diff --git a/.gitignore b/.gitignore
index 01be70a..77607d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,9 +6,9 @@
 
 # Production files
 *.yml
-host_vars/**
+host_vars
 
 # Testing env exceptions
 !testing.yml
-!./host_vars/all.yml
+!all.yml
 
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..65cd2da
--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,15 @@
+## Nextcloud Configuration ##
+nc_version: 16.0.3
+nc_sha256sum: a13f68ce47a1362318629ba5b118a59fa98358bb18f4afc371ea15104f2881f3
+
+nc_domain: www.example.com
+nc_docroot: /var/www/nextcloud
+nc_data: /var/www/nextcloud/data
+
+nc_db: nextcloud
+nc_db_user: nextcloud
+nc_db_pass: nc+password
+
+nc_admin: admin
+nc_admin_pass: ncadmin+password
+
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 085fe68..ad2c1c0 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -109,6 +109,27 @@
   notify:
     - Reload Apache
 
+- name: Enable Apache Rewrite Module
+  apache2_module:
+    name: rewrite
+    state: present
+  notify:
+    - Reload Apache
+
+- name: Enable Apache SSL Module
+  apache2_module:
+    name: ssl
+    state: present
+  notify:
+    - Reload Apache
+
+- name: Enable Apache Headers Module
+  apache2_module:
+    name: headers
+    state: present
+  notify:
+     - Reload Apache
+
 - name: Enable Site
   file:
     src: /etc/apache2/sites-available/{{ nc_domain }}.conf
@@ -118,3 +139,4 @@
     group: root
   notify:
     - Reload Apache
+
diff --git a/roles/nextcloud/templates/apacheconf.conf b/roles/nextcloud/templates/apacheconf.conf
index 39db7e8..add282c 100644
--- a/roles/nextcloud/templates/apacheconf.conf
+++ b/roles/nextcloud/templates/apacheconf.conf
@@ -16,6 +16,19 @@
 
 <VirtualHost *:80>
         ServerName {{ nc_domain }}
+        ServerAdmin {{ nc_admin }}
+
+        RewriteEngine On
+        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+</VirtualHost>
+
+
+<VirtualHost *:443>
+        ServerName {{ nc_domain }}
 
         ServerAdmin {{ nc_admin }}
         DocumentRoot {{ nc_docroot }}
@@ -23,8 +36,17 @@
         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined
 
+        SSLEngine on
+        SSLCertificateFile      /etc/letsencrypt/live/{{ nc_domain }}/cert.pem
+        SSLCertificateKeyFile   /etc/letsencrypt/live/{{ nc_domain }}/privkey.pem
+        SSLCertificateChainFile /etc/letsencrypt/live/{{ nc_domain }}/chain.pem
+
+        Protocols h2 http/1.1
+
+        Header always set Strict-Transport-Security "max-age=63072000"
 </VirtualHost>
 
+
 <Directory {{ nc_docroot }}>
     Options Indexes FollowSymLinks
     AllowOverride All
@@ -33,4 +55,13 @@
     php_value memory_limit 512M
 </Directory>
 
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder     off
+SSLSessionTickets       off
+
+SSLUseStapling On
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+
 # vim: syntax=apache
+