diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index d124aa4..d89da28 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -78,5 +78,4 @@ pve_targets: site: ffrgb site_domain: regensburg.freifunk.net -web_services: -- { id: tiles, domain: tiles.regensburg.freifunk.net } +tileserver_domain: tiles.regensburg.freifunk.net diff --git a/hosts b/hosts index 0888d30..5cba15d 100644 --- a/hosts +++ b/hosts @@ -6,7 +6,7 @@ netbox.regensburg.freifunk.net ns1.regensburg.freifunk.net resolver.regensburg.freifunk.net stats.regensburg.freifunk.net +tiles.regensburg.freifunk.net web.regensburg.freifunk.net unms.ffrgb ansible_host=10.90.224.101 unifi.ffrgb ansible_host=10.90.224.102 -tiles.ffrgb ansible_host=10.90.224.103 diff --git a/roles/tileserver/README.md b/roles/tileserver/README.md new file mode 100644 index 0000000..3e53e26 --- /dev/null +++ b/roles/tileserver/README.md @@ -0,0 +1,11 @@ +# Notes + +To generate a current .mbtiles file: + + +# apt install tilemaker +# cd /tmp +# wget https://download.geofabrik.de/europe/germany-latest.osm.pbf +# mount -o remount,size=24G /dev/shm +# # tilemaker --input /tmp/germany-latest.osm.pbf --output /tmp/germany-latest.mbtiles --config /usr/share/doc/tilemaker/examples/config-openmaptiles.json --process /usr/share/doc/tilemaker/examples/process-openmaptiles.lua --store /dev/shm/ + diff --git a/roles/tileserver/defaults/main.yml b/roles/tileserver/defaults/main.yml new file mode 100644 index 0000000..eed015e --- /dev/null +++ b/roles/tileserver/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +tileserver_version: 5.0.0 diff --git a/roles/tileserver/handlers/main.yml b/roles/tileserver/handlers/main.yml index 77aed6e..0425d24 100644 --- a/roles/tileserver/handlers/main.yml +++ b/roles/tileserver/handlers/main.yml 
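Review bot: `tileserver_version: 5.0.0` in the new defaults/main.yml is loaded as a string only because three dotted components are not a valid YAML number; a future value such as `5.10` would be parsed as the float `5.1` and the compose template would render an image tag that does not exist. Quote it as `tileserver_version: "5.0.0"` so the variable stays a string regardless of its value.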
@@ -1,4 +1,13 @@ --- +- name: Reload systemd + systemd: daemon_reload=yes + +- name: Restart nginx + service: name=nginx state=restarted + - name: Restart tileserver - command: docker restart tileserver + service: name=tileserver state=restarted + +- name: Run acertmgr + command: /usr/bin/acertmgr diff --git a/roles/tileserver/meta/main.yml b/roles/tileserver/meta/main.yml index 093840b..35ce32b 100644 --- a/roles/tileserver/meta/main.yml +++ b/roles/tileserver/meta/main.yml @@ -1,4 +1,5 @@ --- dependencies: -- { role: docker } +- { role: acertmgr } +- { role: nginx, nginx_anonymize: True, nginx_ssl: True } diff --git a/roles/tileserver/tasks/main.yml b/roles/tileserver/tasks/main.yml index 5e80940..ef7fe96 100644 --- a/roles/tileserver/tasks/main.yml +++ b/roles/tileserver/tasks/main.yml 
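Review bot: The new handlers use the inline `key=value` argument form (`systemd: daemon_reload=yes`, `service: name=nginx state=restarted`, `service: name=tileserver state=restarted`), and the tasks/main.yml hunk of the same role then mixes that form with block YAML (`apt:` and `user:` use blocks, `template:` and `file:` use inline strings). The inline form is a free-text string that yamllint and ansible-lint cannot type-check, and `yes` is a YAML 1.1 truthy value. Writing the arguments as block YAML, e.g. `systemd:` / `  daemon_reload: true`, keeps the role uniform and the values typed; the same applies to the tasks hunk.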
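Review bot: The `docker` role dependency is dropped from meta/main.yml while the new tasks still require Docker to be present (`groups: docker` on the tileserver user, the `docker-compose` package, and `Requires=docker.service` in the unit template); on a fresh host the `user` task will fail because the `docker` group does not exist unless another role applied to this host installs the engine first. Either keep `- { role: docker }` in the dependency list or add a comment above it naming the role that provisions Docker. This is inferred from the visible hunks only; the nginx and acertmgr roles are outside this diff.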
@@ -1,33 +1,63 @@ --- -- name: Create data directories +- name: Install packages + apt: + name: + - docker-compose + +- name: Create tileserver group + group: name=tileserver + +- name: Create tileserver user + user: + name: tileserver + home: /opt/tileserver + shell: /bin/bash + group: tileserver + groups: docker + +- name: Configure tileserver container + template: src=docker-compose.yml.j2 dest=/opt/tileserver/docker-compose.yml + notify: Restart tileserver + +- name: Create style directory file: - path: "{{ item }}" + path: /opt/tileserver/data/styles + recurse: yes state: directory - with_items: - - /opt/tileserver - - /opt/tileserver/styles - name: Configre tileserver copy: src: "{{ item }}" - dest: /opt/tileserver/{{ item }} + dest: /opt/tileserver/data/{{ item }} with_items: - config.json - styles/day.json - styles/night.json notify: Restart tileserver -- name: Run tileserver container - docker_container: - name: tileserver - image: maptiler/tileserver-gl:v5.0.0 - interactive: yes - ports: - - "80:8080" - pull: yes - restart_policy: unless-stopped - state: started - tty: yes - volumes: - - "/opt/tileserver:/data" +- name: Ensure certificates are available + command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ tileserver_domain }}.key -out /etc/nginx/ssl/{{ tileserver_domain }}.crt -days 730 -subj "/CN={{ tileserver_domain }}" creates=/etc/nginx/ssl/{{ tileserver_domain }}.crt + notify: Restart nginx + +- name: Configure certificate manager for tileserver + template: src=certs.j2 dest=/etc/acertmgr/{{ tileserver_domain }}.conf + notify: Run acertmgr + +- name: Configure vhost + template: src=vhost.j2 dest=/etc/nginx/sites-available/tileserver + notify: Restart nginx + +- name: Enable vhost + file: src=/etc/nginx/sites-available/tileserver dest=/etc/nginx/sites-enabled/tileserver state=link + notify: Restart nginx + + +- name: Systemd unit for tileserver + template: src=tileserver.service.j2 dest=/etc/systemd/system/tileserver.service 
+ notify: + - Reload systemd + - Restart tileserver + +- name: Start the tileserver service + service: name=tileserver state=started enabled=yes diff --git a/roles/web_svc/templates/tiles_certs.j2 b/roles/tileserver/templates/certs.j2 similarity index 61% rename from roles/web_svc/templates/tiles_certs.j2 rename to roles/tileserver/templates/certs.j2 index 3abb4b6..54b54f1 100644 --- a/roles/web_svc/templates/tiles_certs.j2 +++ b/roles/tileserver/templates/certs.j2 @@ -1,15 +1,15 @@ --- -{{ domain }}: -- path: /etc/nginx/ssl/{{ domain }}.crt - user: root - group: root - perm: '400' - format: crt,ca - action: '/usr/sbin/service nginx restart' -- path: /etc/nginx/ssl/{{ domain }}.key +{{ tileserver_domain }}: +- path: /etc/nginx/ssl/{{ tileserver_domain }}.key user: root group: root perm: '400' format: key action: '/usr/sbin/service nginx restart' +- path: /etc/nginx/ssl/{{ tileserver_domain }}.crt + user: root + group: root + perm: '400' + format: crt,ca + action: '/usr/sbin/service nginx restart' diff --git a/roles/tileserver/templates/docker-compose.yml.j2 b/roles/tileserver/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..073e6d3 --- /dev/null +++ b/roles/tileserver/templates/docker-compose.yml.j2 @@ -0,0 +1,11 @@ +--- +version: "3.4" +services: + tileserver: + image: maptiler/tileserver-gl:v{{ tileserver_version }} + restart: unless-stopped + command: server + volumes: + - ./data:/data + ports: + - "127.0.0.1:8080:8080" diff --git a/roles/tileserver/templates/tileserver.service.j2 b/roles/tileserver/templates/tileserver.service.j2 new file mode 100644 index 0000000..ed19f9c --- /dev/null +++ b/roles/tileserver/templates/tileserver.service.j2 
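Review bot: `groups: docker` in the "Create tileserver user" task hands the service account control of the Docker daemon socket, which is equivalent to root on the host, so the `User=tileserver`/`Group=tileserver` lines in the new unit file provide no real privilege separation; either document the account as effectively privileged or run the compose stack under rootless Docker/podman if separation is the goal. The same task gives the account `shell: /bin/bash` although nothing in the role spawns an interactive shell for it; `shell: /usr/sbin/nologin` removes a login path at no cost. The `openssl req` bootstrap writes the private key under /etc/nginx/ssl with whatever mode openssl and the root umask yield, and acertmgr's `perm: '400'` only applies to files it writes later, so an explicit `file: path=/etc/nginx/ssl/{{ tileserver_domain }}.key mode=0400` task after the bootstrap makes the intended permissions checkable. Separately, `recurse: yes` on the "Create style directory" task only re-applies attributes to existing contents (parent creation is already the default for `state: directory`), so it can be dropped.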
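Review bot: `image: maptiler/tileserver-gl:v{{ tileserver_version }}` in docker-compose.yml.j2 references a mutable tag, so the image that `docker-compose up` pulls when none is present locally can differ between hosts or rebuilds; pinning a digest (e.g. a `tileserver_image_digest` variable rendered as `image: maptiler/tileserver-gl:v{{ tileserver_version }}@sha256:<digest-placeholder>`) makes the deployed artifact reproducible and verifiable. The loopback binding `127.0.0.1:8080:8080` is the right choice given nginx proxies to it. The `./data:/data` bind mount is writable; if tileserver-gl only reads the config, styles and the .mbtiles file, `./data:/data:ro` would stop a compromised container from altering them — verify against the image's requirements before changing it.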
@@ -0,0 +1,28 @@ +[Unit] +Description=tileserver service using docker compose +Requires=docker.service +After=docker.service +Before=nginx.service + +[Service] +Type=simple + +User=tileserver +Group=tileserver + +Restart=always +TimeoutStartSec=1200 + +WorkingDirectory=/opt/tileserver + +# Make sure no old containers are running +ExecStartPre=/usr/bin/docker-compose down -v + +# Compose up +ExecStart=/usr/bin/docker-compose up + +# Compose down, remove containers and volumes +ExecStop=/usr/bin/docker-compose down -v + +[Install] +WantedBy=multi-user.target diff --git a/roles/web_svc/templates/tiles_vhost.j2 b/roles/tileserver/templates/vhost.j2 similarity index 73% rename from roles/web_svc/templates/tiles_vhost.j2 rename to roles/tileserver/templates/vhost.j2 index c7c0a47..0957354 100644 --- a/roles/web_svc/templates/tiles_vhost.j2 +++ b/roles/tileserver/templates/vhost.j2 @@ -2,7 +2,7 @@ server { listen 80; listen [::]:80; - server_name {{ domain }}; + server_name {{ tileserver_domain }}; location /.well-known/acme-challenge { default_type "text/plain"; @@ -10,7 +10,7 @@ server { } location / { - return 301 https://$host$request_uri; + return 301 https://{{ tileserver_domain }}$request_uri; } } @@ -20,13 +20,13 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {{ domain }}; + server_name {{ tileserver_domain }}; - ssl_certificate_key /etc/nginx/ssl/{{ domain }}.key; - ssl_certificate /etc/nginx/ssl/{{ domain }}.crt; + ssl_certificate_key /etc/nginx/ssl/{{ tileserver_domain }}.key; + ssl_certificate /etc/nginx/ssl/{{ tileserver_domain }}.crt; location ~ /d/(.*\.png|.*\.webp) { - proxy_pass http://10.90.224.103/styles/day/$1; + proxy_pass http://127.0.0.1:8080/styles/day/$1; proxy_cache tilecache; proxy_cache_background_update on; 
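Review bot: `ExecStartPre=/usr/bin/docker-compose down -v` and `ExecStop=/usr/bin/docker-compose down -v` both remove named volumes; the compose template only declares the `./data` bind mount, which `-v` does not touch, so nothing is lost today, but adding a named volume later would silently discard its contents on every restart. Either drop `-v` or extend the existing comment to `# Compose down, remove containers and named volumes (./data is a bind mount and is kept)`. Because `Restart=always` re-runs the pre-step after every failure, the behaviour is worth stating in the unit itself.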
@@ -41,7 +41,7 @@ server { } location ~ /n/(.*\.png|.*\.webp) { - proxy_pass http://10.90.224.103/styles/night/$1; + proxy_pass http://127.0.0.1:8080/styles/night/$1; proxy_cache tilecache; proxy_cache_background_update on; diff --git a/site.yml b/site.yml index 031bf8a..6d44589 100644 --- a/site.yml +++ b/site.yml @@ -40,6 +40,11 @@ - yanic - web_stats +- name: Setup tile server + hosts: tiles.regensburg.freifunk.net + roles: + - tileserver + - name: Setup name servers hosts: ns1.regensburg.freifunk.net roles: @@ -69,8 +74,3 @@ hosts: unifi.ffrgb roles: - unifi - -- name: Setup tile server - hosts: tiles.ffrgb - roles: - - tileserver