diff --git a/common/programs/tailnet.nix b/common/programs/tailnet.nix
index 953b408..2372e7a 100644
--- a/common/programs/tailnet.nix
+++ b/common/programs/tailnet.nix
@@ -23,6 +23,11 @@ in
 default = true;
 description = "Whether to use headscale login server.";
 };
+ enableExitNode = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable exit node.";
+ };
 };
 config = lib.mkIf cfg.enable {
@@ -35,10 +40,13 @@ in
 config ? age && config.age ? secrets && config.age.secrets ? headscale_auth
 ) config.age.secrets.headscale_auth.path;
 # https://tailscale.com/kb/1241/tailscale-up
- extraUpFlags = lib.mkIf cfg.useHeadscale [
- "--login-server=https://headscale.joshuabell.xyz"
- "--no-logs-support"
- ];
+ extraUpFlags =
+ lib.mkIf cfg.useHeadscale [
+ "--login-server=https://headscale.joshuabell.xyz"
+ "--no-logs-support"
+ ]
+ ++ (lib.optional cfg.enableExitNode "--advertise-exit-node");
+
 };
 networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
 networking.firewall.checkReversePath = "loose";
diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix
index f9f9bd7..c00b32a 100644
--- a/hosts/lio/flake.nix
+++ b/hosts/lio/flake.nix
@@ -66,6 +66,7 @@
 rustDev.enable = true;
 uhkAgent.enable = true;
 tailnet.enable = true;
+ tailnet.enableExitNode = true;
 ssh.enable = true;
 docker.enable = true;
 };
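Review bot: The description of `enableExitNode` in the first hunk of common/programs/tailnet.nix does not say what the option does to the host. I would spell it out, e.g. `description = "Whether to advertise this host as a Tailscale exit node, so that other tailnet devices can route their internet traffic through it.";`. A short comment that the advertised route still has to be approved on the control server before any peer can use it would also help whoever flips this on for another host. The option set this belongs to starts outside the hunk.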
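Review bot: In the second hunk of common/programs/tailnet.nix the new `extraUpFlags` value applies `++` to the result of `lib.mkIf`, which is an attribute set rather than a list, because function application binds tighter than `++`. As written this should fail at evaluation with a list-expected error instead of appending the flag. Building the list directly avoids it: replace `lib.mkIf cfg.useHeadscale [` with `lib.optionals cfg.useHeadscale [` and keep the `++ (lib.optional cfg.enableExitNode "--advertise-exit-node")` tail, or combine two `lib.mkIf` values with `lib.mkMerge`. The enclosing `services.tailscale` block starts outside the hunk.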
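Review bot: Setting `tailnet.enableExitNode = true;` in hosts/lio/flake.nix only adds `--advertise-exit-node`, and nothing in this diff turns on IP forwarding for the host; the module's routing setting is not visible here. If tailnet.nix leaves `services.tailscale.useRoutingFeatures` at a client-only value, the host would advertise a route it cannot forward, so the module should switch it to `"server"` or `"both"` when `cfg.enableExitNode` is true. As far as I know `extraUpFlags` is only passed when the autoconnect unit actually runs `tailscale up`, so an already-authenticated host may need the flag in `services.tailscale.extraSetFlags` as well; worth confirming against the NixOS release in use. Since this host will then carry other devices' traffic, the control server's ACLs should name which peers may use it as an exit node.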