diff --git a/ansible/main.yml b/ansible/main.yml
index f2093c3..f562f4d 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -44,6 +44,7 @@
 - gitea
 - duplicati
 - yourls
+ - pve_nebula_route

 - hosts: ingress
 roles:
@@ -58,3 +59,4 @@
 become: true
 - pve
 - zfs
+ - pve_nebula_route
diff --git a/ansible/roles/pve_nebula_route/tasks/main.yml b/ansible/roles/pve_nebula_route/tasks/main.yml
new file mode 100644
index 0000000..ade4ad0
--- /dev/null
+++ b/ansible/roles/pve_nebula_route/tasks/main.yml
@@ -0,0 +1,22 @@
+- name: Get routes
+ command:
+ argv:
+ - ip
+ - route
+ - show
+ - "{{ nebula.subnet }}"
+ register: routes
+ changed_when: false
+ become: true
+
+- name: Add route to nebula hosts via ingress
+ command:
+ argv:
+ - ip
+ - route
+ - add
+ - "{{ nebula.subnet }}"
+ - via
+ - "{{ ingress_private_ip }}"
+ become: true
+ when: nebula.subnet not in routes.stdout
diff --git a/ansible/roles/pve_nebula_route/vars/main.yml b/ansible/roles/pve_nebula_route/vars/main.yml
new file mode 100644
index 0000000..f424e8a
--- /dev/null
+++ b/ansible/roles/pve_nebula_route/vars/main.yml
@@ -0,0 +1 @@
+ingress_private_ip: 10.23.1.88
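Review bot: The guard `when: nebula.subnet not in routes.stdout` on the "Add route to nebula hosts via ingress" task only checks that some route for the subnet exists, so an existing route with a different next hop is accepted and Nebula-bound traffic keeps leaving through a gateway this role did not choose. Using `- replace` instead of `- add`, together with `when: ('via ' ~ ingress_private_ip) not in routes.stdout`, would make the task enforce the intended gateway rather than mere presence. The route is also written only to the running kernel table, so it is presumably lost on reboot until the play runs again; a comment saying so, or a persistent network configuration entry, would make that explicit. Separately, "Get routes" is read-only and is likely skipped in check mode, which would leave `routes.stdout` undefined for the `when:`; adding `check_mode: false` to that task avoids this, and its `become: true` looks unnecessary for listing routes.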
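Review bot: `ingress_private_ip` is hard-coded in the role's `vars/main.yml`, which in Ansible takes precedence over inventory group and host variables, so an environment with a different ingress address cannot override the gateway without editing the role. Moving the line to `defaults/main.yml`, or defining it in inventory alongside `nebula.subnet` (which the tasks file reads but the visible role files do not define), keeps the next hop for the Nebula route in one reviewable place. A short comment such as `# next hop for the Nebula subnet; must be the ingress host's private address` would document what the value is expected to be.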