diff --git a/roles/apache-php/tasks/main.yml b/roles/apache-php/tasks/main.yml
new file mode 100644
index 0000000..7819e81
--- /dev/null
+++ b/roles/apache-php/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Install standard expected packages
+ package:
+ name: acl,php,php-apache2,php-session,php-iconv
+
+- name: Get installed packages
+ package_facts:
+
+- name: Set PHP version
+ set_fact:
+ php_version: "{{ ansible_facts.packages | select('match', '^php[0-9]+$') | first | replace('php', '') }}"
+
+- name: Set PHP settings
+ lineinfile:
+ path: '/etc/php{{ php_version }}/php.ini'
+ regexp: '^{{ item.key }}\s*='
+ line: '{{ item.key }} = {{ item.value }}'
+ loop:
+ - key: upload_max_filesize
+ value: 200M
+
diff --git a/roles/reverse_proxy/README.md b/roles/reverse_proxy/README.md
new file mode 100644
index 0000000..ab83b7a
--- /dev/null
+++ b/roles/reverse_proxy/README.md
@@ -0,0 +1,5 @@
+Set up a basic nginx reverse proxy.
+
+NetBox config context should contain a proxy_pass property with the server address.
+
+Custom error page can be placed in /srv/http/error/index.html.
diff --git a/roles/reverse_proxy/meta/main.yml b/roles/reverse_proxy/meta/main.yml
new file mode 100644
index 0000000..69891c7
--- /dev/null
+++ b/roles/reverse_proxy/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: nginx
diff --git a/roles/reverse_proxy/tasks/main.yml b/roles/reverse_proxy/tasks/main.yml
new file mode 100644
index 0000000..8cbf5ce
--- /dev/null
+++ b/roles/reverse_proxy/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: Set up nginx site
+ template:
+ dest: '/etc/nginx/http.d/{{ inventory_hostname }}.conf'
+ src: 'nginx.conf.j2'
+ notify: reload nginx
diff --git a/roles/reverse_proxy/templates/nginx.conf.j2 b/roles/reverse_proxy/templates/nginx.conf.j2
new file mode 100644
index 0000000..357247b
--- /dev/null
+++ b/roles/reverse_proxy/templates/nginx.conf.j2
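Review bot: The `upload_max_filesize` entry in the "Set PHP settings" loop is not effective on its own, because PHP limits the whole request body by `post_max_size` (8M in the stock php.ini), so uploads above that still fail; add a second loop item `- key: post_max_size` / `value: 200M`. The task also has no `notify`, so the edited php.ini is not picked up until whatever runs PHP here (presumably Apache, given php-apache2) is restarted by other means. Separately, the "Set PHP version" fact pipes `select('match', '^php[0-9]+$')` straight into `first | replace(...)`, which fails with an opaque undefined-variable error when no versioned phpNN package is present; an `assert` on the match, or a `default` with an explicit failure message, would make that case readable.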
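Review bot: The "Set up nginx site" template task writes the site config without a `mode`, so the permissions of the file under /etc/nginx/http.d depend on the remote umask; add `mode: "0644"` next to `src`. The `notify: reload nginx` handler is presumably provided by the `nginx` role listed as a dependency in meta/main.yml — worth confirming the handler name matches, since a missing handler only surfaces at runtime.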
@@ -0,0 +1,31 @@
+server {
+ server_name {{ ([dns_name] + tls_domains|default([])) | join(" ") }};
+
+ listen [::]:443 ssl ipv6only=off;
+ ssl_certificate /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ dns_name }}/privkey.pem;
+
+ error_page 500 501 502 503 504 505 506 507 508 510 511 /error/;
+
+ location / {
+ proxy_pass {{ proxy_pass }};
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_connect_timeout 30s;
+ proxy_read_timeout 800s;
+ proxy_request_buffering off;
+ proxy_max_temp_file_size 0;
+ client_max_body_size 200M;
+
+ # TODO maybe
+ #proxy_ssl_verify on;
+ #proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+ }
+
+ location /error/ {
+ root /srv/http;
+ try_files $uri $uri/index.html =503;
+ }
+}
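Review bot: The `location /` block forwards Host, X-Forwarded-For and X-Real-IP but not the scheme, so an upstream behind this TLS-only listener cannot tell it was reached over HTTPS (backend redirects, secure-cookie flags and HSTS decisions then go wrong); add `proxy_set_header X-Forwarded-Proto $scheme;` alongside the other headers. Note that `$proxy_add_x_forwarded_for` appends to any X-Forwarded-For the client already sent, so the upstream must take the last entry (or use X-Real-IP) rather than trust the first. The commented-out `proxy_ssl_verify` TODO means that if `proxy_pass` ever points at an https:// upstream its certificate is not checked; since the value comes from the NetBox config context, that is worth deciding before the role is used for such a target. `proxy_pass` is also substituted unquoted, so the template relies on the config-context value being a well-formed URL — an `assert` in the role's tasks would make a bad value fail before nginx is reloaded.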