diff --git a/README.md b/README.md
index 1aabffa..48ba78e 100644
--- a/README.md
+++ b/README.md
@@ -18,10 +18,24 @@ All services below are running under Docker, except NSD and Borg.
 - KMS server using [vlmcsd](https://github.com/Wind4/vlmcsd)
 - Cloud file storage using [Seafile](https://www.seafile.com)
 - Inbucket disposable webmail, Mailinator alternative (https://inbucket.org)
+- Cyberchef (https://cyberchef.geokunis2.nl)
 - Jitsi Meet (https://meet.jit.si)
 - RSS feed reader using [FreshRSS](https://miniflux.app/)
 - Metrics using [Prometheus](https://prometheus.io/)
+## Virtualization
+
+Currently this repository is ran as a physical server, but we intend to virtualize it.
+First, the whole server should be virtualized on a single virtual machine.
+After that, it will be split up into several virtual machines.
+The services on each virtual machine should have similar services/security properties.
+
+Provisional split of services on virtual machines:
+- "public web" VM: Mastodon, static HTML server, cyberchef, jitsi meet, inbucket
+- "data" VM: seafile, radicale, syncthing, freshrss
+- "management" VM: reverse proxy, prometheus, kms
+- "git" VM: forgejo. Because forgejo is a somewhat single point of failure, it should have its own VM.
+
 ## Possible future services
 - matrix
diff --git a/max.yml b/max.yml
index 03f786a..bf406dd 100644
--- a/max.yml
+++ b/max.yml
@@ -6,6 +6,7 @@
 - {role: 'forgejo', tags: 'forgejo'}
 - {role: 'syncthing', tags: 'syncthing'}
 - {role: 'kms', tags: 'kms'}
+ - {role: 'cyberchef', tags: 'cyberchef'}
 - {role: 'radicale', tags: 'radicale'}
 - {role: 'mastodon', tags: 'mastodon'}
 - {role: 'seafile', tags: 'seafile'}
diff --git a/roles/cyberchef/files/docker-compose.yml b/roles/cyberchef/files/docker-compose.yml
new file mode 100644
index 0000000..8fc3dca
--- /dev/null
+++ b/roles/cyberchef/files/docker-compose.yml
@@ -0,0 +1,22 @@
+version: "3.7"
+
+services:
+ cyberchef-server:
+ image: mpepping/cyberchef
+ container_name: cyberchef
+ restart: always
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.cyberchef.entrypoints=websecure
+ - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`)
+ - traefik.http.routers.cyberchef.tls=true
+ - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
+ - traefik.http.services.cyberchef.loadbalancer.server.port=8000
+ - traefik.http.routers.cyberchef.service=cyberchef
+ - traefik.docker.network=traefik
+ networks:
+ - traefik
+
+networks:
+ traefik:
+ external: true
diff --git a/roles/cyberchef/meta/main.yml b/roles/cyberchef/meta/main.yml
new file mode 100644
index 0000000..7f5b1d3
--- /dev/null
+++ b/roles/cyberchef/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: common
+ - role: docker
+
\ No newline at end of file
diff --git a/roles/cyberchef/tasks/main.yml b/roles/cyberchef/tasks/main.yml
new file mode 100644
index 0000000..2518ba7
--- /dev/null
+++ b/roles/cyberchef/tasks/main.yml
@@ -0,0 +1,14 @@
+- name: Create app directory
+ file:
+ path: "{{ service_dir }}"
+ state: directory
+- name: Copy Docker Compose script
+ copy:
+ src: "{{ role_path }}/files/docker-compose.yml"
+ dest: "{{ service_dir }}/docker-compose.yml"
+- name: Start the Docker Compose
+ docker_compose:
+ project_src: "{{ service_dir }}"
+ pull: true
+ remove_orphans: true
+
diff --git a/roles/cyberchef/vars/main.yml b/roles/cyberchef/vars/main.yml
new file mode 100644
index 0000000..471684a
--- /dev/null
+++ b/roles/cyberchef/vars/main.yml
@@ -0,0 +1,2 @@
+service_name: cyberchef
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
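Review bot: `image: mpepping/cyberchef` in roles/cyberchef/files/docker-compose.yml carries no tag or digest, so it resolves to `latest`, and the role's compose task runs with `pull: true`; each playbook run can therefore deploy whatever was last pushed to that third-party repository onto a service published through Traefik. Pin the image to a reviewed version or digest, for example `image: mpepping/cyberchef@sha256:<digest-of-reviewed-image>`, and bump it deliberately. The service also sets no container hardening; because it only serves a web app on port 8000, `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]` are probably safe to add, but that should be confirmed against the image before merging.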
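Review bot: Neither the `file` task nor the `copy` task in roles/cyberchef/tasks/main.yml sets `mode`, `owner` or `group`, so the service directory and the compose file end up with whatever the remote umask and the connecting user produce. The compose file decides which image and Traefik labels the host runs, so it should be writable only by the deploying account: add `mode: "0755"` to the directory task and `mode: "0644"` to the copy task (quoted, so YAML does not read them as numbers), plus an explicit `owner`/`group` if the play is not always run as the same user. A short comment above the last task, such as `# pull: true re-fetches the image on every run`, would also make the update behaviour visible to the next maintainer.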