diff --git a/base/programs.nix b/base/programs.nix
index f5667b0..5d69fe2 100644
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -3,7 +3,6 @@
 fish.enable = true;
 less.enable = true;
 mosh.enable = true;
- tmux.enable = true;
 # setcap wrapper for network permissions
 bandwhich.enable = true;
@@ -21,12 +20,12 @@
 inherit (pkgs)
 # shell usage
-
- bat
+ fd
 file
 ripgrep
 sd
+ tmux
 tokei
 tree
 wget
@@ -34,25 +33,38 @@
 pciutils
 usbutils
 # development
-
- agenix
+ alejandra
 git
 git-crypt
 git-lfs
 gnumake
 gnupg
+ kakoune
 pinentry-qt
 python3
 vim
 # terminal utilities
+ bottom
 dogdns
 du-dust
 htop
 ldns # drill
+ tealdeer
 unzip
 zip
+ # nix pkgs lookup
+
+ nix-index
+ agenix
+ cachix
+ ;
+
+ inherit
+ (pkgs.llvmPackages_16)
+ bintools
+ clang
 ;
 };
 }
diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix
index f820f69..c6d9c3f 100644
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@@ -75,10 +75,7 @@
 pipewire.enable = true;
- tailscale = {
- enable = true;
- useRoutingFeatures = "both";
- };
+ tailscale.enable = true;
 };
 services = {
diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix
index 0e4191b..0cb891b 100644
--- a/hosts/hades/default.nix
+++ b/hosts/hades/default.nix
@@ -133,7 +133,7 @@ in {
 tailscale = {
 enable = true;
- useRoutingFeatures = "server";
+ exitNode = true;
 };
 transmission = {
diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix
index 5d4cced..f5cf2e4 100644
--- a/hosts/hephaestus/default.nix
+++ b/hosts/hephaestus/default.nix
@@ -49,11 +49,7 @@
 # List services that you want to enable:
 my.services = {
- tailscale = {
- enable = true;
- useRoutingFeatures = "client";
- };
-
+ tailscale.enable = true;
 pipewire.enable = true;
 restic-backup = {
diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix
index 15cf5ce..5a6711d 100644
--- a/hosts/thanatos/default.nix
+++ b/hosts/thanatos/default.nix
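Review bot: The new `# nix pkgs lookup` heading only describes `nix-index`, yet `agenix` and `cachix` are listed beneath it after a stray blank line, so the grouping misleads the next reader; a broader heading such as `# nix tooling`, or moving `agenix` back under `# development` where this hunk removes it, would keep the section comments accurate. The hunk also adds `inherit (pkgs.llvmPackages_16) bintools clang;` to the system profile without saying why that specific LLVM major is needed, so a one-line comment such as `# pinned: <reason>` above it would save a future bump from guessing.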
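Review bot: `tailscale.enable = true;` replaces `useRoutingFeatures = "both"` here and in hosts/thanatos/default.nix, so neither host keeps the server-side IP forwarding the old value implied; under the rewritten module they only receive the loose reverse-path setting, and any subnet routes or exit-node service they advertised would stop working with no evaluation error to flag it. If that loss is intended it is worth stating in the commit message; if not, `tailscale.exitNode = true;` as in hosts/hades/default.nix restores forwarding. The enclosing `my.services` attrset starts before this hunk.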
@@ -28,10 +28,7 @@ in {
 # List services that you want to enable:
 my.services = {
- tailscale = {
- enable = true;
- useRoutingFeatures = "both";
- };
+ tailscale.enable = true;
 };
 services = {
diff --git a/services/tailscale.nix b/services/tailscale.nix
index 6de7cc0..41fe9f8 100644
--- a/services/tailscale.nix
+++ b/services/tailscale.nix
@@ -8,30 +8,34 @@
 (lib)
 mkEnableOption
 mkIf
- mkOption
- types
 ;
 cfg = config.my.services.tailscale;
 in {
 options.my.services.tailscale = {
 enable = mkEnableOption "Tailscale";
- useRoutingFeatures = mkOption {
- type = types.enum [ "none" "client" "server" "both" ];
- default = "none";
- };
+
+ # NOTE: still have to do `tailscale up --advertise-exit-node`
+ exitNode = mkEnableOption "Use as exit node";
 };
 config = mkIf cfg.enable {
 services.tailscale = {
 enable = true;
 package = pkgs.tailscale;
- openFirewall = true;
- useRoutingFeatures = cfg.useRoutingFeatures;
 };
 networking.firewall = {
- trustedInterfaces = [config.services.tailscale.interfaceName];
+ trustedInterfaces = ["tailscale0"];
+ allowedUDPPorts = [config.services.tailscale.port];
+ # needed for exit node usage
+ checkReversePath = mkIf (!cfg.exitNode) "loose";
+ };
+
+ # enable IP forwarding to use as exit node
+ boot.kernel.sysctl = mkIf cfg.exitNode {
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv4.ip_forward" = true;
 };
 };
 }
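Review bot: `checkReversePath = mkIf (!cfg.exitNode) "loose";` relaxes reverse-path filtering on every host that enables this module and is not an exit node, whereas the removed `useRoutingFeatures` enum defaulted to `"none"` and only loosened it for hosts explicitly opted in as a client; loose rp_filter switches off the kernel's source-address sanity check on all interfaces, so it should stay opt-in. A dedicated option such as `useExitNode = mkEnableOption "routing this host's traffic through a Tailscale exit node";` paired with `checkReversePath = mkIf cfg.useExitNode "loose";` keeps the old granularity, and the comment above it should say the setting is for hosts that route *through* an exit node rather than for the exit node itself, since the `!cfg.exitNode` condition otherwise reads as inverted against "needed for exit node usage". Separately, `trustedInterfaces = ["tailscale0"];` hardcodes the interface name that the removed line took from `config.services.tailscale.interfaceName`; restoring that reference keeps the firewall-bypassing trusted interface in step with whatever name the service is configured to create. Minor: `mkEnableOption "Use as exit node"` renders as "Whether to enable Use as exit node.", so a noun phrase such as `"acting as a Tailscale exit node"` reads better in generated docs.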