diff --git a/ansible/group_vars/all/nebula.yml b/ansible/group_vars/all/nebula.yml
index 08bed71..70e0723 100644
--- a/ansible/group_vars/all/nebula.yml
+++ b/ansible/group_vars/all/nebula.yml
@@ -9,3 +9,5 @@ nebula:
       ip: 10.23.2.4
     ingress:
       ip: 10.23.2.5
+    decker:
+      ip: 10.23.2.6
diff --git a/ansible/host_vars/decker.yml b/ansible/host_vars/decker.yml
new file mode 100644
index 0000000..39de68a
--- /dev/null
+++ b/ansible/host_vars/decker.yml
@@ -0,0 +1,11 @@
+restic_backup_locations:
+  - /opt
+  - "{{ home }}/db-backups"
+restic_healthchecks_id: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38326130663036353465396538356534333432393033623531393433383263383665353736653762
+  3061633438386630643536366265633262663365363539320a343134396562626136346435373163
+  33313762336136373836376133656437396139653366363666353432616433663464356532303535
+  3833323130363961620a666630313566376134313139666361366439626666393962373965386238
+  37326164393231303331616630636231316664383461346136323738616364383635313261666537
+  3162363138386335656232336666646536666266383665346634
diff --git a/ansible/hosts b/ansible/hosts
index 507a995..b0ed8e8 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -1,6 +1,7 @@
 casey
 walker
 grimes
+decker
 
 pve
 
diff --git a/ansible/main.yml b/ansible/main.yml
index adfdc7b..1cfced8 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -17,6 +17,7 @@
     - qbittorrent
     - walker
     - grimes
+    - decker
   roles:
     - role: geerlingguy.ntp
       become: true
@@ -30,6 +31,7 @@
     - walker
     - pve-gitlab-runner
     - grimes
+    - decker
   roles:
     - role: geerlingguy.docker
       become: true
@@ -43,6 +45,7 @@
 - hosts:
     - pve-docker
     - walker
+    - decker
   roles:
     - traefik
 
@@ -113,3 +116,8 @@
     - role: dokku_bot.ansible_dokku
       become: true
     - restic
+
+- hosts: decker
+  roles:
+    - nebula
+    - restic
diff --git a/ansible/roles/nebula/files/certs/decker.crt b/ansible/roles/nebula/files/certs/decker.crt
new file mode 100644
index 0000000..f8baec6
--- /dev/null
+++ b/ansible/roles/nebula/files/certs/decker.crt
@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+66313365626166623139343638363632626563616434626336313637376537333165303363353932
+6434393565666434643433316436323338653965653064630a663063393863306131363666326135
+30333435633430383133373831326662613136313736353032643563383165396239653866393534
+3366626536373065640a623930643863636634313062383164303237643965623034643363343561
+63646234633238626139613736343434313531336531376639303261346135643933626537636439
+32313137623261316639326238303365646365376534303831303663636437343163393536313562
+62393566396536396363383865393962636236356335353264383139633663373865393861393034
+35613465373830663632316264353634623361396663343764303732316131333337663432616230
+33333463663738386132366235623661653037623564366166643061363266656438313739313830
+34356464373238363730366239326231653532346162633066363164303838366438323962306366
+62616136643130663534633161633633336461636564353734393737386364333734353065353661
+39333964323661393864346231346436353533373334313936343433343538373666396232383433
+66353264373332353366646666333636633166333565643363373636656263316130613564623134
+30616161346138386538383931326531646634376634336137363864326165643231643735366435
+61613435623339383231373062376434333839393134623138303366636637323464343232306235
+37303034316637376664363437653662326138326236633733636535393436353638303438333738
+61343332626633653838303535303430373436366263313062376233393565633266356436306365
+63656137666161396537616339613031396663656139663462396261643162316438653439643537
+386438626131393330383465303037633366
diff --git a/ansible/roles/nebula/files/certs/decker.key b/ansible/roles/nebula/files/certs/decker.key
new file mode 100644
index 0000000..d2e8b7c
--- /dev/null
+++ b/ansible/roles/nebula/files/certs/decker.key
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+31626534383936313834333334346434626464656166323664616562663831623630313237663864
+3437303465383439376538623466613330326236356637350a353034613434653965633165363831
+32613766336338396434306339353530363139626236326436333835363933373732663935333163
+3233643931303535650a646531303063313265616435653336376561353138326233356563646363
+64326164356532666537306137633465346562363063653436643131656534643166376535383035
+35316130663436643261333838333531353234303635616166666164376366373737626561643135
+39613265303662373933623235633266343430363766623064313065626631326131323633373439
+32366332343864643736313163353635323333356562383839623965613365633236363633306431
+35353932343261613239616462626333396532343737343166653032383033313032636230343337
+6462373035316266633134323961643866323630653237653539
diff --git a/terraform/decker_vps.tf b/terraform/decker_vps.tf
new file mode 100644
index 0000000..650e98c
--- /dev/null
+++ b/terraform/decker_vps.tf
@@ -0,0 +1,18 @@
+module "decker_firewall" {
+  source = "./vultr_firewall/"
+
+  description = "decker"
+  ports = [
+    "80/tcp",
+    "443/tcp",
+    "7743/tcp"
+  ]
+}
+
+
+resource "vultr_instance" "decker" {
+  plan              = "vc2-1c-1gb"
+  region            = "ams"
+  hostname          = "decker"
+  firewall_group_id = module.decker_firewall.firewall_group.id
+}