diff --git a/modules/nixos/base/secrets.nix b/modules/nixos/base/secrets.nix
index e4a2799..14685a1 100644
--- a/modules/nixos/base/secrets.nix
+++ b/modules/nixos/base/secrets.nix
@@ -17,9 +17,7 @@ in {
   age.secrets = {
     tailscale-auth = mkIf tailscale.enable {
       file = "${self}/secrets/tailscale-auth.age";
-      owner = "${admin.name}";
-      group = "users";
-      mode = "400";
+      mode = "444";
     };
     github_key = mkIf admin.homeManager {
       file = "${self}/secrets/github_key.age";
diff --git a/modules/nixos/base/tailscale.nix b/modules/nixos/base/tailscale.nix
index 47a80f2..26ab237 100644
--- a/modules/nixos/base/tailscale.nix
+++ b/modules/nixos/base/tailscale.nix
@@ -24,7 +24,7 @@ in {
     # flags to pass to the auto-connect service
     extraUpFlags = concatLists [
       ["--ssh"]
-      (optionals (admin.name != null) ["--operator ${admin.name}"])
+      ["--operator" "${admin.name}"]
       (optionals host.exitNode ["--advertise-exit-node"])
     ];