diff --git a/roles/rsync/client/files/rsync-ssl b/roles/rsync/client/files/rsync-ssl
new file mode 100755
index 0000000..8b50e7b
--- /dev/null
+++ b/roles/rsync/client/files/rsync-ssl
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/bin/rsync --rsh /usr/local/libexec/rsync-ssl-tunnel "$@"
diff --git a/roles/rsync/client/files/rsync-ssl-tunnel b/roles/rsync/client/files/rsync-ssl-tunnel
new file mode 100755
index 0000000..ae2d509
--- /dev/null
+++ b/roles/rsync/client/files/rsync-ssl-tunnel
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+echo "$@" > /tmp/foo.out
+
+key="/etc/pki/tls/private/$(hostname -f).key"
+cert="/etc/pki/tls/certs/$(hostname -f).crt"
+cafile="/etc/pki/tls/certs/ca.crt"
+port=${RSYNC_SSL_PORT:-873}
+
+# If the user specified USER@HOSTNAME::module, then rsync passes us
+# the -l USER option too, so we must be prepared to ignore it.
+if [ x"$1" = x"-l" ]; then
+    shift 2
+fi
+
+hostname=$1
+shift
+
+if [ x"$hostname" = x -o x"$1" != x"rsync" -o x"$2" != x"--server" -o x"$3" != x"--daemon" ]; then
+    echo "Usage: stunnel-rsync HOSTNAME rsync --server --daemon ." 1>&2
+    exit 1
+fi
+
+# devzero@web.de came up with this no-tmpfile calling syntax:
+stunnel -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = 2
+cert = $cert
+key = $key
+CAfile = $cafile
+EOF
diff --git a/roles/rsync/client/tasks/main.yml b/roles/rsync/client/tasks/main.yml
new file mode 100644
index 0000000..0ddf79b
--- /dev/null
+++ b/roles/rsync/client/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+- name: install rsync packages
+  package:
+    name: "{{ item }}"
+    state: installed
+  with_items:
+    - rsync
+    - stunnel
+
+- name: install rsync stunnel wrapper
+  copy:
+    dest: /usr/local/libexec/rsync-ssl-tunnel
+    src: rsync-ssl-tunnel
+    mode: 0755
+    owner: root
+    group: root
+
+- name: install rsync-ssl
+  copy:
+    dest: /usr/local/bin/rsync-ssl
+    src: rsync-ssl
+    mode: 0755
+    owner: root
+    group: root
diff --git a/roles/rsync/server/files/systemd-stunnel.conf b/roles/rsync/server/files/systemd-stunnel.conf
new file mode 100644
index 0000000..42b0229
--- /dev/null
+++ b/roles/rsync/server/files/systemd-stunnel.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/stunnel /etc/stunnel/rsyncd.conf
diff --git a/roles/rsync/server/meta/main.yml b/roles/rsync/server/meta/main.yml
new file mode 100644
index 0000000..24883db
--- /dev/null
+++ b/roles/rsync/server/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - {role: rsync/client}
diff --git a/roles/rsync/server/tasks/main.yml b/roles/rsync/server/tasks/main.yml
new file mode 100644
index 0000000..00f6523
--- /dev/null
+++ b/roles/rsync/server/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: create rsyncd config
+  template:
+    dest: /etc/rsyncd.conf
+    src: rsyncd.conf.j2
+    mode: 0644
+    owner: root
+    group: root
+
+- name: create rsyncd config for stunnel
+  template:
+    dest: /etc/stunnel/rsyncd.conf
+    src: rsyncd-stunnel.conf.j2
+    mode: 0644
+    owner: root
+    group: root
+
+- name: create override directory for rsyncd socket
+  file:
+    dest: /etc/systemd/system/rsyncd@.service.d
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: create override config for rsyncd socket
+  copy:
+    dest: /etc/systemd/system/rsyncd@.service.d/stunnel.conf
+    src: systemd-stunnel.conf
+    mode: 0644
+    owner: root
+    group: root
+
+- name: enable rsyncd socket
+  systemd:
+    name: rsyncd.socket
+    enabled: true
+    state: started
diff --git a/roles/rsync/server/templates/rsyncd-stunnel.conf.j2 b/roles/rsync/server/templates/rsyncd-stunnel.conf.j2
new file mode 100644
index 0000000..7eb9813
--- /dev/null
+++ b/roles/rsync/server/templates/rsyncd-stunnel.conf.j2
@@ -0,0 +1,10 @@
+
+key = /etc/pki/tls/private/{{ inventory_hostname }}.key
+cert = /etc/pki/tls/certs/{{ inventory_hostname }}.crt
+client = no
+
+verify = 2
+CAfile = /etc/pki/tls/certs/ca.crt
+
+exec = /usr/bin/rsync
+execargs = rsync --daemon --config=/etc/rsyncd.conf
diff --git a/roles/rsync/server/templates/rsyncd.conf.j2 b/roles/rsync/server/templates/rsyncd.conf.j2
new file mode 100644
index 0000000..5f1ec4e
--- /dev/null
+++ b/roles/rsync/server/templates/rsyncd.conf.j2
@@ -0,0 +1,11 @@
+[global]
+user = rsyncd
+group = rsyncd
+use chroot = yes
+read only = yes
+hosts allow = *
+
+[test]
+comment = test module
+path = /srv/mirrors/openbsd/
+read only = yes