diff --git a/docs/ssh-hostkeys.txt b/docs/ssh-hostkeys.txt
index 50788cca931fa2a577438f98a66f03921b840d87..49c6400b67c4ae229528fc678eb9665da0cc30bb 100644
--- a/docs/ssh-hostkeys.txt
+++ b/docs/ssh-hostkeys.txt
@@ -174,6 +174,17 @@
 256 MD5:91:95:e9:e2:1f:17:24:66:10:ae:29:ea:90:41:d9:fb root@archlinux-packer (ED25519)
 3072 MD5:97:9f:77:0e:f5:99:44:f3:ab:db:4b:f4:4a:98:cd:dc root@archlinux-packer (RSA)
+# man.archlinux.org
+1024 SHA256:11C7Qa1GSNBBspSlber3Sp+LEMRpfr/VWkypfu6OnhA root@archlinux-packer (DSA)
+256 SHA256:fL79NVaEiwXGfUhTXWLkue/D1seSADYbui+jwQ2dvW0 root@archlinux-packer (ECDSA)
+256 SHA256:qnuyQJXOuk5VuN7xfainNcgyAzCc1rKjYKyTKvEd0HE root@archlinux-packer (ED25519)
+3072 SHA256:mI+a0Bi94vDqlXC8jPQToFriA9NwB2YkKsVtcjFceUE root@archlinux-packer (RSA)
+
+1024 MD5:68:9b:b0:97:76:d0:71:28:10:c1:ea:d0:1a:f7:1d:99 root@archlinux-packer (DSA)
+256 MD5:23:b4:2d:ff:10:b1:80:43:52:d0:8d:9f:ae:dd:36:0d root@archlinux-packer (ECDSA)
+256 MD5:d1:af:34:47:0c:90:9d:d7:fb:fd:47:e1:b3:97:ac:9b root@archlinux-packer (ED25519)
+3072 MD5:56:0e:71:f1:5f:73:7b:e9:0e:b8:06:60:03:ec:a0:52 root@archlinux-packer (RSA)
+
 # matrix.archlinux.org
 1024 SHA256:4xl3Vzj2VTffMV6zCiAx0DSrsYIBmMnWo41kjR4ZWUo root@archlinux-packer (DSA)
 256 SHA256:+v4KFzSadzQmENY2HvHpn8Zse0opJc7FaixR7/K3y0Y root@archlinux-packer (ECDSA)
diff --git a/docs/ssh-known_hosts.txt b/docs/ssh-known_hosts.txt
index b0d4a058b5374b884639f8d4f47da9d87cfa1aae..fc49a4bccc37280fda7a9646a8c053731c20601f 100644
--- a/docs/ssh-known_hosts.txt
+++ b/docs/ssh-known_hosts.txt
@@ -78,6 +78,11 @@ mailman3.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIb
 mailman3.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxf1nIo36jwbX9nkuYIcbE6t/jVxY7Fnlf99u9MWSvt
 mailman3.archlinux.org ssh-rsa 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
+# man.archlinux.org
+man.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhnsStoFw6rbVpE1S1vsXNk8de1SyMag1C+v0DWVSuNYzTylYg4322WbYzw45z2XhxrF6XmCSDMvgxvFwnfLQA=
+man.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzjkN+igIxSIv5N9+ANNoo6knPa51Tj5TAXs4EQ8lY2
+man.archlinux.org ssh-rsa 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
+
 # matrix.archlinux.org
 matrix.archlinux.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPldvati3TTpEsyK++WOwz4vNikK0Y6cxVQn0DCR5hXmjnzBkrwj08GuZHfTQEGu0HCBQTTOcDmLbQ/QMP3nYKQ=
 matrix.archlinux.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPm0Ing8aSqaw/FGvPD5NqmqZjCo99xKMq1lBdfY4NdX
diff --git a/group_vars/all/vault_archmanweb.yml b/group_vars/all/vault_archmanweb.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c7476cb9a3e7dc331b837cb0fa8864fd2ce94a0e
--- /dev/null
+++ b/group_vars/all/vault_archmanweb.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+61323463643538343139646562616537313436663237633061333262636333363564306433353330
+3064306136366262653432383632333764353832376162320a323066366462343039646235393633
+63373666323931623530653035373936303631376631346163353239653932393638353261356366
+3766663931616137340a383735623532313462313533346539636334383339623561386165316663
+63386465393033323736343662383731383232643035636666623963646436306461303063386662
+65653439646438373466366635303662393031333739313739636434666166373235356562316464
+36376332646635623964303837336139303564333566366462666631346461636363653639383361
+62643833386334393136643465396430303835326339383632333165643233656462303432353735
+31383735316265636635393830636135343339623033396362396533363263386536
diff --git a/host_vars/man.archlinux.org b/host_vars/man.archlinux.org
new file mode 100644
index 0000000000000000000000000000000000000000..ca1d9755887c76591124cff5c945654901096e53
--- /dev/null
+++ b/host_vars/man.archlinux.org
@@ -0,0 +1,2 @@
+---
+filesystem: btrfs
diff --git a/hosts b/hosts
index 111d09eeea3894ae2668a813bf7f1e1a1bee328d..0563876afb54a733cd06331a12bc89e5bc4427b9 100644
--- a/hosts
+++ b/hosts
@@ -65,6 +65,7 @@ state.archlinux.org
 quassel.archlinux.org
 accounts.archlinux.org
 patchwork.archlinux.org
+man.archlinux.org
 [nginx]
 archlinux.org
@@ -76,6 +77,7 @@ aur-dev.archlinux.org
 wiki.archlinux.org
 patchwork.archlinux.org
 security.archlinux.org
+man.archlinux.org
 [buildservers]
 dragon.archlinux.org
diff --git a/playbooks/man.archlinux.org.yml b/playbooks/man.archlinux.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f5f85f0d08b77b04817463d2b2d4a77656103562
--- /dev/null
+++ b/playbooks/man.archlinux.org.yml
@@ -0,0 +1,19 @@
+---
+
+- name: setup man.archlinux.org
+ hosts: man.archlinux.org
+ remote_user: root
+ roles:
+ - { role: firewalld }
+ - { role: common }
+ - { role: tools }
+ - { role: sshd }
+ - { role: root_ssh }
+ - { role: hardening }
+ - { role: certbot }
+ - { role: nginx }
+ - { role: fail2ban }
+ - { role: prometheus_exporters }
+ - { role: postgres }
+ - { role: uwsgi }
+ - { role: archmanweb, archmanweb_version: 'v1.0' }
diff --git a/roles/archmanweb/tasks/main.yml b/roles/archmanweb/tasks/main.yml
index 4581bd35825ce908c2ee05cabc0523bbc937cbd1..bf13894fe6875cd8efccaff539bc14f41a0482ba 100644
--- a/roles/archmanweb/tasks/main.yml
+++ b/roles/archmanweb/tasks/main.yml
@@ -1,4 +1,10 @@
 ---
+- name: create ssl cert
+ include_role:
+ name: certificate
+ vars:
+ domains: ["{{ archmanweb_domain }}"]
+ when: 'archmanweb_domain is defined'
 - name: install required packages
 pacman:
diff --git a/roles/archmanweb/templates/archmanweb_update.service.j2 b/roles/archmanweb/templates/archmanweb_update.service.j2
index 21961935a7d77758341b12b6fc26e157c77232cc..1ded8dd95f4ffacefe99c9e19ca0179c999877d7 100644
--- a/roles/archmanweb/templates/archmanweb_update.service.j2
+++ b/roles/archmanweb/templates/archmanweb_update.service.j2
@@ -6,6 +6,7 @@ Type=oneshot
 User=archmanweb
 WorkingDirectory={{ archmanweb_dir }}/repo/
 ExecStart=/usr/bin/python3 manage.py man_update --cache-dir {{ archmanweb_cache_dir }}
+Environment=TEMP={{ archmanweb_cache_dir }}
 ProtectSystem=full
 PrivateTmp=true
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index db77e2b15ffa3ccd899e8bea11b2e53a5c746eb6..bfd0a3e56cace9e4d7ae0a5917993d7e8ce56f4a 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -87,6 +87,10 @@ locals {
 server_type = "cx11"
 domain = "mailman3"
 }
+ "man.archlinux.org" = {
+ server_type = "cx11"
+ domain = "man"
+ }
 "matrix.archlinux.org" = {
 server_type = "cpx31"
 domain = "matrix"
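Review bot: `archmanweb_version: 'v1.0'` on the last role line pins the deployed application to a git tag, and a tag can be moved after this playbook was reviewed. The role's checkout task is not part of this diff, so whether it verifies a signature on that tag cannot be confirmed from here. If it does not, pin a full commit hash instead, `- { role: archmanweb, archmanweb_version: '<FULL_COMMIT_SHA>' }`, or enable signature verification in the role's git task.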
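Review bot: The guard `when: 'archmanweb_domain is defined'` on the new `create ssl cert` task makes certificate issuance silently optional: if the variable is ever missing, the play carries on without a certificate and the failure only surfaces later in the web server. The playbook added in this commit passes only `archmanweb_version`, so the domain presumably comes from role defaults or the vault, neither of which is visible here. If the role cannot work without a domain, drop the `when`, or put an `assert` task with `that: archmanweb_domain is defined` in front of it so the run stops early. If the skip is intentional, a short comment above the task stating when it is expected would help. The task file continues outside the hunk.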
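Review bot: `Environment=TEMP={{ archmanweb_cache_dir }}` moves the updater's temporary files out of the private /tmp that `PrivateTmp=true` provides and into the persistent cache directory. Leftovers from an interrupted run are then no longer discarded when the unit stops, and the cache directory's ownership and mode become the only protection for them. Python's tempfile honours TEMP only when TMPDIR is unset, and most external tools read TMPDIR alone, so `Environment=TMPDIR={{ archmanweb_cache_dir }}` is the more reliable spelling if `man_update` spawns helpers (not visible here). A one-line comment above the setting stating why /tmp is not used would keep the next reader from removing it. The [Service] section starts and ends outside the hunk.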