diff --git a/README.md b/README.md index 2422c01..0c9eb06 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,9 @@ # tailscale-initramfs Run the [tailscale](https://tailscale.com) client in a Debian or Ubuntu -initramfs, to provide access to the Linux system prior to unlocking an encrypted -root filesystem. For instance, when combined with +initramfs, to provide access to the Linux system prior to unlocking an +encrypted root filesystem. When combined with [tailscale +ssh](https://tailscale.com/kb/1193/tailscale-ssh) or [dropbear-initramfs](https://packages.debian.org/stable/dropbear-initramfs), allows remote unlocking of an encrypted root filesystem from other systems in the tailnet. @@ -12,7 +13,8 @@ key](https://tailscale.com/kb/1085/auth-keys/) to log into your tailnet. Assign an [ACL tag](https://tailscale.com/kb/1068/acl-tags/#generate-an-auth-key-with-an-acl-tag ) to that auth key to lock down what access the pre-boot environment can have to -the rest of the tailnet. +the rest of the tailnet, i.e. to disallow all outbound access from the +initramfs, and only permit inbound connections. ## Install @@ -46,3 +48,9 @@ update-initramfs -c -k all the initramfs will show up as the existing device on the tailnet, but means the private key material is stored in the initramfs (which is commonly unencrypted). + +* [tailscale-initramfs by Lugoues](https://github.com/Lugoues/tailscale-initramfs) + + Similar to this package, but registers the initrd as a tailscale device when + you configure the package. The initrd device will be present in the tailnet + all the time. diff --git a/config/config b/config/config index 48dba5f..d07bc86 100644 --- a/config/config +++ b/config/config 
@@ -8,11 +8,13 @@ # --authkey, so can also be file:/path/to/secret (the file will be copied into # the initramfs). # -# Note that the config (and any key) is stored in the initramfs, which is -# often outside of a cryptroot. # - https://tailscale.com/kb/1068/acl-tags/#generate-an-auth-key-with-an-acl-tag # - https://tailscale.com/kb/1111/ephemeral-nodes/ # +# Note: The authkey (like this config file) is stored in the initramfs. If +# you're using disk encryption (LUKS), the initramfs is stored *unencrypted* in +# the boot partition. +# TAILSCALE_AUTHKEY= # @@ -35,8 +37,17 @@ TAILSCALE_AUTHKEY= #TAILSCALED_OPTIONS= # -# Set to any non-empty string to log out of tailscale before passing out of -# the initramfs. This is ineffective if some other package in the initramfs +# Set to any non-empty string to disable tailscale SSH +# - https://tailscale.com/kb/1193/tailscale-ssh +# Default: none +# +#TAILSCALE_DISABLE_SSH= + +# +# Set to any non-empty string to log out of tailscale before exiting out of +# the initramfs and continuing to boot the system. +# +# This is ineffective if some other package in the initramfs # (dropbear-initramfs) brings down the external interfaces. See IFDOWN in # dropbear-initramfs's config. # Default: none @@ -50,7 +61,7 @@ TAILSCALE_AUTHKEY= # # Tailscale will eventually fall back to bootstrapping DNS itself, but there's # no reason to rely on that (adds a slight delay). Tailscale's fallback is -# also problematic in some corner cases in some versions (see +# also problematic in some corner cases in some older versions (see # https://github.com/tailscale/tailscale/issues/6110). # #FALLBACK_DNS_SERVERS= diff --git a/debian/changelog b/debian/changelog index a1f2aae..005e8a5 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -2,6 +2,8 @@ tailscale-initramfs (0.4) UNRELEASED; urgency=medium * Copy the iptables userspace modules into the initramfs, so that tailscale is able to update iptables rules. + * Add Tailscale SSH support (allow tailscale to run its SSH server in the + initramfs). -- Paul Aurich Thu, 16 May 2024 19:20:32 -0700 diff --git a/debian/rules b/debian/rules index 0f6a310..61564dc 100755 --- a/debian/rules +++ b/debian/rules @@ -12,6 +12,6 @@ execute_after_dh_fixperms: chmod 600 debian/tailscale-initramfs/etc/tailscale/initramfs/config override_dh_builddeb: - # Workaround for building on Ubuntu and installing on Debian (Ubuntu uses - # zstd). https://bugs.debian.org/892664 + # Workaround for building on Ubuntu and installing on Debian prior to + # Bookworm (Ubuntu uses zstd). https://bugs.debian.org/892664 dh_builddeb -- -Zxz diff --git a/hooks/tailscale b/hooks/tailscale index 12f3943..5b32c85 100755 --- a/hooks/tailscale +++ b/hooks/tailscale @@ -44,6 +44,21 @@ manual_add_modules tun copy_file config /etc/ssl/certs/ca-certificates.crt copy_file config /etc/hostname /etc/tailscale/initramfs/hostname +if [ -z "${TAILSCALE_DISABLE_SSH:-}" ]; then + copy_exec /usr/bin/getent bin + + # Create root user/group for 'tailscale ssh', if another hook (i.e. dropbear) hasn't + if ! grep -sq '^root:' "$DESTDIR/etc/passwd"; then + home="$(mktemp --directory -- "$DESTDIR/root-XXXXXXXXXX")" + chmod 0700 -- "$home" + echo "root:x:0:0:root:${home#"$DESTDIR"}:/bin/sh" >> "$DESTDIR/etc/passwd" + fi + + if ! grep -sq '^root:' "$DESTDIR/etc/group"; then + echo "root:x:0:" >> "$DESTDIR/etc/group" + fi +fi + if [ -e /etc/tailscale/initramfs/config ]; then cp -pt "$DESTDIR/etc/tailscale/initramfs" /etc/tailscale/initramfs/config . /etc/tailscale/initramfs/config diff --git a/scripts/init-premount/tailscale b/scripts/init-premount/tailscale index 55d93fc..b1c607c 100755 --- a/scripts/init-premount/tailscale +++ b/scripts/init-premount/tailscale 
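Review bot: `TAILSCALE_DISABLE_SSH` is tested at the top of the added block in hooks/tailscale before the hook sources `/etc/tailscale/initramfs/config`, which on the visible context lines happens only after the block, so a value set in the config file cannot disable the SSH preparation here unless the config is also sourced earlier in the hook, outside this hunk. The effect would be that `getent` is copied and the `root` passwd/group entries are created even when SSH is disabled, while the init-premount script honours the setting; moving the whole `if [ -z "${TAILSCALE_DISABLE_SSH:-}" ]; then … fi` block below the `. /etc/tailscale/initramfs/config` line (or sourcing the config before the check) would make the two scripts agree. The `grep -sq '^root:'` guards and the `chmod 0700 -- "$home"` on the mktemp-created home are the right shape for a pre-boot root account; a one-line comment such as `# root gets a real home and login shell only so 'tailscale ssh' can spawn sessions; authentication is done by tailscaled, not by this entry` would tell a later maintainer why the password field is `x` with no shadow file.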
@@ -77,7 +77,11 @@ run_tailscale() { log_begin_msg "Starting tailscale" - local options="--state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock" + local client_options="" + if [ -z "${TAILSCALE_DISABLE_SSH:-}" ]; then + client_options="$client_options --ssh" + fi + local daemon_options="--state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock" # FIXME: This races with dropbear-initramfs bringing up the network # asynchronously @@ -101,13 +105,13 @@ run_tailscale() # A little race-y to start the client before the daemon, but the client # will attempt to connect to the socket for a while. - # https://github.com/tailscale/tailscale/blob/8cf1af8a0703c36256fc58e98ddb63b8907848f1/safesocket/safesocket.go#L119-L122 - /bin/tailscale --socket=/run/tailscale/tailscaled.sock up --authkey="${TAILSCALE_AUTHKEY}" --hostname="${TAILSCALE_HOSTNAME}" $TAILSCALE_OPTIONS & + # https://github.com/tailscale/tailscale/blob/0cce456ee5bf45b555521109ff525ef81adb9650/safesocket/safesocket.go#L35-L65 + /bin/tailscale --socket=/run/tailscale/tailscaled.sock up --authkey="${TAILSCALE_AUTHKEY}" --hostname="${TAILSCALE_HOSTNAME}" $client_options ${TAILSCALE_OPTIONS-} & if [ "${debug:-}" != y ]; then exec 2>/run/initramfs/tailscale.log fi - exec /sbin/tailscaled $options $TAILSCALED_OPTIONS + exec /sbin/tailscaled $daemon_options ${TAILSCALED_OPTIONS-} } [ "$BOOT" = nfs ] && configure_networking
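Review bot: The new `--ssh` default turns on a root login path in the pre-boot environment with nothing at the `client_options="$client_options --ssh"` line recording that, so a reader of run_tailscale() alone does not see what enabling SSH exposes. The hook half of this commit creates `root` with a `/bin/sh` login shell precisely so that Tailscale SSH can spawn sessions, and which peers may open them is, as far as I know, governed by the tailnet's SSH policy rules rather than by anything in this script; I'd add above the `if [ -z "${TAILSCALE_DISABLE_SSH:-}" ]` line: `# --ssh lets tailscaled accept SSH sessions as root inside the initramfs; set TAILSCALE_DISABLE_SSH in the config to opt out.` Separately, the rewritten `/bin/tailscale ... up` line still passes the auth key on argv, which is pre-existing behaviour, but since the line is being touched it is worth a comment pointing at the `file:/path/to/secret` form the config already documents, which keeps the key out of the process list. The leading space that `client_options` accumulates is harmless under word-splitting but is a style nit. run_tailscale() begins before the first hunk.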