diff --git a/README.md b/README.md
index 3a3d9f5..0415995 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,31 @@
 # ansible-role-docker
+This role installs docker-ce (Docker Community Edition) on a Debian system. (Tested on Stretch and Buster) It also exposes the Docker socket over TCP on port 2376, using X509 TLS certificates to enable / disable access.
+
+## Prerequisites
+
+Ensure that the fqdn (hostname -f) of the host is resolvable through dns.
+
+## Example playbook
+
+```
+---
+- hosts:
+ - hostname
+ roles:
+ - role: docker
+```
+
+## Copy TLS certificates
+
+Copy /root/.docker/ to your local home directory.
+
+## Remotely connect to your docker host
+
+```
+echo 'export DOCKER_HOST=tcp://:2376
+export DOCKER_CERT_PATH=~/.docker/
+export DOCKER_TLS_VERIFY=1' > vars
+source vars
+docker info
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..2ec75b5
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+docker_storage_driver: overlay2
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..17b1844
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: restart docker
+ service:
+ name: docker
+ state: restarted
+
+- name: systemctl daemon-reload
+ command: systemctl daemon-reload
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..8165833
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,2 @@
+galaxy_info:
+ author: Nils Cant
diff --git a/tasks/apt.yml b/tasks/apt.yml
new file mode 100644
index 0000000..1531934
--- /dev/null
+++ b/tasks/apt.yml
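Review bot: In handlers/main.yml `restart docker` is defined before `systemctl daemon-reload`, and Ansible runs notified handlers in the order they are defined in the handlers file, not the order given in `notify`, so the restart fires before the reload and the drop-in written by tasks/docker.yml is only picked up on the following run. Move the `systemctl daemon-reload` handler above `restart docker` (the `notify` list order in tasks/docker.yml does not matter, but listing reload first there too documents the intent). The reload itself can use the native module rather than a raw command, `systemd:` with `daemon_reload: true`, which also reports changed state consistently. The file is also missing the `---` document start that tasks/apt.yml and the other task files use.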
@@ -0,0 +1,16 @@
+---
+- name: Install prerequisites
+ apt:
+ name: ['apt-transport-https', 'ca-certificates', 'gpg']
+
+- name: Add docker apt key
+ apt_key:
+ keyserver: hkp://p80.pool.sks-keyservers.net:80
+ id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
+- name: Add docker repository
+ apt_repository:
+ repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+
+- name: Install docker CE
+ apt: name=docker-ce state=latest
diff --git a/tasks/docker.yml b/tasks/docker.yml
new file mode 100644
index 0000000..59cb213
--- /dev/null
+++ b/tasks/docker.yml
@@ -0,0 +1,13 @@
+---
+- name: Create docker systemd drop-in directory
+ file:
+ path: /etc/systemd/system/docker.service.d
+ state: directory
+
+- name: Configure docker startup options
+ template:
+ src: docker-systemd-conf.j2
+ dest: /etc/systemd/system/docker.service.d/exec.conf
+ notify:
+ - restart docker
+ - systemctl daemon-reload
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..ac80716
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- import_tasks: apt.yml
+- import_tasks: tls.yml
+- import_tasks: docker.yml
diff --git a/tasks/tls.yml b/tasks/tls.yml
new file mode 100644
index 0000000..d8a3362
--- /dev/null
+++ b/tasks/tls.yml
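Review bot: The last task in tasks/apt.yml installs docker-ce with `state=latest`, which upgrades the engine on every run the repository publishes a new package and restarts every running container as a side effect; prefer `state: present` and expose the version through a default such as `docker_version` next to `docker_storage_driver`. The `Add docker apt key` task fetches the key over an unauthenticated hkp keyserver on port 80 — the full fingerprint in `id` does prevent key substitution, but the SKS keyserver pool has not been reliably operated for some time, so the role breaks on fresh hosts; the vendor-hosted key is the supported source, `url: https://download.docker.com/linux/debian/gpg` together with the same `id`. The same task should be written in block YAML like its siblings rather than the `name=docker-ce state=latest` key=value string.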
@@ -0,0 +1,40 @@
+---
+- name: Docker TLS directory
+ file:
+ path: /etc/docker/tls
+ state: directory
+
+- name: Openssl docker ext config file
+ copy:
+ content: "subjectAltName = DNS:{{ ansible_fqdn}},IP:127.0.0.1"
+ dest: "/etc/docker/tls/extfile.cnf"
+
+- name: Generate server CA and server TLS certificates
+ shell: |
+ openssl req -new -days 7300 -batch -newkey rsa:4096 -keyout ca.key -nodes -subj "/commonName={{ ansible_fqdn }} docker CA/" -x509 -out ca.pem
+ openssl genrsa -out server.key 4096
+ openssl req -subj "/CN={{ ansible_fqdn }}" -sha256 -new -key server.key -out server.csr
+ openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -extfile extfile.cnf
+ args:
+ chdir: /etc/docker/tls
+ creates: /etc/docker/tls/*.pem
+
+- name: TLS client extfile
+ copy:
+ content: "extendedKeyUsage = clientAuth"
+ dest: /etc/docker/tls/client-extfile.cnf
+
+- name: Docker client certificate directory
+ file:
+ path: "/root/.docker/{{ ansible_fqdn }}"
+ state: directory
+
+- name: Generate and sign client TLS certificate
+ shell: |
+ openssl genrsa -out "/root/.docker/{{ ansible_fqdn }}/key.pem" 4096
+ openssl req -subj '/CN=client' -new -key "/root/.docker/{{ ansible_fqdn }}/key.pem" -out "/root/.docker/{{ ansible_fqdn }}/client.csr"
+ openssl x509 -req -days 3650 -sha256 -in "/root/.docker/{{ ansible_fqdn }}/client.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -out "/root/.docker/{{ ansible_fqdn }}/cert.pem" -extfile client-extfile.cnf
+ cp /etc/docker/tls/ca.pem "/root/.docker/{{ ansible_fqdn }}"
+ args:
+ chdir: /etc/docker/tls
+ creates: "/root/.docker/{{ ansible_fqdn }}/cert.pem"
diff --git a/templates/docker-systemd-conf.j2 b/templates/docker-systemd-conf.j2
new file mode 100644
index 0000000..08967e9
--- /dev/null
+++ b/templates/docker-systemd-conf.j2
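Review bot: Neither the `Docker TLS directory` task nor the `Docker client certificate directory` task sets ownership or mode, and the shell tasks do not chmod what they write, so `/etc/docker/tls` and `/root/.docker/{{ ansible_fqdn }}` are created under root's umask and, unless the installed openssl creates key files owner-only (worth confirming on the target), `ca.key`, `server.key` and the client `key.pem` can be readable by unprivileged local users; add `owner: root`, `group: root` and `mode: "0700"` to both `file:` tasks. The CA private key also remains in `/etc/docker/tls` beside the server key after signing, which the client-signing task needs but which means anyone with root on the daemon host can issue further client certificates — a comment on the task stating that the CA lives on the host is the minimum, and a role variable to keep it elsewhere would be better. The extfile written by `Openssl docker ext config file` limits the SAN to the FQDN and 127.0.0.1 while the drop-in in templates/docker-systemd-conf.j2 binds 0.0.0.0:2376, so a client that sets DOCKER_HOST to any other address of the machine fails verification; either state in the README that the FQDN must be used or add the primary address, e.g. `IP:{{ ansible_default_ipv4.address }}`. Note too that the client material lands in `/root/.docker/{{ ansible_fqdn }}/`, one directory deeper than the `DOCKER_CERT_PATH=~/.docker/` the README example shows, and `{{ ansible_fqdn}}` in the SAN line is missing its closing space.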
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd -H fd:// --storage-driver={{ docker_storage_driver }} --tlsverify --tlscacert=/etc/docker/tls/ca.pem --tlscert=/etc/docker/tls/server.pem --tlskey=/etc/docker/tls/server.key -H=0.0.0.0:2376
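Review bot: The drop-in's ExecStart publishes the API on every interface with `-H=0.0.0.0:2376` and nothing in the template says why that is acceptable; `--tlsverify` does make a CA-signed client certificate mandatory, so this is not an open socket, but that reasoning should be visible to the next reader — add `# Remote API on all interfaces; --tlsverify rejects clients without a cert signed by /etc/docker/tls/ca.pem` under `[Service]`. Putting `hosts`, `storage-driver` and the `tls*` settings on the command line also means that any later `/etc/docker/daemon.json` setting one of the same keys makes dockerd refuse to start with a duplicate-option error, so consider moving them into daemon.json and leaving only `-H fd://` on the reset ExecStart. The bind address and port deserve a role default beside `docker_storage_driver` so an operator can restrict the listener to a management address.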