diff --git a/options/custom/settings/containers/headscale.nix b/options/custom/settings/containers/headscale.nix
new file mode 100644
index 0000000..395726e
--- /dev/null
+++ b/options/custom/settings/containers/headscale.nix
@@ -0,0 +1,67 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+
+with lib;
+
+let
+ cfg = config.custom.settings.containers.headscale;
+in
+{
+ options.custom.settings.containers.headscale.enable = mkOption { default = false; };
+
+ config = mkIf cfg.enable {
+ age.secrets =
+ let
+ secret = filename: {
+ file = "${inputs.self}/secrets/$(unknown)";
+ };
+ in
+ {
+ "${config.custom.profile}/headscale/.env" = secret "${config.custom.profile}/headscale/.env";
+ };
+
+ #?? arion-headscale pull
+ environment.shellAliases.arion-headscale = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.headscale.settings.out.dockerComposeYaml}";
+
+ virtualisation.arion.projects.headscale = {
+ serviceName = "headscale";
+
+ settings.services = {
+ # https://headscale.net/
+ # https://github.com/juanfont/headscale
+ # BUG: Does not support generic DoH/DoT
+ # https://github.com/juanfont/headscale/issues/1312
+ headscale.service = {
+ command = "serve";
+ container_name = "headscale";
+ env_file = [ config.age.secrets."${config.custom.profile}/headscale/.env".path ];
+ image = "headscale/headscale:v0.23.0-beta.4";
+ restart = "unless-stopped";
+
+ ports = [
+ "9999:9999"
+ "9090:9090"
+ ];
+
+ volumes = [
+ "${config.custom.settings.containers.directory}/headscale/config:/etc/headscale"
+ "${config.custom.settings.containers.directory}/headscale/data:/var/lib/headscale"
+
+ # Minimum config.yaml
+ # https://github.com/juanfont/headscale/blob/main/config-example.yaml
+ # https://github.com/juanfont/headscale/blob/main/integration/hsic/config.go
+ "${pkgs.writeText "config.yaml" ''
+ noise:
+ private_key_path: /var/lib/headscale/noise_private.key
+ ''}:/etc/headscale/config.yaml"
+ ];
+ };
+ };
+ };
+ };
+}
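Review bot: `ports = [ "9999:9999" "9090:9090" ]` publishes both listeners on every host interface, and 9090 is the port headscale's example config uses for `metrics_listen_addr`, an unauthenticated Prometheus/debug endpoint; ports published by the container runtime are typically inserted ahead of the NixOS `networking.firewall` chains, so this is reachable from wherever the host is. Bind the metrics listener to loopback, `"127.0.0.1:9090:9090"`, and publish 9999 unrestricted only if it really is the client-facing listener that must be public (the effective listen addresses come from the mounted config directory and the `.env` secret, neither of which is visible here, so this is inferred). `image = "headscale/headscale:v0.23.0-beta.4"` pins a mutable tag of a pre-release; for a VPN control plane pin the digest too, `image = "headscale/headscale:v0.23.0-beta.4@sha256:<digest>"`, so `arion-headscale pull` cannot silently pick up a re-tagged image. Separately, `file = "${inputs.self}/secrets/$(unknown)"` ignores the `filename` argument — if that is not an artefact of how this page was captured, it should read `file = "${inputs.self}/secrets/${filename}";` or the secret path will not resolve.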
diff --git a/profiles/server/default.nix b/profiles/server/default.nix
index 98a8539..9cf39a6
--- a/profiles/server/default.nix
+++ b/profiles/server/default.nix
@@ -55,6 +55,7 @@
 coturn.enable = true;
 forgejo.enable = true;
 foundryvtt.enable = true;
+ #// headscale.enable = true;
 mastodon.enable = true;
 nextcloud.enable = true;
 redlib.enable = true;
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 89b89e3..aef5be3
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -73,6 +73,7 @@ in
 "server/forgejo/.env".publicKeys = server;
 "server/forgejo/db.env".publicKeys = server;
 "server/foundryvtt/.env".publicKeys = server;
+ "server/headscale/.env".publicKeys = server;
 "server/mastodon/.env".publicKeys = server;
 "server/mastodon/db.env".publicKeys = server;
 "server/matrix-conduit/conduwuit.toml".publicKeys = server;
diff --git a/secrets/server/headscale/.env b/secrets/server/headscale/.env
new file mode 100644
index 0000000..a884889
Binary files /dev/null and b/secrets/server/headscale/.env differ