diff --git a/flake.lock b/flake.lock
index af48ee2..8cee96c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,71 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1754433428,
+ "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1744478979,
+ "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1758589230,
@@ -18,8 +84,24 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "nixpkgs": "nixpkgs"
 }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 3a54375..f1228c7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,9 +3,15 @@
 inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
- outputs = { self, nixpkgs }: {
+ inputs.agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = { self, nixpkgs, agenix }: {
 nixosConfigurations.homelab = nixpkgs.lib.nixosSystem {
 modules = [
+ agenix.nixosModules.default
 ./configuration.nix
 ./hardware-configuration.nix
 ./networking/host.nix
@@ -13,6 +19,11 @@
 ./users.nix
 ./networking/ssh.nix
 ./networking/adblock.nix
+ ./networking/vpn-host.nix
+ {
+ environment.systemPackages = [ agenix.packages.x86_64-linux.default ];
+ age.secrets.tailscale.file = ./tailscale.age;
+ }
 ];
 };
 };
diff --git a/networking/vpn-host.nix b/networking/vpn-host.nix
new file mode 100644
index 0000000..61ec979
--- /dev/null
+++ b/networking/vpn-host.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }: {
+ environment.systemPackages = [ pkgs.tailscale ];
+
+ services.tailscale.enable = true;
+
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic oneshot connection to tailscale";
+
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = with pkgs; ''
+ sleep 2
+
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ ${tailscale}/bin/tailscale up -authkey ${config.age.secrets.tailscale.path}
+ '';
+ };
+
+ networking.firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ allowedTCPPorts = [ 22 ];
+ };
+}
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..fb0196c
--- /dev/null
+++ b/secrets.nix
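Review bot: The new `inputs.agenix` block only overrides `nixpkgs`, so agenix's own `darwin` and `home-manager` inputs are fetched and locked as well — the flake.lock hunk shows nix-darwin pinned from `ref: master` plus a home-manager tree — even though this flake builds a single NixOS host. Adding `inputs.darwin.follows = "";` and `inputs.home-manager.follows = "";` next to the existing `inputs.nixpkgs.follows = "nixpkgs";` drops those two trees from what is downloaded and implicitly trusted on every `nix flake update`, and keeps the lockfile limited to inputs you actually review (agenix's README, as I recall, recommends exactly this for NixOS-only consumers). Keep the `rev` pinning from flake.lock as is; the follows lines only shrink the closure.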
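Review bot: The inline module hard-codes `agenix.packages.x86_64-linux.default` while `nixosSystem` is called without an explicit `system`, so the architecture is spelled out in exactly one place and will silently diverge if the host ever moves to another platform. Taking `pkgs` in the module and deriving it keeps it in step with the rest of the build: `({ pkgs, ... }: { environment.systemPackages = [ agenix.packages.${pkgs.stdenv.hostPlatform.system}.default ]; age.secrets.tailscale.file = ./tailscale.age; })`. A short comment such as `# agenix CLI on the host, for editing .age files in place; secret declarations live below` would also tell the next reader why a secrets tool ends up in `systemPackages` rather than only in a dev shell.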
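Review bot: The line `tailscale up -authkey ${config.age.secrets.tailscale.path}` passes the path of the decrypted secret (a file under agenix's runtime directory) as the auth key rather than its contents, so the one-shot unit will fail to authenticate unless the pinned tailscale CLI accepts a bare path, which as far as I know it only does with an explicit `file:` prefix. The cleanest fix is to delete the hand-rolled `tailscale-autoconnect` unit and use the module's own option, `services.tailscale = { enable = true; authKeyFile = config.age.secrets.tailscale.path; };`, which runs `tailscale up` with a `file:` reference so the key is never exposed on a command line or in `ps`. If you keep the custom unit, use `--auth-key "file:${config.age.secrets.tailscale.path}"`, quote the comparison as `[ "$status" = "Running" ]`, and order it after `network-online.target` instead of `network-pre.target`, which is reached before any interface is configured and makes the `sleep 2` a race. Separately, `allowedTCPPorts = [ 22 ]` opens SSH on every interface while `tailscale0` is already in `trustedInterfaces`; if the point of this host is SSH over the tailnet only, remove that entry (and check that `networking/ssh.nix`, outside this hunk, does not open it too).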
@@ -0,0 +1,8 @@
+let
+ user1 =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICM04gDcfAxf6i51b+jtrWTE3MBumhkzxqH/exINSQgx";
+ machine1 =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINptuT84VNef3qdFdkqj5kbJtnzoenWcOwcWbdOqQxld root@labtop";
+ users = [ user1 machine1 ];
+in { "tailscale.age".publicKeys = users; }
+
diff --git a/tailscale.age b/tailscale.age
new file mode 100644
index 0000000..1e9f635
Binary files /dev/null and b/tailscale.age differ
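Review bot: Decryption at activation only works if one recipient is the target host's own SSH host key (agenix by default reads the host's `/etc/ssh/ssh_host_ed25519_key` through `age.identityPaths`), but the second key is labeled `root@labtop`, which reads like a root user key on a laptop rather than the homelab's host key; if that is what it is, `tailscale.age` cannot be decrypted on the homelab and `age.secrets.tailscale.path` will never exist. Verify it against `cat /etc/ssh/ssh_host_ed25519_key.pub` on the homelab and name the bindings after what they are, e.g. `homelabHost = "ssh-ed25519 … root@homelab";` and `admin = …` instead of `machine1` and `user1`. A leading comment such as `# Recipients for agenix: each listed key can decrypt every secret below; run 'agenix -r' after changing this list, editing this file alone re-encrypts nothing` would help the next editor, since this file is read only by the agenix CLI and is not imported by the flake. Because any one of these private keys unlocks the Tailscale auth key, prefer a short-expiry, single-use or tagged key on the Tailscale side so a leaked recipient key has limited value.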