diff --git a/README.adoc b/README.adoc index 0047405..bb18c9f 100644 --- a/README.adoc +++ b/README.adoc @@ -176,6 +176,7 @@ You can restrict playbook scope to specific areas using `--tags`. `cert-manager`:: Apply changes to the cert-manager including support for `Let's Encrypt` `gitea`:: Apply changes to gitea `concourse`:: Apply changes to concourse +`snappass`:: Apply changes to snappass == Scaling the Cluster diff --git a/config.yml b/config.yml index 2a462ba..97381dc 100644 --- a/config.yml +++ b/config.yml @@ -30,6 +30,10 @@ all: concourse_local_users: "{{ vault_concourse_local_users }}" concourse_worker_replicas: 2 + snappass_state: present + snappass_host: snappass.nehrke.info + snappass_certificate_issuer: letsencrypt-prod + k3s_cluster: vars: ansible_user: root diff --git a/roles/k8s-setup/defaults/main.yml b/roles/k8s-setup/defaults/main.yml index db3f33a..98be8bb 100644 --- a/roles/k8s-setup/defaults/main.yml +++ b/roles/k8s-setup/defaults/main.yml @@ -16,3 +16,8 @@ concourse_state: present concourse_namespace: concourse concourse_local_users: {} concourse_worker_replicas: 2 + +snappass_chart_version: 0.1.13 +snappass_state: present +snappass_namespace: snappass +snappass_tls_secret: snappass-tls diff --git a/roles/k8s-setup/tasks/_snappass.yml b/roles/k8s-setup/tasks/_snappass.yml new file mode 100644 index 0000000..510b08e --- /dev/null +++ b/roles/k8s-setup/tasks/_snappass.yml 
@@ -0,0 +1,37 @@
+- name: Ensure snappass namespace
+ kubernetes.core.k8s:
+ state: "{{ snappass_state }}"
+ definition:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: "{{ snappass_namespace }}"
+ labels:
+ name: "{{ snappass_namespace }}"
+
+- name: Deploy snappass
+ kubernetes.core.helm:
+ name: snappass
+ chart_ref: snappass
+ chart_version: "{{ snappass_chart_version }}"
+ chart_repo_url: https://lmacka.github.io/helm-snappass/
+ release_namespace: "{{ snappass_namespace }}"
+ release_state: "{{ snappass_state }}"
+ values:
+ image:
+ repository: nemoinho/snappass
+ ingress:
+ enabled: True
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: "{{ snappass_certificate_issuer }}"
+ traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ hosts:
+ - host: "{{ snappass_host }}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - "{{ snappass_host }}"
+ secretName: "{{ snappass_tls_secret }}"
diff --git a/roles/k8s-setup/tasks/main.yml b/roles/k8s-setup/tasks/main.yml
index b3d3cba..5aff577 100644
--- a/roles/k8s-setup/tasks/main.yml
+++ b/roles/k8s-setup/tasks/main.yml
@@ -18,3 +18,10 @@
 - k8s
 - concourse
 import_tasks: _concourse.yml
+
+- name: Ensure snappass
+ tags:
+ - init
+ - k8s
+ - snappass
+ import_tasks: _snappass.yml
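Review bot: In `roles/k8s-setup/tasks/_snappass.yml`, the `Deploy snappass` task overrides `image.repository` to `nemoinho/snappass` but sets no tag or digest in `values`, so what gets pulled is presumably decided by the chart's default tag, which was chosen for the chart's own image rather than this one. For a service that exists to hold secrets until they are read, I would pin the image explicitly next to the chart version, e.g. a `snappass_image_tag` default passed as `tag: "{{ snappass_image_tag }}"` under `image:` (assuming the chart exposes `image.tag`, as its `image.repository` key suggests), or a digest if the chart supports one. Two smaller points in the same task: `enabled: True` should be written `enabled: true`, and the `default-redirect-https@kubernetescrd` middleware is referenced but not created anywhere in this diff, so it is worth confirming that Middleware exists in the `default` namespace before relying on it for the HTTP-to-HTTPS redirect.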