diff --git a/host_vars/fluorine.binary-kitchen.net b/host_vars/fluorine.binary-kitchen.net
new file mode 100644
index 0000000..4492b32
--- /dev/null
+++ b/host_vars/fluorine.binary-kitchen.net
@@ -0,0 +1,4 @@
+---
+
+root_keys_host:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6uNwYKF3rqleM/HP95M+rsm+gwKY8epdtW2OutneY9 ralf@pluto"
diff --git a/roles/23b/handlers/main.yml b/roles/23b/handlers/main.yml
new file mode 100644
index 0000000..59eb615
--- /dev/null
+++ b/roles/23b/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart 23b
+  service: name=23b state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
diff --git a/roles/23b/meta/main.yml b/roles/23b/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/23b/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/23b/tasks/main.yml b/roles/23b/tasks/main.yml
new file mode 100644
index 0000000..90cfd9d
--- /dev/null
+++ b/roles/23b/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Install packages
+  apt:
+    name:
+    - docker-compose
+
+- name: Create 23b group
+  group: name=23b
+
+- name: Create 23b user
+  user:
+    name: 23b
+    home: /opt/23b
+    shell: /bin/bash
+    group: 23b
+    groups: docker
+
+# docker-compolse.yml is managed outside ansible
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ bk23b_domain }}.key -out /etc/nginx/ssl/{{ bk23b_domain }}.crt -days 730 -subj "/CN={{ bk23b_domain }}" creates=/etc/nginx/ssl/{{ bk23b_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for 23b
+  template: src=certs.j2 dest=/etc/acertmgr/{{ bk23b_domain }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/23b
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/23b dest=/etc/nginx/sites-enabled/23b state=link
+  notify: Restart nginx
+
+#- name: Systemd unit for 23b
+#  template: src=23b.service.j2 dest=/etc/systemd/system/23b.service
+#  notify:
+#  - Reload systemd
+#  - Restart 23b
+#
+#- name: Start the 23b service
+#  service: name=23b state=started enabled=yes
+
+- name: Enable monitoring
+  include_role: name=icinga-monitor tasks_from=http
+  vars:
+    vhost: "{{ bk23b_domain }}"
diff --git a/roles/23b/templates/23b.service b/roles/23b/templates/23b.service
new file mode 100644
index 0000000..f12df30
--- /dev/null
+++ b/roles/23b/templates/23b.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=23b service using docker compose
+Requires=docker.service
+After=docker.service
+Before=nginx.service
+
+[Service]
+Type=simple
+
+User=23b
+Group=23b
+
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/opt/23b
+
+# Make sure no old containers are running
+ExecStartPre=/usr/bin/docker-compose down -v
+
+# Compose up
+ExecStart=/usr/bin/docker-compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker-compose down -v
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/23b/templates/certs.j2 b/roles/23b/templates/certs.j2
new file mode 100644
index 0000000..2b101b5
--- /dev/null
+++ b/roles/23b/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ bk23b_domain }}:
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ bk23b_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
diff --git a/roles/23b/templates/vhost.j2 b/roles/23b/templates/vhost.j2
new file mode 100644
index 0000000..0634e59
--- /dev/null
+++ b/roles/23b/templates/vhost.j2
@@ -0,0 +1,36 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ bk23b_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ bk23b_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ bk23b_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ bk23b_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ bk23b_domain }}.crt;
+
+	# set max upload size
+	client_max_body_size 8M;
+
+	location / {
+		proxy_pass http://localhost:5000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+}