diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml
index f0a266f..fcdc022 100644
--- a/ansible/playbooks/stacks.yml
+++ b/ansible/playbooks/stacks.yml
@@ -11,3 +11,4 @@
     - {role: freshrss, tags: freshrss}
     - {role: hedgedoc, tags: hedgedoc}
     - {role: overleaf, tags: overleaf}
+    - {role: cyberchef, tags: cyberchef}
diff --git a/ansible/roles/cyberchef/docker-stack.yml.j2 b/ansible/roles/cyberchef/docker-stack.yml.j2
new file mode 100644
index 0000000..209b2b3
--- /dev/null
+++ b/ansible/roles/cyberchef/docker-stack.yml.j2
@@ -0,0 +1,20 @@
+# vi: ft=yaml
+version: "3.7"
+
+networks:
+  traefik:
+    external: true
+
+services:
+  cyberchef:
+    image: mpepping/cyberchef
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.cyberchef.entrypoints=websecure
+        - traefik.http.services.cyberchef.loadbalancer.server.port=8000
+        - traefik.http.routers.cyberchef.rule=Host(`cyberchef.geokunis2.nl`)
+        - traefik.http.routers.cyberchef.tls=true
+        - traefik.http.routers.cyberchef.tls.certresolver=letsencrypt
diff --git a/ansible/roles/cyberchef/tasks/main.yml b/ansible/roles/cyberchef/tasks/main.yml
new file mode 100644
index 0000000..386a96f
--- /dev/null
+++ b/ansible/roles/cyberchef/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: Create working directory
+  file:
+    path: /srv/cyberchef
+    state: directory
+
+- name: Copy Docker stack file
+  template:
+    src: "{{ role_path }}/docker-stack.yml.j2"
+    dest: /srv/cyberchef/docker-stack.yml
+
+- name: Deploy Docker stack
+  docker_stack:
+    name: cyberchef
+    compose:
+      - /srv/cyberchef/docker-stack.yml