{pkgs, ...}: {
  project.name = "headscale";

  networks.dmz = {
    name = "dmz";
    external = true;
  };

  services = {
    headscale.service = {
      image = "headscale/headscale:0.22.3-debug";
      container_name = "headscale";
      restart = "always";
      command = "headscale serve";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.services.headscale.loadbalancer.server.port" = "8080";
        "traefik.http.routers.headscale.service" = "headscale";
        "traefik.http.routers.headscale.entrypoints" = "websecure";
        "traefik.http.routers.headscale.rule" = "Host(`headscale.ghoscht.com`)";
        "traefik.http.routers.headscale.tls" = "true";
        "traefik.http.routers.headscale.tls.certresolver" = "letsencrypt";

        "traefik.http.services.headscale-external.loadbalancer.server.port" = "8080";
        "traefik.http.routers.headscale-external.service" = "headscale-external";
        "traefik.http.routers.headscale-external.rule" = "Host(`headscale.ghoscht.com`)";
        "traefik.http.routers.headscale-external.entrypoints" = "websecure-external";
        "traefik.http.routers.headscale-external.tls" = "true";
        "traefik.http.routers.headscale-external.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/home/ghoscht/.docker/headscale/headscale_config:/etc/headscale"
        "/home/ghoscht/.docker/headscale/headscale_data:/var/lib/headscale"
      ];
      networks = [
        "dmz"
      ];
    };
    headscale-ui.service = {
      image = "ghcr.io/gurucomputing/headscale-ui:2024.02.24-beta1";
      container_name = "headscale-ui";
      restart = "always";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.headscale-ui.entrypoints" = "websecure";
        "traefik.http.routers.headscale-ui.rule" = "PathPrefix(`/web`)&&Host(`headscale.ghoscht.com`)";
        "traefik.http.services.headscale-ui.loadbalancer.server.port" = "80";
        "traefik.http.routers.headscale-ui.tls" = "true";
        "traefik.http.routers.headscale-ui.tls.certresolver" = "letsencrypt";
      };
      networks = [
        "dmz"
      ];
    };
  };
}