diff --git a/kubernetes/apps/networking/nginx/ks.yaml b/kubernetes/apps/networking/nginx/ks.yaml
index c29b924bf..b48014c30 100644
--- a/kubernetes/apps/networking/nginx/ks.yaml
+++ b/kubernetes/apps/networking/nginx/ks.yaml
@@ -55,3 +55,22 @@ spec:
 interval: 30m
 retryInterval: 1m
 timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-nginx-tailscale
+ namespace: flux-system
+spec:
+ targetNamespace: networking
+ dependsOn:
+ - name: cluster-apps-nginx-certificates
+ path: ./kubernetes/apps/networking/nginx/tailscale
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: k8s-gitops
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/networking/nginx/tailscale/helmrelease.yaml b/kubernetes/apps/networking/nginx/tailscale/helmrelease.yaml
new file mode 100644
index 000000000..52af403eb
--- /dev/null
+++ b/kubernetes/apps/networking/nginx/tailscale/helmrelease.yaml
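Review bot: The new Kustomization sets `wait: true` with `timeout: 5m`, which is shorter than the `timeout: 15m` the HelmRelease it points at declares for its own install in the following hunk, so the Kustomization may report a failed health check and enter its `retryInterval: 1m` cycle while the Helm install is still legitimately in progress. Raising the Kustomization `timeout` to at least the HelmRelease's, or dropping `wait`, would avoid that churn. The values otherwise mirror the sibling Kustomization visible in the context lines, so this looks like a copied convention rather than a deliberate choice; if the existing entries have the same mismatch, they would benefit from the same adjustment.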
@@ -0,0 +1,86 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app nginx-tailscale
+spec:
+ interval: 30m
+ timeout: 15m
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: 4.10.1
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx-charts
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: *app
+ controller:
+ replicaCount: 2
+ allowSnippetAnnotations: true
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values:
+ - nginx-tailscale
+ config:
+ client-body-buffer-size: 100M
+ client-body-timeout: 2m
+ client-header-timeout: 2m
+ enable-brotli: true
+ enable-ocsp: true
+ enable-real-ip: true
+ hsts-max-age: 31449600
+ keep-alive-requests: 10000
+ keep-alive: 2m
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ proxy-read-timeout: 7d
+ proxy-send-timeout: 7d
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: true
+ extraArgs:
+ default-ssl-certificate: networking/wildcard-tls
+ ingressClass: nginx-tailscale
+ ingressClassResource:
+ name: nginx-tailscale
+ default: false
+ controllerValue: k8s.io/nginx-tailscale
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespace: networking
+ namespaceSelector:
+ any: true
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 512Mi
+ service:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: tailscale.${PUBLIC_DOMAIN}
+ loadBalancerClass: tailscale
+ externalTrafficPolicy: Local
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/instance: *app
+ app.kubernetes.io/component: controller
+ defaultBackend:
+ enabled: false
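Review bot: `allowSnippetAnnotations: true` under `controller` re-enables the `*-snippet` annotations that the chart disables by default, so anyone able to create an Ingress of class `nginx-tailscale` in any namespace can inject raw nginx configuration into this shared controller process, which typically runs with cluster-wide Secret read access; unless a specific snippet is required, set `allowSnippetAnnotations: false`, and if one is required, pair it with an `annotation-value-word-blocklist` entry under `config`. Separately, `use-forwarded-headers: true` together with `enable-real-ip: true` makes nginx trust incoming `X-Forwarded-*` headers, which is only sound behind an L7 proxy that sets them; behind a `loadBalancerClass: tailscale` Service, which appears to be an L4 path, a client can present its own `X-Forwarded-For`, so source-IP allowlists and access logs become spoofable. Consider dropping `use-forwarded-headers` or restricting `proxy-real-ip-cidr` to the tailnet range. Also worth a comment is the combination of `proxy-body-size: 0` with `proxy-read-timeout: 7d` and `proxy-send-timeout: 7d`, which removes the upload-size cap and lets a single connection hold a worker for a week; a short `# unlimited body size and 7d timeouts are intentional for <purpose>` note would record why these defaults were relaxed.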
diff --git a/kubernetes/apps/networking/nginx/tailscale/kustomization.yaml b/kubernetes/apps/networking/nginx/tailscale/kustomization.yaml
new file mode 100644
index 000000000..5dd7baca7
--- /dev/null
+++ b/kubernetes/apps/networking/nginx/tailscale/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml