{
  outputs,
  constants,
  ...
}:

{
  imports = [
    outputs.nixosModules.headscale
  ];

  services.headscale = {
    enable = true;
    address = "127.0.0.1";
    port = constants.services.headscale.port;
    settings = {
      server_url = "https://${constants.services.headscale.fqdn}";
      # dns.base_domain must be different from the server domain
      # Using "tail" for internal Tailscale DNS (e.g., host.tail)
      dns.base_domain = "tail";
    };
  };

  services.nginx.virtualHosts."${constants.services.headscale.fqdn}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString constants.services.headscale.port}";
      proxyWebsockets = true;
    };
  };
}