diff --git a/deploy.yml b/deploy.yml index d6442f6..f2c882c 100644 --- a/deploy.yml +++ b/deploy.yml @@ -36,6 +36,14 @@ roles: - mounts +- name: nfs-server + hosts: + - suricata + become: true + roles: + - nfs-server + tags: nfs + - name: usercfg hosts: - suricata diff --git a/hosts.yml b/hosts.yml index 444012e..a2835eb 100644 --- a/hosts.yml +++ b/hosts.yml @@ -140,6 +140,32 @@ all: opts: "subvol=certs,noatime,compress=zstd" passno: "0" + - src: "/mnt/certs/acme" + path: "/srv/nfs/k8s/acme" + fstype: "none" + opts: "bind" + passno: "0" + + nfs_exports: + - path: "/srv/nfs" + hosts: + - hostname: localhost + options: + - ro + - all_squash + - no_subtree_check + - fsid=0 + + - path: "/srv/nfs/k8s" + hosts: + - hostname: localhost + options: + - rw + - no_root_squash + - no_subtree_check + - sync + - crossmnt + rpi_cfg: - "enable_uart=1" - "otg_mode=1" diff --git a/roles/nfs-server/tasks/alpine.yml b/roles/nfs-server/tasks/alpine.yml new file mode 100644 index 0000000..33c14fd --- /dev/null +++ b/roles/nfs-server/tasks/alpine.yml @@ -0,0 +1,29 @@ +--- + +- name: install nfs-utils with apk + apk: + name: nfs-utils + +- name: set NFS's `NFS_NEEDED_SERVICES` + lineinfile: + path: /etc/conf.d/nfs + regexp: '^NFS_NEEDED_SERVICES=' + line: 'NFS_NEEDED_SERVICES="rpc.idmapd"' + +- name: set NFS's `OPTS_RPC_NFSD` + lineinfile: + path: /etc/conf.d/nfs + regexp: '^OPTS_RPC_NFSD=' + line: 'OPTS_RPC_NFSD="8 -N 3 -V 4"' + +- name: set NFS's `OPTS_RPC_MOUNTD` + lineinfile: + path: /etc/conf.d/nfs + regexp: '^OPTS_RPC_MOUNTD' + line: 'OPTS_RPC_MOUNTD="-N 3 -V 4"' + +- name: start and enable nfs + service: + name: nfs + state: started + enabled: true diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml new file mode 100644 index 0000000..ca73711 --- /dev/null +++ b/roles/nfs-server/tasks/main.yml 
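Review bot: The `/srv/nfs/k8s` entry in `nfs_exports` combines `rw` with `no_root_squash` and `crossmnt`, and the new bind mount places `/mnt/certs/acme` beneath it, so any client accepted as `localhost` gets unsquashed root write access to the ACME certificate directory. If consumers only read the certificates, drop `no_root_squash` so the default `root_squash` applies, or use `all_squash` with explicit `anonuid=`/`anongid=` values. Restricting the client to `localhost` narrows exposure, but presumably something forwards or shares that loopback path, and whatever controls it inherits root on the export. If the option has to stay, a comment above the entry such as `# no_root_squash: required by <consumer>; reachable only via <transport>` would record why. The enclosing mounts list begins outside the hunk.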
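Review bot: The three `lineinfile` tasks in `alpine.yml` rewrite `/etc/conf.d/nfs`, but the last task only requests `state: started`, so on a host where nfs is already running the new `OPTS_RPC_NFSD` and `OPTS_RPC_MOUNTD` values are written but not applied. The `-N 3 -V 4` version restriction therefore stays inactive until someone restarts the service by hand. Adding `notify: restart nfs` to each of the three tasks, with a matching handler in the role, would close that gap. Separately, the `OPTS_RPC_MOUNTD` pattern is `'^OPTS_RPC_MOUNTD'` without the trailing `=` that the other two use; `regexp: '^OPTS_RPC_MOUNTD='` keeps them consistent and avoids matching a longer variable name.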
@@ -0,0 +1,16 @@
+---
+
+- name: render /etc/exports
+ template:
+ src: exports.j2
+ dest: /etc/exports
+ mode: '0644'
+ register: exports
+
+- name: alpine-specific nfs server tasks
+ include_tasks: alpine.yml
+ when: ansible_distribution == "Alpine"
+
+- name: export nfs exports
+ command: /usr/sbin/exportfs -arv
+ when: exports.changed
diff --git a/roles/nfs-server/templates/exports.j2 b/roles/nfs-server/templates/exports.j2
new file mode 100644
index 0000000..31bbe6c
--- /dev/null
+++ b/roles/nfs-server/templates/exports.j2
@@ -0,0 +1,8 @@
+{% for export in nfs_exports %}
+ {{- export.path }}{% for host in export.hosts %}
+ {{ host.hostname }}({% for option in host.options -%}
+ {{- option }},
+ {%- endfor %})
+ {%- endfor %}
+
+{% endfor %}
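Review bot: In `main.yml`, `export nfs exports` is gated on `exports.changed`, with the Alpine include (package install and service start) sitting between it and the template task. If that include fails on a run that rewrote `/etc/exports`, the next run sees the template unchanged and skips `exportfs -arv`, so the active export table can lag behind the file. Moving the `include_tasks` above `render /etc/exports` puts the re-export directly after the render and ensures the package exists before `/usr/sbin/exportfs` is called. The template task also sets only `mode: '0644'`; adding `owner: root` and `group: root` would pin ownership of a file that controls who may mount what.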
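Review bot: The inner loop in `exports.j2` writes `{{- option }},` for every option, so each rendered client spec ends with a trailing comma before the closing parenthesis, e.g. `localhost(ro,all_squash,no_subtree_check,fsid=0,)`. exportfs may tolerate the empty trailing option, but relying on parser leniency in an access-control file is fragile. Replacing the loop with `{{ host.hostname }}({{ host.options | join(',') }})` produces a clean list and is easier to read. The values of `path`, `hostname` and `options` are interpolated as-is, so a comment at the top of the template noting that they must contain no whitespace or parentheses would help whoever edits `nfs_exports` later.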