diff --git a/cookbooks/boxcutter_builder/metadata.rb b/cookbooks/boxcutter_builder/metadata.rb
index 5e12de7..4decb80 100644
--- a/cookbooks/boxcutter_builder/metadata.rb
+++ b/cookbooks/boxcutter_builder/metadata.rb
@@ -12,3 +12,4 @@ depends 'boxcutter_github'
 depends 'boxcutter_ubuntu_desktop'
 depends 'boxcutter_nvidia'
+depends 'boxcutter_tailscale'
diff --git a/cookbooks/boxcutter_builder/recipes/default.rb b/cookbooks/boxcutter_builder/recipes/default.rb
index 156fc24..89a75ea 100644
--- a/cookbooks/boxcutter_builder/recipes/default.rb
+++ b/cookbooks/boxcutter_builder/recipes/default.rb
@@ -229,6 +229,21 @@ ] if aws_amd64_github_self_host_runner_list.include?(node['hostname'])
+ # op item get 'tailscale oauth automation-sandbox-write-blue' --vault Automation-Sandbox
+ # op item get v5zvz2gomyzhgow46esj7txneu --format json
+ tailscale_oauth_client_id_write_blue = Polymath::OnePassword.op_read('op://Automation-Sandbox/tailscale oauth write blue/username')
+ tailscale_oauth_client_secret_write_blue = Polymath::OnePassword.op_read('op://Automation-Sandbox/tailscale oauth write blue/credential')
+ node.run_state['boxcutter_tailscale'] ||= {}
+ node.run_state['boxcutter_tailscale']['oauth_client_id'] = tailscale_oauth_client_id_write_blue
+ node.run_state['boxcutter_tailscale']['oauth_client_secret'] = tailscale_oauth_client_secret_write_blue
+ node.default['boxcutter_tailscale']['enable'] = true
+ node.default['boxcutter_tailscale']['ephemeral'] = false
+ node.default['boxcutter_tailscale']['use_tailscale_dns'] = false
+ node.default['boxcutter_tailscale']['shields_up'] = false
+ node.default['boxcutter_tailscale']['hostname'] = 'aws-boxcutter-amd64-github-runner'
+ node.default['boxcutter_tailscale']['tags'] = ['chef']
+ include_recipe 'boxcutter_tailscale::default'
+ include_recipe 'boxcutter_users::default'
 include_recipe 'boxcutter_docker::default'
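Review bot: The added block in recipes/default.rb joins a GitHub self-hosted runner to the tailnet with `shields_up` and `ephemeral` both set to false, and nothing in the hunk says why a host that executes CI jobs needs to accept inbound tailnet connections or persist as a device. Unless inbound access over Tailscale is required, `node.default['boxcutter_tailscale']['shields_up'] = true` is the safer setting here; otherwise add a one-line comment naming the service that needs it and what the `chef` tag is permitted to reach. The credential is read from an item named "write blue", which suggests a write-scoped OAuth client, so it is worth confirming that `boxcutter_tailscale::default` (not visible here) keeps `oauth_client_secret` out of files and command lines that runner jobs can read. The hostname is a fixed string while the guard matches a list of hosts, so more than one runner would presumably register under the same name. The enclosing `if` ends outside the hunk.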