diff --git a/nixos/boxes/brix/default.nix b/nixos/boxes/brix/default.nix
index 3cc50923..54854140 100644
--- a/nixos/boxes/brix/default.nix
+++ b/nixos/boxes/brix/default.nix
@@ -6,6 +6,8 @@
 ../../server-security.nix
 ../cli.nix
 ../vpn.nix
+ ../../tailscale.nix
+ ./tailscale-brix.nix
 ./restic-server.nix
 ./i2p.nix
 ./print-server.nix
diff --git a/nixos/boxes/brix/tailscale-brix.nix b/nixos/boxes/brix/tailscale-brix.nix
new file mode 100644
index 00000000..23b51a2d
--- /dev/null
+++ b/nixos/boxes/brix/tailscale-brix.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, inputs, lib, ... }:
+{
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ # set this service as a oneshot job
+ serviceConfig.Type = "oneshot";
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up -authkey tskey-abb12c2c0f365cfda4f897c7
+ '';
+ };
+}
diff --git a/nixos/security.nix b/nixos/security.nix
index ade00546..f921f204 100644
--- a/nixos/security.nix
+++ b/nixos/security.nix
@@ -7,6 +7,7 @@
 security.virtualisation.flushL1DataCache = "always";
 security.apparmor.enable = true;
 services.haveged.enable = true;
+ networking.firewall.enable = true;
 boot.kernelParams = [
 "page_poison=1"
 "page_alloc.shuffle=1"
diff --git a/nixos/tailscale.nix b/nixos/tailscale.nix
new file mode 100644
index 00000000..ee467a6c
--- /dev/null
+++ b/nixos/tailscale.nix
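Review bot: The Tailscale auth key is committed as a literal on the last script line of tailscale-brix.nix (`tailscale up -authkey tskey-…`), so anyone with read access to this repository or its history can enrol a machine of their own into the tailnet; that key should be treated as disclosed and revoked in the Tailscale admin console, and its replacement read at runtime from a root-only file deployed outside the repo, e.g. `${tailscale}/bin/tailscale up -authkey "$(cat <path-to-authkey-file>)"`, or by dropping this unit in favour of the module's `services.tailscale.authKeyFile` option. The state check leaves `$status` unquoted, so if tailscaled has not answered after the fixed `sleep 2` and the result is empty the test degenerates to `[ = "Running" ]` and errors instead of falling through to `up`; write `if [ "$status" = "Running" ]; then`. The `inputs` and `lib` arguments on the first line are unused and can be removed.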
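Review bot: In the security.nix hunk, `networking.firewall.enable = true;` is already the NixOS default, so the line changes nothing by itself; its effect is that any later module setting the option to `false` now raises a conflicting-definition error at evaluation instead of silently disabling the firewall. That intent is not obvious to a reader who knows the default, so state it: `# default is already true; declared here so a host module cannot silently disable the firewall`.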
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+ environment.systemPackages = [ pkgs.tailscale ];
+ services.tailscale.enable = true;
+ networking.firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+}
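Review bot: `trustedInterfaces = [ "tailscale0" ]` exempts the entire tailnet interface from the firewall, so every service on this host that listens on all addresses becomes reachable from any peer on the tailnet, which is a broader grant than "let Tailscale work" and is shared by every box that imports this file. If only specific services need to be reachable over the tailnet, drop that line and open them per interface with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ … ];`, which keeps the firewall in force on tailscale0; if full trust is deliberate, a comment saying so above the line would help the next reader. `environment.systemPackages = [ pkgs.tailscale ]` looks redundant, since enabling `services.tailscale` appears to install the package already — worth confirming against the module before removing it.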