diff --git a/flake.nix b/flake.nix index 33b30b8..ed2f36e 100644 --- a/flake.nix +++ b/flake.nix @@ -20,7 +20,7 @@ in { nixosConfigurations = { - gateway = kclib.mkHost "gateway" "x86_64-linux"; + tailscale-proxy = kclib.mkHost "tailscale-proxy" "x86_64-linux"; entrypoint = kclib.mkHost "entrypoint" "x86_64-linux"; }; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style; diff --git a/hosts/base.nix b/hosts/base.nix index ba59127..f7ca25d 100644 --- a/hosts/base.nix +++ b/hosts/base.nix @@ -2,8 +2,7 @@ ... }: { - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + nixpkgs.config.allowUnfree = true; kropcloud = { admin = { @@ -13,6 +12,11 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUnlAjPnMwJYgZb7YuholdTxifOEFnAyXVqI+xFlHw6 krop@lenar" ]; }; + services = { + ssh = { + enable = true; + }; + }; }; system.stateVersion = "24.11"; diff --git a/hosts/gateway.nix b/hosts/gateway.nix deleted file mode 100644 index b021e28..0000000 --- a/hosts/gateway.nix +++ /dev/null @@ -1 +0,0 @@ -{ }: { } diff --git a/hosts/tailscale-proxy.nix b/hosts/tailscale-proxy.nix new file mode 100644 index 0000000..aa0449c --- /dev/null +++ b/hosts/tailscale-proxy.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + kropcloud = { + services = { + tailscale = { + enable = true; + asRouter.enable = true; + }; + }; + }; +} diff --git a/lib.nix b/lib.nix index b763a87..f45f642 100644 --- a/lib.nix +++ b/lib.nix @@ -3,17 +3,25 @@ inputs, }: { - mkHost = name: arch: { - nixpkgs.lib.nixosSystem = { + mkHost = + name: arch: + nixpkgs.lib.nixosSystem { system = arch; modules = [ ./hosts/base.nix ./hosts/${name}.nix ./nixosModules + ( + { ... }: + { + config = { + networking.hostName = name; + }; + } + ) ]; specialArgs = { inherit inputs; }; }; - }; } diff --git a/nixosModules/default.nix b/nixosModules/default.nix index 7335a40..03cdb17 100644 --- a/nixosModules/default.nix +++ b/nixosModules/default.nix 
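Review bot: Removing `boot.loader.systemd-boot.enable` and `boot.loader.efi.canTouchEfiVariables` from hosts/base.nix leaves no bootloader configuration anywhere in this diff, so unless each host's hardware configuration (not shown) sets one, the rebuilt generations will fail to install or boot; confirm where the loader settings moved. The line that replaces them, `nixpkgs.config.allowUnfree = true;`, is a fleet-wide policy change that lets any unfree package into every host's closure without review, and nothing added in this commit visibly needs it. Prefer an allowlist naming the one package that requires it, e.g. `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "<package>" ];` (base.nix would need `lib` in its argument set), or drop the setting until something needs it.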
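Review bot: Enabling `kropcloud.services.ssh` in hosts/base.nix turns sshd on for every host, and because the ssh module this calls leaves NixOS's `services.openssh.openFirewall` at its default of `true`, TCP 22 is opened on every interface of every host, including the new tailscale-proxy. For hosts meant to be administered only over the tailnet, close the public port and allow it on the tunnel interface instead, `services.openssh.openFirewall = false;` with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];`, keeping the public port only on the host that must be reachable from outside. Note that the single `admin` key in the block just above is now the one credential gating every host's sshd; a comment stating that this is intended would help.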
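Review bot: `asRouter.enable = true;` in hosts/tailscale-proxy.nix advertises a subnet without naming it, so the route this host exposes to the tailnet is whatever `kropcloud.services.tailscale.asRouter.subnet` defaults to in the module (`192.168.1.0/24` in this diff), which is easy to ship without noticing. The advertised range is the security-relevant fact about this host and belongs in the host file, e.g. `asRouter.subnet = "192.168.1.0/24";` beside `asRouter.enable = true;`, even when it matches the default. A one-line comment naming the network behind that range would make the intent reviewable.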
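Review bot: The inline module appended to `modules` in `mkHost` wraps a single setting in a function and a `config` attrset, which is more ceremony than it needs; the plain attrset module `{ networking.hostName = name; }` is equivalent and reads as the one line it is. A short comment above `mkHost`, e.g. `# Build a nixosSystem for hosts/<name>.nix on top of base.nix and nixosModules, with hostName set to <name>.`, would document what callers in flake.nix get back.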
@@ -1,6 +1,8 @@ -{ }: +{ ... }: { imports = [ + ./services + ./networking ./users ./locale ]; diff --git a/nixosModules/networking/default.nix b/nixosModules/networking/default.nix new file mode 100644 index 0000000..cf6ae06 --- /dev/null +++ b/nixosModules/networking/default.nix @@ -0,0 +1,26 @@ +{ + config, + lib, + ... +}: +let + cfg = config.kropcloud.networking; +in +{ + options.kropcloud.networking = { + enable = lib.mkOption { + type = lib.types.bool; + description = "Whence to configure networking"; + default = true; + example = false; + }; + }; + config = lib.mkIf cfg.enable { + networking = { + nftables.enable = true; + firewall = { + checkReversePath = "loose"; + }; + }; + }; +} diff --git a/nixosModules/services/default.nix b/nixosModules/services/default.nix new file mode 100644 index 0000000..76b5211 --- /dev/null +++ b/nixosModules/services/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./ssh + ./tailscale + ]; +} diff --git a/nixosModules/services/ssh/default.nix b/nixosModules/services/ssh/default.nix new file mode 100644 index 0000000..ed3cbee --- /dev/null +++ b/nixosModules/services/ssh/default.nix @@ -0,0 +1,22 @@ +{ + config, + lib, + ... +}: +let + cfg = config.kropcloud.services.ssh; +in +{ + options.kropcloud.services.ssh = { + enable = lib.mkEnableOption "Whence to enable sshd service."; + }; + config = lib.mkIf cfg.enable { + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; + }; +} diff --git a/nixosModules/services/tailscale/default.nix b/nixosModules/services/tailscale/default.nix new file mode 100644 index 0000000..e51b4f4 --- /dev/null +++ b/nixosModules/services/tailscale/default.nix 
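Review bot: `networking.firewall.checkReversePath = "loose";` in the new networking module applies to every host, because `kropcloud.networking.enable` defaults to `true`, yet only the tailscale subnet router plausibly needs the relaxed reverse-path filter; on the other hosts it weakens source-address spoofing protection for no benefit. Move it next to the feature that needs it, e.g. into the tailscale module under `lib.mkIf cfg.asRouter.enable`, or at minimum add a comment here naming which host or feature requires loose mode. The option description `"Whence to configure networking"` should read `"Whether to configure networking"`, and a one-line comment on why nftables is enabled fleet-wide would help the next reader.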
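Review bot: The new ssh module sets `PasswordAuthentication = false` but not `KbdInteractiveAuthentication`, which NixOS's openssh module defaults to `true`, so password logins via PAM keyboard-interactive remain possible; add `KbdInteractiveAuthentication = false;` beside it. Consider also stating `openFirewall` explicitly, since the NixOS default of `true` opens port 22 on all interfaces wherever this module is enabled. The `mkEnableOption` argument is inserted after "Whether to enable", so `"Whence to enable sshd service."` renders as "Whether to enable Whence to enable sshd service.."; pass `"the sshd service"` instead.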
@@ -0,0 +1,30 @@ +{ + config, + lib, + ... +}: +let + cfg = config.kropcloud.services.tailscale; +in +{ + options.kropcloud.services.tailscale = { + enable = lib.mkEnableOption "Whence to enable tailscale service."; + asRouter = { + enable = lib.mkEnableOption "Whence to configure tailscale as router."; + subnet = lib.mkOption { + type = lib.types.str; + default = "192.168.1.0/24"; + example = "192.168.1.0/24"; + description = "The subnet to expose"; + }; + }; + }; + config = lib.mkIf cfg.enable { + services.tailscale = { + enable = true; + openFirewall = true; + useRoutingFeatures = lib.mkIf cfg.asRouter.enable "server"; + extraSetFlags = lib.mkIf cfg.asRouter.enable [ "--advertise-routes=${cfg.asRouter.subnet}" ]; + }; + }; +}
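Review bot: `asRouter.subnet` carries `default = "192.168.1.0/24"`, so any host that sets `asRouter.enable = true` without a subnet silently advertises a concrete private range into the tailnet; for a route-advertising option the safe default is none, so that evaluation fails until the operator names the range. Drop the `default = "192.168.1.0/24";` line and keep `example`, and since `--advertise-routes` accepts a comma-separated list, `lib.types.listOf lib.types.str` joined with `lib.concatStringsSep ","` would model that instead of splicing one string into the flag. The three descriptions use "Whence" where "Whether" is meant, and `mkEnableOption` already prepends "Whether to enable", so `"the tailscale service"` and `"tailscale subnet routing"` are enough. A comment explaining why `useRoutingFeatures = "server"` must accompany `--advertise-routes` would help a reader who has not used the NixOS tailscale module before.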