diff --git a/clink/.env.example b/clink/.env.example
new file mode 100644
index 0000000..fd69615
--- /dev/null
+++ b/clink/.env.example
@@ -0,0 +1,3 @@
+TS_HOSTNAME=clink
+TS_AUTHKEY=tskey-client-nnn-nnn
+TS_EXTRA_ARGS=--advertise-tags=tag:container
diff --git a/clink/Dockerfile b/clink/Dockerfile
new file mode 100644
index 0000000..6664b1f
--- /dev/null
+++ b/clink/Dockerfile
@@ -0,0 +1,18 @@
+FROM debian:bookworm
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ git \
+ build-essential \
+ ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN git clone https://git.swurl.xyz/swirl/clink.git /tmp/clink && \
+ make -C /tmp/clink && make -C /tmp/clink install-bin && \
+ rm -rf /tmp/clink
+
+RUN mkdir /clink-data
+
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+ENTRYPOINT ["docker-entrypoint.sh"]
diff --git a/clink/docker-compose.yml b/clink/docker-compose.yml
new file mode 100644
index 0000000..15a784d
--- /dev/null
+++ b/clink/docker-compose.yml
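Review bot: The second `RUN` in clink/Dockerfile clones and builds whatever the default branch of `git.swurl.xyz/swirl/clink.git` holds at build time, so two builds can produce different binaries and an upstream change reaches the image without review; check out a reviewed commit before `make`. The image also has no `USER` line, so the entrypoint and clink run as root; a dedicated account that owns `/clink-data` should be enough, assuming clink only needs to write there and bind port 8081. `git` and `build-essential` also stay in the runtime image, which a separate build stage would avoid. The commit value in the sketch below is a placeholder.

```dockerfile
# Placeholder: set to the full SHA of a reviewed upstream commit.
ARG CLINK_COMMIT=REPLACE_WITH_REVIEWED_COMMIT_SHA
RUN git clone https://git.swurl.xyz/swirl/clink.git /tmp/clink && \
    git -C /tmp/clink checkout --detach "${CLINK_COMMIT}" && \
    # … unchanged: make, make install-bin, rm -rf /tmp/clink …

# Unprivileged account that owns the data directory (replaces RUN mkdir /clink-data).
RUN useradd --system --user-group --no-create-home clink && \
    install -d -o clink -g clink /clink-data

# … unchanged: COPY docker-entrypoint.sh, chmod +x …

USER clink
ENTRYPOINT ["docker-entrypoint.sh"]
```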
@@ -0,0 +1,57 @@
+services:
+ ts-clink:
+ image: tailscale/tailscale:latest
+ container_name: ts-clink
+ restart: unless-stopped
+ hostname: ${TS_HOSTNAME}
+ environment:
+ - TS_AUTHKEY
+ - TS_EXTRA_ARGS
+ - TS_SERVE_CONFIG=/ts/serve.json
+ volumes:
+ - tailscale:/var/lib/tailscale
+ devices:
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - net_admin
+ - sys_module
+ configs:
+ - source: serve-config
+ target: /ts/serve.json
+ clink:
+ build: .
+ container_name: clink
+ network_mode: service:ts-clink
+ depends_on:
+ - ts-clink
+ volumes:
+ - clink-data:/clink-data
+ # Optional: Random seed generated, or use deterministic seed
+ #environment:
+ #- PB_SECRET
+ restart: unless-stopped
+volumes:
+ clink-data:
+ tailscale:
+configs:
+ serve-config:
+ content: |
+ {
+ "TCP": {
+ "443": {
+ "HTTPS": true
+ }
+ },
+ "Web": {
+ "$${TS_CERT_DOMAIN}:443": {
+ "Handlers": {
+ "/": {
+ "Proxy": "http://127.0.0.1:8081"
+ }
+ }
+ }
+ },
+ "AllowFunnel": {
+ "$${TS_CERT_DOMAIN}:443": false
+ }
+ }
diff --git a/clink/docker-entrypoint.sh b/clink/docker-entrypoint.sh
new file mode 100644
index 0000000..91849dc
--- /dev/null
+++ b/clink/docker-entrypoint.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+SECRET="${PB_SECRET:-$(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1)}"
+
+exec clink -d /clink-data -p 8081 -s "$SECRET" -k
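Review bot: Under `cap_add`, the `ts-clink` service is granted `sys_module`, which lets the container load kernel modules on the host. Since `/dev/net/tun` is already mapped in under `devices`, `net_admin` is probably sufficient and the `- sys_module` line can likely be dropped; this is worth confirming on the target host. `image: tailscale/tailscale:latest` also floats, so a later pull silently changes the binary that holds the node's auth state in the `tailscale` volume. Pin it, e.g. `image: tailscale/tailscale:<version>@sha256:<digest>` (placeholders).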
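Review bot: When `PB_SECRET` is unset, the `SECRET=` line in docker-entrypoint.sh generates a new seed on every container start, so whatever clink derives from `-s` presumably stops matching the data that persists in `/clink-data` after a restart. If that is not intended, generate the seed once and keep it in an owner-only file outside the directory clink serves, or at least document it above the assignment with `# NOTE: without PB_SECRET a new seed is generated on every start`. The seed is also passed as an argv value, so it is readable from the process list by anything sharing the PID namespace; whether clink can take it from a file or the environment instead is not visible in this diff.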