diff --git a/nixos/modules/base/networking/tailscale.nix b/nixos/modules/base/networking/tailscale.nix index 38fcdc6..7391d8e 100644 --- a/nixos/modules/base/networking/tailscale.nix +++ b/nixos/modules/base/networking/tailscale.nix @@ -8,47 +8,30 @@ in { config = mkIf cfg.enable { - services.tailscale = { enable = true; useRoutingFeatures = mkDefault "both"; - # permitCertUid = "root"; + permitCertUid = "root"; extraUpFlags = cfg.flags.final; + authKeyFile = "${config.age.secrets.tailscale-auth.path}"; }; - networking.firewall = { allowedUDPPorts = [tailscale.port]; trustedInterfaces = ["${tailscale.interfaceName}"]; checkReversePath = "loose"; }; - + users = { + groups.tailscaled = {}; + users.tailscaled = { + group = "tailscaled"; + isSystemUser = true; + }; + }; systemd.network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"]; environment.systemPackages = [ pkgs.tailscale ]; # disable tailscale logging systemd.services.tailscaled.serviceConfig.Environment = mkBefore ["TS_NO_LOGS_NO_SUPPORT"]; - - systemd.services.tailscale-autoconnect = mkIf cfg.autoconnect { - description = "Automatic connection to Tailscale"; - - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig.Type = "oneshot"; - - script = /* bash */ '' - sleep 2 - - status="$(${tailscale.package}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - - if [ $status = "Running" ]; then - exit 0 - fi - - ${tailscale.package}/bin/tailscale up ${toString tailscale.extraUpFlags} - ''; - }; }; } diff --git a/nixos/modules/host/admin.nix b/nixos/modules/host/admin.nix index 415deab..7eeb6f4 100644 --- a/nixos/modules/host/admin.nix +++ b/nixos/modules/host/admin.nix @@ -1,4 +1,4 @@ -{ lib, config, pkgs, inputs, outputs, self, ... }: +{ lib, config, pkgs, inputs, outputs, self, keys, ... }: let cfg = config.ooknet.host.admin; 
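Review bot: The `tailscaled` user and group added in the `users = { ... }` block are not wired to anything in this hunk — no `serviceConfig.User`/`Group` or `DynamicUser` setting for `systemd.services.tailscaled` is visible, so the daemon still runs as whatever account the upstream module selects (root, unless changed elsewhere) and the new account appears unused. If the intent is to drop privileges, the unit needs `systemd.services.tailscaled.serviceConfig.User = "tailscaled";` and the agenix secret behind `authKeyFile` needs a matching `owner`/`mode`, otherwise the key file is unreadable by the service. Separately, `authKeyFile = "${config.age.secrets.tailscale-auth.path}";` is now set unconditionally, so any host enabling this module without declaring that secret fails to evaluate, and the same path is still appended as `--authkey file:…` to the flags that feed `extraUpFlags` in the `nixos/options/host.nix` hunk at line 98, so the key is supplied twice — keep one of the two (the `authKeyFile` option, since the hand-written autoconnect unit is gone). The string interpolation is also redundant; `authKeyFile = config.age.secrets.tailscale-auth.path;` is enough.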
@@ -12,7 +12,7 @@ in isNormalUser = true; shell = pkgs.${cfg.shell}; initialPassword = "password"; - openssh.authorizedKeys.keys = [ "${cfg.sshKey}" ]; + openssh.authorizedKeys.keys = [ (keys.users."${cfg.name}") ]; extraGroups = [ "wheel" "video" diff --git a/nixos/options/host.nix b/nixos/options/host.nix index 6da4f94..2c6a8a1 100644 --- a/nixos/options/host.nix +++ b/nixos/options/host.nix @@ -75,8 +75,7 @@ in tags = mkOption { type = listOf str; default = - if tailscale.client then ["tag:client"] - else if tailscale.server then ["tag:server"] + if tailscale.server then ["tag:server"] else []; description = "Sets host tag depending on if server/client"; }; @@ -98,7 +97,7 @@ in tailscale.flags.default (optionals (tailscale.authkey != null) ["--authkey file:${config.age.secrets.tailscale-auth.path}"]) (optionals (tailscale.operator != null) ["--operator ${tailscale.operator}"]) - (optionals (tailscale.tags != []) ["--advertise-tags" (concatStringsSep "," tailscale.tags)]) + # (optionals (tailscale.tags != []) ["--advertise-tags" (concatStringsSep "," tailscale.tags)]) (optionals tailscale.server ["--advertise-exit-node"]) ]; };
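Review bot: `openssh.authorizedKeys.keys = [ (keys.users."${cfg.name}") ];` assumes `keys.users` holds exactly one key string per admin name; if an entry is a list the option receives a nested list and the type check fails, and if `cfg.name` has no entry evaluation aborts with a bare attribute-missing error instead of a message pointing at this module. Keep the hard failure (do not fall back to an empty key list) but make it explicit, e.g. `assertions = [{ assertion = keys.users ? ${cfg.name}; message = "no SSH key registered in keys.users for admin ${cfg.name}"; }];`. The `sshKey` option that `cfg.sshKey` previously read appears to be unused after this change, so a key set there is silently ignored — remove it or mark it deprecated in its description. The quotes around `${cfg.name}` are unnecessary; `keys.users.${cfg.name}` is the usual form.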
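Review bot: The `description = "Sets host tag depending on if server/client";` on the `tags` option is now stale — the new default only ever yields `["tag:server"]` and `tailscale.client` no longer influences it; change it to something like `"Tailscale ACL tags for this host; defaults to [\"tag:server\"] when tailscale.server is set, else empty"`. With the `--advertise-tags` line commented out in the hunk at line 98, this option's value is no longer consumed anywhere visible, so the default change has no effect on the node's registration; either state in the description how tags are meant to be applied now or remove the option with its dead default.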
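Review bot: The `--advertise-tags` flag is disabled by commenting the line out rather than removing it, leaving dead code in the flag list with no record of why it was dropped; either delete it together with the now-unused `tags` option or add a comment stating the reason. If the tailnet ACL grants exit-node or routing permissions based on `tag:server`, a host with `tailscale.server` set now joins untagged unless the auth key itself was created as a tagged key — confirm that before merging, since `--advertise-exit-node` on the next line still depends on that tag being approved. The `--authkey file:` entry two lines above this one now duplicates `authKeyFile` set in `tailscale.nix`; see the note on that hunk.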