diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index 02bce52..e7e6e0c 100644
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@@ -1,7 +1,9 @@
-{ config, ... }: {
+{ config, lib, ... }: {
   age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
   me.binds."/var/lib/tailscale" = "tailscale";
   networking.firewall.trustedInterfaces = [ "tailscale0" ];
+  networking.firewall.allowedUdpPorts = lib.mkIf config.me.environment == "headless" [ 123 ];
+
   services.tailscale = {
     enable = true;
     authKeyFile = config.age.secrets.tailscale_auth.path;