diff --git a/deployments/tailscale/cluster-secret-store.yaml b/deployments/tailscale/cluster-secret-store.yaml
new file mode 100644
index 0000000..9d4fa5d
--- /dev/null
+++ b/deployments/tailscale/cluster-secret-store.yaml
@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+ name: orion-vault
+ namespace: vault
+spec:
+ provider:
+ vault:
+ server: "http://vault.vault.svc.cluster.local:8200"
+ path: "secret"
+ auth:
+ agentAuth:
+ path: "kubernetes"
+ namespace: "vault"
diff --git a/deployments/tailscale/external-secret.yaml b/deployments/tailscale/external-secret.yaml
new file mode 100644
index 0000000..7a13d02
--- /dev/null
+++ b/deployments/tailscale/external-secret.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: tailscale-auth
+ namespace: tailscale
+ labels:
+ app: tailscale
+ managed-by: orion
+spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: orion-vault
+ kind: ClusterSecretStore
+ target:
+ name: tailscale-auth
+ creationPolicy: Owner
+ template:
+ type: Opaque
+ data:
+ - secretKey: TS_AUTH_KEY
+ remoteRef:
+ key: secret/data/tailscale
+ property: TS_AUTH_KEY
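Review bot: The ClusterSecretStore has no `spec.conditions`, so an ExternalSecret in any namespace of the cluster can point at `orion-vault` and read whatever the store's Vault identity is allowed to read; since only the tailscale namespace needs it, scope the store with `conditions:` / `- namespaces:` / `- tailscale`. `server` is plain `http://`, which sends the Vault token and every fetched secret across the pod network unencrypted — use `https://` and pin the CA with `caBundle` or `caProvider`. I do not find `agentAuth` among the auth methods documented for the external-secrets.io Vault provider; Kubernetes auth is normally written as `kubernetes:` with `mountPath`, `role` and `serviceAccountRef`, and without a `role` the store cannot be bound to a specific Vault policy, so please confirm this block is accepted by the operator rather than silently rejected. `metadata.namespace: vault` is ignored on a cluster-scoped kind and can be dropped.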
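Review bot: `remoteRef.key: secret/data/tailscale` repeats the mount that the referenced store already supplies through `path: "secret"`; with the provider's default KV v2 handling the operator prepends the mount and the `/data/` segment itself, so the lookup would resolve to `secret/data/secret/data/tailscale` and the key should be just `tailscale` — please confirm against the actual Vault layout. The `managed-by: orion` label uses a bare key where the recommended form is `app.kubernetes.io/managed-by: orion`, which is what standard tooling selects on. The surrounding `labels` block is otherwise fine; `refreshInterval` is correctly quoted.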