diff --git a/main.tf b/main.tf index d6bb4599..61f0ef44 100644 --- a/main.tf +++ b/main.tf @@ -46,6 +46,7 @@ variable "monitoring_idrac_username" {} variable "monitoring_idrac_password" {} variable "alertmanager_slack_api_url" {} variable "home_assistant_configuration" {} +variable "shadowsocks_password" {} variable "ansible_prefix" { default = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup" @@ -237,4 +238,7 @@ module "kubernetes_cluster" { # home-assistant home_assistant_configuration = var.home_assistant_configuration + + # shadowsocks + shadowsocks_password = var.shadowsocks_password } diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 6c2e9bb1..4bebd2c7 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -34,6 +34,7 @@ variable "idrac_username" {} variable "idrac_password" {} variable "alertmanager_slack_api_url" {} variable "home_assistant_configuration" {} +variable "shadowsocks_password" {} resource "null_resource" "core_services" { # List all the core modules that must be provisioned first @@ -191,6 +192,11 @@ module "reloader" { source = "./reloader" } +module "shadowsocks" { + source = "./shadowsocks" + password = var.shadowsocks_password +} + module "city-guesser" { source = "./city-guesser" tls_secret_name = var.tls_secret_name diff --git a/modules/kubernetes/shadowsocks/main.tf b/modules/kubernetes/shadowsocks/main.tf new file mode 100644 index 00000000..cab1339b --- /dev/null +++ b/modules/kubernetes/shadowsocks/main.tf 
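Review bot: `variable "shadowsocks_password" {}` in main.tf carries a credential but is declared with no type and no sensitivity marking. The same applies to the copy added in modules/kubernetes/main.tf and to `variable "password" {}` in the new shadowsocks module. Adding `type = string` and `sensitive = true` inside each of those blocks keeps the value out of plan and apply output, provided the Terraform release in use supports sensitive variables; the diff does not show which version is pinned. The neighbouring `monitoring_idrac_password` and `idrac_password` declarations visible as context follow the same bare pattern and would benefit from the same treatment.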
@@ -0,0 +1,97 @@
+variable "password" {}
+variable "method" {
+ default = "chacha20-ietf-poly1305"
+}
+
+resource "kubernetes_namespace" "mailserver" {
+ metadata {
+ name = "shadowsocks"
+ }
+}
+
+resource "kubernetes_deployment" "shadowsocks" {
+ metadata {
+ name = "shadowsocks"
+ namespace = "shadowsocks"
+ labels = {
+ "app" = "shadowsocks"
+ }
+ annotations = {
+ "reloader.stakater.com/search" = "true"
+ }
+ }
+ spec {
+ replicas = "1"
+ selector {
+ match_labels = {
+ "app" = "shadowsocks"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ "app" = "shadowsocks"
+ }
+ }
+ spec {
+ container {
+ name = "shadowsocks"
+ image = "shadowsocks/shadowsocks-libev"
+ image_pull_policy = "IfNotPresent"
+ env {
+ name = "METHOD"
+ value = var.method
+ }
+ env {
+ name = "PASSWORD"
+ value = var.password
+ }
+ port {
+ container_port = 8388
+ protocol = "TCP"
+ }
+ port {
+ container_port = 8388
+ protocol = "UDP"
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "mailserver" {
+ metadata {
+ name = "shadowsocks"
+ namespace = "shadowsocks"
+
+ labels = {
+ app = "shadowsocks"
+ }
+ annotations = {
+ "metallb.universe.tf/allow-shared-ip" = "shared"
+ }
+ }
+
+ spec {
+ type = "LoadBalancer"
+ external_traffic_policy = "Cluster"
+ selector = {
+ app = "shadowsocks"
+ }
+
+ port {
+ name = "shadowsocks-tcp"
+ protocol = "TCP"
+ port = 8388
+ target_port = "8388"
+ }
+
+ port {
+ name = "shadowsocks-udp"
+ protocol = "UDP"
+ port = 8388
+ target_port = "8388"
+ }
+ }
+}
diff --git a/modules/kubernetes/shadowsocks/shadowsocks_chart_values.tpl b/modules/kubernetes/shadowsocks/shadowsocks_chart_values.tpl
new file mode 100644
index 00000000..e69de29b
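Review bot: The proxy password is written into the Deployment as a literal `value = var.password` on the `PASSWORD` env entry, so anyone who can read Deployments or pod specs in the `shadowsocks` namespace sees it in clear text. Moving it into a `kubernetes_secret` and referencing it through `value_from` / `secret_key_ref` narrows that to principals with Secret read access. It also gives the existing `reloader.stakater.com/search` annotation something to watch once the Secret carries `reloader.stakater.com/match`. The value will still be stored in Terraform state, so the state backend needs its own access control. Separately, `image = "shadowsocks/shadowsocks-libev"` has no tag or digest, which together with `IfNotPresent` leaves the running version to whatever each node pulled first; pin it to a reviewed tag or digest.

```hcl
resource "kubernetes_secret" "shadowsocks" {
  metadata {
    name      = "shadowsocks"
    namespace = "shadowsocks"
    annotations = {
      "reloader.stakater.com/match" = "true"
    }
  }
  data = {
    password = var.password
  }
}

# … unchanged: namespace, deployment metadata, pod template, METHOD env …
        env {
          name = "PASSWORD"
          value_from {
            secret_key_ref {
              name = kubernetes_secret.shadowsocks.metadata[0].name
              key  = "password"
            }
          }
        }
# … unchanged: container ports, service …
```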