diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
index b81dbf3..c96fc35 100644
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@@ -123,7 +123,10 @@ in
 enable = true;
 };
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ exitNode = true;
+ };
 tgv = {
 enable = true;
diff --git a/services/tailscale.nix b/services/tailscale.nix
index 75fef50..cb239df 100644
--- a/services/tailscale.nix
+++ b/services/tailscale.nix
@@ -8,6 +8,9 @@ in
 {
 options.my.services.tailscale = {
 enable = lib.mkEnableOption "Tailscale";
+
+ # NOTE: still have to do `tailscale up --advertise-exit-node`
+ exitNode = lib.mkEnableOption "Use as exit node";
 };
 config = mkIf cfg.enable {
@@ -27,7 +30,7 @@ in
 };
 # enable IP forwarding to use as exit node
- boot.kernel.sysctl = {
+ boot.kernel.sysctl = mkIf cfg.exitNode {
 "net.ipv6.conf.all.forwarding" = true;
 "net.ipv4.ip_forward" = true;
 };
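Review bot: The description passed to `lib.mkEnableOption` for `exitNode` in services/tailscale.nix reads badly once rendered, because `mkEnableOption` prefixes it with "Whether to enable", giving "Whether to enable Use as exit node." The manual `tailscale up --advertise-exit-node` step is recorded only in a source comment, so it never reaches the generated option documentation. As far as the visible hunks show, the option only gates the forwarding sysctls and does not advertise the node. I would fold both facts into the description, for example `exitNode = lib.mkEnableOption "IP forwarding so this host can serve as a Tailscale exit node (still requires tailscale up --advertise-exit-node)";`.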
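Review bot: The sysctls now gated by `mkIf cfg.exitNode` in services/tailscale.nix enable forwarding on every interface, not just the Tailscale one. A host with `exitNode = true` will therefore route between any networks it is attached to unless the firewall's forward path restricts it, and no such rule is visible in this hunk. Setting `net.ipv6.conf.all.forwarding` also makes Linux ignore router advertisements on interfaces left at the default `accept_ra=1`, so the host can lose its own SLAAC address or default route. I would extend the existing comment to say so, for example `# NOTE: forwarding is global; limit forwarded traffic to the Tailscale interface in the firewall and set accept_ra=2 on the uplink if it relies on RAs`. It is also worth checking whether the nixpkgs option `services.tailscale.useRoutingFeatures = "server"` can replace the hand-set sysctls. The enclosing `config = mkIf cfg.enable { … }` block starts and ends outside the hunk.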