diff --git a/modules/homelab/tailscale/default.nix b/modules/homelab/tailscale/default.nix
new file mode 100644
index 0000000..801bc8f
--- /dev/null
+++ b/modules/homelab/tailscale/default.nix
@@ -0,0 +1,36 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.system.tailscale;
+  authkey_file = config.sops.secrets."tailscale_authkey".path;
+in {
+  options.system.tailscale = {
+    enable = lib.mkEnableOption "enables tailscale";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = "both";
+      authKeyFile = authkey_file;
+      extraUpFlags = [
+        "--accept-routes=false" # true is equilivant to useRoutingFeatures = "client" (breaks shit)
+        "--accept-dns=true" # explicitly allow resolved
+      ];
+    };
+
+    # network config
+    networking.firewall.trustedInterfaces = ["tailscale0"];
+    networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+
+    # declare authkey secrets
+    sops.secrets = {
+      "tailscale_authkey" = {
+        owner = "root";
+      };
+    };
+  };
+}
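Review bot: `networking.firewall.trustedInterfaces = ["tailscale0"]` exempts every packet arriving over the tailnet from the host firewall, so any peer that can reach this node sees every listening service, and with `useRoutingFeatures = "both"` the host also forwards traffic for it, leaving tailnet ACLs as the only access control. If that is not the intent, prefer a per-interface allowance such as `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ /* needed ports */ ];` and drop the trusted-interface line. Since `--accept-routes=false` is passed, the "client" half of `"both"` — which, as far as I recall, only relaxes `networking.firewall.checkReversePath` host-wide — looks unnecessary, and `"server"` would keep IP forwarding without loosening reverse-path filtering; verify against the module before changing it. The inline comment on `--accept-routes` also seems inaccurate, as the NixOS option does not pass that flag as far as I can tell, and `pkgs` in the argument set is unused.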