diff --git a/config/hosts/public-web-static/configuration.nix b/config/hosts/public-web-static/configuration.nix
new file mode 100644
index 0000000..9e2aebc
--- /dev/null
+++ b/config/hosts/public-web-static/configuration.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ networking.hostName = "public-web-static";
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/public-web-static/default.nix b/config/hosts/public-web-static/default.nix
new file mode 100644
index 0000000..8e051ce
--- /dev/null
+++ b/config/hosts/public-web-static/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./nginx.nix
+ ./virtualHosts
+ ];
+}
diff --git a/config/hosts/public-web-static/networking.nix b/config/hosts/public-web-static/networking.nix
new file mode 100644
index 0000000..34b36f3
--- /dev/null
+++ b/config/hosts/public-web-static/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+ networking.interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.151";
+ prefixLength = 25;
+ }
+ ];
+ };
+ networking.defaultGateway = "172.31.17.129";
+ networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ networking.search = [ "hamburg.ccc.de" ];
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "86:72:08:F6:C0:D6";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix
new file mode 100644
index 0000000..9d0e173
--- /dev/null
+++ b/config/hosts/public-web-static/nginx.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+ services.nginx.enable = true;
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
new file mode 100644
index 0000000..a65dd9b
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
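Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ]` opens a UDP port that nothing on this host appears to bind: the only listeners defined for it (in element.hamburg.ccc.de.nix of this same commit) are TCP 31820 and TCP 8443 with `ssl = true` and `proxy_protocol`, and no `listen` entry enables QUIC/HTTP/3. Either drop the UDP entry or add a comment stating what is expected to use it, e.g. `# UDP 8443 reserved for HTTP/3 (QUIC); no listen block enables it yet`. This hunk only sets `services.nginx.enable`, so the TLS listener runs on the nginx/NixOS default protocol and cipher settings; consider `services.nginx.recommendedTlsSettings = true;` here. A one-line comment on why 8443/31820 rather than 443/80 are exposed (presumably an upstream proxy forwards to them) would also help the next reader.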
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ imports = [
+ ./element.hamburg.ccc.de.nix
+ ];
+}
diff --git a/config/hosts/public-web-static/virtualHosts/element-web-config/config.json b/config/hosts/public-web-static/virtualHosts/element-web-config/config.json
new file mode 100644
index 0000000..28c8f71
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/element-web-config/config.json
@@ -0,0 +1,47 @@
+{
+ "default_server_name": "hamburg.ccc.de",
+ "default_server_config": {
+ "m.homeserver": {
+ "base_url": "https://matrix.hamburg.ccc.de",
+ "server_name": "hamburg.ccc.de"
+ },
+ "m.identity_server": {
+ "base_url": "https://vector.im"
+ }
+ },
+ "disable_custom_urls": true,
+ "disable_guests": false,
+ "disable_login_language_selector": false,
+ "disable_3pid_login": true,
+ "brand": "Element",
+ "integrations_ui_url": "https://scalar.vector.im/",
+ "integrations_rest_url": "https://scalar.vector.im/api",
+ "integrations_widgets_urls": [
+ "https://scalar.vector.im/_matrix/integrations/v1",
+ "https://scalar.vector.im/api",
+ "https://scalar-staging.vector.im/_matrix/integrations/v1",
+ "https://scalar-staging.vector.im/api",
+ "https://scalar-staging.riot.im/scalar/api"
+ ],
+ "bug_report_endpoint_url": "https://element.io/bugreports/submit",
+ "uisi_autorageshake_app": "element-auto-uisi",
+ "default_country_code": "DE",
+ "show_labs_settings": true,
+ "default_federate": true,
+ "default_theme": "dark",
+ "room_directory": {
+ "servers": [
+ "matrix.org"
+ ]
+ },
+ "enable_presence_by_hs_url": {
+ "https://matrix.org": false,
+ "https://matrix-client.matrix.org": false
+ },
+ "setting_defaults": {
+ "breadcrumbs": true
+ },
+ "jitsi": {
+ "preferredDomain": "meet.element.io"
+ }
+}
diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
new file mode 100644
index 0000000..b9e74b7
--- /dev/null
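Review bot: Several entries in config.json look carried over from the upstream sample rather than chosen for this deployment: `enable_presence_by_hs_url` lists only matrix.org hosts although the homeserver here is matrix.hamburg.ccc.de, `integrations_widgets_urls` includes scalar-staging and riot.im endpoints, and `room_directory.servers` names matrix.org only. Trimming these to what this instance actually uses keeps the set of integration-manager origins the client trusts minimal. `bug_report_endpoint_url` sends rageshake reports (which carry client logs) to element.io and `m.identity_server` points users at vector.im; both are upstream defaults but are privacy-relevant choices, and since JSON cannot hold comments they are worth recording with a short comment next to the `./element-web-config` reference in element.hamburg.ccc.de.nix.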
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix 
@@ -0,0 +1,93 @@
+{ pkgs, ... }:
+
+let
+ element-web = pkgs.fetchzip {
+ url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
+ sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
+ };
+ elementSecurityHeaders = ''
+ # Configuration best practices
+ # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "frame-ancestors 'none'";
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ '';
+in
+{
+ services.nginx.virtualHosts = {
+ "acme-element.hamburg.ccc.de" = {
+ default = true;
+ enableACME = true;
+ serverName = "element.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "element.hamburg.ccc.de" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "element.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+
+ root = pkgs.buildEnv {
+ name = "element-web";
+ paths = [
+ element-web
+ ./element-web-config
+ ];
+ };
+
+ # Set no-cache for the version, config and index.html
+ # so that browsers always check for a new copy of Element Web.
+ # NB http://your-domain/ and http://your-domain/? are also covered by this
+
+ locations."= /index.html" = {
+ extraConfig = elementSecurityHeaders + ''
+ add_header Cache-Control "no-cache";
+ '';
+ };
+ locations."= /version" = {
+ extraConfig = elementSecurityHeaders + ''
+ add_header Cache-Control "no-cache";
+ '';
+ };
+ # covers config.json and config.hostname.json requests as it is prefix.
+ locations."/config" = {
+ extraConfig = elementSecurityHeaders + ''
+ add_header Cache-Control "no-cache";
+ '';
+ };
+ extraConfig = elementSecurityHeaders + ''
+ index index.html;
+
+ # redirect server error pages to the static page /50x.html
+ error_page 500 502 503 504 /50x.html;
+
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 2e48af3..07c792f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -90,6 +90,20 @@
 ./config/hosts/matrix
 ];
 };
+
+ public-web-static = {
+ deployment = {
+ targetHost = "public-web-static-intern.hamburg.ccc.de";
+ targetPort = 22;
+ targetUser = "colmena-deploy";
+ tags = [ "chaosknoten" ];
+ };
+ imports = [
+ ./config/common
+ ./config/proxmox-vm
+ ./config/hosts/public-web-static
+ ];
+ };
 };
 
 packages.x86_64-linux = {
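Review bot: The `add_header` lines in `elementSecurityHeaders` other than HSTS lack the `always` flag, so nginx emits them only on 2xx/3xx responses; a 404 for a missing asset, or the `/50x.html` error page named in the server-level `extraConfig` (which neither `element-web` nor `./element-web-config` appears to provide), goes out without `X-Frame-Options` and the `frame-ancestors 'none'` policy. Appending `always` to each of those four lines, e.g. `add_header Content-Security-Policy "frame-ancestors 'none'" always;`, keeps the policy on every response. Repeating `elementSecurityHeaders` in the server block and in each `locations` entry is correct (nginx drops inherited `add_header` directives once a location sets its own) but is easy to "simplify" away, so it deserves a comment such as `# nginx does not inherit add_header into a location that sets its own; the shared set is repeated per location on purpose.` A comment on the port split would also help: 8443 takes PROXY-protocol TLS traffic and 31820 serves the ACME host, presumably both fed by the proxy at 172.31.17.140 that `set_real_ip_from` trusts. The `let` binding and the `services.nginx.virtualHosts` attribute set begin in the preceding part of this hunk.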