diff --git a/kiosk.nix b/kiosk.nix
index f9808c5..ea9ad55 100644
--- a/kiosk.nix
+++ b/kiosk.nix
@@ -35,4 +35,20 @@ in
     enable = true;
     pulse.enable = true;
   };
+
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [ "--advertise-tags" "tag:kiosk" ];
+    authKeyFile = ./tailscale-client-secret.key;
+    authKeyParameters.ephemeral = false;
+    openFirewall = true;
+  };
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "yes";
+    };
+  };
 }
diff --git a/tailscale-client-secret.key b/tailscale-client-secret.key
new file mode 100644
index 0000000..a991e7f
Binary files /dev/null and b/tailscale-client-secret.key differ