# Headscale: a self-hosted, Tailscale-compatible control plane. Stock Tailscale
# clients are pointed at it with `tailscale up --login-server <serverUrl>`.
let
  # Capabilities granted to the headscale unit; everything else is dropped by
  # the bounding set. CAP_NET_BIND_SERVICE is presumably needed only for the
  # ACME HTTP-01 listener on :80 (the control-plane port 6900 and STUN port
  # 6869 are unprivileged) — confirm. The reason for CAP_CHOWN is not recorded
  # here; if nothing in the unit needs it, drop it.
  # NOTE(review): the NixOS module system merges these lists with whatever the
  # upstream headscale module already sets, so inspect the effective unit with
  # `systemctl show headscale -p CapabilityBoundingSet -p AmbientCapabilities`.
  headscaleCaps = [ "CAP_CHOWN" "CAP_NET_BIND_SERVICE" ];
in
{
  services.headscale = {
    enable = true;

    # Bind on every interface: clients register from the internet, and
    # headscale terminates TLS itself (see `tls` below). Besides port 80 for
    # ACME, the host firewall only needs 6900/tcp and 6869/udp (STUN) open.
    # The option default is loopback-only, which only works behind a local
    # reverse proxy.
    address = "0.0.0.0";
    port = 6900;

    # Public URL handed to clients; must match the TLS hostname below.
    serverUrl = "https://vpn.thehedgehog.me:6900";

    dns = {
      # Internal names are <host>.<namespace>.hog
      baseDomain = "hog";
      # MagicDNS, see https://tailscale.com/kb/1081/magicdns/
      magicDns = true;
      # Upstream resolver(s) pushed to clients, in order of preference. Only
      # one is configured — 45.11.45.11 (DNS.SB). If an ad-blocking resolver is
      # meant to be primary, it must be listed first in this array.
      nameservers = [ "45.11.45.11" ];
      # Search domains pushed to clients so that "media/" resolves to
      # "media.main.hog". Headscale always places nodes in a namespace, hence
      # the "main" label in every name.
      domains = [ "main.hog" ];
    };

    # Headscale obtains its own Let's Encrypt certificate for this hostname.
    tls.letsencrypt.hostname = "vpn.thehedgehog.me";

    # OIDC SSO is deliberately disabled: if the identity provider is down,
    # re-authenticating to the VPN becomes painful. Kept for reference.
    # openIdConnect = {
    #   # Private auth server issuer for this application
    #   issuer = "https://auth.thehedgehog.me/application/o/hedgevpn/";
    #   # Every authenticated IdP user lands in the "main" namespace.
    #   # Caveat: with ".*" there is no allow-list on the headscale side —
    #   # anyone who can log in at the IdP can join the VPN. Restrict access
    #   # at the IdP, or via headscale's allowed_users / allowed_groups /
    #   # allowed_domains where the installed version supports them.
    #   domainMap = { ".*" = "main"; };
    #   # The client ID is not a secret; the client secret is file-based.
    #   clientId = "25066b6b1e72718186f8c0dc20f7892951834b6e";
    #   # Secret is decrypted by agenix at boot and never enters the Nix store.
    #   clientSecretFile = "/run/agenix/headscale-oidc-secret";
    # };

    # Raw config.yaml keys that the NixOS options above do not cover.
    settings = {
      # ACME challenge type; challenge traffic on port 80 is forwarded to
      # headscale by Caddy.
      tls_letsencrypt_challenge_type = "HTTP-01";
      # oidc.strip_email_domain = true;
      # Updates arrive through nixpkgs, so headscale's own checker is off.
      disable_check_updates = true;
      # Overlay address space. 100.64.0.0/10 is the CGNAT range Tailscale
      # clients expect. The IPv6 prefix is NOT a ULA (fc00::/7): it sits in
      # currently unallocated global space, so it works today but is not
      # reserved for private use (Tailscale's default is fd7a:115c:a1e0::/48).
      # Changing it renumbers every existing node.
      # NOTE(review): newer headscale releases replace `ip_prefixes` with
      # `prefixes.v4` / `prefixes.v6`; confirm this key is still honoured by
      # the deployed version.
      ip_prefixes = [ "4349:3909:beef::/48" "100.64.0.0/10" ];
      derp.server = {
        # Embedded DERP relay. The relay itself is served by the main HTTPS
        # listener; STUN needs its own UDP port, exposed on every interface.
        # NOTE(review): unless `derp.urls` is also cleared, clients still learn
        # Tailscale's public relays and may fall back to them; relayed traffic
        # stays end-to-end WireGuard-encrypted either way.
        enabled = true;
        region_id = 969;
        region_code = "internal";
        region_name = "Internal DERP";
        stun_listen_addr = "0.0.0.0:6869";
      };
    };
  };

  systemd.services.headscale.serviceConfig = {
    CapabilityBoundingSet = headscaleCaps;
    AmbientCapabilities = headscaleCaps;
  };
}