diff --git a/system/vpn.nix b/system/vpn.nix
index 854e06b..22c6928 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -34,5 +34,12 @@ in {
 
     # some options cannot be set immediately
     ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}
+
+    ${cfg.package}/bin/tailscale cert ${tailnetHost}
   '';
+
+  services.nginx.virtualHosts.${tailnetHost} = {
+    sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.key";
+    sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.crt";
+  };
 }