diff --git a/modules/nixos/services/tailscale/default.nix b/modules/nixos/services/tailscale/default.nix
new file mode 100644
index 0000000..1cd9b37
--- /dev/null
+++ b/modules/nixos/services/tailscale/default.nix
@@ -0,0 +1,31 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.${namespace}.services.tailscale;
+  rkeCfg = config.${namespace}.services.rke2;
+in
+{
+  options.${namespace}.services.tailscale = {
+    enable = mkEnableOption "enable tailscale service";
+    enableRouting = mkEnableOption "enable tailscale routing";
+  };
+
+  config = mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = if cfg.enableRouting then "server" else "client";
+    };
+
+    boot.kernel.sysctl = mkIf cfg.enableRouting {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
+
+    # Move Tailscale PostRouting First - In situations where Calico is enabled, this is needed
+    # to ensure that Tailscale routes traffic correctly as an exit node.
+    networking.firewall.extraCommands = mkIf (rkeCfg.enable && cfg.enableRouting) ''
+      iptables -t nat -D POSTROUTING -j ts-postrouting 2>/dev/null || true
+      iptables -t nat -I POSTROUTING 1 -j ts-postrouting
+    '';
+  };
+}
diff --git a/systems/x86_64-linux/lin-cloud-kube1/default.nix b/systems/x86_64-linux/lin-cloud-kube1/default.nix
index ebbe460..36674a5 100755
--- a/systems/x86_64-linux/lin-cloud-kube1/default.nix
+++ b/systems/x86_64-linux/lin-cloud-kube1/default.nix
@@ -12,6 +12,8 @@ in
 system.stateVersion = "25.05";
 time.timeZone = "UTC";
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
 boot.loader.grub = {
 efiSupport = true;
 efiInstallAsRemovable = true;
@@ -38,6 +40,10 @@ in
 services = {
 openssh = enabled;
+ tailscale = {
+ enable = true;
+ enableRouting = true;
+ };
 rke2 = {
 enable = true;
 openFirewall = false;
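Review bot: The `networking.firewall.extraCommands` block in the new module assumes the `ts-postrouting` chain already exists when the NixOS firewall script runs, but that chain is created by tailscaled, so on a fresh boot the `iptables -t nat -I POSTROUTING 1 -j ts-postrouting` line can fail before tailscaled is up (the preceding `-D` line tolerates failure, the `-I` line does not), and how the firewall unit reacts to a failing extra command should be confirmed. The reorder is also applied only through `iptables` while `net.ipv6.conf.all.forwarding` is enabled in the same block, so IPv6 traffic through the exit node keeps whatever order tailscaled and Calico leave. A tolerant form such as `iptables -t nat -nL ts-postrouting >/dev/null 2>&1 && iptables -t nat -I POSTROUTING 1 -j ts-postrouting` (plus the `ip6tables` equivalent) keeps the firewall unit independent of tailscaled's start order. As far as I know Calico re-syncs its NAT chains periodically and re-inserts its own POSTROUTING jump at the top, so this one-shot reorder at firewall start may not persist; that caveat belongs in the existing comment, e.g. `# NOTE: applied only at firewall (re)start; Calico resyncs may reorder POSTROUTING again - verify on the host.`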
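Review bot: `networking.firewall.allowedTCPPorts = [ 443 ];` opens 443 on every interface of this cloud host, including its public one, while the rke2 block later in the same file deliberately keeps `openFirewall = false;`. If 443 is only meant to be reached over the tailnet that this commit enables, scoping it as `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 443 ];` leaves the public exposure unchanged. Either way a short comment stating what listens on 443 (presumably the cluster ingress) and who is expected to reach it would document the decision. The enclosing attribute set starts before this hunk.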
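Review bot: `enableRouting = true;` on this host does more than select `useRoutingFeatures = "server"`: through the new module it enables IPv4 and IPv6 forwarding on all interfaces and, because rke2 is enabled in the same `services` set, installs the NAT chain reorder at firewall start. Nothing in this hunk advertises routes or an exit node, so that step appears to happen outside this configuration. A one-line comment would make the intent reviewable, e.g. `# Tailnet subnet router / exit node; enables host forwarding and the Calico NAT reorder (route advertisement and approval are not managed here).` The `services = {` set this hunk opens closes after the hunk ends.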