diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..cd8f4c9
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,68 @@
+version: "3.9"
+
+services:
+ moonrelay:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ image: moonrelay:latest
+ container_name: moonrelay
+
+ restart: unless-stopped
+
+ ports:
+ - "8080:8080" # Web UI — access at http://:8080
+
+ volumes:
+ # Persist Tailscale node state across container restarts.
+ # Without this the node re-authenticates every restart.
+ - moonrelay-data:/data
+
+ environment:
+ # ── Tailscale ──────────────────────────────────────────────
+ # Generate a reusable auth key at:
+ # https://login.tailscale.com/admin/settings/keys
+ # Or leave blank — on first boot check container logs for a
+ # login URL and authenticate interactively.
+ TS_AUTHKEY: ""
+
+ # Name this device will appear as on your tailnet
+ TS_HOSTNAME: "moonrelay"
+
+ # Set to "1" to disable Tailscale (LAN-only mode)
+ MOONRELAY_NO_TS: "0"
+
+ # ── Server ─────────────────────────────────────────────────
+ MOONRELAY_PORT: "8080"
+ MOONRELAY_HOST: "0.0.0.0"
+
+ TZ: America/New_York # adjust to your timezone
+
+ # Tailscale's embedded WireGuard needs /dev/net/tun
+ devices:
+ - /dev/net/tun:/dev/net/tun
+
+ # Required for WireGuard kernel module access
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+
+ # Optional: restrict to a specific Docker network if you have one
+ # networks:
+ # - homelab
+
+ healthcheck:
+ test: ["CMD", "wget", "-qO-", "http://localhost:8080/api/status"]
+ interval: 30s
+ timeout: 5s
+ retries: 3
+ start_period: 15s
+
+volumes:
+ moonrelay-data:
+ driver: local
+
+# Uncomment if using a custom Docker network
+# networks:
+# homelab:
+# external: true
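Review bot: `TS_AUTHKEY: ""` under `environment:` invites pasting a reusable Tailscale auth key directly into a tracked compose file, where it is likely to end up in version control. I would read it from the environment instead, `TS_AUTHKEY: "${TS_AUTHKEY:-}"`, keep the value in an untracked `.env`, and reword the comment to recommend a one-off or tagged key rather than a reusable one. Separately, `- "8080:8080"` together with `MOONRELAY_HOST: "0.0.0.0"` publishes the web UI on every host interface; if the UI is meant to be reached over the tailnet (its authentication is not visible in this file), `- "127.0.0.1:8080:8080"` would be a safer default. `NET_RAW` is already part of Docker's default capability set, so that `cap_add` entry looks redundant and could be dropped to keep the grant list minimal.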