diff --git a/hosts/mups/configuration.nix b/hosts/mups/configuration.nix index 56217ce..ffdd5b9 100644 --- a/hosts/mups/configuration.nix +++ b/hosts/mups/configuration.nix @@ -34,6 +34,7 @@ in { mods.server.photoprism.enable = true; mods.server.wireguard.enable = true; + mods.server.headscale.enable = false; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix index 42d897b..54f7544 100644 --- a/modules/nixos/server/default.nix +++ b/modules/nixos/server/default.nix @@ -7,6 +7,7 @@ ./media.nix ./sync.nix ./wireguard.nix + ./headscale.nix ./photoprism.nix ]; } diff --git a/modules/nixos/server/headscale.nix b/modules/nixos/server/headscale.nix new file mode 100644 index 0000000..d3b6a1a --- /dev/null +++ b/modules/nixos/server/headscale.nix 
@@ -0,0 +1,62 @@
+{ pkgs, lib, config, ... }:
+let
+ base = "muon.host";
+ domain = "head.${base}";
+in {
+ options.mods.server.headscale = {
+ enable = lib.mkEnableOption {
+ default = false;
+ description = "enables headscale server";
+ };
+ };
+
+ config = lib.mkIf config.mods.server.headscale.enable {
+ services = {
+ headscale = {
+ enable = true;
+ port = 8085;
+ address = "127.0.0.1";
+ settings = {
+ dns_config = {
+ override_local_dns = true;
+ base_domain = "${base}";
+ magic_dns = true;
+ domains = [ "${domain}" ];
+ nameservers = [
+ "9.9.9.9"
+ ];
+ };
+ server_url = "https://${domain}";
+ metrics_listen_addr = "127.0.0.1:8095";
+ logtail.enabled = false;
+ log.level = "warn";
+ ip_prefixes = [
+ "100.64.0.0/10"
+ ];
+ };
+ };
+
+ nginx.enable = true;
+ nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ "/metrics" = {
+ proxyPass = "http://${config.services.headscale.settings.metrics_listen_addr}/metrics";
+ };
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "acme@muon.host";
+ };
+
+ environment.systemPackages = [ config.services.headscale.package ];
+ };
+}
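Review bot: The `"/metrics"` location in the nginx virtual host republishes headscale's metrics endpoint on the public HTTPS name with no access control, although `metrics_listen_addr` itself is bound to loopback (`127.0.0.1:8095`). Anyone who can reach the vhost can read the exporter output, which presumably describes the control server and its registered nodes. Either drop the location and scrape over loopback, or restrict it inside `"/metrics" = { … }` with `extraConfig = "allow 127.0.0.1; deny all;";` (or an authenticated location). Separately, `lib.mkEnableOption` expects a description string, not an attribute set, so the option should read `enable = lib.mkEnableOption "headscale server";`.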