diff --git a/roles/tlshd/handlers/main.yml b/roles/tlshd/handlers/main.yml
new file mode 100644
index 0000000..ed0f6fd
--- /dev/null
+++ b/roles/tlshd/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart tlshd
+ ansible.builtin.service:
+ name: tlshd
+ state: restarted
diff --git a/roles/tlshd/tasks/main.yml b/roles/tlshd/tasks/main.yml
new file mode 100644
index 0000000..7105884
--- /dev/null
+++ b/roles/tlshd/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Install packages
+ ansible.builtin.package:
+ name: ktls-utils
+
+- name: Configure tlshd
+ ansible.builtin.template:
+ dest: /etc/tlshd.conf
+ src: tlshd.conf.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart tlshd
+
+- name: Configure tlshd private key
+ ansible.builtin.copy:
+ dest: "{{ tls_private }}/tlshd.key"
+ src: "{{ tls_private }}/{{ inventory_hostname }}.key"
+ mode: "0600"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ remote_src: true
+ tags: certificates
+ notify: Restart tlshd
+
+- name: Enable tlshd services
+ ansible.builtin.service:
+ name: tlshd
+ state: started
+ enabled: true
diff --git a/roles/tlshd/templates/tlshd.conf.j2 b/roles/tlshd/templates/tlshd.conf.j2
new file mode 100644
index 0000000..5063216
--- /dev/null
+++ b/roles/tlshd/templates/tlshd.conf.j2
@@ -0,0 +1,16 @@
+[debug]
+loglevel=0
+tls=0
+nl=0
+
+[authenticate]
+
+[authenticate.client]
+x509.truststore = {{ tls_certs }}/ca.crt
+x509.certificate = {{ tls_certs }}/{{ inventory_hostname }}.crt
+x509.private_key = {{ tls_private }}/tlshd.key
+
+[authenticate.server]
+x509.truststore = {{ tls_certs }}/ca.crt
+x509.certificate = {{ tls_certs }}/{{ inventory_hostname }}.crt
+x509.private_key = {{ tls_private }}/tlshd.key
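Review bot: The `Configure tlshd private key` task in roles/tlshd/tasks/main.yml makes a second copy of the host key at `{{ tls_private }}/tlshd.key`, so once `{{ inventory_hostname }}.key` is renewed by whatever manages the host certificate, tlshd keeps using the stale copy until this role (or its `certificates` tag) is run again, and the `Restart tlshd` handler only fires when this task itself changes the file. If tlshd can follow a link, `ansible.builtin.file` with `state: link` pointing at `{{ tls_private }}/{{ inventory_hostname }}.key` would keep a single key on disk, though a restart on renewal would still need to be triggered from the renewal play. Either way the coupling should be written down on the task, e.g. `# tlshd.key is a copy of the host key; run with --tags certificates (and restart tlshd) after renewal`.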
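Review bot: Both `[authenticate.client]` and `[authenticate.server]` in tlshd.conf.j2 point at the same `{{ inventory_hostname }}.crt`, so one host certificate is presented on both sides of the handshake and has to be issued for both purposes (serverAuth and clientAuth extended key usage); nothing in the role states that requirement for whoever issues the certificates. A header comment such as `# the host certificate serves both client and server handshakes; it must carry serverAuth and clientAuth EKU` would record it, assuming the config parser accepts `#` comments. Both sections also trust all of `ca.crt`, so any certificate that CA issues is accepted as a peer unless tlshd constrains peer identity further; if the CA is shared with unrelated services, a dedicated issuer or a narrower truststore is worth considering.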