diff --git a/README.md b/README.md index 4f9ba53..6cc790a 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,9 @@ This ansible collection provides various roles for installing and configuring basic system utilities like gnupg, ssh etc +- [`nginx`](roles/nginx/README.md): [nginx](https://www.nginx.com/), + an advanced load balancer, webserver and reverse proxy. + ## License [CNPLv7+](LICENSE.md): Cooperative Nonviolent Public License diff --git a/roles/nginx/README.md b/roles/nginx/README.md new file mode 100644 index 0000000..c64c185 --- /dev/null +++ b/roles/nginx/README.md @@ -0,0 +1,28 @@ +# `finallycoffee.services.nginx` ansible role + +## Description + +Runs `nginx`, a HTTP reverse proxy, in a docker container. + +## Usage + +For the role to do anything, `nginx_config` needs to be populated with the configuration for nginx. +An example would be: + +```yaml +nginx_config: |+ + server { + listen 80 default_server; + server_name my.server.fqdn; + location / { return 200; } + } +``` + +The container is named `nginx` by default, this can be overridden in `nginx_container_name`. +When running this role multiple times, `nginx_base_path` should also be changed for each run, +otherwise the configuration files collide in the filesystem. + +For exposing this server to the host and/or internet, the `nginx_container_ports` (port forwarding host +from host to container), `nginx_container_networks` (docker networking) or `nginx_container_labels` +(for label-based routing discovery like traefik) can be used. The options correspond to the arguments +of the `community.docker.docker_container` module. diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml new file mode 100644 index 0000000..1c7ef7e --- /dev/null +++ b/roles/nginx/defaults/main.yml 
@@ -0,0 +1,33 @@ +--- + +nginx_version: "1.25.1" +nginx_flavour: alpine +nginx_base_path: /opt/nginx +nginx_config_file: "{{ nginx_base_path }}/nginx.conf" + +nginx_container_name: nginx +nginx_container_image_reference: >- + {{ + nginx_container_image_repository + + ':' + (nginx_container_image_tag + | default(nginx_version + + (('-' + nginx_flavour) if nginx_flavour is defined else ''), true)) + }} +nginx_container_image_repository: >- + {{ + ( + container_registries[nginx_container_image_registry] + | default(nginx_container_image_registry) + ) + + '/' + + nginx_container_image_namespace | default('') + + nginx_container_image_name + }} +nginx_container_image_registry: "docker.io" +nginx_container_image_name: "nginx" +nginx_container_image_tag: ~ + +nginx_container_restart_policy: "unless-stopped" +nginx_container_volumes: + - "{{ nginx_config_file }}:/etc/nginx/conf.d/nginx.conf:ro" + diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml new file mode 100644 index 0000000..1ad5e3c --- /dev/null +++ b/roles/nginx/handlers/main.yml @@ -0,0 +1,8 @@ +--- + +- name: Ensure nginx container '{{ nginx_container_name }}' is restarted + community.docker.docker_container: + name: "{{ nginx_container_name }}" + state: started + restart: true + listen: restart-nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..6a5b98d --- /dev/null +++ b/roles/nginx/tasks/main.yml 
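Review bot: In `nginx_container_image_reference`, the `if nginx_flavour is defined` test can never reach its `else ''` branch, because this same defaults file always defines `nginx_flavour: alpine` and a caller cannot undefine a role default. Setting the variable to an empty string would build a tag ending in a bare `-`, and setting it to null would most likely fail on the string concatenation, so the non-flavoured image is only reachable by overriding `nginx_container_image_tag`. Testing the value rather than its definedness keeps the intent: `+ (('-' + nginx_flavour) if nginx_flavour | default('', true) else ''), true))`.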
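Review bot: The `restart-nginx` handler restarts the container without anything having checked the new configuration, so a syntax error in `nginx_config` takes a working server down. With the `unless-stopped` restart policy from the defaults, the container would then probably keep restarting while the play still reports success. At minimum I would document this on the handler, e.g. `# NOTE: nginx_config is not validated before this restart; an invalid config stops the server`. A config test against the new file before the restart (for instance `nginx -t` in a throwaway container of the same image) would be the stronger fix.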
@@ -0,0 +1,37 @@
+---
+
+- name: Ensure base path '{{ nginx_base_path }}' exists
+ ansible.builtin.file:
+ path: "{{ nginx_base_path }}"
+ state: directory
+ mode: 0755
+
+- name: Ensure nginx config file is templated
+ ansible.builtin.copy:
+ dest: "{{ nginx_config_file }}"
+ content: "{{ nginx_config }}"
+ mode: 0640
+ notify:
+ - restart-nginx
+
+- name: Ensure docker container image is present
+ community.docker.docker_image:
+ name: "{{ nginx_container_image_reference }}"
+ state: present
+ source: pull
+ force_source: "{{ nginx_container_image_tag is defined and nginx_container_image_tag | string != '' }}"
+
+- name: Ensure docker container '{{ nginx_container_name }}' is running
+ community.docker.docker_container:
+ name: "{{ nginx_container_name }}"
+ image: "{{ nginx_container_image_reference }}"
+ env: "{{ nginx_container_env | default(omit, true) }}"
+ user: "{{ nginx_container_user | default(omit, true) }}"
+ ports: "{{ nginx_container_ports | default(omit, true) }}"
+ labels: "{{ nginx_container_labels | default(omit, true) }}"
+ volumes: "{{ nginx_container_volumes | default(omit, true) }}"
+ etc_hosts: "{{ nginx_container_etc_hosts | default(omit, true) }}"
+ networks: "{{ nginx_container_networks | default(omit, true) }}"
+ purge_networks: "{{ nginx_container_purge_networks | default(omit, true) }}"
+ restart_policy: "{{ nginx_container_restart_policy }}"
+ state: started
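Review bot: The `force_source` expression in the image task appears to be true on every run with the shipped defaults: `nginx_container_image_tag` is set to `~` in defaults/main.yml, so it `is defined`, and null passed through `| string` renders as the text `None`, which is not `''`. Every play therefore re-pulls whatever the registry currently serves under the tag, so a changed image behind `1.25.1-alpine` would be picked up silently by the container task that follows. If the intent is to force a pull only when a custom tag is given, test for a non-empty value instead: `force_source: "{{ nginx_container_image_tag | default('', true) | string | length > 0 }}"`. Pinning the image reference by digest would remove the dependence on a mutable tag altogether.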