diff --git a/protonmail-bridge-tailscale/.helmignore b/protonmail-bridge-tailscale/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/protonmail-bridge-tailscale/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/protonmail-bridge-tailscale/Chart.yaml b/protonmail-bridge-tailscale/Chart.yaml
new file mode 100644
index 0000000..30299b0
--- /dev/null
+++ b/protonmail-bridge-tailscale/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: protonmail-bridge-tailscale
+description: A Helm chart for deploying protonmail-bridge over Tailscale
+type: application
+version: 0.1.0
+appVersion: "3.12.0-1"
diff --git a/protonmail-bridge-tailscale/templates/_helpers.tpl b/protonmail-bridge-tailscale/templates/_helpers.tpl
new file mode 100644
index 0000000..c18c1c5
--- /dev/null
+++ b/protonmail-bridge-tailscale/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "protonmail-bridge-tailscale.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "protonmail-bridge-tailscale.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "protonmail-bridge-tailscale.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "protonmail-bridge-tailscale.labels" -}}
+helm.sh/chart: {{ include "protonmail-bridge-tailscale.chart" . }}
+{{ include "protonmail-bridge-tailscale.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "protonmail-bridge-tailscale.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "protonmail-bridge-tailscale.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "protonmail-bridge-tailscale.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "protonmail-bridge-tailscale.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/protonmail-bridge-tailscale/templates/certificates-pvc.yaml b/protonmail-bridge-tailscale/templates/certificates-pvc.yaml
new file mode 100644
index 0000000..04cce35
--- /dev/null
+++ b/protonmail-bridge-tailscale/templates/certificates-pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: certificates-pvc
+spec:
+ accessModes:
+ - {{ .Values.containers.cert-pvc.accessModes}}
+ storageClassName: {{ .Values.containers.cert-pvc.storageClassName }}
+ resources:
+ requests:
+ storage: {{ .Values.containers.cert-pvc.storageSize }}
diff --git a/protonmail-bridge-tailscale/templates/deployment.yaml b/protonmail-bridge-tailscale/templates/deployment.yaml
new file mode 100644
index 0000000..1db87c7
--- /dev/null
+++ b/protonmail-bridge-tailscale/templates/deployment.yaml
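Review bot: `.Values.containers.cert-pvc.accessModes` in certificates-pvc.yaml will not parse, because Go templates do not accept a hyphen in a dotted field name; the same applies to every `.Values.containers.protonmail-bridge.*` reference in deployment.yaml and protonmail-bridge-pvc.yaml. Read the key with `index`, e.g. `{{ (index .Values.containers "cert-pvc").storageSize }}`, or rename the values keys to `certPvc` / `protonmailBridge`. The claim name `certificates-pvc` is also fixed rather than derived from the release, so a second release in the same namespace would collide on it; the `protonmail-bridge-tailscale.fullname` helper defined in _helpers.tpl could prefix the name.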
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: protonmail-bridge-tailscale
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ spec:
+ containers:
+ - image: shenxn/protonmail-bridge:{{ .Values.containers.protonmail-bridge.tag }}
+ name: protonmail-bridge
+ volumeMounts:
+ - mountPath: /root
+ name: protonmail
+ - mountPath: /certs
+ name: certificates
+ - image: tailscale/tailscale:{{ .Values.containers.tailscale.tag }}
+ name: ts-protonmail-bridge
+ env:
+ - name: TS_HOSTNAME
+ value: {{ .Values.containers.tailscale.hostname }}
+ - name: TS_STATE_DIR
+ value: /var/lib/tailscale
+ - name: TS_AUTHKEY
+ valueFrom:
+ secretKeyRef:
+ name: tailscale-auth
+ key: TS_AUTHKEY
+ - name: TS_EXTRA_ARGS
+ valueFrom:
+ secretKeyRef:
+ name: tailscale-auth
+ key: TS_EXTRA_ARGS
+ - name: TS_USERSPACE
+ value: false
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN", "SYS_MODULE"]
+ volumeMounts:
+ - mountPath: /certs
+ name: certificates
+ - mountPath: /var/lib/tailscale
+ name: tailscale-state
+ restartPolicy: Always
+ volumes:
+ - name: protonmail
+ persistentVolumeClaim:
+ claimName: protonmail-bridge-pvc
+ - name: certificates
+ persistentVolumeClaim:
+ claimName: certificates-pvc
+ - name: tailscale-state
+ persistentVolumeClaim:
+ claimName: tailscale-state-pvc
diff --git a/protonmail-bridge-tailscale/templates/protonmail-bridge-pvc.yaml b/protonmail-bridge-tailscale/templates/protonmail-bridge-pvc.yaml
new file mode 100644
index 0000000..43dd073
--- /dev/null
+++ b/protonmail-bridge-tailscale/templates/protonmail-bridge-pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: protonmail-bridge-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: {{ .Values.containers.protonmail-bridge.pvc.storageClassName }}
+ resources:
+ requests:
+ storage: {{ .Values.containers.protonmail-bridge.pvc.storageSize }}
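Review bot: In deployment.yaml the tailscale container's `add: ["NET_ADMIN", "SYS_MODULE"]` grants CAP_SYS_MODULE, which allows loading kernel modules on the node; unless the target nodes are known to need it, `add: ["NET_ADMIN"]` is the narrower grant, and the protonmail-bridge container carries no securityContext at all. In the same container, `value: false` for TS_USERSPACE is a YAML boolean while env values must be strings, so it should read `value: "false"`. The Deployment also has no `spec.selector` and its `template.metadata` is empty, whereas apps/v1 requires a selector that matches the pod template's labels; the `selectorLabels` helper in _helpers.tpl fits both places. The `tailscale-auth` Secret is referenced but not created by any template in this diff, so the chart should document it as a prerequisite.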
diff --git a/protonmail-bridge-tailscale/templates/tailscale-state-pvc.yaml b/protonmail-bridge-tailscale/templates/tailscale-state-pvc.yaml
new file mode 100644
index 0000000..5f5da80
--- /dev/null
+++ b/protonmail-bridge-tailscale/templates/tailscale-state-pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: tailscale-state-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: {{ .Values.containers.tailscale.pvc.storageClassName }}
+ resources:
+ requests:
+ storage: {{ .Values.containers.tailscale.pvc.storageSize }}
diff --git a/protonmail-bridge-tailscale/values.yaml b/protonmail-bridge-tailscale/values.yaml
new file mode 100644
index 0000000..4ae8216
--- /dev/null
+++ b/protonmail-bridge-tailscale/values.yaml
@@ -0,0 +1,16 @@
+containers:
+ protonmail-bridge:
+ tag: {{ .Chart.appVersion }}
+ pvc:
+ storageClassName: longhorn
+ storageSize: 1Gi
+ tailscale:
+ pvc:
+ storageClassName: longhorn
+ storageSize: 100Mi
+ hostname: mail
+ cert-pvc:
+ accessModes: ReadWriteOnce
+ storageClassName: longhorn
+ storageSize: 10Mi
+
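Review bot: `tag: {{ .Chart.appVersion }}` in values.yaml will not be expanded, because Helm does not run values.yaml through the template engine, so the YAML parser sees a nested flow mapping rather than a version string. Set `tag: ""` here and apply the fallback in the template, e.g. `{{ (index .Values.containers "protonmail-bridge").tag | default .Chart.AppVersion }}` (the field is `AppVersion`, with a capital A). deployment.yaml also reads `containers.tailscale.tag`, which has no default in this file, so the tailscale image reference would render without a usable tag; add an explicit pinned version for it.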