diff --git a/tailscale/repo.sls b/tailscale/repo.sls
new file mode 100644
index 0000000..31e3162
--- /dev/null
+++ b/tailscale/repo.sls
@@ -0,0 +1,87 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+
+{% if salt['pillar.get']('update_proxy:caching') %}
+{% set proxy = 'cacher' %}
+{% endif %}
+
+{% if grains['nodename'] != 'dom0' %}
+{% if grains['os_family']|lower == 'debian' %}
+{% if grains['nodename']|lower != 'host' %}
+{% if proxy  == 'cacher' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
+
+/etc/apt/sources.list:
+  file.replace:
+    - name: /etc/apt/sources.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+
+requirements_installed:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - qubes-core-agent-networking
+      - qubes-core-agent-passwordless-root
+      - iproute2
+      - libnotify-bin
+      - lsb-release
+      - xz-utils
+
+/etc/apt/sources.list.d/tailscale.list:
+  file.managed:
+    - source:
+      - salt://tailscale/tailscale.list
+    - user: root
+    - group: root
+    - makedirs: True
+
+/usr/share/keyrings/tailscale-achive-keyring.gpg:
+  file.managed:
+    - source:
+      - salt://tailscale/tailscale-archive-keyring.gpg
+    - user: root
+    - group: root
+    - makedirs: True
+
+{% if proxy == 'cacher' %}
+/etc/apt/sources.list.d/tailscale.list:
+  file.replace:
+    - name: /etc/apt/sources.list.d/tailscale.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+
+tailscale_installed:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - tailscale
+
+{% endif %}
+
+disable_tailscaled:
+  service.disabled:
+    - name: tailscaled
+
+mask_tailscaled:
+  service.masked:
+    - name: tailscaled
diff --git a/tailscale/tailscale-archive-keyring.gpg b/tailscale/tailscale-archive-keyring.gpg
new file mode 100644
index 0000000..603538d
Binary files /dev/null and b/tailscale/tailscale-archive-keyring.gpg differ
diff --git a/tailscale/tailscale.list b/tailscale/tailscale.list
new file mode 100644
index 0000000..45ef98e
--- /dev/null
+++ b/tailscale/tailscale.list
@@ -0,0 +1,2 @@
+# Tailscale packages for debian bookworm
+deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/debian bookworm main