diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json
index 64929d1..aa43d9e 100644
--- a/roles/element-and-nginx/defaults/main.json
+++ b/roles/element-and-nginx/defaults/main.json
@@ -1,5 +1,15 @@
 {
 "var_element_and_nginx_domain": "element.example.org",
 "var_element_and_nginx_path": "/opt/element",
- "var_element_and_nginx_tls": "enable"
+ "var_element_and_nginx_element_version": "v1.11.47",
+ "var_element_and_nginx_element_matrix_baseurl": "https://matrix.example.org",
+ "var_element_and_nginx_element_server_name": "example"
+ "var_element_and_nginx_tls_mode": "disable",
+ "var_element_and_nginx_tls_cert_kind": "none",
+ "var_element_and_nginx_tls_cert_data_existing_key_path": "/tmp/key.pem",
+ "var_element_and_nginx_tls_cert_data_existing_cert_path": "/tmp/cert.pem",
+ "var_element_and_nginx_tls_cert_data_existing_fullchain_path": "/tmp/fullchain.pem",
+ "var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email": "REPLACE_ME",
+ "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username": "REPLACE_ME",
+ "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password": "REPLACE_ME"
 }
diff --git a/roles/element-and-nginx/meta/main.json b/roles/element-and-nginx/meta/main.json
new file mode 100644
index 0000000..3b5f228
--- /dev/null
+++ b/roles/element-and-nginx/meta/main.json
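Review bot: The new defaults file is no longer valid JSON: the added line `"var_element_and_nginx_element_server_name": "example"` has no trailing comma before the `var_element_and_nginx_tls_mode` entry that follows it, so a strict parser will reject the whole of roles/element-and-nginx/defaults/main.json. Change it to `"var_element_and_nginx_element_server_name": "example",`. Separately, the three `tls_cert_data_existing_*` defaults point under `/tmp`, a shared, world-writable directory; a deployer who forgets to override them would have nginx read a private key from a location any local user can pre-create, whereas the ACME credentials in the same hunk use the non-path placeholder `REPLACE_ME`. Consider using an equally obvious placeholder for the key, cert and fullchain paths so an unchanged default fails loudly rather than reading from `/tmp`.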
@@ -0,0 +1,32 @@
+{
+ "dependencies": [
+ {
+ "role": "element",
+ "var_element_version": "{{var_element_and_nginx_element_version}}",
+ "var_element_path": "{{var_element_and_nginx_path}}",
+ "var_element_matrix_baseurl": "{{var_element_and_nginx_element_matrix_baseurl}}",
+ "var_element_server_name": "{{var_element_and_nginx_element_server_name}}"
+ },
+ {
+ "when": "var_element_and_nginx_tls_cert_kind == 'existing'",
+ "role": "tlscert_existing",
+ "var_tlscert_existing_domain": "{{var_element_and_nginx_domain}}",
+ "var_tlscert_existing_key_path": "{{var_element_and_nginx_tls_cert_data_existing_key_path}}",
+ "var_tlscert_existing_cert_path": "{{var_element_and_nginx_tls_cert_data_existing_cert_path}}",
+ "var_tlscert_existing_fullchain_path": "{{var_element_and_nginx_tls_cert_data_existing_fullchain_path}}"
+ },
+ {
+ "when": "var_element_and_nginx_tls_cert_kind == 'selfsigned'",
+ "role": "tlscert_selfsigned",
+ "var_tlscert_selfsigned": "{{var_element_and_nginx_domain}}"
+ },
+ {
+ "when": "var_element_and_nginx_tls_cert_kind == 'acme_inwx'",
+ "role": "tlscert_acme_inwx",
+ "var_tlscert_acme_inwx_domain": "{{var_element_and_nginx_domain}}",
+ "var_tlscert_acme_inwx_acme_account_email": "{{var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email}}",
+ "var_tlscert_acme_inwx_inwx_account_username": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username}}",
+ "var_tlscert_acme_inwx_inwx_account_password": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password}}"
+ }
+ ]
+}
diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2
index bc9c035..6df3e18 100644
--- a/roles/element-and-nginx/templates/conf.j2
+++ b/roles/element-and-nginx/templates/conf.j2
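Review bot: The selfsigned dependency hands the domain to the role as `"var_tlscert_selfsigned": "{{var_element_and_nginx_domain}}"`, while the two sibling cert roles in the same list receive it as `var_tlscert_existing_domain` and `var_tlscert_acme_inwx_domain`; this looks like a dropped `_domain` suffix, and if the tlscert_selfsigned role expects `var_tlscert_selfsigned_domain` the certificate would be issued for an undefined or wrong name — please confirm against that role's variables. A second gap is the combination `var_element_and_nginx_tls_mode != "disable"` with `var_element_and_nginx_tls_cert_kind == "none"`: none of the three conditional dependencies fires, yet the nginx template still emits a TLS server block referencing `/etc/ssl/private/{{var_element_and_nginx_domain}}.pem`, so nginx will presumably fail its config check with a missing-file error rather than a clear message. An `ansible.builtin.assert` task in the role rejecting that combination would surface the misconfiguration up front. Note also that the INWX password travels here as a plain role parameter, so callers should source it from a vaulted variable rather than an inventory literal.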
@@ -1,21 +1,20 @@
-boilerplate element {
+{% macro element_common() %}
 root {{var_element_and_nginx_path}};
-}
-
+{% endmacro %}
 server {
 server_name {{var_element_and_nginx_domain}};
 listen 80;
 listen [::]:80;
-{% if (var_element_and_nginx_tls == "force") %}
+{% if (var_element_and_nginx_tls_mode == "force") %}
 return 301 https://$http_host$request_uri;
 {% else %}
- invoke element;
+ {{ element_common() }}
 {% endif %}
 }
+{% if (var_element_and_nginx_tls_mode != "disable") %}
-{% if (var_element_and_nginx_tls != "disable") %}
 server {
 server_name {{var_element_and_nginx_domain}};
@@ -26,6 +25,6 @@ server {
 ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
 include /etc/nginx/ssl-hardening.conf;
- invoke element;
+ {{ element_common() }}
 }
 {% endif %}
diff --git a/roles/element-and-nginx/vardef.json b/roles/element-and-nginx/vardef.json
new file mode 100644
index 0000000..a51eccf
--- /dev/null
+++ b/roles/element-and-nginx/vardef.json
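Review bot: Renaming the switch from `var_element_and_nginx_tls` to `var_element_and_nginx_tls_mode` in both `{% if %}` lines has no compatibility check, and the role's new default for the new name is `disable`; an existing inventory that still sets the old variable will render neither the 301 redirect nor the HTTPS server block, so TLS silently disappears on the next run without any task failing. Either keep accepting the old name for one release or, better, add an `ansible.builtin.assert` task to the role (outside this template) with `that: var_element_and_nginx_tls is not defined` and a `fail_msg` naming the replacement, so the rename fails loudly. The second hunk (@@ -26,6 +25,6) is only the `invoke element` → `{{ element_common() }}` substitution and needs nothing further.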
@@ -0,0 +1,64 @@
+{
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "path": {
+ "type": "string",
+ "mandatory": false
+ },
+ "element_version": {
+ "type": "string",
+ "mandatory": false
+ },
+ "element_matrix_baseurl": {
+ "type": "string",
+ "mandatory": false
+ },
+ "element_server_name": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_mode": {
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ],
+ "mandatory": false
+ },
+ "tls_cert_kind": {
+ "type": "string",
+ "options": [
+ "none",
+ "selfsigned",
+ "acme_inwx"
+ ],
+ "mandatory": false
+ },
+ "tls_cert_data_existing_key_path": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_cert_data_existing_cert_path": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_cert_data_existing_fullchain_path": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_cert_data_acme_inwx_acme_account_email": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_cert_data_acme_inwx_inwx_account_username": {
+ "type": "string",
+ "mandatory": false
+ },
+ "tls_cert_data_acme_inwx_inwx_account_password": {
+ "type": "string",
+ "mandatory": false
+ }
+}
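Review bot: The `tls_cert_kind` options list omits `existing`, although meta/main.json in this same commit gates the `tlscert_existing` dependency on `var_element_and_nginx_tls_cert_kind == 'existing'` and this file declares the three `tls_cert_data_existing_*` paths for exactly that case; if the vardef is enforced, the existing-certificate path can never be selected. Change the list to `"options": ["none", "existing", "selfsigned", "acme_inwx"]`, keeping the one-entry-per-line layout used around it. If the vardef format has a way to mark a value as sensitive, `tls_cert_data_acme_inwx_inwx_account_password` should carry it so tooling that prints or logs variables can redact it; from this file alone I cannot tell whether such a field exists.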