diff --git a/apps/rego-tunnel/shared/install-host-services.sh b/apps/rego-tunnel/shared/install-host-services.sh
new file mode 100644
index 0000000..56e09ac
--- /dev/null
+++ b/apps/rego-tunnel/shared/install-host-services.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# Install host-side systemd services for rego-tunnel
+# Run this ONCE on the host after installing the app in Runtipi
+#
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+APP_DATA_DIR="/etc/runtipi/app-data/runtipi/rego-tunnel"
+
+echo "Installing rego-tunnel host services..."
+
+# Create the path watcher unit
+cat << 'EOF' | sudo tee /etc/systemd/system/rego-routing-watcher.path
+[Unit]
+Description=Watch for rego-tunnel routing trigger
+
+[Path]
+PathExists=/etc/runtipi/app-data/runtipi/rego-tunnel/restart-routing
+Unit=rego-routing-watcher.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Create the service unit
+cat << EOF | sudo tee /etc/systemd/system/rego-routing-watcher.service
+[Unit]
+Description=Apply rego-tunnel routing rules
+After=docker.service
+
+[Service]
+Type=oneshot
+ExecStart=${SCRIPT_DIR}/host-routing.sh restart
+ExecStartPost=/bin/rm -f ${APP_DATA_DIR}/restart-routing
+ExecStartPost=/bin/bash -c 'echo "trigger cleared at \$(date)" >> ${APP_DATA_DIR}/watcher.log'
+EOF
+
+# Make host-routing.sh executable
+sudo chmod +x "${SCRIPT_DIR}/host-routing.sh"
+
+# Reload systemd and enable the watcher
+sudo systemctl daemon-reload
+sudo systemctl enable --now rego-routing-watcher.path
+
+echo ""
+echo "Done! Services installed:"
+echo "  - rego-routing-watcher.path (watches for trigger file)"
+echo "  - rego-routing-watcher.service (applies routing rules)"
+echo ""
+echo "To check status:"
+echo "  systemctl status rego-routing-watcher.path"
+echo ""
+echo "To manually trigger routing:"
+echo "  touch ${APP_DATA_DIR}/restart-routing"
diff --git a/apps/rego-tunnel/shared/uninstall-host-services.sh b/apps/rego-tunnel/shared/uninstall-host-services.sh
new file mode 100644
index 0000000..b76a920
--- /dev/null
+++ b/apps/rego-tunnel/shared/uninstall-host-services.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+#
+# Uninstall host-side systemd services for rego-tunnel
+#
+set -euo pipefail
+
+echo "Removing rego-tunnel host services..."
+
+# Stop and disable the watcher
+sudo systemctl stop rego-routing-watcher.path 2>/dev/null || true
+sudo systemctl disable rego-routing-watcher.path 2>/dev/null || true
+
+# Remove routing rules
+/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/host-routing.sh stop 2>/dev/null || true
+
+# Remove systemd units
+sudo rm -f /etc/systemd/system/rego-routing-watcher.path
+sudo rm -f /etc/systemd/system/rego-routing-watcher.service
+
+# Reload systemd
+sudo systemctl daemon-reload
+
+echo ""
+echo "Done! Host services removed."