diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix
index 71029b9..439f231 100644
--- a/roles/server/caddy.nix
+++ b/roles/server/caddy.nix
@@ -23,7 +23,9 @@ in {
 extraConfig = ''
 (tailscale) {
 tls internal
- bind 100.73.96.48
+ # Old tailscale IP
+ # bind 100.73.96.48
+ bind 100.100.0.1
 }
 '';
 virtualHosts = {
@@ -45,10 +47,17 @@ in {
 };
 };
 };
- services.dnsmasq.settings.cname = [
- "${manualHostname},everest"
- "${downloadsHostname},everest"
- ];
+ services.headscale.settings.dns_config.extra_records = let
+ makeRecords = builtins.map (recordName: {
+ name = recordName;
+ type = "A";
+ value = "100.100.0.1";
+ });
+ in
+ makeRecords [
+ manualHostname
+ downloadsHostname
+ ];
 systemd = {
 services.caddy.after = ["tailscaled.service"];
 # We have somewhat frequent power outages, and our ISP router takes
@@ -58,4 +67,5 @@ in {
 services.caddy.serviceConfig.RestartSec = lib.mkForce "120s";
 };
 programs.rust-motd.settings.service_status.Caddy = "caddy";
+ networking.firewall.allowedTCPPorts = [443 80];
 }
diff --git a/roles/server/default.nix b/roles/server/default.nix
index d1e29aa..bc1a6ea 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -11,8 +11,8 @@
 ./ddclient.nix
 ./beep.nix
 ./tailscale.nix
+ ./headscale.nix
 ./caddy.nix
- ./dns.nix
 ./rust_motd.nix
 ./minecraft.nix
 ];
diff --git a/roles/server/dns.nix b/roles/server/dns.nix
deleted file mode 100644
index 1e446e5..0000000
--- a/roles/server/dns.nix
+++ /dev/null
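Review bot: `bind 100.100.0.1` in the `(tailscale)` snippet hard-codes the address this host is expected to receive from headscale, and the same literal is repeated in the second hunk of this file and in the forgejo.nix, syncthing.nix and transmission.nix hunks, so any change to the assigned address has to be chased through five places. Whether headscale will hand exactly 100.100.0.1 to this node is not visible in the diff; defining it once, e.g. `let serverTailnetIp = "100.100.0.1"; in` or a small shared option, and referencing it from the Caddy bind and every `extra_records` entry would make that assumption explicit and keep the bind and the DNS records in agreement. The `# Old tailscale IP` / `# bind 100.73.96.48` lines keep dead configuration in the file; git history already preserves it, so I would drop them.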
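Review bot: `networking.firewall.allowedTCPPorts = [443 80];` opens both ports on every interface, while the only vhost that appears to need reachability from outside the tailnet is the headscale one (its vhost in headscale.nix carries no `bind`). Every other Caddy virtualHost that does not import the `(tailscale)` snippet, and therefore does not inherit `bind 100.100.0.1`, becomes reachable on the public address once this lands; the forgejo, syncthing and transmission vhost bodies are outside this diff, so I cannot confirm from here that they do. Worth checking each vhost for the snippet import before merging, and recording the intent next to the rule with `# Public 80/443 exist only for the headscale vhost; every other vhost must bind the tailnet address`.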
@@ -1,42 +0,0 @@
-{...}: {
- services.dnsmasq = {
- enable = true;
-
- # Only using this for tailscale IPs, so better to let tailscale itself deal with it
- resolveLocalQueries = false;
-
- settings = {
- listen-address = ["100.73.96.48"];
-
- /*
- Dnsmasq tries to use the tailscale dns server, which is bad cause that points to dnsmasq
- From the little testing I have done it seems to not cause any issues, but better to be safe
- than sorry :P
- */
- dns-loop-detect = true;
-
- host-record = [
- "winmax2,winmax2.tailscale,100.106.73.20"
- "everest,everest.tailscale,100.73.96.48"
- "archie,archie.tailscale,100.113.139.93"
- "steamdeck,steamdeck.tailscale,100.85.48.85"
- "surfacego,surfacego.tailscale,100.96.92.13"
- ];
-
- # If this isn't set a cname that targets a host might return the wrong ip
- localise-queries = true;
- ## IPv6 is not a thing in Spain so I'm guaranteed to not use it
- filter-AAAA = true;
- domain = "tailscale";
- domain-needed = true;
- };
- };
-
- programs.rust-motd.settings.service_status.dnsmasq = "dnsmasq";
-
- # Dnsmasq conflicts with the resolved dns stub listener
- services.resolved.extraConfig = ''
- [Resolve]
- DNSStubListener=no
- '';
-}
diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix
index 65fbf83..52b6847 100644
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@@ -44,8 +44,14 @@ in {
 };
 };
 
- # Add a cname for forgejo
- services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"];
+ # Add a record for forgejo
+ services.headscale.settings.dns_config.extra_records = [
+ {
+ name = "git.everest.tailscale";
+ type = "A";
+ value = "100.100.0.1";
+ }
+ ];
 
 # Set up caddy as the reverse proxy for Forgejo
 services.caddy.virtualHosts.forgejo = {
diff --git a/roles/server/headscale.nix b/roles/server/headscale.nix
new file mode 100644
index 0000000..4575327
--- /dev/null
+++ b/roles/server/headscale.nix
@@ -0,0 +1,24 @@
+{...}: {
+ services.headscale = {
+ enable = true;
+ settings = {
+ server_url = "https://headscale.toast003.xyz";
+ ip_prefixes = [
+ "100.100.0.0/16"
+ ];
+ dns_config = {
+ base_domain = "tailscale";
+ nameservers = ["9.9.9.9"];
+ override_local_dns = true;
+ };
+ };
+ };
+ services.caddy = {
+ virtualHosts.headscale = {
+ hostName = "headscale.toast003.xyz";
+ extraConfig = ''
+ reverse_proxy localhost:8080
+ '';
+ };
+ };
+}
diff --git a/roles/server/syncthing.nix b/roles/server/syncthing.nix
index e6409a9..74caa4b 100755
--- a/roles/server/syncthing.nix
+++ b/roles/server/syncthing.nix
@@ -39,8 +39,14 @@
 AmbientCapabilities = "CAP_CHOWN CAP_FOWNER";
 };
 
- # Add a cname for syncthing
- services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"];
+ # Add a record for syncthing
+ services.headscale.settings.dns_config.extra_records = [
+ {
+ name = "sync.everest.tailscale";
+ type = "A";
+ value = "100.100.0.1";
+ }
+ ];
 
 # Set up caddy as the reverse proxy for syncthing
 services.caddy.virtualHosts.syncthing = {
diff --git a/roles/server/transmission.nix b/roles/server/transmission.nix
index e52f286..a1aafdb 100755
--- a/roles/server/transmission.nix
+++ b/roles/server/transmission.nix
@@ -37,8 +37,14 @@ in {
 '';
 };
 
- # Add a cname for transmission
- services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"];
+ # Add a record for transmission
+ services.headscale.settings.dns_config.extra_records = [
+ {
+ name = "transmission.everest.tailscale";
+ type = "A";
+ value = "100.100.0.1";
+ }
+ ];
 
 # Set up caddy as the reverse proxy for transmission
 services.caddy.virtualHosts.transmission = {
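Review bot: `reverse_proxy localhost:8080` in the headscale vhost relies on whatever listen address headscale defaults to, since the `settings` block never sets one; if that default changes, or the listener is later moved off loopback, the control plane would be served both through Caddy with TLS and directly over plain HTTP on the host's other addresses. Pinning it next to the proxy target, `listen_addr = "127.0.0.1:8080";`, keeps the two in one place and makes the loopback-only intent explicit. `nameservers = ["9.9.9.9"]` is a single upstream and `override_local_dns = true` pushes it to every node, so losing that resolver takes name resolution down for the whole tailnet; a second entry is cheap insurance. Depending on the headscale release the module ships, `ip_prefixes` and `dns_config` may be the older spellings (recent releases moved to `prefixes.v4` and `dns`), which is worth confirming before relying on them.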