplane = {
    enable = true;
    port = constants.services.headplane.port;
    headscale = {
      url = "http://127.0.0.1:${toString constants.services.headscale.port}";
      public_url = "https://${constants.services.headscale.fqdn}";
    };
    # Secrets for headplane need to be configured via sops
    sops.secrets = {
      "headplane/cookie_secret" = { };
      "headplane/agent_pre_authkey" = { };
    };
  };

  services.nginx.virtualHosts."${constants.services.headplane.fqdn}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString constants.services.headplane.port}";
    };
  };
}