diff --git a/README.md b/README.md
index 292559b..3e072cb 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,13 @@
 # infra
-Configuration système de fr.tild3.org
\ No newline at end of file
+Configuration système de fr.tild3.org
+
+# Ajouter unE utilisateurice
+
+Pour créer un compte, il suffit de le déclarer dans host_vars/fr.yml:
+
+```
+ - name: username
+ (- sudo: true)
+ - key: "clé publique SSH (format ~/.ssh/authorized_keys)"
+```
diff --git a/host_vars/fr.yml b/host_vars/fr.yml
new file mode 100644
index 0000000..18ed65c
--- /dev/null
+++ b/host_vars/fr.yml
@@ -0,0 +1,6 @@
+users:
+ - name: tofu
+ sudo: true
+ key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4bKe9LSA3/AY4gCB20eyJVPW+zOg07/b3A4QC0Z6XC"
+ - name: kumquat
+ key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZ5FBnDlBIGlJ4TI0babTTmS5ECPM3yuDP1AhnNQUDZ"
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..8016c03
--- /dev/null
+++ b/hosts
@@ -0,0 +1 @@
+fr ansible_host=fr.tild3.org ansible_user=root
diff --git a/roles/common/files/letsencrypt_cli.ini b/roles/common/files/letsencrypt_cli.ini
new file mode 100644
index 0000000..839ab3b
--- /dev/null
+++ b/roles/common/files/letsencrypt_cli.ini
@@ -0,0 +1,5 @@
+# Because we are using logrotate for greater flexibility, disable the
+# internal certbot logrotation.
+max-log-backups = 0
+rsa-key-size = 4096
+email = southerntofu@thunix.net
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..304570b
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,29 @@
+- name: setup base packages
+ apt:
+ state: present
+ name: "{{ packages }}"
+ update_cache: yes
+ vars:
+ packages:
+ - git
+ - subversion
+ - mercurial
+ - htop
+ - tmux
+ - vim
+ - emacs
+ - certbot
+ - mutt
+ - weechat
+ - elinks
+ - rustc
+ - cargo
+ - cargo-doc
+ - rsync
+
+- name: setup certbot with contact email
+ copy:
+ src: ../files/letsencrypt_cli.ini
+ dest: /etc/letsencrypt/cli.ini
+
+- include: users.yml
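Review bot: `ansible_user=root` in the hosts inventory makes every play log in as root over SSH, which requires root SSH login to stay permitted on fr.tild3.org and leaves no per-operator trace of who ran what. A dedicated deploy user with `become: true` set in site.yml would let root login be disabled after bootstrap; the `sudo` group provisioning in host_vars/fr.yml already fits that model. Nothing in this commit touches sshd, so this can be a follow-up, but it is worth recording as the intended end state.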
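Review bot: The `copy` task "setup certbot with contact email" sets no `owner`, `group` or `mode`, so /etc/letsencrypt/cli.ini ends up with whatever the remote umask produces; pin it with `mode: "0644"` and `owner: root` so the result is reproducible. `update_cache: yes` is a YAML-1.1 truthy spelling that `true` avoids, and `include:` has been deprecated in favour of `import_tasks`/`include_tasks` (the same applies to roles/webserver/tasks/main.yml and roles/webserver/tasks/packages.yml, and to `system: no`/`createhome: yes` in roles/common/tasks/setup_user.yml, where `create_home` is the current parameter name). Inside a role, `src: letsencrypt_cli.ini` is resolved against the role's files/ directory, which reads more clearly than `../files/`.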
diff --git a/roles/common/tasks/setup_user.yml b/roles/common/tasks/setup_user.yml
new file mode 100644
index 0000000..449a0a5
--- /dev/null
+++ b/roles/common/tasks/setup_user.yml
@@ -0,0 +1,21 @@
+- name: Register users
+ user:
+ name: "{{ item.name }}"
+ state: present
+ skeleton: /etc/skel
+ shell: /bin/bash
+ system: no
+ createhome: yes
+ home: "/home/{{ item.name }}"
+
+- name: Make admins sudo
+ user:
+ name: "{{ item.name }}"
+ group: sudo
+ when: item.sudo|default(false) == true
+
+- name: Publish SSH keys
+ authorized_key:
+ user: "{{ item.name }}"
+ state: present
+ key: "{{ item.key }}"
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
new file mode 100644
index 0000000..635922f
--- /dev/null
+++ b/roles/common/tasks/users.yml
@@ -0,0 +1,2 @@
+- include_tasks: setup_user.yml
+ loop: "{{ users }}"
diff --git a/roles/webserver/files/default-site.conf b/roles/webserver/files/default-site.conf
new file mode 100644
index 0000000..01ca0d5
--- /dev/null
+++ b/roles/webserver/files/default-site.conf
@@ -0,0 +1,37 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+ root /var/www/html;
+
+ location /.well-known/acme-challenge {
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ ssl_certificate /etc/letsencrypt/live/fr.tild3.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/fr.tild3.org/privkey.pem;
+
+ server_name _;
+ root /var/www/html;
+ index index.html;
+
+ location ~ ^/~(.+?)(/.*)?$ {
+ alias /home/$1/public_html/$2;
+ autoindex on;
+ #try_files $2 $2/ = 404;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/roles/webserver/files/ssl.conf b/roles/webserver/files/ssl.conf
new file mode 100644
index 0000000..abd49ea
--- /dev/null
+++ b/roles/webserver/files/ssl.conf
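Review bot: `group: sudo` in "Make admins sudo" sets the account's primary group to sudo instead of adding sudo as a supplementary group, so every file an admin creates is group-owned by sudo and the per-user primary group is lost; the intended form is `groups: sudo` with `append: true`. "Publish SSH keys" uses `state: present` only, so a key removed or rotated in host_vars/fr.yml stays authorized on the host — revocation needs either `exclusive: true` (which also strips keys added by hand) or an explicit `state: absent` path, and either choice deserves a comment. The condition `when: item.sudo|default(false) == true` can be simply `when: item.sudo | default(false)`.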
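Review bot: `item.name` from the `users` list is consumed unvalidated as a home-directory path (setup_user.yml), an nginx `server_name` (users.conf.j2) and a certbot `-d` argument (certbot.yml), so a stray space, slash or `..` in host_vars would be applied in all three places at once. Guard the loop before the include with `- assert:` / `    that: item.name is match('^[a-z_][a-z0-9_-]*$')` / `  loop: "{{ users }}"`. Using `loop: "{{ users | default([]) }}"` also keeps the role usable on hosts that define no users.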
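Review bot: `location ~ ^/~(.+?)(/.*)?$` passes both captures straight to `alias /home/$1/public_html/$2`, and `(.+?)` accepts any character for the account name, so the filesystem path is assembled from unconstrained request input; limit the first capture to a username charset, e.g. `location ~ ^/~([a-z0-9_-]+)(/.*)?$ {`, so only paths under a real user's public_html can be formed. The commented fallback `#try_files $2 $2/ = 404;` is also mis-spelled — nginx expects `=404` without the space — which may be why it was disabled. `autoindex on` publishes a listing of every public_html, including files the user never linked; if that is the intended tilde-site behaviour a comment saying so would stop a future reader from "fixing" it.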
@@ -0,0 +1,16 @@
+# Taken from https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
diff --git a/roles/webserver/files/users.conf.j2 b/roles/webserver/files/users.conf.j2
new file mode 100644
index 0000000..5ede32c
--- /dev/null
+++ b/roles/webserver/files/users.conf.j2
@@ -0,0 +1,16 @@
+{% for user in users %}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/{{ user.name }}.fr.tild3.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ user.name }}.fr.tild3.org/privkey.pem;
+ server_name {{ user.name }}.fr.tild3.org;
+ root /home/{{ user.name }}/public_html;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+{% endfor %}
diff --git a/roles/webserver/handlers/main.yml b/roles/webserver/handlers/main.yml
new file mode 100644
index 0000000..0fac83a
--- /dev/null
+++ b/roles/webserver/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: reload nginx
+ service: name=nginx state=restarted
diff --git a/roles/webserver/tasks/certbot.yml b/roles/webserver/tasks/certbot.yml
new file mode 100644
index 0000000..28202fe
--- /dev/null
+++ b/roles/webserver/tasks/certbot.yml
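Review bot: The handler is named `reload nginx` but performs `state=restarted`, which drops in-flight connections on every config change; `state: reloaded` is what the name promises and what nginx supports. Writing it in block YAML, `service:` / `  name: nginx` / `  state: reloaded`, also matches the style of the task files in the same role rather than the `key=value` shorthand.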
@@ -0,0 +1,10 @@
+- name: Generate main certificate
+ command:
+ creates: /etc/letsencrypt/live/fr.tild3.org/fullchain.pem
+ cmd: certbot certonly --non-interactive --agree-tos --webroot -w /var/www/html -d fr.tild3.org -d www.fr.tild3.org
+
+- name: Generate user certificates
+ command:
+ creates: "/etc/letsencrypt/live/{{ item.name }}.fr.tild3.org/fullchain.pem"
+ cmd: "certbot certonly --non-interactive --agree-tos --webroot -w /var/www/html -d {{ item.name }}.fr.tild3.org"
+ loop: "{{ users }}"
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
new file mode 100644
index 0000000..eb2d9e8
--- /dev/null
+++ b/roles/webserver/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+# This playbook contains all of the www config
+
+- include: packages.yml
+# TODO: Some certbot is needed before we can load the whole nginx config so we need some intermediary step (bootstrapping process)
+- include: nginx.yml
+- include: certbot.yml
diff --git a/roles/webserver/tasks/nginx.yml b/roles/webserver/tasks/nginx.yml
new file mode 100644
index 0000000..b75e5d5
--- /dev/null
+++ b/roles/webserver/tasks/nginx.yml
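Review bot: Both `certonly` commands obtain a certificate once (`creates:` skips them afterwards) but nothing here reloads nginx when the certificate is later renewed, so a renewal by the packaged certbot timer would leave the running nginx serving the old chain until something else restarts it. Adding `--deploy-hook "systemctl reload nginx"` to both `cmd:` lines records the hook in certbot's renewal config for that lineage; a script under /etc/letsencrypt/renewal-hooks/deploy/ is the alternative. Both tasks also rely on nginx already answering port 80 for `--webroot -w /var/www/html`, which is the bootstrap ordering the TODO in roles/webserver/tasks/main.yml points at; a comment on the first task stating that dependency would help whoever picks up the TODO.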
@@ -0,0 +1,41 @@
+#This play configs apapche for us
+---
+
+#Sites
+- name: Prepare symlink for default site
+ file:
+ src: /etc/nginx/sites-available/default-site.conf
+ dest: /etc/nginx/sites-enabled/default-site.conf
+ state: link
+
+- name: Deploy default site configuration
+ copy:
+ src: ../files/default-site.conf
+ dest: /etc/nginx/sites-available/default-site.conf
+ force: yes
+ follow: no
+ notify: reload nginx
+
+- name: Deploy TLS config
+ copy:
+ src: ../files/ssl.conf
+ dest: /etc/nginx/conf.d/ssl.conf
+ notify: reload nginx
+
+- name: Prepare symlink for user sites
+ file:
+ src: /etc/nginx/sites-available/users-site.conf
+ dest: /etc/nginx/sites-enabled/users-site.conf
+ force: yes
+ follow: no
+ state: link
+
+- name: Deploy config for user sites on subdomains
+ template:
+ src: ../files/users.conf.j2
+ dest: /etc/nginx/sites-available/users-site.conf
+
+- name: Add public_html to /etc/skel
+ file:
+ path: /etc/skel/public_html
+ state: directory
diff --git a/roles/webserver/tasks/packages.yml b/roles/webserver/tasks/packages.yml
new file mode 100644
index 0000000..ed8188e
--- /dev/null
+++ b/roles/webserver/tasks/packages.yml
@@ -0,0 +1,16 @@
+# Install apache and accoutrements www, irrespective of what role they might have
+---
+- name: Install packages for webserver
+ apt:
+ name: "{{ packages }}"
+ state: present
+ update_cache: yes
+ vars:
+ packages:
+ - nginx
+ - php-fpm
+ - php-curl
+ - php-gd
+ - php-intl
+ - php-sqlite3
+ - php-mbstring
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..d914d11
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,9 @@
+- name: Setup common utilities
+ hosts: fr
+ roles:
+ - common
+
+- name: Setup web server
+ hosts: fr
+ roles:
+ - webserver
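Review bot: "Prepare symlink for default site" runs before "Deploy default site configuration" and, unlike the user-sites link task, has no `force: yes`, so on a fresh host the `file` module refuses to link to a sites-available/default-site.conf that does not exist yet and the play stops; either deploy first and link afterwards, or add `force: yes` as the second link task does. "Deploy config for user sites on subdomains" has no `notify: reload nginx`, so a changed template is never applied until some other task fires the handler. default-site.conf claims `default_server` on :80 while the nginx package on Debian ships /etc/nginx/sites-enabled/default with the same claim and nothing here removes it, which nginx rejects as a duplicate default server — a `file: path: /etc/nginx/sites-enabled/default, state: absent` task is needed (inferred from the package layout, worth verifying on the target). The header comments here and in roles/webserver/tasks/packages.yml still talk about apache ("apapche"); `# This play configures nginx for us` would match what the tasks do.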
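Review bot: php-fpm and five php-* modules are installed, yet no `location` in default-site.conf or users.conf.j2 passes requests to FastCGI, so the FPM service runs with nothing routed to it and only widens what is installed on the host. Either wire up a `fastcgi_pass` location or drop those packages so the installed surface matches the served config; if PHP is planned for the ~user sites, a line in the header comment saying so would keep the next reader from removing it.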