diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix
index 0c540a78..1a915ab4 100644
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -31,19 +31,20 @@ in
     ../../modules/firewall
     ../../modules/fonts
     ../../modules/gaming
-    ../../modules/networking
+    ../../modules/hcloud
     ../../modules/keyboard
     ../../modules/localization
+    ../../modules/networking
     ../../modules/nvidia
     (import ../../modules/secrets { inherit lib inputs config; })
     ../../modules/ssh
     ../../modules/storage
     ../../modules/stylix
     ../../modules/syncthing
+    ../../modules/tailscale
     ../../modules/users
     ../../modules/wol
     ../../modules/yubikey
-    ../../modules/hcloud
   ];
 
   home-manager.users.${config.host.username} = import ../../home/hosts/andromache {
@@ -62,7 +63,11 @@ in
     inherit (config.host) username;
     nixSigningKey.enable = true;
   };
+
+  tailscale.enable = true;
+
   docker.user = config.host.username;
+
   hcloud = {
     enable = true;
     inherit (config.host) username;
diff --git a/modules/tailscale/default.nix b/modules/tailscale/default.nix
new file mode 100644
index 00000000..1511deb1
--- /dev/null
+++ b/modules/tailscale/default.nix
@@ -0,0 +1,17 @@
+{
+  lib,
+  config,
+  ...
+}:
+{
+  options.tailscale = {
+    enable = lib.mkEnableOption "tailscale";
+  };
+
+  config = lib.mkIf config.tailscale.enable {
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+    };
+  };
+}