diff --git a/Timeline.org b/Timeline.org
index faf3e60..15490c1 100644
--- a/Timeline.org
+++ b/Timeline.org
@@ -36,17 +36,21 @@
     - [ ] Discovery server
 *** DONE Radicale
     CLOSED: [2019-11-08 Fri 13:51]
-** Web stack [0/7] [0%]
-*** TODO Nginx [0/2] [0%]
-    - [ ] Radicale reverse proxy
+** Web stack [1/7] [14%]
+*** IN-PROGRESS Nginx [1/5] [20%]
+    - [X] Radicale reverse proxy
     - [ ] Syncthing discovery reverse proxy
+    - [ ] Wallabag vhost
+    - [ ] Gitea vhost
+    - [ ] Miniflux vhost
 *** TODO PHP [0/1] [0%]
     - [ ] Php-fpm
 *** TODO PostgreSQL [0/1] [0%]
     - [ ] Restore DBs
-*** TODO Certbot [0/2] [0%]
-    - [ ] Obtain certs
-    - [ ] Script to renew certs
+*** DONE ACME [2/2] [100%]
+    CLOSED: [2019-11-10 Sun 21:47]
+    - [X] Obtain certs
+    - [X] Automatic renewal
 *** TODO Wallabag
 *** TODO Miniflux
 *** TODO Hugo [0/2] [0%]
diff --git a/configuration.nix b/configuration.nix
index d759af9..a2bdd89 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -99,6 +99,7 @@
     ./modules/networking.nix
     ./modules/datasync.nix
     ./modules/hardware-configuration.nix
+    ./modules/webstack.nix
   ];
 
 }
diff --git a/modules/networking.nix b/modules/networking.nix
index b8500b1..5538229 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -16,7 +16,7 @@
   # Firewall configuration
   networking.firewall = {
-    allowedTCPPorts = [ 631 6566 22067 8384 5232 ];
+    allowedTCPPorts = [ 631 6566 22067 8384 80 443 ];
     autoLoadConntrackHelpers = true;
     connectionTrackingModules = [ "sane" ];
   };
diff --git a/modules/webstack.nix b/modules/webstack.nix
new file mode 100644
index 0000000..ec5d827
--- /dev/null
+++ b/modules/webstack.nix
@@ -0,0 +1,75 @@
+# LEPP stack configuration
+{ config, pkgs, lib, ... }:
+{
+
+  environment.systemPackages = with pkgs; [
+    nginx
+    php
+    postgresql_11
+  ];
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+    sslProtocols = "TLSv1.2 TLSv1.3";
+    #sslDhparam = "/var/lib/dhparams";
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+        https "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+    virtualHosts = {
+      "coolneng.duckdns.org" = {
+        enableACME = true;
+        forceSSL = true;
+        sslCertificate = "/var/lib/acme/radicale.coolneng.duckdns.org/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/radicale.coolneng.duckdns.org/key.pem";
+        locations."/radicale/" = {
+          proxyPass = "http://localhost:5232/";
+          extraConfig = ''
+            proxy_set_header X-Script-Name /radicale;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass_header Authorization;
+          '';
+        };
+      };
+    };
+  };
+
+  # ACME certs configuration
+  security.acme.certs = {
+    "coolneng.duckdns.org" = {
+      email = "akasroua@gmail.com";
+      postRun = "systemctl reload nginx.service";
+    };
+  };
+
+  security.dhparams.enable = true;
+
+}
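Review bot: The `sslCertificate` and `sslCertificateKey` lines in the `coolneng.duckdns.org` vhost point at `/var/lib/acme/radicale.coolneng.duckdns.org/`, while `enableACME = true` and the `security.acme.certs` entry provision the certificate under the name `coolneng.duckdns.org`; depending on which setting the nginx module lets win, these two lines are either dead or make nginx serve a certificate that does not match the vhost (or fail to start if that directory is absent). Dropping both lines and letting `enableACME` supply the paths removes the ambiguity. `security.dhparams.enable = true` does not reach nginx on its own as far as I can see: `sslDhparam` is commented out and no `security.dhparams.params` entry is declared, so either remove the option or wire it through `sslDhparam`. In `sslCiphers` the trailing `!AES128` excludes every AES128 suite listed before it, and the CBC-SHA1 suites that remain (`ECDHE-RSA-AES256-SHA`, `DHE-RSA-AES256-SHA`) are weaker than the list `recommendedTlsSettings = true` already installs, so deleting the `sslCiphers` override would be both simpler and stronger.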