diff --git a/typescript/packages/toolshed/deno.json b/typescript/packages/toolshed/deno.json
index 8e304f7f1..570eb7441 100644
--- a/typescript/packages/toolshed/deno.json
+++ b/typescript/packages/toolshed/deno.json
@@ -1,12 +1,11 @@
 {
   "tasks": {
     "dev": "deno run -A --watch --env-file=.env index.ts",
+    "production": "deno run -A --env-file=.env index.ts",
     "test": "deno test -A --env-file=.env.test"
   },
   "fmt": {
-    "exclude": [
-      "./llm_documentation/*"
-    ]
+    "exclude": ["./llm_documentation/*"]
   },
   "imports": {
     "@/": "./",
diff --git a/typescript/packages/toolshed/deploy/deploy.sh b/typescript/packages/toolshed/deploy/deploy.sh
new file mode 100644
index 000000000..7a82efcab
--- /dev/null
+++ b/typescript/packages/toolshed/deploy/deploy.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+cd labs
+git pull origin main
+sudo systemctl restart toolshed@*
\ No newline at end of file
diff --git a/typescript/packages/toolshed/deploy/tailscale-serve.service b/typescript/packages/toolshed/deploy/tailscale-serve.service
new file mode 100644
index 000000000..b17ef53f6
--- /dev/null
+++ b/typescript/packages/toolshed/deploy/tailscale-serve.service
@@ -0,0 +1,15 @@
+# /etc/systemd/system/tailscale-serve.service
+
+[Unit]
+Description=Tailscale Serve Proxy
+After=network.target
+
+[Service]
+# Running as root so that binding to port 443 is allowed.
+User=root
+ExecStart=/usr/bin/tailscale serve --https=443 localhost:8080
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/typescript/packages/toolshed/deploy/toolshed.nginx.conf b/typescript/packages/toolshed/deploy/toolshed.nginx.conf
new file mode 100644
index 000000000..105b4c3af
--- /dev/null
+++ b/typescript/packages/toolshed/deploy/toolshed.nginx.conf
@@ -0,0 +1,81 @@
+# /etc/nginx/sites-enabled/toolshed.conf
+
+# Trust all proxies (adjust as needed)
+set_real_ip_from 0.0.0.0/0;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
+# Map backend_choice to just the port number for the header.
+map $backend_choice $served_from {
+    "127.0.0.1:8001" "8001";
+    "127.0.0.1:8002" "8002";
+    "127.0.0.1:8003" "8003";
+    "127.0.0.1:8004" "8004";
+    "127.0.0.1:8005" "8005";
+}
+
+# Use the client's IP as the sticky value.
+map $remote_addr $sticky_value {
+    default $remote_addr;
+}
+
+# Deterministically assign a backend server based on the client's IP.
+split_clients "$sticky_value" $backend_choice {
+    # NOTE: 8000 is running, but reserved for "internal" use, where our codebase
+    # makes requests to localhost:8000.
+    # 20%   127.0.0.1:8000;
+    20%   127.0.0.1:8001;
+    20%   127.0.0.1:8002;
+    20%   127.0.0.1:8003;
+    20%   127.0.0.1:8004;
+    20%   127.0.0.1:8005;
+}
+
+# Map for handling the upgrade header.
+map $http_upgrade $connection_upgrade {
+    default Upgrade;
+    ''      close;
+}
+
+server {
+    listen 8080;
+    server_name localhost;
+
+    location / {
+        add_header X-Served-From $served_from always;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header Tailscale-User-Login $http_tailscale_user_login;
+        proxy_pass http://$backend_choice;
+    }
+
+    location /api/storage/memory {
+        proxy_pass http://$backend_choice;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Tailscale-User-Login $http_tailscale_user_login;
+
+        # Increase timeouts for long-lived WebSocket connections.
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+    }
+
+    # Expose Nginx status at /_nginx.
+    location /_nginx {
+        # Enable the stub_status module.
+        stub_status;
+
+        # Optionally, restrict access to this endpoint.
+        # For example, only allow local connections:
+        # Allow all devices on the Tailscale network.
+        allow 100.64.0.0/10;
+        allow 127.0.0.1;
+        allow ::1;
+        deny all;
+    }
+}
\ No newline at end of file
diff --git a/typescript/packages/toolshed/deploy/toolshed@.service b/typescript/packages/toolshed/deploy/toolshed@.service
new file mode 100644
index 000000000..931152c88
--- /dev/null
+++ b/typescript/packages/toolshed/deploy/toolshed@.service
@@ -0,0 +1,15 @@
+# /etc/systemd/system/toolshed@.service
+[Unit]
+Description=Toolshed Deno Service instance on port %I
+After=network.target
+
+[Service]
+User=jake
+WorkingDirectory=/home/jake/labs/typescript/packages/toolshed
+Environment="PORT=%I"
+ExecStart=/bin/sh -c "/home/jake/.deno/bin/deno task production"
+Restart=always
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/typescript/packages/toolshed/index.ts b/typescript/packages/toolshed/index.ts
index 3fa1f75ef..f00b587bf 100644
--- a/typescript/packages/toolshed/index.ts
+++ b/typescript/packages/toolshed/index.ts
@@ -13,4 +13,4 @@ Sentry.init({
   tracesSampleRate: 1.0,
 });
 
-Deno.serve(app.fetch);
+Deno.serve({ port }, app.fetch);