diff --git a/configure_nginx.yml b/configure_nginx.yml
index 68abdc93231c010dc9f4b180693c0c0c199b7aa2..0ec77d152c54ef8be727eb1b49e1ba2a095b0bae 100644
--- a/configure_nginx.yml
+++ b/configure_nginx.yml
@@ -32,6 +32,26 @@
         - absent
         - directory
 
+    # add and enable default_server entry; on http: 302->https, on https throw 403 per default
+    - name: setup nginx vhosts
+      template:
+        src: templates/nginx_default_site.conf.j2
+        dest: "{{ nginx_sites_available }}/default.{{ otree_domain }}"
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: create symlinks for nginx vhosts confs
+      file:
+        state: link
+        src: "{{ nginx_sites_available }}/default.{{ otree_domain }}"
+        dest: "{{ nginx_sites_enabled }}/default.{{ otree_domain }}"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: restart nginx
+
+
     # add new vhost configs and enable them
     - name: setup nginx vhosts
       template:
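Review bot: The template task at L10–L16 has no `notify: restart nginx`, so a later change to nginx_default_site.conf.j2 re-renders the file but nginx keeps serving the old configuration; only the symlink task notifies, and it reports no change once the link exists. Add `notify: restart nginx` to the template task as well. The task is also named identically to the existing `setup nginx vhosts` task at L30, which makes play output and `--start-at-task` ambiguous; `- name: setup nginx default vhost` would distinguish it. The `mode: "0644"` on the symlink task at L25 is effectively a no-op on Linux, where symlink permissions cannot be set, and can be dropped.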
@@ -62,22 +82,6 @@
         group: root
         mode: "0644"
       notify: restart nginx
-    # TLS certificates
-    # Unfourtunately not scriptable due to security considerations
-    #- name: copy over certificate key files
-    #  copy:
-    #    src: "{{ item.src }}"
-    #    dest: "{{ item.dest }}"
-    #    group: root
-    #    mode: "{{ item.mode }}"
-    #  no_log: yes
-    #  with_items:
-    #    - src: "ssl/certs/localhost.crt"
-    #      dest: "/etc/ssl/certs/localhost.crt"
-    #      mode: "0644"
-    #    - src: "ssl/private/localhost.key"
-    #      dest: "/etc/ssl/private/localhost.key"
-    #      mode: "0600"
 
   handlers:
     - name: restart nginx
diff --git a/configure_otree.yml b/configure_otree.yml
index 496355f61375a9b4c143786326b505898f6caaf6..84082a927fde25ba3c7567920e9900f3c178c1d3 100644
--- a/configure_otree.yml
+++ b/configure_otree.yml
@@ -115,20 +115,3 @@
       become_user: "{{ item.key }}"
       with_dict: "{{ otree_users }}"
       when: item.value.override
-
-    - name: create supervisor-config for otree instances from template 
-      template:
-        src: templates/supervisor_otree.conf.j2
-        dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
-        owner: root
-        group: root
-        mode: "0644"
-      with_dict: "{{ otree_users }}"
-      when: item.value.override
-
-    - name: make sure services are created and (re)-started
-      supervisorctl:
-        name: "{{ item.key }}"
-        state: restarted
-      with_dict: "{{ otree_users }}"
-    # TODO: set up otree (create venv, install pip packages, adapt .bashrc, run resetdb
diff --git a/configure_supervisor.yml b/configure_supervisor.yml
index 6eeb9006dd0ea9db80a765a43fe2b8d1dffa6d30..f5b0deef513389713e765ad2737c1a2ab52eb373 100644
--- a/configure_supervisor.yml
+++ b/configure_supervisor.yml
@@ -1 +1,22 @@
-FIXME: TODO
+---
+- name: setup otree
+  become: true
+  hosts: all
+  tasks:
+    # create current supervisor configs and start it
+    - name: create supervisor-config for otree instances from template
+      template:
+        src: templates/supervisor_otree.conf.j2
+        dest: "/etc/supervisor/conf.d/{{ item.key }}.conf"
+        owner: root
+        group: root
+        mode: "0640"
+      with_dict: "{{ otree_users }}"
+      when: item.value.override
+
+    - name: make sure services are created and (re)-started
+      supervisorctl:
+        name: "{{ item.key }}"
+        state: restarted
+      with_dict: "{{ otree_users }}"
+      when: item.value.override
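Review bot: The `supervisorctl` task at L102–L107 restarts every overridden instance on every run of the play, since `state: restarted` is unconditional, so each run interrupts the running services even when no config changed. Register the template result with `register: supervisor_conf` on the task at L92 and guard the restart with `when: item.value.override and supervisor_conf is changed`, or use `state: present` for creation and move the restart into a handler notified by the template task. As far as I recall `restarted` runs `supervisorctl update` first, so new programs are picked up either way — worth confirming against the module version in use. The play name `setup otree` at L87 is misleading for a file called configure_supervisor.yml; `- name: setup supervisor` reads better.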
diff --git a/site.yml b/site.yml
index 301b99c4880e91737451b710e12b22728ebf7681..2761bda74b03761cbc3dae213e22d2be5b84ccc9 100644
--- a/site.yml
+++ b/site.yml
@@ -22,6 +22,15 @@
       - postgresql
       - postgresql-contrib
   tasks:
+   # install all apt packages
+    - name: update package information
+      apt: update_cache=yes
+
+    - name: install required packages
+      apt:
+        name: "{{ prereq_packages }}"
+        state: latest
+
     # create/delete users as specified in group_vars/otree_users.yml
     - name: Create group for otreeusers
       group:
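Review bot: `apt: update_cache=yes` at L118 uses the key=value shorthand while every other task in the file uses block-style arguments; write it as `apt:` / `update_cache: true` / `cache_valid_time: 3600` so it matches the file and stops reporting a change on every run. `state: latest` at L123 upgrades the prerequisite packages on every run, which lets hosts drift between runs; `state: present` installs what is missing and leaves upgrades to a deliberate step. The comment at L116 is indented three spaces instead of the four used by the surrounding tasks.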
@@ -45,11 +54,10 @@
       set_fact:
         removed_users: "{{existing_users.stdout_lines | difference(otree_users) }}"
 
-    - name: Delete removed user accounts
-      user:
+    - name: stop supervisor services
+      supervisorctl:
         name: "{{ item }}"
-        state: absent
-        remove: yes
+        state: stopped
       with_items: "{{ removed_users }}"
 
     - name: remove supervisor services
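Review bot: The `stop supervisor services` task at L134–L140 will fail hard for a removed user that has no program registered in supervisor — for example one whose config was never written because `override` was false in configure_supervisor.yml — since, as far as I recall, the supervisorctl module aborts with 'no such process' for `state: stopped` when nothing matches, which stops the play before the account is removed. Register the result and tolerate only that case, e.g. `register: stopped_services` and `failed_when: stopped_services.failed and 'no such process' not in (stopped_services.msg | default(''))`, verifying the message text against the module version in use. Stopping before the `state: absent` removal at L142 is the right order, since supervisor refuses to remove a running group.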
@@ -57,23 +65,22 @@
         name: "{{ item }}"
         state: absent
       with_items: "{{ removed_users }}"
-    # FIXME: remove supervisor configs for deleted users
 
-    # add python repos, FIXME should be avoided by using recent unbuntu version
-    #- name: add ppa repository with python versions
-    #  apt_repository: "ppa:deadsnakes/ppa"
-    #  state: present
-    
-    # install all apt packages
-    - name: update package information
-      apt: update_cache=yes
+    - name: remove supervisor config files
+      file:
+        state: absent
+        path: "/etc/supervisor/conf.d/{{ item }}.conf"
+      with_items: "{{ removed_users }}"
 
-    - name: install required packages
-      apt:
-        name: "{{ prereq_packages }}"
-        state: latest
+    - name: Delete removed user accounts
+      user:
+        name: "{{ item }}"
+        state: absent
+        remove: yes
+      with_items: "{{ removed_users }}"
 
 - import_playbook: "configure_nginx.yml"
 - import_playbook: "configure_postgresql.yml"
 - import_playbook: "configure_otree.yml"
+- import_playbook: "configure_supervisor.yml"
 - import_playbook: "configure_ufw.yml"
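Review bot: `remove: yes` at L171 is a YAML 1.1 truthy value; prefer the canonical `remove: true` (yamllint `truthy`). Stopping, removing the program, deleting the config and finally removing the account is the right order, but the account deletion wipes the home directory for every name in `removed_users`, which is derived from command output at L130; a comment such as `# destructive: removes home directories of accounts no longer listed in otree_users` above L167 would make that explicit.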
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index ecd6b9c7c74c19826644ccefbdd85c1d13b293f8..266a0bc712bc028256c85849a31b17a47c4a4911 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -29,7 +29,7 @@ http {
 
 	##
 	# SSL Settings
-	# keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d={{ otree_domain }}
+	# keep an eye on: https://cipherli.st/ and https://www.ssllabs.com/ssltest/analyze.html?d=otree.{{ otree_domain }}
 	##
 	ssl_dhparam /etc/nginx/dhparam.pem; 
 	# assumes command executed: openssl dhparam -out /etc/nginx/dhparam.pem 4096
diff --git a/templates/nginx_default_site.conf.j2 b/templates/nginx_default_site.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..22eb9a2fa8d030b7e739572b4583a213b85cd2c3
--- /dev/null
+++ b/templates/nginx_default_site.conf.j2
@@ -0,0 +1,27 @@
+# Default server configuration for http
+# Redirect http to https
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        server_name _;
+
+        return 301 https://$host$request_uri;
+}
+
+# Default server configuration for https
+# Throw 403 if no specific domain is matched
+# FIXME: Custom 403
+server {
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+        server_name _;
+
+        ssl_certificate {{ ssl_certificate_path }};
+        ssl_certificate_key {{ ssl_certificate_key_path }};
+
+        location / {
+                return 403;
+        }
+}
+
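Review bot: The new template indents with eight spaces while the sibling nginx_site.conf.j2 uses tabs (see L241–L242); pick one style for both templates. The `location /` wrapper around `return 403;` at L220–L222 is unnecessary — `return 403;` directly in the server block covers every request. For the 443 catch-all, consider `ssl_reject_handshake on;` in place of the two certificate directives if the installed nginx supports it (1.19.4 or later), so connections by IP or unknown SNI never receive the site's certificate; otherwise the current form is fine. The trailing empty line at L224 can be dropped.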
diff --git a/templates/nginx_site.conf.j2 b/templates/nginx_site.conf.j2
index b08f76b8a8054db8f32d05f2fd6f71b60c69e236..b64b6717de3f3977a536cf7eeeb49a5ccb7ccca4 100644
--- a/templates/nginx_site.conf.j2
+++ b/templates/nginx_site.conf.j2
@@ -3,32 +3,19 @@ map $http_upgrade $connection_upgrade {
 	''	close;
 }
 
-{% if item.key == otree_master %}
-# Default server configuration for http
-# Redirect http to https
 server {
-        listen 80 default_server;
-	listen [::]:80 default_server;
 
-        server_name _;
+	listen 443 ssl;
+	listen [::]:443 ssl;
 
-        return 301 https://$host$request_uri;
-}
-{% endif %}
-
-server {
-
-	listen 443 ssl{% if item.key == otree_master  %} default_server{% endif %};
-	listen [::]:443 ssl{% if item.key == otree_master %} default_server{% endif %};
-
-	server_name {% if item.key == otree_master %}{{ otree_domain }} *.{{otree_domain}}{% else %}{{ item.key }}.{{otree_domain}}{% endif %};
+	server_name {{ item.key }}.{{ otree_domain }};
 
 	ssl_certificate {{ ssl_certificate_path }};
 	ssl_certificate_key {{ ssl_certificate_key_path }};
 
 	location / {
 		access_log off;
-		proxy_pass http://localhost:{{ item.value.port }};
+		proxy_pass http://127.0.0.1:{{ item.value.port }};
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
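Review bot: Dropping the `otree_master` branch at L233–L253 means the bare `{{ otree_domain }}` apex, previously served by the master alongside `*.{{ otree_domain }}`, now falls through to the 403 default server; if anyone still reaches the master via the apex, add it to a `server_name` or a redirect, otherwise a comment stating that every instance is reached as `<key>.<domain>` would help. The `proxy_set_header` lines end at L265 and the `location /` and `server` blocks continue outside the hunk; if `X-Forwarded-Proto` is not set further down, add `proxy_set_header X-Forwarded-Proto $scheme;` so the proxied application can tell the request arrived over TLS. The switch to `127.0.0.1` at L262 avoids the localhost/IPv6 resolution ambiguity and is fine as written.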