diff --git a/configuration.nix b/configuration.nix
index 3bd406f..1fdb19e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -56,6 +56,8 @@
 helix wget git
+
+ juanfont-headscale.headscale # install to allow debugging/control of headscale using the CLI
 ]; # List services that you want to enable:
@@ -119,6 +121,14 @@
 default = [ "ads" ]; }; };
+ customDNS = {
+ rewrite = {
+ "cockpit.samsehu.perli.casa" = "samsehu.perli.casa";
+ };
+ mapping = {
+ "samsehu.perli.casa" = "100.64.0.3";
+ };
+ };
 }; };
@@ -175,6 +185,7 @@
 ''; virtualHosts."lldap.samsehu.perli.casa".extraConfig = ''
+ bind 100.64.0.3
 reverse_proxy localhost:17170 '';
@@ -183,6 +194,7 @@
 ''; virtualHosts."cockpit.samsehu.perli.casa".extraConfig = ''
+ bind 100.64.0.3
 reverse_proxy localhost:9090 '';
@@ -198,8 +210,10 @@
 # Headscale for access to the network while away from home
 services.headscale = {
 enable = true;
+ package = pkgs.juanfont-headscale.headscale;
 settings = {
 server_url = "https://headscale.samsehu.perli.casa";
+ base_domain = "perli.casa";
 listen_addr = "127.0.0.1:64639";
 metrics_listen_addr = "127.0.0.1:64640";
 tls_cert_path = null;
@@ -208,7 +222,37 @@
 dns_config = {
 nameservers = [ "127.0.0.1" ];
 magic_dns = true;
+ # extra_records = [
+ # { name = "cockpit.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
+ # { name = "lldap.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
+ # ];
 };
+
+ acl_policy_path = pkgs.writeText "acl_policy.hujson" ''
+ {
+ "groups": {
+ "group:admin": [
+ "geemili",
+ "desttinghim",
+ ],
+ },
+ "acls": [
+ {
+ "action": "accept",
+ "src": ["group:admin"],
+ "dst": ["*:*"],
+ }
+ ],
+ "ssh": [
+ {
+ "action": "accept",
+ "src": ["autogroup:member"],
+ "dst": ["autogroup:self"],
+ "users": ["autogroup:nonroot"],
+ },
+ ],
+ }
+ '';
 }; };
diff --git a/flake.lock b/flake.lock
index 069554c..7bd8ecf 100644
--- a/flake.lock
+++ b/flake.lock
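Review bot: The new `customDNS.rewrite` entry covers only `cockpit.samsehu.perli.casa`, yet the Caddy hunks further down move both the cockpit and the lldap vhost onto `bind 100.64.0.3`, and the commented-out `extra_records` in the headscale hunk lists both names. Unless `lldap.samsehu.perli.casa` already resolves to 100.64.0.3 through some other path, clients using this resolver will keep hitting the old address and find nothing listening there; adding `"lldap.samsehu.perli.casa" = "samsehu.perli.casa";` beside the cockpit entry keeps DNS and the listener set consistent. The literal 100.64.0.3 is also repeated in `mapping` and in the two `bind` lines, so a short comment here naming which node that address belongs to would help the next reader.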
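Review bot: `bind 100.64.0.3` turns the overlay address into the access control for the lldap vhost (and for the cockpit vhost in the next hunk), which is a sensible reduction of exposure, but it is a literal IP rather than an interface, so Caddy will presumably fail to bind at boot if that address is not yet assigned when the service starts. If this host joins the network through a tailscale client, ordering caddy after that unit, or at least a comment such as `# 100.64.0.3 is this host's overlay address; the interface must be up before caddy starts` on the bind line, would document the dependency. Consider also hoisting the address into a single `let` binding since it now appears three times in this file.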
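Review bot: `base_domain = "perli.casa"` is a parent of the `server_url` host `headscale.samsehu.perli.casa`; as far as I recall, recent headscale releases refuse to start when the server URL falls under the MagicDNS base domain, because the nodes' resolver would then answer for the control server's own name, so please confirm this configuration starts on v0.23.0-alpha2 (a dedicated subdomain, e.g. a constructed `ts.perli.casa`, would avoid the overlap). The `package = pkgs.juanfont-headscale.headscale;` override also means the NixOS module's declared options may lag the pre-release's config keys, so the headscale log after the first start is worth checking for deprecation warnings.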
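Review bot: The commented-out `extra_records` block is dead configuration; either delete it or replace it with a one-line comment such as `# name -> overlay IP mapping is served by AdGuard customDNS instead of headscale extra_records` so the next reader knows why it is absent. The policy written via `pkgs.writeText` is not secret, so the world-readable store path is fine, but the `group:admin` rule with `"dst": ["*:*"]` is the one grant that reaches everything and deserves a comment stating that intent, while the `ssh` rule (members to their own devices, non-root users only) is appropriately narrow. Note that `acl_policy_path` may be superseded by a `policy.path` setting in newer headscale versions — I am not certain for this alpha, so verify against the release's config example.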
@@ -45,6 +45,24 @@
 "type": "github"
 }
 },
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -66,6 +84,28 @@
 "type": "github"
 }
 },
+ "juanfont-headscale": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1702219574,
+ "narHash": "sha256-sz+uQyyq/5YYDe5I44x5x2nvd48swAhNlInB8KZYvDo=",
+ "owner": "juanfont",
+ "repo": "headscale",
+ "rev": "6049ec758ca46b5c6ee7abba4f3d472fb1e2ffa6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "juanfont",
+ "ref": "v0.23.0-alpha2",
+ "repo": "headscale",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1703467016,
@@ -85,6 +125,7 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+ "juanfont-headscale": "juanfont-headscale",
 "nixpkgs": "nixpkgs"
 }
 },
@@ -102,6 +143,21 @@
 "repo": "default",
 "type": "github"
 }
+ },
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 2256a83..f8e3d3b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,16 +5,26 @@
 url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- };
-
- outputs = { self, nixpkgs, agenix }: {
- nixosConfigurations.samsehu = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ./agenix-config-module.nix
- ./configuration.nix
- agenix.nixosModules.default
- ];
+ juanfont-headscale = {
+ url = "github:juanfont/headscale/v0.23.0-alpha2";
+ inputs.nixpkgs.follows = "nixpkgs";
 };
 };
+
+ outputs = { self, nixpkgs, agenix, juanfont-headscale }:
+ let
+ overlay-juanfont-headscale = final: prev: {
+ juanfont-headscale = juanfont-headscale.packages.${prev.system};
+ };
+ in {
+ nixosConfigurations.samsehu = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ({config, pkgs, ...}: { nixpkgs.overlays = [ overlay-juanfont-headscale ]; })
+ ./agenix-config-module.nix
+ ./configuration.nix
+ agenix.nixosModules.default
+ ];
+ };
+ };
 }
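Review bot: The inline module `({config, pkgs, ...}: { nixpkgs.overlays = [ overlay-juanfont-headscale ]; })` binds `config` and `pkgs` without using them; the plain attribute set `{ nixpkgs.overlays = [ overlay-juanfont-headscale ]; }` is an equivalent module and reads more clearly. The overlay exposes the input's entire `packages.${prev.system}` set under `pkgs.juanfont-headscale`, whereas configuration.nix only consumes `.headscale`; narrowing the overlay to that one derivation keeps the surface small. Pinning a pre-release tag (`v0.23.0-alpha2`) is acceptable because flake.lock fixes the rev and narHash, but a comment on the input explaining why the pre-release is preferred over the nixpkgs headscale package would make future bumps safer.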