diff --git a/hosts/pbx/configuration.nix b/hosts/pbx/configuration.nix
index 8babe6e..15d1460 100644
--- a/hosts/pbx/configuration.nix
+++ b/hosts/pbx/configuration.nix
@@ -14,6 +14,11 @@
 zram.enable = true;
 };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "it@weinturm-open-air.de";
+ };
+
 boot = {
 initrd = {
 availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
diff --git a/hosts/pbx/services/default.nix b/hosts/pbx/services/default.nix
index 8dcb2f5..d22355b 100644
--- a/hosts/pbx/services/default.nix
+++ b/hosts/pbx/services/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./fieldpoc
 ./public-ip4-tunnel.nix
+ ./webserver.nix
 ];
 }
diff --git a/hosts/pbx/services/webserver.nix b/hosts/pbx/services/webserver.nix
new file mode 100644
index 0000000..583b446
--- /dev/null
+++ b/hosts/pbx/services/webserver.nix
@@ -0,0 +1,33 @@
+{config, ...}: let
+ domain = "tel.weinturm.de";
+in {
+ networking.firewall.allowedTCPPorts = [
+ config.services.nginx.defaultHTTPListenPort
+ config.services.nginx.defaultSSLListenPort
+ ];
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ commonHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ add_header Referrer-Policy strict-origin;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options SAMEORIGIN;
+ '';
+ virtualHosts = {
+ "${domain}" = {
+ serverAliases = ["tel.weinturm-open-air.de"];
+ enableACME = true;
+ forceSSL = true;
+ root = "/persist/html";
+ };
+ };
+ };
+}
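Review bot: The four `add_header` directives in `commonHttpConfig` of webserver.nix are only attached to 2xx/3xx responses, because nginx's `add_header` without the `always` flag skips error statuses, so a 403 or 404 served from `/persist/html` goes out without HSTS, `X-Content-Type-Options` or `X-Frame-Options`. Appending `always` to each directive closes that gap, e.g. `add_header Strict-Transport-Security $hsts_header always;`, and it remains safe on the plain-HTTP redirect listener because nginx drops a header whose value (here `$hsts_header` outside the `https` map branch) is empty. Note also that nginx header inheritance is all-or-nothing: any `server` or `location` block later added to this vhost that declares its own `add_header` silently discards every http-level header, so moving these into the vhost's `extraConfig` would make that harder to break by accident. The HSTS value deliberately omits `includeSubDomains`, which looks intentional given the separate alias domain, but worth a one-line comment saying so.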