diff --git a/attributes/apache.rb b/attributes/apache.rb
new file mode 100644
index 0000000..e69de29
diff --git a/recipes/default.rb b/recipes/default.rb
index fba74aa..38fdc1a 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -1,5 +1,52 @@
-#
-# Cookbook:: t42-common
-# Recipe:: default
-#
-# Copyright:: 2019, The Authors, All Rights Reserved.
+[
+ 'apache2',
+ 'apache2-dev',
+ 'libapache2-mod-wsgi-py3',
+].each do |pkg|
+ apt_package pkg
+end
+
+file '/etc/apache2/sites-enabled/000-default.conf' do
+ action :delete
+end
+
+execute 'enable apache mods' do
+ command 'a2enmod expires'
+end
+
+if node['web']['do_ssl']
+ apt_repository 'certbot apt repo' do
+ uri 'ppa:certbot/certbot'
+ repo_name 'ppa-certbot'
+ deb_src true
+ action :add
+ end
+
+ apt_update
+
+ [
+ 'software-properties-common',
+ 'certbot',
+ 'python-certbot-apache',
+ ].each do |pkg|
+ apt_package pkg
+ end
+
+ execute 'apache certbot' do
+ command "sudo certbot certonly --standalone -d #{node['app']['domain']} --non-interactive --agree-tos --email #{node['web']['admin_email']}"
+ end
+end
+
+if node['web']['socket.io']
+ execute 'enable apache mods' do
+ command 'a2enmod rewrite; a2enmod proxy_wstunnel; a2enmod proxy_http'
+ end
+end
+
+template '/etc/apache2/sites-enabled/000-server.conf' do
+ source 'apache/vhost.conf.erb'
+end
+
+systemd_unit 'apache2.service' do
+ action :restart
+end
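Review bot: The `execute 'apache certbot'` resource interpolates `node['app']['domain']` and `node['web']['admin_email']` into a shell string without quoting and has no guard, so any shell metacharacter in those attributes is interpreted by the shell and issuance is retried on every converge. Passing the command as an array avoids the shell, and `creates` makes the resource idempotent: `command ['certbot', 'certonly', '--standalone', '-d', node['app']['domain'], '--non-interactive', '--agree-tos', '--email', node['web']['admin_email']]` together with `creates "/etc/letsencrypt/live/#{node['app']['domain']}/fullchain.pem"`. `--standalone` has to bind port 80 itself, which will presumably collide with the apache2 service installed earlier in the recipe if it is already running at that point. The two `execute` resources also share the name `'enable apache mods'`; distinct names would keep them separate in logs and notifications, and the second command's `;` chain hides a failing `a2enmod` unless it is the last one.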
diff --git a/templates/apache/vhost.conf.erb b/templates/apache/vhost.conf.erb
new file mode 100644
index 0000000..180f7d9
--- /dev/null
+++ b/templates/apache/vhost.conf.erb
@@ -0,0 +1,74 @@
+
+ ServerName www.<%= node['app']['domain'] %>
+ Redirect permanent / http://<%= node['app']['domain'] %>/
+
+
+<% if node['web']['do_ssl'] %>
+
+ ServerName www.<%= node['app']['domain'] %>
+ Redirect permanent / https://<%= node['app']['domain'] %>/
+
+ Include /etc/letsencrypt/options-ssl-apache.conf
+ SSLCertificateFile /etc/letsencrypt/live/<%= node['app']['domain'] %>/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/<%= node['app']['domain'] %>/privkey.pem
+
+
+
+ Include /etc/letsencrypt/options-ssl-apache.conf
+ SSLCertificateFile /etc/letsencrypt/live/<%= node['app']['domain'] %>/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/<%= node['app']['domain'] %>/privkey.pem
+
+
+ SetHandler server-status
+ Order Deny,Allow
+ Allow from all
+
+
+
+ SetHandler server-info
+ Order Deny,Allow
+ Allow from all
+
+<% else %>
+
+<% end %>
+ ServerName <%= node['app']['domain'] %>
+
+
+
+ ExpiresActive On
+ ExpiresDefault "access plus 1 week"
+
+
+
+ <% node['web']['static'].each do |static| -%>
+ Alias <%= static['uri'] %> <%= node['working-dir'] %>/<%= static['path'] %>
+
+ <% end -%>
+
+ <% if node['web']['wsgi'] %>
+
+ WSGIDaemonProcess <%= node['app']['name'] %> python-path=<%= node['python']['working-dir'] %> python-home=<%= node['python']['virtualenv_path'] %>
+ WSGIProcessGroup <%= node['app']['name'] %>
+ WSGIScriptAlias / <%= node['working-dir'] %>/<%= node['web']['wsgi']['wsgi_path'] %>
+
+ ">
+ Require all granted
+
+
+ <% end %>
+
+ <% if node['web']['socket.io'] %>
+
+ # socket.io conf
+ RewriteEngine On
+ RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+ RewriteRule .* ws://<%= node['web']['socket.io']['host']%>:<%= node['web']['socket.io']['port']%>%{REQUEST_URI} [P]
+ RewriteCond %{REQUEST_URI} ^/socket.io/$1/websocket [NC]
+ RewriteRule socket.io/(.*) ws://<%= node['web']['socket.io']['host']%>:<%= node['web']['socket.io']['port']%>/socket.io/$1 [P,L]
+ ProxyPass /socket.io http://<%= node['web']['socket.io']['host']%>:<%= node['web']['socket.io']['port']%>/socket.io
+ ProxyPassReverse /socket.io http://<%= node['web']['socket.io']['host']%>:<%= node['web']['socket.io']['port']%>/socket.io
+
+ <% end %>
+
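Review bot: The `server-status` and `server-info` handlers in the `do_ssl` branch are opened with `Order Deny,Allow` / `Allow from all`, which lets any visitor read current requests, client addresses and the loaded module and configuration listing. Both should be limited to the host or an admin range by replacing those two lines with `Require local` (or `Require ip ADMIN_CIDR`, where ADMIN_CIDR is a placeholder for the operator's range). That also matches the 2.4-style `Require all granted` used further down instead of depending on mod_access_compat. The enclosing container tags are not visible in the hunk as shown, so the exact scope of these directives should be confirmed against the file.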