diff --git a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
index a14ca81..5e30291 100644
--- a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
@@ -8,3 +8,11 @@ resources:
   - ../tailscale-operator-base
   - proxygroup-ingress.yaml
   - external-secret.yaml
+
+# Rewrite the proxyclass image to our local nix-built mirror.
+# Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
+# pulls from upstream docker.io.
+images:
+  - name: docker.io/tailscale/tailscale
+    newName: registry.ops.eblu.me/blumeops/tailscale
+    newTag: v1.94.2-67af7a8-nix
diff --git a/docs/changelog.d/mirror-tailscale-container.infra.md b/docs/changelog.d/mirror-tailscale-container.infra.md
new file mode 100644
index 0000000..54ca3ba
--- /dev/null
+++ b/docs/changelog.d/mirror-tailscale-container.infra.md
@@ -0,0 +1 @@
+Add local nix container build for `tailscale` (`containers/tailscale/default.nix`) so ringtail's tailscale-operator ProxyClass proxy pods pull from the forge mirror instead of `docker.io/tailscale/tailscale`. Pinned at v1.94.2 to match `service-versions.yaml`. Indri's tailscale-operator continues to use upstream during the k8s-to-ringtail migration.