diff --git a/.gitignore b/.gitignore
index d21c49e..6cb7347 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 filebrowser/filebrowser.db
 filebrowser/tailscale-state/**
 comfyui/tailscale-state/**
+llama/tailscale-state/**
diff --git a/docker-compose.yml b/docker-compose.yml
index ba9d412..0fdd33e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -68,3 +68,31 @@ services:
       - ./filebrowser/nginx.conf:/etc/nginx/nginx.conf:ro
       - ./.htpasswd:/etc/nginx/.htpasswd:ro
     network_mode: service:filebrowser_tailscale
+
+  llama_tailscale:
+    image: tailscale/tailscale:latest
+    hostname: llama
+    environment:
+      - TS_AUTHKEY=tskey-auth-kNm64Dbcts11CNTRL-4eLQjm2pQYCLdy285gNaYCFDF1KTjP71
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_SERVE_CONFIG=/config/ts_serve.json
+      - TS_USERSPACE=false
+    volumes:
+      - ./llama/tailscale-state:/var/lib/tailscale
+      - ./llama/ts_serve.json:/config/ts_serve.json
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - net_admin
+      - net_raw
+    restart: unless-stopped
+
+  llama_nginx:
+    image: nginx:latest
+    depends_on:
+      - llama_tailscale
+    restart: unless-stopped
+    volumes:
+      - ./llama/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./.htpasswd:/etc/nginx/.htpasswd:ro
+    network_mode: service:llama_tailscale
diff --git a/llama/nginx.conf b/llama/nginx.conf
new file mode 100644
index 0000000..3858163
--- /dev/null
+++ b/llama/nginx.conf
@@ -0,0 +1,48 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 256;
+    gzip_proxied any;
+    gzip_types
+        application/json
+        application/javascript
+        application/xml
+        application/xml+rss
+        text/css
+        text/javascript
+        text/plain
+        text/xml;
+
+    server {
+        listen 80;
+        server_name _;
+
+        auth_basic "Restricted Access";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+
+        client_max_body_size 100M;
+
+        location / {
+            proxy_pass http://workstation:5082;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
+        }
+    }
+}
diff --git a/llama/ts_serve.json b/llama/ts_serve.json
new file mode 100644
index 0000000..3984161
--- /dev/null
+++ b/llama/ts_serve.json
@@ -0,0 +1,19 @@
+{
+  "TCP": {
+    "443": {
+      "HTTPS": true
+    }
+  },
+  "Web": {
+    "llama.story-basking.ts.net:443": {
+      "Handlers": {
+        "/": {
+          "Proxy": "http://127.0.0.1:80"
+        }
+      }
+    }
+  },
+  "AllowFunnel": {
+    "llama.story-basking.ts.net:443": true
+  }
+}