diff --git a/network.yml b/network.yml
index bdebc1781d622479726fb5b729aa58e198711fb5..5c0cefc4ba65fe26de945c583440ef206182eff2 100644
--- a/network.yml
+++ b/network.yml
@@ -13,6 +13,14 @@
     - wireguard
     - motd-role
 
+# Deploy DHCP server
+- hosts: dhcp.adm.crans.org
+  vars:
+    dhcp:
+      authoritative: true
+  roles:
+    - isc-dhcp-server
+
 # Deploy recursive DNS cache server
 - hosts: odlyd.adm.crans.org
   roles:
diff --git a/roles/isc-dhcp-server/tasks/main.yml b/roles/isc-dhcp-server/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..000408133e81c514295da047301cbadb9eddd84f
--- /dev/null
+++ b/roles/isc-dhcp-server/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: Install isc-dhcp-server
+  apt:
+    update_cache: true
+    name: isc-dhcp-server
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure isc-dhcp-server
+  template:
+    src: dhcp/dhcpd.conf.j2
+    dest: /etc/dhcp/dhcpd.conf
+    mode: 0600
+
+- name: Ensure that isc-dhcp-server is started
+  systemd:
+    name: isc-dhcp-server
+    state: started
+    enabled: true
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6b6fe6cc1505aa00cb3566d717ee1bd401262598
--- /dev/null
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -0,0 +1,32 @@
+# dhcpd.conf
+# {{ ansible_managed }}
+
+# option definitions common to all supported networks...
+#option domain-name "example.org";
+#option domain-name-servers ns1.example.org, ns2.example.org;
+
+# We have tagged network so use last 4 bytes for tag (1500 max)
+option interface-mtu 1496;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+{% if dhcp.authoritative %}
+authoritative;
+{% else %}
+#authoritative;
+{% endif %}
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+#log-facility local7;
+
+# TODO