diff --git a/docs/services/gotosocial.md b/docs/services/gotosocial.md
new file mode 100644
index 0000000..f149942
--- /dev/null
+++ b/docs/services/gotosocial.md
@@ -0,0 +1,42 @@
+# GoToSocial
+
+[GoToSocial](https://gotosocial.org/) is a self-hosted [ActivityPub](https://activitypub.rocks/) social network server, that this playbook can install, powered by the [moan0s/role-gotosocial](https://github.com/moan0s/role-gotosocial) Ansible role.
+
+## Configuration
+
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+# #
+# gotosocial #
+# #
+########################################################################
+
+gotosocial_enabled: true
+gotosocial_hostname: 'social.example.org'
+
+########################################################################
+# #
+# /gotosocial #
+# #
+########################################################################
+```
+
+After installation, you can use `just run-tags firezone-create-or-reset-admin` any time to:
+- create the configured admin account
+- or, reset the password to the current password configured in `vars.yml`
+
+### Networking
+
+By default, the following ports will be exposed by the container on **all network interfaces**:
+
+- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://en.wikipedia.org/wiki/WireGuard) connections
+
+Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.
+
+### Usage
+
+After [installing](../installing.md), you can login at the URL specified in `firezone_hostname`, with the credentials set in `firezone_default_admin_email` and `firezone_default_admin_password`.
+
+Refer to the [official documentation](https://www.firezone.dev/docs/user-guides/add-devices/) to figure out how to add devices, etc.
diff --git a/group_vars/mash_servers b/group_vars/mash_servers
index bf4d12b..9e1c469 100644
--- a/group_vars/mash_servers
+++ b/group_vars/mash_servers
@@ -1348,3 +1348,50 @@ firezone_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certReso
 # /firezone #
 # #
 ########################################################################
+
+
+########################################################################
+# #
+# gotsocial #
+# #
+########################################################################
+
+gotosocial_enabled: false
+
+gotosocial_identifier: "{{ mash_playbook_service_identifier_prefix }}gotosocial"
+
+gotosocial_base_path: "{{ mash_playbook_base_path }}/gotosocial"
+
+gotosocial_uid: "{{ mash_playbook_uid }}"
+gotosocial_gid: "{{ mash_playbook_gid }}"
+
+gotosocial_database_host: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
+gotosocial_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
+gotosocial_database_name: "{{ gotosocial_identifier }}"
+gotosocial_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.gotosocial', rounds=655555) | to_uuid }}"
+gotosocial_database_user: "{{ gotosocial_identifier }}"
+
+gotosocial_systemd_required_services_list: |
+ {{
+ (['docker.service'])
+ +
+ ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and gotosocial_database_host == devture_postgres_identifier else [])
+ }}
+
+gotosocial_container_additional_networks: |
+ {{
+ ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+ +
+ ([devture_postgres_container_network] if devture_postgres_enabled and gotosocial_database_host == devture_postgres_identifier and gotosocial_container_network != devture_postgres_container_network else [])
+ }}
+
+gotosocial_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+gotosocial_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+gotosocial_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+gotosocial_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+########################################################################
+# #
+# /gotosocial #
+# #
+########################################################################
diff --git a/setup.yml b/setup.yml
index 4413310..14173b7 100644
--- a/setup.yml
+++ b/setup.yml
@@ -66,6 +66,8 @@ - role: galaxy/gitea + - role: galaxy/gotosocial + - role: galaxy/grafana - role: galaxy/miniflux
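Review bot: The `gotosocial_database_*` variables in the `group_vars/mash_servers` hunk name a database, user and password on the shared Postgres instance, but nothing in this hunk registers them with the Postgres role. Unless the playbook's list of managed databases is extended elsewhere (not visible here), GoToSocial would start against a database and login that do not exist. `gotosocial_database_password` is derived deterministically from `mash_playbook_generic_secret_key`, so its secrecy rests entirely on that one key; a comment on the line would make this explicit, e.g. `# Derived from the playbook-wide secret key; changing that key changes this password.` The opening banner also reads `gotsocial` while the closing one reads `/gotosocial`.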
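Review bot: `galaxy/gotosocial` is added to the role list in `setup.yml`, but no hunk in the visible diff adds the role to the playbook's role requirements, so it is unclear from here where the role is fetched from and at which version. If that entry is not made elsewhere, the play will presumably fail to resolve the role. When it is added, pinning `moan0s/role-gotosocial` to a tag or commit rather than a branch keeps a third-party role from changing underneath the playbook.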