diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix
index dfb5422a1e9a..f308b7e33114 100644
--- a/nixos/modules/services/networking/tailscale.nix
+++ b/nixos/modules/services/networking/tailscale.nix
@@ -29,12 +29,7 @@ in {
 description = lib.mdDoc "Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node.";
 };
- package = mkOption {
- type = types.package;
- default = pkgs.tailscale;
- defaultText = literalExpression "pkgs.tailscale";
- description = lib.mdDoc "The package to use for tailscale";
- };
+ package = lib.mkPackageOptionMD pkgs "tailscale" {};
 useRoutingFeatures = mkOption {
 type = types.enum [ "none" "client" "server" "both" ];
@@ -58,6 +53,13 @@ in {
 A file containing the auth key.
 '';
 };
+
+ extraUpFlags = mkOption {
+ description = lib.mdDoc "Extra flags to pass to {command}`tailscale up`.";
+ type = types.listOf types.str;
+ default = [];
+ example = ["--ssh"];
+ };
 };
 config = mkIf cfg.enable {
@@ -98,10 +100,10 @@ in {
 serviceConfig = {
 Type = "oneshot";
 };
- script = with pkgs; ''
+ script = ''
 status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
 if [[ $status != Connected* ]]; then
- ${pkgs.tailscale}/bin/tailscale up --auth-key 'file:${cfg.authKeyFile}'
+ ${cfg.package}/bin/tailscale up --auth-key 'file:${cfg.authKeyFile}' ${escapeShellArgs cfg.extraUpFlags}
 fi
 '';
 };
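Review bot: The description of the new `extraUpFlags` option (second hunk) does not say when the flags apply or what must stay out of them. Judging by the script in the last hunk, they are only passed when the oneshot unit actually runs `tailscale up`, that is while the status is not yet `Connected`, so a later change to the list appears not to reach a node that is already up. The list is also rendered into the unit script in the Nix store, which is normally world-readable, and flags such as the example `--ssh` widen what the node exposes. I would append two sentences to the description: `Only applied when the service runs tailscale up on a node that is not yet connected.` and `The values end up in the Nix store, so do not put secrets such as auth keys here.` The enclosing options set starts outside this hunk.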
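Review bot: The auth-key argument on the changed `tailscale up` line (last hunk) is still quoted by hand as `'file:${cfg.authKeyFile}'`, while the flags added next to it go through `escapeShellArgs`. A path containing a single quote would end the quoting and the rest would be reinterpreted by the shell; the value is set by the system administrator, so this is a robustness and consistency point rather than injection from untrusted input. I would write `--auth-key ${escapeShellArg "file:${cfg.authKeyFile}"}`, assuming `escapeShellArg` is in scope the same way `escapeShellArgs` is. The service definition starts above this hunk.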