diff --git a/manifests/init.pp b/manifests/init.pp
index 9af3907..76b6d2b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -289,5 +289,63 @@ class mastodon (
 timeout => 0,
 require => File["${mastodon_home}/live/.env.production"],
 }
- # Apache::vhost
+ apache::vhost { $hostname:
+ ensure => $ensure,
+ access_log_file => $hostname,
+ error_log_file => $hostname,
+ docroot => "${mastodon_home}/live/public",
+ manage_docroot => false,
+ proxy_preserve_host => true,
+ proxy_add_headers => true,
+ port => 443,
+ priority => 15,
+ protocols => [
+ 'h2',
+ 'http/1.1',
+ ],
+ protocols_honor_order => true,
+ proxy_dest => [
+ { 'path' => '/500.html', 'url' => '!' },
+ { 'path' => '/sw.js', 'url' => '!' },
+ { 'path' => '/robots.txt', 'url' => '!' },
+ { 'path' => '/manifest.json', 'url' => '!' },
+ { 'path' => '/browserconfig.xml', 'url' => '!' },
+ { 'path' => '/mask-icon.svg', 'url' => '!' },
+ ],
+ proxy_dest_reverse_match => [
+ { 'path' => '/api/v1/streaming', 'url' => 'ws://localhost:4000' },
+ { 'path' => '/', 'url' => 'http://localhost:3000/' },
+ ],
+ proxy_dest_match => [
+ { 'path' => '^(/.*\.(png|ico)$)', 'url' => '!' },
+ { 'path' => '^/(assets|avatars|emoji|headers|packs|sounds|system)', 'url' => '!' },
+ ],
+ request_headers => [
+ 'set X-Forwarded-Proto "https"',
+ ],
+ headers => 'always set Strict-Transport-Security "max-age=31536000"',
+ directories => [
+ {
+ 'path' => '^/(assets|avatars|emoji|headers|packs|sounds|system)',
+ 'provider' => 'locationmatch',
+ 'headers' => 'always set Cache-Control "public, max-age=31536000, immutable"',
+ 'deny' => 'from all',
+ 'require' => 'all granted',
+ },
+ {
+ 'path' => '/',
+ 'provider' => 'location',
+ 'require' => 'all granted',
+ },
+ ],
+ error_documents => [
+ { 'error_code' => '500', 'document' => '/500' },
+ { 'error_code' => '501', 'document' => '/501' },
+ { 'error_code' => '502', 'document' => '/502' },
+ { 'error_code' => '503', 'document' => '/503' },
+ { 'error_code' => '504', 'document' => '/504' },
+ ],
+ }
+ # systemd units
+ # systemctl enable --now mastodon-web mastodon-sidekiq mastodon-streaming
 }
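Review bot: The first `directories` entry combines `'deny' => 'from all'` with `'require' => 'all granted'` on the same LocationMatch; `Deny from all` is the pre-2.4 access-control directive and, where mod_access_compat is loaded, it conflicts with the `Require` line, so the static asset paths this block is meant to serve directly (they are excluded from proxying by the `'!'` entries in `proxy_dest_match`) may end up denied or at least ambiguously controlled. Drop the `'deny' => 'from all',` line and keep `'require' => 'all granted',` on its own. Separately, in puppetlabs-apache the `proxy_dest`, `proxy_dest_match` and `proxy_dest_reverse_match` parameters are, as far as I can tell, single strings, while the array-of-`path`/`url` hashes used here is the shape expected by `proxy_pass` and `proxy_pass_match`; worth confirming against the module version this repository pins, since a type mismatch would fail at catalog compile rather than produce the intended ProxyPass ordering. The enclosing class `mastodon` begins before the hunk.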