diff --git a/xen_orchestra_tailscale/.env b/xen_orchestra_tailscale/.env
new file mode 100644
index 0000000..6bfc806
--- /dev/null
+++ b/xen_orchestra_tailscale/.env
@@ -0,0 +1,6 @@
+# Tailscale authorization key
+TS_AUTHKEY=tskey-auth-
+
+# Tailscale tailnet node name
+TAILNET_NAME=orchestra
+TAILNET_SUFFIX=?????.ts.net
\ No newline at end of file
diff --git a/xen_orchestra_tailscale/README.md b/xen_orchestra_tailscale/README.md
new file mode 100644
index 0000000..16ef4ac
--- /dev/null
+++ b/xen_orchestra_tailscale/README.md
@@ -0,0 +1,9 @@
+# Xen Orchestra server on Tailnet
+
+This configuration gets a Xen Orchestra server running under Docker and exposed on your Tailnet. Just the think for managing your homelab XCP-ng servers.
+
+Only changes needed are updating Tailscale configuration in `/.env`.
+
+Initial login is `admin@admin.net` with the password `admin`.
+
+Make sure to hit `https://orchestra.????.ts.net` since this isn't configured to listen on port 80.
\ No newline at end of file
diff --git a/xen_orchestra_tailscale/docker-compose.yml b/xen_orchestra_tailscale/docker-compose.yml
new file mode 100644
index 0000000..1316097
--- /dev/null
+++ b/xen_orchestra_tailscale/docker-compose.yml
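Review bot: In `xen_orchestra_tailscale/.env`, shipping the template as a tracked `.env` means a user pastes a live `tskey-auth-` key into a file git already tracks, so the secret is one routine commit away from the repository history. Ship the template as `.env.example`, add `.env` to `.gitignore`, and extend the first comment to say so, e.g. `# Tailscale auth key: copy this file to .env, fill it in, never commit the real key`. `TAILNET_SUFFIX` is not referenced by the compose file or `ts-serve.json` in this commit (the serve config uses `${TS_CERT_DOMAIN}`), so drop it or add a comment saying what consumes it.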
@@ -0,0 +1,47 @@
+services:
+ tailscale:
+ hostname: ${TAILNET_NAME}
+ image: tailscale/tailscale
+ volumes:
+ - ./data/tailscale:/var/lib/tailscale
+ - ./ts-serve.json:/config/ts-serve.json:ro
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - net_admin
+ - sys_module
+ environment:
+ TS_AUTHKEY: ${TS_AUTHKEY}
+ TS_SERVE_CONFIG: /config/ts-serve.json
+ TS_AUTH_ONCE: true
+ TS_STATE_DIR: /var/lib/tailscale
+ TS_HOST: ${TAILNET_NAME}
+ restart: unless-stopped
+
+ server:
+ restart: always
+ image: ronivay/xen-orchestra:latest
+ stop_grace_period: 1m
+ environment:
+ - HTTP_PORT=80
+ # capabilities are needed for NFS/SMB mount
+ cap_add:
+ - SYS_ADMIN
+ - DAC_READ_SEARCH
+ # additional setting required for apparmor enabled systems. also needed for NFS mount
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - ./data/xo-data:/var/lib/xo-server
+ - ./data/redis-data:/var/lib/redis
+ # logging
+ logging: &default_logging
+ driver: "json-file"
+ options:
+ max-size: "1M"
+ max-file: "2"
+ # these are needed for file restore. allows one backup to be mounted at once which will be umounted after some minutes if not used (prevents other backups to be mounted during that)
+ # add loop devices (loop1, loop2 etc) if multiple simultaneous mounts needed.
+ devices:
+ - "/dev/fuse:/dev/fuse"
+ - "/dev/loop-control:/dev/loop-control"
+ - "/dev/loop0:/dev/loop0"
\ No newline at end of file
diff --git a/xen_orchestra_tailscale/ts-serve.json b/xen_orchestra_tailscale/ts-serve.json
new file mode 100644
index 0000000..814245f
--- /dev/null
+++ b/xen_orchestra_tailscale/ts-serve.json
@@ -0,0 +1,16 @@
+{
+ "TCP": {
+ "443": {
+ "HTTPS": true
+ }
+ },
+ "Web": {
+ "${TS_CERT_DOMAIN}:443": {
+ "Handlers": {
+ "/": {
+ "Proxy": "http://server:80"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
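Review bot: Both images in `docker-compose.yml` are unpinned (`tailscale/tailscale` with no tag, `ronivay/xen-orchestra:latest`), while `server` runs with `SYS_ADMIN`, `DAC_READ_SEARCH`, `apparmor:unconfined` and host fuse/loop devices, so whatever the registry serves on the next pull runs with close to host-level privilege. Pin each image to a reviewed tag or digest, e.g. `image: ronivay/xen-orchestra:<pinned-tag>@sha256:<digest>` (placeholders). The existing comments suggest the capabilities and the AppArmor opt-out are only needed for NFS/SMB mounts and file restore, so it would help to say they can be removed when those features are unused. In the `tailscale` service, quote the boolean so Compose receives a string, `TS_AUTH_ONCE: "true"`. Also check `TS_HOST`: the node-name variable the Tailscale image documents is `TS_HOSTNAME`, so `TS_HOST` is probably ignored.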