diff --git a/roles/dl/defaults/main.yaml b/roles/dl/defaults/main.yaml
new file mode 100644
index 0000000..5420d2f
--- /dev/null
+++ b/roles/dl/defaults/main.yaml
@@ -0,0 +1,8 @@
+---
+dl_server_name: dl.kill0.net
+dl_server_root: /var/www/dl
+dl_access_log: /var/log/nginx/dl.access.log
+dl_error_log: /var/log/nginx/dl.error.log
+dl_ssl_enabled: false
+dl_ssl_certificate: "/etc/letsencrypt/live/{{ dl_server_name }}/fullchain.pem"
+dl_ssl_certificate_key: "/etc/letsencrypt/live/{{ dl_server_name }}/privkey.pem"
diff --git a/roles/dl/handlers/main.yaml b/roles/dl/handlers/main.yaml
new file mode 100644
index 0000000..d4e42ca
--- /dev/null
+++ b/roles/dl/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
diff --git a/roles/dl/tasks/main.yaml b/roles/dl/tasks/main.yaml
new file mode 100644
index 0000000..0f5c275
--- /dev/null
+++ b/roles/dl/tasks/main.yaml
@@ -0,0 +1,31 @@
+---
+- name: check if SSL key exists
+  stat:
+    path: "{{ dl_ssl_certificate_key }}"
+  register: key_st
+
+- name: check if SSL certificate exists
+  stat:
+    path: "{{ dl_ssl_certificate }}"
+  register: crt_st
+
+- name: ssl enabled
+  set_fact:
+    dl_ssl_enabled: true
+  when:
+    - key_st.stat.exists
+    - crt_st.stat.exists
+
+- name: configure nginx
+  template:
+    src: nginx.conf.j2
+    dest: "/etc/nginx/conf.d/dl.conf"
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nginx
+
+- name: create web root
+  file:
+    path: "{{ dl_server_root }}"
+    state: directory
diff --git a/roles/dl/templates/nginx.conf.j2 b/roles/dl/templates/nginx.conf.j2
new file mode 100644
index 0000000..7d1b879
--- /dev/null
+++ b/roles/dl/templates/nginx.conf.j2
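Review bot: In the roles/dl/tasks/main.yaml hunk, `create web root` leaves the directory's owner, group and mode to the umask of the connecting user, while `configure nginx` two tasks earlier pins them explicitly; for a directory nginx serves, add `owner: root`, `group: root` and `mode: "0755"` to the `file:` call so the permissions are declared rather than inherited. Quoting the mode as a string also sidesteps YAML octal parsing, and `mode: 0644` on the template task would benefit from the same `"0644"` form. Separately, `ssl enabled` only ever raises `dl_ssl_enabled` to true, so an inventory that sets it to true while the two stat checks fail still renders the 443 server block and the `reload nginx` handler will then fail on the missing certificate paths; if that is not intended, a short comment above the task stating that the flag is only auto-enabled, never auto-disabled, would save the next maintainer a surprise.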
@@ -0,0 +1,63 @@
+# {{ ansible_managed }}
+
+server {
+    listen 80;
+{% if ansible_all_ipv6_addresses | length %}
+    listen [::]:80;
+{% endif %}
+    server_name {{ dl_server_name }};
+
+    access_log {{ dl_access_log }} main;
+    error_log {{ dl_error_log }} warn;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+        try_files $uri =404;
+    }
+
+{% if dl_ssl_enabled is defined and
+    dl_ssl_enabled %}
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+{% endif %}
+}
+
+{% if dl_ssl_enabled is defined and
+    dl_ssl_enabled %}
+server {
+    listen 443 ssl http2;
+{% if ansible_all_ipv6_addresses | length %}
+    listen [::]:443 ssl http2;
+{% endif %}
+    server_name {{ dl_server_name }};
+    access_log {{ dl_access_log }} main;
+    error_log {{ dl_error_log }} warn;
+
+    root {{ dl_server_root }};
+
+{% if dl_ssl_certificate is defined %}
+    ssl_certificate {{ dl_ssl_certificate }};
+{% endif %}
+{% if dl_ssl_certificate_key is defined %}
+    ssl_certificate_key {{ dl_ssl_certificate_key }};
+{% endif %}
+{% if dl_ssl_dhparam is defined %}
+    ssl_dhparam {{ dl_ssl_dhparam }};
+{% endif %}
+
+    location ~ ^\/~(.+?)(\/.*)?$ {
+        alias /home/$1/public_html$2;
+        index index.html index.htm;
+        autoindex on;
+        auth_basic "Files";
+        auth_basic_user_file /home/$1/.htpasswd;
+    }
+
+    location /repo/ {
+        root /var/www/html;
+        autoindex on;
+        try_files $uri $uri/ =404;
+    }
+}
+{% endif %}
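Review bot: The per-user location `location ~ ^\/~(.+?)(\/.*)?$` captures anything as the user name and splices it unvalidated into both the `alias` path and `auth_basic_user_file`, so a segment such as `~..` resolves to a path outside `/home`; restrict the capture to the characters a login name can actually contain, e.g. `location ~ ^/~([a-z_][a-z0-9_-]*)(/.*)?$ {`. The 443 server block also relies entirely on the nginx build defaults for protocol and cipher selection, which on older packages still admit TLS 1.0/1.1; pin them explicitly next to the certificate directives with `ssl_protocols TLSv1.2 TLSv1.3;` and, if the build supports it, `ssl_prefer_server_ciphers off;` so TLS 1.3 client ordering is honoured. Finally, `root {{ dl_server_root }}` is only set in the 443 block, so when `dl_ssl_enabled` is false the port-80 server has no document root and `/` falls back to the compiled-in nginx prefix; if plain-HTTP serving is meant to work before certificates exist, the `root` line belongs in the port-80 block as well.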