diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 39bcbf1..59d049d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,7 +4,7 @@ default_install_hook_types:
 
 repos:
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.2
+    rev: v8.21.2
     hooks:
       - id: gitleaks
         stages: [pre-commit]
diff --git a/modules/system/polkit.nix b/modules/system/polkit.nix
index 8162e2a..b077658 100644
--- a/modules/system/polkit.nix
+++ b/modules/system/polkit.nix
@@ -6,19 +6,17 @@
 }:
 {
   config = lib.mkIf config.security.polkit.enable {
-    systemd = {
-      user.services.polkit-gnome-authentication-agent-1 = {
-        description = "polkit-gnome-authentication-agent-1";
-        wantedBy = [ "graphical-session.target" ];
-        wants = [ "graphical-session.target" ];
-        after = [ "graphical-session.target" ];
-        serviceConfig = {
-          Type = "simple";
-          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
-          Restart = "on-failure";
-          RestartSec = 1;
-          TimeoutStopSec = 10;
-        };
+    systemd.user.services.polkit-gnome-authentication-agent-1 = {
+      description = "polkit-gnome-authentication-agent-1";
+      wantedBy = [ "graphical-session.target" ];
+      wants = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
       };
     };
   };
diff --git a/options/services/tailscale.nix b/options/services/tailscale.nix
index 239f72b..3f75f23 100644
--- a/options/services/tailscale.nix
+++ b/options/services/tailscale.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
   inherit (lib)
     mkIf
@@ -22,6 +27,7 @@ in
     server = mkOption {
       type = str;
       default = "https://hs.ccnlc.eu";
+      description = "The coordination server tailscale should be using.";
     };
 
     isExitNode = mkOption {
@@ -48,6 +54,12 @@ in
       type = listOf str;
       default = [ ];
     };
+
+    systemTray = mkOption {
+      type = bool;
+      default = true;
+      description = "Display a system tray icon to interact with tailscale.";
+    };
   };
 
   config = mkIf cfg.enable {
@@ -69,6 +81,21 @@ in
       ];
       useRoutingFeatures = mkIf cfg.isExitNode "server";
     };
-  };
 
+    systemd.user.services.tailscale-system-tray = mkIf cfg.systemTray {
+      description = "tailscale system tray";
+      wantedBy = [ "graphical-session.target" ];
+      wants = [ "graphical-session.target" ];
+      after = [ "graphical-session.target" ];
+      path = [ pkgs.polkit ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "/bin/sh -lc ${pkgs.tailscale-systray}/bin/tailscale-systray";
+        Restart = "on-failure";
+        RestartSec = 1;
+        TimeoutStopSec = 10;
+        IPAddressDeny = "any";
+      };
+    };
+  };
 }