diff --git a/Containerfile b/Containerfile index 7983d2d1b93..d00df791270 100644 --- a/Containerfile +++ b/Containerfile @@ -81,6 +81,8 @@ COPY --from=ghcr.io/ublue-os/bluefin-cli /usr/bin/atuin /usr/bin/atuin COPY --from=ghcr.io/ublue-os/bluefin-cli /usr/share/bash-prexec /usr/share/bash-prexec RUN wget https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${FEDORA_MAJOR_VERSION}"/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo -O /etc/yum.repos.d/ublue-os-staging-fedora-"${FEDORA_MAJOR_VERSION}".repo && \ + wget https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh -O /usr/libexec/brew-install && \ + chmod +x /usr/libexec/brew-install && \ /tmp/build.sh && \ /tmp/image-info.sh && \ /tmp/fetch-quadlets.sh && \ diff --git a/usr/bin/ublue-nix-install b/usr/bin/ublue-nix-install deleted file mode 100755 index 3416f2d5f0e..00000000000 --- a/usr/bin/ublue-nix-install +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm - -sleep 1 - -bash <(curl -s https://raw.githubusercontent.com/dnkmmr69420/nix-installer-scripts/main/other-scripts/nix-sudo-path.sh) - -echo "Modifying configurations..." - -sleep 1 - -sudo rm -f /etc/profile.d/nix-app-icons.sh ; sudo wget -P /etc/profile.d https://raw.githubusercontent.com/dnkmmr69420/nix-installer-scripts/main/other-files/nix-app-icons.sh diff --git a/usr/bin/ublue-nix-uninstall b/usr/bin/ublue-nix-uninstall deleted file mode 100755 index 9b713fec28f..00000000000 --- a/usr/bin/ublue-nix-uninstall +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -/nix/nix-installer uninstall - -echo "Removing profile changes..." - -sleep 1 - -sudo rm -f /etc/profile.d/nix-app-icons.sh diff --git a/usr/lib/systemd/system/ublue-system-flatpak-manager.service b/usr/lib/systemd/system/ublue-system-flatpak-manager.service index d3e1fe08ff5..85631cbbe7e 100644 --- a/usr/lib/systemd/system/ublue-system-flatpak-manager.service 
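Review bot: The added `wget` of `Homebrew/install/HEAD/install.sh` bakes whatever the upstream branch serves at build time into `/usr/libexec/brew-install`, with no integrity check. Builds are therefore not reproducible, and a changed upstream script would ship in the image unreviewed and later run on every user's first login. I would pin the URL to a reviewed commit and verify a digest before the `chmod`, e.g. `wget https://raw.githubusercontent.com/Homebrew/install/<PINNED_COMMIT>/install.sh -O /usr/libexec/brew-install && \` followed by `echo "<EXPECTED_SHA256>  /usr/libexec/brew-install" | sha256sum -c - && \` (both values are placeholders). The `RUN` chain starts and continues outside this hunk.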
+++ b/usr/lib/systemd/system/ublue-system-flatpak-manager.service @@ -6,7 +6,7 @@ After=network-online.target ublue-system-setup.service [Service] Type=oneshot -ExecStart=/usr/bin/ublue-system-flatpak-manager +ExecStart=/usr/libexec/ublue-system-flatpak-manager Restart=on-failure RestartSec=30 StartLimitInterval=0 diff --git a/usr/lib/systemd/system/ublue-system-setup.service b/usr/lib/systemd/system/ublue-system-setup.service index 3e0039dc806..637a5b3b04a 100644 --- a/usr/lib/systemd/system/ublue-system-setup.service +++ b/usr/lib/systemd/system/ublue-system-setup.service @@ -6,7 +6,7 @@ Before=systemd-user-sessions.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/bin/ublue-system-setup +ExecStart=/usr/libexec/ublue-system-setup [Install] WantedBy=multi-user.target diff --git a/usr/lib/systemd/user/ublue-user-flatpak-manager.service b/usr/lib/systemd/user/ublue-user-flatpak-manager.service index f900fbca9e6..037fb2eea78 100644 --- a/usr/lib/systemd/user/ublue-user-flatpak-manager.service +++ b/usr/lib/systemd/user/ublue-user-flatpak-manager.service @@ -6,7 +6,7 @@ After=network-online.target [Service] Type=oneshot -ExecStart=/usr/bin/ublue-user-flatpak-manager +ExecStart=/usr/libexec/ublue-user-flatpak-manager Restart=on-failure RestartSec=30 StartLimitInterval=0 diff --git a/usr/lib/systemd/user/ublue-user-setup.service b/usr/lib/systemd/user/ublue-user-setup.service index 5f18765ecaa..336d0a3cdd3 100644 --- a/usr/lib/systemd/user/ublue-user-setup.service +++ b/usr/lib/systemd/user/ublue-user-setup.service @@ -3,7 +3,7 @@ Description=Configure system for current user [Service] Type=simple -ExecStart=/usr/bin/ublue-user-setup +ExecStart=/usr/libexec/ublue-user-setup [Install] WantedBy=default.target diff --git a/usr/libexec/ublue-privileged-user-setup b/usr/libexec/ublue-privileged-user-setup new file mode 100755 index 00000000000..c61a0e93db3 --- /dev/null +++ b/usr/libexec/ublue-privileged-user-setup 
@@ -0,0 +1,7 @@ +#!/usr/bin/bash + +# Enable NTP +timedatectl set-ntp true + +# Allow Tailscale Control +tailscale set --operator="$(getent passwd $PKEXEC_UID | cut -d: -f1)" diff --git a/usr/bin/ublue-system-flatpak-manager b/usr/libexec/ublue-system-flatpak-manager similarity index 100% rename from usr/bin/ublue-system-flatpak-manager rename to usr/libexec/ublue-system-flatpak-manager diff --git a/usr/bin/ublue-system-setup b/usr/libexec/ublue-system-setup similarity index 99% rename from usr/bin/ublue-system-setup rename to usr/libexec/ublue-system-setup index 8ad5e636c4b..c807ed6a839 100755 --- a/usr/bin/ublue-system-setup +++ b/usr/libexec/ublue-system-setup @@ -5,7 +5,7 @@ IMAGE_NAME=$(jq -r '."image-name"' < $IMAGE_INFO) IMAGE_FLAVOR=$(jq -r '."image-flavor"' < $IMAGE_INFO) # SCRIPT VERSION -HWS_VER=1 +HWS_VER=2 HWS_VER_FILE="/etc/ublue/hws_version" HWS_VER_RAN=$(cat $HWS_VER_FILE) diff --git a/usr/bin/ublue-user-flatpak-manager b/usr/libexec/ublue-user-flatpak-manager similarity index 100% rename from usr/bin/ublue-user-flatpak-manager rename to usr/libexec/ublue-user-flatpak-manager diff --git a/usr/bin/ublue-user-setup b/usr/libexec/ublue-user-setup similarity index 87% rename from usr/bin/ublue-user-setup rename to usr/libexec/ublue-user-setup index b7242511d09..e5376951442 100755 --- a/usr/bin/ublue-user-setup +++ b/usr/libexec/ublue-user-setup @@ -28,9 +28,6 @@ fi IMAGE_INFO="/usr/share/ublue-os/image-info.json" IMAGE_NAME=$(jq -r '."image-name"' < $IMAGE_INFO) -# Enable NTP -timedatectl set-ntp true - # Ensure custom ptyxis theme is present PTYXIS_THEME_DIR="/usr/etc/skel/.local/share/org.gnome.Ptyxis/palettes" PTYXIS_DIR="$HOME/.local/share/org.gnome.Ptyxis/palettes" 
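Review bot: In the new `usr/libexec/ublue-privileged-user-setup`, `$PKEXEC_UID` is expanded unquoted and never validated, although the script runs as root. If it is started other than through pkexec the variable is empty, `getent passwd` then lists every account, and the `--operator=` value becomes a multi-line list of names instead of one user. The script also has no strict mode, so a failing `timedatectl` or `tailscale` call is silently ignored. I would add `set -euo pipefail` after the shebang, guard with `[[ "${PKEXEC_UID:-}" =~ ^[0-9]+$ ]] || { echo "must be run via pkexec" >&2; exit 1; }`, and quote the lookup as `getent passwd "$PKEXEC_UID"`. A header comment stating that the file is a polkit-invoked helper and which action authorises it would also help the next reader.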
@@ -39,6 +36,14 @@ if [[ ! -f "$PTYXIS_DIR/catppuccin-dynamic.palette" ]]; then cp "$PTYXIS_THEME_DIR/catppuccin-dynamic.palette" "$PTYXIS_DIR/catppuccin-dynamic.palette" fi +# Install brew +if [[ ! -x /var/home/linuxbrew/.linuxbrew/bin/brew ]]; then + NONINTERACTIVE=1 /usr/libexec/brew-install +fi + +# Handle privileged tasks +pkexec /usr/libexec/ublue-privileged-user-setup + # Prevent future executions echo "Writing state file" echo $USER_SETUP_VER > $USER_SETUP_VER_FILE \ No newline at end of file diff --git a/usr/share/polkit-1/actions/org.ublue.privileged.user.setup.policy b/usr/share/polkit-1/actions/org.ublue.privileged.user.setup.policy new file mode 100644 index 00000000000..89053086fb1 --- /dev/null +++ b/usr/share/polkit-1/actions/org.ublue.privileged.user.setup.policy @@ -0,0 +1,21 @@ + + + + + Universal Blue + https://github.com/ublue-os/ + + + Allows certain user configuration tasks to run as root + package-x-generic + + yes + yes + yes + + /usr/libexec/ublue-privileged-user-setup + + + diff --git a/usr/share/polkit-1/rules.d/20-privileged-ruser.rules b/usr/share/polkit-1/rules.d/20-privileged-ruser.rules new file mode 100644 index 00000000000..b83d261e22c --- /dev/null +++ b/usr/share/polkit-1/rules.d/20-privileged-ruser.rules @@ -0,0 +1,6 @@ +polkit.addRule(function(action, subject) { + if ((action.id == "org.ublue.policykit.privileged.user.setup") && + subject.isInGroup("wheel")) { + return polkit.Result.YES; + } +}); \ No newline at end of file
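Review bot: Neither the `brew-install` call nor the `pkexec` call added in `ublue-user-setup` has its exit status checked before the "Writing state file" step. If pkexec is refused, or no polkit agent is available when this user unit runs, the version file is still written and the privileged tasks are presumably never retried for that user. I would fail before the state file is written, e.g. `pkexec /usr/libexec/ublue-privileged-user-setup || { echo "privileged user setup failed" >&2; exit 1; }`, and do the same for `NONINTERACTIVE=1 /usr/libexec/brew-install`. Whether the script already runs under `set -e` cannot be seen here, because it starts outside the hunk.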
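Review bot: The three `yes` values in the new policy file look like the `allow_any`, `allow_inactive` and `allow_active` defaults, though the element names are not visible on this page. If so, every subject, including inactive and non-local sessions, may run `/usr/libexec/ublue-privileged-user-setup` as root without authentication. That makes the wheel check in the accompanying rules file redundant and lets any account set itself as the Tailscale operator. I would set the defaults to `<allow_any>auth_admin</allow_any>`, `<allow_inactive>auth_admin</allow_inactive>` and `<allow_active>auth_admin</allow_active>`, leaving the rules.d entry as the only path that returns YES. A one-line XML comment naming the rule file that grants the exception would document the pairing.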
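Review bot: The rule in `20-privileged-ruser.rules` matches `action.id == "org.ublue.policykit.privileged.user.setup"`, but the policy file added by this commit is named `org.ublue.privileged.user.setup.policy`, and the action id declared inside it is not visible on this page. If the two ids differ, the rule never fires and authorisation falls back to the policy defaults alone, so please confirm they match. The rule also grants YES to any wheel member regardless of session state; I would narrow it to `subject.isInGroup("wheel") && subject.local && subject.active) {`. The file name looks like a typo for `privileged-user`, and it has no trailing newline.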