{self, ...}: {
  flake.nixosModules.tailscaleServer = {config, ...}: let
    cfg = config.hostOptions.server;
  in {
    imports = [
      self.nixosModules.hostOptions
    ];

    services.tailscale = {
      enable = true;
      useRoutingFeatures = "server";
      extraUpFlags = [
        "--login-server=https://headscale.${cfg.domain}"
        "--advertise-exit-node"
      ];
    };
  };

  flake.nixosModules.headscale = {config, ...}: let
    cfg = config.hostOptions.server;
  in {
    imports = [
      self.nixosModules.hostOptions
    ];

    services.headscale = {
      enable = true;
      port = 8085;
      settings = {
        server_url = "https://headscale.${cfg.domain}";
        dns = {
          magic_dns = false;
          nameservers.global = ["1.1.1.1" "9.9.9.9"];
        };
        prefixes = {
          v4 = "100.64.0.0/10";
          v6 = "fd7a:115c:a1e0::/48";
        };
      };
    };

    services.nginx.virtualHosts."headscale.${cfg.domain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8085";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_buffering off;
        '';
      };
    };
  };
}