diff --git a/modules/nixos/services/rke2/default.nix b/modules/nixos/services/rke2/default.nix
index 59a6161..440b8bc 100644
--- a/modules/nixos/services/rke2/default.nix
+++ b/modules/nixos/services/rke2/default.nix
@@ -18,6 +18,10 @@ in
 disable = cfg.disable;
 };
 
+ # NOTE: Tailscale & K8s Calico conflict due to FWMask. You need to update the DaemonSet Env with:
+ # - name: FELIX_IPTABLESMARKMASK
+ # value: "0xff00ff00"
+
 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
 # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
 6443 # Kubernetes API
diff --git a/modules/nixos/services/tailscale/default.nix b/modules/nixos/services/tailscale/default.nix
new file mode 100644
index 0000000..5c32703
--- /dev/null
+++ b/modules/nixos/services/tailscale/default.nix
@@ -0,0 +1,27 @@
+{ config, lib, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.${namespace}.services.tailscale;
+in
+{
+ options.${namespace}.services.tailscale = {
+ enable = mkEnableOption "enable tailscale service";
+ enableRouting = mkEnableOption "enable tailscale routing";
+ };
+ 
+ config = mkIf cfg.enable {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = if cfg.enableRouting then "server" else "client";
+ };
+ 
+ boot.kernel.sysctl = mkIf cfg.enableRouting {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+ 
+ # NOTE: Tailscale & K8s Calico conflict due to FWMask. You need to update the DaemonSet Env with:
+ # - name: FELIX_IPTABLESMARKMASK
+ # value: "0xff00ff00"
+ };
+}
diff --git a/systems/x86_64-linux/lin-cloud-kube1/default.nix b/systems/x86_64-linux/lin-cloud-kube1/default.nix
index ebbe460..36674a5 100755
--- a/systems/x86_64-linux/lin-cloud-kube1/default.nix
+++ b/systems/x86_64-linux/lin-cloud-kube1/default.nix
@@ -12,6 +12,8 @@ in
 system.stateVersion = "25.05";
 time.timeZone = "UTC";
 
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
 boot.loader.grub = {
 efiSupport = true;
 efiInstallAsRemovable = true;
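Review bot: The added NOTE documents a hand-applied `kubectl` change to the calico-node DaemonSet that nothing in this module enforces, so a cluster redeploy or a Calico chart upgrade will silently reintroduce the fwmark clash; if this cluster runs rke2's bundled Calico, the same setting can presumably be declared as a `HelmChartConfig` for `rke2-calico` (Felix `iptablesMarkMask`) and dropped into the rke2 server manifests directory, which would make it part of the deploy instead of a reminder — worth confirming against the rke2 docs for your version. The same comment is pasted verbatim into the new tailscale module; keep it in one place (here, next to the RKE2 port list, seems right) and have the other side point to it. Also say why the mask matters so the next reader can judge the value: `# NOTE: Tailscale sets fwmark bits that overlap Calico's default iptablesMarkMask (0xffff0000); with both on the node, Calico must use a mask that leaves Tailscale's bits alone (0xff00ff00 per Tailscale's Calico guidance) — verify on upgrade.` The enclosing attribute set continues outside the hunk.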
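Review bot: `boot.kernel.sysctl` turns on `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` host-wide, not just for `tailscale0`, and the NixOS firewall does not filter the FORWARD path unless `networking.firewall.filterForward` (nftables backend) is set, so with `enableRouting` the node will forward between any of its interfaces; if that is not intended, either scope forwarding to the Tailscale interface or enable forward filtering alongside it, and note the decision in a comment. As far as I recall the upstream `services.tailscale` module already sets forwarding sysctls when `useRoutingFeatures` is `"server"` or `"both"`, in which case this block is redundant — worth checking before keeping it. The option descriptions read badly because `mkEnableOption` already prefixes "Whether to enable": the rendered text is "Whether to enable enable tailscale service."; use `enable = mkEnableOption "the Tailscale service";` and `enableRouting = mkEnableOption "IP forwarding so this node can act as a Tailscale subnet router / exit node";`. The trailing Calico NOTE duplicates the one in the rke2 module and belongs with the Kubernetes config rather than a generic VPN module; replace it with a one-line pointer to that file.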
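Review bot: `networking.firewall.allowedTCPPorts = [ 443 ];` opens a port on an internet-facing cloud node with no comment saying what listens there, and nothing in the hunk shows the service behind it (presumably the cluster ingress, since this file sets `rke2.openFirewall = false` further down). Document the intent and the boundary it sets so the next change does not casually widen it, e.g. `networking.firewall.allowedTCPPorts = [ 443 ]; # HTTPS ingress only; the rke2 API (6443) and node ports stay closed (openFirewall = false) and are reached over tailscale`. If plain HTTP is deliberately not exposed, say so in the same comment. The enclosing module set continues outside the hunk.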
@@ -38,6 +40,10 @@ in
 services = {
 openssh = enabled;
+ tailscale = {
+ enable = true;
+ enableRouting = true;
+ };
 rke2 = {
 enable = true;
 openFirewall = false;
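Review bot: `enableRouting = true` makes this Kubernetes node a forwarding host, but which routes it is meant to advertise is declared nowhere in the hunk, so the `tailscale up --advertise-routes=…` step and the route approval in the admin console presumably happen by hand and are not reproducible from this config. Record the intended role next to the flag, e.g. `enableRouting = true; # subnet router for the cluster networks — advertise the routes with tailscale up and approve them in the admin console`, and if the node is not meant to be an exit node say that too, since the same flag enables forwarding for both. The `services` attribute set continues outside the hunk.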