diff --git a/deployments/tailscale/external-secret.yaml b/deployments/tailscale/external-secret.yaml
new file mode 100644
index 0000000..7a13d02
--- /dev/null
+++ b/deployments/tailscale/external-secret.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: tailscale-auth
+  namespace: tailscale
+  labels:
+    app: tailscale
+    managed-by: orion
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: orion-vault
+    kind: ClusterSecretStore
+  target:
+    name: tailscale-auth
+    creationPolicy: Owner
+    template:
+      type: Opaque
+  data:
+  - secretKey: TS_AUTH_KEY
+    remoteRef:
+      key: secret/data/tailscale
+      property: TS_AUTH_KEY