diff --git a/hosts/aristotle/configuration.nix b/hosts/aristotle/configuration.nix
index 8a7d3a7..717167c 100644
--- a/hosts/aristotle/configuration.nix
+++ b/hosts/aristotle/configuration.nix
@@ -9,6 +9,8 @@
     ../../modules/sops
   ];
 
+  nixpkgs.overlays = [ (import ../../overlays) ];
+
   # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
   boot.loader.grub.enable = false;
   # Enables the generation of /boot/extlinux/extlinux.conf
diff --git a/hosts/plato/configuration.nix b/hosts/plato/configuration.nix
index df107da..81389fa 100644
--- a/hosts/plato/configuration.nix
+++ b/hosts/plato/configuration.nix
@@ -23,6 +23,7 @@ in {
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   nixpkgs.config.allowUnfree = true;
+  nixpkgs.overlays = [ (import ../../overlays) ];
 
   # Set your time zone.
   time.timeZone = "America/Toronto";
diff --git a/hosts/socrates/configuration.nix b/hosts/socrates/configuration.nix
index 9515e2c..2ed14e9 100644
--- a/hosts/socrates/configuration.nix
+++ b/hosts/socrates/configuration.nix
@@ -17,6 +17,8 @@ in {
     ../../modules/matrix/nginx.nix
   ];
 
+  nixpkgs.overlays = [ (import ../../overlays) ];
+
   boot.cleanTmpDir = true;
 
   # Set your time zone.
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..63d4ebf
--- /dev/null
+++ b/overlays/default.nix
@@ -0,0 +1,3 @@
+self: super: {
+  tailscale = super.callPackage ../pkgs/tailscale/default.nix { };
+}
diff --git a/pkgs/tailscale/default.nix b/pkgs/tailscale/default.nix
new file mode 100644
index 0000000..23fb2e6
--- /dev/null
+++ b/pkgs/tailscale/default.nix
@@ -0,0 +1,42 @@
+{ lib, stdenv, buildGo117Module, fetchFromGitHub, makeWrapper, iptables, iproute2, procps }:
+
+buildGo117Module rec {
+  pname = "tailscale";
+  version = "1.18.0";
+
+  src = fetchFromGitHub {
+    owner = "tailscale";
+    repo = "tailscale";
+    rev = "v${version}";
+    sha256 = "sha256-bexcln2BTYZo17zyxJKiRt7xkMEgAijRsl9HxHEA9og=";
+  };
+
+  nativeBuildInputs = lib.optionals stdenv.isLinux [ makeWrapper ];
+
+  CGO_ENABLED = 0;
+
+  vendorSha256 = "sha256-ulgTwnuisnkQf0WLQhZ70MwuOpZuroh7ShxBGyv0d0k=";
+
+  doCheck = false;
+
+  subPackages = [ "cmd/tailscale" "cmd/tailscaled" ];
+
+  tags = [ "xversion" ];
+
+  ldflags = [ "-X tailscale.com/version.Long=${version}" "-X tailscale.com/version.Short=${version}" ];
+
+  postInstall = lib.optionalString stdenv.isLinux ''
+    wrapProgram $out/bin/tailscaled --prefix PATH : ${lib.makeBinPath [ iproute2 iptables ]}
+    wrapProgram $out/bin/tailscale --suffix PATH : ${lib.makeBinPath [ procps ]}
+
+    sed -i -e "s#/usr/sbin#$out/bin#" -e "/^EnvironmentFile/d" ./cmd/tailscaled/tailscaled.service
+    install -D -m0444 -t $out/lib/systemd/system ./cmd/tailscaled/tailscaled.service
+  '';
+
+  meta = with lib; {
+    homepage = "https://tailscale.com";
+    description = "The node agent for Tailscale, a mesh VPN built on WireGuard";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ danderson mbaillie ];
+  };
+}
diff --git a/shell.nix b/shell.nix
index 4a040a6..a190a0d 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,6 +1,9 @@
 let
   sources = import ./nix/sources.nix;
-  pkgs = import sources.nixpkgs { };
+  pkgs = import sources.nixpkgs {
+    overlays = [ (import ./overlays) ];
+    config = { };
+  };
 in
 pkgs.mkShell {
   name = "athens";