diff --git a/handlers.yml b/handlers.yml
index 9ac4d73..e8fe8b7 100644
--- a/handlers.yml
+++ b/handlers.yml
@@ -33,3 +33,10 @@
 state: restarted
 enabled: true
 scope: user
+
+- name: restart certbot
+ become: true
+ systemd:
+ name: certbot
+ state: restarted
+ enabled: false
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
index 51bb317..3d0dd9d 100644
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@@ -9,6 +9,7 @@
 loop:
 - { src: 'templates/nginx/default.j2', dest: '/etc/nginx/sites-available/default' }
 - { src: 'templates/nginx/forgejo.j2', dest: '/etc/nginx/sites-available/forgejo' }
+ - { src: 'templates/nginx/woodpecker.j2', dest: '/etc/nginx/sites-available/woodpecker' }
 - { src: 'templates/nginx/sentry.j2', dest: '/etc/nginx/sites-available/sentry' }
 - { src: 'templates/nginx/vpn.j2', dest: '/etc/nginx/sites-available/vpn' }
 - {
@@ -32,6 +33,10 @@
 src: '/etc/nginx/sites-available/forgejo',
 dest: '/etc/nginx/sites-enabled/forgejo',
 }
+ - {
+ src: '/etc/nginx/sites-available/woodpecker',
+ dest: '/etc/nginx/sites-enabled/woodpecker',
+ }
 - {
 src: '/etc/nginx/sites-available/sentry',
 dest: '/etc/nginx/sites-enabled/sentry',
@@ -43,4 +48,33 @@
 }
 notify: restart nginx
-# TODO: provision certbot configuration
+
+# Run the folowing command to regenerate a certificate:
+#
+# sudo certbot certonly \
+# --authenticator standalone \
+# --pre-hook 'systemctl stop nginx' \
+# --post-hook 'systemctl start nginx' \
+# --cert-name fudiggity.nl \
+# -d fudiggity.nl \
+# -d rss.fudiggity.nl \
+# -d .....
+#
+# This will also save its configuration.
+#
+- name: copy letsencrypt configuration
+ become: true
+ template:
+ src: 'templates/letsencrypt/cli.j2'
+ dest: '/etc/letsencrypt/cli.ini'
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart certbot
+
+- name: enable certbot periodic certificate renewal
+ become: true
+ systemd:
+ name: certbot.timer
+ state: started
+ enabled: true
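Review bot: The new `restart certbot` handler targets `systemd: name: certbot`, which on Debian-family hosts (vars/main.yml installs the distro `certbot` package) is, as far as I can tell, a oneshot unit that `certbot.timer` triggers to run a renewal, so `state: restarted` does not reload a daemon but starts a renewal attempt in the middle of the play — and with `authenticator = standalone` plus `pre-hook = /bin/systemctl stop nginx` in templates/letsencrypt/cli.j2 that attempt stops nginx whenever a certificate happens to be due. certbot reads cli.ini on every invocation, so a changed template needs no restart at all; consider dropping both this handler and the `notify: restart certbot` on the `copy letsencrypt configuration` task in the last hunk of tasks/nginx.yml, or at least renaming the handler to what it does, e.g. `- name: run certbot renewal`. `enabled: false` on a unit that exists only to be started by the timer is at best a no-op and may fail if the unit has no [Install] section — worth checking against the installed unit file.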
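Review bot: The new woodpecker vhost includes the shared `snippets/certificates.conf`, so `{{ woodpecker_domain }}` has to be a SAN on the `fudiggity.nl` certificate, yet the regeneration comment in the last hunk of tasks/nginx.yml lists only `-d fudiggity.nl`, `-d rss.fudiggity.nl` and a `-d .....` placeholder, and nothing in the play re-issues the certificate — until someone reruns that command with the new name added, the woodpecker site presents a certificate that does not match its `server_name`. Spell out the full `-d` list, or state in the comment that every `*_domain` in vars/nginx.yml must be passed, so the placeholder cannot be copied verbatim; `folowing` should also read `following`. The `}` / `notify: restart nginx` context lines belong to a task that starts above the hunk, and the `loop` the first two hunks extend likewise begins outside them.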
diff --git a/templates/letsencrypt/cli.j2 b/templates/letsencrypt/cli.j2
new file mode 100644
index 0000000..63e376c
--- /dev/null
+++ b/templates/letsencrypt/cli.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+#
+# Because we are using logrotate for greater flexibility, disable the
+# internal certbot logrotation.
+max-log-backups = 0
+
+# Adjust interactive output regarding automated renewal
+preconfigured-renewal = True
+
+authenticator = standalone
+pre-hook = /bin/systemctl stop nginx
+post-hook = /bin/systemctl start nginx
diff --git a/templates/nginx/woodpecker.j2 b/templates/nginx/woodpecker.j2
new file mode 100644
index 0000000..9dfccb7
--- /dev/null
+++ b/templates/nginx/woodpecker.j2
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+server {
+ listen {{ https_port }} ssl;
+ server_name {{ woodpecker_domain }};
+
+ include snippets/certificates.conf;
+ include snippets/ssl-params.conf;
+
+ access_log /var/log/nginx/woodpecker.log;
+ error_log /var/log/nginx/woodpecker.log;
+
+ location / {
+ gzip off;
+
+ proxy_read_timeout 90;
+ proxy_connect_timeout 90;
+ proxy_redirect off;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Frame-Options SAMEORIGIN;
+
+ proxy_pass http://{{ woodpecker_ip }}:{{ woodpecker_port }};
+ }
+}
diff --git a/vars/main.yml b/vars/main.yml
index 8be5cd3..ea123db 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -9,3 +9,4 @@ packages:
 - ca-certificates
 - gnupg
 - radeontop
+ - certbot
diff --git a/vars/network.yml b/vars/network.yml
index f8bb487..9a2a0e8 100644
--- a/vars/network.yml
+++ b/vars/network.yml
@@ -16,6 +16,9 @@ forgejo_ip: '127.0.0.1'
 forgejo_port: '3000'
 forgejo_ssh_port: '22'
+woodpecker_ip: '127.0.0.1'
+woodpecker_port: '8000'
+
 newsreader_ip: '127.0.0.1'
 newsreader_port: '5000'
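Review bot: `authenticator = standalone` combined with `pre-hook = /bin/systemctl stop nginx` in cli.ini makes every automated renewal take all nginx sites offline for the length of the challenge, and because these hooks live in the global config they apply to every certificate certbot manages on the host, not just this one. Since nginx is already the TLS terminator for these names, `authenticator = webroot` with a `webroot-path` that nginx serves under `/.well-known/acme-challenge/` renews without stopping the server, and a `deploy-hook = /bin/systemctl reload nginx` would then load the new certificate — this presumes port 80 is reachable on the host, which the diff does not show, so confirm before switching. If standalone is kept deliberately, a comment above the hook lines saying so (and that renewal implies a short outage) would stop the next reader from "fixing" it.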
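Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in templates/nginx/woodpecker.j2 sets a *request* header on the call to the upstream; X-Frame-Options is a response header, so this line gives browsers no clickjacking protection and woodpecker will simply ignore it — use `add_header X-Frame-Options SAMEORIGIN always;` in the server block instead, unless `snippets/ssl-params.conf` (not in the diff) already sets it, in which case drop the line. `access_log` and `error_log` both point at `/var/log/nginx/woodpecker.log`, which interleaves two different line formats in one file and makes the log harder to parse; the sibling templates are not shown, so follow their convention or split into `woodpecker.access.log` / `woodpecker.error.log`. `proxy_read_timeout 90` may also be too short for long-lived build-log streams, depending on how woodpecker delivers them — worth checking before relying on it.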
diff --git a/vars/nginx.yml b/vars/nginx.yml
index 3639d00..838a6c1 100644
--- a/vars/nginx.yml
+++ b/vars/nginx.yml
@@ -1,4 +1,5 @@
 domain_name: 'fudiggity.nl'
 forgejo_domain: 'forgejo.fudiggity.nl'
+woodpecker_domain: 'woodpekcer.fudiggity.nl'
 sentry_domain: 'sentry.fudiggity.nl'
 newsreader_domain: 'rss.fudiggity.nl'
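Review bot: `woodpecker_domain: 'woodpekcer.fudiggity.nl'` looks like a transposition of `woodpecker` — every other entry in the file follows `<service>.fudiggity.nl` and the variable itself is named woodpecker_domain. This value becomes the `server_name` in templates/nginx/woodpecker.j2 and has to match both the DNS record and the certificate's SAN list, so the misspelling would leave the real hostname without a matching vhost (and with `listen {{ https_port }} ssl` nginx would fall back to whichever default server it picks). Unless the DNS record really is spelled this way, change it to `woodpecker_domain: 'woodpecker.fudiggity.nl'`.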