diff --git a/machines/warwick.nix b/machines/warwick.nix
index a53159c..f8c2af6 100644
--- a/machines/warwick.nix
+++ b/machines/warwick.nix
@@ -3,8 +3,11 @@
 arch = "aarch64-linux";
 isRaspberryPi = true;
- nixosModule = {
- lab.monitoring.server.enable = true;
+ nixosModule = { lib, ... }: {
+ lab = {
+ monitoring.server.enable = true;
+ tailscale.advertiseExitNode = true;
+ };
 services.bird2 = {
 enable = false;
diff --git a/nixos-modules/networking/default.nix b/nixos-modules/networking/default.nix
index e07f8c5..df36440 100644
--- a/nixos-modules/networking/default.nix
+++ b/nixos-modules/networking/default.nix
@@ -2,12 +2,10 @@
 config = {
 networking = {
 domain = "dmz";
- nftables.enable = true;
+ nftables.enable = lib.mkDefault true;
 useDHCP = false;
- firewall = {
- enable = true;
- };
+ firewall.enable = lib.mkDefault true;
 };
 systemd.network = {
diff --git a/nixos-modules/tailscale.nix b/nixos-modules/tailscale.nix
index 0edd968..796e528 100644
--- a/nixos-modules/tailscale.nix
+++ b/nixos-modules/tailscale.nix
@@ -1,12 +1,26 @@
-{ config, ... }: {
+{ lib, config, ... }:
+let
+ cfg = config.lab.tailscale;
+in
+{
+ options = {
+ lab.tailscale.advertiseExitNode = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
 config = {
 services.tailscale = {
 enable = true;
 authKeyFile = config.sops.secrets."tailscale/authKey".path;
+ useRoutingFeatures = "server";
+ openFirewall = true;
 extraUpFlags = [
 "--hostname=${config.networking.hostName}"
- ];
+ ] ++ lib.lists.optional cfg.advertiseExitNode "--advertise-exit-node" ++ lib.lists.optional cfg.advertiseExitNode "--advertise-routes=192.168.30.0/24";
 };
 sops.secrets."tailscale/authKey" = { };
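Review bot: `nixosModule` is turned into a function `{ lib, ... }: { ... }`, but nothing in the hunk uses `lib`; if the rest of the module (which continues outside the hunk) does not need it either, the plain attribute-set form the hunk removes can stay. Setting `tailscale.advertiseExitNode = true` on this Raspberry Pi makes it the host that forwards tailnet traffic onward (the same commit ties an exit-node flag and a `192.168.30.0/24` route to that option), so the intent deserves a why-comment next to it, e.g. `tailscale.advertiseExitNode = true; # warwick routes tailnet traffic to the LAN and the internet`. The enclosing attribute set starts and ends outside the hunk.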
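Review bot: Downgrading `nftables.enable` and `firewall.enable` to `lib.mkDefault true` lets any plain `networking.firewall.enable = false;` elsewhere in the tree switch the host firewall off silently, which is a weaker baseline than the unconditional `true` the hunk removes, and nothing else in this commit appears to need the override (the tailscale module sets `openFirewall`, which as far as I recall only adds a port). Unless a specific host is meant to opt out, keep `firewall.enable = true;` non-default and loosen only what a host actually overrides; if an opt-out is intended, say which one: `firewall.enable = lib.mkDefault true; # mkDefault: <host> overrides this deliberately`. The module's argument list is above the hunk, so I cannot confirm that `lib` is already among its inputs; the new lines evaluate only if it is.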
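Review bot: `--advertise-routes=192.168.30.0/24` is gated on the same `cfg.advertiseExitNode` boolean as `--advertise-exit-node`, so one option grants two different things — internet egress for the whole tailnet and a route into the LAN — and the CIDR is hard-coded in a module every host imports. Keep `advertiseExitNode` for the exit-node flag and add a `lab.tailscale.advertiseRoutes` list option (default `[ ]`) that produces the routes flag, so a host can advertise a subnet without becoming an exit node and the network is named at the machine, not in the shared module. `useRoutingFeatures = "server"` and `openFirewall = true` are also now unconditional for every importer; if I recall the NixOS module correctly, "server" turns on IP forwarding, which only the routing host needs, so deriving it from the options keeps the other machines as they were. Both options also lack a `description`; the fence below adds them.
```nix
  options = {
    lab.tailscale.advertiseExitNode = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Advertise this host as a tailnet exit node (--advertise-exit-node).";
    };
    lab.tailscale.advertiseRoutes = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [ "192.168.30.0/24" ];
      description = "Subnets to advertise with --advertise-routes; empty means none.";
    };
  };

  config = {
    services.tailscale = {
      # … unchanged: enable, authKeyFile, openFirewall …
      # only a host that actually routes needs forwarding turned on
      useRoutingFeatures =
        if cfg.advertiseExitNode || cfg.advertiseRoutes != [ ] then "server" else "none";
      extraUpFlags = [
        "--hostname=${config.networking.hostName}"
      ] ++ lib.lists.optional cfg.advertiseExitNode "--advertise-exit-node"
        ++ lib.lists.optional (cfg.advertiseRoutes != [ ])
          "--advertise-routes=${lib.concatStringsSep "," cfg.advertiseRoutes}";
    };
    # … unchanged: sops.secrets …
```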