diff --git a/group_vars/all/proxy_apt.yml b/group_vars/all/proxy_apt.yml
new file mode 100644
index 0000000..1132cf8
--- /dev/null
+++ b/group_vars/all/proxy_apt.yml
@@ -0,0 +1,4 @@
+---
+apt_proxy_port: 3142
+apt_proxy_admin_user: admin
+apt_proxy_admin_mdp: "{{ vault_apt_proxy_admin_mdp }}"
diff --git a/group_vars/all/vault b/group_vars/all/vault
index 2794112..a0b94d7 100644
--- a/group_vars/all/vault
+++ b/group_vars/all/vault
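Review bot: The new variable `apt_proxy_admin_mdp` (and its counterpart `vault_apt_proxy_admin_mdp`) mixes a French abbreviation into otherwise English `apt_proxy_*` names, which makes the secret harder to find by grep and to document; `apt_proxy_admin_password: "{{ vault_apt_proxy_admin_password }}"` would match the rest of the file. Keeping the real value behind a vault reference rather than inline is right, so this is only a naming point. The default `apt_proxy_admin_user: admin` is also the first username anything probing the report page will try; since that page is only protected by Basic auth (per the role's security.conf comment), a less predictable name costs nothing.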
@@ -1,14 +1,21 @@ $ANSIBLE_VAULT;1.1;AES256 -32366334663864626633613637366638313737333863613564633066343832313732646261613862 -6235326333333030336233363963623964643736353336630a666637623235313237383961396532 -65326234323631646537333130623331633633383634313030613065646566343866666163383663 -6131323731666232320a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a323835363139333632623161313731 +31383163363835626662316332356566643936663338626136376564326139336433313139343239 +6136633637613739630a666130383230613461623237363965623038633630623033653734623630 +31663864323464326333373364663465393134346635613565636234623834633730326530663135 +32313439333732323764373765633663643938306136666231326130346266373161356361333930 +36613264383665346630636161343239306436626430626561396266306130353862333131633664 +38366236343136663931666333346237363565366563353539396338343565306431353565616135 +37336466626261633764623638633536383966663433633764356436353838343961346238613065 +64663964373239616330356265343338356434303831396461633061393739326230396139643761 +65393462323131346164396136366438323639393230326362303430656335343164306339616439 +32356537366433663830643639666333383964373837313763343736626534306365613231633936 +63313962633134366131643263306337343433633130626537313434356466613136326639616531 +35633466623131613030643036643430613634346564313431363464326235643366313031306538 +63666139366234393831313232636239666136323536626565366366353737626537613463326234 +64613036616261646165373963306161326339393339353733666533353331316132306437653863 +64386566616665386634343234323235386465396537616435333364356632626636353339353037 +39386432323062393435313963613165633365666639353864303666303337613538653534316133 +66383038633931333034336532333333356234313564393061636332666566383262383461346266 +35303261626433663137 diff --git a/host_vars/proxy_apt/networking.yml b/host_vars/proxy_apt/networking.yml new file mode 100644 index 0000000..c512d06 --- /dev/null +++ b/host_vars/proxy_apt/networking.yml 
@@ -0,0 +1,11 @@
+---
+interfaces:
+ enp0s3:
+ ipv4: "10.0.2.31"
+ netmaskv4: 24
+ enp0s8:
+ ipv4: "10.0.42.1"
+ netmaskv4: 24
+
+ipv4_forwarding: false
+ipv6_forwarding: false
diff --git a/host_vars/proxy_apt/proxy_apt.yml b/host_vars/proxy_apt/proxy_apt.yml
new file mode 100644
index 0000000..2184496
--- /dev/null
+++ b/host_vars/proxy_apt/proxy_apt.yml
@@ -0,0 +1,4 @@
+---
+proxy_apt_interfaces:
+ - "{{ interfaces['enp0s8'].ipv4 }}"
+ - "{{ interfaces['enp0s3'].ipv4 }}"
diff --git a/roles/apt_cacher_ng/handlers/main.yml b/roles/apt_cacher_ng/handlers/main.yml
new file mode 100644
index 0000000..7a5e341
--- /dev/null
+++ b/roles/apt_cacher_ng/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart apt-cacher-ng
+ systemd:
+ name: apt-cacher-ng
+ state: restarted
diff --git a/roles/apt_cacher_ng/tasks/main.yml b/roles/apt_cacher_ng/tasks/main.yml
index d36c2a1..5ae6b2e 100644
--- a/roles/apt_cacher_ng/tasks/main.yml
+++ b/roles/apt_cacher_ng/tasks/main.yml
@@ -9,14 +9,27 @@
 retries: 3
 until: apt_result is succeeded
-#- name: Create config files
-# ansible.builtin.template:
-# src: "wiregard.conf"
-# dest: "/etc/wireguard/{{ item.key }}.conf"
-# owner: root
-# group: root
-# mode: '600'
-# notify: Restart wireguard for interface
-# loop:
-# - "{{ lookup('dict', vpn_interfaces) }}"
-# no_log: true
+- name: Create config files
+ template:
+ src: "acng.conf.j2"
+ dest: "/etc/apt-cacher-ng/acng.conf"
+ owner: root
+ group: root
+ mode: '644'
+ notify: Restart apt-cacher-ng
+
+- name: Create config files
+ template:
+ src: "security.conf.j2"
+ dest: "/etc/apt-cacher-ng/security.conf"
+ owner: root
+ group: apt-cacher-ng
+ mode: '640'
+ notify: Restart apt-cacher-ng
+ no_log: true
+
+- name: Enable apt-cacher-ng
+ systemd:
+ name: "apt-cacher-ng"
+ state: started
+ enabled: yes
diff --git a/roles/apt_cacher_ng/templates/acng.conf.j2 b/roles/apt_cacher_ng/templates/acng.conf.j2
new file mode 100644
index 0000000..b60f820
--- /dev/null
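Review bot: `proxy_apt_interfaces` binds the cache on both `enp0s8` (10.0.42.1) and `enp0s3` (10.0.2.31), so whatever network sits behind enp0s3 can use the proxy as well; if 10.0.2.0/24 is the uplink/NAT side rather than a client network (the host_vars do not say which), listing only `"{{ interfaces['enp0s8'].ipv4 }}"` keeps the service off that segment. As far as I know apt-cacher-ng has no client authentication for proxying (AdminAuth only guards the report page), so this listen list is effectively the access-control list unless a host firewall also restricts the port. A one-line comment per entry stating why that address is exposed would make the intent reviewable.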
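Review bot: Both template tasks carry the identical name `Create config files`, so play output, `--start-at-task` and `--list-tasks` cannot tell the acng.conf step from the security.conf step; rename them to `- name: Install acng.conf` and `- name: Install security.conf`. The new tasks also drop the FQCN that the replaced block used (`ansible.builtin.template`, and `ansible.builtin.systemd` for the handler-style call below), and `enabled: yes` should be `enabled: true` to satisfy yamllint's truthy rule. Installing security.conf as `root:apt-cacher-ng` with mode 0640 and `no_log: true` is correct for a file that carries the admin password, so that part needs no change.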
+++ b/roles/apt_cacher_ng/templates/acng.conf.j2 
@@ -0,0 +1,112 @@
+{{ ansible_managed | comment }}
+
+# Storage directory for downloaded data and related maintenance activity.
+CacheDir: /var/cache/apt-cacher-ng
+
+# Log file directory, can be set empty to disable logging
+LogDir: /var/log/apt-cacher-ng
+
+# A place to look for additional configuration and resource files if they are not
+# found in the configuration directory
+SupportDir: /usr/lib/apt-cacher-ng
+
+# TCP server port for incoming http (or HTTP proxy) connections.
+# Can be set to 9999 to emulate apt-proxy. Value of 0 turns off TCP server
+# (SocketPath must be set in this case).
+Port:{{ apt_proxy_port }}
+
+# Addresses or hostnames to listen on. Multiple addresses must be separated by
+# spaces. Each entry must be an exact local address which is associated with a
+# local interface. DNS resolution is performed using getaddrinfo(3) for all
+# available protocols (IPv4, IPv6, ...). Using a protocol specific format will
+# create binding(s) only on protocol specific socket(s), e.g. 0.0.0.0 will
+# listen only to IPv4. The endpoint can also be specified as host:port (or
+# [ipv6-address]:port) which allows binding on non-standard ports (Port
+# directive is ignored in this case).
+BindAddress: localhost {{ proxy_apt_interfaces | join(' ') }}
+
+# The specification of another HTTP proxy which shall be used for downloads.
+# It can include user name and password but see the manual for limitations.
+#
+# Default: uses direct connection
+#
+# Proxy: http://www-proxy.example.net:3128
+# Proxy: https://username:proxypassword@proxy.example.net:3129
+
+# Repository remapping. See manual for details.
+# In this example, some backends files might be generated during package
+# installation using information collected on the system.
+# Examples:
+Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
+Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
+Remap-klxrep: file:kali_mirrors /kali ; file:backends_kali # Kali Linux Archives
+Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here
+Remap-sfnet: file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
+Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
+Remap-fedora: file:fedora_mirrors # Fedora Linux
+Remap-epel: file:epel_mirrors # Fedora EPEL
+Remap-slrep: file:sl_mirrors # Scientific Linux
+Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
+Remap-secdeb: security.debian.org security.debian.org/debian-security deb.debian.org/debian-security /debian-security ; deb.debian.org/debian-security security.debian.org
+
+# Virtual page accessible in a web browser to see statistics and status
+# information, i.e. under http://localhost:3142/acng-report.html
+# NOTE: This option must be configured to run maintenance jobs (even when used
+# via acngtool in cron scripts). The AdminAuth option can be used to restrict
+# access to sensitive areas on that page.
+ReportPage: acng-report.html
+
+# Days before considering an unreferenced file expired (to be deleted).
+# WARNING: if the value is set too low and particular index files are not
+# available for some days (mirror downtime) then there is a risk of removal of
+# still useful package files.
+ExThreshold: 4
+
+# Usually, general purpose proxies like Squid expose the IP address of the
+# client user to the remote server using the X-Forwarded-For HTTP header. This
+# behaviour can be optionally turned on with the Expose-Origin option.
+ExposeOrigin: 0
+
+# When logging the originating IP address, trust the information supplied by
+# the client in the X-Forwarded-For header.
+LogSubmittedOrigin: 0
+
+# Fast fallback timeout, in seconds. This is the time to wait before
+# alternative target addresses for a client connection are tried, which can be
+# usefull for quick fallback to IPv4 in case of whacky IPv6 configuration.
+#
+# FastTimeout = 4
+
+# It's possible to use use apt-cacher-ng as a regular web server with a limited
+# feature set, i.e. directory browsing, downloads of any files, Content-Type
+# based on /etc/mime.types, but without sorting, CGI execution, index page
+# redirection and other funny things.
+# To get this behavior, mappings between virtual directories and real
+# directories on the server must be defined with the LocalDirs directive.
+# Virtual and real directories are separated by spaces, multiple pairs are
+# separated by semi-colons. Real directories must be absolute paths.
+# NOTE: Since the names of that key directories share the same namespace as
+# repository names (see Remap-...) it is administrator's job to avoid conflicts
+# between them or explicitly create them.
+#
+# LocalDirs: woo /data/debarchive/woody ; hamm /data/debarchive/hamm
+LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
+
+# Specifies the IP protocol families to use for remote connections. Order does
+# matter, first specified are considered first. Possible combinations:
+# v6 v4
+# v4 v6
+# v6
+# v4
+# Default: use native order of the system's TCP/IP stack, influenced by the
+# BindAddress value.
+#
+# ConnectProto: v6 v4
+
+# Allow data pass-through mode for certain hosts when requested by the client
+# using a CONNECT request. This is particularly useful to allow access to SSL
+# sites (https proxying). The string is a regular expression which should cover
+# the server name with port and must be correctly formated and terminated.
+# Examples:
+# PassThroughPattern: private-ppa\.launchpad\.net:443$
+PassThroughPattern: .* # this would allow CONNECT to everything
diff --git a/roles/apt_cacher_ng/templates/security.conf b/roles/apt_cacher_ng/templates/security.conf
new file mode 100644
index 0000000..8b7a5b1
--- /dev/null
+++ b/roles/apt_cacher_ng/templates/security.conf
@@ -0,0 +1,12 @@
+{{ ansible_managed | comment }}
+
+# This file contains confidential data and should be protected with file
+# permissions from being read by untrusted users.
+#
+# NOTE: permissions are fixated with dpkg-statoverride on Debian systems.
+# Read its manual page for details.
+
+# Basic authentication with username and password, required to
+# visit pages with administrative functionality. Format: username:password
+
+AdminAuth: {{ apt_proxy_admin_user }}:{{ apt_proxy_admin_mdp }}
diff --git a/roles/apt_cacher_ng/templates/security.conf.j2 b/roles/apt_cacher_ng/templates/security.conf.j2
new file mode 100644
index 0000000..8b7a5b1
--- /dev/null
+++ b/roles/apt_cacher_ng/templates/security.conf.j2
@@ -0,0 +1,12 @@
+{{ ansible_managed | comment }}
+
+# This file contains confidential data and should be protected with file
+# permissions from being read by untrusted users.
+#
+# NOTE: permissions are fixated with dpkg-statoverride on Debian systems.
+# Read its manual page for details.
+
+# Basic authentication with username and password, required to
+# visit pages with administrative functionality. Format: username:password
+
+AdminAuth: {{ apt_proxy_admin_user }}:{{ apt_proxy_admin_mdp }}
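Review bot: `PassThroughPattern: .*` on the last line turns the cache into an unauthenticated CONNECT relay to any host and port reachable from the proxy, for every client that can reach `Port` on the `BindAddress` list — exactly what the template's own trailing comment says, and with two interfaces bound that is wider than an apt cache needs. Restrict it to the HTTPS repositories the backend files actually point at, e.g. `PassThroughPattern: (deb\.debian\.org|security\.debian\.org):443$` (hosts taken from the `Remap-secdeb` line; add the Ubuntu/Kali mirrors the `file:` backends name). The inline `# …` comment itself is fine, since the `Remap-*` lines in the same hunk rely on the same trailing-comment syntax. Note that `ReportPage` is enabled here and its maintenance actions are guarded only by `AdminAuth` over plain HTTP, which is worth a one-line comment next to `ReportPage` so nobody later exposes this port beyond the LAN.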
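Review bot: `templates/security.conf` is an identical copy of `security.conf.j2` (both sections carry blob `8b7a5b1`) that nothing renders — the tasks hunk in this commit references only `src: "security.conf.j2"` — so it is dead and will silently drift from the real template. Drop it from the commit; keeping two copies of the file that defines `AdminAuth` invites editing the wrong one and never noticing, because the rendered `/etc/apt-cacher-ng/security.conf` would still come from the `.j2`.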
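Review bot: The `AdminAuth` line interpolates `{{ apt_proxy_admin_user }}:{{ apt_proxy_admin_mdp }}` with no escaping or trimming, so a vault value with a trailing newline or surrounding spaces yields a credential that differs from what the operator typed, and how apt-cacher-ng treats a `:` inside the password part is not something I can confirm from here; documenting the allowed character set in the header comment, or rendering the password through `| trim`, would make the constraint explicit. The header should also say that this Basic-auth credential only protects the report/maintenance pages, not proxy use, and crosses the wire in cleartext since the service speaks plain HTTP — that tells the next reader why `no_log` and 0640 are not the whole story. `{{ ansible_managed | comment }}` at the top is a good touch and needs no change.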