diff --git a/flake.nix b/flake.nix
index 2f1ce4b..1bda364 100644
--- a/flake.nix
+++ b/flake.nix
@@ -67,7 +67,7 @@
 } @ inputs: let
 inherit (utils.lib) mkApp;
 mods = import ./modules {inherit utils;};
- hosts = import ./hosts {inherit utils;};
+ hosts = import ./hosts {inherit inputs utils;};
 overlay = import ./overlays {inherit inputs;};
 in
 with mods.nixosModules;
diff --git a/hosts/artemis/configuration.nix b/hosts/artemis/configuration.nix
index 5bc5240..efa4676 100644
--- a/hosts/artemis/configuration.nix
+++ b/hosts/artemis/configuration.nix
@@ -1,11 +1,17 @@
 {
+ config,
 pkgs,
 inputs,
 ...
 }: let
 inherit (inputs.self.nixosModules) keys;
 in {
- services.remote-deploy = {
+ c.services.mesh = {
+ enable = true;
+ exitNode = false;
+ keyFile = config.age.secrets.mesh-conf-cleslie.path;
+ };
+ c.services.remote-deploy = {
 enable = false;
 keys = keys.c;
 };
diff --git a/hosts/artemis/default.nix b/hosts/artemis/default.nix
index f3eb160..1db9d12 100644
--- a/hosts/artemis/default.nix
+++ b/hosts/artemis/default.nix
@@ -1,4 +1,4 @@
-{
+{inputs}: {
 modules = [
 ./hardware-configuration.nix
 ./configuration.nix
diff --git a/hosts/default.nix b/hosts/default.nix
index 570ebdc..d14d2f6 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -1,6 +1,13 @@
-{utils}: let
- hosts = utils.lib.exportModules [
- ./artemis
- ./hermes
- ];
-in {inherit hosts;}
+{
+ inputs,
+ utils,
+}: let
+ # TODO: function to do this
+ artemis = import ./artemis {inherit inputs;};
+ hermes = import ./hermes {inherit inputs;};
+in {
+ hosts = {
+ inherit artemis;
+ inherit hermes;
+ };
+}
diff --git a/hosts/hermes/configuration.nix b/hosts/hermes/configuration.nix
index b5355d1..8cc5345 100644
--- a/hosts/hermes/configuration.nix
+++ b/hosts/hermes/configuration.nix
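Review bot: The TODO in hosts/default.nix can be closed in this commit: the two hand-written imports and the two `inherit` lines collapse into one expression, e.g. `hosts = builtins.listToAttrs (map (n: {name = n; value = import (./. + "/${n}") {inherit inputs;};}) ["artemis" "hermes"]);`, which also keeps the host list in a single place when a third host is added. If the two-binding form is kept, `inherit artemis hermes;` is the idiomatic single line. The removed `utils.lib.exportModules` call is not visible here, so confirm that the per-host `import` produces the same attribute shape its consumers expected.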
@@ -7,7 +7,13 @@
 }: let
 inherit (inputs.self.nixosModules) keys;
 in {
- services.remote-deploy = {
+ c.services.mesh = {
+ enable = true;
+ exitNode = true;
+ keyFile = config.age.secrets.mesh-conf-infra.path;
+ };
+
+ c.services.remote-deploy = {
 enable = true;
 host = "media.cleslie.uk";
 port = 62480;
diff --git a/hosts/hermes/default.nix b/hosts/hermes/default.nix
index 074c149..ca8050d 100644
--- a/hosts/hermes/default.nix
+++ b/hosts/hermes/default.nix
@@ -1,4 +1,4 @@
-{
+{inputs}: {
 modules = [
 ./hardware-configuration.nix
 ./configuration.nix
@@ -7,6 +7,7 @@
 ./networking.nix
 ./ssh.nix
 ./media.nix
+ ./headscale.nix
 ];
 extraArgs = {};
 specialArgs = {};
diff --git a/hosts/hermes/headscale.nix b/hosts/hermes/headscale.nix
new file mode 100644
index 0000000..d907330
--- /dev/null
+++ b/hosts/hermes/headscale.nix
@@ -0,0 +1,20 @@
+{config, ...}: let
+ domain = "mesh.cleslie.uk";
+in {
+ services = {
+ headscale = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 8080;
+ settings = {
+ server_url = "https://${domain}";
+ dns_config = {base_domain = "cleslie.uk";};
+
+ ip_prefixes = "100.64.0.0/10";
+ };
+ };
+ caddy.virtualHosts.${domain}.extraConfig = ''
+ reverse_proxy localhost:${toString config.services.headscale.port}
+ '';
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index f8a8af0..0f10192 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,12 +6,14 @@
 ./deploy.nix
 ./keys.nix
 ./secret.nix
+ ./tailscale.nix
 ];
 sharedModules = with nixosModules; [
 nix
 hm
 boot
 deploy
+ tailscale
 secret
 ];
 in {inherit nixosModules sharedModules;}
diff --git a/modules/deploy.nix b/modules/deploy.nix
index 9406898..811ab27 100644
--- a/modules/deploy.nix
+++ b/modules/deploy.nix
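Review bot: `address = "0.0.0.0"` in hosts/hermes/headscale.nix binds headscale's plain-HTTP listener on every interface, while the Caddy virtual host a few lines below only ever proxies to `localhost:8080`; since modules/tailscale.nix in this same commit marks the tailscale interface as trusted, every mesh peer can reach the unencrypted control API directly on 8080 and bypass TLS at Caddy. `address = "127.0.0.1";` is all the reverse proxy needs and closes that path. Two of the `settings` values should be checked against the deployed headscale version: upstream's `ip_prefixes` is a list (`ip_prefixes = ["100.64.0.0/10"];`), and recent releases refuse to start when `dns_config.base_domain` (`cleslie.uk`) is a suffix of `server_url` (`mesh.cleslie.uk`), because MagicDNS would then shadow the control server's own name; using a distinct base domain avoids that.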
@@ -5,9 +5,9 @@
 ...
 }:
 with lib; let
- cfg = config.services.remote-deploy;
+ cfg = config.c.services.remote-deploy;
 in {
- options.services.remote-deploy = {
+ options.c.services.remote-deploy = {
 enable = mkEnableOption "Enable remote deployment with nixinate.";
 host = mkOption {
 type = types.str;
diff --git a/modules/tailscale.nix b/modules/tailscale.nix
new file mode 100644
index 0000000..cf915c6
--- /dev/null
+++ b/modules/tailscale.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ options,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.c.services.mesh;
+in {
+ options.c.services.mesh = {
+ enable = mkEnableOption "Enable tailscale daemon.";
+ exitNode = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable advertising as an exit node.";
+ };
+ keyFile = mkOption {
+ type = types.path;
+ description = "Path to key file.";
+ };
+ };
+ config = mkIf cfg.enable {
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ #authKeyFile = config.age.secrets.mesh-conf.path;
+ authKeyFile = cfg.keyFile;
+ extraUpFlags = ["--login-server" "https://mesh.cleslie.uk"];
+ extraSetFlags = [(mkIf cfg.exitNode "--advertise-exit-node")];
+ };
+ networking.firewall = {
+ #checkReversePath = "loose";
+ trustedInterfaces = [config.services.tailscale.interfaceName];
+ };
+ };
+}
diff --git a/secrets/mesh-conf-cleslie.age b/secrets/mesh-conf-cleslie.age
new file mode 100644
index 0000000..ac1c8f7
--- /dev/null
+++ b/secrets/mesh-conf-cleslie.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 /RyXeg RCXNBh7g6+X5buZJdDCd52elfUAnzgOUfINsdGCAcUg
+0MOZk6dC51NyFWBu/4+6XY9bMgQ9JoCv6ekH9eaghI0
+-> ssh-ed25519 ejjLpg ILRsr6hHJZrX4ssD1hj8FEH8VhqIouHpdLX0phc8qiM
+0G6VMYbLtq+HcYurP8AIT5qCrLbQJQEpyyqNmRrjJ7I
+-> ssh-ed25519 aSaoJQ OVpC763FiqHOaD+uThjZcXgi215AE07aXitPi6Ar3wE
+UGQ4Nnnxi2Z57XPJ+9DCUV+/U7aC+Wuprv4JcEHkFqE
+--- ulRUBJuSDAodVNUVviwGJAYe7l/FOzVNNiQaVzGUWnI
+òÊÈë&‡¬(fsR…v•Kp¬**/-~jž&I-Ô³²/ÄpdEÑÂ$u*öànëÓPnïëïA0Ž–_ìE–ëû‰ÒÏôÿ6·´
\ No newline at end of file
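Review bot: `keyFile` in modules/tailscale.nix is declared as `types.path`, which also accepts a path literal such as `./key`; a literal would be copied into the world-readable Nix store, so either use `types.str` or extend the description to `"Runtime path to the tailscale auth key, e.g. an agenix secret path; must not be a store path."`. `exitNode = true` only adds `--advertise-exit-node` and nothing in the hunk enables IP forwarding, so unless that is set elsewhere (not visible here) hermes will advertise an exit node that cannot forward; the NixOS option covering it is `services.tailscale.useRoutingFeatures = mkIf cfg.exitNode "server";`, and the commented-out `#checkReversePath = "loose"` and `#authKeyFile` lines are dead configuration that should be dropped. `trustedInterfaces = [config.services.tailscale.interfaceName]` switches the firewall off for all traffic arriving over the mesh on every host that imports this module, including the headscale listener added in this commit; `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts` limits that to the ports peers actually need. The login server `https://mesh.cleslie.uk` is duplicated from hosts/hermes/headscale.nix; a `loginServer` option with that default keeps the two in sync.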
diff --git a/secrets/mesh-conf-infra.age b/secrets/mesh-conf-infra.age
new file mode 100644
index 0000000..5e366a6
Binary files /dev/null and b/secrets/mesh-conf-infra.age differ
diff --git a/secrets/secrets-configuration.nix b/secrets/secrets-configuration.nix
index 96c2c1c..1ac2d3b 100644
--- a/secrets/secrets-configuration.nix
+++ b/secrets/secrets-configuration.nix
@@ -1,5 +1,7 @@
 {
- age.secrets."wg-conf" = {
- file = ./wg-conf.age;
+ age.secrets = {
+ "wg-conf".file = ./wg-conf.age;
+ "mesh-conf-cleslie".file = ./mesh-conf-cleslie.age;
+ "mesh-conf-infra".file = ./mesh-conf-infra.age;
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8bed17e..08e52fb 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,4 +7,6 @@ let
 allSystems = builtins.attrValues systems;
 in {
 "wg-conf.age".publicKeys = keys.c ++ allSystems;
+ "mesh-conf-infra.age".publicKeys = keys.c ++ allSystems;
+ "mesh-conf-cleslie.age".publicKeys = keys.c ++ allSystems;
 }
diff --git a/secrets/wg-conf.age b/secrets/wg-conf.age
index 7ec71f6..8e4bf6e 100644
Binary files a/secrets/wg-conf.age and b/secrets/wg-conf.age differ
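Review bot: Both new secrets in secrets/secrets-configuration.nix are declared unconditionally and, in secrets/secrets.nix, both are encrypted to `keys.c ++ allSystems`, so every host decrypts both pre-auth keys at boot even though artemis only consumes `mesh-conf-cleslie` and hermes only `mesh-conf-infra` (per the two configuration.nix hunks); a compromise of either host therefore also exposes the other host's enrollment key. Scope each file to its own host in secrets.nix, e.g. `"mesh-conf-infra.age".publicKeys = keys.c ++ [systems.hermes];` (assuming `systems` is keyed by hostname — its definition is outside this hunk), and declare the matching `age.secrets.mesh-conf-*` entry only in the host that uses it instead of this shared file. If the headscale pre-auth keys are reusable rather than single-use, prefer single-use or ephemeral keys so a leaked file cannot enroll additional nodes.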