diff --git a/ace/configuration.nix b/ace/configuration.nix
index 00f438a..450bbee 100644
--- a/ace/configuration.nix
+++ b/ace/configuration.nix
@@ -7,7 +7,7 @@
 /home/don/nixos/workstation/configuration.nix
 /home/don/nixos/workstation/home
 /home/don/nixos/workstation/sway.nix
- /home/don/nixos/workstation/detect-reboot-needed.nix
+ /home/don/nixos/workstation/systemd.nix
 ];
 networking.hostName = "ace";
 }
diff --git a/dragon/configuration.nix b/dragon/configuration.nix
index a483c73..6c8f1cd 100644
--- a/dragon/configuration.nix
+++ b/dragon/configuration.nix
@@ -7,7 +7,7 @@
 /home/don/nixos/workstation/configuration.nix
 /home/don/nixos/workstation/home
 /home/don/nixos/workstation/sway.nix
- /home/don/nixos/workstation/detect-reboot-needed.nix
+ /home/don/nixos/workstation/systemd.nix
 ];
 networking.hostName = "dragon";
 }
diff --git a/eve/configuration.nix b/eve/configuration.nix
index 26dd00b..8fcaf34 100644
--- a/eve/configuration.nix
+++ b/eve/configuration.nix
@@ -8,7 +8,7 @@
 /home/don/nixos/workstation/configuration.nix
 /home/don/nixos/workstation/home
 /home/don/nixos/workstation/sway.nix
- /home/don/nixos/workstation/detect-reboot-needed.nix
+ /home/don/nixos/workstation/systemd.nix
 ];
 networking.hostName = "eve";
 }
diff --git a/loki/configuration.nix b/loki/configuration.nix
index b542c3c..82ae235 100644
--- a/loki/configuration.nix
+++ b/loki/configuration.nix
@@ -9,7 +9,7 @@
 /home/don/nixos/loki/kernel.nix
 /home/don/nixos/workstation/home
 /home/don/nixos/workstation/sway.nix
- /home/don/nixos/workstation/detect-reboot-needed.nix
+ /home/don/nixos/workstation/systemd.nix
 ];
 networking.hostName = "loki";
 }
diff --git a/pocket2/configuration.nix b/pocket2/configuration.nix
index 642fbdd..62a4d40 100644
--- a/pocket2/configuration.nix
+++ b/pocket2/configuration.nix
@@ -7,7 +7,7 @@
 /home/don/nixos/workstation/configuration.nix
 /home/don/nixos/workstation/home
 /home/don/nixos/workstation/sway.nix
- /home/don/nixos/workstation/detect-reboot-needed.nix
+ /home/don/nixos/workstation/systemd.nix
 ];
 networking.hostName = "pocket2";
 }
diff --git a/smaug/configuration.nix b/smaug/configuration.nix
index 3167f7a..43d62e2 100644
--- a/smaug/configuration.nix
+++ b/smaug/configuration.nix
@@ -8,7 +8,7 @@
 /home/don/nixos/workstation/configuration.nix
 /home/don/nixos/workstation/home
 /home/don/nixos/workstation/sway.nix
- /home/don/nixos/workstation/detect-reboot-needed.nix
+ /home/don/nixos/workstation/systemd.nix
 ];
 networking.hostName = "smaug";
 }
diff --git a/workstation/configuration.nix b/workstation/configuration.nix
index 41242d1..6a8802f 100644
--- a/workstation/configuration.nix
+++ b/workstation/configuration.nix
@@ -245,34 +245,46 @@ in lidSwitchExternalPower = "ignore"; lidSwitchDocked = "ignore"; }; - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; + systemd.services = { + tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; + # make sure tailscale is running before trying to connect to tailscale + after = [ "network-pre.target" "tailscale.service" ]; + wants = [ "network-pre.target" "tailscale.service" ]; + wantedBy = [ "multi-user.target" ]; - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; - # have the job run this shell script - script = with pkgs; '' - # wait for tailscaled to settle - sleep 2 + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up --operator=don --authkey tskey-api-kDQcva6CNTRL-kvcJzSix6yLb2dgjr1Pi - ''; + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --operator=don --authkey tskey-api-kDQcva6CNTRL-kvcJzSix6yLb2dgjr1Pi + ''; + }; + + clean-keychain = { + description = "Clean up .keychain on boot"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = 
"${pkgs.coreutils-full}/bin/rm -rf /home/don/.keychain"; + }; + }; }; + # Enable the OpenSSH daemon. services.openssh = { enable = true;
diff --git a/workstation/systemd.nix b/workstation/systemd.nix
new file mode 100644
index 0000000..2fa4c23
--- /dev/null
+++ b/workstation/systemd.nix
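Review bot: The `tailscale up --operator=don --authkey tskey-api-…` line at the end of the `tailscale-autoconnect` script commits a live credential to the repository, and since `script` is rendered into a unit script in the Nix store it is presumably readable by every local account on each host as well. The same literal is added again in the new workstation/systemd.nix. The key should be revoked and the replacement read at runtime from a root-only file, e.g. `${tailscale}/bin/tailscale up --operator=don --authkey "file:<path-to-root-only-key-file>"` (placeholder path), or supplied through `services.tailscale.authKeyFile`. The `tskey-api-` prefix looks like an API access token rather than a device auth key, which would make the exposure wider than one node enrolment; worth confirming.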
@@ -0,0 +1,75 @@
+{ pkgs, ... }:
+
+let
+ readlink = "${pkgs.coreutils}/bin/readlink";
+ notify-send = "${pkgs.libnotify}/bin/notify-send";
+in {
+ systemd = {
+ services = {
+ tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ # set this service as a oneshot job
+ serviceConfig.Type = "oneshot";
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up --operator=don --authkey tskey-api-kDQcva6CNTRL-kvcJzSix6yLb2dgjr1Pi
+ '';
+ };
+
+ clean-keychain = {
+ description = "Clean up .keychain on boot";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.coreutils-full}/bin/rm -rf /home/don/.keychain";
+ };
+ };
+ };
+ user = {
+ services = {
+ detect-reboot-for-upgrade = {
+ script = ''
+ set -eu -o pipefail
+ booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
+ built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+ if [[ "''${booted}" != "''${built}" ]];
+ then
+ echo "Looks like we need a reboot!"
+ ${notify-send} --urgency=low --icon=system-reboot "Reboot is needed for a NixOS upgrade."
+ fi
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
+ };
+ timers = {
+ detect-reboot-for-upgrade = {
+ wantedBy = [ "timers.target" ];
+ partOf = [ "detect-reboot-for-upgrade.service" ];
+ timerConfig = {
+ OnCalendar = "hourly";
+ Unit = "detect-reboot-for-upgrade.service";
+ };
+ };
+ };
+ };
+ };
+}
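Review bot: `tailscale-autoconnect` and `clean-keychain` are written out in full here although workstation/configuration.nix still defines both under `systemd.services`, and ace, dragon, eve, pocket2 and smaug import that file next to this module. The module system then has to merge two definitions of each service; for `script` that most likely means the shell body is concatenated and runs twice, so one copy should go, presumably the one in configuration.nix. Separately, `clean-keychain` runs `rm -rf /home/don/.keychain` with the default root identity; adding `User = "don";` to its `serviceConfig` is enough for a path inside that home directory. In the copied script, `[ $status = "Running" ]` should quote the variable, `[ "$status" = "Running" ]`, so an empty status does not turn into a test syntax error.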