diff --git a/tailscale/auth-secret.yaml b/tailscale/auth-secret.yaml
new file mode 100644
index 0000000..b8302e5
--- /dev/null
+++ b/tailscale/auth-secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tailscale-operator-secret
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+type: Opaque
+data:
+ # TODO: Fill in the Tailscale auth key (base64 encoded)
+ authkey: PLACEHOLDER
diff --git a/tailscale/deployment.yaml b/tailscale/deployment.yaml
new file mode 100644
index 0000000..dae6204
--- /dev/null
+++ b/tailscale/deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+ spec:
+ serviceAccountName: tailscale-operator
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - name: operator
+ image: ghcr.io/tailscale/operator:v1.76.0
+ args:
+ - --hostname=$(POD_NAME)
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ envFrom:
+ - secretRef:
+ name: tailscale-operator-secret
+ ports:
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ drop:
+ - ALL
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
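Review bot: `authkey: PLACEHOLDER` under `data:` is not valid base64 (11 characters, no padding), so `kubectl apply` rejects this manifest as written; if a checked-in stub is wanted, `stringData:` takes the raw value and lets the API server encode it. The bigger concern is that once the TODO is resolved the real key lands in git history; keeping only the Secret's name (`tailscale-operator-secret`, consumed via `envFrom` in deployment.yaml) in the repo and sourcing the value from an external or sealed secret avoids that. Because `envFrom` turns each data key into an environment variable, the operator must read a variable literally named `authkey` for this to have any effect — confirm that against the operator's documented configuration for the pinned v1.76.0 rather than assuming it.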
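Review bot: The `nodeAffinity` at the end of the deployment.yaml hunk requires a node labelled `node-role.kubernetes.io/control-plane`, but no `tolerations` are set, so on any cluster that taints its control-plane nodes the pod stays Pending; either add a matching toleration or drop the affinity if control-plane placement is not actually a requirement. The pod's `securityContext` is close to the Pod Security `restricted` profile (non-root, no privilege escalation, all capabilities dropped) but lacks `seccompProfile`, which is the one field keeping it at `baseline`. Separately, `readOnlyRootFilesystem: true` with no volumes leaves the operator nothing writable on disk; whether it needs a scratch directory is not visible here, so watch the first rollout's pod logs. The rewritten pod-spec fragment below shows both additions.
```yaml
    spec:
      serviceAccountName: tailscale-operator
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: containers, env, envFrom, ports, resources, container securityContext …
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      # … unchanged: affinity …
```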
diff --git a/tailscale/namespace.yaml b/tailscale/namespace.yaml
new file mode 100644
index 0000000..521e2db
--- /dev/null
+++ b/tailscale/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
diff --git a/tailscale/rbac.yaml b/tailscale/rbac.yaml
new file mode 100644
index 0000000..8712bbd
--- /dev/null
+++ b/tailscale/rbac.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tailscale-operator
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+rules:
+- apiGroups: ['']
+ resources: ['secrets', 'services', 'endpoints']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+- apiGroups: ['']
+ resources: ['nodes']
+ verbs: ['get', 'list', 'update', 'patch']
+- apiGroups: ['apps']
+ resources: ['daemonsets']
+ verbs: ['get', 'list', 'watch']
+- apiGroups: ['tailscale.com']
+ resources: ['*']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+- apiGroups: ['coordination.k8s.io']
+ resources: ['leases']
+ verbs: ['get', 'create', 'update']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tailscale-operator
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+ name: tailscale-operator
+ namespace: tailscale
diff --git a/tailscale/service.yaml b/tailscale/service.yaml
new file mode 100644
index 0000000..d31be8f
--- /dev/null
+++ b/tailscale/service.yaml
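Review bot: The `tailscale` Namespace carries only the two app labels; adding Pod Security Admission labels here is the cheapest way to lock in the hardening already done in deployment.yaml, e.g. `pod-security.kubernetes.io/enforce: baseline` together with `pod-security.kubernetes.io/warn: restricted`. Enforcing `restricted` outright would reject the operator pod as currently written, because its securityContext sets no `seccompProfile`, so start with `baseline` and tighten once that field is added.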
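Review bot: The first rule of the ClusterRole in rbac.yaml grants get/list/watch/create/update/patch/delete on `secrets` in every namespace, which lets this ServiceAccount read any workload's credentials and service-account tokens cluster-wide; if the operator only manages secrets in its own namespace, move that rule into a namespaced `Role`/`RoleBinding` in `tailscale` and keep the ClusterRole for `services`, `endpoints` and the `tailscale.com` resources. The cluster-wide `update`/`patch` on `nodes` deserves the same justification, since those verbs are enough to change node labels and taints. Verify the full rule set against the operator release's own manifest: a verb it needs but lacks shows up as 403s in the operator logs, whereas an extra verb silently widens the blast radius if the pod is ever compromised. Minor style point: this file uses single-quoted flow lists (`['']`) while the other manifests in the change use block style; either is fine, but keep one convention across the directory.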
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 8080
+ targetPort: 8080
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
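Review bot: `targetPort: 8080` repeats the numeric port that the container in deployment.yaml already declares under the name `metrics`; `targetPort: metrics` binds to the named port so a later change to the container port cannot silently detach the Service. The selector pair `app.kubernetes.io/name: tailscale` / `app.kubernetes.io/component: operator` matches the pod template exactly, so this is a style point only. If the metrics endpoint is served without authentication, a NetworkPolicy limiting ingress on 8080 to the scraper's namespace is worth adding next to this Service.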