diff --git a/hack/debug-tsnet.yaml b/hack/debug-tsnet.yaml
new file mode 100644
index 0000000..919c0ce
--- /dev/null
+++ b/hack/debug-tsnet.yaml
@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: debug-tsnet
+spec:
+ shareProcessNamespace: true
+ containers:
+ - name: tailscale
+ image: ghcr.io/tailscale/tailscale:v1.50.1
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - |
+ export PATH=$PATH:/tailscale/bin
+ export PINGIP="100.64.0.20"
+ export PROCESS_TO_WAIT_FOR="bash"
+ set -e
+
+ if [[ ! -d /dev/net ]]; then
+ mkdir -p /dev/net
+ fi
+ if [[ ! -c /dev/net/tun ]]; then
+ mknod /dev/net/tun c 10 200
+ fi
+
+ echo "==> Starting tailscaled in background"
+ tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp &
+ TS_PID=$!
+
+ echo "==> Running tailscale up"
+ tailscale --socket=/tmp/tailscaled.sock up --authkey=${TS_AUTH_KEY} --accept-dns=false --login-server https://headscale.tbrnt.ch
+
+ echo "==> Waiting for Tailscale to connect properly"
+ until tailscale --socket=/tmp/tailscaled.sock status; do
+ echo "... Tailscale not ready yet"
+ sleep 2
+ done
+
+ echo "==> Checking Tailscale connection to target"
+ until tailscale --socket=/tmp/tailscaled.sock ping $PINGIP; do
+ echo "==> ... No Tailscale connection yet"
+ sleep 2
+ done
+
+ echo "==> Checking network connection to brunnernas"
+ until ping -c1 $PINGIP; do
+ echo "==> ... No network connection yet"
+ sleep 2
+ done
+
+ echo "==> Connected! Waiting for main container to exit"
+ while pidof $PROCESS_TO_WAIT_FOR > /dev/null; do sleep 1; done
+
+ echo "==> Main container ended - stopping Tailscale"
+ kill -s SIGINT $TS_PID
+ wait ${TS_PID}
+ env:
+ - name: TS_AUTH_KEY
+ valueFrom:
+ secretKeyRef:
+ key: TS_AUTH_KEY
+ name: tailscale-auth-backup
+ resources: {}
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - name: debugger
+ image: docker.io/nicolaka/netshoot:latest
+ imagePullPolicy: Always
+ command: ["/bin/bash"]
+ args: ["-c", "while true; do ping -i 10 localhost; sleep 60;done"]
+ resources: {}
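Review bot: The auth key is placed on a command line (`--authkey=${TS_AUTH_KEY}`) inside a pod that sets `shareProcessNamespace: true`, so for as long as `tailscale up` runs its argv — and the secret with it — is readable from the debugger container through `/proc/<pid>/cmdline`, and the shell's `/proc/<pid>/environ` is likewise readable whenever both containers run as the same uid, which appears to be the case here. Since the key already lives in a Secret, mount it as a file and let the CLI read it with `--authkey=file:/run/secrets/tailscale/TS_AUTH_KEY`, then drop the `env:` entry; the `file:` form of the flag has been in the CLI for a while, but confirm it against v1.50.1 before relying on it. Separately, the script runs `[[ … ]]` under `/bin/sh`; the busybox shell in the Tailscale image seems to accept it, but `[ … ]` is the portable spelling and avoids a silent failure if the base image changes.

```yaml
# … unchanged: pod metadata, shareProcessNamespace, tailscaled start …
              tailscale --socket=/tmp/tailscaled.sock up --authkey=file:/run/secrets/tailscale/TS_AUTH_KEY --accept-dns=false --login-server https://headscale.tbrnt.ch
# … unchanged: readiness loops, pidof wait, kill/wait …
      volumeMounts:
        - name: tailscale-auth
          mountPath: /run/secrets/tailscale
          readOnly: true
# … unchanged: resources, securityContext, debugger container …
  volumes:
    - name: tailscale-auth
      secret:
        secretName: tailscale-auth-backup
```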
diff --git a/hack/jspolicies/jspolicy-tailscale-proxy-injector.yaml b/hack/jspolicies/jspolicy-tailscale-proxy-injector.yaml
new file mode 100644
index 0000000..84ba371
--- /dev/null
+++ b/hack/jspolicies/jspolicy-tailscale-proxy-injector.yaml
@@ -0,0 +1,31 @@
+apiVersion: policy.jspolicy.com/v1beta1
+kind: JsPolicy
+metadata:
+ name: inject-tailscale-proxy.tbrnt.ch
+spec:
+ type: Mutating
+ operations: ["CREATE"]
+ resources: ["pods"]
+ scope: Namespaced
+ objectSelector:
+ matchLabels:
+ k8upjob: "true"
+ javascript: |
+ const httpProxy = {
+ name: "http_proxy",
+ value: "127.0.0.1:1055"
+ }
+ const httpsProxy = {
+ name: "https_proxy",
+ value: "127.0.0.1:1055"
+ }
+
+ request.object.spec.containers?.forEach(container => {
+ if (container.name.match(/^backup$/)) {
+ print("Found backup container, injecting env vars")
+ //container.env.push(httpProxy)
+ //container.env.push(httpsProxy)
+ }
+ });
+
+ mutate(request.object);
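Review bot: With both `container.env.push(...)` lines commented out, this policy intercepts every pod CREATE carrying `k8upjob: "true"` and then calls `mutate(request.object)` without changing anything, so it adds an admission round-trip (and an extra failure point if the policy server is unavailable) for no effect; either keep it out of the cluster until it is finished or re-enable the pushes. When they are re-enabled, note that `env` is optional on a container spec, so `.push` will throw on a container without it and the admission request will fail; guard it with `container.env = container.env || []` before pushing. The proxy values also carry no scheme (`127.0.0.1:1055`); Go's proxy resolution tolerates that by assuming `http://`, but other HTTP clients do not, so `http://127.0.0.1:1055` is the safer value if the backup container's tooling is not guaranteed to be Go.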