diff --git a/flake.lock b/flake.lock
index 03447f4..91f6bb5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -41,11 +41,11 @@
 ]
 },
 "locked": {
- "lastModified": 1775781825,
- "narHash": "sha256-L5yKTpR+alrZU2XYYvIxCeCP4LBHU5jhwSj7H1VAavg=",
+ "lastModified": 1776373306,
+ "narHash": "sha256-iAJIzHngGZeLIkjzuuWI6VBsYJ1n89a/Esq0m8R1vjs=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "e35c39fca04fee829cecdf839a50eb9b54d8a701",
+ "rev": "d401492e2acd4fea42f7705a3c266cea739c9c36",
 "type": "github"
 },
 "original": {
@@ -99,11 +99,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1775710090,
- "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+ "lastModified": 1776169885,
+ "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+ "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
 "type": "github"
 },
 "original": {
diff --git a/nixosConfigurations/asphodel/hardware-configuration.nix b/nixosConfigurations/asphodel/hardware-configuration.nix
index ee0abae..1892610 100644
--- a/nixosConfigurations/asphodel/hardware-configuration.nix
+++ b/nixosConfigurations/asphodel/hardware-configuration.nix
@@ -44,10 +44,6 @@
 };
 };
 
- postDeviceCommands = lib.mkAfter ''
- cryptsetup close cryptkey
- '';
-
 # Support remote unlock. Run `cryptsetup-askpass` to unlock
 network = {
 enable = true;
diff --git a/nixosConfigurations/elysium/hardware-configuration.nix b/nixosConfigurations/elysium/hardware-configuration.nix
index 9f3677b..bea50a0 100644
--- a/nixosConfigurations/elysium/hardware-configuration.nix
+++ b/nixosConfigurations/elysium/hardware-configuration.nix
@@ -59,10 +59,6 @@
 };
 };
 
- postDeviceCommands = lib.mkAfter ''
- cryptsetup close cryptkey
- '';
-
 # Support remote unlock. Run `cryptsetup-askpass` to unlock
 network = {
 enable = true;
diff --git a/nixosConfigurations/erebus/hardware-configuration.nix b/nixosConfigurations/erebus/hardware-configuration.nix
index bebffea..8d74b85 100644
--- a/nixosConfigurations/erebus/hardware-configuration.nix
+++ b/nixosConfigurations/erebus/hardware-configuration.nix
@@ -1,6 +1,5 @@
 {
 config,
- lib,
 pkgs,
 modulesPath,
 ...
@@ -50,10 +49,6 @@
 };
 };
 
- postDeviceCommands = lib.mkAfter ''
- cryptsetup close cryptkey
- '';
-
 # Support remote unlock. Run `cryptsetup-askpass` to unlock
 network = {
 enable = true;
diff --git a/nixosConfigurations/tartarus/hardware-configuration.nix b/nixosConfigurations/tartarus/hardware-configuration.nix
index e7721a8..37ccda4 100644
--- a/nixosConfigurations/tartarus/hardware-configuration.nix
+++ b/nixosConfigurations/tartarus/hardware-configuration.nix
@@ -2,7 +2,6 @@
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
- lib,
 pkgs,
 modulesPath,
 ...
@@ -50,10 +49,6 @@
 };
 };
 
- boot.initrd.postDeviceCommands = lib.mkAfter ''
- cryptsetup close cryptkey
- '';
-
 fileSystems = {
 "/" = {
 device = "styx/local/root";
diff --git a/nixosModules/default.nix b/nixosModules/default.nix
index 40fd19f..a14c68b 100644
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./_1password.nix
 ./knownHosts.nix
+ ./luks.nix
 ./nixConfig.nix
 ./pihole.nix
 ./tailscale.nix
diff --git a/nixosModules/luks.nix b/nixosModules/luks.nix
new file mode 100644
index 0000000..0340382
--- /dev/null
+++ b/nixosModules/luks.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ boot.initrd.systemd.services = {
+ cryptkey-close = {
+ script = ''
+ set -x
+ systemd-cryptsetup detach cryptkey || echo cannot detach cryptkey
+ '';
+ serviceConfig.Type = "oneshot";
+ wantedBy = [ "initrd-switch-root.target" ];
+ };
+ };
+}
diff --git a/nixosModules/tailscale.nix b/nixosModules/tailscale.nix
index 6dec406..43a1397 100644
--- a/nixosModules/tailscale.nix
+++ b/nixosModules/tailscale.nix
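Review bot: In nixosModules/luks.nix the `|| echo cannot detach cryptkey` fallback makes the `cryptkey-close` oneshot exit 0 even when the detach fails, so a boot that leaves the `cryptkey` mapping open looks identical to a clean one. That mapping presumably exposes the key material used to unlock the other volumes, so a silent failure keeps it readable in the booted system; dropping the fallback, i.e. `systemd-cryptsetup detach cryptkey`, lets the unit show up as failed in the journal. The unit is also only pulled in by `wantedBy = [ "initrd-switch-root.target" ]`, which as far as I can tell does not order it against the switch-root itself; `before = [ "initrd-switch-root.service" ];` would make sure the detach completes first. A one-line comment stating what `cryptkey` holds and why it must be closed before leaving the initrd would help the next reader.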
@@ -12,5 +12,12 @@ in
 trustedInterfaces = [ cfg.interfaceName ];
 checkReversePath = "loose";
 };
+
+ # For some reason tailscale started failing at startup and this wires things up to force the tun
+ # module to be enabled
+ systemd.services.tailscaled = {
+ after = [ "modprobe@tun.service" ];
+ wants = [ "modprobe@tun.service" ];
+ };
 };
 }
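Review bot: The comment above `systemd.services.tailscaled` says only "For some reason", so it records neither the observed symptom nor the condition under which the workaround can be removed. Something like `# Workaround: tailscaled failed at startup, apparently because the tun module was not loaded yet; pull in modprobe@tun.service and order after it.` would be more useful to the next reader. Note also that `wants` is a soft dependency: if `modprobe@tun.service` itself fails, tailscaled is still started and would fail the same way as before. The enclosing block begins outside the hunk.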