diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..de971bd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+derper/derper.env
+derper/certbot.env
+derper/letsencrypt
+derper/certs
+derper/logs
\ No newline at end of file
diff --git a/derper/Dockerfile b/derper/Dockerfile
new file mode 100644
index 0000000..6c499fa
--- /dev/null
+++ b/derper/Dockerfile
@@ -0,0 +1,32 @@
+# ─── Stage 1: Build derper ────────────────────────────────────────────
+FROM golang:1.24 AS builder
+WORKDIR /src
+
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+ go install -ldflags="-s -w -extldflags=-static" \
+ tailscale.com/cmd/derper@main
+
+# ─── Stage 2: Final image ────────────────────────────────────────────
+FROM alpine:3.14
+LABEL maintainer="you@example.com"
+
+RUN apk add --no-cache \
+ bash \
+ curl \
+ jq \
+ openssl \
+ certbot \
+ bind-tools \
+ ca-certificates \
+ wget \
+ tar
+
+# 工作目录 & 日志目录
+WORKDIR /app
+
+# 复制 derper 二进制 & 脚本
+COPY --from=builder /go/bin/derper /app/derper
+COPY scripts/ /app/scripts/
+RUN chmod +x /app/derper /app/scripts/*.sh
+
+
diff --git a/derper/docker-compose.yml b/derper/docker-compose.yml
new file mode 100644
index 0000000..c94ec02
--- /dev/null
+++ b/derper/docker-compose.yml
@@ -0,0 +1,36 @@
+version: "3.8"
+
+services:
+ derper:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ image: hotwa/derper:latest
+ container_name: derper
+ restart: unless-stopped
+ env_file:
+ - derper.env
+ ports:
+ - "3477:3477"
+ - "3478:3478/udp"
+ volumes:
+ - ./letsencrypt:/etc/letsencrypt
+ - ./certs:/app/certs
+ - ./logs:/var/log/certbot
+ - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro
+ # tailscale login first require
+ entrypoint: [""]
+ command:
+ - /bin/bash
+ - -c
+ - |
+ /app/derper \
+ -hostname headscale.jmsu.top \
+ -certdir /app/certs \
+ -certmode manual \
+ -a :3477 \
+ -stun-port 3478 \
+ -http-port -1 \
+ -verify-clients
+
+
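Review bot: The final stage starting at `FROM alpine:3.14` never switches away from root, so derper and the copied scripts run as UID 0 in the container; after the `RUN chmod +x …` line add a dedicated account, e.g. `RUN adduser -S -D -H derper` followed by `USER derper`, which is compatible with the unprivileged ports 3477/3478 the compose file passes to the binary. `go install … tailscale.com/cmd/derper@main` builds whatever the branch head is at build time, so two builds of this Dockerfile can yield different binaries; pin a release tag (`@vX.Y.Z` as a placeholder) so the image is reproducible and auditable, and consider `GOARCH=$TARGETARCH` instead of hard-coded `amd64`. `alpine:3.14` is a long-unsupported release that no longer receives package security updates, and the runtime stage installs certbot, bash, jq, wget, bind-tools and openssl that the derper container in docker-compose.yml does not appear to use (certbot runs in a separate image there), so a current alpine tag with little more than `ca-certificates` would shrink the attack surface. The stage also defines no `ENTRYPOINT`/`CMD`, which is why the compose file has to set `entrypoint: [""]` and supply the whole command; an exec-form `ENTRYPOINT ["/app/derper"]` here would make the image usable on its own.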
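Review bot: The `command` block runs derper through `/bin/bash -c` without `exec`, so bash is PID 1 and the `SIGTERM` sent by `docker stop` never reaches derper, which is then killed after the grace period instead of shutting down cleanly; change the first line of the script to `exec /app/derper \`. `image: hotwa/derper:latest` is a floating tag and `version: "3.8"` is ignored by current Compose; the hostname and listen ports are hard-coded in the command while `derper.env` is loaded via `env_file`, so it is not clear from this hunk which variables that file is expected to provide — a short comment above `env_file:` listing them, or a committed example file, would help the next operator. The `-verify-clients` flag depends on the read-only `tailscaled.sock` mount, as the `# tailscale login first require` comment hints; spelling that out as `# -verify-clients needs the host tailscaled socket mounted below; log in with tailscale on the host first` would make the dependency explicit.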
diff --git a/derper/install.sh b/derper/install.sh
new file mode 100644
index 0000000..22f40e3
--- /dev/null
+++ b/derper/install.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+cd /opt/certbot-aliyun-docker/derper
+docker run --rm \
+ -e REGION=cn-hangzhou \
+ -e ACCESS_KEY_ID=LTAI5tP1yWFMMJhF6nrGYEit \
+ -e ACCESS_KEY_SECRET=xBEMX76UwvO21DCES2605VM0kAU7TV \
+ -e DOMAIN=headscale.jmsu.top \
+ -e EMAIL=pylyzeng@gmail.com \
+ -e CRON_SCHEDULE="0 0 * * *" \
+ -v "$PWD/letsencrypt:/etc/letsencrypt" \
+ -v "$PWD/certs:/app/certs" \
+ -v "$PWD/logs:/var/log/certbot" \
+ hotwa/certbot:latest \
+ certbot certonly \
+ -d "*.headscale.jmsu.top" \
+ --manual \
+ --preferred-challenges dns \
+ --manual-auth-hook "alidns" \
+ --manual-cleanup-hook "alidns clean" \
+ --email pylyzeng@gmail.com \
+ --agree-tos \
+ --non-interactive \
+ -v
\ No newline at end of file
diff --git a/derper/renew.sh b/derper/renew.sh
new file mode 100644
index 0000000..286db08
--- /dev/null
+++ b/derper/renew.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+cd /opt/certbot-aliyun-docker/derper
+docker run --rm \
+ -e REGION=cn-hangzhou \
+ -e ACCESS_KEY_ID=LTAI5tP1yWFMMJhF6nrGYEit \
+ -e ACCESS_KEY_SECRET=LTAI5tP1yWFMMJhF6nrGYEit \
+ -e DOMAIN=headscale.jmsu.top \
+ -e EMAIL=pylyzeng@gmail.com \
+ -v "$PWD/letsencrypt:/etc/letsencrypt" \
+ -v "$PWD/certs:/app/certs" \
+ -v "$PWD/logs:/var/log/certbot" \
+ hotwa/certbot:latest \
+ certbot renew \
+ --manual \
+ --preferred-challenges dns \
+ --manual-auth-hook "alidns" \
+ --manual-cleanup-hook "alidns clean" \
+ --deploy-hook "/app/scripts/webhook.sh" \
+ --no-random-sleep-on-renew \
+ -v
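Review bot: The `-e ACCESS_KEY_ID=` and `-e ACCESS_KEY_SECRET=` lines commit an Aliyun AccessKey pair in plaintext to the repository (renew.sh in this commit does the same), so the key is now in git history and should be treated as compromised: rotate it on the Aliyun side and keep the new one out of the tree. The `.gitignore` hunk already excludes `derper/certbot.env`, which looks like the intended home for these values; replace the two `-e ACCESS_KEY_…` lines with `--env-file "$PWD/certbot.env" \` and leave only non-secret settings inline. `cd /opt/certbot-aliyun-docker/derper` has no failure check, so if the directory is missing the `docker run` still executes with `$PWD` pointing at the caller's directory and bind-mounts the wrong paths; use `cd /opt/certbot-aliyun-docker/derper || exit 1` and add `set -euo pipefail` after the shebang. Note also that the wildcard `-d "*.headscale.jmsu.top"` does not cover the apex name `headscale.jmsu.top` that docker-compose.yml passes to derper as `-hostname`; unless another certificate covers it, add a second `-d headscale.jmsu.top`.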
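Review bot: In renew.sh the `-e ACCESS_KEY_SECRET=` line carries the same value as `ACCESS_KEY_ID` (compare install.sh), which reads as a copy-paste slip; the alidns hook would presumably fail to authenticate and every scheduled renewal would fail until the certificate expires. Loading both values from the ignored `certbot.env` (`--env-file "$PWD/certbot.env" \`) removes the duplicated literal rather than correcting it in place. `--deploy-hook "/app/scripts/webhook.sh"` names a path that this commit only installs into the derper image (`COPY scripts/ /app/scripts/` in derper/Dockerfile), while the hook executes inside `hotwa/certbot:latest`; unless that image also ships the script, certbot will report a deploy-hook error after each renewal, so either bind-mount it (`-v "$PWD/scripts/webhook.sh:/app/scripts/webhook.sh:ro"`) or confirm it exists there. The unchecked `cd` noted for install.sh applies here as well.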