diff --git a/docker-proxy.yml b/docker-proxy.yml
new file mode 100644
index 0000000..1f8ca3c
--- /dev/null
+++ b/docker-proxy.yml
@@ -0,0 +1,6 @@
+- hosts: docker-proxy
+  roles:
+  - lego-nginx
+  - role: dockerhub-proxy
+    tags:
+    - dockerhub-proxy
diff --git a/group_vars/docker-proxy.yml b/group_vars/docker-proxy.yml
new file mode 100644
index 0000000..b163e57
--- /dev/null
+++ b/group_vars/docker-proxy.yml
@@ -0,0 +1,10 @@
+data_volumes:
+- dev: /dev/vdb
+  fstype: ext4
+  mountpoint: /var/cache
+nginx_ssl_certificate: /var/lib/lego/certificates/{{ lego_domains[0] }}.crt
+nginx_ssl_certificate_key: /var/lib/lego/certificates/{{ lego_domains[0] }}.key
+lego_acme_server: https://ca.pyrocufflink.blue/acme/acme/directory
+lego_acme_email: '{{ ansible_hostname }}@pyrocufflink.net'
+lego_domains:
+- docker-hub.proxy.pyrocufflink.blue
diff --git a/roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf b/roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf
new file mode 100644
index 0000000..5f65628
--- /dev/null
+++ b/roles/dockerhub-proxy/files/dockerhub-proxy-cache.conf
@@ -0,0 +1,2 @@
+# vim: set ft=nginx.conf :
+proxy_cache_path /var/cache/nginx/docker levels=1:2 keys_zone=docker_cache:100m max_size=10g inactive=60m use_temp_path=off;
diff --git a/roles/dockerhub-proxy/files/dockerhub-proxy.conf b/roles/dockerhub-proxy/files/dockerhub-proxy.conf
new file mode 100644
index 0000000..0749b40
--- /dev/null
+++ b/roles/dockerhub-proxy/files/dockerhub-proxy.conf
@@ -0,0 +1,17 @@
+# vim: set ft=nginx.conf :
+location /v2/ {
+    proxy_pass https://registry-1.docker.io;
+
+    proxy_set_header Host registry-1.docker.io;
+    proxy_ssl_server_name on;
+
+    proxy_cache docker_cache;
+    proxy_cache_valid 200 302 60m;
+    proxy_cache_valid 404 10m;
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+    proxy_buffers 8 16k;
+    proxy_buffer_size 32k;
+
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+}
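Review bot: `proxy_cache_path` in dockerhub-proxy-cache.conf leaves nginx on its default `proxy_cache_key`, which is built from scheme, upstream host and request URI and ignores the `Authorization` header, so a manifest fetched with one client's bearer token is served from cache to any later client asking for the same path until `inactive=60m` or the `proxy_cache_valid` window expires, unless the registry marks the response non-cacheable. That is an acceptable trade-off for a public-image cache on a trusted network, but it should be stated, e.g. a comment above the directive: `# cache key is the request URI only (no Authorization): front public images only`. If private repositories may ever be pulled through this host, gate caching with `proxy_no_cache`/`proxy_cache_bypass` on a variable or restrict the location with `allow`/`deny`, since nothing in the new config limits who may use it.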
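Review bot: The `location /v2/` block in dockerhub-proxy.conf enables SNI with `proxy_ssl_server_name on;` but never turns on upstream certificate verification, and nginx's `proxy_ssl_verify` defaults to off, so the proxy will accept any certificate from whatever answers for registry-1.docker.io while clients only ever see this host's valid lego certificate. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path to the system CA bundle>;` next to `proxy_ssl_server_name on;`. Separately, only 200, 302 and 404 are listed in `proxy_cache_valid` and nginx does not follow upstream redirects on the client's behalf, so if the registry answers blob requests with a 307 to a CDN those transfers bypass the 10g cache entirely; worth confirming against real pull traffic before relying on the cache for layer data.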
diff --git a/roles/dockerhub-proxy/meta/main.yml b/roles/dockerhub-proxy/meta/main.yml
new file mode 100644
index 0000000..3ebd2a7
--- /dev/null
+++ b/roles/dockerhub-proxy/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+- role: nginx
+  tags:
+  - nginx
diff --git a/roles/dockerhub-proxy/tasks/main.yml b/roles/dockerhub-proxy/tasks/main.yml
new file mode 100644
index 0000000..6810373
--- /dev/null
+++ b/roles/dockerhub-proxy/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: ensure nginx is allowed to proxy
+  seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  tags:
+  - selinux
+
+- name: ensure nginx docker proxy cache directory exists
+  file:
+    path: /var/cache/nginx/docker
+    owner: nginx
+    group: nginx
+    mode: u=rwx,go=
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure nginx docker proxy cache path is configured
+  copy:
+    src: dockerhub-proxy-cache.conf
+    dest: /etc/nginx/conf.d/
+  notify:
+  - reload nginx
+  tags:
+  - nginx-config
+
+- name: ensure nginx is configured to proxy for docker hub
+  copy:
+    src: dockerhub-proxy.conf
+    dest: /etc/nginx/default.d/dockerhub-proxy.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload nginx
+  tags:
+  - nginx-config
diff --git a/site.yml b/site.yml
index 4671029..89e7976 100644
--- a/site.yml
+++ b/site.yml
@@ -14,3 +14,4 @@
 - import_playbook: unifi.yml
 - import_playbook: victoria-logs.yml
 - import_playbook: restic.yml
+- import_playbook: docker-proxy.yml
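Review bot: `httpd_can_network_connect` in the first task of tasks/main.yml lets nginx open outbound connections to any TCP port, while this role only needs to reach an HTTPS upstream; the narrower `httpd_can_network_relay` boolean exists for reverse proxies and covers the http/https ports, so `name: httpd_can_network_relay` is worth trying first if the target policy provides it. The third task copies `dockerhub-proxy-cache.conf` into `/etc/nginx/conf.d/` without the `owner`/`group`/`mode` the fourth task sets for `dockerhub-proxy.conf`, so the two config files presumably end up with different ownership and mode depending on the remote's defaults; add `owner: root`, `group: root`, `mode: u=rw,go=r` there too for consistency. The cache directory task also assumes `/var/cache/nginx` already exists, which I take to come from the nginx role dependency in meta/main.yml; a short comment saying so would save the next reader the lookup.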