diff --git a/debian/roles/webservers-nginx/files/0-catch-all b/debian/roles/webservers-nginx/files/0-catch-all
new file mode 100644
index 0000000..92ba1ba
--- /dev/null
+++ b/debian/roles/webservers-nginx/files/0-catch-all
@@ -0,0 +1,12 @@
+# This file is a nginx catch-all vhost, probably put here in an automated
+# fashion.
+server {
+ listen 80;
+ listen [::]:80 ipv6only=on;
+ server_name _; # This is just an invalid value which will never trigger on a real hostname.
+ access_log /var/log/nginx/default.access.log;
+ index index.html;
+ server_name_in_redirect off;
+ root /srv/www/catch-all;
+}
+
diff --git a/debian/roles/webservers-nginx/files/cloudflare.conf b/debian/roles/webservers-nginx/files/cloudflare.conf
new file mode 100644
index 0000000..3526db8
--- /dev/null
+++ b/debian/roles/webservers-nginx/files/cloudflare.conf
@@ -0,0 +1,11 @@
+# Cloudflare
+set_real_ip_from 204.93.240.0/24;
+set_real_ip_from 204.93.177.0/24;
+set_real_ip_from 199.27.128.0/21;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+real_ip_header CF-Connecting-IP;
+
diff --git a/debian/roles/webservers-nginx/files/nginx.conf b/debian/roles/webservers-nginx/files/nginx.conf
new file mode 100644
index 0000000..8a75855
--- /dev/null
+++ b/debian/roles/webservers-nginx/files/nginx.conf
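Review bot: The `server {}` block only becomes nginx's default server because `0-catch-all` sorts first in `/etc/nginx/sites-enabled/`; that is an accident of include order, and any later vhost whose filename sorts earlier, or one that sets `default_server` itself, silently takes over the catch-all role so that requests with an unmatched Host header land on a real site. Make it explicit on both listen lines: `listen 80 default_server;` and `listen [::]:80 default_server ipv6only=on;`. The header comment could also state the intent, e.g. `# Explicit default server: requests whose Host matches no other vhost are served from /srv/www/catch-all rather than from the first configured site.`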
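Review bot: `real_ip_header CF-Connecting-IP;` is correctly restricted to the `set_real_ip_from` ranges, but the list is IPv4-only while the catch-all vhost in this same commit listens on `[::]:80`, so any connection proxied over IPv6 keeps the proxy address as the client address and logs or IP-based `allow`/`deny` rules then see the CDN rather than the visitor. The ranges are also a hard-coded snapshot that has to be refreshed against the CDN's published list whenever it changes; a provenance comment would help, e.g. `# Trusted proxy ranges as published by Cloudflare on <date>; refresh when the published list changes.` Note too that nginx.conf only includes conf.d/*.conf and sites-enabled/*, so this file is inert until a vhost explicitly includes /etc/nginx/global/cloudflare.conf.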
@@ -0,0 +1,65 @@
+user www-data;
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+ ##
+ # Basic Settings
+ ##
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 70;
+ types_hash_max_size 2048;
+ server_tokens off;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+ # Upstream to abstract backend connection(s) for PHP.
+ upstream php {
+# server unix:/tmp/php-fpm.sock;
+ server 127.0.0.1:9000;
+ }
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers !3DES:!AES128:!aNULL:!eNULL:FIPS@STRENGTH;
+}
diff --git a/debian/roles/webservers-nginx/files/php-generic.conf b/debian/roles/webservers-nginx/files/php-generic.conf
new file mode 100644
index 0000000..70bb797
--- /dev/null
+++ b/debian/roles/webservers-nginx/files/php-generic.conf
@@ -0,0 +1,14 @@
+index index.php index.html index.htm;
+location / {
+ try_files $uri $uri/ /index.php?$args;
+}
+
+location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass php;
+ fastcgi_index index.php;
+}
+
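Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` at the end of the `http {}` block keeps TLS 1.0 and 1.1 enabled; both are deprecated, and unless legacy clients are a documented requirement the line should read `ssl_protocols TLSv1.2;` (adding `TLSv1.3` once the nginx/OpenSSL on the target supports it). The cipher string `!3DES:!AES128:!aNULL:!eNULL:FIPS@STRENGTH` leans on the OpenSSL `FIPS` keyword, whose expansion depends on the library build, so the effective suite list should be checked with `openssl ciphers -v` on the host and pinned explicitly rather than left to the keyword. Grouping these two directives with `ssl_session_cache`/`ssl_session_timeout`, which currently sit under "Basic Settings", would also make the TLS policy auditable in one place.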
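Review bot: In the `location ~ \.php$` block, `fastcgi_split_path_info ^(.+\.php)(/.+)$;` has no effect as written: `try_files $uri =404;` runs first, a URI such as `/index.php/extra` does not exist on disk and is answered 404 before the split is consulted, and `$fastcgi_path_info` is never passed to the backend in any case. Either drop the directive or document the intent so nobody "fixes" the 404 by removing the guard, e.g. `# try_files $uri =404 deliberately rejects /script.php/path-info URLs; the split below only matters if that check is relaxed.` The snippet also depends on the `upstream php` block defined in nginx.conf through `fastcgi_pass php;`, which deserves a one-line comment since the file is meant to be included into arbitrary vhosts.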
diff --git a/debian/roles/webservers-nginx/files/security-generic.conf b/debian/roles/webservers-nginx/files/security-generic.conf
new file mode 100644
index 0000000..6680d90
--- /dev/null
+++ b/debian/roles/webservers-nginx/files/security-generic.conf
@@ -0,0 +1,23 @@
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+}
+
+# Directives to send expires headers and turn off 404 error logging.
+location ~* \.(js|css|png|jpg|jpeg|gif|ico|html)$ {
+ expires 24h;
+}
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+
diff --git a/debian/roles/webservers-nginx/files/wordpress-generic.conf b/debian/roles/webservers-nginx/files/wordpress-generic.conf
new file mode 100644
index 0000000..2b6c4d1
--- /dev/null
+++ b/debian/roles/webservers-nginx/files/wordpress-generic.conf
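Review bot: `location ~ /\. { deny all; }` is the right default for dotfiles, but as a regex location it also matches `/.well-known/` (ACME HTTP-01 challenges, security.txt and similar), so any site that includes this snippet will need an explicit prefix exception such as `location ^~ /.well-known/ { allow all; }`; a comment on the block saying so would stop that being rediscovered the hard way. The comment above the asset block promises to "turn off 404 error logging" but the block only sets `expires 24h;`, so either add `log_not_found off;` there or correct the comment. `allow all;` in the robots.txt block does nothing unless an enclosing `deny` exists and can be dropped.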
@@ -0,0 +1,39 @@
+# WordPress single blog rules.
+# Designed to be included in any server {} block.
+
+# This order might seem weird - this is attempted to match last if rules below fail.
+# http://wiki.nginx.org/HttpCoreModule
+location / {
+ try_files $uri $uri/ /index.php?$args;
+}
+
+# Add trailing slash to */wp-admin requests.
+rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+
+# Directives to send expires headers and turn off 404 error logging.
+location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+ expires 24h;
+}
+
+# Uncomment one of the lines below for the appropriate caching plugin (if used).
+#include global/wordpress-supercache.conf;
+#include global/wordpress-w3cache.conf;
+
+# Pass all .php files onto a php-fpm/php-fcgi server.
+location ~ \.php$ {
+ # Zero-day exploit defense.
+ # http://forum.nginx.org/read.php?2,88845,page=3
+ # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
+ # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
+ try_files $uri =404;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+
+ include fastcgi_params;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# fastcgi_intercept_errors on;
+ fastcgi_pass php;
+}
+
diff --git a/debian/roles/webservers-nginx/files/wordpress-security.conf b/debian/roles/webservers-nginx/files/wordpress-security.conf
new file mode 100644
index 0000000..b898b05
--- /dev/null
+++ b/debian/roles/webservers-nginx/files/wordpress-security.conf
@@ -0,0 +1,34 @@
+# Global restrictions configuration file.
+# Designed to be included in any server {} block.
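Review bot: `rewrite /wp-admin$ $scheme://$host$uri/ permanent;` builds the redirect target from `$host`, which nginx takes from the request's Host header, so on a vhost that answers to several names (or on the catch-all) the Location header echoes whatever name the client sent; where a site has one canonical name, `$server_name` pins the redirect to it. The comment above the asset block says it turns off 404 error logging while the block only sets `expires 24h;`, the same mismatch as in security-generic.conf. Since the file is "designed to be included in any server {} block" but `fastcgi_pass php;` needs the `upstream php` defined in nginx.conf, a header line such as `# Requires the "upstream php" block defined in nginx.conf.` would document that coupling.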

+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+}
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+location ~ /\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+
+# Deny access to any files with a .php extension in the uploads directory
+location ~* ^/wp-content/uploads/.*.php$ {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+
+# Deny access to any files with a .php extension in the uploads directory for multisite
+location ~* /files/(.*).php$ {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+
diff --git a/debian/roles/webservers-nginx/handlers/main.yml b/debian/roles/webservers-nginx/handlers/main.yml
new file mode 100644
index 0000000..c28e040
--- /dev/null
+++ b/debian/roles/webservers-nginx/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: start nginx
+ service: name=nginx state=started
diff --git a/debian/roles/webservers-nginx/tasks/main.yml b/debian/roles/webservers-nginx/tasks/main.yml
new file mode 100644
index 0000000..f73e671
--- /dev/null
+++ b/debian/roles/webservers-nginx/tasks/main.yml
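Review bot: The two upload-directory deny blocks and the `\.php$` handler in wordpress-generic.conf / php-generic.conf are all regex locations, and nginx uses the first regex location that matches in configuration order, so the deny only holds if this file is included before those snippets; the header comment should state that, e.g. `# Include BEFORE wordpress-generic.conf / php-generic.conf: regex locations match in file order and the \.php$ handler would otherwise win.` In both patterns the dot before `php` is unescaped (`.*.php$`, `(.*).php$`) and so matches any character; write `\.php$` as the other locations in this commit do. The task file in this commit installs this file as /etc/nginx/wordpress-security.conf while every other snippet goes to /etc/nginx/global/, so an `include global/wordpress-security.conf;` in a vhost would not find it.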
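Review bot: The `start nginx` handler uses `state=started`, which is a no-op when nginx is already running, so on every run after the first the freshly copied nginx.conf and snippets are never loaded even though the copy tasks notify this handler. Use `service: name=nginx state=restarted` (or `state=reloaded` if a configuration reload is sufficient) so a notification actually applies the new configuration; the first run still works because the tasks stop nginx beforehand.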
@@ -0,0 +1,28 @@
+---
+- name: Add Dotdeb repository
+ apt_repository: repo='deb http://packages.dotdeb.org wheezy all' state=present update_cache=yes
+- name: Install nginx package
+ apt: pkg=nginx-full state=present
+- name: Ensure nginx starts on boot
+ service: name=nginx enabled=yes
+- name: Stop nginx for now
+ service: name=nginx state=stopped
+- name: Clean out some default configs
+ file: path=/etc/nginx/sites-enabled/default state=absent
+ file: path=/etc/nginx/sites-available/default state=absent
+- name: Make global nginx conf directory
+ file: path=/etc/nginx/global state=directory
+- name: Copy our nginx.conf over
+ copy: src=nginx.conf dest=/etc/nginx/nginx.conf backup=yes
+- name: Copy our default catch-all virtualhost over and symlink it
+ copy: src=0-catch-all dest=/etc/nginx/sites-available/0-catch-all
+ file: src=/etc/nginx/sites-enabled/0-catch-all dest=/etc/nginx/sites-available/0-catch-all state=link
+- name: Copy over global includes, make catchall dir, and start nginx
+ copy: src=cloudflare.conf dest=/etc/nginx/global/cloudflare.conf
+ copy: src=php-generic.conf dest=/etc/nginx/global/php-generic.conf
+ copy: src=security-generic.conf dest=/etc/nginx/global/security-generic.conf
+ copy: src=wordpress-generic.conf dest=/etc/nginx/global/wordpress-generic.conf
+ copy: src=wordpress-security.conf dest=/etc/nginx/wordpress-security.conf
+ file: path=/srv/www/catch-all state=directory user=www-data group=www-data
+ notify:
+ - start nginx
diff --git a/debian/site.yml b/debian/site.yml
index 55a2d96..8ff6cdb 100644
--- a/debian/site.yml
+++ b/debian/site.yml
@@ -6,3 +6,10 @@
 roles:
 - common
 
+
+- name: apply configuration to web servers (nginx)
+ hosts: webservers
+ user: root
+
+ roles:
+ - webservers-nginx