diff --git a/hosts/modules/roles/work.nix b/hosts/modules/roles/work.nix
index 5fc9e811b..b345f269e 100644
--- a/hosts/modules/roles/work.nix
+++ b/hosts/modules/roles/work.nix
@@ -11,13 +11,20 @@
   config = lib.mkIf config.sane.roles.work {
     ### TAILSCALE
     # first run:
-    # - `tailscale login --hostname $myHostname`
+    # - `sudo tailscale login --hostname $myHostname`
     sane.persist.sys.byStore.private = [
       { user = "root"; group = "root"; mode = "0700"; path = "/var/lib/tailscale"; method = "bind"; }
     ];
     services.tailscale.enable = true;
     # services.tailscale.useRoutingFeatures = "client";
-    services.tailscale.extraSetFlags = [ "--accept-routes" ];
+    services.tailscale.extraSetFlags = [
+      "--accept-routes"
+      # "--operator=colin"  #< this *should* allow non-root control, but fails: <https://github.com/tailscale/tailscale/issues/16080>
+    ];
+    services.tailscale.extraDaemonFlags = [
+      "-verbose" "7"
+    ];
+    # TODO: harden tailscaled
 
     sane.programs.guiApps.suggestedPrograms = [
       "slack"