diff --git a/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json
new file mode 100644
index 0000000..16c8d4e
--- /dev/null
+++ b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json
@@ -0,0 +1,4 @@
+{
+ "var_hedgedoc_and_lighttpd_domain": "hedgedoc.example.org",
+ "var_hedgedoc_and_lighttpd_tls_enable": true
+}
diff --git a/ansible/roles/hedgedoc-and-lighttpd/info.md b/ansible/roles/hedgedoc-and-lighttpd/info.md
new file mode 100644
index 0000000..99a615a
--- /dev/null
+++ b/ansible/roles/hedgedoc-and-lighttpd/info.md
@@ -0,0 +1,8 @@
+## Beschreibung
+
+- zur Einrichtung von [Lighttpd](../lighttpd) als Reverse-Proxy für [Hedgedoc](../hedgedoc)
+
+
+## Verweise
+
+- [Hedgedoc-Dokumentation | Using a Reverse Proxy](https://docs.hedgedoc.org/guides/reverse-proxy/)
diff --git a/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json
new file mode 100644
index 0000000..1bbe93f
--- /dev/null
+++ b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json
@@ -0,0 +1,34 @@
+[
+ {
+ "name": "activate proxy module",
+ "become": true,
+ "ansible.builtin.shell": {
+ "cmd": "lighttpd-enable-mod proxy || exit 0"
+ }
+ },
+ {
+ "name": "emplace configuration | data",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "conf.j2",
+ "dest": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf"
+ }
+ },
+ {
+ "name": "emplace configuration | link",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "link",
+ "src": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf",
+ "dest": "/etc/lighttpd/conf-enabled/{{var_hedgedoc_and_lighttpd_domain}}.conf"
+ }
+ },
+ {
+ "name": "restart lighttpd",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "lighttpd"
+ }
+ }
+]
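Review bot: In the "activate proxy module" task of tasks/main.json, `|| exit 0` hides every failure of `lighttpd-enable-mod`, so a missing helper or a failed enable still lets the play install the proxy config and restart lighttpd as root. Running the helper through `ansible.builtin.command` and accepting only the expected return codes keeps the task idempotent without masking errors. The Debian helper is commonly reported to exit with 2 when the module is already enabled; that value is an assumption to confirm on the target system. The last task also restarts lighttpd unconditionally with no prior config check, so a badly rendered template takes the web server down; a `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` step before the restart, or a handler notified by the template task, would avoid that.

```json
{
  "name": "activate proxy module",
  "become": true,
  "ansible.builtin.command": {
    "argv": ["lighttpd-enable-mod", "proxy"]
  },
  "register": "result_enable_mod",
  "changed_when": "result_enable_mod.rc == 0",
  "failed_when": "result_enable_mod.rc not in [0, 2]"
}
```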
diff --git a/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2
new file mode 100644
index 0000000..4b6013c
--- /dev/null
+++ b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2
@@ -0,0 +1,33 @@
+$HTTP["host"] == "{{var_hedgedoc_and_lighttpd_domain}}" {
+ server.name = "{{var_hedgedoc_and_lighttpd_domain}}"
+ proxy.server = (
+ "" => (
+ "" => (
+ "host" => "127.0.0.1",
+ "port" => 2400
+ )
+ )
+ )
+ proxy.header = (
+ "upgrade" => "enable"
+ )
+
+{% if var_hedgedoc_and_lighttpd_tls_enable %}
+ ## alle Anfragen auf Port 80
+ $SERVER["socket"] == ":80" {
+ ## auf HTTPS umleiten
+ url.redirect = ("^/(.*)$" => "https://{{var_hedgedoc_and_lighttpd_domain}}/$1")
+ }
+
+ ## alle Anfragen auf Port 443
+ $SERVER["socket"] == ":443" {
+ ## mit dem SSL-Kram beglücken
+ ssl.engine = "enable"
+ ssl.pemfile = "/etc/ssl/certs/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+ ssl.privkey = "/etc/ssl/keys/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+ ssl.ca-file = "/etc/ssl/fullchains/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+ ssl.use-sslv2 = "disable"
+ ssl.use-sslv3 = "disable"
+ }
+{% endif %}
+}
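Review bot: The `$SERVER["socket"]` blocks for `:80` and `:443` are nested inside `$HTTP["host"]`, which appears to be the reverse of the layout in lighttpd's TLS documentation, where the socket block is outermost and `ssl.engine` sits at global or socket scope. Whether `ssl.engine = "enable"` takes effect in this position should be confirmed on the target version, for example with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` and a connection test against port 443. Separately, `ssl.use-sslv2` and `ssl.use-sslv3` only rule out SSLv2/3 and are, as far as I know, marked deprecated in recent lighttpd documentation, so the minimum TLS version is left to build defaults. Adding `ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")` would make the floor explicit. `var_hedgedoc_and_lighttpd_domain` is also interpolated unescaped into quoted strings and file paths, so validating it as a plain hostname before rendering would keep a stray `"` or `/` from changing the generated config.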