diff --git a/roles/craige4rocky.nix b/roles/craige4rocky.nix
new file mode 100644
index 0000000..e85960c
--- /dev/null
+++ b/roles/craige4rocky.nix
@@ -0,0 +1,50 @@
+# NixOps configuration for deploying the craige4rocky website
+
+{ config, pkgs, ...}:
+
+let
+ craige4rocky = import (pkgs.fetchgit {
+ name = "craige4rocky-src";
+ url = "https://source.mcwhirter.io/craige/craige4rocky.git";
+ branchName = "master";
+ sha256 = "1cammdgszclrhvp56af3c7vnanyn0gplvkhqi6jkg1ygy01ard4w";
+ }) { nixpkgs = pkgs; };
+ webdomain = "craige4rocky.org";
+
+in {
+
+ environment.sessionVariables = {
+ LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
+ };
+
+ services.nginx = {
+ enable = true; # Enable Nginx
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "${webdomain}" = { # website hostname
+ enableACME = true; # Use ACME certs
+ forceSSL = true; # Force SSL
+ root = "${craige4rocky}"; # Wesbite root
+ };
+ "www.${webdomain}" = { # Respect our elders :-)
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ certs = {
+ "${webdomain}".email = "admin@${webdomain}";
+ "www.${webdomain}".email = "admin@${webdomain}";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+}
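Review bot: The site source is fetched by branch (`branchName = "master";`) with no `rev`, so the only thing tying the deployment to a specific snapshot is the `sha256` on the next line, and nothing in the file records which commit that hash corresponds to; because a fixed-output derivation already present in the store is reused without re-fetching, a later deploy can also keep serving an older snapshot silently while the branch has moved. Pin the content to an explicit commit so the deployed revision is reviewable and the hash has a named referent: replace `branchName = "master";` with `rev = "<commit sha>";` and keep the `sha256` line. Separately, the `${webdomain}` vhost forces TLS but sets no HSTS header; unless `recommendedTlsSettings` in the pinned nixpkgs emits one (worth confirming), consider `extraConfig = "add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;";` on that vhost so browsers stop making the initial plaintext request that the 301 currently relies on.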