diff --git a/certs/websites/tabitha.biz.cer b/certs/websites/tabitha.biz.cer
new file mode 120000
index 0000000..c098a8f
--- /dev/null
+++ b/certs/websites/tabitha.biz.cer
@@ -0,0 +1 @@
+../lego/tabitha.biz.crt
\ No newline at end of file
diff --git a/certs/websites/tabitha.biz.key b/certs/websites/tabitha.biz.key
new file mode 120000
index 0000000..449ab30
--- /dev/null
+++ b/certs/websites/tabitha.biz.key
@@ -0,0 +1 @@
+../lego/tabitha.biz.key
\ No newline at end of file
diff --git a/group_vars/public-web.yml b/group_vars/public-web.yml
index 1f601f1..83ebc95 100644
--- a/group_vars/public-web.yml
+++ b/group_vars/public-web.yml
@@ -7,3 +7,5 @@ dcow_publisher_keys: '{{ dchwww_publisher_keys }}'
 chmod777_publisher_keys: '{{ dchwww_publisher_keys }}'
 apache_server_name: pyrocufflink.net
 userdir_proxy_backend: http://files.pyrocufflink.blue
+tabitha_publisher_keys:
+- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbeVaQ5eGTaQU9P0sqo9R2IISoe50qS/Hv/vvFdt3ce tabitha@Tabithas-MacBook-Pro.local
diff --git a/roles/websites/tabitha/files/tabitha.httpd.conf b/roles/websites/tabitha/files/tabitha.httpd.conf
new file mode 100644
index 0000000..4334017
--- /dev/null
+++ b/roles/websites/tabitha/files/tabitha.httpd.conf
@@ -0,0 +1,27 @@
+
+ServerName tabitha.biz
+ServerAlias www.tabitha.biz
+
+RewriteEngine On
+RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
+
+
+
+ServerName tabitha.biz
+ServerAlias www.tabitha.biz
+
+Include conf.d/ssl.include
+SSLCertificateKeyFile /etc/pki/tls/private/tabitha.biz.key
+SSLCertificateFile /etc/pki/tls/certs/tabitha.biz.cer
+
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+
+
+DocumentRoot /srv/www/tabitha/htdocs
+
+ Require all granted
+
+
diff --git a/roles/websites/tabitha/meta/main.yml b/roles/websites/tabitha/meta/main.yml
new file mode 100644
index 0000000..e8b8aa7
--- /dev/null
+++ b/roles/websites/tabitha/meta/main.yml
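Review bot: The key added under `tabitha_publisher_keys` keeps the generator's default comment `tabitha@Tabithas-MacBook-Pro.local`, which is written verbatim into the managed authorized_keys file and records a personal machine name for no operational benefit; a neutral label such as `tabitha-publisher` says what the key is for instead. The entry also carries no authorized_keys options, so it grants a full shell to whatever holds the private key; if the publisher only ever pushes files, prefixing the entry with `restrict` (and optionally a `from=` source pin) narrows that, though whether it fits depends on how the publisher connects, which this hunk does not show. The key is used through `authorized_key` with `exclusive: true` elsewhere in the commit, so any options need to live in this list entry.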
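Review bot: The HTTP-to-HTTPS redirect on the `RewriteRule` line builds its target from `%{SERVER_NAME}`; with Apache's default `UseCanonicalName Off` that value follows the request's `Host` header, so the redirect is only as constrained as the vhost matching that routes requests here, and if this vhost ever becomes the default one a crafted `Host` turns the 301 into a redirect to an arbitrary host. Pinning the target, `RewriteRule (.*) https://tabitha.biz$1 [R=301,L]`, or adding `UseCanonicalName On` to the vhost, removes the dependency; the fixed form also folds www.tabitha.biz onto the apex, which may or may not be wanted. The `VirtualHost`, `IfModule` and `Directory` container lines appear to have been stripped from this rendering, so the options on the `Directory` block holding `Require all granted` (for example whether `Indexes` is off) could not be checked.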
@@ -0,0 +1,9 @@
+dependencies:
+- role: cert
+ vars:
+ cert_src: websites/tabitha.biz.cer
+ cert_dest: /etc/pki/tls/certs/tabitha.biz.cer
+ cert_key_src: websites/tabitha.biz.key
+ cert_key_dest: /etc/pki/tls/private/tabitha.biz.key
+ tags:
+ - websites/darkchestofwonders.us
diff --git a/roles/websites/tabitha/tasks/main.yml b/roles/websites/tabitha/tasks/main.yml
new file mode 100644
index 0000000..50ec5ba
--- /dev/null
+++ b/roles/websites/tabitha/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: ensure app group exists
+ group:
+ name: webapp.tabitha
+ state: present
+- name: ensure app user exists
+ user:
+ name: webapp.tabitha
+ group: webapp.tabitha
+ home: /srv/www/tabitha
+ createhome: true
+ state: present
+
+- name: ensure app home directory permissions are set
+ file:
+ path: /srv/www/tabitha
+ mode: '0755'
+ state: directory
+
+- name: ensure publisher keys are trusted
+ authorized_key:
+ key: "{{ tabitha_publisher_keys|join('\n') }}"
+ user: webapp.tabitha
+ exclusive: true
+- name: ensure authorized_keys file permissions are correct
+ file:
+ path: /srv/www/tabitha/.ssh/authorized_keys
+ mode: '0600'
+ owner: webapp.tabitha
+ group: webapp.tabitha
+ setype: ssh_home_t
+
+- name: ensure apache is configured to serve tabitha.biz
+ copy:
+ src: tabitha.httpd.conf
+ dest: /etc/httpd/conf.d/tabitha.conf
+ mode: '0644'
+ notify: reload httpd
diff --git a/websites.yml b/websites.yml
index 3fdfb49..c21db87 100644
--- a/websites.yml
+++ b/websites.yml
@@ -45,6 +45,9 @@
 tags:
 - websites/proxy
 - websites/hatch.chat
+ - role: websites/tabitha
+ tags:
+ - websites/tabitha
 tasks:
 - name: ensure httpd service is running
 service:
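Review bot: The `tags:` entry on the last line of the hunk is `websites/darkchestofwonders.us`, which looks copied from another role; the play in websites.yml applies this role under `websites/tabitha`, so a tagged run with that tag would execute the tabitha tasks but skip the `cert` dependency, leaving `/etc/pki/tls/certs/tabitha.biz.cer` and the key in `/etc/pki/tls/private` absent when httpd is reloaded with a config that references them. Change it to `- websites/tabitha` so the dependency is selected together with the role.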
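Review bot: The Apache config installed by the last task points at `DocumentRoot /srv/www/tabitha/htdocs`, but no task in this role creates that directory; only `/srv/www/tabitha` is created (by the `user` task, then set to `0755` by the `file` task), so httpd serves errors until something else creates `htdocs`, presumably the publisher over ssh. A `file` task for the document root, owned by the app user, makes the role self-sufficient and is also the natural place to set the SELinux type for web content explicitly, since the authorized_keys task already sets `setype` and nothing visible labels the served tree (`httpd_sys_content_t` is the conventional type, but confirm against the host's policy before adding it). The handler referenced by `notify: reload httpd` is not defined in this role and must come from the play or another role; a one-line comment above the `copy` task saying where it lives would help the next reader.
```yaml
- name: ensure app home directory permissions are set
  # … unchanged …

- name: ensure document root exists
  file:
    path: /srv/www/tabitha/htdocs
    owner: webapp.tabitha
    group: webapp.tabitha
    mode: '0755'
    state: directory

# … unchanged: publisher key, authorized_keys permission and apache config tasks …
```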