diff --git a/common/fragments/headscale.nix b/common/fragments/headscale.nix
new file mode 100644
index 0000000..7bde8c1
--- /dev/null
+++ b/common/fragments/headscale.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+ services.headscale = {
+ enable = true;
+ port = 52812;
+ settings.server_url = "https://hs.technogothic.net";
+ settings.dns_config = {
+ nameservers = [
+ "94.140.14.14"
+ "94.140.15.15"
+ ]; # AdGuard Public DNS
+ base_domain = "thorns.home.arpa";
+ };
+ };
+}
diff --git a/hosts/bloodletting/configuration.nix b/hosts/bloodletting/configuration.nix
index a43c9bf..3014fb3 100644
--- a/hosts/bloodletting/configuration.nix
+++ b/hosts/bloodletting/configuration.nix
@@ -11,6 +11,7 @@
 ../../common/fragments/fail2ban.nix
 ../../common/fragments/frq-friend.nix
 ../../common/fragments/grafana.nix
+ ../../common/fragments/headscale.nix
 ../../common/fragments/hedgedoc.nix
 ../../common/fragments/mastodon-ebooks.nix
 ../../common/fragments/mastodon.nix
@@ -257,6 +258,16 @@
 extraConfig = "proxy_ssl_server_name on;";
 };
 };
+
+ virtualHosts."hs.technogothic.net" = {
+ useACMEHost = "technogothic.net";
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
 };
 
 # This value determines the NixOS release from which the default
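Review bot: The new `services.headscale` block in common/fragments/headscale.nix never sets `address`, so keeping the plain-HTTP control server reachable only through the TLS-terminating nginx vhost depends on the module default (127.0.0.1 in the NixOS module, as far as I know). Pin it with `address = "127.0.0.1";` next to `port = 52812;` so a changed default or a later override cannot expose the listener directly. The `nameservers` list also routes every tailnet client's DNS queries to a third-party filtering resolver, and the existing comment names the provider but not that this is a deliberate trust decision; a short why-comment would help. `pkgs` in the argument set is unused and can be dropped.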
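Review bot: `proxyPass` in the new `hs.technogothic.net` vhost targets `localhost`, which nginx may resolve to `::1` as well as `127.0.0.1`; if headscale binds only the IPv4 loopback (its listen address is not visible in this hunk), some upstream attempts can fail with 502. Prefer `proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";`. `locations."/"` also forwards every path, so headscale's admin API, which appears to be served on the same port under `/api/`, is reachable from the internet behind only an API key; if remote administration is not needed, consider a separate `locations."/api/"` limited to admin source addresses. The enclosing `services.nginx` block starts outside the hunk.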