diff --git a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
index 2d9ceb2..fc119c9 100644
--- a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
@@ -9,12 +9,19 @@ resources:
   - proxygroup-ingress.yaml
   - external-secret.yaml
 
-# Rewrite the proxyclass image to our local nix-built mirror.
-# Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
-# pulls from upstream docker.io. A strategic merge patch is used instead of
-# kustomize's `images:` directive because that directive only rewrites images
-# in standard k8s container fields, not custom-resource fields like
-# ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+# Rewrite the operator image to the locally nix-built (amd64) mirror.
+# The name must match the post-base-render image (base already rewrites
+# tailscale/k8s-operator -> docker.io/tailscale/k8s-operator).
+images:
+  - name: docker.io/tailscale/k8s-operator
+    newName: registry.ops.eblu.me/blumeops/tailscale-operator
+    newTag: v1.94.2-ac40a18-nix
+
+# Rewrite the proxyclass image to our local nix-built mirror (indri's overlay
+# carries the equivalent dagger/arm64 patch). A strategic merge patch is used
+# instead of kustomize's `images:` directive because that directive only
+# rewrites images in standard k8s container fields, not custom-resource fields
+# like ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
 patches:
   - path: proxyclass-image.yaml
     target:
diff --git a/argocd/manifests/tailscale-operator/kustomization.yaml b/argocd/manifests/tailscale-operator/kustomization.yaml
index f1d6f89..ad275a9 100644
--- a/argocd/manifests/tailscale-operator/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator/kustomization.yaml
@@ -14,3 +14,23 @@ resources:
   # Endpoints). Apply manually:
   #   kubectl --context=minikube-indri apply -f endpoints-forge.yaml
   - ingress-forge.yaml
+
+# Rewrite the operator image to the locally dagger-built (arm64) mirror.
+# The name must match the post-base-render image (base already rewrites
+# tailscale/k8s-operator -> docker.io/tailscale/k8s-operator).
+images:
+  - name: docker.io/tailscale/k8s-operator
+    newName: registry.ops.eblu.me/blumeops/tailscale-operator
+    newTag: v1.94.2-ac40a18
+
+# Rewrite the proxyclass image to the local mirror. A strategic merge patch
+# is used instead of kustomize's `images:` directive because that directive
+# only rewrites standard k8s container fields, not custom-resource fields
+# like ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+patches:
+  - path: proxyclass-image.yaml
+    target:
+      group: tailscale.com
+      version: v1alpha1
+      kind: ProxyClass
+      name: default
diff --git a/argocd/manifests/tailscale-operator/proxyclass-image.yaml b/argocd/manifests/tailscale-operator/proxyclass-image.yaml
new file mode 100644
index 0000000..eae73eb
--- /dev/null
+++ b/argocd/manifests/tailscale-operator/proxyclass-image.yaml
@@ -0,0 +1,11 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: default
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-ac40a18
+      tailscaleInitContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-ac40a18