diff --git a/common/tailscale.nix b/common/tailscale.nix
index a6337d6..16cffcd 100644
--- a/common/tailscale.nix
+++ b/common/tailscale.nix
@@ -1,8 +1,21 @@
+{ config, lib, pkgs, ... }:
+
 {
   services.tailscale = {
     enable = true;
     openFirewall = true;
-    extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; # TODO: doesn't work (nixos bug); needs connecting/specifying manually
+    extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ];
     extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry
   };
+
+  systemd.services.tailscaled-autoconnect = {
+    after = [ "tailscaled.service" "network-online.target" ];
+    wants = [ "tailscaled.service" "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.Type = "oneshot";
+    script = ''
+      sleep 2 # wait for tailscaled to settle
+      ${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags}
+    '';
+  };
 }