add headscale specific node

modules/nixos/services/headscale/default.nix

@@ -0,0 +1,46 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.${namespace}.services.headscale;
+  inherit (lib.${namespace}) mkBoolOpt;
+in
+{
+  options.${namespace}.services.headscale = {
+    enable = mkEnableOption "enable headscale service";
+    openFirewall = mkBoolOpt false "Open firewall";
+  };
+
+  options.services.headscale.settings.dns.nameservers.split = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+    default = { };
+    description = ''
+      Split DNS configuration mapping domains to specific nameservers.
+      Each key is a domain suffix, and the value is a list of nameservers
+      to use for that domain.
+    '';
+    example = {
+      "internal.company.com" = [ "10.0.0.1" "10.0.0.2" ];
+      "dev.local" = [ "192.168.1.1" ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      settings = {
+        server_url = "https://headscale.reichard.io";
+        dns = {
+          base_domain = "reichard.dev";
+          nameservers.split = {
+            "va.reichard.io" = [ "10.0.20.20" ];
+          };
+        };
+      };
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ 8080 ];
+    };
+  };
+}

systems/aarch64-linux/lin-o1-headscale/default.nix

@@ -32,6 +32,10 @@ in
 
     services = {
       openssh = enabled;
+      headscale = {
+        enable = true;
+        openFirewall = true;
+      };
       tailscale = {
         enable = true;
         enableRouting = true;