diff --git a/tailscale/daemonset.yaml b/tailscale/daemonset.yaml
new file mode 100644
index 0000000..9f154e3
--- /dev/null
+++ b/tailscale/daemonset.yaml
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: tailscaled
+ namespace: tailscale
+ labels:
+ app: tailscale
+spec:
+ selector:
+ matchLabels:
+ app: tailscale
+ template:
+ metadata:
+ labels:
+ app: tailscale
+ spec:
+ hostNetwork: true
+ serviceAccountName: tailscale
+ containers:
+ - name: tailscale
+ image: tailscale/tailscale:latest
+ env:
+ - name: TS_KUBE_SECRET
+ value: "tailscale-auth"
+ - name: TS_STATE_DIR
+ value: "/var/lib/tailscale"
+ envFrom:
+ - secretRef:
+ name: tailscale-auth
+ volumeMounts:
+ - name: var-lib-tailscale
+ mountPath: /var/lib/tailscale
+ - name: tailscale-tmp
+ mountPath: /tmp
+ - name: dev-tun
+ mountPath: /dev/net/tun
+ readOnly: true
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["NET_ADMIN", "NET_RAW"]
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ memory: 200Mi
+ volumes:
+ - name: var-lib-tailscale
+ persistentVolumeClaim:
+ claimName: tailscale
+ - name: tailscale-tmp
+ emptyDir: {}
+ - name: dev-tun
+ hostPath:
+ path: /dev/net/tun
diff --git a/tailscale/namespace.yaml b/tailscale/namespace.yaml
new file mode 100644
index 0000000..2096bf5
--- /dev/null
+++ b/tailscale/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tailscale
+ labels:
+ app: tailscale
diff --git a/tailscale/pvc.yaml b/tailscale/pvc.yaml
new file mode 100644
index 0000000..d931fe0
--- /dev/null
+++ b/tailscale/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: tailscale
+ namespace: tailscale
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/tailscale/rbac.yaml b/tailscale/rbac.yaml
new file mode 100644
index 0000000..7a28dc1
--- /dev/null
+++ b/tailscale/rbac.yaml
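Review bot: `privileged: true` in the container securityContext gives the pod unrestricted access to the node and makes the `capabilities.add` list right below it meaningless; combined with `hostNetwork: true` this is effectively root on every node in the cluster. tailscaled needs NET_ADMIN plus the `/dev/net/tun` device, which is already provided through the hostPath volume, so drop `privileged: true`, keep `capabilities: add: ["NET_ADMIN"]` (re-add NET_RAW only if you confirm it is actually required), and set `allowPrivilegeEscalation: false`. `image: tailscale/tailscale:latest` is unpinned, so a node restart can pull a different binary than the one reviewed; pin a version tag or, better, an `@sha256:` digest. The state layout also looks wrong for a DaemonSet: every node's pod mounts the same ReadWriteOnce `tailscale` PVC and points `TS_KUBE_SECRET` at the same `tailscale-auth` secret, so either the volume fails to attach on all but one node or all nodes end up sharing one tailnet identity — per-node state (a hostPath, or a per-node secret name) seems needed; confirm against containerboot's state-store precedence before changing it.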
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tailscale
+ namespace: tailscale
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tailscale
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "services", "endpoints", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["tailnet.tailscale.com"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tailscale
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tailscale
+subjects:
+ - kind: ServiceAccount
+ name: tailscale
+ namespace: tailscale
diff --git a/tailscale/tailnet.yaml b/tailscale/tailnet.yaml
new file mode 100644
index 0000000..825cf49
--- /dev/null
+++ b/tailscale/tailnet.yaml
@@ -0,0 +1,13 @@
+apiVersion: tailnet.tailscale.com/v1alpha1
+kind: Tailnet
+metadata:
+ name: talos-cluster
+ namespace: tailscale
+spec:
+ tagExposes: []
+ dnsMode: "Split"
+ users:
+ - name: cluster-admin
+ selector:
+ matchLabels:
+ tailscale.com/managed: "true"
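Review bot: The ClusterRole grants `get, list, watch` on `secrets` across every namespace to the service account that runs a hostNetwork, privileged DaemonSet, so any compromise of the tailscale pod reads every secret in the cluster. tailscaled only needs its own `tailscale-auth` secret in the `tailscale` namespace, and because `TS_KUBE_SECRET` makes containerboot store state back into that secret it needs `update`/`patch` on it — which this role does not grant — so the rule is both too broad and, as far as I can tell, insufficient for the daemonset to start cleanly. The read access on `pods`, `services`, `endpoints`, `namespaces` and the `*`/`*` rule on `tailnet.tailscale.com` look like operator permissions rather than node-agent permissions; unless this same SA also runs a controller, move them to whatever component actually needs them. I would replace the ClusterRole/ClusterRoleBinding with a namespaced Role/RoleBinding scoped by `resourceNames`, as below.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tailscale
  namespace: tailscale
rules:
  # containerboot creates the state secret when it is missing; drop this rule if the secret is always pre-provisioned
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["tailscale-auth"]
    verbs: ["get", "update", "patch"]
# … unchanged: ServiceAccount; the binding becomes a RoleBinding in namespace tailscale with roleRef kind: Role …
```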
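Review bot: Nothing in this commit installs a CRD or controller for `tailnet.tailscale.com/v1alpha1`, and as far as I know the official Tailscale Kubernetes operator serves its resources under the `tailscale.com` API group, so `kubectl apply` of this file will fail with a "no matches for kind Tailnet" error unless that CRD is provisioned elsewhere. Please add a header comment naming the component that owns this API and where it is installed, e.g. `# Served by <operator>; CRD installed from <path or chart>`, so the wildcard RBAC rule for this group in rbac.yaml can be reviewed against a known schema. The `users` entry named `cluster-admin` with a label selector is also unexplained; a one-line comment on what membership in that selector grants on the tailnet would help the next reviewer.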