diff --git a/certs/websites/apps.du5t1n.xyz.cer b/certs/websites/apps.du5t1n.xyz.cer
new file mode 120000
index 0000000..e8dcb1c
--- /dev/null
+++ b/certs/websites/apps.du5t1n.xyz.cer
@@ -0,0 +1 @@
+../../.certs/certificates/apps.du5t1n.xyz.crt
\ No newline at end of file
diff --git a/certs/websites/apps.du5t1n.xyz.key b/certs/websites/apps.du5t1n.xyz.key
new file mode 120000
index 0000000..af5560e
--- /dev/null
+++ b/certs/websites/apps.du5t1n.xyz.key
@@ -0,0 +1 @@
+../../.certs/certificates/apps.du5t1n.xyz.key
\ No newline at end of file
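Review bot: The private-key entry at L15 is a symlink whose target, `../../.certs/certificates/apps.du5t1n.xyz.key`, lies outside the tree this diff shows, so whether `.certs/` is excluded from version control cannot be confirmed here; the same applies to the `.cer` symlink at L7. Confirm the target directory is ignored so no key material is tracked, and that the `cert` role that consumes `websites/apps.du5t1n.xyz.key` (meta hunk) reads through the symlink rather than copying the link itself. A one-line README note in `certs/websites/` stating that these entries are expected to be symlinks into an untracked store would make the convention explicit.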
diff --git a/group_vars/dch-proxy.yml b/group_vars/dch-proxy.yml
index d702312..62b1d3a 100644
--- a/group_vars/dch-proxy.yml
+++ b/group_vars/dch-proxy.yml
@@ -36,6 +36,8 @@ dch_proxy_sites:
- backend: web
match: ebonfire.com
matcher: end
+- backend: web
+ match: apps.du5t1n.xyz
- backend: web
match: hatchlearningcenter hlckc hlcks
matcher: dom
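Review bot: The new `dch_proxy_sites` entry (L25–26) carries no `matcher:` key while its neighbours set `matcher: end` and `matcher: dom`, so its match semantics depend on the role's default for an absent matcher, which this diff does not show. If an exact host match is intended, confirm that is the default and, where the role accepts it, state the matcher explicitly so the entry reads like the others; otherwise add a comment such as `# no matcher: exact host match (role default)` so the omission is clearly deliberate.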
diff --git a/group_vars/public-web/main.yml b/group_vars/public-web/main.yml
index 8a58a20..656bb88 100644
--- a/group_vars/public-web/main.yml
+++ b/group_vars/public-web/main.yml
@@ -9,6 +9,7 @@ ebonfire_publisher_keys: '{{ dchwww_publisher_keys }}'
nratonpass_publisher_keys: '{{ dchwww_publisher_keys }}'
dcow_publisher_keys: '{{ dchwww_publisher_keys }}'
chmod777_publisher_keys: '{{ dchwww_publisher_keys }}'
+appsxyz_publisher_keys: '{{ dchwww_publisher_keys }}'
apache_server_name: pyrocufflink.net
userdir_proxy_backend: http://files.pyrocufflink.blue
tabitha_publisher_keys:
diff --git a/roles/websites/apps.du5t1n.xyz/defaults/main.yml b/roles/websites/apps.du5t1n.xyz/defaults/main.yml
new file mode 100644
index 0000000..2a65879
--- /dev/null
+++ b/roles/websites/apps.du5t1n.xyz/defaults/main.yml
@@ -0,0 +1 @@
+appsxyz_publisher_keys: []
diff --git a/roles/websites/apps.du5t1n.xyz/files/apps.du5t1n.xyz.httpd.conf b/roles/websites/apps.du5t1n.xyz/files/apps.du5t1n.xyz.httpd.conf
new file mode 100644
index 0000000..ce4b0cc
--- /dev/null
+++ b/roles/websites/apps.du5t1n.xyz/files/apps.du5t1n.xyz.httpd.conf
@@ -0,0 +1,23 @@
+
+ServerName apps.du5t1n.xyz
+
+RewriteEngine On
+RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
+
+
+
+ServerName apps.du5t1n.xyz
+
+Include conf.d/ssl.include
+SSLCertificateKeyFile /etc/pki/tls/private/apps.du5t1n.xyz.key
+SSLCertificateFile /etc/pki/tls/certs/apps.du5t1n.xyz.cer
+
+
+ Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+
+DocumentRoot /srv/www/apps.du5t1n.xyz/htdocs
+
+ Require all granted
+
+
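Review bot: The directory block that grants `Require all granted` for the DocumentRoot (L75) sets no `Options` or `AllowOverride`, so directory listings and `.htaccess` processing fall back to the server-wide defaults; pin them explicitly with `Options -Indexes` and `AllowOverride None` alongside `Require all granted`. The container directives around it appear as blank lines in this rendering (L55, L61–62, L69, L71–72, L74, L76–77), presumably `<VirtualHost>`, `<IfModule>` and `<Directory>` lines stripped as markup, so the enclosing structure is inferred. The HSTS header on L70 includes `includeSubDomains`, which also commits any future subdomain of apps.du5t1n.xyz to HTTPS; a short comment stating that this is intended would help the next reader. The TLS policy itself comes from `conf.d/ssl.include`, which is not part of this diff.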
diff --git a/roles/websites/apps.du5t1n.xyz/meta/main.yml b/roles/websites/apps.du5t1n.xyz/meta/main.yml
new file mode 100644
index 0000000..2a3807b
--- /dev/null
+++ b/roles/websites/apps.du5t1n.xyz/meta/main.yml
@@ -0,0 +1,7 @@
+dependencies:
+- role: cert
+ vars:
+ cert_src: websites/apps.du5t1n.xyz.cer
+ cert_dest: /etc/pki/tls/certs/apps.du5t1n.xyz.cer
+ cert_key_src: websites/apps.du5t1n.xyz.key
+ cert_key_dest: /etc/pki/tls/private/apps.du5t1n.xyz.key
diff --git a/roles/websites/apps.du5t1n.xyz/tasks/main.yml b/roles/websites/apps.du5t1n.xyz/tasks/main.yml
new file mode 100644
index 0000000..a15c3ff
--- /dev/null
+++ b/roles/websites/apps.du5t1n.xyz/tasks/main.yml
@@ -0,0 +1,55 @@
+- name: ensure rsync is installed
+ package:
+ name: rsync
+ state: present
+ tags:
+ - install
+
+- name: ensure app group exists
+ group:
+ name: webapp.appsxyz
+ state: present
+- name: ensure app user exists
+ user:
+ name: webapp.appsxyz
+ group: webapp.appsxyz
+ home: /srv/www/apps.du5t1n.xyz
+ createhome: true
+ state: present
+
+- name: ensure app home directory permissions are set
+ file:
+ path: /srv/www/apps.du5t1n.xyz
+ mode: u=rwx,go=rx
+ state: directory
+
+- name: ensure app ssh home directory exists
+ file:
+ path: /srv/www/apps.du5t1n.xyz/.ssh
+ mode: '0700'
+ owner: webapp.appsxyz
+ group: webapp.appsxyz
+ setype: ssh_home_t
+ state: directory
+- name: ensure publisher keys are trusted
+ authorized_key:
+ key: "{{ appsxyz_publisher_keys|join('\n') }}"
+ user: webapp.appsxyz
+ exclusive: true
+- name: ensure authorized_keys file permissions are correct
+ file:
+ path: /srv/www/apps.du5t1n.xyz/.ssh/authorized_keys
+ mode: u=rw,go=
+ owner: webapp.appsxyz
+ group: webapp.appsxyz
+ setype: ssh_home_t
+
+- name: ensure apache is configured to serve apps.du5t1n.xyz
+ copy:
+ src: apps.du5t1n.xyz.httpd.conf
+ dest: /etc/httpd/conf.d/apps.du5t1n.xyz.conf
+ mode: u=rw,go=r
+ notify: reload httpd
+ tags:
+ - httpd-config
+
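Review bot: The `ensure publisher keys are trusted` task (L130–134) uses `exclusive: true` with `appsxyz_publisher_keys` joined into one string, and the role default for that variable is `[]` (defaults hunk); with that default the `key` argument is an empty string, and whether the module then removes every key from the file or fails is not visible here. Add a comment stating the intended outcome, or guard the task with `when: appsxyz_publisher_keys | length > 0` if an empty list should leave the file untouched. The home-directory task on L116–120 sets the mode without `owner`/`group`, relying on the preceding `user` task having created the directory; stating them explicitly keeps the task correct if the directory pre-exists with other ownership. Style: blank lines separate some tasks but not others (L107/108, L129/130, L134/135), and the new YAML files omit a leading `---`.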
diff --git a/websites.yml b/websites.yml
index 0676a36..348554d 100644
--- a/websites.yml
+++ b/websites.yml
@@ -23,6 +23,8 @@
tags: websites/darkchestofwonders.us
- role: websites/chmod777.sh
tags: websites/chmod777.sh
+ - role: websites/apps.du5t1n.xyz
+ tags: websites/apps.du5t1n.xyz
- role: cert
cert_src: websites/hatch.chat.cer
cert_dest: /etc/pki/tls/certs/hatch.chat.cer