-rw-r--r--flake.lock85
-rw-r--r--os/kay/modules/network/headscale.nix16
-rw-r--r--os/kay/secrets.yaml6
3 files changed, 91 insertions, 16 deletions
diff --git a/flake.lock b/flake.lock
index bf001cc..0e557ea 100644
--- a/flake.lock
+++ b/flake.lock
@@ -114,6 +114,22 @@
"type": "github"
}
},
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1747046372,
+ "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@@ -179,6 +195,28 @@
"url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
}
},
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "namescale",
+ "pre-commit-hooks",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
"headplane": {
"inputs": {
"devshell": "devshell",
@@ -226,14 +264,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
- ]
+ ],
+ "pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
- "lastModified": 1760768972,
- "narHash": "sha256-bNnfcWlRJ8HWxzyjMyFz0zb7RNyZ2NJdGPIu03Ds3lY=",
+ "lastModified": 1766292981,
+ "narHash": "sha256-9gI7101QbxiRRcnJX3qg4lCdLMfyWsHgnaF2sUiDUnA=",
"owner": "sinanmohd",
"repo": "namescale",
- "rev": "12e26359e79cd3c88508b0f770d0e5136e53b176",
+ "rev": "4c261f660b5bd89b0864f997b2735971696e67a5",
"type": "github"
},
"original": {
@@ -341,6 +380,22 @@
},
"nixpkgs_3": {
"locked": {
+ "lastModified": 1759070547,
+ "narHash": "sha256-JVZl8NaVRYb0+381nl7LvPE+A774/dRpif01FKLrYFQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "647e5c14cbd5067f44ac86b74f014962df460840",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_4": {
+ "locked": {
"lastModified": 1764667669,
"narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOs",
@@ -355,6 +410,26 @@
"type": "github"
}
},
+ "pre-commit-hooks": {
+ "inputs": {
+ "flake-compat": "flake-compat_2",
+ "gitignore": "gitignore",
+ "nixpkgs": "nixpkgs_3"
+ },
+ "locked": {
+ "lastModified": 1760663237,
+ "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "type": "github"
+ }
+ },
"root": {
"inputs": {
"alina": "alina",
@@ -363,7 +438,7 @@
"home-manager": "home-manager",
"namescale": "namescale",
"nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs_3",
+ "nixpkgs": "nixpkgs_4",
"sops-nix": "sops-nix"
}
},
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
index 39007a4..077aa8b 100644
--- a/os/kay/modules/network/headscale.nix
+++ b/os/kay/modules/network/headscale.nix
@@ -29,7 +29,6 @@ let
];
};
tagOwners = {
- "tag:namescale" = [ "group:owner" ];
"tag:internal" = [ "group:owner" ];
"tag:bud_clients" = [ "group:bud" ];
"tag:cusat" = [ "group:owner" ];
@@ -55,7 +54,7 @@ let
{
action = "accept";
src = [ "*" ];
- dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ];
+ dst = [ "namescale@:53" ];
}
{
action = "accept";
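Review bot: The new destination `namescale@:53` depends on a headscale user named `namescale` that nothing in this hunk declares, and with `src = [ "*" ]` every node registered under that user becomes reachable on port 53 from the whole tailnet. A comment above the rule would record the coupling, for example `# namescale joins as its own user via the namescale/preauth_key secret; keep that key limited to this one service`. If the preauth key is ever issued with tags, the node would presumably stop matching a user selector, so that is worth confirming against the headscale policy documentation. The enclosing ACL list starts and ends outside the hunk.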
@@ -100,6 +99,7 @@ in
# server
"headplane/cookie_secret".owner = config.services.headscale.user;
"headplane/preauth_key".owner = config.services.headscale.user;
+ "namescale/preauth_key" = { };
"headscale/noise_private_key".owner = config.services.headscale.user;
"headscale/derp_private_key".owner = config.services.headscale.user;
# client
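Review bot: `"namescale/preauth_key" = { };` is the only server-side secret in this list without an explicit owner, so it falls back to the sops-nix defaults (root-owned and, I believe, readable by root only). That works if the namescale module passes `environmentFile` to systemd's `EnvironmentFile=`, which is read before privileges are dropped, but it fails if the service user opens the file itself. The module is not visible here, so this needs confirming. A short comment such as `# root-only: consumed through systemd EnvironmentFile, content must be KEY=value` would make the intent explicit.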
@@ -134,7 +134,8 @@ in
base_domain = "tsnet.${config.global.userdata.domain}";
override_local_dns = false;
nameservers.split."${config.services.headscale.settings.dns.base_domain}" = [
- config.services.namescale.settings.host
+ "100.64.0.12"
+ "fd7a:115c:a1e0::c"
];
};
derp = {
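Review bot: The split-DNS resolvers `"100.64.0.12"` and `"fd7a:115c:a1e0::c"` are literal addresses that headscale allocates to the namescale node, so they stay correct only while that node keeps its current registration. If the node is ever re-registered and receives different addresses, resolution for `base_domain` breaks for every client with no error at build time. Consider binding them once in the `let` block with a comment, for example `namescaleAddrs = [ "100.64.0.12" "fd7a:115c:a1e0::c" ]; # allocated by headscale to the namescale node; update after re-registration`. The `let` block is outside this hunk.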
@@ -184,17 +185,14 @@ in
"--login-server=${url}"
"--advertise-exit-node"
"--advertise-routes=192.168.43.0/24,192.168.38.0/24"
- "--advertise-tags=tag:internal,tag:namescale"
+ "--advertise-tags=tag:internal"
];
};
namescale = {
enable = true;
- settings = {
- host = "100.64.0.6";
- port = 53;
- base_domain = config.services.headscale.settings.dns.base_domain;
- };
+ environmentFile = config.sops.secrets."namescale/preauth_key".path;
+ settings.tsnet.coordination_server_url = url;
};
};
}
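Review bot: The service now joins the tailnet by itself with a preauth key, and nothing in this hunk shows where its tsnet node state is kept. If that state is not persisted across restarts or rebuilds, the service would presumably re-register and need a key that is still valid, and a fresh registration may be given addresses other than the ones hard-coded as split-DNS nameservers earlier in this file. A comment next to `environmentFile` recording the key's expiry and whether it is reusable, for example `# preauth key for user namescale; expires <DATE>, rotate in secrets.yaml`, would help the next rotation.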
diff --git a/os/kay/secrets.yaml b/os/kay/secrets.yaml
index e16e01f..52a081d 100644
--- a/os/kay/secrets.yaml
+++ b/os/kay/secrets.yaml
@@ -17,6 +17,8 @@ mail.sinanmohd.com:
headplane:
cookie_secret: ENC[AES256_GCM,data:ZhUYeusYNPSkuA+CEHHmeRlCB3Y030J+1EpPs88coFs=,iv:Ck3CfLtkwskkwo8Ind+CuLtVARjHI4y3mZITfzCKPso=,tag:yhupLPeAyfBF6LtNqbJs2g==,type:str]
preauth_key: ENC[AES256_GCM,data:XBtitZ0fb8mU7Z7aSP+RxUSDvyxqcfKYiq4bLa9WnKef1xEnQK0+l7QfrQAVRyqI,iv:G82b9GcdTTLF/+jVh4nx6Fu7mnMmKarF6Rc+AabaLwE=,tag:x7HMaJknnrA/SjTfYu6B4w==,type:str]
+namescale:
+ preauth_key: ENC[AES256_GCM,data:tnPC+1YyFnQYFU6cqRUz70HaaExIgzQ/t9qHdukAsMPgDlxihLMpeIQcTfhPJYnMOBi734/ao9JTdNACjA==,iv:H5kWlzbbCtvx4Bb13sYPhwdmKBfs2iznjwSbxYhW8ws=,tag:bT5qj1F3+hO+B4Qvb9n0ow==,type:str]
headscale:
noise_private_key: ENC[AES256_GCM,data:pqh0alokNqQsG9Ghi/qZl3lEi45om8GV4uron4a5JriLrR/QiRKcZQFbMK2u1m4wLwAw57ugN/jXynATlW15vUWw4SAU+PtC,iv:j74JLjGDGbmN65YfARYisSa20ExBXVPUm+QKU4qk4rw=,tag:UUgthumk2/a4xJ14Ucok+A==,type:str]
derp_private_key: ENC[AES256_GCM,data:EMt3RtQzqIY4i5S2S1kK0kxu0wMt3/bBcpaEc3YP0Cmj8F4yZECOaDUYk4dM2QsfmoP84plktAqIrM4MSiY94lQpqRoCvTru,iv:NU/nVFQxBQTou0mf5xvLmlda8hzJfoCRiU1vCgJGyyc=,tag:IEDCDy6ifL+ulYzp7qr3vg==,type:str]
@@ -45,7 +47,7 @@ sops:
bGRaOE1Mc3VqVnYyd0xIVGl5ckpqRFkKpT2gTC4lf9HRQNJDykdGjPdfH+V8og7X
XHq1XqIRoRbulZifuZlmzN/RWMPIoBYkXeHfqaMjmTz5HIBcnO/t9g==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-14T07:00:06Z"
- mac: ENC[AES256_GCM,data:HoxBmhIWBaapyqQfpmd1tAOJMxaLELzjFBjzlJPvMWXyioXiyPxHtb8lMEPgrlafeD5CLWi2MMw5NXElmtX4SZ8Ngh4cPhF00uQeXm9FqyTYSPPhakctg1ZxB+5h/++JywjOlbPooiP+3Iua0z8wQGWzVgSKj6DVeplDvqcNjHI=,iv:pQbNCOJUz9xtSGbdhS2ESkD6SkFUKfTRw15baTX7hAo=,tag:Y0JT6Q/FHHFYmp4gQ8krxQ==,type:str]
+ lastmodified: "2025-12-21T04:59:01Z"
+ mac: ENC[AES256_GCM,data:29NqEWR9XTcCxXSD46Gw7xNnvj0sF662vj594Ca4abMPxo+zKLSDXqQsg6KHv9Wgmj28TMvYlpivASbQxw6jvaX9cAvoJHAd7/nJCVnXaawgTJcuuGOUFIvSpdmN4JoamF9seUXkwTjMlCzvRArHhA0JwCcv98APUPRR2FNcw6g=,iv:A1r0/BgMAcue4ENtNMTsGL+Ovgox3XovzDrJaRngbJc=,tag:q11zVu6Lfneecv/fpQ+9sw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0