diff --git a/README.md b/README.md
index 3716a42..850770a 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,7 @@ Available services
 - cadvisor
 - Redisinsight
 - Gitlab
+ - [Wireguard](https://github.com/wg-easy/wg-easy)
 
 Role variables
 ---------------
@@ -57,6 +58,7 @@ Example variables
 - cadvisor
 - redisinsight
 - gitlab
+ - wireguard
 
 traefik_domain: 'example.com'
 traefik_letsencrypt_email: 'cert@example.com'
@@ -66,14 +68,19 @@ Example variables
 
 redisinsight_domain: 'redisinsight.example.com'
 redisinsight_whitelist:
- - 192.168.1.0/24
- - 31.15.24.XX
- - 37.58.179.XX
+ - 192.168.1.0/24
+ - 31.15.24.XX
+ - 37.58.179.XX
 
 gitlab_version: 'latest'
 gitlab_root_password: 'vault-this-thingy'
 gitlab_domain: gitlab.example.com
 gitlab_registry_domain: registry.example.com
+
+ wireguard_version: 'latest'
+ # wg-easy webui access:
+ wireguard_domain: 'wg.example.com'
+ wireguard_password: 'please-vault-this-too'
 ```
 
 TODO
@@ -94,8 +101,6 @@ TODO
 - needs to be implemented
 - Promtail
 - needs to be implemented
-- Gitlab
- - needs to be implemented
 
 License
 -------
diff --git a/handlers/main.yml b/handlers/main.yml
index 37e2fba..867a26f 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -48,9 +48,16 @@
 ignore_errors: '{{ ansible_check_mode }}'
 tags: ['docker_gitlab']
 
-- name: 'gitlab-runner-restart'
+- name: gitlab-runner-restart
 systemd:
 name: docker-compose@gitlab-runner
 state: restarted
 ignore_errors: '{{ ansible_check_mode }}'
 tags: ['docker_gitlab-runner']
+
+ - name: wireguard-restart
+ systemd:
+ name: docker-compose@wireguard
+ state: restarted
+ ignore_errors: '{{ ansible_check_mode }}'
+ tags: ['docker_wireguard']
diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml
new file mode 100644
index 0000000..a665025
--- /dev/null
+++ b/tasks/wireguard.yml
@@ -0,0 +1,16 @@
+---
+- name: wireguard | check vars are defined
+ assert:
+ that:
+ - wireguard_domain is defined
+ tags: ['docker_wireguard']
+
+- include_tasks: base.yml
+ tags: ['docker_wireguard']
+
+- name: 'wireguard | create docker volumes'
+ docker_volume:
+ name: '{{ item }}'
+ with_items:
+ - 'wireguard__etc_wireguard'
+ tags: ['docker_wireguard']
diff --git a/templates/compose/wireguard.yml.j2 b/templates/compose/wireguard.yml.j2
new file mode 100644
index 0000000..86237d3
--- /dev/null
+++ b/templates/compose/wireguard.yml.j2
@@ -0,0 +1,41 @@
+version: '3.7'
+
+networks:
+ traefik:
+ external: true
+
+volumes:
+ wireguard__etc_wireguard:
+ external: true
+
+services:
+ wireguard:
+ container_name: wireguard
+ image: weejewel/wg-easy:{{ wireguard_version | default("latest") }}
+ restart: unless-stopped
+ ports:
+ - "51820:51820/udp"
+ volumes:
+ - 'wireguard__etc_wireguard:/etc/wireguard'
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
+ - net.ipv4.ip_forward=1
+ environment:
+ - WG_HOST={{ wireguard_domain }}
+ - PASSWORD={{ wireguard_password }}
+ labels:
+ traefik.enable: true
+ traefik.docker.network: traefik
+ traefik.http.routers.wireguard.rule: Host(`{{ wireguard_domain }}`)
+ traefik.http.routers.wireguard.tls: true
+ traefik.http.routers.wireguard.tls.certresolver: letsencrypt
+ traefik.http.routers.wireguard.entrypoints: websecure
+{% if traefik_ipwhitelist is defined %}
+ traefik.http.routers.wireguard.middlewares: "clientips@docker"
+{% endif %}
+ traefik.http.services.wireguard.loadbalancer.server.port: 51821
+ networks:
+ - traefik
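Review bot: The `assert` at the top of tasks/wireguard.yml guards only `wireguard_domain`, while the compose template added in the same commit reads `wireguard_password` unconditionally, so a missing password is reported as a templating failure (or rendered as an empty `PASSWORD=`, depending on the play's undefined-variable setting) instead of by this explicit check. Add `- wireguard_password is defined` to the `that:` list so both required inputs fail early with the same message. The task that renders the compose file and notifies the new `wireguard-restart` handler is not in this file — presumably it lives in the included base.yml — so I cannot confirm from the hunk that the handler is wired up.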
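Review bot: The two templated entries under `environment:` are plain scalars, so a `wireguard_password` (or domain) containing ` #` or `: ` is silently truncated or breaks the rendered compose file; quote them in the file's existing single-quote style, `- 'WG_HOST={{ wireguard_domain }}'` and `- 'PASSWORD={{ wireguard_password }}'`. The rendered compose file then holds the admin password in clear text on the host and it is visible through `docker inspect`, so the template task (outside this hunk) should write the file with owner-only permissions. The wg-easy web UI is reachable through Traefik protected by that single password, and the `clientips@docker` middleware is applied only when `traefik_ipwhitelist` happens to be defined; a comment such as `# set traefik_ipwhitelist to restrict access to the wg-easy admin UI` above the `{% if %}` would make that dependency explicit. The `default("latest")` filter also makes `wireguard_version` optional here even though the README example sets it — harmless, but worth stating in the README's variable list.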