diff --git a/build-rootfs.sh b/build-rootfs.sh
index 0c5c8f2..1271c36 100755
--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@@ -3,7 +3,10 @@ source $stdenv/setup
 set -o pipefail
 
 # basic file system layout
-mkdir -p $out/etc $out/proc $out/sys $out/dev $out/run $out/tmp $out/var/tmp $out/var/lib $out/var/log
+mkdir -p $out/etc $out/proc $out/sys $out/dev $out/run $out/tmp $out/var/tmp $out/var/lib/private/$serviceName $out/var/log $out/var/cache/private/$serviceName
+
+ln -sf /var/cache/private/$serviceName $out/var/cache/$serviceName
+ln -sf /var/lib/private/$serviceName $out/var/lib/$serviceName 
 
 # empty files to mount over with host's version
 touch $out/etc/resolv.conf $out/etc/machine-id
diff --git a/default.nix b/default.nix
index 2d1aa6c..94ce4ef 100644
--- a/default.nix
+++ b/default.nix
@@ -52,6 +52,7 @@ let
 
   rootfs = stdenv.mkDerivation {
     name = "rootfs";
+    serviceName = name;
     builder = ./build-rootfs.sh;
     inherit units;
     unitNames = map getUnitName units;
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..2362728
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,26 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1650161686,
+        "narHash": "sha256-70ZWAlOQ9nAZ08OU6WY7n4Ij2kOO199dLfNlvO/+pf8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1ffba9f2f683063c2b14c9f4d12c55ad5f4ed887",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
index 9daf31e..d6ef8d7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,32 @@
 {
   description = "Nix tools to help you build portable services";
 
-  outputs = { self }: {
+  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
+
+  outputs = { self, nixpkgs, ... }: {
     overlay = final: prev: { portableService = prev.pkgs.callPackage ./. { }; };
+
+    packages.x86_64-linux.default = let
+      pkgs = import nixpkgs {
+        overlays = [ self.overlay ];
+        system = "x86_64-linux";
+      };
+
+      service = pkgs.substituteAll {
+        name = "tailscaled.service";
+        src = ./ts/tailscaled.service.in;
+        inherit (pkgs) tailscale;
+      };
+    in pkgs.portableService {
+      name = "tailscale";
+      version = pkgs.tailscale.version;
+      homepage = "https://tailscale.com";
+      units = [ service ];
+
+      symlinks = [{
+        object = "${pkgs.cacert}/etc/ssl";
+        symlink = "/etc/ssl";
+      }];
+    };
   };
 }
diff --git a/ts/tailscaled.service.in b/ts/tailscaled.service.in
new file mode 100644
index 0000000..f44a855
--- /dev/null
+++ b/ts/tailscaled.service.in
@@ -0,0 +1,26 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+ExecStartPre=@tailscale@/bin/tailscaled --cleanup
+ExecStart=@tailscale@/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --tun=userspace-networking
+ExecStopPost=@tailscale@/bin/tailscaled --cleanup
+AmbientCapabilities=CAP_NET_ADMIN
+Restart=on-failure
+User=root
+BindPaths=/dev/net
+BindPaths=/etc/resolv.conf
+BindPaths=/run/tailscale
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file