diff --git a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
index 5e30291..2d9ceb2 100644
--- a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
@@ -11,8 +11,14 @@ resources:
 
 # Rewrite the proxyclass image to our local nix-built mirror.
 # Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
-# pulls from upstream docker.io.
-images:
-  - name: docker.io/tailscale/tailscale
-    newName: registry.ops.eblu.me/blumeops/tailscale
-    newTag: v1.94.2-67af7a8-nix
+# pulls from upstream docker.io. A strategic merge patch is used instead of
+# kustomize's `images:` directive because that directive only rewrites images
+# in standard k8s container fields, not custom-resource fields like
+# ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+patches:
+  - path: proxyclass-image.yaml
+    target:
+      group: tailscale.com
+      version: v1alpha1
+      kind: ProxyClass
+      name: default
diff --git a/argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml b/argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml
new file mode 100644
index 0000000..b585e22
--- /dev/null
+++ b/argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml
@@ -0,0 +1,11 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: default
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix
+      tailscaleInitContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix