diff --git a/README.md b/README.md
index 3edfbf7..e09ea1d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# role_modele
+# role_stubby
-Modèle
\ No newline at end of file
+Deploy stubby.
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..f3b9a74
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+# defaults file for dnsmasq
+
+stubby_listen_addresses: []
+# Example:
+# - 127.0.0.1@53000
+# - 0::1@53000
+
+stubby_upstream_recursive_servers: []
+# Example:
+# - address_data: 2a0f:fc80::9
+# tls_port: 853
+# tls_auth_name: "dns0.eu"
+# - address_data: 2a0f:fc81::9
+# tls_port: 853
+# tls_auth_name: "dns0.eu"
+# - address_data: 193.110.81.9
+# tls_port: 853
+# tls_auth_name: "dns0.eu"
+# - address_data: 185.253.5.9
+# tls_port: 853
+# tls_auth_name: "dns0.eu"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b9b821b
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+# handlers file for stubby
+
+- name: Apply installation
+ ansible.builtin.command:
+ argv:
+ - /usr/bin/rpm-ostree
+ - apply-live
+ become: true
+
+- name: Restart stubby.service
+ ansible.builtin.systemd:
+ state: restarted
+ name: stubby.service
+ become: true
diff --git a/meta/main.yml b/meta/main.yml
index c58bebf..04dc1af 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
 galaxy_info:
 namespace: ykn
 author: pulsar89.5
- description: Rôle modèle
+ description: Rôle de déploiement de stubby
 license: GPL-3.0-or-later
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
new file mode 100644
index 0000000..f58c4c6
--- /dev/null
+++ b/tasks/configuration.yml
@@ -0,0 +1,9 @@
+---
+# tasks file for stubby
+
+- name: Deploy configuration
+ ansible.builtin.template:
+ src: stubby.yml.j2
+ dest: /etc/stubby/stubby.yml
+ become: true
+ notify: Restart stubby.service
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..37a9ca9
--- /dev/null
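Review bot: The header comment in defaults/main.yml still reads `# defaults file for dnsmasq`, which looks like a leftover from another role and should be `# defaults file for stubby`. Both variables default to `[]`, so the comment block should also say that `stubby_upstream_recursive_servers` must be set by the caller, because the template in this commit pairs it with `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED`. The example entries show only `tls_auth_name`; the template also accepts an optional `tls_pubkey_pinset` list of `digest`/`value` pairs, and one commented example of it would document that pinning option.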
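Review bot: The `Apply installation` handler in handlers/main.yml runs `/usr/bin/rpm-ostree apply-live`, but tasks/installation.yml installs the package with `ansible.builtin.apt` and no task in this commit notifies that handler. As written it is unreachable and appears to be carried over from an rpm-ostree based host. Either drop it, or make the install task choose the package manager per platform and add `notify: Apply installation` only on the rpm-ostree path.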
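Review bot: The `Deploy configuration` task in tasks/configuration.yml writes /etc/stubby/stubby.yml without `owner`, `group` or `mode`, so the permissions of a newly created file depend on the umask of the become user. Set them explicitly, for example `owner: root`, `group: root` and `mode: "0644"`, so the resolver configuration cannot end up writable by an unprivileged account. The task also assumes that /etc/stubby already exists, which presumably comes from the package install.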
+++ b/tasks/installation.yml
@@ -0,0 +1,7 @@
+---
+# tasks file for stubby
+
+- name: Install stubby
+ ansible.builtin.apt:
+ name: stubby
+ become: true
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..ed537cd
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+# tasks file for stubby
+
+- name: Include installation tasks
+ ansible.builtin.import_tasks:
+ file: installation.yml
+
+- name: Import configuration tasks
+ ansible.builtin.import_tasks:
+ file: configuration.yml
diff --git a/templates/stubby.yml.j2 b/templates/stubby.yml.j2
new file mode 100644
index 0000000..cb90ede
--- /dev/null
+++ b/templates/stubby.yml.j2
@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+resolution_type: GETDNS_RESOLUTION_STUB
+dns_transport_list:
+ - GETDNS_TRANSPORT_TLS
+tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+tls_query_padding_blocksize: 128
+edns_client_subnet_private: 1
+round_robin_upstreams: 1
+idle_timeout: 10000
+
+listen_addresses:
+{% for address in stubby_listen_addresses %}
+ - {{ address }}
+{% endfor %}
+
+upstream_recursive_servers:
+{% for server in stubby_upstream_recursive_servers %}
+ - address_data: {{ server.address_data }}
+{% if server.tls_port is defined %}
+ tls_port: {{ server.tls_port }}
+{% endif %}
+ tls_auth_name: "{{ server.tls_auth_name }}"
+{% if server.tls_pubkey_pinset is defined %}
+ tls_pubkey_pinset:
+{% for pubkey in server.tls_pubkey_pinset %}
+ - digest: "{{ pubkey.digest }}"
+ value: {{ pubkey.value }}
+{% endfor %}
+{% endif %}
+{% endfor %}
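Review bot: With the role defaults (`stubby_listen_addresses: []`, `stubby_upstream_recursive_servers: []`) both top-level `for` loops in templates/stubby.yml.j2 emit nothing, so the rendered file has bare `listen_addresses:` and `upstream_recursive_servers:` keys with null values. How stubby treats a null there is not visible from this commit, but a stub resolver with no upstreams cannot answer queries, and the `Restart stubby.service` handler restarts the service onto that file. Wrap the `listen_addresses:` block in `{% if stubby_listen_addresses %}` … `{% endif %}` so the key is omitted when nothing is configured, and fail early on an empty upstream list, for example with an `ansible.builtin.assert` using `that: stubby_upstream_recursive_servers | length > 0` before the template task. Separately, `address_data`, the listen addresses and the pinset `value` are rendered unquoted while `tls_auth_name` and `digest` are quoted; quoting all of them is more consistent, since IPv6 literals can begin with `:`.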