diff --git a/ansible/group_vars/prod/vars.yml b/ansible/group_vars/prod/vars.yml
index 039e81b..b80680b 100644
--- a/ansible/group_vars/prod/vars.yml
+++ b/ansible/group_vars/prod/vars.yml
@@ -1,3 +1,7 @@
 prometheus_metrics_password: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/ooni_services/prometheus_metrics_password', profile='oonidevops_user_prod') }}"
+tailscale_authkey: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/tailscale_authkey_devops', profile='oonidevops_user_prod') }}"
+tailscale_tags:
+ - "devops-prod"
+tailscale_oauth_ephemeral: false
 admin_usernames: [ art, mehul ]
 non_admin_usernames: [ ]
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index f8ba6ac..6170ee4 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -28,6 +28,7 @@
 - data2.htz-fsn.prod.ooni.nu
 become: true
 roles:
+ - tailnet
 - oonidata_clickhouse
 - name: Deploy oonidata clickhouse hosts (hdd backed)
@@ -35,6 +36,7 @@
 - data3.htz-fsn.prod.ooni.nu
 become: true
 roles:
+ - tailnet
 - oonidata_clickhouse
 vars:
 clickhouse_data_directory: /data/clickhouse
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index 1bd4575..0a2eae7 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -2,3 +2,8 @@
 - src: nginxinc.nginx
 - src: geerlingguy.certbot
 - src: geerlingguy.node_exporter
+- src: artis3n.tailscale
+- src: https://github.com/idealista/clickhouse_role
+ scm: git
+ version: 3.5.1
+ name: idealista.clickhouse_role
diff --git a/ansible/roles/oonidata_clickhouse/meta/requirements.yml b/ansible/roles/oonidata_clickhouse/meta/requirements.yml
deleted file mode 100644
index 53d654a..0000000
--- a/ansible/roles/oonidata_clickhouse/meta/requirements.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- src: https://github.com/idealista/clickhouse_role
- scm: git
- version: 3.5.1
- name: idealista.clickhouse_role
diff --git a/ansible/roles/tailnet/tasks/main.yml b/ansible/roles/tailnet/tasks/main.yml
new file mode 100644
index 0000000..86bc4b3
--- /dev/null
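Review bot: `tailscale_oauth_ephemeral: false` combined with `tailscale_tags` in the prod group vars enrols these hosts as long-lived tagged nodes, and nothing in the file records that this is intended or how a retired host leaves the tailnet. Tailscale disables key expiry on tagged devices by default, so a decommissioned or compromised host keeps its node identity until someone removes it by hand. I would add a comment above the setting, for example `# long-lived servers: non-ephemeral on purpose; remove the node from the tailnet when a host is retired`. The variable name suggests it only takes effect when `tailscale_authkey` holds an OAuth client secret; if `oonidevops/tailscale_authkey_devops` stores a plain auth key, ephemerality is fixed when the key is created, so it is worth confirming which kind it is.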
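Review bot: Nothing visible in the data2 play (this hunk) or the data3 play (the `@@ -35,6 +36,7 @@` hunk) states which tailnet peers may reach the ClickHouse hosts once `- tailnet` runs ahead of `- oonidata_clickhouse`. That policy presumably lives in the tailnet ACL for the `devops-prod` tag, outside this diff, so a comment above the new role entry pointing to it would help, e.g. `# reachability over the tailnet is governed by the ACL for the devops-prod tag`. Both plays start and end outside their hunks, so I cannot tell whether ClickHouse's listen address or a host firewall already narrows this.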
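Review bot: `- src: artis3n.tailscale` is added without a `version:`, so each `ansible-galaxy install` pulls whatever release is current, for a role that the playbook runs with `become: true` and that handles the tailnet auth key. Pin it the way the ClickHouse role is pinned by adding `version: <reviewed release tag>` under the entry. The `3.5.1` pin on `idealista/clickhouse_role` is a git tag, which upstream can move; a full commit SHA in `version:` is the stricter form. The three Galaxy roles in the context lines are unpinned as well and could be fixed in the same pass.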
+++ b/ansible/roles/tailnet/tasks/main.yml
@@ -0,0 +1,4 @@
+- ansible.builtin.include_role:
+ name: artis3n.tailscale
+ tags:
+ - tailnet
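Review bot: `tags: - tailnet` on an `include_role` task tags only the include itself, not the tasks inside `artis3n.tailscale`, so a run limited with `--tags tailnet` would execute the include and then skip everything in the role. This assumes `tags` sits at task level; the indentation is not recoverable from this page. Either switch to the static form, `- ansible.builtin.import_role:`, whose tags are inherited by the imported tasks, or keep the include and add an `apply:` entry carrying the same tag list. The task also has no `name:`; something like `- name: Join host to the tailnet` would make run output and audit logs easier to read.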