diff --git a/flake.nix b/flake.nix
index 9e538b3..657aae3 100755
--- a/flake.nix
+++ b/flake.nix
@@ -61,6 +61,26 @@
 ];
 };
+ controller = nixpkgs.lib.nixosSystem {
+ specialArgs = { inherit inputs outputs username; };
+ modules = [
+ ./hosts/controller
+ ./modules/nixos/headscale.nix
+
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = { inherit inputs outputs username; };
+ home-manager.users.${username} = {
+ imports = [
+ ./modules/home-manager
+ ./home/tux
+ ];
+ };
+ }
+ ];
+ };
+
 wsl = nixpkgs.lib.nixosSystem {
 specialArgs = { inherit inputs outputs username; };
 modules = [
diff --git a/hosts/controller/default.nix b/hosts/controller/default.nix
new file mode 100644
index 0000000..4bb1a41
--- /dev/null
+++ b/hosts/controller/default.nix
@@ -0,0 +1,80 @@
+{ config, outputs, lib, pkgs, inputs, username, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ nixpkgs = {
+ overlays = [
+ outputs.overlays.additions
+ outputs.overlays.modifications
+ outputs.overlays.unstable-packages
+ outputs.overlays.nur
+ ];
+
+ config = {
+ allowUnfree = true;
+ joypixels.acceptLicense = true;
+ };
+ };
+
+ nix = {
+ settings = {
+ experimental-features = "nix-command flakes";
+ auto-optimise-store = true;
+ };
+ };
+
+ boot = {
+ kernelPackages = pkgs.linuxPackages_zen;
+ initrd.systemd.enable = true;
+
+ loader = {
+ grub.device = "/dev/sda";
+ timeout = 1;
+ };
+ };
+
+ networking = {
+ hostName = "controller";
+ };
+
+ security = {
+ sudo.wheelNeedsPassword = false;
+ };
+
+ programs = {
+ zsh.enable = true;
+ nix-ld.enable = true;
+ dconf.enable = true;
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ };
+ };
+ };
+
+ users = {
+ defaultUserShell = pkgs.zsh;
+ users.${username} = {
+ initialPassword = "${username}";
+ isNormalUser = true;
+ extraGroups = [ "networkmanager" "wheel" "storage" ];
+ openssh.authorizedKeys.keys = [
+ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+OzPUe2ECPC929DqpkM39tl/vdNAXfsRnmrGfR+X3D 0xtux@pm.me''
+ ];
+ };
+ };
+
+ environment.systemPackages = with pkgs;[
+ ];
+
+ fonts.packages = with pkgs; [ (nerdfonts.override { fonts = [ "FiraCode" "JetBrainsMono" ]; }) ];
+
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/controller/hardware-configuration.nix b/hosts/controller/hardware-configuration.nix
new file mode 100644
index 0000000..be94086
--- /dev/null
+++ b/hosts/controller/hardware-configuration.nix
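Review bot: `initialPassword = "${username}";` gives the wheel user a password equal to its own login name, and `services.openssh.settings` only sets `PermitRootLogin = "no"`, so password authentication stays at its NixOS default (enabled) on a host that the sibling headscale module exposes to the internet on 80/443 and whose sshd port is opened by `services.openssh.enable` unless `openFirewall` is overridden. Together with `sudo.wheelNeedsPassword = false`, a guessed password reaches root without any further check. Since an ed25519 key is already provisioned in `openssh.authorizedKeys.keys`, add `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` next to `PermitRootLogin`, and replace the literal initial password with a `hashedPassword` generated out of band or a file-based secret (constructed placeholder: `hashedPassword = "<HASH_FROM_mkpasswd>";`). Note that `initialPassword` is applied only when the account is first created and `users.mutableUsers` defaults to true, so on an already-installed system the weak password persists until changed by hand.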
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/b5a9a9f6-be72-4520-b2ac-439d0479a34b";
+ fsType = "ext4";
+ };
+
+ fileSystems."/efi" =
+ {
+ device = "systemd-1";
+ fsType = "autofs";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/modules/nixos/headscale.nix b/modules/nixos/headscale.nix
new file mode 100644
index 0000000..6878aaa
--- /dev/null
+++ b/modules/nixos/headscale.nix
@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }: {
+
+ security = {
+ acme = {
+ defaults.email = "0xtux@pm.me";
+ acceptTerms = true;
+ };
+ };
+
+ services = {
+ headscale = {
+ enable = true;
+ port = 8080;
+ address = "0.0.0.0";
+ settings = {
+ dns_config = {
+ override_local_dns = true;
+ base_domain = "0xtux.com";
+ magic_dns = true;
+ nameservers = [
+ "1.1.1.1"
+ ];
+ };
+ server_url = "https://hs.0xtux.com";
+ metrics_listen_addr = "0.0.0.0:8095";
+ logtail = {
+ enabled = false;
+ };
+ log = {
+ level = "warn";
+ };
+ ip_prefixes = [
+ "100.64.0.0/10"
+ "fd7a:115c:a1e0::/48"
+ ];
+ };
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts = {
+ "hs.0xtux.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ "/metrics" = {
+ proxyPass = "http://${config.services.headscale.settings.metrics_listen_addr}/metrics";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ environment.systemPackages = with pkgs;[ headscale ];
+}
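Review bot: The `"/metrics"` location publishes headscale's Prometheus endpoint on the public `hs.0xtux.com` vhost with no access control, which undoes the protection the firewall provides by leaving 8095 closed (assuming `networking.firewall` stays at its enabled default); headscale also binds its API and metrics on `0.0.0.0` although nginx only ever reaches them over loopback. Bind both listeners to loopback — `address = "127.0.0.1";` and `metrics_listen_addr = "127.0.0.1:8095";` — which also turns the second `proxyPass` into `http://127.0.0.1:8095/metrics` instead of `http://0.0.0.0:8095/metrics`, and either drop the `/metrics` location or restrict it inside that block, e.g. `extraConfig = "allow 127.0.0.1; deny all;";` or HTTP basic auth for the scraper. With `address` on IPv4 loopback, consider writing the first `proxyPass` with `127.0.0.1` rather than `localhost` as well, since nginx may resolve `localhost` to `::1` first while headscale listens on IPv4 only — inferred from the literal addresses here, not verified against a running host.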