diff --git a/configs/common.nix b/configs/common.nix index 1373f64..49fcc54 100644 --- a/configs/common.nix +++ b/configs/common.nix @@ -15,7 +15,10 @@ let rootPassword = _utils.setupSingleSecret config "rootPassword" { }; secrets = _utils.setupSharedSecrets config { - secrets = [ "userPassword" ]; + secrets = [ + "userPassword" + "tailscaleKey" + ]; }; in { @@ -185,6 +188,11 @@ in tailscale = { enable = true; useRoutingFeatures = "both"; + extraUpFlags = [ + "--ssh" + "--stateful-filtering" + ]; + authKeyFile = secrets.get "tailscaleKey"; }; }; diff --git a/flake.lock b/flake.lock index 317048c..269eba4 100644 --- a/flake.lock +++ b/flake.lock @@ -92,11 +92,11 @@ ] }, "locked": { - "lastModified": 1741352980, - "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", + "lastModified": 1740872218, + "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", + "rev": "3876f6b87db82f33775b1ef5ea343986105db764", "type": "github" }, "original": { @@ -132,11 +132,11 @@ ] }, "locked": { - "lastModified": 1741345870, - "narHash": "sha256-KTpoO4oaucdFr3oJJBYpGK+aWVVrLvtiT17EQE7Cf4Y=", + "lastModified": 1741217763, + "narHash": "sha256-g/TrltIjFHIjtzKY5CJpoPANfHQWDD43G5U1a/v5oVg=", "owner": "nix-community", "repo": "home-manager", - "rev": "04c915bcf1a1eac3519372ff3185beef053fba7c", + "rev": "486b066025dccd8af7fbe5dd2cc79e46b88c80da", "type": "github" }, "original": { @@ -161,11 +161,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1741259028, - "narHash": "sha256-QWgGXe9Ai8+hSwNEAqLjZoAvLwV3ywDzT+XBpfMOzuU=", + "lastModified": 1741001137, + "narHash": "sha256-XxWib5eI3rgMPA4VzDHOx89WT76IN/ZNb+votz5gakw=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "3a3ed972151121c8b159eb40e0be21146270e73b", + "rev": "cc9786aa8158437facead0d8e21ac0c03be91dc8", "type": "github" }, "original": { 
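Review bot: The `--ssh` and `--stateful-filtering` flags added in the second common.nix hunk (`tailscale = { … }`) go through `extraUpFlags`, which the NixOS module, as far as I know, only passes to `tailscale up` from the autoconnect unit while the node still needs to log in. Hosts that already joined the tailnet would then keep their previous settings, so some machines would filter statefully and others not, with nothing in the config showing the difference. If the pinned nixpkgs provides it, `extraSetFlags = [ "--ssh" "--stateful-filtering" ];` applies the settings on every activation; please confirm that the packaged `tailscale set` accepts both flags. Because this lives in common.nix, a comment such as `# Tailscale SSH is on for every host; who may log in is decided by the tailnet policy's ssh rules` would also help the next reader. The enclosing attribute set starts and ends outside the hunk.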
@@ -184,11 +184,11 @@ "treefmt-nix": [] }, "locked": { - "lastModified": 1741334526, - "narHash": "sha256-X1KnK3i5h3lriG5YsKNUu5gV2XWbS75BwPU9IxGvG1w=", + "lastModified": 1741244761, + "narHash": "sha256-nwP0O2Vnie/e6oJvXOtUxH+s1KM7V7VsaESdPfXakX8=", "owner": "soopyc", "repo": "mystia", - "rev": "5ad3fb05e1bab655a0928a6475888a8670a018a7", + "rev": "f6f297ceebebbdf7267cf3ca80d2ef51e44b1373", "type": "github" }, "original": { @@ -220,11 +220,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741246872, - "narHash": "sha256-Q6pMP4a9ed636qilcYX8XUguvKl/0/LGXhHcRI91p0U=", + "lastModified": 1741173522, + "narHash": "sha256-k7VSqvv0r1r53nUI/IfPHCppkUAddeXn843YlAC5DR0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "10069ef4cf863633f57238f179a0297de84bd8d3", + "rev": "d69ab0d71b22fa1ce3dbeff666e6deb4917db049", "type": "github" }, "original": { @@ -276,11 +276,11 @@ ] }, "locked": { - "lastModified": 1741228283, - "narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=", + "lastModified": 1740364262, + "narHash": "sha256-X5EtT29uEtXN2E4bDiDU2HGBdmFHjHf1KbP6iKP0cmg=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403", + "rev": "7c5892ad87b90d72668964975eebd4e174ff6204", "type": "github" }, "original": { diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e6e9799..2b398e0 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,6 +17,7 @@ let in { "shared/userPassword.age".publicKeys = all; + "shared/tailscaleKey.age".publicKeys = all; "shared/frpToken.age".publicKeys = all; "shared/vmAuthToken.age".publicKeys = all; diff --git a/secrets/shared/tailscaleKey.age b/secrets/shared/tailscaleKey.age new file mode 100644 index 0000000..1c143fb --- /dev/null +++ b/secrets/shared/tailscaleKey.age 
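Review bot: `"shared/tailscaleKey.age".publicKeys = all;` in secrets/secrets.nix encrypts one auth key to every recipient in `all`, so the key presumably has to be a reusable one, and every host that can decrypt it holds a credential that enrols new nodes into the tailnet. Nothing in the file records how the key was issued; a comment above the line would capture that, for example `# reusable, tagged auth key; expires <DATE>, rotate by re-encrypting this file`. If per-host keys are not practical, binding the key to a tag with narrow ACLs and a short expiry limits what a leaked copy is worth. The definition of `all` is outside the hunk, so the exact recipient set is not visible here.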
@@ -0,0 +1,16 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TlI1TGVYQ2ZlaTZ0Ukti +U0lwenM1ekxDdk0rWi9rc21IeG9XMzFnZlNNClJVeUlkMEVXSE9ZZ2xMblB0MzFB +TXJldHBIak0vcmgvWHZyc2VYOE10ZzgKLT4gWDI1NTE5IHRpK2FBajgzdURmcGlN +VkhOWWdydUtvQnQ2M3RNQ0ZSWGdaWEhFRjdXUlEKVTZqK3dRNUpOTHlKRmgxOGV2 +SFRRR0NYNTVrd3JmUGxlR2V0Ni9PTWNncwotPiBYMjU1MTkgMCtQNlNUcXdBNlcv +aVNtTG1zUVJnTlhROFpPMnFpYnJ2VE1hZUdsK0V4cwp6YjBHM0dxdFNxazQzQ2JB +UENVdTVhQlZ4UExHeFkxc2NBcnBSamFyMXRrCi0+IFgyNTUxOSBwU0x3OHdZK2M3 +dThsT1RJUXJRT1JwZHBZU2NxTVpZT2YxclUyZ3ErUEVjCldCZm9CTUNVc0VqRjYv +bXR6NTdxYjRlSFo1c2FXcDBjbFp0RTMrUnNpVFkKLT4gWDI1NTE5IDRDYlYveXFp +MXRHWDhCT2xYWnp1VG9SeFJoUlBXeVBZMUdSeFoyamhtVlkKd000RGFENDRPcmI4 +MXN6UzZ0NlBjdHhMekE2Y1pleS9KZDUwK1NSZDg3ZwotLS0gakpkcmFXSTFYY3dh +c3BnNVR6YlNwc0Vhb01tTmJDMXlLNnhMdDNyZmZoZwrs7Ped4A7zJSqVybjIWVMx +BS8q3idSQVElJMDuyj3u+wPRnk5umxX570vxgljO/McVLvg2/UMFfmG747Ug5jub +Q/ASEMsQZghPWXQUpfNXSmpfPzg0MNx2dDRyOGnlog== +-----END AGE ENCRYPTED FILE-----