diff --git a/systems/x86_64-linux/attic/headscale-policy.hujson b/systems/x86_64-linux/attic/headscale-policy.hujson
new file mode 100644
index 0000000..06e1fe6
--- /dev/null
+++ b/systems/x86_64-linux/attic/headscale-policy.hujson
@@ -0,0 +1,28 @@
+{
+ "tagOwners": {
+ "tag:llm": ["harald@"],
+ },
+ "hosts": {
+ "halo": "100.64.0.3",
+ },
+ "autoApprovers": {
+ "exitNode": ["tag:llm"],
+ },
+ "acls": [
+ {
+ "action": "accept",
+ "src": ["tag:llm"],
+ "dst": ["halo:8000"],
+ },
+ {
+ "action": "accept",
+ "src": ["harald@"],
+ "dst": ["harald@:*"],
+ },
+ {
+ "action": "accept",
+ "src": ["harald@"],
+ "dst": ["autogroup:internet:*"],
+ },
+ ],
+}
diff --git a/systems/x86_64-linux/attic/headscale.nix b/systems/x86_64-linux/attic/headscale.nix
index 08b1a3c..fe52221 100644
--- a/systems/x86_64-linux/attic/headscale.nix
+++ b/systems/x86_64-linux/attic/headscale.nix
@@ -25,6 +25,10 @@ in
 client_secret_path = "/var/lib/headscale/client_secret";
 issuer = "https://nc.hoyer.xyz";
 };
+ policy = {
+ mode = "file";
+ path = toString ./headscale-policy.hujson;
+ };
 };
 };
diff --git a/systems/x86_64-linux/mx/default.nix b/systems/x86_64-linux/mx/default.nix
index 4b0c4a5..8e07450 100644
--- a/systems/x86_64-linux/mx/default.nix
+++ b/systems/x86_64-linux/mx/default.nix
@@ -26,7 +26,11 @@
 ./users.nix
 ];
- services.tailscale.enable = true;
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "server";
+ extraSetFlags = [ "--advertise-exit-node" ];
+ };
 metacfg = {
 services.nginxBase.enable = true;
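Review bot: The `hosts` entry pins `halo` to the tailnet address `100.64.0.3`, so the `tag:llm` to `halo:8000` rule follows whichever node holds that address rather than a node identity; if the node is re-registered or the address is handed to another machine, the rule silently applies to the wrong host. Consider tagging that node and using the tag as the destination, or at least record the assumption in a comment such as `// halo: address must match the node list on the headscale server`. As far as I can tell from the ACL semantics, `harald@:*` covers only devices owned by the user, so once this file is enforced no rule lets `harald@` reach nodes carrying `tag:llm`; if that is intended, a one-line comment saying so would help the next reader. The file has no comments at all, and HuJSON allows them.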
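Review bot: `path = toString ./headscale-policy.hujson;` turns the path into a plain string, so the ACL file is referenced where it sits in the evaluated source tree instead of being copied into the store as its own immutable path. Under a flake that still resolves inside the store, but with a non-flake evaluation it would point at the checkout, where the file could be missing on the target host or edited outside the build; the evaluation mode is not visible here, so this is an inference. Passing the path value directly, `path = ./headscale-policy.hujson;`, should let the settings serializer copy the file into the store; confirm that against the module's option type. The enclosing attribute sets start and end outside the hunk.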
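Review bot: The policy added in this commit auto-approves exit nodes only for `tag:llm`, and nothing in this hunk passes `--advertise-tags` or otherwise shows mx carrying that tag, so unless the node is tagged elsewhere the advertised exit node will sit waiting for manual approval. `useRoutingFeatures = "server"` also enables IP forwarding on a host that runs nginx (`services.nginxBase.enable = true` just below), which deserves a comment stating the intent, for example `# exit node for tailnet clients; enables IP forwarding, approval via attic/headscale-policy.hujson`. It would be worth checking that the host firewall only forwards traffic arriving on the tailscale interface.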