diff --git a/Makefile b/Makefile
index bfbf945..b6f96b1 100644
--- a/Makefile
+++ b/Makefile
@@ -60,6 +60,10 @@ $(TF_ROOT_DIRS_VALIDATE):
 @$(eval DIR:=$(subst -validate,,$@))
 terraform -chdir=$(DIR) validate -no-color $(ARGS)
-.PHONY: fmt validate build build-x86 bootstrap init \
+trust-ca:
+ @curl -k https://localhost:15000/intermediates/0 > /tmp/pebble.crt && \
+ sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /tmp/pebble.crt
+
+.PHONY: fmt validate build build-x86 bootstrap init trust-ca \
 $(TF_ROOT_DIRS) $(TF_ROOT_DIRS_DESTROY) $(TF_ROOT_DIRS_INIT) \
 $(TF_ROOT_DIRS_CONSOLE) $(TF_ROOT_DIRS_FMT) $(TF_ROOT_DIRS_VALIDATE)
diff --git a/README.md b/README.md
index 2881c89..5c01225 100644
--- a/README.md
+++ b/README.md
@@ -220,3 +220,11 @@ See any assets :
 ```bash
 kubectl get all -A
 ```
+
+### Tailscale
+
+Retrieve kubeconfig :
+
+```bash
+tailscale configure kubeconfig
+```
diff --git a/main.tf b/main.tf
index bf4cf39..c442579 100644
--- a/main.tf
+++ b/main.tf
@@ -36,7 +36,7 @@ module "ingress-nginx" {
 module "tailscale" {
 source = "./tf-modules-k8s/tailscale"
- tailscale_oauth_client = var.tailscale_oauth_client.id
+ tailscale_oauth_client = var.tailscale_oauth_client
 }
 module "internal_ca" {
@@ -88,7 +88,6 @@ module "paas_config" {
 paas_hostname = local.paas_hostname
 paas_token = module.paas.token
 dex_hostname = local.dex_hostname
- dex_client_id = module.dex.dex_client_id
 dex_client_secret = module.dex.dex_client_secret
 github_team = var.github_team
 tls_skip_verify = var.cert_manager_letsencrypt_env == "local"
diff --git a/nixos-darwin/configuration.nix b/nixos-darwin/configuration.nix
index bd49f9f..3869618 100644
--- a/nixos-darwin/configuration.nix
+++ b/nixos-darwin/configuration.nix
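Review bot: The `trust-ca` recipe installs whatever the curl call wrote to `/tmp/pebble.crt` into the System keychain as a trusted root, but `curl -k` without `-f` exits 0 on an HTTP error response, so an error body would be handed to `security add-trusted-cert` and the `&&` would not stop it; `@curl -fk https://localhost:15000/intermediates/0 > /tmp/pebble.crt && \` makes the fetch fail loudly instead. `-k` is needed because Pebble's management listener serves its own self-signed certificate, and that deserves a recipe comment such as `# -k: pebble's management port (15000) uses a self-signed cert; only ever talk to localhost here`. As far as I recall Pebble generates a fresh CA on every start, so each run leaves one more stale test CA trusted system-wide; an `untrust-ca` target built on `security remove-trusted-cert -d /tmp/pebble.crt` would give users a way to undo it.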
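Review bot: Dropping `dex_client_id = module.dex.dex_client_id` in `module "paas_config"` leaves the client id to the waypoint-config module default `"dex-k3s-paas"` while `module.dex` still decides which client id it actually registers, so the two values can drift apart without any plan-time error and the OIDC login would only fail at runtime. If the default is meant to be the contract between the two modules, a comment next to the `dex_hostname` line, `# dex_client_id intentionally left at the module default "dex-k3s-paas"; must match the client module.dex registers`, records that decision for the next reader. The `paas_config` module block continues past the hunk.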
@@ -66,10 +66,6 @@
 remember_owner = 0
 '';
 security.pki.installCACerts = true;
- security.pki.certificateFiles = [
- "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- ./pebble/cert.crt
- ];
 environment.etc."pebble/config.json".text = builtins.toJSON {
 pebble = {
 listenAddress = "0.0.0.0:14000";
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 961f01b..21bbe54 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -149,7 +149,7 @@ in {
 useNetworkd = true;
 useDHCP = true;
 firewall = {
- trustedInterfaces = [ "tailscale0" ];
+ trustedInterfaces = [ "tailscale0" "cni0" ];
 enable = true;
 allowedTCPPorts = lib.mkDefault [80 443 22 6443];
 allowedUDPPorts = [ config.services.tailscale.port ];
diff --git a/nixos/tailscale-deploy.nix b/nixos/tailscale-deploy.nix
index 451bfb2..df1e604 100644
--- a/nixos/tailscale-deploy.nix
+++ b/nixos/tailscale-deploy.nix
@@ -2,8 +2,9 @@
 let
 manifests = [{
 file = config.sops.templates."tailscale.yaml".path;
- toWait = "deployment/operator";
+ toWait = "deployment.apps/operator";
 namespace = "tailscale";
+ condition = "Available";
 }];
 in {
 services.tailscale.authKeyFile = config.sops.secrets.tailscale.path;
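Review bot: Adding `cni0` to `trustedInterfaces` switches the host firewall off for everything arriving on the pod bridge, so every pod on the node — not only the Tailscale operator — can reach any port the host listens on, including ports that `allowedTCPPorts` deliberately leaves closed. If the goal is pod-to-host traffic for specific services, the narrower form is a per-interface allow list next to `firewall.enable`, e.g. `interfaces.cni0.allowedTCPPorts = [ <ports the pods need> ];`, with a comment naming which workload needs them; which ports those are is not visible in this hunk. The `firewall` attribute set continues outside the hunk.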
@@ -11,16 +12,16 @@ in {
 system.activationScripts.tailscaleOperator.deps = [ "renderSecrets" ];
 system.activationScripts.tailscaleOperator.text = "mkdir -p /var/lib/rancher/k3s/server/manifests;" +
- lib.strings.concatMapStrings (manifest: ''
- cp -fp ${manifest.file} /var/lib/rancher/k3s/server/manifests;
- ${pkgs.k3s}/bin/k3s kubectl rollout status ${manifest.toWait} -n ${manifest.file} --timeout=5m;
+ lib.strings.concatMapStrings (manifest: with manifest; ''
+ cp -fp ${file} /var/lib/rancher/k3s/server/manifests;
+ ${pkgs.k3s}/bin/kubectl wait --for=condition=${condition} ${toWait} -n ${namespace} --timeout=2m;
 '') manifests;
 sops.secrets.tailscale = {};
 sops.secrets.tailscale_oauth_client_id = {};
 sops.secrets.tailscale_oauth_client_secret = {};
+
 sops.templates."tailscale.yaml".content = ''
- ---
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -33,12 +34,15 @@ in {
 name: tailscale
 namespace: kube-system
 spec:
- chart: https://pkgs.tailscale.com/helmcharts/tailscale-operator
+ repo: https://pkgs.tailscale.com/helmcharts
+ chart: tailscale-operator
 targetNamespace: tailscale
- set:
- oauth.clientId: ${config.sops.placeholder.tailscale_oauth_client_id}
- oauth.clientSecret: ${config.sops.placeholder.tailscale_oauth_client_secret}
- apiServerProxyConfig.mode: "true"
+ valuesContent: |
+ oauth:
+ clientId: ${config.sops.placeholder.tailscale_oauth_client_id}
+ clientSecret: ${config.sops.placeholder.tailscale_oauth_client_secret}
+ apiServerProxyConfig:
+ mode: "true"
 waitForJobs: true
 waitForHelm: true
 '';
diff --git a/nixos/temporary-configuration.nix b/nixos/temporary-configuration.nix
index 19ab8d2..6462967 100755
--- a/nixos/temporary-configuration.nix
+++ b/nixos/temporary-configuration.nix
@@ -1 +1 @@
-{...}: { networking.hostName = "k3s-paas-master-0";}
+{...}: {}
diff --git a/terraform.tf b/terraform.tf
index cfec1fa..6224632 100644
--- a/terraform.tf
+++ b/terraform.tf
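Review bot: `with manifest;` resolves `file`, `toWait`, `namespace` and `condition` from the attribute set only when no lexical binding of the same name exists — Nix gives `with` lower priority than `let`/function arguments and emits no warning — so an outer `file` or `condition` introduced later would silently win; the explicit `${manifest.file}` form the old lines used does not have that failure mode. Separately, `kubectl wait` exits non-zero when the 2m timeout elapses, and because the commands are joined with `;` the activation script carries on past it, so a deployment that never becomes Available is visible only in the activation log; a comment on the `kubectl wait` line, `# best-effort: a timeout here does not fail activation`, makes that explicit. The `activationScripts.tailscaleOperator.text` expression and the `sops.templates` string both continue outside this hunk.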
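Review bot: The OAuth client secret is rendered verbatim into `valuesContent` of the HelmChart object in `kube-system`, so it sits in plain text in the CR (as it did under `set:`) where anyone allowed to read HelmChart resources can see it, and it is also written to `/var/lib/rancher/k3s/server/manifests` by the `cp -fp` in the activation script (with the sops template's permissions preserved by `-p`). Keeping the secret in a Kubernetes Secret that the chart references would keep it out of the HelmChart spec; if this chart/controller pairing does not support that, a comment on the `clientSecret:` line noting that the value is visible to HelmChart readers is the minimum. The `sops.templates."tailscale.yaml".content` string begins before this hunk.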
@@ -20,18 +20,16 @@ terraform {
 }
 provider "kubernetes" {
- host = "https://${var.vm_ip}:6443"
 config_path = "~/.kube/config"
 exec {
 api_version = "client.authentication.k8s.io/v1beta1"
- args = ["zizou@localhost", "-p", "2222", "sudo", "cat", "/etc/rancher/k3s/k3s.yaml", ">", "~/.kube/config"]
- command = "ssh"
+ args = ["configure", "kubeconfig", "tailscale-operator"]
+ command = "tailscale"
 }
 }
 provider "helm" {
 kubernetes {
- host = "https://${var.vm_ip}:6443"
 config_path = "~/.kube/config"
 }
 }
diff --git a/tf-modules-k8s/tailscale/variables.tf b/tf-modules-k8s/tailscale/variables.tf
index 98beea4..b92a154 100644
--- a/tf-modules-k8s/tailscale/variables.tf
+++ b/tf-modules-k8s/tailscale/variables.tf
@@ -7,6 +7,4 @@ variable "tailscale_oauth_client" {
 id = string
 secret = string
 })
- nullable = true
- default = null
 }
diff --git a/tf-modules-k8s/waypoint-config/variables.tf b/tf-modules-k8s/waypoint-config/variables.tf
index 2c91ab7..d72f3f9 100644
--- a/tf-modules-k8s/waypoint-config/variables.tf
+++ b/tf-modules-k8s/waypoint-config/variables.tf
@@ -16,6 +16,7 @@ variable "dex_hostname" {
 variable "dex_client_id" {
 description = "Client ID for DEX"
 type = string
+ default = "dex-k3s-paas"
 }
 variable "dex_client_secret" {
diff --git a/tf-root-vm/tf-modules-cloud/libvirt/main.tf b/tf-root-vm/tf-modules-cloud/libvirt/main.tf
index 4ac8b49..3ed7eba 100644
--- a/tf-root-vm/tf-modules-cloud/libvirt/main.tf
+++ b/tf-root-vm/tf-modules-cloud/libvirt/main.tf
@@ -82,7 +82,7 @@ resource "libvirt_domain" "machine" {
 }
 provisioner "local-exec" {
- command = "ssh-keygen -R localhost:22 && ssh-keygen -R 127.0.0.1:22"
+ command = "ssh-keygen -R localhost && ssh-keygen -R 127.0.0.1"
 }
 }
diff --git a/tf-root-vm/tf-modules-cloud/tailscale/main.tf b/tf-root-vm/tf-modules-cloud/tailscale/main.tf
index e3fe3a2..7642c51 100644
--- a/tf-root-vm/tf-modules-cloud/tailscale/main.tf
+++ b/tf-root-vm/tf-modules-cloud/tailscale/main.tf
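Review bot: The `exec` block of `provider "kubernetes"` is the client-go credential-plugin hook: the provider runs the command and expects an `ExecCredential` JSON object on stdout, whereas `tailscale configure kubeconfig tailscale-operator` rewrites `~/.kube/config` as a side effect and, as far as I can tell, prints no credential, so the provider either fails to parse the output or ignores it and the setup works only because `config_path` already points at the file the command just wrote. Running that command once as a bootstrap step before `terraform apply` (the README already documents `tailscale configure kubeconfig`) and dropping the `exec` block keeps kubeconfig provisioning separate from authentication; the same reasoning applies to the `helm` provider's `kubernetes {}` block below. The `terraform {}` block closes at the top of this hunk and `provider "helm"` closes at its end.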
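Review bot: With `nullable` and `default` removed, every caller must now supply the whole object including its `secret` field (and `main.tf` does pass `var.tailscale_oauth_client` in unchanged), so unless the variable carries `sensitive = true` the secret is echoed in plan/apply output and state diffs wherever the module uses it. The hunk starts at line 7 and the `description`/`type` header above is not visible, so this may already be set; if it is not, add `sensitive = true` after the `type` block. The `variable "tailscale_oauth_client"` block closes in this hunk.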
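Review bot: Removing the `localhost` and `127.0.0.1` known_hosts entries on every apply is what lets a freshly built VM's host key be accepted without a mismatch error, but it also replaces trust-on-first-use with a habit of accepting whatever key appears; a comment on the `command` line, `# the VM host key changes on every rebuild; drop the stale entry so ssh does not abort on mismatch`, records why that is acceptable for a local libvirt VM. Also, the old `terraform.tf` reached the VM with `ssh -p 2222`, and OpenSSH stores non-default-port entries as `[localhost]:2222`, which as far as I know neither the old `localhost:22` argument nor the new bare `localhost` matches — if port 2222 is still used anywhere, `ssh-keygen -R '[localhost]:2222'` is the call that removes that entry. The `libvirt_domain` resource block closes in this hunk.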
@@ -29,16 +29,16 @@ resource "tailscale_acl" "as_json" {
 },
 {
 "action" : "accept",
- "src" : ["autogroup:member"],
- "dst" : ["tag:all"],
+ "src" : ["tag:all", "autogroup:member"],
+ "dst" : ["tag:all", "tag:k8s-operator"],
 "users" : ["autogroup:nonroot"]
 },
 {
- "action" : "accept",
- "src" : ["tag:all"],
- "dst" : ["tag:all"],
+ "action": "accept",
+ "src": ["autogroup:member"],
+ "dst": ["tag:k8s-operator"],
 "users" : ["autogroup:nonroot"]
- }
+ },
 ],
 nodeAttrs = [
 {
@@ -52,7 +52,7 @@ resource "tailscale_acl" "as_json" {
 "tag:k8s" = ["tag:k8s-operator"]
 }
 grants = [{
- src = ["autogroup:member"]
+ src = ["tag:all"]
 dst = ["tag:k8s-operator"]
 app = {
 "tailscale.com/cap/kubernetes" = [{
diff --git a/tf-root-vm/tf-modules-nix/deploy/main.tf b/tf-root-vm/tf-modules-nix/deploy/main.tf
index 5c266f1..d9d23fe 100644
--- a/tf-root-vm/tf-modules-nix/deploy/main.tf
+++ b/tf-root-vm/tf-modules-nix/deploy/main.tf
@@ -122,6 +122,11 @@ resource local_file "additional_nixos_vars" {
 provisioner "local-exec" {
 command = "git update-index --assume-unchanged ${local_file.additional_nixos_vars.filename}"
 }
+
+ provisioner "local-exec" {
+ when = "destroy"
+ command = "git update-index --skip-worktree ${local_file.additional_nixos_vars.filename}"
+ }
 }
 data "external" "instantiate" {
@@ -154,6 +159,13 @@ resource "null_resource" "deploy" {
 }
 }
+resource "terraform_data" "reset_tmp_config" {
+ depends_on = [ null_resource.deploy ]
+ provisioner "local-exec" {
+ command = "echo '{...}: {}' > ${local_file.additional_nixos_vars.filename}"
+ }
+}
+
 output "hostname" {
 depends_on = [null_resource.deploy]
 value = var.node_hostname
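Review bot: The second rule (`src: ["autogroup:member"]`, `dst: ["tag:k8s-operator"]`) is now fully covered by the widened first rule, whose `src` includes `autogroup:member` and whose `dst` includes `tag:k8s-operator`, so it is dead as an access rule; either drop it or, if it stays as documentation of the operator path, align its key spacing (`"action": ` vs `"action" : `) with the rest of the list. The first rule now also lets every `tag:all` device reach every other `tag:all` device on all ports, which the removed third rule already granted but is now merged with member access into one entry; a one-line comment above the rule stating that both populations are intended would make the widening reviewable. The `tailscale_acl` resource continues outside the hunk.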
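Review bot: Changing the Kubernetes grant's `src` from `autogroup:member` to `tag:all` moves API-proxy access from logged-in users to every tagged device: any node carrying `tag:all` can now use the `tailscale.com/cap/kubernetes` capability against `tag:k8s-operator`, while human members lose it unless another grant outside this hunk covers them. If the intent is to let cluster nodes reach the operator while keeping user access, `src = ["tag:all", "autogroup:member"]` mirrors the first hunk's ACL rule; either way a comment on the `src` line naming which identities the grant is for is needed, since the capability body `[{ …` that decides what they may do continues outside the hunk.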
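Review bot: The new destroy-time provisioner references `local_file.additional_nixos_vars.filename` by full resource name, and Terraform (0.13 and later, as far as I recall) rejects that: destroy-time provisioners may only refer to `self`, `count.index` or `each.key`, so the line should read `command = "git update-index --skip-worktree ${self.filename}"` (the create-time provisioner above could use `self.filename` too, for symmetry). Also `--skip-worktree` is not the inverse of the `--assume-unchanged` set at create time; if the goal is to undo that flag on destroy, `--no-assume-unchanged` is the matching call. The `local_file` resource block closes in this hunk.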
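Review bot: `terraform_data.reset_tmp_config` has no `triggers_replace`, so its provisioner runs once when the resource is created and never again on later applies, even though `depends_on = [ null_resource.deploy ]` suggests it is meant to follow every deploy. It also overwrites a file that `local_file.additional_nixos_vars` manages, so the next plan should detect the changed content and recreate that file (re-running anything downstream of it) unless the managed content is already `{...}: {}`. If the reset is intended after each deploy, add `triggers_replace = [ null_resource.deploy.id ]`, and a one-line comment on the resource explaining why the file is reset here would help either way. `output "hostname"` continues outside the hunk.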