diff --git a/constants.nix b/constants.nix
index af7c34a..44b9422 100644
--- a/constants.nix
+++ b/constants.nix
@@ -3,12 +3,15 @@ rec {
 hosts = {
 sid = {
 ip = "100.64.0.6";
+ domain = "sid.tail";
 };
 rx4 = {
 ip = "100.64.0.10";
+ domain = "rx4.tail";
 };
 vde = {
 ip = "100.64.0.1";
+ domain = "vde.tail";
 };
 };
 services = {
diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix
index 8d9b55a..adb3296 100644
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@@ -1,10 +1,9 @@
 {
 inputs,
+ constants,
 ...
 }:
-# TODO: use constants.nix
-
 {
 imports = [
 inputs.synix.nixosModules.headplane
@@ -14,20 +13,20 @@
 services.resolved.enable = false;
 networking.resolvconf.enable = false;
- networking.nameservers = [ "100.64.0.6" ];
+ networking.nameservers = [ constants.hosts.sid.ip ];
 services.coredns = {
 enable = true;
- config = ''
+ config = with constants; ''
 .:53 {
- bind 100.64.0.6
+ bind ${hosts.sid.ip}
 hosts {
- 100.64.0.6 sid.tail
- 100.64.0.6 netdata.sid.tail
- 100.64.0.10 rx4.tail
- 100.64.0.10 dav.rx4.tail
- 100.64.0.10 pw.rx4.tail
- 100.64.0.1 vde.tail
+ ${hosts.sid.ip} sid.tail
+ ${hosts.sid.ip} netdata.sid.tail
+ ${hosts.rx4.ip} rx4.tail
+ ${hosts.rx4.ip} dav.rx4.tail
+ ${hosts.rx4.ip} pw.rx4.tail
+ ${hosts.vde.ip} vde.tail
 fallthrough
 }
 forward . 1.1.1.1
@@ -62,7 +61,7 @@
 nameservers = {
 global = [ "1.1.1.1" ];
 split = {
- "tail" = [ "100.64.0.6" ];
+ "tail" = [ constants.hosts.sid.ip ];
 };
 };
 };
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index d3aaba8..74c1c64 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -1,5 +1,6 @@
 {
 inputs,
+ config,
 constants,
 lib,
 ...
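Review bot: The hosts block of the coredns config still hard-codes `sid.tail`, `rx4.tail` and `vde.tail` even though this commit adds `hosts.<name>.domain` to constants.nix and the nginx vhost and `tailscale cert` call in the same commit rely on exactly those names resolving here; interpolating the constant, e.g. `${hosts.sid.ip} ${hosts.sid.domain}` and `${hosts.sid.ip} netdata.${hosts.sid.domain}`, keeps the DNS zone, the certificate name and the vhost from drifting apart. The same applies to the rx4 and vde entries. A point of style: `with constants;` makes every attribute of constants implicitly available to the interpolations, and in Nix a lexically bound `hosts` from an enclosing `let` would silently take precedence over `constants.hosts`; the explicit `constants.hosts.sid.ip` form already used on the nameservers line avoids that. The coredns config string continues past the end of the hunk.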
@@ -15,10 +16,33 @@ in
 inputs.synix.nixosModules.nginx
 ];
+ users.users.nginx.extraGroups = [ "tailscale" ];
+ systemd.services.nginx.serviceConfig = {
+ SupplementaryGroups = [ "tailscale" ];
+ Requires = [ "tailscaled.service" ];
+ After = [ "tailscaled.service" ];
+ };
+
+ systemd.services."generate-tailscale-certs-${constants.hosts.sid.domain}" = {
+ wantedBy = [ "multi-user.target" ];
+ before = [ "nginx.service" ];
+ after = [ "tailscaled.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${config.services.tailscale.package}/bin/tailscale cert ${constants.hosts.sid.domain}";
+ User = "root";
+ };
+ };
+
 services.nginx = {
 enable = true;
 openFirewall = true;
 forceSSL = ssl;
+ virtualHosts."${constants.hosts.sid.domain}" = {
+ sslCertificate = "/var/lib/tailscale/certs/${constants.hosts.sid.domain}.crt";
+ sslCertificateKey = "/var/lib/tailscale/certs/${constants.hosts.sid.domain}.key";
+ forceSSL = true;
+ };
 virtualHosts."${constants.services.docs.fqdn}" = mkVirtualHost {
 inherit ssl;
 address = constants.hosts.rx4.ip;
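Review bot: `Requires` and `After` are `[Unit]`-section directives, but the hunk places them under `systemd.services.nginx.serviceConfig`, which NixOS renders into the `[Service]` section, so as far as I can tell systemd reports them as unknown keys there and ignores them — nginx gets the supplementary group but not the ordering against tailscaled; use the NixOS options `systemd.services.nginx.requires = [ "tailscaled.service" ];` and `systemd.services.nginx.after = [ "tailscaled.service" ];` instead. The `generate-tailscale-certs-…` oneshot runs once per boot with no schedule, and the certificates `tailscale cert` obtains are short-lived, so on a long-running host nginx will keep serving an expiring certificate; giving the unit a `startAt` schedule (or a timer) and running `systemctl reload nginx.service` after a successful run fixes that, and passing `--cert-file`/`--key-file` makes the command write to the path nginx reads rather than relying on the CLI's default output location, which I believe is the working directory. Nothing in the hunk creates a `tailscale` group or makes the files under `/var/lib/tailscale/certs` group-readable, so the `extraGroups`/`SupplementaryGroups` lines either do nothing or, if the group exists and covers more than the certs directory, hand the web server read access to more tailscale state than the one `.key` it needs; confirm exactly what that group grants, or have the oneshot copy the cert pair to an nginx-owned path with a tight mode. The `services.nginx` attribute set continues past the end of the hunk.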