diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..726d2d6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+.direnv
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..38b4909
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,42 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1663850217,
+ "narHash": "sha256-tp9nXo1/IdN/xN9m06ryy0QUAEfoN6K56ObM/1QTAjc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ae1dc133ea5f1538d035af41e5ddbc2ebcb67b90",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "utils": "utils"
+ }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1659877975,
+ "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..aca04cf
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,32 @@
+{
+ description = "A basic Go web server setup";
+
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-unstable";
+ utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, utils }:
+ utils.lib.eachSystem [
+ "x86_64-linux"
+ "aarch64-linux"
+ "x86_64-darwin"
+ "aarch64-darwin"
+ ] (system:
+ let
+ pkgs =
+ import nixpkgs {
+ inherit system;
+ overlays = [
+ (final: prev: {
+ go = prev.go_1_19;
+ buildGoModule = prev.buildGo119Module;
+ })
+ ];
+ };
+ in {
+ devShells.default = pkgs.mkShell {
+ buildInputs = with pkgs; [ go gopls gotools go-tools ];
+ };
+ });
+}
diff --git a/module.go b/module.go
index a22a4bf..772adab 100644
--- a/module.go +++ b/module.go @@ -90,6 +90,8 @@ func getListener(_, addr string) (net.Listener, error) { type TailscaleAuth struct { localclient *tailscale.LocalClient + + AllowTaggedNodes bool `json:"allow_tagged_nodes"` } func (TailscaleAuth) CaddyModule() caddy.ModuleInfo { @@ -145,7 +147,10 @@ func (ta TailscaleAuth) Authenticate(w http.ResponseWriter, r *http.Request) (ca return user, false, err } - if len(info.Node.Tags) != 0 { + if ta.AllowTaggedNodes && len(info.Node.Tags) != 0 { + info.UserProfile.LoginName = strings.Replace(info.Node.Tags[0], ":", "___", -1) + "@tags.in.your.tailnet" + info.UserProfile.DisplayName = "A tagged node with tags: " + strings.Join(info.Node.Tags, ", ") + } else { return user, false, fmt.Errorf("node %s has tags", info.Node.Hostinfo.Hostname()) }
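Review bot: `AllowTaggedNodes` in the first module.go hunk has no doc comment, although it changes which nodes can authenticate. A comment on the field such as `// AllowTaggedNodes admits tagged nodes under a synthetic login derived from their first tag; the zero value rejects them.` would make the default and the identity mapping visible to whoever writes the Caddy config. How the flag is consumed in Authenticate is shown only in the following hunk.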
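Review bot: The new `else` in Authenticate hangs off `ta.AllowTaggedNodes && len(info.Node.Tags) != 0`, so every request where that condition is false, including ordinary untagged nodes, now returns the "node %s has tags" error. With the option off nothing authenticates, and with it on only tagged nodes do. The tag check should stay the outer condition, and the option should decide only whether a tagged node is rejected or given the synthetic profile, as in the excerpt below. Separately, the login name is built from `info.Node.Tags[0]` alone, so nodes with different tag sets but the same first tag share one identity; that is worth a comment if downstream authorization keys on the user ID. Authenticate's body starts and ends outside this hunk, and no import change for `strings` is visible here.

```go
if len(info.Node.Tags) != 0 {
	if !ta.AllowTaggedNodes {
		return user, false, fmt.Errorf("node %s has tags", info.Node.Hostinfo.Hostname())
	}
	// … unchanged: LoginName / DisplayName assignment for tagged nodes …
}
```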