diff --git a/ansible/README.md b/ansible/README.md
new file mode 100644
index 0000000..9e0c061
--- /dev/null
+++ b/ansible/README.md
@@ -0,0 +1,4 @@
+# shoarma ansible
+
+This requires a rootless docker daemon on the Ansible host.
+See: https://docs.docker.com/engine/security/rootless/
diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml
index c77bcad..88949f3 100644
--- a/ansible/playbooks/stacks.yml
+++ b/ansible/playbooks/stacks.yml
@@ -17,3 +17,4 @@
 - {role: shephard, tags: shephard}
 - {role: jitsi, tags: jitsi}
 - {role: pihole, tags: pihole}
+ - {role: static, tags: static}
diff --git a/ansible/roles/static/docker-stack.yml.j2 b/ansible/roles/static/docker-stack.yml.j2
new file mode 100644
index 0000000..6214abc
--- /dev/null
+++ b/ansible/roles/static/docker-stack.yml.j2
@@ -0,0 +1,23 @@
+# vi: ft=yaml
+version: '3'
+
+networks:
+ traefik:
+ external: true
+
+services:
+ static:
+ image: git.pim.kunis.nl/pim/concourse-test:latest
+ networks:
+ - traefik
+ deploy:
+ placement:
+ constraints:
+ - "node.labels.public == true"
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.static.entrypoints=websecure
+ - traefik.http.services.static.loadbalancer.server.port=80
+ - traefik.http.routers.static.rule=Host(`pim.kunis.nl`)
+ - traefik.http.routers.static.tls=true
+ - traefik.http.routers.static.tls.certresolver=letsencrypt
diff --git a/ansible/roles/static/tasks/main.yml b/ansible/roles/static/tasks/main.yml
new file mode 100644
index 0000000..4e82a2e
--- /dev/null
+++ b/ansible/roles/static/tasks/main.yml
@@ -0,0 +1,8 @@
+- name: Deploy Docker stack
+ docker_stack:
+ name: static
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
+ environment:
+ DOCKER_HOST: ssh://root@maestro.dmz
+ delegate_to: localhost
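Review bot: The `image:` line in docker-stack.yml.j2 deploys `git.pim.kunis.nl/pim/concourse-test:latest`, a mutable tag, behind the public router for pim.kunis.nl. Whatever was last pushed to that tag is what the next stack update serves, and this repository keeps no record of which build is live. Pinning to an immutable reference makes each rollout a reviewable change here, for example `image: git.pim.kunis.nl/pim/concourse-test@sha256:<digest-of-reviewed-build>` (placeholder digest). The service also declares no `resources` limits anywhere in the new file, which is worth adding for a container scheduled on a public-labelled node.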
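Review bot: `DOCKER_HOST: ssh://root@maestro.dmz` in tasks/main.yml runs every deploy through a root SSH login from the Ansible host to the swarm manager and hard-codes that target in the role. This presumably requires root login over SSH to stay enabled on maestro.dmz. A dedicated deploy account taken from variables would let root SSH be disabled and give the deploy key its own revocation path, e.g. `DOCKER_HOST: "ssh://{{ static_deploy_user }}@{{ static_deploy_host }}"` (placeholder variable names); access to the Docker API remains root-equivalent on that host either way. Separately, the `compose` entry nests `'{{ role_path }}/...'` inside an expression that is already templated, which relies on Ansible re-templating the lookup argument. Plain concatenation avoids that: `lookup('template', role_path ~ '/docker-stack.yml.j2') | from_yaml`.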