diff --git a/modules/system/homelab/dash.nix b/modules/system/homelab/dash.nix
index 88ca461..cd6a999 100644
--- a/modules/system/homelab/dash.nix
+++ b/modules/system/homelab/dash.nix
@@ -53,14 +53,15 @@
 [ "Proxy" "https://proxy.${homelab.domain}/" ]
 ];
 services = [
- [ "PocketID" "authentik" "https://auth.proxy.${homelab.domain}" "http://localhost:1411/" ]
+ [ "PocketID" "authentik" "https://auth.${homelab.domain}" "http://localhost:1411/" ]
+ [ "Forgejo" "forgejo" "https://git.${homelab.domain}" "http://localhost:5080/" ]
 [ "AdGuardHome" "adguard" "https://dns.proxy.${homelab.domain}" "http://localhost:8088/" ]
 [ "ApacheHTTPD" "apache" "https://cdn.proxy.${homelab.domain}" "http://localhost:3000/" ]
- [ "Forgejo" "forgejo" "https://git.proxy.${homelab.domain}" "http://localhost:5080/" ]
- [ "Dockge" "docker" "https://containers.proxy.${homelab.domain}" "http://localhost:5001/" ]
- [ "Ollama" "ollama" "https://ai.proxy.${homelab.domain}" "http://localhost:8080/" ]
- [ "Guacamole" "apacheguacamole" "https://remote.proxy.${homelab.domain}" "http://localhost:8085/guacamole/" ]
 [ "Immich" "immich" "https://gallery.proxy.${homelab.domain}" "http://localhost:2283/" ]
+ [ "VaultWarden" "vaultwarden" "https://pass.proxy.${homelab.domain}" "http://localhost:8060/" ]
+ [ "Ollama" "ollama" "https://ai.proxy.${homelab.domain}" "http://localhost:8080/" ]
+ [ "Dockge" "docker" "https://containers.proxy.${homelab.domain}" "http://localhost:5001/" ]
+ [ "Guacamole" "apacheguacamole" "https://remote.proxy.${homelab.domain}" "http://localhost:8085/guacamole/" ]
 ];
 bookmarks = [
 [ "Tailscale" "tailscale" "https://login.tailscale.com/" ]
@@ -70,7 +71,10 @@
 [ "ZeroTier" "zerotier" "https://my.zerotier.com" ]
 ];
 in {
- users.users.glance.extraGroups = [ "docker" ];
+ users.users.glance = {
+ extraGroups = [ "docker" ];
+ isSystemUser = true;
+ };
 services.glance = {
 enable = true;
 environmentFile = "/var/lib/glance/.env";
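Review bot: In the second hunk `users.users.glance` gains `isSystemUser = true;` but no `group`; recent NixOS releases require a group for every declared user (the "group is unset" assertion), so unless the glance module already defines this user with one, evaluation will fail — if so, add `group = "glance";` together with `users.groups.glance = {};`. The retained `extraGroups = [ "docker" ];` deserves a note as well: membership in the docker group is equivalent to root on the host through the Docker socket, so this line grants the dashboard user full host privileges; if glance only needs container status, a read-only socket proxy would limit that. A comment such as `# docker group == root-equivalent; glance can control every container` above it would make the trade-off explicit.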
diff --git a/modules/system/homelab/pass.nix b/modules/system/homelab/pass.nix
new file mode 100644
index 0000000..6114a98
--- /dev/null
+++ b/modules/system/homelab/pass.nix
@@ -0,0 +1,12 @@
+{ homelab, ... }: {
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ DOMAIN = "pass.proxy.${homelab.domain}";
+ SIGNUPS_ALLOWED = true;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8060;
+ ROCKET_LOG = "critical";
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/system/homelab/proxy.nix b/modules/system/homelab/proxy.nix
index a561530..1f98b01 100644
--- a/modules/system/homelab/proxy.nix
+++ b/modules/system/homelab/proxy.nix
@@ -11,12 +11,14 @@
 # "jkt" = { dest = "http://localhost:9117"; auth = false; };
 # "media" = { dest = "http://localhost:8096"; auth = false; };
+ "auth" = { dest = "http://localhost:1411"; auth = false; };
+ "git" = { dest = "http://localhost:5080"; auth = false; };
+ "containers" = { dest = "http://localhost:5001"; auth = false; };
 "gallery" = { dest = "http://localhost:2283"; auth = false; };
 "remote" = { dest = "http://localhost:8085"; auth = false; };
- "auth" = { dest = "http://localhost:1411"; auth = false; };
+ "pass" = { dest = "http://localhost:8060"; auth = false; };
 "cdn" = { dest = "http://localhost:3000"; auth = false; };
- "git" = { dest = "http://localhost:5080"; auth = false; };
 "@" = { dest = "http://localhost:5070"; auth = false; };
 };
 in {
diff --git a/modules/system/homelab/tunnels.nix b/modules/system/homelab/tunnels.nix
new file mode 100644
index 0000000..a12cc15
--- /dev/null
+++ b/modules/system/homelab/tunnels.nix
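Review bot: `DOMAIN = "pass.proxy.${homelab.domain}";` in pass.nix omits the scheme; Vaultwarden expects the full origin that clients use, so this should read `DOMAIN = "https://pass.proxy.${homelab.domain}";`, otherwise the web vault links and WebAuthn origin checks will not match. `SIGNUPS_ALLOWED = true;` on a password manager that proxy.nix publishes under `pass` with `auth = false` lets anyone who can reach the proxy register an account; once the intended users exist this should become `SIGNUPS_ALLOWED = false;` (or be narrowed with `SIGNUPS_DOMAINS_WHITELIST`) and new users added through invitations. `ROCKET_LOG = "critical";` presumably also silences the request log, which is the evidence you would want when reviewing failed logins against this service — worth a comment stating that choice.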
@@ -0,0 +1,14 @@
+{ homelab, ... }: {
+ services.cloudflared = {
+ enable = true;
+ tunnels.homelab = {
+ credentialsFile = "/mnt/data/cloudflared/homelab.json";
+ default = "http_status:404";
+ ingress = {
+ "git.${homelab.domain}" = "http://localhost:3000";
+ "auth.${homelab.domain}" = "http://localhost:1411";
+ "gallery.${homelab.domain}" = "http://localhost:2284";
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/system/server.nix b/modules/system/server.nix
index 29bc8ee..46fcec7 100644
--- a/modules/system/server.nix
+++ b/modules/system/server.nix
@@ -1,12 +1,21 @@
-{ lib, ... }: {
+{ lib, ... }: let
+ ts-flags = [
+ "--advertise-exit-node"
+ "--advertise-routes=10.3.14.0/24,192.168.1.0/24"
+ "--ssh" "--webclient"
+ ];
+in {
 imports = [
+ ./homelab/tunnels.nix
+ ./homelab/mesh.nix
 ./homelab/containers.nix
- ./homelab/gallery.nix
 ./homelab/remote.nix
+ ./homelab/gallery.nix
 # ./homelab/media.nix # wip
 ./homelab/share.nix
 ./homelab/proxy.nix
 ./homelab/auth.nix
+ ./homelab/pass.nix
 ./homelab/dash.nix
 ./homelab/dns.nix
 ./homelab/git.nix
@@ -16,8 +25,14 @@
 ./base.nix
 ];
- specialisation.safe-mode.configuration = {};
-
+ services.tailscale = {
+ enable = true;
+ authKeyFile = "/mnt/data/tailscale/authkey";
+ useRoutingFeatures = "server";
+ extraUpFlags = ts-flags;
+ extraSetFlags = ts-flags;
+ };
+
 virtualisation = {
 oci-containers.backend = "docker";
 docker = {
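Review bot: The tunnel ingress ports in tunnels.nix disagree with the rest of this commit: `"git.${homelab.domain}" = "http://localhost:3000"` points at the port that dash.nix and proxy.nix assign to ApacheHTTPD (`cdn`) while Forgejo is on 5080, and `"gallery.${homelab.domain}" = "http://localhost:2284"` while Immich is on 2283 everywhere else. Unless those services also listen on the extra ports, the public `git.` hostname will serve the CDN content and `gallery.` will return the tunnel's error page; the intended lines are presumably `"git.${homelab.domain}" = "http://localhost:5080";` and `"gallery.${homelab.domain}" = "http://localhost:2283";`. These three rules also bypass the local proxy and publish PocketID, Forgejo and Immich directly to the internet, so a Cloudflare Access policy (or equivalent) in front of at least the gallery is worth considering, and a comment on the `ingress` block stating that these hosts are internet-facing would record that decision.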
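Review bot: `./homelab/mesh.nix` is imported in the first server.nix hunk but no such file is added by this diff; if it does not already exist in the tree, evaluation fails on a missing path — worth confirming before merge. The `ts-flags` list makes this host an exit node, advertises `10.3.14.0/24` and `192.168.1.0/24` to the tailnet, and enables Tailscale SSH and the web client, so tailnet access becomes LAN and shell access to this machine; the routes and exit node still need approval in the admin console and SSH should be constrained by a tailnet ACL. A short comment above the list would make that dependency explicit, e.g. `# exit node + LAN routes + Tailscale SSH: access is gated by tailnet ACLs, not by this host`. The second hunk consumes the same list via `extraUpFlags` and `extraSetFlags`; the `authKeyFile` path under `/mnt/data` suggests a separate mount, which the service would need before it starts — confirm ordering if that is the case.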