diff --git a/cmd/tailscaled/tailscaled.defaults b/cmd/tailscaled/tailscaled.defaults
new file mode 100644
index 000000000..144ddd51c
--- /dev/null
+++ b/cmd/tailscaled/tailscaled.defaults
@@ -0,0 +1,8 @@
+# Set the port to listen on for incoming VPN packets.
+# Remote nodes will automatically be informed about the new port number,
+# but you might want to configure this in order to set external firewall
+# settings.
+PORT="41641"
+
+# Extra flags you might want to pass to relaynode.
+FLAGS=""
diff --git a/cmd/tailscaled/tailscaled.service b/cmd/tailscaled/tailscaled.service
new file mode 100644
index 000000000..809977dbd
--- /dev/null
+++ b/cmd/tailscaled/tailscaled.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target
+
+[Service]
+EnvironmentFile=/etc/default/tailscaled
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=$PORT $FLAGS
+
+Restart=on-failure
+StartLimitIntervalSec=0
+
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0750
+# TODO(danderson): make a less privileged user and grant pinhole CAP_*.
+User=root
+Group=root
+
+[Install]
+WantedBy=multi-user.target