diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index d3aaba8..74c1c64 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -1,5 +1,6 @@
 {
   inputs,
+  config,
   constants,
   lib,
   ...
@@ -15,10 +16,33 @@ in
     inputs.synix.nixosModules.nginx
   ];
 
+  users.users.nginx.extraGroups = [ "tailscale" ];
+  systemd.services.nginx.serviceConfig = {
+    SupplementaryGroups = [ "tailscale" ];
+    Requires = [ "tailscaled.service" ];
+    After = [ "tailscaled.service" ];
+  };
+
+  systemd.services."generate-tailscale-certs-${constants.hosts.sid.domain}" = {
+    wantedBy = [ "multi-user.target" ];
+    before = [ "nginx.service" ];
+    after = [ "tailscaled.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${config.services.tailscale.package}/bin/tailscale cert ${constants.hosts.sid.domain}";
+      User = "root";
+    };
+  };
+
   services.nginx = {
     enable = true;
     openFirewall = true;
     forceSSL = ssl;
+    virtualHosts."${constants.hosts.sid.domain}" = {
+      sslCertificate = "/var/lib/tailscale/certs/${constants.hosts.sid.domain}.crt";
+      sslCertificateKey = "/var/lib/tailscale/certs/${constants.hosts.sid.domain}.key";
+      forceSSL = true;
+    };
     virtualHosts."${constants.services.docs.fqdn}" = mkVirtualHost {
       inherit ssl;
       address = constants.hosts.rx4.ip;
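Review bot: `Requires` and `After` inside the new `systemd.services.nginx.serviceConfig` block are `[Unit]`-section directives, but `serviceConfig` is rendered into `[Service]`, so systemd will report them as unknown keys and ignore them — nginx ends up with no ordering on tailscaled or on the cert oneshot at all; use the NixOS unit-level options instead: `systemd.services.nginx.requires = [ "tailscaled.service" ];` and `systemd.services.nginx.after = [ "tailscaled.service" "generate-tailscale-certs-${constants.hosts.sid.domain}.service" ];`. The oneshot runs `tailscale cert` with no `--cert-file`/`--key-file`, which writes `DOMAIN.crt`/`DOMAIN.key` into the unit's working directory (`/` when none is set) while the vhost reads `/var/lib/tailscale/certs/`, so nginx is presumably relying on tailscaled's own cache rather than on the files this unit produces; passing explicit `--cert-file`/`--key-file` paths makes the producer and consumer agree and lets you pick a mode the key is written with. Reading the private key via membership in the `tailscale` group only works if tailscaled's state directory is group-readable, and that directory also holds the node state, so confirm what that group can actually read and consider a dedicated certs directory with the key chowned `root:nginx` mode 0640 instead. The certificate is fetched once at boot; `tailscale cert` renews when run near expiry, so a `systemd.timers` entry re-running the oneshot and reloading nginx is needed for hosts that stay up longer than the certificate lifetime. `User = "root";` is systemd's default and can be dropped.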