diff --git a/roles/websites/darkchestofwonders.us/files/dcow.wsgi b/roles/websites/darkchestofwonders.us/files/dcow.wsgi
new file mode 100644
index 0000000..1d0cefc
--- /dev/null
+++ b/roles/websites/darkchestofwonders.us/files/dcow.wsgi
@@ -0,0 +1,13 @@
+import os
+import sys
+
+here = os.path.dirname(__file__)
+
+srcdir = os.path.join(here, 'src')
+sys.path.insert(0, srcdir)
+
+import dcow.app
+
+
+config = os.path.join(here, 'production.ini')
+application = dcow.app.Application.create(config)
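Review bot: The `src` directory that `sys.path.insert(0, srcdir)` makes importable is neither created nor populated by any task in this commit (the role only copies `dcow.wsgi` and `production.ini` and creates `screenshots`/`thumbnails`), so a reader of this file has no way to tell where `dcow.app` is expected to come from; presumably it is pushed by the holders of the publisher keys, but that should be stated. I would add a header comment such as `# mod_wsgi entry point; the application package is expected under <app home>/src (not deployed by this role) and its settings under production.ini next to this file`. The import after the path manipulation is deliberate and should say so, e.g. `import dcow.app  # noqa: E402 -- must follow the sys.path change above`. Since `Application.create` runs at import time, a missing or broken `src` tree will surface only as a daemon-process import failure in the httpd error log, which the comment could also mention.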
diff --git a/roles/websites/darkchestofwonders.us/files/production.ini b/roles/websites/darkchestofwonders.us/files/production.ini
new file mode 100644
index 0000000..8cc7993
--- /dev/null
+++ b/roles/websites/darkchestofwonders.us/files/production.ini
@@ -0,0 +1,3 @@
+[gallery]
+screenshot_dir = /srv/www/darkchestofwonders.us/screenshots
+thumbnail_dir = /srv/www/darkchestofwonders.us/thumbnails
diff --git a/roles/websites/darkchestofwonders.us/handlers/main.yml b/roles/websites/darkchestofwonders.us/handlers/main.yml
new file mode 100644
index 0000000..68662db
--- /dev/null
+++ b/roles/websites/darkchestofwonders.us/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: restart httpd
+ service:
+ name=httpd
+ state=restarted
+- name: reload httpd
+ service:
+ name=httpd
+ state=reloaded
diff --git a/roles/websites/darkchestofwonders.us/tasks/main.yml b/roles/websites/darkchestofwonders.us/tasks/main.yml
new file mode 100644
index 0000000..720951e
--- /dev/null
+++ b/roles/websites/darkchestofwonders.us/tasks/main.yml
@@ -0,0 +1,75 @@
+- name: ensure mod_wsgi is installed
+ package:
+ name=python3-mod_wsgi
+ state=present
+ notify: restart httpd
+ tags:
+ - install
+
+- name: ensure rsync is installed
+ package:
+ name=rsync
+ state=present
+ tags:
+ - install
+
+- name: ensure app group exists
+ group:
+ name=webapp.dcow
+ state=present
+- name: ensure app user exists
+ user:
+ name=webapp.dcow
+ group=webapp.dcow
+ home=/srv/www/darkchestofwonders.us
+ createhome=yes
+ state=present
+
+- name: ensure app home directory permissions are set
+ file:
+ path=/srv/www/darkchestofwonders.us
+ mode=0755
+ state=directory
+
+- name: ensure publisher keys are trusted
+ authorized_key:
+ key: "{{ dcow_publisher_keys|join('\n') }}"
+ user: webapp.dcow
+ exclusive: true
+
+- name: ensure virtualenv exists
+ become: true
+ become_user: webapp.dcow
+ pip:
+ name: pip
+ virtualenv: /srv/www/darkchestofwonders.us/venv
+ virtualenv_command: /usr/bin/python3 -m venv
+
+- name: ensure dcow wsgi script is installed
+ copy:
+ src=dcow.wsgi
+ dest=/srv/www/darkchestofwonders.us/dcow.wsgi
+ mode=0644
+
+- name: ensure dcow app is configured
+ copy:
+ src=production.ini
+ dest=/srv/www/darkchestofwonders.us/production.ini
+ mode=0644
+- name: ensure screenshot storage directories exist
+ file:
+ path=/srv/www/darkchestofwonders.us/{{ item }}
+ owner=webapp.dcow
+ group=webapp.dcow
+ mode=0755
+ state=directory
+ with_items:
+ - screenshots
+ - thumbnails
+
+- name: ensure apache is configured to serve darkchestofwonders.us
+ template:
+ src=darkchestofwonders.us.httpd.conf.j2
+ dest=/etc/httpd/conf.d/darkchestofwonders.us.conf
+ mode=0644
+ notify: reload httpd
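Review bot: The `ensure publisher keys are trusted` task installs every key in `dcow_publisher_keys` without any options, which grants each publisher an unrestricted interactive login as `webapp.dcow` — the same account that owns the virtualenv and runs the WSGI daemon, so a leaked publisher key is equivalent to full control of the application. If publishing is only an rsync push (the role installs rsync for that purpose, I assume), the keys can be limited with the module's `key_options` parameter, e.g. `key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'`, and ideally a `command=` restriction to a fixed rsync invocation; whichever options are chosen must still permit the publishers' actual workflow, so this needs confirming with them. Separately, the file mixes `key=value` shorthand (`package`, `user`, `file`, `copy`) with YAML mapping syntax (`authorized_key`, `pip`); picking the mapping form throughout would make the role easier to lint and read.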
diff --git a/roles/websites/darkchestofwonders.us/templates/darkchestofwonders.us.httpd.conf.j2 b/roles/websites/darkchestofwonders.us/templates/darkchestofwonders.us.httpd.conf.j2
new file mode 100644
index 0000000..d0a62bd
--- /dev/null
+++ b/roles/websites/darkchestofwonders.us/templates/darkchestofwonders.us.httpd.conf.j2
@@ -0,0 +1,47 @@
+WSGIDaemonProcess dcow \
+ user=webapp.dcow \
+ group=webapp.dcow \
+ python-home=/srv/www/darkchestofwonders.us/venv \
+ lang=en_US.UTF-8 \
+ display-name=%{GROUP}
+
+
+ServerName darkchestofwonders.us
+
+RewriteEngine On
+RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
+
+
+
+ServerName darkchestofwonders.us
+
+Include conf.d/ssl.include
+SSLCertificateKeyFile /var/lib/letsencrypt/live/darkchestofwonders.us/privkey.pem
+SSLCertificateFile /var/lib/letsencrypt/live/darkchestofwonders.us/fullchain.pem
+
+
+ Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+
+WSGIScriptAlias / /srv/www/darkchestofwonders.us/dcow.wsgi \
+ process-group=dcow
+Alias /screenshots /srv/www/darkchestofwonders.us/screenshots
+
+
+ Require all granted
+
+
+
+
+ AuthType GSSAPI
+ AuthName "{{ krb5_realm|lower }} Domain Authentication"
+ #KrbServiceName HTTP/{{ ansible_fqdn }}@{{ krb5_realm }}
+ GssapiCredStore keytab:/etc/httpd/httpd.keytab
+ GssapiBasicAuth On
+ Require valid-user
+
+
+ Require all denied
+
+
+
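Review bot: The `Alias /screenshots` target is a directory owned and writable by `webapp.dcow` (created with mode 0755 by the tasks) and is exposed with `Require all granted`, so anything the application or a publisher drops there is served verbatim, including a generated directory listing if `Indexes` is inherited from the global configuration; I would add `Options -Indexes` (or `Options None`) to the block that carries the `Require all granted` on L160. The surrounding container tags appear to have been stripped in this rendering, so which `<Directory>`/`<Location>` each `Require` belongs to cannot be confirmed from here and should be checked in the file itself. The commented-out `#KrbServiceName HTTP/{{ ansible_fqdn }}@{{ krb5_realm }}` line is dead configuration and should either be removed or replaced with a one-line comment explaining why `GssapiCredStore` supersedes it. `GssapiBasicAuth On` accepts realm passwords over HTTPS as a fallback; given HSTS is set that is defensible, but a short comment stating it is intentional would help the next reader.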