diff --git a/apps/tailscale/Chart.yaml b/apps/tailscale/Chart.yaml
new file mode 100644
index 00000000..b21d532a
--- /dev/null
+++ b/apps/tailscale/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: tailscale
+version: 0.0.0
+dependencies:
+ - name: app-template
+ version: 3.1.0
+ repository: https://bjw-s.github.io/helm-charts
diff --git a/apps/tailscale/templates/role.yaml b/apps/tailscale/templates/role.yaml
new file mode 100644
index 00000000..42034a80
--- /dev/null
+++ b/apps/tailscale/templates/role.yaml
@@ -0,0 +1,16 @@
+# https://github.com/tailscale/tailscale/blob/main/docs/k8s/role.yaml
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: tailscale
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+- apiGroups: [""]
+ resourceNames: ["tailscale"]
+ resources: ["secrets"]
+ verbs: ["get", "update", "patch"]
diff --git a/apps/tailscale/templates/rolebinding.yaml b/apps/tailscale/templates/rolebinding.yaml
new file mode 100644
index 00000000..e51e383c
--- /dev/null
+++ b/apps/tailscale/templates/rolebinding.yaml
@@ -0,0 +1,15 @@
+# https://github.com/tailscale/tailscale/blob/main/docs/k8s/rolebinding.yaml
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: tailscale
+ namespace: {{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: tailscale
+roleRef:
+ kind: Role
+ name: tailscale
+ apiGroup: rbac.authorization.k8s.io
diff --git a/apps/tailscale/templates/secret.yaml b/apps/tailscale/templates/secret.yaml
new file mode 100644
index 00000000..859f8733
--- /dev/null
+++ b/apps/tailscale/templates/secret.yaml
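Review bot: The first rule in apps/tailscale/templates/role.yaml grants `create` on every Secret in the release namespace, since Kubernetes RBAC cannot scope `create` by `resourceNames`; only the second rule is limited to the `tailscale` Secret. This appears to follow the upstream manifest linked in the header, but nothing in the file explains the asymmetry, so a comment above the first rule would help: `# create cannot be restricted by resourceNames; get/update/patch below is scoped to the state Secret`. If the chart pre-created the state Secret named by `TS_KUBE_SECRET`, the `create` rule could probably be dropped, which should be confirmed against the image's startup permission checks before changing it.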
@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: tailscale-auth
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: global-secrets
+ data:
+ - secretKey: TS_AUTHKEY
+ remoteRef:
+ key: external
+ property: tailscale-auth-key
diff --git a/apps/tailscale/templates/serviceaccount.yaml b/apps/tailscale/templates/serviceaccount.yaml
new file mode 100644
index 00000000..18fa15fd
--- /dev/null
+++ b/apps/tailscale/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+# https://github.com/tailscale/tailscale/blob/main/docs/k8s/sa.yaml
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tailscale
+ namespace: {{ .Release.Namespace }}
diff --git a/apps/tailscale/values.yaml b/apps/tailscale/values.yaml
new file mode 100644
index 00000000..0a4cb857
--- /dev/null
+++ b/apps/tailscale/values.yaml
@@ -0,0 +1,24 @@
+app-template:
+ serviceAccount:
+ name: tailscale
+ controllers:
+ tailscale:
+ containers:
+ app:
+ image:
+ repository: ghcr.io/tailscale/tailscale
+ tag: latest
+ env:
+ TS_HOSTNAME: homelab-router
+ TS_USERSPACE: false
+ TS_KUBE_SECRET: tailscale
+ TS_ROUTES: 192.168.1.224/27
+ TS_AUTHKEY:
+ valueFrom:
+ secretKeyRef:
+ name: tailscale-auth
+ key: TS_AUTHKEY
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
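Review bot: `tag: latest` in apps/tailscale/values.yaml leaves the image unpinned for a container that is granted `NET_ADMIN`, reads the tailnet auth key and advertises a LAN route, so whatever is next published under that tag runs with those privileges and a rollout cannot be reproduced or audited. Pin it to a reviewed release, e.g. `tag: <PINNED_VERSION>` (placeholder), ideally with an `@sha256:<DIGEST>` suffix, and let the update bot raise bumps as reviewable changes. Separately, `TS_USERSPACE: false` is a YAML boolean, while Kubernetes env values must be strings; unless app-template stringifies env entries this should be `TS_USERSPACE: "false"`.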