diff --git a/configuration.nix b/configuration.nix
index c3a7dc1..76b0954 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -58,6 +58,25 @@
     '';
   };
 
+  systemd.services.opencode-tailnet = {
+    description = "Expose OpenCode on the tailnet";
+    after = [ "network-online.target" "tailscaled.service" "tailscale-set-operator.service" ];
+    wants = [ "network-online.target" ];
+    requires = [ "tailscaled.service" "tailscale-set-operator.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      User = "jet";
+      Restart = "always";
+      RestartSec = 5;
+      ExecStartPre = [
+        "${pkgs.tailscale}/bin/tailscale serve --bg 4096"
+      ];
+      ExecStart = "/etc/profiles/per-user/jet/bin/opencode serve --hostname 127.0.0.1 --port 4096";
+      WorkingDirectory = config.users.users.jet.home;
+    };
+  };
+
   time.timeZone = "America/Los_Angeles";
   i18n.defaultLocale = "en_US.UTF-8";
 
diff --git a/home.nix b/home.nix
index 77971f9..0d3470e 100644
--- a/home.nix
+++ b/home.nix
@@ -603,9 +603,7 @@ in
       "dr" = "direnv reload";
       "da" = "direnv allow";
       "nfu" = "nix flake update";
-      "o" =
-        "OPENCODE_PERMISSION='{\"*\":\"allow\",\"external_directory\":\"allow\",\"doom_loop\":\"allow\"}' opencode";
-      "os" = "opencode";
+      "o" = "opencode";
       ".." = "z ..";
       j = "jj";
       jgf = "jj git fetch";
@@ -862,6 +860,11 @@ in
     "$schema" = "https://opencode.ai/config.json";
     autoupdate = false;
     plugin = [ "opencode-with-claude" ];
+    permission = {
+      "*" = "allow";
+      external_directory = "allow";
+      doom_loop = "allow";
+    };
     mcp.linear = {
       type = "remote";
       url = "https://mcp.linear.app/mcp";