diff --git a/stacks/tailscale/docker-compose.yaml b/stacks/tailscale/docker-compose.yaml
new file mode 100644
index 0000000..e01f9d6
--- /dev/null
+++ b/stacks/tailscale/docker-compose.yaml
@@ -0,0 +1,38 @@
+services:
+  webfinger:
+    image: nginx:stable-alpine3.23
+    container_name: webfinger
+    restart: unless-stopped
+
+    read_only: true
+    tmpfs:
+      - /var/cache/nginx
+      - /var/run
+      - /tmp
+
+    security_opt:
+      - no-new-privileges:true
+
+    cap_drop:
+      - ALL
+
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.webfinger.rule=Host(`tailscale.ulfrx.dev`) && Path(`/.well-known/webfinger`)"
+      - "traefik.http.routers.webfinger.entrypoints=websecure"
+      - "traefik.http.routers.webfinger.tls=true"
+      - "traefik.http.routers.webfinger.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.webfinger.priority=1000"
+
+      - "traefik.http.services.webfinger.loadbalancer.server.port=8080"
+
+    networks:
+      - proxy
+
+networks:
+  proxy:
+    external: true
\ No newline at end of file
diff --git a/stacks/tailscale/nginx.conf b/stacks/tailscale/nginx.conf
new file mode 100644
index 0000000..ade892a
--- /dev/null
+++ b/stacks/tailscale/nginx.conf
@@ -0,0 +1,19 @@
+server {
+    listen 8080;
+    server_name _;
+
+    access_log off;
+    server_tokens off;
+
+    location = /.well-known/webfinger {
+        default_type application/jrd+json;
+        add_header Cache-Control "no-store" always;
+        add_header X-Content-Type-Options "nosniff" always;
+
+        return 200 '{"subject":"acct:rafal@tailscale.ulfrx.dev","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://auth.ulfrx.dev/application/o/tailscale/"}]}';
+    }
+
+    location / {
+        return 404;
+    }
+}
\ No newline at end of file
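Review bot: The `image:` line references a floating tag, so every `docker compose pull` may silently change what runs behind the hardening settings below it; pin the reviewed image by digest, `image: nginx:stable-alpine3.23@sha256:<digest-of-reviewed-image>` (placeholder), and bump it deliberately. The `read_only`, `cap_drop: ALL` and `no-new-privileges` settings are good, but without a `user:` entry the official nginx image still starts its master process as root; given the `/var/cache/nginx` and `/var/run` tmpfs mounts already present, a non-root uid may work here, though that needs confirming against the image's entrypoint before adding it. Both new files in this commit also lack a trailing newline, as the `\ No newline at end of file` markers show.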
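Review bot: The `location = /.well-known/webfinger` block answers every request with the same JRD and never looks at the `resource` query parameter, so a lookup for any account or arbitrary string under this host is mapped to rafal's issuer, whereas RFC 7033 expects a 404 for a resource the server does not know. One guard before the `return 200` covers it while tolerating clients that percent-encode the value: `if ($arg_resource !~* "^acct(:|%3A)rafal(@|%40)tailscale\.ulfrx\.dev$") { return 404; }` — confirm against what the Tailscale lookup actually sends before relying on it. RFC 7033 also requires `Access-Control-Allow-Origin: *` on WebFinger responses; the Tailscale client does not need it, so `add_header Access-Control-Allow-Origin "*" always;` is optional here. Separately, `access_log off` discards the only per-request record for this endpoint; since container logs already go to stdout, leaving it on costs little and gives something to audit when lookups are questioned.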