diff --git a/nix/homelab/kustomize/traefik/chain.yaml b/nix/homelab/kustomize/traefik/chain.yaml
index 03f2a6a..a1a7549 100644
--- a/nix/homelab/kustomize/traefik/chain.yaml
+++ b/nix/homelab/kustomize/traefik/chain.yaml
@@ -7,7 +7,7 @@ spec:
   chain:
     middlewares:
       - name: rfc1918-only
-        namespace: default
+        namespace: kube-system
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
@@ -18,7 +18,7 @@ spec:
   chain:
     middlewares:
       - name: rfc1918-only
-        namespace: default
+        namespace: kube-system
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
@@ -29,7 +29,7 @@ spec:
   chain:
     middlewares:
       - name: rfc1918-only
-        namespace: default
+        namespace: kube-system
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
@@ -40,4 +40,4 @@ spec:
   chain:
     middlewares:
       - name: rfc1918-only
-        namespace: default
+        namespace: kube-system
diff --git a/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml b/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
index 722df52..d712fa4 100644
--- a/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
+++ b/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
@@ -2,7 +2,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: rfc1918-only
-  namespace: default
+  namespace: kube-system
 spec:
   ipAllowList:
     sourceRange:
diff --git a/nix/homelab/nodes/kube/configuration.nix b/nix/homelab/nodes/kube/configuration.nix
index dac5d53..8da751e 100644
--- a/nix/homelab/nodes/kube/configuration.nix
+++ b/nix/homelab/nodes/kube/configuration.nix
@@ -44,6 +44,11 @@
     name = "iqn.2020-08.org.linux-iscsi.initiatorhost:${meta.hostname}";
   };
 
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };
+
   security.sudo.wheelNeedsPassword = false;
 
   users.users.luca = {