diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index 7a93d30c..2e802b01 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -67,6 +67,7 @@
 services = {
 garmin-scraper.enable = true;
 grafana.enable = true;
+ headscale.enable = true;
 mail.enable = true;
 mastodon.enable = true;
 matrix.enable = true;
diff --git a/modules/base/network/default.nix b/modules/base/network/default.nix
index f1ac80ae..12a5a448 100644
--- a/modules/base/network/default.nix
+++ b/modules/base/network/default.nix
@@ -4,5 +4,8 @@
 imports = [
 ./ovh.nix
 ./mobile.nix
+ ./tailscale.nix
 ];
+
+ networking.firewall.checkReversePath = "loose";
 }
diff --git a/modules/base/network/tailscale.nix b/modules/base/network/tailscale.nix
new file mode 100644
index 00000000..97221757
--- /dev/null
+++ b/modules/base/network/tailscale.nix
@@ -0,0 +1,3 @@
+{ ... }: {
+ services.tailscale.enable = true;
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 9b0b7b65..7066700b 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -8,6 +8,7 @@
 ./deluge
 ./garmin-scraper
 ./grafana
+ ./headscale
 ./mail
 ./mastodon
 ./matrix
diff --git a/modules/services/headscale/default.nix b/modules/services/headscale/default.nix
new file mode 100644
index 00000000..262f6897
--- /dev/null
+++ b/modules/services/headscale/default.nix
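Review bot: `networking.firewall.checkReversePath = "loose";` in the modules/base/network/default.nix hunk relaxes reverse-path filtering on every host that imports the base module, and the new modules/base/network/tailscale.nix hunk likewise turns on `services.tailscale.enable = true;` unconditionally, yet neither line records why. The loosening is presumably there because strict reverse-path filtering drops Tailscale exit-node and subnet-router traffic (the NixOS tailscale module warns about exactly that), so a comment next to the setting such as `# Strict rpfilter drops Tailscale exit-node/subnet traffic; keep this "loose" while tailscale is enabled below` would make the trade-off visible to whoever later tightens the firewall. If only some machines actually route such traffic, both the rpfilter relaxation and tailscale.enable could live in a per-machine or per-role module so the remaining hosts keep strict filtering. The enclosing attribute set in default.nix starts outside the hunk.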
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.services.headscale.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.services.headscale.enable {
+ networking.firewall = {
+ allowedTCPPorts = [ 50443 ];
+ allowedUDPPorts = [ 3478 ];
+ };
+ services = {
+ headscale = {
+ enable = true;
+ serverUrl = "https://headscale.vanpetegem.me";
+ privateKeyFile = config.age.secrets."passwords/services/headscale".path;
+ database = {
+ type = "postgres";
+ name = "headscale";
+ user = "headscale";
+ host = "/run/postgresql";
+ };
+ dns = {
+ domains = [ "vanpetegem.internal" ];
+ baseDomain = "vanpetegem.me";
+ };
+ };
+ postgresql = {
+ enable = true;
+ dataDir = "${config.chvp.dataPrefix}/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+ ensureDatabases = [ "headscale" ];
+ ensureUsers = [{
+ name = "headscale";
+ ensurePermissions = { "DATABASE headscale" = "ALL PRIVILEGES"; };
+ }];
+ };
+ };
+ chvp.services.nginx.hosts = [
+ {
+ fqdn = "headscale.vanpetegem.me";
+ options.locations."/" = {
+ proxyPass = "http://localhost:8080";
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_set_header X-Forwarded-Ssl on;
+ '';
+ proxyWebsockets = true;
+ };
+ }
+ ];
+ age.secrets."passwords/services/headscale" = {
+ file = ../../../secrets/passwords/services/headscale.age;
+ owner = "headscale";
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index ecfd29c8..a664f3e6 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -53,6 +53,8 @@ in "secrets/passwords/services/acme.age".publicKeys = servers ++ users; + "secrets/passwords/services/headscale.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/mastodon/otp.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/mastodon/key.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/mastodon/vapid-public.age".publicKeys = [ lasting-integrity ] ++ users;
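Review bot: `allowedTCPPorts = [ 50443 ];` and `allowedUDPPorts = [ 3478 ];` open two ports on the host firewall while nothing in this hunk configures a listener for them — the only service endpoint wired up here is headscale behind nginx at `http://localhost:8080`. If they are intended for headscale's gRPC API and an embedded DERP/STUN server, those are not enabled in this file, so either leave the rules out until the listeners exist or annotate them, e.g. `# 50443/tcp: headscale gRPC API, 3478/udp: DERP STUN — both must stay in sync with services.headscale settings`, so the exposure is a deliberate decision rather than an unused hole. Separately, `lib.mkOption { default = false; example = true; }` declares no `type`; adding `type = lib.types.bool;` makes a non-boolean value fail at evaluation instead of being handed to `lib.mkIf`, and a `description` would help `nixos-option` users. The new file is complete within the hunk.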
diff --git a/secrets/passwords/services/headscale.age b/secrets/passwords/services/headscale.age new file mode 100644 index 00000000..df751b86 --- /dev/null +++ b/secrets/passwords/services/headscale.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ bUJdedi6WFknMHBO0yUwDMVNzDfZGpb5WQfWxoRR6ig +HxaqBOyI9j+tcJzTMWjYVoKbsY68Sl2K+UfN0mikzT0 +-> ssh-ed25519 s9rb8g n2x0kV0upAR85Mykol111tU0V8xcfi0o2MAncV1GyQM +yJDMGeliaiMpyFmmzF9zsIvua3EBc03TIvKT4LJzwN8 +-> ssh-ed25519 yad4VQ vlx896wSYkhYqOA2ZfJ2cmo0vlmPGl3WH8D52xyKdg0 ++sThY/kHvJGZofKLuzOg6ABi5N/c5BEHv9F6exMw3XU +-> w-grease eksf:Dr4 +aKmCHJS6K12oH85lBRqARdvUz3iEDn/eMjw2QZ4AGnLjdXAjhDgpBpuIak9iZr7u +KKKtCTzqEkhO5BAG+xlNcXQtPEOZQCV+WvuMMPOdxLxUVNBUcAzjlKgW5quj7FQ +--- rnya2T3ImTFIVMI5MxxhJ1DXLHJgSKwUMvcV5xkaZeU +Iz6 /_ĝv{,}e~'Qґ0'H'49av +Mj \ No newline at end of file