diff --git a/roles/authelia-and-nginx/defaults/main.json b/roles/authelia-and-nginx/defaults/main.json
index 7559dcb..e1d1396 100644
--- a/roles/authelia-and-nginx/defaults/main.json
+++ b/roles/authelia-and-nginx/defaults/main.json
@@ -1,3 +1,4 @@
 {
-	"var_authelia_and_nginx_domain": "authelia.example.org"
+	"var_authelia_and_nginx_domain": "authelia.example.org",
+	"var_authelia_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2
index 231a61d..cd3b8d6 100644
--- a/roles/authelia-and-nginx/templates/conf.j2
+++ b/roles/authelia-and-nginx/templates/conf.j2
@@ -1,22 +1,4 @@
-server {
-	server_name {{var_authelia_and_nginx_domain}};
-	
-	listen [::]:80;
-	listen 80;
-	
-	return 301 https://$server_name$request_uri;
-}
-
-server {
-	server_name {{var_authelia_and_nginx_domain}};
-	
-	listen [::]:443 ssl http2;
-	listen 443 ssl http2;
-	
-	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
-	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
-	include /etc/nginx/ssl-hardening.conf;
-	
+{% macro authelia_common() %}
 	location / {
 		## Headers
 		proxy_set_header Host $host;
@@ -28,7 +10,7 @@ server {
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header Connection "";
-
+		
 		## Basic Proxy Configuration
 		client_body_buffer_size 128k;
 		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
@@ -37,7 +19,7 @@ server {
 		proxy_cache_bypass $cookie_session;
 		proxy_no_cache $cookie_session;
 		proxy_buffers 64 256k;
-
+		
 		## Trusted Proxies Configuration
 		## Please read the following documentation before configuring this:
 		##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
@@ -47,7 +29,7 @@ server {
 		# set_real_ip_from fc00::/7;
 		real_ip_header X-Forwarded-For;
 		real_ip_recursive on;
-
+		
 		## Advanced Proxy Configuration
 		send_timeout 5m;
 		proxy_read_timeout 360;
@@ -60,4 +42,32 @@ server {
 	location /api/verify {
 		proxy_pass http://localhost:9091;
 	}
+{% endmacro %}
+
+server {
+	server_name {{var_authelia_and_nginx_domain}};
+	
+	listen 80;
+	listen [::]:80;
+	
+{% if (var_authelia_and_nginx_tls_mode == 'force') %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+{{ authelia_common() }}
+{% endif %}
 }
+
+{% if (var_authelia_and_nginx_tls_mode != 'disable') %}
+server {
+	server_name {{var_authelia_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+{{ authelia_common() }}
+}
+{% endif %}
diff --git a/roles/authelia-and-nginx/vardef.json b/roles/authelia-and-nginx/vardef.json
new file mode 100644
index 0000000..e1e1a74
--- /dev/null
+++ b/roles/authelia-and-nginx/vardef.json
@@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+        "type": "string",
+        "options": [
+			"disable",
+			"enable",
+			"force"
+        ],
+        "mandatory": false
+	}
+}
diff --git a/roles/dokuwiki-and-nginx/defaults/main.json b/roles/dokuwiki-and-nginx/defaults/main.json
index 22367fe..05e1d7f 100644
--- a/roles/dokuwiki-and-nginx/defaults/main.json
+++ b/roles/dokuwiki-and-nginx/defaults/main.json
@@ -1,5 +1,5 @@
 {
 	"var_dokuwiki_and_nginx_directory": "/opt/dokuwiki",
 	"var_dokuwiki_and_nginx_domain": "dokuwiki.example.org",
-	"var_dokuwiki_and_nginx_tls_enable": true
+	"var_dokuwiki_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2
index 514ceab..e5e5252 100644
--- a/roles/dokuwiki-and-nginx/templates/conf.j2
+++ b/roles/dokuwiki-and-nginx/templates/conf.j2
@@ -1,22 +1,4 @@
-server {
-	listen 80;
-	listen [::]:80;
-	server_name {{var_dokuwiki_and_nginx_domain}};
-	return 301 https://$server_name$request_uri;
-}
- 
-server {
-	listen [::]:443 ssl;
-	listen 443 ssl;
-	
-	server_name {{var_dokuwiki_and_nginx_domain}};
-	
-{% if var_dokuwiki_and_nginx_tls_enable %}
-	ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
-	ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
-	include /etc/nginx/ssl-hardening.conf;
-{% endif %}
-	
+{% macro dokuwiki_common() %}
 	# Maximum file upload size is 4MB - change accordingly if needed
 	client_max_body_size 4M;
 	client_body_buffer_size 128k;
@@ -58,4 +40,32 @@ server {
 		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
 		# fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version
 	}
+{% endmacro %}
+
+server {
+	server_name {{var_dokuwiki_and_nginx_domain}};
+	
+	listen 80;
+	listen [::]:80;
+	
+{% if (var_dokuwiki_and_nginx_tls_mode == 'force') %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+{{ dokuwiki_common() }}
+{% endif %}
 }
+
+{% if (var_dokuwiki_and_nginx_tls_mode != 'disable') %}
+server {
+	server_name {{var_dokuwiki_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+{{ dokuwiki_common() }}
+}
+{% endif %}
diff --git a/roles/dokuwiki-and-nginx/vardef.json b/roles/dokuwiki-and-nginx/vardef.json
new file mode 100644
index 0000000..a3fa777
--- /dev/null
+++ b/roles/dokuwiki-and-nginx/vardef.json
@@ -0,0 +1,19 @@
+{
+	"directory": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+        "type": "string",
+        "options": [
+			"disable",
+			"enable",
+			"force"
+        ],
+        "mandatory": false
+	}
+}
diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json
index c7db00b..4c7e5b6 100644
--- a/roles/element-and-nginx/defaults/main.json
+++ b/roles/element-and-nginx/defaults/main.json
@@ -1,4 +1,5 @@
 {
 	"var_element_and_nginx_domain": "element.example.org",
-	"var_element_and_nginx_path": "/opt/element"
+	"var_element_and_nginx_path": "/opt/element",
+	"var_element_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2
index 08330a6..2108550 100644
--- a/roles/element-and-nginx/templates/conf.j2
+++ b/roles/element-and-nginx/templates/conf.j2
@@ -1,14 +1,31 @@
+{% macro element_common() %}
+root {{var_element_and_nginx_path}};
+{% endmacro %}
+
 server {
+	server_name {{var_element_and_nginx_domain}};
+	
 	listen 80;
 	listen [::]:80;
+
+{% if (var_element_and_nginx_tls_mode == 'force') %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+{{ element_common() }}
+{% endif %}
+}
+
+{% if (var_element_and_nginx_tls_mode != 'disable') %}
+server {
+	server_name {{var_element_and_nginx_domain}};
+	
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	
-	server_name {{var_element_and_nginx_domain}};
-	
-	ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	
-	root {{var_element_and_nginx_path}};
+{{ element_common() }}
 }
+{% endif %}
diff --git a/roles/element-and-nginx/vardef.json b/roles/element-and-nginx/vardef.json
new file mode 100644
index 0000000..eff28cf
--- /dev/null
+++ b/roles/element-and-nginx/vardef.json
@@ -0,0 +1,19 @@
+{
+	"domain": {
+		"mandatory": false,
+		"type": "string"
+	},
+	"path": {
+		"mandatory": false,
+		"type": "string"
+	},
+	"tls_mode": {
+		"mandatory": false,
+		"type": "string",
+		"options": [
+			"disable",
+			"enable",
+			"force"
+		]
+	}
+}
diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json
index 6bffbd7..4f0da06 100644
--- a/roles/gitlab-and-nginx/defaults/main.json
+++ b/roles/gitlab-and-nginx/defaults/main.json
@@ -1,4 +1,5 @@
 {
 	"var_gitlab_and_nginx_domain": "element.example.org",
-	"var_gitlab_and_nginx_path": "/opt/element"
+	"var_gitlab_and_nginx_path": "/opt/element",
+	"var_gitlab_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2
index 4208162..fa4e246 100644
--- a/roles/gitlab-and-nginx/templates/conf.j2
+++ b/roles/gitlab-and-nginx/templates/conf.j2
@@ -1,64 +1,7 @@
-upstream gitlab-workhorse {
-	server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
-}
-
-map $http_upgrade $connection_upgrade_gitlab_ssl {
-	default upgrade;
-	'' close;
-}
-
-log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
-
-map $request_uri $gitlab_ssl_temp_request_uri_1 {
-	default $request_uri;
-	~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
-}
-
-map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
-	default $gitlab_ssl_temp_request_uri_1;
-	~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
-}
-
-map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
-	default $gitlab_ssl_temp_request_uri_2;
-	~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
-}
-
-map $http_referer $gitlab_ssl_filtered_http_referer {
-	default $http_referer;
-	~^(?<temp>.*)\? $temp;
-}
-
-server {
-	listen 80 default_server;
-	listen [::]:80 ipv6only=on default_server;
-	
-	server_name {{var_gitlab_and_nginx_domain}};
-	server_tokens off;
-	
-	return 301 https://$http_host$request_uri;
-	
-	access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
-	error_log /var/log/nginx/gitlab_error.log;
-}
-
-server {
-	listen 0.0.0.0:443 ssl http2;
-	listen [::]:443 ipv6only=on ssl http2 default_server;
-	
-	server_name {{var_gitlab_and_nginx_domain}};
-	server_tokens off;
-	
-	ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
-	ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
-	include /etc/nginx/ssl-hardening.conf;
-	
+{% macro gitlab_common() %}
 	real_ip_header X-Real-IP;
 	real_ip_recursive off;
 	
-	access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
-	error_log /var/log/nginx/gitlab_error.log;
-	
 	location / {
 		client_max_body_size 0;
 		gzip off;
@@ -90,5 +33,71 @@ server {
 		root /home/git/gitlab/public;
 		internal;
 	}
+{% endmacro %}
+
+upstream gitlab-workhorse {
+	server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
 }
 
+map $http_upgrade $connection_upgrade_gitlab_ssl {
+	default upgrade;
+	'' close;
+}
+
+log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
+
+map $request_uri $gitlab_ssl_temp_request_uri_1 {
+	default $request_uri;
+	~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
+}
+
+map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
+	default $gitlab_ssl_temp_request_uri_1;
+	~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
+}
+
+map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
+	default $gitlab_ssl_temp_request_uri_2;
+	~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
+}
+
+map $http_referer $gitlab_ssl_filtered_http_referer {
+	default $http_referer;
+	~^(?<temp>.*)\? $temp;
+}
+
+server {
+	server_name {{var_gitlab_and_nginx_domain}};
+	server_tokens off;
+	
+	listen 80;
+	listen [::]:80 ipv6only=on;
+	
+{% if (var_gitlab_and_nginx_tls_mode == 'force') %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+	access_log /var/log/nginx/gitlab_access.log;
+	error_log /var/log/nginx/gitlab_error.log;
+	
+{{ gitlab_common() }}
+{% endif %}
+}
+
+{% if (var_gitlab_and_nginx_tls_mode != 'disable') %}
+server {
+	server_name {{var_gitlab_and_nginx_domain}};
+	server_tokens off;
+	
+	listen 443 ssl http2;
+	listen [::]:443 ipv6only=on ssl http2;
+	
+	ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+	access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
+	error_log /var/log/nginx/gitlab_error.log;
+	
+{{ gitlab_common() }}
+}
+{% endif %}
diff --git a/roles/gitlab-and-nginx/vardef.json b/roles/gitlab-and-nginx/vardef.json
new file mode 100644
index 0000000..eff28cf
--- /dev/null
+++ b/roles/gitlab-and-nginx/vardef.json
@@ -0,0 +1,19 @@
+{
+	"domain": {
+		"mandatory": false,
+		"type": "string"
+	},
+	"path": {
+		"mandatory": false,
+		"type": "string"
+	},
+	"tls_mode": {
+		"mandatory": false,
+		"type": "string",
+		"options": [
+			"disable",
+			"enable",
+			"force"
+		]
+	}
+}
diff --git a/roles/hedgedoc-and-nginx/defaults/main.json b/roles/hedgedoc-and-nginx/defaults/main.json
index 840159e..aab8b85 100644
--- a/roles/hedgedoc-and-nginx/defaults/main.json
+++ b/roles/hedgedoc-and-nginx/defaults/main.json
@@ -1,3 +1,4 @@
 {
-	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org"
+	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
+	"var_hedgedoc_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2
index 467a014..e8fe34b 100644
--- a/roles/hedgedoc-and-nginx/templates/conf.j2
+++ b/roles/hedgedoc-and-nginx/templates/conf.j2
@@ -3,16 +3,7 @@ map $http_upgrade $connection_upgrade {
 	'' close;
 }
 
-server {
-	server_name {{var_hedgedoc_and_nginx_domain}};
-	
-	listen [::]:443 ssl http2;
-	listen 443 ssl http2;
-	
-	ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
-	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
-	include /etc/nginx/ssl-hardening.conf;
-	
+{% macro hedgedoc_common() %}
 	location / {
 		proxy_pass http://localhost:3000;
 		proxy_set_header Host $host;
@@ -30,4 +21,31 @@ server {
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection $connection_upgrade;
 	}
+{% endmacro %}
+
+server {
+	server_name {{var_hedgedoc_and_nginx_domain}};
+	
+	listen 80;
+	listen [::]:80;
+	
+{% if (var_element_and_nginx_tls_mode == 'force') %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+{{ hedgedoc_common() }}
+{% endif %}
+}
+
+{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
+server {
+	server_name {{var_hedgedoc_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+{{ hedgedoc_common() }}
 }
diff --git a/roles/hedgedoc-and-nginx/vardef.json b/roles/hedgedoc-and-nginx/vardef.json
new file mode 100644
index 0000000..e1e1a74
--- /dev/null
+++ b/roles/hedgedoc-and-nginx/vardef.json
@@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+        "type": "string",
+        "options": [
+			"disable",
+			"enable",
+			"force"
+        ],
+        "mandatory": false
+	}
+}
diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json
index e2a58c4..f59f7f1 100644
--- a/roles/hedgedoc/defaults/main.json
+++ b/roles/hedgedoc/defaults/main.json
@@ -14,7 +14,7 @@
 	"var_hedgedoc_authentication_kind": "authelia",
 	"var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc",
 	"var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME",
-	"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx",
+	"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_hedgedoc_guest_allow_create": false,
 	"var_hedgedoc_guest_allow_change": false,
 	"var_hedgedoc_free_names_mode": "authed"
diff --git a/roles/synapse-and-nginx/defaults/main.json b/roles/synapse-and-nginx/defaults/main.json
index 8a172d0..e504fa6 100644
--- a/roles/synapse-and-nginx/defaults/main.json
+++ b/roles/synapse-and-nginx/defaults/main.json
@@ -1,3 +1,4 @@
 {
-	"var_synapse_and_nginx_domain": "REPLACE_ME"
+	"var_synapse_and_nginx_domain": "REPLACE_ME",
+	"var_synapse_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2
index e59fb99..952b9e4 100644
--- a/roles/synapse-and-nginx/templates/conf.j2
+++ b/roles/synapse-and-nginx/templates/conf.j2
@@ -1,19 +1,4 @@
-server {
-	listen 80;
-	listen [::]:80;
-	listen 443 ssl;
-	listen [::]:443 ssl;
-	
-	## For the federation port
-	listen 8448 ssl http2 default_server;
-	listen [::]:8448 ssl http2 default_server;
-	
-	server_name {{var_synapse_and_nginx_domain}};
-	
-	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
-	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
-	include /etc/nginx/ssl-hardening.conf;
-	
+{% macro synapse_common() %}
 	location ~ ^(/_matrix|/_synapse/client) {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
@@ -24,4 +9,36 @@ server {
 		
 		proxy_http_version 1.1;
 	}
+{% endmacro %}
+
+server {
+	server_name {{var_synapse_and_nginx_domain}};
+	
+	listen 80;
+	listen [::]:80;
+	
+{% if (var_synapse_and_nginx_tls_mode == 'force') %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+{{ synapse_common() }}
+{% endif %}
 }
+
+{% if (var_synapse_and_nginx_tls_mode != 'disable') %}
+server {
+	server_name {{var_synapse_and_nginx_domain}};
+	
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	
+	## For the federation port
+	listen 8448 ssl http2 default_server;
+	listen [::]:8448 ssl http2 default_server;
+	
+	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+{{ synapse_common() }}
+}
+{% endif %}
diff --git a/roles/synapse-and-nginx/vardef.json b/roles/synapse-and-nginx/vardef.json
new file mode 100644
index 0000000..e1e1a74
--- /dev/null
+++ b/roles/synapse-and-nginx/vardef.json
@@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+        "type": "string",
+        "options": [
+			"disable",
+			"enable",
+			"force"
+        ],
+        "mandatory": false
+	}
+}
diff --git a/roles/system_basics/tasks/main.json b/roles/system_basics/tasks/main.json
index d19d6fb..cb39ff3 100644
--- a/roles/system_basics/tasks/main.json
+++ b/roles/system_basics/tasks/main.json
@@ -21,6 +21,7 @@
 		"become": true,
 		"ansible.builtin.apt": {
 			"pkg": [
+				"acl",
 				"vim",
 				"htop",
 				"tmux",
diff --git a/roles/tlscert_existing/defaults/main.json b/roles/tlscert_existing/defaults/main.json
index 66473bb..b47e0a2 100644
--- a/roles/tlscert_existing/defaults/main.json
+++ b/roles/tlscert_existing/defaults/main.json
@@ -1,8 +1,6 @@
 {
+	"var_tlscert_existing_domain": "foo.example.org",
 	"var_tlscert_existing_key_path": "/tmp/key.pem",
 	"var_tlscert_existing_cert_path": "/tmp/cert.pem",
-	"var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem",
-	"var_tlscert_existing_domain_base": "example.org",
-	"var_tlscert_existing_domain_path": "foo",
-	"var_tlscert_existing_ssl_directory": "/etc/ssl"
+	"var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem"
 }
diff --git a/roles/tlscert_existing/tasks/main.json b/roles/tlscert_existing/tasks/main.json
index 28ebd49..bc4354a 100644
--- a/roles/tlscert_existing/tasks/main.json
+++ b/roles/tlscert_existing/tasks/main.json
@@ -3,10 +3,10 @@
 		"name": "directories",
 		"become": true,
 		"loop": [
-			"{{var_tlscert_existing_ssl_directory}}/private",
-			"{{var_tlscert_existing_ssl_directory}}/csr",
-			"{{var_tlscert_existing_ssl_directory}}/certs",
-			"{{var_tlscert_existing_ssl_directory}}/fullchains"
+			"/etc/ssl/private",
+			"/etc/ssl/csr",
+			"/etc/ssl/certs",
+			"/etc/ssl/fullchains"
 		],
 		"ansible.builtin.file": {
 			"state": "directory",
@@ -18,7 +18,7 @@
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "{{var_tlscert_existing_key_path}}",
-			"dest": "{{var_tlscert_existing_ssl_directory}}/private/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+			"dest": "/etc/ssl/private/{{var_tlscert_existing_domain}}.pem"
 		}
 	},
 	{
@@ -26,7 +26,7 @@
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "{{var_tlscert_existing_cert_path}}",
-			"dest": "{{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+			"dest": "/etc/ssl/certs/{{var_tlscert_existing_domain}}.pem"
 		}
 	},
 	{
@@ -35,7 +35,7 @@
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "{{var_tlscert_existing_fullchain_path}}",
-			"dest": "{{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+			"dest": "/etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem"
 		}
 	},
 	{
@@ -43,7 +43,7 @@
 		"when": "var_tlscert_existing_fullchain_path == None",
 		"become": true,
 		"ansible.builtin.shell": {
-			"cmd": "cat {{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem > {{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+			"cmd": "cat /etc/ssl/certs/{{var_tlscert_existing_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem"
 		}
 	}
 ]
diff --git a/roles/tlscert_selfsigned/defaults/main.json b/roles/tlscert_selfsigned/defaults/main.json
index 23e7808..06c1a9a 100644
--- a/roles/tlscert_selfsigned/defaults/main.json
+++ b/roles/tlscert_selfsigned/defaults/main.json
@@ -1,5 +1,3 @@
 {
-	"var_tlscert_selfsigned_domain_base": "example.org",
-	"var_tlscert_selfsigned_domain_path": "foo",
-	"var_tlscert_selfsigned_ssl_directory": "/etc/ssl"
+	"var_tlscert_selfsigned_domain": "foo.example.org"
 }
diff --git a/roles/tlscert_selfsigned/tasks/main.json b/roles/tlscert_selfsigned/tasks/main.json
index 5b816f3..bed8255 100644
--- a/roles/tlscert_selfsigned/tasks/main.json
+++ b/roles/tlscert_selfsigned/tasks/main.json
@@ -14,10 +14,10 @@
 		"name": "setup directories",
 		"become": true,
 		"loop": [
-			"{{var_tlscert_selfsigned_ssl_directory}}/private",
-			"{{var_tlscert_selfsigned_ssl_directory}}/csr",
-			"{{var_tlscert_selfsigned_ssl_directory}}/certs",
-			"{{var_tlscert_selfsigned_ssl_directory}}/fullchains"
+			"/etc/ssl/private",
+			"/etc/ssl/csr",
+			"/etc/ssl/certs",
+			"/etc/ssl/fullchains"
 		],
 		"ansible.builtin.file": {
 			"state": "directory",
@@ -28,19 +28,19 @@
 		"name": "csr | generate private key",
 		"become": true,
 		"community.crypto.openssl_privatekey": {
-			"path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem"
+			"path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	},
 	{
 		"name": "csr | execute",
 		"become": true,
 		"community.crypto.openssl_csr": {
-			"privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem",
-			"common_name": "{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}",
+			"privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
+			"common_name": "{{var_tlscert_selfsigned_domain}}",
 			"subject_alt_name": [
-				"DNS:{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}"
+				"DNS:{{var_tlscert_selfsigned_domain}}"
 			],
-			"path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem"
+			"path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem"
 		},
 		"register": "temp_csr"
 	},
@@ -48,17 +48,17 @@
 		"name": "generate certificate",
 		"become": true,
 		"community.crypto.x509_certificate": {
-			"privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem",
-			"csr_path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem",
+			"privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
+			"csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem",
 			"provider": "selfsigned",
-			"path": "{{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem"
+			"path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	},
 	{
 		"name": "compose fullchain",
 		"become": true,
 		"ansible.builtin.shell": {
-			"cmd": "cat {{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem > {{var_tlscert_selfsigned_ssl_directory}}/fullchains/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem"
+			"cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	}
 ]
diff --git a/roles/vikunja-and-nginx/defaults/main.json b/roles/vikunja-and-nginx/defaults/main.json
index e08064b..494801c 100644
--- a/roles/vikunja-and-nginx/defaults/main.json
+++ b/roles/vikunja-and-nginx/defaults/main.json
@@ -1,3 +1,4 @@
 {
-	"var_vikunja_and_nginx_domain": "vikunja.example.org"
+	"var_vikunja_and_nginx_domain": "vikunja.example.org",
+	"var_vikunja_and_nginx_tls_mode": "enable"
 }
diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2
index a9a8241..211f4ea 100644
--- a/roles/vikunja-and-nginx/templates/conf.j2
+++ b/roles/vikunja-and-nginx/templates/conf.j2
@@ -1,17 +1,34 @@
-server {
-	listen 80;
-	listen [::]:80;
-	listen 443 ssl;
-	listen [::]:443 ssl;
-	
-	server_name {{var_vikunja_and_nginx_domain}};
-	
-	ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem;
-	ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem;
-	include /etc/nginx/ssl-hardening.conf;
-	
+{% macro vikunja_common() %}
 	location / {
 		proxy_pass http://localhost:3456;
 		client_max_body_size 20M;
 	}
+{% endmacro %}
+
+server {
+	server_name {{var_vikunja_and_nginx_domain}};
+	
+	listen 80;
+	listen [::]:80;
+	
+{% if (var_vikunja_and_nginx_tls_mode == 'force') %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+{{ vikunja_common() }}
+{% endif %}
 }
+
+{% if (var_vikunja_and_nginx_tls_mode != 'disable') %}
+server {
+	server_name {{var_vikunja_and_nginx_domain}};
+	
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	
+	ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+{{ vikunja_common() }}
+}
+{% endif %}
diff --git a/roles/vikunja-and-nginx/vardef.json b/roles/vikunja-and-nginx/vardef.json
new file mode 100644
index 0000000..e1e1a74
--- /dev/null
+++ b/roles/vikunja-and-nginx/vardef.json
@@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+        "type": "string",
+        "options": [
+			"disable",
+			"enable",
+			"force"
+        ],
+        "mandatory": false
+	}
+}