diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index c6773e7..e37e464 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -7,6 +7,7 @@
     # ./services/calibre.nix
     ./services/gitea
     ./services/grafana
+    ./services/headscale.nix
     ./services/hydra.nix
     # ./services/jitsi.nix
     ./services/jupyter.nix
diff --git a/hosts/tsuki/services/headscale.nix b/hosts/tsuki/services/headscale.nix
new file mode 100644
index 0000000..71a2f97
--- /dev/null
+++ b/hosts/tsuki/services/headscale.nix
@@ -0,0 +1,52 @@
+{ pkgs, secrets, config, ... }:
+{
+  services.headscale = {
+    enable = true;
+
+    # TODO: make PR
+    # dataDir = "${config.machineVars.dataDrives.default}/var/headscale";
+
+    serverUrl = "https://vpn.nani.wtf";
+    port = secrets.ports.headscale;
+
+    database = {
+      type = "postgres";
+      user = "headscale";
+      name = "headscale";
+      host = "localhost";
+      port = secrets.ports.postgres;
+      passwordFile = "${config.machineVars.dataDrives.default}/keys/postgres/headscale";
+    };
+
+    dns = {
+      magicDns = true;
+      nameservers = [
+        "1.1.1.1"
+      ];
+    };
+
+    settings = {
+      log.level = "warn";
+      ip_prefixes = [ "10.8.0.0/24" ];
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "headscale" ];
+    ensureUsers = [
+      (rec {
+        name = "headscale";
+        ensurePermissions = {
+          "DATABASE \"${name}\"" = "ALL PRIVILEGES";
+        };
+      })
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [ headscale ];
+
+  services.tailscale.enable = true;
+
+  networking.firewall.checkReversePath = "loose";
+}
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 8bb5ce2..93849c1 100644
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
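Review bot: `networking.firewall.checkReversePath = "loose";` at the end of headscale.nix relaxes reverse-path (anti-spoofing) filtering for every interface on the host, not just the tailscale one, and nothing records why; a comment such as `# rp_filter must be loose for tailscale subnet/exit-node routing; this weakens spoofed-source filtering host-wide` would keep the trade-off visible (newer NixOS tailscale modules may already set this as a default, in which case the line is redundant — worth checking). The `dns` block enables `magicDns` without a base domain; the headscale versions I know treat MagicDNS as requiring one, so confirm the module's default is acceptable or set `dns.baseDomain`. The `services.postgresql.ensureUsers` entry creates the role and grants it the database but sets no password, while headscale connects over TCP to `localhost` using `passwordFile`; I do not see where that password is applied to the role, so if it is done out of band a comment pointing to it would help the next reader. `log.level = "warn"` likely suppresses headscale's node-registration messages, which are the main audit trail for who joined the VPN; keep `info` unless those events are captured elsewhere.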
@@ -109,7 +109,7 @@
     })
     (proxy ["dyn"] "http://localhost:${s ports.minecraft.dynmap}" {})
     (proxy ["osu"] "http://localhost:${s ports.osuchan}" {})
-    # (host ["vpn"] "" {})
+    (proxy ["vpn"] "http://localhost:${s ports.headscale}" {})
     (proxy ["hydra"] "http://localhost:${s ports.hydra}" {})
   ] ++ (let stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {
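Review bot: The new `(proxy ["vpn"] "http://localhost:${s ports.headscale}" {})` entry routes headscale's control plane through the generic `proxy` helper, and headscale's client protocol needs the reverse proxy to forward HTTP upgrade (WebSocket) requests and tolerate long-lived connections; the helper is defined outside the hunk, so if it does not already set `proxy_http_version 1.1` with the `Upgrade`/`Connection` headers, the third argument (`{}` here) looks like the place to add that extra config. Since `serverUrl` in headscale.nix is `https://vpn.nani.wtf`, terminating TLS in nginx is consistent, but this vhost exposes the node-registration endpoints publicly, so consider rate limiting on it if the helper offers none. The enclosing list runs past both ends of the hunk.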