diff --git a/ansible/main.yml b/ansible/main.yml
index 88fa237..b6e9abd 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -18,4 +18,5 @@
 - nextcloud
 - tautulli
 - gitea
- - synapse
+ - unifi-controller
+
diff --git a/ansible/roles/unifi-controller/tasks/main.yml b/ansible/roles/unifi-controller/tasks/main.yml
new file mode 100644
index 0000000..5c0fdfc
--- /dev/null
+++ b/ansible/roles/unifi-controller/tasks/main.yml
@@ -0,0 +1,29 @@
+- name: Create service user
+ user:
+ name: "{{ role_name }}"
+ system: true
+ register: service_user
+ become: true
+
+- name: Create install directory
+ file:
+ path: "{{ install_directory }}/{{ role_name }}"
+ state: directory
+ owner: "{{ docker_user }}"
+ mode: "{{ docker_compose_directory_mask }}"
+ become: true
+
+- name: Copy docker-compose file to destination
+ template:
+ src: docker-compose.yml
+ dest: "{{ install_directory }}/{{ role_name }}/docker-compose.yml"
+ owner: "{{ docker_user }}"
+ mode: "{{ docker_compose_file_mask }}"
+ validate: docker-compose -f %s config
+ become: true
+
+- name: Start docker container
+ community.docker.docker_compose:
+ project_src: "{{ install_directory }}/{{ role_name }}"
+ pull: true
+ remove_orphans: yes
diff --git a/ansible/roles/unifi-controller/templates/docker-compose.yml b/ansible/roles/unifi-controller/templates/docker-compose.yml
new file mode 100644
index 0000000..a4e36bf
--- /dev/null
+++ b/ansible/roles/unifi-controller/templates/docker-compose.yml
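Review bot: In `ansible/main.yml` the `- synapse` entry is removed in the same hunk that adds `- unifi-controller`, so the play would stop applying the synapse role. Nothing else visible in this diff retires that role, so the removal may be accidental. If it is, keep both entries: `- synapse` followed by `- unifi-controller`.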
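Review bot: In `roles/unifi-controller/tasks/main.yml` the `Create service user` task creates an account that is only used to supply PUID/PGID to the container, yet its login shell and home directory are left at the platform's useradd defaults. Adding `shell: /usr/sbin/nologin` (the path varies by distribution) and `create_home: false` under `user:` keeps it a non-interactive account. `Start docker container` is the only task without `become: true`, which works only if the connecting user can already reach the Docker socket, so that is worth confirming. For consistency with `pull: true`, `remove_orphans: yes` should read `remove_orphans: true`.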
@@ -0,0 +1,28 @@
+version: "{{ docker_compose_version }}"
+
+networks:
+ traefik:
+ external: true
+
+services:
+ tautulli:
+ container_name: unifi-controller
+ image: lscr.io/linuxserver/unifi-controller:latest
+ restart: unless-stopped
+ networks:
+ - traefik
+ ports:
+ - 8443:8443 # WebUI
+ - 3478:3478/udp # STUN
+ - 10001:10001/udp # AP discovery
+ - 8080:8080 # Device communication
+ environment:
+ - "PUID={{ service_user.uid }}"
+ - "PGID={{ service_user.uid }}"
+ - "TZ={{ timezone }}"
+ volumes:
+ - "{{ data_dir }}/{{ role_name }}:/config"
+ labels:
+ traefik.enable: true
+ traefik.http.routers.unifi.rule: "Host(`unifi.local.{{ personal_domain }}`)"
+ traefik.http.routers.unifi.middlewares: lan-whitelist@file
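Review bot: Publishing `8443:8443` on all host interfaces makes the WebUI reachable directly on the host, so the `lan-whitelist@file` middleware on the `unifi` router does not restrict it. If the UI is meant to be reached only through Traefik, drop that mapping (or bind it to a LAN address) and give Traefik the backend port and scheme; whether the backend certificate is accepted depends on the Traefik configuration, which is not visible here. The service key is still `tautulli`, apparently copied from another role, and `PGID` is filled from `service_user.uid` where the user module's `group` return value is the primary GID. `image: ...:latest` combined with `pull: true` in the task means any play run can deploy an unreviewed image, so a pinned tag or digest is safer; the sketch below uses a placeholder for it.

```yaml
services:
  unifi-controller:
    # … unchanged: container_name …
    image: lscr.io/linuxserver/unifi-controller:<PINNED_TAG_OR_DIGEST>
    # … unchanged: restart, networks …
    ports:
      # 8443 (WebUI) is not published; it is reached through the traefik router only
      - "3478:3478/udp" # STUN
      - "10001:10001/udp" # AP discovery
      - "8080:8080" # Device communication
    environment:
      - "PUID={{ service_user.uid }}"
      - "PGID={{ service_user.group }}"
      # … unchanged: TZ …
    # … unchanged: volumes …
    labels:
      # … unchanged: traefik.enable, router rule, router middlewares …
      traefik.http.services.unifi.loadbalancer.server.port: "8443"
      traefik.http.services.unifi.loadbalancer.server.scheme: https
```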