diff --git a/host_vars/srv04 b/host_vars/srv04
new file mode 100644
index 0000000..df080a5
--- /dev/null
+++ b/host_vars/srv04
@@ -0,0 +1,3 @@
+ssl_certificate: /etc/ssl/certsync/updates.hamburg.freifunk.net.crt
+ssl_certificate_key: /etc/ssl/certsync/updates.hamburg.freifunk.net.key
+nginx_resolver: 80.252.105.162 80.252.105.194
diff --git a/production b/production
index 902c165..30167d8 100644
--- a/production
+++ b/production
@@ -1,6 +1,9 @@
 [services]
 srv04 ansible_ssh_host=80.252.100.116
 
+[updates]
+srv04
+
 [ffhh]
 srv04
 
diff --git a/roles/website/updates/defaults/main.yml b/roles/website/updates/defaults/main.yml
new file mode 100644
index 0000000..bbafb82
--- /dev/null
+++ b/roles/website/updates/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+site: updates
+ssl_certificate: /etc/letsencrypt/live/updates.hamburg.freifunk.net/fullchain.pem
+ssl_certificate_key: /etc/letsencrypt/live/updates.hamburg.freifunk.net/privkey.pem
diff --git a/roles/website/updates/files/updates_common.conf b/roles/website/updates/files/updates_common.conf
new file mode 100644
index 0000000..9096f27
--- /dev/null
+++ b/roles/website/updates/files/updates_common.conf
@@ -0,0 +1,9 @@
+# Basis-Konfiguration für updates.
+
+root /var/www/updates;
+
+location / {
+    access_log off;
+    log_not_found off;
+    autoindex on;
+}
diff --git a/roles/website/updates/meta/main.yml b/roles/website/updates/meta/main.yml
new file mode 100644
index 0000000..8b662c9
--- /dev/null
+++ b/roles/website/updates/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: nginx
diff --git a/roles/website/updates/tasks/main.yml b/roles/website/updates/tasks/main.yml
new file mode 100644
index 0000000..577f5f1
--- /dev/null
+++ b/roles/website/updates/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: copy updates_common.conf
+  copy:
+    src: files/updates_common.conf
+    dest: /etc/nginx/include
+  notify: reload nginx
+
+- name: template site
+  template:
+    src: templates/site.j2
+    dest: /etc/nginx/sites-available/{{ site }}
+  notify: reload nginx
+
+- name: enable site
+  file:
+    src: /etc/nginx/sites-available/{{ site }}
+    dest: /etc/nginx/sites-enabled/{{ site }}
+    state: link
+  notify: reload nginx
diff --git a/roles/website/updates/templates/site.j2 b/roles/website/updates/templates/site.j2
new file mode 100644
index 0000000..0f3dc6d
--- /dev/null
+++ b/roles/website/updates/templates/site.j2
@@ -0,0 +1,31 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name updates.hamburg.freifunk.net;
+
+    ssl_certificate {{ ssl_certificate }};
+    ssl_certificate_key {{ ssl_certificate_key }};
+
+    include /etc/nginx/include/updates_common.conf;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name updates.hamburg.freifunk.net;
+
+    include /etc/nginx/include/updates_common.conf;
+
+    # Kein HTTPS Redirect wg. Paketinstallation auf Routern
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name 1.updates.services.ffhh;
+
+    include /etc/nginx/include/updates_common.conf;
+}
diff --git a/services.yml b/services.yml
index b1321fa..e120996 100644
--- a/services.yml
+++ b/services.yml
@@ -2,3 +2,7 @@
 - hosts: services
   roles:
     - ntp-server
+
+- hosts: updates
+  roles:
+    - website/updates