diff --git a/bank.yaml b/bank.yaml
index 43c92b7..837d27b 100644
--- a/bank.yaml
+++ b/bank.yaml
@@ -1,8 +1,8 @@ --- - hosts: bank - roles: - - common - - bank vars: bank_revbank_git: https://github.com/bitlair/revbank.git + roles: + - { role: "common", tags: [ "common" ] } + - { role: "bank", tags: [ "bank" ] }
diff --git a/bar.yaml b/bar.yaml
index 5752cc3..919a4d8 100644
--- a/bar.yaml
+++ b/bar.yaml
@@ -4,6 +4,6 @@ vars: raspi_rotate_display: "2" roles: - - raspi - - common - - bank-terminal + - { role: "raspi", tags: [ "raspi" ] } + - { role: "common", tags: [ "common" ] } + - { role: "bank-terminal", tags: [ "bank-terminal" ] }
diff --git a/bitlair.yaml b/bitlair.yaml
index ec019e7..71e06f0 100644
--- a/bitlair.yaml
+++ b/bitlair.yaml
@@ -31,6 +31,7 @@ - hosts: monitoring roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "monitoring", tags: [ "monitoring" ] } - hosts: mqtt
@@ -55,4 +56,5 @@ - hosts: wiki roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "www", tags: [ "www" ] }
diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml
new file mode 100644
index 0000000..e9a1937
--- /dev/null
+++ b/group_vars/wiki.yaml
@@ -0,0 +1,21 @@
+acme_bootstrap_certs: yes
+acme_san_domains:
+ - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
+ - [ bitair.nl ]
+ - [ ravespace.nl ]
+
+nginx_sites:
+ - server_name: "bitlair.nl"
+ server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl"
+ snippets:
+ - "mqtt2web-nginx.j2"
+ - "spaceapi-nginx.j2"
+ - "www-nginx.j2"
+ - server_name: "bitair.nl"
+ server_alias: "www.bitair.nl"
+ snippets:
+ - "bitair-nginx.j2"
+ - server_name: "ravespace.nl"
+ server_alias: "www.ravespace.nl"
+ snippets:
+ - "ravespace-nginx.j2"
diff --git a/group_vars/www.yaml b/group_vars/www.yaml
deleted file mode 100644
index e1db9d5..0000000
--- a/group_vars/www.yaml
+++ /dev/null
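Review bot: In `group_vars/wiki.yaml` the `server_alias` values name hosts that no `acme_san_domains` entry covers: `cyber.bitlair.nl`, `www.bitair.nl` and `www.ravespace.nl` are configured for nginx but absent from the three SAN lists. If the nginx role serves every alias over TLS (its site template is not part of this diff), clients using those names would presumably be handed a certificate that does not match. Either extend the lists, e.g. `- [ bitair.nl, www.bitair.nl ]`, or drop the aliases that should not be served. `acme_bootstrap_certs: yes` would also read more predictably as `true`.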
@@ -1,5 +0,0 @@
-acme_bootstrap_certs: yes
-acme_san_domains:
- - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
- - [ bitair.nl ]
- - [ ravespace.nl ]
diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml
index bdf76a8..4e106e0 100644
--- a/mqtt-internal.yaml
+++ b/mqtt-internal.yaml
@@ -2,5 +2,5 @@ - hosts: mqtt roles: - - common - - mqtt-internal + - { role: "common", tags: [ "common" ] } + - { role: "mqtt-internal", tags: [ "mqtt", "mqtt-internal" ] }
diff --git a/music.yaml b/music.yaml
index d12226c..e4ea70b 100644
--- a/music.yaml
+++ b/music.yaml
@@ -2,7 +2,8 @@ - hosts: music roles: - - common - - acme - - go - - music + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } + - { role: "go", tags: [ "go" ] } +# - { role: "nginx", tags: [ "nginx" ] } + - { role: "music", tags: [ "music" ] }
diff --git a/pad.yaml b/pad.yaml
index 90d227e..d9dc92f 100644
--- a/pad.yaml
+++ b/pad.yaml
@@ -5,6 +5,7 @@ acme_san_domains: - [ pad.bitlair.nl ] roles: - - common - - acme - - etherpad + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } +# - { role: "nginx", tags: [ "nginx" ] } + - { role: "etherpad", tags: [ "etherpad" ] }
diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml
index 2afe1f6..851cc02 100644
--- a/roles/etherpad/tasks/main.yaml
+++ b/roles/etherpad/tasks/main.yaml
@@ -1,9 +1,6 @@ --- - tags: etherpad block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install dependencies ansible.builtin.apt: name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ]
diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml
index 4a5bb3c..c5fb328 100644
--- a/roles/git-server/tasks/main.yaml
+++ b/roles/git-server/tasks/main.yaml
@@ -1,6 +1,4 @@ --- -- ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - name: Install dependencies ansible.builtin.apt:
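Review bot: The `nginx` role is added to `music.yaml` only as a comment (`# - { role: "nginx", tags: [ "nginx" ] }`), and the same in the `pad.yaml` hunk, while the `roles/music` and `roles/etherpad` hunks of this commit remove their `import_tasks` of `snippets/common-nginx.yaml`. After the change nothing visible in these two plays installs nginx, sets `server_tokens off` or removes `/etc/nginx/sites-enabled/default`, so a freshly provisioned `music` or `pad` host would miss that baseline (presumably the new role is meant to take it over). Either enable the role in both plays or keep the import in the two roles until they are migrated. `roles/git-server` loses the import as well, and no play in this diff gives its hosts the `nginx` role.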
diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml
index a13313c..398bb5f 100644
--- a/roles/monitoring/tasks/main.yaml
+++ b/roles/monitoring/tasks/main.yaml
@@ -2,9 +2,6 @@ - name: monitoring tags: monitoring block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install nginx site ansible.builtin.template: src: nginx-site.conf
diff --git a/roles/music/tasks/main.yaml b/roles/music/tasks/main.yaml
index e91f146..cad6eb9 100644
--- a/roles/music/tasks/main.yaml
+++ b/roles/music/tasks/main.yaml
@@ -17,8 +17,6 @@ - tags: music block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - name: Install nginx config ansible.builtin.template:
diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml
index 52dfccf..3835eeb 100644
--- a/roles/www/tasks/mediawiki.yaml
+++ b/roles/www/tasks/mediawiki.yaml
@@ -4,9 +4,6 @@ name: php-fpm state: present -- ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install security.txt ansible.builtin.template: src: security.txt
diff --git a/snippets/bitair-nginx.j2 b/snippets/bitair-nginx.j2
new file mode 100644
index 0000000..bfb75d6
--- /dev/null
+++ b/snippets/bitair-nginx.j2
@@ -0,0 +1,2 @@
+root /opt/bitair.nl/;
+index index.html;
diff --git a/snippets/common-nginx.yaml b/snippets/common-nginx.yaml
deleted file mode 100644
index 98aa02b..0000000
--- a/snippets/common-nginx.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: Install nginx
- apt:
- name: nginx
- state: present
-
-- name: Disable nginx server_tokens
- lineinfile:
- path: /etc/nginx/nginx.conf
- line: "\tserver_tokens off;"
- regexp: "server_tokens"
- notify: reload nginx
-
-- name: Clear default nginx site
- file:
- state: absent
- path: /etc/nginx/sites-enabled/default
- notify: reload nginx
diff --git a/snippets/mqtt2web-nginx.j2 b/snippets/mqtt2web-nginx.j2
new file mode 100644
index 0000000..f719780
--- /dev/null
+++ b/snippets/mqtt2web-nginx.j2
@@ -0,0 +1,11 @@
+# mqtt2web nginx config snippet
+
+location /mqtt/ {
+ proxy_pass http://localhost:8080/mqtt;
+ include proxy_params;
+ proxy_buffering off;
+ proxy_cache off;
+ proxy_http_version 1.1;
+ proxy_set_header Connection '';
+ chunked_transfer_encoding off;
+}
diff --git a/snippets/ravespace-nginx.j2 b/snippets/ravespace-nginx.j2
new file mode 100644
index 0000000..492f366
--- /dev/null
+++ b/snippets/ravespace-nginx.j2
@@ -0,0 +1,2 @@
+root /opt/ravespace.nl/;
+index index.html;
diff --git a/snippets/spaceapi-nginx.j2 b/snippets/spaceapi-nginx.j2
new file mode 100644
index 0000000..ba6829a
--- /dev/null
+++ b/snippets/spaceapi-nginx.j2
@@ -0,0 +1,8 @@
+# spaceapi nginx config snippet
+
+location = /statejson {
+ proxy_pass http://localhost:8888;
+ include proxy_params;
+ add_header 'Access-Control-Allow-Origin' '*';
+}
+
diff --git a/snippets/www-nginx.j2 b/snippets/www-nginx.j2
new file mode 100644
index 0000000..1ff42a9
--- /dev/null
+++ b/snippets/www-nginx.j2
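Review bot: In `snippets/mqtt2web-nginx.j2`, `location /mqtt/` ends in a slash but the `proxy_pass` URI `http://localhost:8080/mqtt` does not, so nginx swaps the matched prefix and a request for `/mqtt/foo` reaches the backend as `/mqttfoo`. If the backend expects the sub-path preserved, write `proxy_pass http://localhost:8080/mqtt/;`; if only `/mqtt/` itself is ever requested, `location = /mqtt/` states that intent and rejects everything else. A short comment on which of the two is meant would help the next reader.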
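Review bot: The `add_header 'Access-Control-Allow-Origin' '*';` in `location = /statejson` of `snippets/spaceapi-nginx.j2` stops that location from inheriting any `add_header` set at `server` or `http` level, because nginx inherits those directives only when the current level defines none of its own. If the site template of the nginx role (not part of this diff) sets response headers such as HSTS there, they would be missing on `/statejson`, and the same applies to the Matrix location in `snippets/www-nginx.j2`. Repeat the shared headers inside these locations or pull them in with an `include`. Without the `always` parameter the CORS header is also left off error responses.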
@@ -0,0 +1,89 @@
+root /opt/mediawiki-1.41.1/;
+
+# Photo gallery
+location = /fotos {
+ return 302 $scheme://bitlair.nl/fotos/;
+}
+
+location ~* ^/fotos/(.*)$ {
+ proxy_pass http://204.2.68.2:4567/$1$is_args$args;
+}
+
+location ~ ^/state/(.+)$ {
+ alias /opt/spaceapi/assets/$1;
+}
+
+location = /events.ics {
+ alias /var/lib/bitlair-calendar/events.ics;
+}
+
+location ~ ^/(cache|maintenance|vendor|extensions)/ {
+ deny all;
+}
+
+# Legacy space API stuff.
+location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ {
+ root "/opt/legacy/";
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ include fastcgi.conf;
+}
+
+location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ {
+ root "/opt/legacy/";
+}
+
+location ~ ^/wp-content {
+ root "/opt/legacy/";
+}
+
+location = /statejson.php {
+ rewrite ^.+$ /statejson;
+}
+
+# Mediawiki
+location / {
+ try_files $uri $uri/ @rewrite;
+}
+
+location ~ \.php$ {
+ try_files $uri @rewrite;
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi.conf;
+}
+
+location @rewrite {
+# rewrite ^/(.*)$ /index.php;
+ rewrite ^/(.*)$ /index.php?title=$1$args;
+}
+
+location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ {
+ try_files $uri @rewrite;
+ expires 1M;
+}
+
+location = /_.gif {
+ expires max;
+ empty_gif;
+}
+
+#location /dumps {
+# root /opt/bitlair-wiki/local;
+# autoindex on;
+#}
+
+# Legacy: redirect old prefix.
+location /Pages/ {
+ rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
+}
+
+# Matrix realm delegation
+location = /.well-known/matrix/server {
+ add_header "Content-Type" "application/json";
+ add_header "Access-Control-Allow-Origin" "*";
+ alias /opt/matrix-delegation.json;
+}
+
+location = /.well-known/security.txt {
+ alias /opt/security.txt;
+}
diff --git a/wiki.yaml b/wiki.yaml
new file mode 100644
index 0000000..0a7dc96
--- /dev/null
+++ b/wiki.yaml
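Review bot: The generic `location ~ \.php$` block in `snippets/www-nginx.j2` hands every existing `.php` file under `root /opt/mediawiki-1.41.1/` to php-fpm, and the `deny all` rule above it covers only `cache|maintenance|vendor|extensions`. If uploads use the default `images/` directory, a rule such as `location ~ ^/images/.*\.php$ { deny all; }` placed before the `.php` block keeps uploaded files from ever being executed, and the deny regex could also take in `includes`, `mw-config` and `tests`. Separately, both rewrites concatenate `$args` without a separator: `/index.php?title=$1$args` should be `/index.php?title=$1&$args`, and in the `/Pages/` redirect `$1$args` glues the query string onto the path while nginx appends the original arguments again. In the Matrix location, `add_header "Content-Type"` adds a second header next to the one nginx already sends; `default_type application/json;` sets the type as intended.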
@@ -0,0 +1,8 @@
+---
+
+- hosts: wiki
+ roles:
+ - { role: "common", tags: [ "common" ] }
+ - { role: "acme", tags: [ "acme" ] }
+ - { role: "nginx", tags: [ "nginx" ] }
+ - { role: "www", tags: [ "www" ] }
diff --git a/www.yaml b/www.yaml
deleted file mode 100644
index 6a66f2d..0000000
--- a/www.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- hosts: wiki
- roles:
- - common
- - acme
- - www