diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index 8f60c5d..bd5110e 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+bookstack_path: "{{ podman_volumes }}/bookstack"
 drone_path: "{{ podman_volumes }}/drone"
 graylog_path: "{{ podman_volumes }}/graylog"
 hass_path: "{{ podman_volumes }}/hass"
@@ -13,6 +14,7 @@ drone_runner_capacity: "4"
 ci_server_name: ci.bdebyl.net
 pi_server_name: pi.bdebyl.net
 assistant_server_name: assistant.bdebyl.net
+bookstack_server_name: wiki.skudakrennsport.com
 home_server_name: home.bdebyl.net
 parts_server_name: parts.bdebyl.net
 video_server_name: video.bdebyl.net
diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
index 7f2f72b..e0b2936 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-http.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
@@ -65,6 +65,7 @@
 - "{{ pi_server_name }}.conf"
 - "{{ home_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
+ - "{{ bookstack_server_name }}.conf"
 - "{{ video_server_name }}.conf"
 - "{{ parts_server_name }}.conf"
 - "{{ logs_server_name }}.conf"
@@ -87,6 +88,7 @@
 - "{{ parts_server_name }}.conf"
 - "{{ home_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
+ - "{{ bookstack_server_name }}.conf"
 - "{{ video_server_name }}.conf"
 - "{{ logs_server_name }}.conf"
 notify:
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index b307ef3..5189f75 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
@@ -36,6 +36,7 @@
 loop:
 - "{{ ci_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
+ - "{{ bookstack_server_name }}.https.conf"
 notify:
 - restorecon podman
 - restart nginx
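Review bot: The new container-bookstack.yml reads `bookstack_db_root_pass`, `bookstack_db_pass`, `bookstack_mail_host`, `bookstack_mail_user` and `bookstack_mail_pass`, none of which are declared in this defaults file, so they presumably come from the vaulted ansible/vars/vault.yml that also changes in this commit (shown only as a binary diff). A short comment next to the new `bookstack_path` / `bookstack_server_name` entries listing the vault-provided names, e.g. `# bookstack_db_root_pass, bookstack_db_pass and bookstack_mail_* are defined in vars/vault.yml`, makes that dependency visible without putting any value in defaults. As a consistency nit, `bookstack_server_name: wiki.skudakrennsport.com` is left unquoted while the `*_path` values on the same page are quoted; it parses as a plain string either way.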
@@ -52,6 +53,7 @@
 loop:
 - "{{ ci_server_name }}.https.conf"
 - "{{ parts_server_name }}.https.conf"
+ - "{{ bookstack_server_name }}.https.conf"
 notify:
 - restorecon podman
 - restart nginx
diff --git a/ansible/roles/podman/tasks/container-bookstack.yml b/ansible/roles/podman/tasks/container-bookstack.yml
new file mode 100644
index 0000000..bd94f14
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-bookstack.yml
@@ -0,0 +1,80 @@
+---
+- name: create required bookstack volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_user }}"
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - "{{ bookstack_path }}/mysql"
+ tags: bookstack
+
+- name: flush handlers
+ ansible.builtin.meta: flush_handlers
+ tags: bookstack
+
+- name: create bookstack-db container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: bookstack-db
+ image: docker.io/mysql:5.7.21
+ recreate: false
+ restart: false
+ restart_policy: on-failure
+ log_driver: journald
+ network:
+ - shared
+ env:
+ MYSQL_ROOT_PASSWORD: "{{ bookstack_db_root_pass }}"
+ TZ: "America/New_York"
+ MYSQL_DATABASE: bookstack
+ MYSQL_USER: bookstack
+ MYSQL_PASSWORD: "{{ bookstack_db_pass }}"
+ volumes:
+ - "{{ bookstack_path }}/mysql:/var/lib/mysql"
+ tags: bookstack
+
+- name: create systemd startup job for bookstack-db
+ include_tasks: systemd-generate.yml
+ vars:
+ container_name: bookstack-db
+ tags: bookstack
+
+- name: create bookstack container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: bookstack
+ image: docker.io/solidnerd/bookstack:22.04
+ recreate: true
+ restart: false
+ restart_policy: on-failure
+ log_driver: journald
+ network:
+ - shared
+ env:
+ APP_URL: "https://wiki.skudakrennsport.com"
+ DB_HOST: "bookstack-db"
+ DB_USERNAME: "bookstack"
+ DB_DATABASE: "bookstack"
+ DB_PASSWORD: "{{ bookstack_db_pass }}"
+ MAIL_DRIVER: "smtp"
+ MAIL_HOST: "{{ bookstack_mail_host }}"
+ MAIL_PORT: 465
+ MAIL_ENCRYPTION: "ssl"
+ MAIL_USERNAME: "{{ bookstack_mail_user }}"
+ MAIL_PASSWORD: "{{ bookstack_mail_pass }}"
+ MAIL_FROM: "{{ bookstack_mail_user }}"
+ MAIL_FROM_NAME: "Skudak Wiki"
+ ports:
+ - "6875:8080"
+ tags: bookstack #- name: create systemd startup job for bookstack # include_tasks: systemd-generate.yml # vars: # container_name: bookstack
+# tags: bookstack
diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml
index 4393564..b1cb4c8 100644
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -8,14 +8,15 @@
 zone: "public"
 state: enabled
 loop:
- - 53/tcp
- - 53/udp
- - 1153/tcp
- - 1153/udp
- - 80/tcp
- - 443/tcp
 - "{{ syslog_udp_default }}/udp"
 - "{{ syslog_udp_error }}/udp"
 - "{{ syslog_udp_unifi }}/udp"
+ - 1153/tcp
+ - 1153/udp
+ - 443/tcp
+ - 53/tcp
+ - 53/udp
+ - 6875/tcp
+ - 80/tcp
 notify: restart firewalld
 tags: firewall
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index 22d9974..a3468ea 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -8,4 +8,5 @@
 - import_tasks: container-partkeepr.yml
 - import_tasks: container-graylog.yml
 - import_tasks: container-pihole.yml
+- import_tasks: container-bookstack.yml
 - import_tasks: container-nginx.yml
diff --git a/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.conf.j2
new file mode 100644
index 0000000..cc0fb4e
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.conf.j2
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name {{ bookstack_server_name }};
+
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /srv/http/letsencrypt;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2
new file mode 100644
index 0000000..c84960e
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2
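Review bot: The `bookstack` container publishes `"6875:8080"` without a host address, so the application listens on every host interface, and the hunk in tasks/firewall.yml in this same commit opens `6875/tcp` in the public zone; together they make BookStack reachable directly on port 6875, bypassing the nginx layer (TLS, modsecurity and the `$whitelisted` redirect) that the new https template places in front of it, even though nginx only ever connects to `127.0.0.1:6875`. Binding to loopback with `- "127.0.0.1:6875:8080"` and dropping the `6875/tcp` entry from the firewall loop leaves nginx as the only path in. Separately, `APP_URL: "https://wiki.skudakrennsport.com"` hard-codes the name that every other file reads from `bookstack_server_name`; `APP_URL: "https://{{ bookstack_server_name }}"` keeps defaults/main.yml as the single source. The pinned `docker.io/mysql:5.7.21` is an early-2018 point release of a series that is out of upstream support, so it will not receive security fixes — worth a comment explaining the choice or a move to a maintained tag. The systemd job for the `bookstack` container is left commented out at the end of the file while `bookstack-db` gets one, so the app container presumably will not come back on reboot; if that is intentional, a one-line comment saying why would help.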
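Review bot: The redirect `return 301 https://$host$request_uri;` in the new wiki.skudakrennsport.com.conf.j2 echoes the client-supplied Host header into the Location header; with `server_name {{ bookstack_server_name }}` set this only matters if the block also ends up as nginx's default server for port 80 (not visible here), in which case an arbitrary Host value would be reflected. `return 301 https://{{ bookstack_server_name }}$request_uri;` pins the target to the configured name and costs nothing.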
@@ -0,0 +1,53 @@
+upstream bookstack {
+ server 127.0.0.1:6875;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+ listen 443 ssl http2;
+ server_name {{ bookstack_server_name }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ bookstack_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ bookstack_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ bookstack_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ if ($whitelisted = 0) {
+ return 302 $scheme://skudakrennsport.com$request_uri;
+ }
+
+ location / {
+ add_header Referrer-Policy "same-origin" always;
+ # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ # Sent from upstream:
+ # add_header X-Frame-Options "SAMEORIGIN";
+ # add_header X-XSS-Protection "1; mode=block";
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://bookstack;
+ proxy_redirect off;
+
+ chunked_transfer_encoding off;
+ }
+}
+
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index 1ed1fcc..fca95c6 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
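Review bot: The `Strict-Transport-Security` header is left commented out with no reason given, while the companion http template already 301-redirects everything to https, so browsers keep sending an interceptable plain-http first request on every visit. If the `includeSubDomains` directive is the concern (the rest of the domain is served elsewhere), `add_header Strict-Transport-Security "max-age=63072000" always;` without it is safe for this host alone; otherwise a one-line comment stating why it is disabled would help the next reader. `$whitelisted` is not defined in this template and is presumably set by a `geo` or `map` block elsewhere in the nginx config — a comment pointing at where it comes from would be useful, since the `302` fires for every request that does not match. Line 53 is a stray empty line at end of file.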
@@ -10,6 +10,7 @@
 loop:
 - "{{ ci_server_name }}"
 - "{{ parts_server_name }}"
+ - "{{ bookstack_server_name }}"
 tags: ssl
 - name: set group ownership for /etc/letsencrypt/
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 666a130..bc1096f 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ