diff --git a/hosts/noximilien/default.nix b/hosts/noximilien/default.nix
index 33f8693..f9a5483 100644
--- a/hosts/noximilien/default.nix
+++ b/hosts/noximilien/default.nix
@@ -25,6 +25,8 @@
 ../../profiles/services/tmate-server.nix # opens port 42244
+ ../../profiles/vpn-pbsds/headscale.nix
+
 ../../profiles/http # enables nginx+acme, defines mkDomain
 ../../profiles/http/index
 ../../profiles/http/services/cinny.nix
diff --git a/profiles/http/index/default.nix b/profiles/http/index/default.nix
index e480e50..475ca8d 100644
--- a/profiles/http/index/default.nix
+++ b/profiles/http/index/default.nix
@@ -14,6 +14,8 @@ let
 docs = "Various documentation";
 element = pkgs.element-web.meta.description;
 shlink = "Url shortener";
+
+ head = pkgs.headscale.meta.description;
 };
 in
 {
diff --git a/profiles/vpn-pbsds/headscale.nix b/profiles/vpn-pbsds/headscale.nix
new file mode 100644
index 0000000..c25d0b4
--- /dev/null
+++ b/profiles/vpn-pbsds/headscale.nix
@@ -0,0 +1,75 @@
+{ lib, pkgs, config, ... }:
+let
+ cfg = config.services.headscale;
+ server-url = "head.pbsds.net";
+ derpPort = 3478;
+ inherit (lib) mkIf;
+in
+{
+ environment.systemPackages = mkIf cfg.enable [ cfg.package ];
+
+ services.headscale = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 4987;
+
+ # https://github.com/juanfont/headscale/blob/main/config-example.yaml
+ # https://search.nixos.org/options?query=services.headscale.settings
+ settings = {
+ server_url = "https://${server-url}:443";
+ logtail.enabled = false;
+ log.level = "warn";
+
+ # https://tailscale.com/kb/1054/dns
+ dns_config.override_local_dns = true; # force clients to use our dns
+ #dns_config.nameservers = [ "1.1.1.1" ];
+ dns_config.magic_dns = true; # put our dns first in search
+ dns_config.domains = [ "ts.pbsds.net" ]; # search domains to inject into clients
+ dns_config.base_domain = "pbsds.net"; # clients become {hostname}.namespace.{base_domain}
+
+ # List of IP prefixes to allocate tailaddresses from.
+ ip_prefixes = [
+ "100.64.0.0/10"
+ "fd7a:115c:a1e0::/48"
+ ];
+
+ # DERP is a relay system that Tailscale uses when a direct connection cannot be established.
+ # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
+ # headscale needs a list of DERP servers that can be presented to the clients.
+ derp.server.enable = true; # run embedded DERP server
+ derp.server.region_id = 999;
+ derp.server.stun_listen_addr = "0.0.0.0:${toString derpPort}"; # UDP
+ #derp.server.private_key_path # autogenerated if it's missing.
+ #derp.urls = [] # List of externally available DERP maps
+ };
+ };
+
+ systemd.services."headscale-provisioning" = mkIf cfg.enable {
+ serviceConfig.Type = "oneshot";
+ after = [ "headscale.service" ];
+ wantedBy = [ "headscale.service" ];
+ script = ''
+ sleep 60 # Wait for headscale to be ready
+ "${lib.getExe cfg.package}/bin/headscale namespaces create ts || true
+ '';
+ };
+
+ # The DERP server
+ networking.firewall.allowedUDPPorts = mkIf (cfg.enable && cfg.settings.derp.server.enable) [ derpPort ];
+
+ # https reverse proxy
+
+ networking.firewall.allowedTCPPorts = mkIf cfg.enable [ 80 443 ];
+
+ services.nginx.enable = mkIf cfg.enable true;
+ services.nginx.virtualHosts."${server-url}" = mkIf cfg.enable {
+ forceSSL = true; # addSSL = true;
+ enableACME = true; #useACMEHost = acmeDomain;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString cfg.port}";
+ proxyWebsockets = true;
+ };
+ #locations."/metrics".proxyPass = "http://${cfg.settings.metrics_listen_addr}/metrics";
+ };
+
+}
diff --git a/profiles/vpn-pbsds/tailscale.nix b/profiles/vpn-pbsds/tailscale.nix
new file mode 100644
index 0000000..6bd7e3c
--- /dev/null
+++ b/profiles/vpn-pbsds/tailscale.nix
@@ -0,0 +1,12 @@
+{ config, ...}:
+{
+ services.tailscale.enable = true;
+ networking.firewall.checkReversePath = "loose";
+ networking.firewall.trustedInterfaces = [ "tailscale0" ];
+ networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
+
+ # remote-set X
+ # tailscale up --login-server 'https://head.pbsds.net'
+ # ssh noximilien.pbsds.net headscale --namespace nodes register --key
+
+}
diff --git a/users/pbsds/default.nix b/users/pbsds/default.nix
index 0c26da4..8f9a38e 100644
--- a/users/pbsds/default.nix
+++ b/users/pbsds/default.nix
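Review bot: The second line of the `headscale-provisioning` script is malformed: it opens a double quote that is never closed and appends `/bin/headscale` to `lib.getExe cfg.package`, which already expands to the executable path, so the generated shell script fails to parse and the trailing `|| true` cannot rescue it. The line should read `${lib.getExe cfg.package} namespaces create ts || true`. The fixed `sleep 60` is only a guess at when headscale is ready; if this unit stays, a short retry loop (or `Restart`/`RestartSec` on failure) would be more robust than a timer, and it would be worth logging when namespace creation actually fails rather than masking every error with `|| true`. The nginx vhost part of the hunk looks sound: `forceSSL` plus ACME, with the `/metrics` location left commented out so the metrics listener is not exposed through the proxy.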
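Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ]` disables the host firewall for the whole tailnet, so every node registered with this headscale, including anything registered through the `--key` flow in the comment below, can reach every listening service on this host rather than only the ports opened in `allowedTCPPorts`. Unless a headscale ACL policy restricts peers, prefer per-interface rules such as `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ … ];` listing just the services meant to be reachable over the VPN. The comment `headscale --namespace nodes register --key` also refers to a namespace `nodes`, while the provisioning unit in headscale.nix creates `ts`; one of the two should be corrected so the documented registration command matches what the server provisions.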
@@ -48,6 +48,8 @@
 # TODO: NAS stuff
 ] ++ lib.optionals config.virtualisation.docker.enable [
 "docker"
+ ] ++ lib.optionals config.services.headscale.enable [
+ config.services.headscale.group
 ];
 initialHashedPassword = "$6$yNgxTHcP1UYkNwuZ$1sBehnKgPjVnDe0tSV8kyfynWpfjDzuohZX6SoTrMnYFa3/aiMOtI6JppYevl.M6qYhBIT0XBvL6TqSSFWn8B/";