diff --git a/lmn-www-server.yml b/lmn-www-server.yml
new file mode 100644
index 0000000..fb751fc
--- /dev/null
+++ b/lmn-www-server.yml
@@ -0,0 +1,43 @@
+## This playbook deploys a FvS web server machine.
+---
+- name: apply configuration to the web server
+ hosts: all
+ remote_user: ansible
+ become: yes
+ pre_tasks:
+ - pause:
+ prompt: "Enter global-admin AD password. Leave empty to skip domain join"
+ echo: false
+ register: adpw
+ no_log: true
+ when: "ansible_cmdline.adpw is not defined"
+ vars:
+ domain: "pn.steinbeis.schule"
+ extra_pkgs:
+ - vim
+ - apache2
+ - python3-flask
+
+ extra_pkgs_bpo: [ ] # [ libreoffice ]
+
+ roles:
+ - up2date_debian
+ - lmn_sssd
+ - kerberize
+
+ tasks:
+ - name: Override home dir location
+ lineinfile:
+ dest: /etc/sssd/sssd.conf
+ line: override_homedir = /home/%u
+
+ - name: enable pam_mkhomedir.so
+ lineinfile:
+ dest: /etc/pam.d/common-session
+ line: "session optional pam_mkhomedir.so umask=0026"
+ insertbefore: "session optional pam_mount.so"
+
+ - name: enable apache mod userdir
+ apache2_module:
+ state: present
+ name: userdir
diff --git a/roles/kerberize/tasks/main.yml b/roles/kerberize/tasks/main.yml
index 25ec4db..ee17a3e 100644
--- a/roles/kerberize/tasks/main.yml
+++ b/roles/kerberize/tasks/main.yml
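Review bot: The last task enables `mod_userdir` but nothing in the play restricts it, so every account on the host — including every domain user whose home directory the `pam_mkhomedir.so` task creates at first login — can publish a `~/public_html` tree with whatever `Options` the distribution's `userdir.conf` allows; if only selected users should publish, follow it with a task that drops in `UserDir disabled` plus `UserDir enabled <allowed users>` (or tightens `Options`), and add a handler notification, since as far as the hunk shows nothing restarts apache2 after the module is enabled. The `Override home dir location` task calls `lineinfile` with a bare `line` and no `regexp`, so a missing entry is appended at end of file — inside whatever `[...]` section happens to be last in `sssd.conf`, not necessarily the `[domain/...]` or `[nss]` section where `override_homedir` belongs — and an existing `override_homedir` with another value is left untouched; `community.general.ini_file` with `section`/`option`/`value` is the idempotent form. `become: yes` works, but `become: true` is the canonical form and satisfies yamllint's truthy rule. The `no_log: true` on the `pause` task protects the prompt result itself, but any later task that consumes `adpw.user_input` needs its own `no_log` to keep the password out of the run log.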
@@ -1,28 +1,27 @@ -- name: kerberize sshd server - lineinfile: - dest: /etc/ssh/sshd_config - line: "GSSAPIAuthentication yes" - insertafter: "#GSSAPIAuthentication no" +- name: Install kerberos packages + apt: + name: krb5-user + state: latest + +- name: Kerberize sshd server + ansible.builtin.copy: + dest: /etc/ssh/sshd_config.d/kerberize.conf + content: | + GSSAPIAuthentication yes notify: "reload sshd" -- name: kerberize ssh client, authenticate - lineinfile: - dest: /etc/ssh/ssh_config - line: "GSSAPIAuthentication yes" - insertafter: "# GSSAPIAuthentication no" +- name: Kerberize ssh client, authenticate and delegate credentials + ansible.builtin.copy: + dest: /etc/ssh/ssh_config.d/kerberize.conf + content: | + GSSAPIAuthentication yes + GSSAPIDelegateCredentials yes -- name: kerberize ssh client, delegate credentials - lineinfile: - dest: /etc/ssh/ssh_config - line: "GSSAPIDelegateCredentials yes" - insertafter: "# GSSAPIDelegateCredentials no" - - -- name: check if firefox is available +- name: Check if firefox is available stat: path=/etc/firefox-esr/firefox-esr.js register: firefox -- name: kerberize firefox for sites in the local domain +- name: Kerberize firefox for sites in the local domain lineinfile: dest: /etc/firefox-esr/firefox-esr.js line: "{{ item }}" @@ -32,12 +31,12 @@ - 'pref("network.negotiate-auth.trusted-uris", "{{ kerberize_uris | default(ansible_domain) }}");' when: firefox.stat.exists -- name: ensures /etc/chromium/policies/managed dir exists - file: +- name: Ensures /etc/chromium/policies/managed dir exists + file: path: "/etc/chromium/policies/managed" state: directory -- name: kerberize chromium for sites in the local domain +- name: Kerberize chromium for sites in the local domain copy: dest: /etc/chromium/policies/managed/idam.json content: |
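Review bot: The client fragment written to `/etc/ssh/ssh_config.d/kerberize.conf` sets `GSSAPIDelegateCredentials yes` with no `Host` scope, so the user's Kerberos ticket is forwarded to every SSH destination rather than only to domain hosts; scope it by making `Host *.{{ ansible_domain }}` the first line of the `content` block, or expose the pattern as a role variable next to `kerberize_uris`. Both `copy` tasks rely on the host's `sshd_config` and `ssh_config` carrying an `Include …/*.conf` directive for the `.d` directories (present on Debian bullseye and later); on older hosts the fragments are silently ignored while the `lineinfile` edits this hunk removes are no longer performed, so a comment or an assertion on the include line would make that dependency explicit. Hosts already provisioned by the previous version keep the `GSSAPI…` lines that `lineinfile` appended to `/etc/ssh/sshd_config` and `/etc/ssh/ssh_config`, which the new tasks do not remove. `state: latest` on the `apt` task upgrades `krb5-user` on every run; `state: present` keeps the role idempotent and its runs predictable. The `Kerberize firefox` task's `lineinfile` continues past the end of the hunk.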