diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml index e0ca5616..4b1f2da7 100644 --- a/inventory/sample/group_vars/all.yml +++ b/inventory/sample/group_vars/all.yml @@ -81,3 +81,43 @@ proxmox_lxc_ct_ids: - 202 - 203 - 204 + +# Only enable this if you have set up your own container registry to act as a mirror / pull-through cache +# (harbor / nexus / docker's official registry / etc). +# Can be beneficial for larger dev/test environments (for example if you're getting rate limited by docker hub), +# or air-gapped environments where your nodes don't have internet access after the initial setup +# (which is still needed for downloading the k3s binary and such). +# k3s's documentation about private registries here: https://docs.k3s.io/installation/private-registry +custom_registries: false +# The registries can be authenticated or anonymous, depending on your registry server configuration. +# If they allow anonymous access, simply remove the following bit from custom_registries_yaml +# configs: +# "registry.domain.com": +# auth: +# username: yourusername +# password: yourpassword +# The following is an example that pulls all images used in this playbook through your private registries. +# It also allows you to pull your own images from your private registry, without having to use imagePullSecrets +# in your deployments. +# If all you need is your own images and you don't care about caching the docker/quay/ghcr.io images, +# you can just remove those from the mirrors: section. +custom_registries_yaml: | + mirrors: + docker.io: + endpoint: + - "https://registry.domain.com/v2/dockerhub" + quay.io: + endpoint: + - "https://registry.domain.com/v2/quayio" + ghcr.io: + endpoint: + - "https://registry.domain.com/v2/ghcrio" + registry.domain.com: + endpoint: + - "https://registry.domain.com" + + configs: + "registry.domain.com": + auth: + username: yourusername + password: yourpassword 
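Review bot: The sample `custom_registries_yaml` in inventory/sample/group_vars/all.yml shows the registry `password:` as a literal value, so anyone who fills it in as written ends up with a cleartext credential in their inventory repository. The comment above the `configs:` example should say that the value belongs in an Ansible Vault-encrypted variable, and show the reference form, for example `password: "{{ vault_registry_password }}"` (variable name constructed here for illustration). Ansible templates the string when the role renders it, so the reference should work inside the `|` block scalar. It would also help to state in the same comment that these credentials are written to /etc/rancher/k3s/registries.yaml on the hosts the role is applied to.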
diff --git a/roles/k3s_custom_registries/defaults/main.yml b/roles/k3s_custom_registries/defaults/main.yml new file mode 100644 index 00000000..704aec7e --- /dev/null +++ b/roles/k3s_custom_registries/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# Indicates whether custom registries for k3s should be configured +# Possible values: +# - present +# - absent +state: present diff --git a/roles/k3s_custom_registries/tasks/main.yml b/roles/k3s_custom_registries/tasks/main.yml new file mode 100644 index 00000000..dfe48c2e --- /dev/null +++ b/roles/k3s_custom_registries/tasks/main.yml @@ -0,0 +1,17 @@ +--- + +- name: Create directory /etc/rancher/k3s + file: + path: "/etc/{{ item }}" + state: directory + mode: '0755' + loop: + - rancher + - rancher/k3s + +- name: Insert registries into /etc/rancher/k3s/registries.yaml + blockinfile: + path: /etc/rancher/k3s/registries.yaml + block: "{{ custom_registries_yaml }}" + mode: '0600' + create: true diff --git a/site.yml b/site.yml index 8f249825..33653a93 100644 --- a/site.yml +++ b/site.yml @@ -20,6 +20,9 @@ become: true - role: raspberrypi become: true + - role: k3s_custom_registries + become: true + when: custom_registries - name: Setup k3s servers hosts: master
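Review bot: The `state` default added in roles/k3s_custom_registries/defaults/main.yml is documented as accepting `present` or `absent`, but nothing in the tasks/main.yml added by this commit reads it. Setting `absent` would therefore leave registries.yaml, and the credentials in it, on the node. Either wire it through, for example `state: "{{ state }}"` on the blockinfile task, or drop the default until removal is implemented. A bare name like `state` also collides easily with other variables; a role-prefixed name such as `k3s_custom_registries_state` would be safer.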
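Review bot: The "Insert registries into /etc/rancher/k3s/registries.yaml" task in roles/k3s_custom_registries/tasks/main.yml passes `custom_registries_yaml`, which may contain the registry username and password, as the `block` argument without suppressing output. When the playbook is run with `--diff` or at higher verbosity, that content can end up in the console and in CI logs, even though the file itself is created with mode `'0600'`. Add `no_log: true` to that task. Since the role owns the whole file, it would also be worth a comment noting that blockinfile only manages the text between its markers, so anything added to the file by hand outside them is left in place.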
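Review bot: In site.yml the new role is gated with a bare `when: custom_registries`, and the role's defaults/main.yml in this commit does not define that variable. Inventories copied from the sample before this change would then likely fail the conditional with an undefined-variable error instead of skipping the role. A value supplied as a string (for example via `-e custom_registries=false`) would also not be evaluated as a boolean. `when: custom_registries | default(false) | bool` keeps the role off unless it is explicitly enabled. The play this hunk belongs to starts outside the hunk.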