diff --git a/arty.yml b/arty.yml
index 1e3139e..9e6b711 100644
--- a/arty.yml
+++ b/arty.yml
@@ -125,6 +125,8 @@ envs:
     KIT_STIRLING_TRAEFIK_HOST: stirling.kit.pivoine.art
     KIT_UNITS_IMAGE: ghcr.io/valknarness/units-ui:latest
     KIT_UNITS_TRAEFIK_HOST: units.kit.pivoine.art
+    KIT_DRAW_IMAGE: excalidraw/excalidraw:latest
+    KIT_DRAW_TRAEFIK_HOST: draw.kit.pivoine.art
     # Jellyfin
     JELLY_TRAEFIK_ENABLED: true
     JELLY_COMPOSE_PROJECT_NAME: jelly
diff --git a/kit/compose.yaml b/kit/compose.yaml
index 83f6fc4..8c80dab 100644
--- a/kit/compose.yaml
+++ b/kit/compose.yaml
@@ -174,6 +174,33 @@ services:
       # Watchtower
       - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
 
+  draw:
+    image: ${KIT_DRAW_IMAGE:-excalidraw/excalidraw:latest}
+    container_name: ${KIT_COMPOSE_PROJECT_NAME}_draw
+    restart: unless-stopped
+    healthcheck:
+      disable: true
+    networks:
+      - compose_network
+    labels:
+      - 'traefik.enable=${KIT_TRAEFIK_ENABLED}'
+      # HTTP to HTTPS redirect
+      - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-draw-redirect-web-secure.redirectscheme.scheme=https'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-draw-web.middlewares=${KIT_COMPOSE_PROJECT_NAME}-draw-redirect-web-secure'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-draw-web.rule=Host(`${KIT_DRAW_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-draw-web.entrypoints=web'
+      # HTTPS router
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-draw-web-secure.rule=Host(`${KIT_DRAW_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-draw-web-secure.tls.certresolver=resolver'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-draw-web-secure.entrypoints=web-secure'
+      - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-draw-compress.compress=true'
+      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-draw-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-draw-compress,security-headers@file'
+      # Service
+      - 'traefik.http.services.${KIT_COMPOSE_PROJECT_NAME}-draw.loadbalancer.server.port=80'
+      - 'traefik.docker.network=${NETWORK_NAME}'
+      # Watchtower
+      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+
 networks:
   compose_network:
     name: ${NETWORK_NAME}