diff --git a/roles/spiped/defaults/main.yaml b/roles/spiped/defaults/main.yaml
new file mode 100644
index 0000000..e6f9a54
--- /dev/null
+++ b/roles/spiped/defaults/main.yaml
@@ -0,0 +1,14 @@
+---
+spiped_package_name: spiped
+spiped_package_state: present
+
+spiped_etc_path: /etc/spiped
+spiped_run_path: /run/spiped
+
+spiped_user: spiped
+spiped_group: spiped
+spiped_user_state: present
+spiped_user_comment: spiped
+spiped_user_home: "{{ spiped_run_path }}"
+spiped_user_password: "!"
+spiped_user_shell: /usr/sbin/nologin
diff --git a/roles/spiped/handlers/main.yaml b/roles/spiped/handlers/main.yaml
new file mode 100644
index 0000000..e7d49b8
--- /dev/null
+++ b/roles/spiped/handlers/main.yaml
@@ -0,0 +1,10 @@
+---
+- name: spiped daemon-reload
+ systemd:
+ daemon_reload: yes
+
+- name: restart spiped tunnels
+ service:
+ name: "spiped-{{ item.name }}"
+ state: restarted
+ loop: "{{ spiped_tunnels | default([]) }}"
diff --git a/roles/spiped/tasks/main.yaml b/roles/spiped/tasks/main.yaml
new file mode 100644
index 0000000..e0b5fd3
--- /dev/null
+++ b/roles/spiped/tasks/main.yaml
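Review bot: In `roles/spiped/handlers/main.yaml` the `restart spiped tunnels` handler loops over `spiped_tunnels` without `no_log: true`, so each loop item, including the base64 `key` field that the role decodes into the key file, is printed in the play output and passed to any logging callback. The tasks that iterate the same list all set `no_log: true`; the handler should carry `no_log: true` as well. The handler also restarts every tunnel whatever its `item.state`, so a tunnel declared with `state: stopped` would be started again when handlers run; `when: item.state | default('started') == 'started'` on the handler avoids that.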
@@ -0,0 +1,60 @@
+---
+- name: install package
+ package:
+ name: "{{ spiped_package_name }}"
+ state: "{{ spiped_package_state }}"
+
+- name: "create {{ spiped_user }} user"
+ user:
+ name: "{{ spiped_user }}"
+ comment: "{{ spiped_user_comment }}"
+ password: "{{ spiped_user_password }}"
+ home: "{{ spiped_user_home }}"
+ shell: "{{ spiped_user_shell }}"
+ state: "{{ spiped_user_state }}"
+ system: yes
+ create_home: no
+
+- name: create paths
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ loop:
+ - "{{ spiped_etc_path }}"
+
+- name: configure systemd unit
+ template:
+ src: spiped.service.j2
+ dest: "/etc/systemd/system/spiped-{{ item.name }}.service"
+ owner: root
+ group: root
+ mode: 0644
+ loop: "{{ spiped_tunnels | default([]) }}"
+ notify:
+ - restart spiped tunnels
+ - spiped daemon-reload
+ when: ansible_service_mgr == 'systemd'
+ no_log: true
+
+- name: configure keys
+ copy:
+ dest: "{{ spiped_etc_path }}/{{ item.name }}.key"
+ content: "{{ item.key | b64decode }}"
+ owner: "{{ spiped_user }}"
+ group: "{{ spiped_group }}"
+ mode: 0400
+ loop: "{{ spiped_tunnels | default([]) }}"
+ notify:
+ - restart spiped tunnels
+ no_log: true
+
+- name: manage services
+ service:
+ name: "spiped-{{ item.name }}.service"
+ state: "{{ item.state | default('started') }}"
+ enabled: "{{ item.enabled | default(true) }}"
+ loop: "{{ spiped_tunnels | default([]) }}"
+ no_log: true
diff --git a/roles/spiped/templates/spiped.service.j2 b/roles/spiped/templates/spiped.service.j2
new file mode 100644
index 0000000..7df988c
--- /dev/null
+++ b/roles/spiped/templates/spiped.service.j2
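Review bot: The `configure keys` task in `roles/spiped/tasks/main.yaml` sets `group: "{{ spiped_group }}"`, but nothing in this file ensures that group exists: the `user` task passes no `group:` and there is no `group` task, so the copy relies on the platform creating a same-named group for the account and breaks once `spiped_group` is overridden to a different name. Creating the group explicitly and making it the account's primary group, as sketched below, removes that dependency. Separately, spiped key files are often raw random bytes, and both `b64decode` and `copy: content:` handle the value as text, so it is worth confirming on a target host (by checksum) that a binary key is written byte-for-byte.

```yaml
- name: "create {{ spiped_group }} group"
  group:
    name: "{{ spiped_group }}"
    system: yes

- name: "create {{ spiped_user }} user"
  user:
    name: "{{ spiped_user }}"
    group: "{{ spiped_group }}"
    # … unchanged: comment, password, home, shell, state, system, create_home …
```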
@@ -0,0 +1,22 @@
+{% set keyfile = "{0}/{1}.key".format(spiped_etc_path, item.name) %}
+# {{ ansible_managed }}
+
+[Unit]
+Description=spiped tunnel {{ item.name }}
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User={{ spiped_user }}
+{% if item.type == 'client' %}
+ExecStart=/usr/bin/spiped -F -g -k {{ keyfile }} -D -e -s '{{ item.source_socket }}' -t '{{ item.target_socket }}'
+{% else %}
+ExecStart=/usr/bin/spiped -F -g -k {{ keyfile }} -d -s '{{ item.source_socket }}' -t '{{ item.target_socket }}'
+{% endif %}
+Restart=always
+RestartSec=60
+RuntimeDirectory=spiped
+PIDFile={{ spiped_run_path }}/{{ item.name }}.pid
+
+[Install]
+WantedBy=multi-user.target
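Review bot: `RuntimeDirectory=spiped` is identical in every rendered `spiped-<name>` unit, and systemd removes a unit's runtime directory when that unit stops, so stopping or restarting one tunnel deletes `/run/spiped` along with anything the other tunnels keep there (for instance a unix `source_socket`). A per-tunnel value such as `RuntimeDirectory=spiped-{{ item.name }}` avoids the sharing. `PIDFile=` looks unused: no `Type=` is set, spiped is started with `-F` (foreground), and systemd only consults `PIDFile=` for forking services, so the line can probably be dropped. `{{ keyfile }}` is also the one `ExecStart` argument left unquoted, and any `item.type` other than `client` silently renders the `-d` branch; an `assert` task checking `item.type in ['client', 'server']` would surface a typo at deploy time.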