diff --git a/host_vars/srv02 b/host_vars/srv02
index d38f4b1..3be525b 100644
--- a/host_vars/srv02
+++ b/host_vars/srv02
@@ -4,4 +4,6 @@ basics_autoupdate_origins:
 - o=TorProject,n=${distro_codename}
 hopglass_frontend_tls_crt: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/fullchain.pem
 hopglass_frontend_tls_key: /etc/letsencrypt/live/hopglass.hamburg.freifunk.net/privkey.pem
+media_tls_crt: /etc/letsencrypt/live/media.hamburg.freifunk.net/fullchain.pem
+media_tls_key: /etc/letsencrypt/live/media.hamburg.freifunk.net/privkey.pem
 nginx_resolver: 127.0.0.1
diff --git a/production b/production
index 4f2b0ce..2acbba2 100644
--- a/production
+++ b/production
@@ -13,6 +13,9 @@ srv03
 [hopglass-frontend]
 srv02
+[media]
+srv02
+
 [nginx]
 gw03-new ansible_host=gw03-new.hamburg.freifunk.net
diff --git a/roles/website/media/defaults/main.yml b/roles/website/media/defaults/main.yml
new file mode 100644
index 0000000..c900efd
--- /dev/null
+++ b/roles/website/media/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+media_root: /var/www/media
+site: media
diff --git a/roles/website/media/handlers/main.yml b/roles/website/media/handlers/main.yml
deleted file mode 100644
index 811526f..0000000
--- a/roles/website/media/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-- include: "{{ playbook_dir }}/roles/website/includes/base-static/handlers/main.yml"
diff --git a/roles/website/media/meta/main.yml b/roles/website/media/meta/main.yml
index f6688f0..8b662c9 100644
--- a/roles/website/media/meta/main.yml
+++ b/roles/website/media/meta/main.yml
@@ -1,4 +1,3 @@
 ---
 dependencies:
 - role: nginx
-
diff --git a/roles/website/media/tasks/main.yml b/roles/website/media/tasks/main.yml
index 54d4c57..43b4966 100644
--- a/roles/website/media/tasks/main.yml
+++ b/roles/website/media/tasks/main.yml
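Review bot: `site` is the only variable in the new roles/website/media/defaults/main.yml without the `media_` prefix, and tasks/main.yml interpolates it into the nginx paths (`/etc/nginx/sites-available/{{ site }}`); role defaults have the lowest precedence, so any inventory or play variable that happens to be called `site` silently changes which file is written and linked. Renaming it to `media_site: media` and using that name in the two tasks keeps it scoped the same way as `media_root`. A one-line comment such as `# file name used under /etc/nginx/sites-available and sites-enabled` would also document what the value is for.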
@@ -1,13 +1,13 @@
 ---
-- include: "{{ playbook_dir }}/roles/website/includes/base-static/tasks/main.yml"
- vars:
- site: ffhh_media
- domains:
- - media.services.ffhh
- - media.hamburg.freifunk.net
- ports:
- - { number: 80, ssl: false }
- - { number: 443, ssl: true }
- document_root: { path: /var/www/ffhh/media, create: true }
- listing: true
+- name: template site
+ template:
+ src: templates/site.j2
+ dest: /etc/nginx/sites-available/{{ site }}
+ notify: reload nginx
+- name: enable site
+ file:
+ src: ../sites-available/{{ site }}
+ dest: /etc/nginx/sites-enabled/{{ site }}
+ state: link
+ notify: reload nginx
diff --git a/roles/website/media/templates/site.j2 b/roles/website/media/templates/site.j2
new file mode 100644
index 0000000..3e24907
--- /dev/null
+++ b/roles/website/media/templates/site.j2
@@ -0,0 +1,24 @@
+{% if media_tls_crt is defined %}
+server {
+ server_name media.hamburg.freifunk.net;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ ssl_certificate {{ media_tls_crt }};
+ ssl_certificate_key {{ media_tls_key }};
+
+ root {{ media_root }};
+ include snippets/autoindex.conf;
+ include snippets/header-hsts.conf;
+ include snippets/no-unsafe-files.conf;
+}
+
+{% endif %}
+server {
+ server_name media.hamburg.freifunk.net;
+ listen 80;
+ listen [::]:80;
+
+ return 302 https://$server_name$request_uri;
+
+ include snippets/location-acme.conf;
+}
diff --git a/services.yml b/services.yml
index 6822986..cb010ab 100644
--- a/services.yml
+++ b/services.yml
@@ -7,6 +7,11 @@
 roles:
 - ntp-server
+- hosts: media
+ roles:
+ - website/media
+ tags: media
+
 - hosts: updates
 roles:
 - website/updates
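Review bot: Nothing in the rewritten roles/website/media/tasks/main.yml creates the directory that site.j2 uses as `root`: the removed include passed `document_root: { path: /var/www/ffhh/media, create: true }`, while the new tasks only template and link the vhost. The default path also moves to `/var/www/media`, so unless the directory is managed elsewhere a fresh host serves from a missing root and an existing host keeps its files under the old path. A directory task alongside the two new ones would restore the previous behaviour; the mode below is a suggestion, and the `template` task could likewise state `mode: "0644"` explicitly instead of relying on the umask.

```yaml
# … unchanged: template site, enable site …
- name: create media root
  file:
    path: "{{ media_root }}"
    state: directory
    mode: "0755"
```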
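Review bot: The server-level `return 302` in the port-80 block of site.j2 runs before any location is matched, so the `include snippets/location-acme.conf;` that follows it can never serve a request. Assuming that snippet defines the ACME challenge location, HTTP-01 requests are redirected to HTTPS, where the 443 block does not include the snippet. Moving the redirect into a location keeps the challenge path reachable: `location / { return 302 https://$server_name$request_uri; }`. The redirect is also emitted when `media_tls_crt` is undefined and no 443 block is rendered, and the guard tests only `media_tls_crt` although the block also needs `media_tls_key`; `{% if media_tls_crt is defined and media_tls_key is defined %}` would cover both.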