diff --git a/deployments/tailscale/external-secrets/tailscale-auth.yaml b/deployments/tailscale/external-secrets/tailscale-auth.yaml
new file mode 100644
index 0000000..85491a1
--- /dev/null
+++ b/deployments/tailscale/external-secrets/tailscale-auth.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: orion-vault
+    kind: ClusterSecretStore
+  target:
+    name: tailscale-operator
+    creationPolicy: Owner
+  data:
+    - secretKey: auth-key
+      remoteRef:
+        key: secret/Talos Cluster/tailscale
+        property: TS_AUTH_KEY