diff --git a/roles/unbound_exporter/files/unbound_exporter_stunnel.sh b/roles/unbound_exporter/files/unbound_exporter_stunnel.sh
new file mode 100755
index 0000000..8328224
--- /dev/null
+++ b/roles/unbound_exporter/files/unbound_exporter_stunnel.sh
@@ -0,0 +1,10 @@
+#!/bin/ksh
+
+daemon="/usr/local/sbin/stunnel"
+daemon_flags="/etc/unbound_exporter/stunnel.conf"
+
+. /etc/rc.d/rc.subr
+
+rc_reload=NO
+
+rc_cmd $1
diff --git a/roles/unbound_exporter/templates/stunnel.conf.j2 b/roles/unbound_exporter/templates/stunnel.conf.j2
new file mode 100644
index 0000000..8f4aab4
--- /dev/null
+++ b/roles/unbound_exporter/templates/stunnel.conf.j2
@@ -0,0 +1,23 @@
+setuid = _unboundexporter
+setgid = _unboundexporter
+
+sslVersionMin = TLSv1.3
+ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+curves = X25519:prime256v1:secp384r1
+
+key = {{ tls_private }}/{{ inventory_hostname }}.key
+cert = {{ tls_certs }}/{{ inventory_hostname }}.crt
+
+verify = 2
+CAfile = {{ tls_certs }}/ca.crt
+
+syslog = yes
+
+[unbound_exporter]
+{% for ip in ansible_all_ipv4_addresses %}
+accept = {{ ip }}:9167
+{% endfor %}
+connect = 127.0.0.1:9167
+{% for host in groups['prometheus'] %}
+checkHost = {{ host }}
+{% endfor %}
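Review bot: The privilege model is split across two files with no comment tying them together: this script sets no `daemon_user`, so rc.subr starts stunnel as root, and the drop to `_unboundexporter` happens only through the `setuid`/`setgid` lines in `/etc/unbound_exporter/stunnel.conf`. A one-line comment above `daemon=` would make that coupling visible, e.g. `# started as root; setuid/setgid in stunnel.conf drop privileges to _unboundexporter once the config and key are loaded`. `rc_reload=NO` also deserves a stated reason — presumably a SIGHUP reload would re-read the key as the dropped user and fail, but that is inferred, so confirm it before writing it down.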
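Review bot: Client authorization silently widens when `groups['prometheus']` is empty: the `{% for host in groups['prometheus'] %}` loop then emits no `checkHost` line, and with `verify = 2` stunnel accepts any certificate issued by `ca.crt` rather than only the scrapers. Fail the render instead of degrading quietly — assert the group is non-empty in the task that templates this file — and add a comment above the loop such as `# each prometheus host needs a cert whose CN/SAN equals its inventory hostname, or checkHost rejects it`. Note also that `{% for ip in ansible_all_ipv4_addresses %}` binds 9167 on every non-loopback IPv4 address, including any VPN or carp addresses the host carries, while no IPv6 listener is declared; consider restricting `accept` to the interface Prometheus actually reaches. `verify = 2` is the legacy spelling; current stunnel 5.x documents `verifyChain = yes` for the same check, so the chosen form should be consistent with the stunnel version the role installs.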