diff --git a/.certs b/.certs
index 2f9f9ac..e335178 160000
--- a/.certs
+++ b/.certs
@@ -1 +1 @@
-Subproject commit 2f9f9ac148e5dc32f30ee447652fddd6f2fd7511
+Subproject commit e335178e3fe9df1a82ac3de735d703b6a08939d0
diff --git a/certs/websites/chmod777.sh.cer b/certs/websites/chmod777.sh.cer
new file mode 120000
index 0000000..d61d946
--- /dev/null
+++ b/certs/websites/chmod777.sh.cer
@@ -0,0 +1 @@
+../logo/chmod777.sh.crt
\ No newline at end of file
diff --git a/certs/websites/chmod777.sh.key b/certs/websites/chmod777.sh.key
new file mode 120000
index 0000000..f4cee85
--- /dev/null
+++ b/certs/websites/chmod777.sh.key
@@ -0,0 +1 @@
+../logo/chmod777.sh.key
\ No newline at end of file
diff --git a/group_vars/public-web.yml b/group_vars/public-web.yml
index 0b6a9c1..f6048b8 100644
--- a/group_vars/public-web.yml
+++ b/group_vars/public-web.yml
@@ -4,6 +4,7 @@ dchwww_publisher_keys:
ebonfire_publisher_keys: '{{ dchwww_publisher_keys }}'
nratonpass_publisher_keys: '{{ dchwww_publisher_keys }}'
dcow_publisher_keys: '{{ dchwww_publisher_keys }}'
+chmod777_publisher_keys: '{{ dchwww_publisher_keys }}'
apache_server_name: pyrocufflink.net
apache_ssl_certificate:
/var/lib/letsencrypt/live/pyrocufflink.net/fullchain.pem
diff --git a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2 b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
index 1999272..e3cb69e 100644
--- a/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
+++ b/roles/dch-proxy/templates/frontend-main.haproxy.cfg.j2
@@ -28,4 +28,5 @@ frontend main-tls
use_backend nextcloud-tls if { req_ssl_sni -i nextcloud.pyrocufflink.net }
use_backend web-tls if { req_ssl_sni -i darkchestofwonders.us }
use_backend web-tls if { req_ssl_sni -i pyrocufflink.net }
+ use_backend web-tls if { req_ssl_sni -i -m end chmod777.sh }
default_backend openvpn
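Review bot: The `-m end chmod777.sh` match on the new use_backend line is a bare suffix match with no leading dot, so any SNI value that merely ends in those characters (a constructed example: `xchmod777.sh`) would also be routed to web-tls, whereas the sibling rules on the lines above match exact host names. If the intent is the apex plus its subdomains (the Apache vhost added in this commit serves `chmod777.sh`, `www.chmod777.sh` and `blog.chmod777.sh`), match those explicitly: `use_backend web-tls if { req_ssl_sni -i chmod777.sh }` and `use_backend web-tls if { req_ssl_sni -i -m end .chmod777.sh }`. The enclosing `frontend main-tls` section starts before this hunk.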
diff --git a/roles/websites/chmod777.sh/defaults/main.yml b/roles/websites/chmod777.sh/defaults/main.yml
new file mode 100644
index 0000000..0ab7e7e
--- /dev/null
+++ b/roles/websites/chmod777.sh/defaults/main.yml
@@ -0,0 +1 @@
+chmod777_publisher_keys: []
diff --git a/roles/websites/chmod777.sh/files/chmod777.sh.httpd.conf b/roles/websites/chmod777.sh/files/chmod777.sh.httpd.conf
new file mode 100644
index 0000000..b029e4f
--- /dev/null
+++ b/roles/websites/chmod777.sh/files/chmod777.sh.httpd.conf
@@ -0,0 +1,28 @@
+
+ServerName chmod777.sh
+ServerAlias blog.chmod777.sh www.chmod777.sh
+RewriteEngine On
+RewriteRule (.*) https://chmod777.sh$1 [R=301,L]
+
+
+
+ServerName chmod777.sh
+ServerAlias blog.chmod777.sh www.chmod777.sh
+
+RewriteEngine On
+RewriteCond %{SERVER_NAME} !^chmod777\.sh
+RewriteRule (.*) https://chmod777.sh$2 [R=301,L]
+
+Include conf.d/ssl.include
+SSLCertificateKeyFile /etc/pki/tls/private/chmod777.sh.key
+SSLCertificateFile /etc/pki/tls/certs/chmod777.sh.cer
+
+
+ Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+
+DocumentRoot /srv/www/chmod777.sh/htdocs
+
+ Require all granted
+
+
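Review bot: The second redirect rule, `RewriteRule (.*) https://chmod777.sh$2 [R=301,L]`, references capture group `$2` but its pattern has only one group, so the backreference expands to nothing and every request arriving under an alias name is redirected to the bare origin with its path dropped; it should read `RewriteRule (.*) https://chmod777.sh$1 [R=301,L]`, matching the rule in the first vhost. The condition `RewriteCond %{SERVER_NAME} !^chmod777\.sh` is unanchored at the end, so a host name that starts with `chmod777.sh` but continues would be treated as canonical; `!^chmod777\.sh$` is tighter. The container directives (the VirtualHost and Directory blocks) appear to have been stripped from this rendering, so the scope of the blank lines around the HSTS header and `Require all granted` could not be checked here.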
diff --git a/roles/websites/chmod777.sh/tasks/main.yml b/roles/websites/chmod777.sh/tasks/main.yml
new file mode 100644
index 0000000..dbbbdbb
--- /dev/null
+++ b/roles/websites/chmod777.sh/tasks/main.yml
@@ -0,0 +1,53 @@
+- name: ensure rsync is installed
+ package:
+ name: rsync
+ state: present
+ tags:
+ - install
+
+- name: ensure app group exists
+ group:
+ name: webapp.chmod777
+ state: present
+- name: ensure app user exists
+ user:
+ name: webapp.chmod777
+ group: webapp.chmod777
+ home: /srv/www/chmod777.sh
+ createhome: yes
+ state: present
+
+- name: ensure app home directory permissions are set
+ file:
+ path: /srv/www/chmod777.sh
+ mode: '0755'
+ state: directory
+
+- name: ensure app ssh home directory exists
+ file:
+ path: /srv/www/chmod777.sh/.ssh
+ mode: '0700'
+ owner: webapp.chmod777
+ group: webapp.chmod777
+ setype: ssh_home_t
+- name: ensure publisher keys are trusted
+ authorized_key:
+ key: "{{ chmod777_publisher_keys|join('\n') }}"
+ user: webapp.chmod777
+ exclusive: true
+- name: ensure authorized keys file permissions are correct
+ file:
+ path: /srv/www/chmod777.sh/.ssh/authorized_keys
+ mode: '0600'
+ owner: webapp.chmod777
+ group: webapp.chmod777
+ setype: ssh_home_t
+
+- name: ensure apache is configured to serve chmod777.sh
+ copy:
+ src: chmod777.sh.httpd.conf
+ dest: /etc/httpd/conf.d/chmod777.sh.conf
+ mode: '0644'
+ notify: reload httpd
+ tags:
+ - httpd-config
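Review bot: The `ensure app ssh home directory exists` task passes the file module a path, mode, owner, group and setype but no `state`, so it runs with the default `state: file` and on a host where `/srv/www/chmod777.sh/.ssh` does not yet exist it fails instead of creating the directory; add `state: directory`, as the home-directory task above it already does. Two smaller points: `createhome: yes` on the user task should be the canonical boolean `createhome: true`, and with the role default `chmod777_publisher_keys: []` the `key` argument of authorized_key renders as an empty string under `exclusive: true`, so it is worth confirming how the module treats an empty key before relying on an unset variable not to strip the file. This rendering shows every line flush-left, so the task nesting could not be verified from indentation.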
diff --git a/websites.yml b/websites.yml
index 33a5f22..5c592ce 100644
--- a/websites.yml
+++ b/websites.yml
@@ -8,6 +8,14 @@
- websites/ebonfire.com
- websites/nratonpass.com
- websites/darkchestofwonders.us
+ - role: cert
+ cert_src: websites/chmod777.sh.cer
+ cert_dest: /etc/pki/tls/certs/chmod777.sh.cer
+ cert_key_src: websites/chmod777.sh.key
+ cert_key_dest: /etc/pki/tls/private/chmod777.sh.key
+ tags: websites/chmod777.sh
+ - role: websites/chmod777.sh
+ tags: websites/chmod777.sh
tasks:
- name: ensure httpd service is running
service:
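Review bot: The cert role's `cert_src: websites/chmod777.sh.cer` and `cert_key_src: websites/chmod777.sh.key` point at the two symlinks added in this commit, whose targets `../logo/chmod777.sh.crt` and `../logo/chmod777.sh.key` are not part of this diff; if those targets live in the `.certs` submodule that is bumped here, a checkout without the submodule leaves the links dangling and the cert role's copy fails. It would help to note in the play, e.g. `# cert sources resolve into the .certs submodule; run git submodule update first`, or to confirm the target path is tracked in the main repository. The play's `roles` list starts before this hunk.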