diff --git a/debops/files/etc/nginx-master-proxy/conf.d/sample-filecloud.conf.example b/debops/files/etc/nginx-master-proxy/conf.d/sample-filecloud.conf.example
new file mode 100644
index 0000000..9163615
--- /dev/null
+++ b/debops/files/etc/nginx-master-proxy/conf.d/sample-filecloud.conf.example
@@ -0,0 +1,18 @@
+server {
+ listen 80;
+ server_name domain;
+ client_max_body_size 0;
+ location / {
+ proxy_pass http://lxc_host;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 600;
+ }
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
+}
diff --git a/debops/files/etc/nginx-master-proxy/conf.d/sample-s3.conf.example b/debops/files/etc/nginx-master-proxy/conf.d/sample-s3.conf.example
new file mode 100644
index 0000000..b81918f
--- /dev/null
+++ b/debops/files/etc/nginx-master-proxy/conf.d/sample-s3.conf.example
@@ -0,0 +1,20 @@
+server {
+ listen 80;
+ server_name domain;
+ ignore_invalid_headers off;
+ client_max_body_size 0;
+ proxy_buffering off;
+ location / {
+ proxy_pass http://lxc_host:9000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+ }
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
+}
diff --git a/debops/files/etc/nginx-master-proxy/conf.d/sample-website.conf.example b/debops/files/etc/nginx-master-proxy/conf.d/sample-website.conf.example
new file mode 100644
index 0000000..0cc8c98
--- /dev/null
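Review bot: The server block answers on `listen 80;` and `listen 443 ssl;` with the same proxied location, so the application is served over cleartext HTTP with no redirect to HTTPS, and the backend is never told which scheme the client used. Adding `proxy_set_header X-Forwarded-Proto $scheme;` beside the other X-Forwarded headers lets the application build correct links and cookie attributes, and serving port 80 from a separate server block that only returns a 301 to https keeps credentials off the plaintext listener. The same shape is repeated in sample-s3, sample-website and sample-youtrack. The block sets no ssl_protocols or ssl_ciphers, so it presumably inherits the DebOps nginx role's http-level defaults — worth confirming in the rendered config.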
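Review bot: `client_max_body_size 0;` removes the upload size limit, but request buffering is left at nginx's default, so every unbounded upload is first spooled to the proxy's temporary directory before being forwarded to port 9000; `proxy_buffering off;` only covers the response direction. Add `proxy_request_buffering off;` inside `location /` so bodies stream straight to the backend, or keep a finite body size. `ignore_invalid_headers off;` is presumably there to pass S3 metadata headers with underscores through; a one-line comment saying so would stop a later reviewer from removing it as a hardening regression.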
+++ b/debops/files/etc/nginx-master-proxy/conf.d/sample-website.conf.example
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name domain;
+ location / {
+ proxy_pass https://lxc_host;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
+}
diff --git a/debops/files/etc/nginx-master-proxy/conf.d/sample-youtrack.conf.example b/debops/files/etc/nginx-master-proxy/conf.d/sample-youtrack.conf.example
new file mode 100644
index 0000000..0f349d0
--- /dev/null
+++ b/debops/files/etc/nginx-master-proxy/conf.d/sample-youtrack.conf.example
@@ -0,0 +1,32 @@
+server {
+ listen 80;
+ server_name domain;
+ location / {
+ proxy_pass http://lxc_host:8080;
+ access_log off;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ client_max_body_size 60m;
+ proxy_http_version 1.1;
+ }
+ location /api/eventSourceBus {
+ proxy_pass http://lxc_host:8080;
+ access_log off;
+ proxy_cache off;
+ proxy_buffering off;
+ proxy_read_timeout 86400s;
+ proxy_send_timeout 86400s;
+ proxy_set_header Connection '';
+ chunked_transfer_encoding off;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_http_version 1.1;
+ }
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
+}
diff --git a/debops/nginx-master-proxy.yml b/debops/nginx-master-proxy.yml
new file mode 100644
index 0000000..c96200e
--- /dev/null
+++ b/debops/nginx-master-proxy.yml
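Review bot: `proxy_pass https://lxc_host;` speaks TLS to the backend, but nginx does not verify upstream certificates unless told to (`proxy_ssl_verify` defaults to off), so the hop to lxc_host is encrypted yet unauthenticated. Add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <PATH-TO-BACKEND-CA-PLACEHOLDER>;` and `proxy_ssl_server_name on;` in the location, or, if the backend is only reachable over a link you already trust, say so in a comment. This is the only sample that proxies to https rather than http; if that is deliberate a short comment would make the intent clear.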
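Review bot: `access_log off;` in both locations disables the vhost's request log entirely, which removes the record you would need to investigate or detect misuse of an authenticated application; if the concern is noise from the long-lived event stream, keep the log in `location /` and disable it only under `location /api/eventSourceBus`. In `location /` the scheme is hard-coded as `proxy_set_header X-Forwarded-Proto https;` while the same server block also listens on port 80 and the event-stream location uses `$scheme`; writing `proxy_set_header X-Forwarded-Proto $scheme;` in both keeps them consistent and truthful for requests that arrive on the plain listener.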
@@ -0,0 +1,29 @@
+---
+
+- name: Manage master nginx proxy
+ collections: [ 'debops.debops', 'debops.roles01',
+ 'debops.roles02', 'debops.roles03' ]
+ hosts: [ 'debian10' ]
+ become: True
+
+ environment: '{{ inventory__environment | d({})
+ | combine(inventory__group_environment | d({}))
+ | combine(inventory__host_environment | d({})) }}'
+
+ vars:
+ nginx_acme: True
+ nginx_real_ip_from: ['172.16.30.0/24']
+ nginx_default_keepalive_timeout: 65
+ nginx_ocsp: False
+ nginx_worker_processes: auto
+
+ pre_tasks:
+ - name: Copy Nginx Master Proxy config examples
+ copy:
+ src: etc/nginx-master-proxy/conf.d
+ dest: /etc/nginx/
+ mode: 0644
+
+ roles:
+ - role: nginx
+ tags: [ 'role::nginx', 'skip::nginx' ]
diff --git a/debops/root_account.yml b/debops/root_account.yml
index ad4fb35..a778fa4 100644
--- a/debops/root_account.yml
+++ b/debops/root_account.yml
@@ -17,7 +17,7 @@
 post_tasks:
 - name: Tmux Plugins Manager
- shell: git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm && ~/.tmux/plugins/tpm/bin/install_plugins
+ shell: test -d ~/.tmux/plugins/tpm || git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm && ~/.tmux/plugins/tpm/bin/install_plugins
 roles:
 - role: root_account
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 3c26339..3387441 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -3,6 +3,7 @@ ansible_user: root
 remote_user: root
+keyring__keyserver: hkp://keyserver.ubuntu.com:80
 # Add further variables which apply to all servers to this file...
 ...
diff --git a/nginx-site.yml b/nginx-site.yml
index c76931c..b7b8905 100644
--- a/nginx-site.yml
+++ b/nginx-site.yml
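Review bot: `mode: 0644` in the copy task is an unquoted octal literal; YAML 1.1 parsers read it as the integer 420, which Ansible happens to interpret correctly, but the documented and portable form is `mode: '0644'`, and quoting protects against a silent wrong mode if someone later edits it to `644`. The booleans `become: True`, `nginx_acme: True` and `nginx_ocsp: False` would read better as lowercase `true`/`false`, the canonical YAML form. `nginx_ocsp: False` and `nginx_real_ip_from: ['172.16.30.0/24']` are security-relevant choices (OCSP stapling off, X-Forwarded-For trusted from that subnet) and each deserves a one-line comment saying why it was chosen.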
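Review bot: The task still clones tmux-plugins/tpm from GitHub at whatever commit HEAD points to and then runs `install_plugins`, presumably as root given the playbook name, so the root shell environment depends on unpinned third-party code fetched at run time; the `git` module with a `version:` pinned to a tag or commit would make what is installed reviewable and reproducible. Shell precedence also means the command is `(test -d … || git clone …) && install_plugins`, so `install_plugins` runs on every play and the `shell` task always reports changed; a `creates:` argument or a `changed_when:` condition would make it idempotent. The enclosing play starts before the hunk.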
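Review bot: `keyring__keyserver: hkp://keyserver.ubuntu.com:80` fetches signing keys over unencrypted HKP, so the transfer can be observed and altered on the path; the keys are presumably pinned by full fingerprint in the keyring role, which limits what a tampered response can achieve, but `keyring__keyserver: hkps://keyserver.ubuntu.com:443` closes the gap at no cost if that endpoint is reachable from the hosts. A short comment explaining why port 80 was chosen (for example a firewall that blocks the default HKP port) would help the next reader.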
@@ -1,13 +1,17 @@
 ---
+- import_playbook: playbooks/own/allow-releaseinfo-change.yml
+- import_playbook: playbooks/own/locales.yml
 - import_playbook: debops/tzdata.yml
 - import_playbook: debops/pki.yml
+- import_playbook: debops/yadm.yml
+- import_playbook: debops/root_account.yml
+- import_playbook: debops/sudo.yml
+- import_playbook: debops/system_users.yml
 - import_playbook: debops/mariadb.yml
 - import_playbook: debops/php-prod.yml
 - import_playbook: debops/nginx.yml
 - import_playbook: debops/nodejs.yml
 - import_playbook: debops/redis.yml
-- import_playbook: debops/users.yml
-- import_playbook: debops/sudo.yml
 - import_playbook: playbooks/own/var-www-set-ownerships.yml
 # Import all other group playbooks in this file...
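Review bot: `playbooks/own/allow-releaseinfo-change.yml` is now imported before everything else, and its name suggests it makes apt accept changed repository Release metadata without prompting; that is a deliberate loosening of apt's checks, so a one-line comment above the import naming the repository change it works around, and whether it is meant to be temporary, would keep it from quietly becoming permanent. The reorder also moves `debops/sudo.yml` ahead of `debops/system_users.yml` and replaces `debops/users.yml`; if the order is load-bearing (for example sudo rules that reference accounts created later), a comment stating that dependency would help.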