diff --git a/modules/services/tailscale/default.nix b/modules/services/tailscale/default.nix
new file mode 100644
index 0000000..d7a7d5e
--- /dev/null
+++ b/modules/services/tailscale/default.nix
@@ -0,0 +1,50 @@
+{
+ options,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.aa.services.tailscale;
+in {
+ options.aa.services.tailscale = with types; {
+ enable = mkEnableOption "tailscale";
+ configureClientRouting = mkOption {
+ type = bool;
+ default = false;
+ description = mdDoc ''
+ Configures tailscale as a client.
+
+ See `options.services.tailscale.useRoutingFeatures` for more information.
+ '';
+ };
+ configureServerRouting = mkOption {
+ type = bool;
+ default = false;
+ description = mdDoc ''
+ Configures tailscale as a server.
+
+ See `options.services.tailscale.useRoutingFeatures` for more information.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [pkgs.tailscale];
+ networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = mkIf (cfg.configureClientRouting || cfg.configureServerRouting) (
+ if (cfg.configureClientRouting && cfg.configureServerRouting)
+ then "both"
+ else
+ (
+ if cfg.configureClientRouting
+ then "client"
+ else "server"
+ )
+ );
+ };
+ };
+}
diff --git a/systems/x86_64-linux/carbon/default.nix b/systems/x86_64-linux/carbon/default.nix
index 29b1d11..c9be65d 100644
--- a/systems/x86_64-linux/carbon/default.nix
+++ b/systems/x86_64-linux/carbon/default.nix
@@ -10,7 +10,6 @@
# Include the results of the hardware scan.
./hardware-configuration-zfs.nix
./zfs.nix
- ./vpn.nix
]; aa = {
@@ -27,6 +26,10 @@
apps.tmux.enable = true; services.printing.enable = true;
+ services.tailscale = {
+ enable = true;
+ configureClientRouting = true;
+ };
hardware.audio.enable = true; };
diff --git a/systems/x86_64-linux/carbon/vpn.nix b/systems/x86_64-linux/carbon/vpn.nix
deleted file mode 100644
index 29ebf1a..0000000
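Review bot: The two option descriptions in modules/services/tailscale/default.nix ("Configures tailscale as a client." / "Configures tailscale as a server.") do not tell the reader what enabling them does to the host, and that is the security-relevant part: as far as I recall the upstream `useRoutingFeatures` values `"server"`/`"both"` turn on the IPv4/IPv6 forwarding sysctls and `"client"`/`"both"` relax `networking.firewall.checkReversePath` to `loose`, so someone flipping `configureServerRouting` should be told the machine becomes a forwarding router; suggest `Configures tailscale as a subnet router / exit node; note this enables IP forwarding on the host (see options.services.tailscale.useRoutingFeatures).` and the client-side equivalent mentioning the reverse-path filter. The parenthesised nested conditional under `useRoutingFeatures` reads more simply as `if cfg.configureClientRouting && cfg.configureServerRouting then "both" else if cfg.configureClientRouting then "client" else "server"`. The line `networking.firewall.allowedUDPPorts = [config.services.tailscale.port];` duplicates what upstream's `services.tailscale.openFirewall` does if the pinned nixpkgs provides that option; using it keeps the opened port tied to a single declaration.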
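Review bot: The `# TODO: Enable SSH via tailscale` reminder and the note about keeping `services.openssh.openFirewall = false;` from the deleted carbon/vpn.nix are dropped in the second carbon hunk without a replacement in either the host config or the new module; if SSH-over-tailscale is still planned, carry the reminder over next to the new block, e.g. `# TODO: Enable SSH via tailscale (moved from vpn.nix)`. Behaviour otherwise appears to match the removed file: `configureClientRouting = true` maps to the previous `useRoutingFeatures = "client"`, and the firewall port is now taken from `config.services.tailscale.port` instead of the hard-coded 41641, which I believe is the upstream default. The enclosing `aa = { ... }` attribute set begins before the hunk.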
--- a/systems/x86_64-linux/carbon/vpn.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- # enable the tailscale daemon; this will do a
- # variety of tasks:
- # 1. create the TUN network device
- # 2. setup some IP routes to route through the TUN
- services.tailscale = {
- enable = true;
- useRoutingFeatures = "client"; # Make sure to pass `--accept-routes` to `tailscale up`
- };
-
- # Let's open the UDP port with which the network is tunneled through
- networking.firewall.allowedUDPPorts = [41641];
-
- # Disable SSH access through the firewall Only way into the machine will be
- # through This may cause a chicken & egg problem since you need to register
- # a machine first using `tailscale up`
- # Better to rely on EC2 SecurityGroups
- # services.openssh.openFirewall = false;
-
- # Let's make the tailscale binary avilable to all users
- environment.systemPackages = [pkgs.tailscale];
-
- # TODO: Enable SSH via tailscale
-}
diff --git a/systems/x86_64-linux/gospel/default.nix b/systems/x86_64-linux/gospel/default.nix
index 1fe4020..4ecaed1 100644
--- a/systems/x86_64-linux/gospel/default.nix
+++ b/systems/x86_64-linux/gospel/default.nix
@@ -10,7 +10,6 @@
# Include the results of the hardware scan.
./hardware-configuration.nix
./zfs.nix
- ./vpn.nix
]; aa = {
@@ -33,6 +32,11 @@
subdomain_name = "gospel"; }; services.printing.enable = true;
+ services.tailscale = {
+ enable = true;
+ configureClientRouting = true;
+ configureServerRouting = true;
+ };
hardware.audio.enable = true; };
diff --git a/systems/x86_64-linux/gospel/vpn.nix b/systems/x86_64-linux/gospel/vpn.nix
deleted file mode 100644
index 291372a..0000000
--- a/systems/x86_64-linux/gospel/vpn.nix
+++ /dev/null
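Review bot: The added `configureServerRouting = true;` in the second gospel hunk changes gospel's behaviour rather than merely relocating its config: the deleted gospel/vpn.nix only set `services.tailscale = {enable = true;};` with no routing features, whereas the new block turns on both client and server routing, which (if the upstream option behaves as I recall) enables the IP-forwarding sysctls on the host and relaxes the reverse-path filter. If that is intended it belongs in the commit message or in a comment next to the block, e.g. `# gospel acts as a subnet router; this enables IP forwarding on the host`; if not, drop `configureServerRouting = true;` so the commit stays a pure refactor. The enclosing `aa = { ... }` attribute set begins before the hunk.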
@@ -1,23 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- # enable the tailscale daemon; this will do a
- # variety of tasks:
- # 1. create the TUN network device
- # 2. setup some IP routes to route through the TUN
- services.tailscale = {enable = true;};
-
- # Let's open the UDP port with which the network is tunneled through
- networking.firewall.allowedUDPPorts = [41641];
-
- # Disable SSH access through the firewall Only way into the machine will be
- # through This may cause a chicken & egg problem since you need to register
- # a machine first using `tailscale up`
- # Better to rely on EC2 SecurityGroups
- # services.openssh.openFirewall = false;
-
- # Let's make the tailscale binary avilable to all users
- environment.systemPackages = [pkgs.tailscale];
-}