diff --git a/pillar/role/countdown.sls b/pillar/role/countdown.sls
new file mode 100644
index 0000000..2246657
--- /dev/null
+++ b/pillar/role/countdown.sls
@@ -0,0 +1,40 @@
+apparmor:
+ profiles:
+ httpd2-prefork:
+ source: salt://profile/countdown/files/httpd2-prefork.apparmor
+ template: jinja
+
+profile:
+ countdown:
+ languages:
+ - af
+ - bg
+ - cs
+ - da
+ - de
+ - el
+ - en
+ - es
+ - fi
+ - fr
+ - gl
+ - hr
+ - hu
+ - id
+ - it
+ - ja
+ - lt
+ - nb
+ - nl
+ - pl
+ - pt
+ - pt_BR
+ - ro
+ - ru
+ - sk
+ - sv
+ - tr
+ - tw
+ - wa
+ - zh
+ redirect_target: 'Portal:15.0'
diff --git a/salt/profile/countdown/apache.sls b/salt/profile/countdown/apache.sls
new file mode 100644
index 0000000..062acc6
--- /dev/null
+++ b/salt/profile/countdown/apache.sls
@@ -0,0 +1,28 @@
+apache2:
+ pkg.installed:
+ - pkgs:
+ - apache2-mod_apparmor
+ - apache2-prefork
+ service.running:
+ - enable: True
+
+/etc/apache2/vhosts.d/countdown.opensuse.org.conf:
+ file.managed:
+ - listen_in:
+ - service: apache2
+ - source: salt://profile/countdown/files/apache-vhost.conf
+ - template: jinja
+
+sysconfig_apache2_countdown:
+ file.replace:
+ - name: /etc/sysconfig/apache2
+ - pattern: ^APACHE_MODULES=.*$
+ # original line: "actions alias auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout authn_core php7 rewrite"
+ - repl: APACHE_MODULES=" alias apparmor auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex dir env expires include log_config mime negotiation setenvif socache_shmcb reqtimeout authn_core rewrite remoteip status"
+ - listen_in:
+ - service: apache2
+
+/etc/logrotate.d/apache2-vhosts:
+ file.managed:
+ # same file as used for the wikis, no need to duplicate it
+ - source: salt://profile/wiki/files/apache2-wiki.logrotate
diff --git a/salt/profile/countdown/files/apache-vhost.conf b/salt/profile/countdown/files/apache-vhost.conf
new file mode 100644
index 0000000..9348244
--- /dev/null
+++ b/salt/profile/countdown/files/apache-vhost.conf
@@ -0,0 +1,44 @@
+
+ ServerName countdown.opensuse.org
+ ServerAlias counter.opensuse.org
+ UseCanonicalName Off
+
+ AADefaultHatName vhost_countdown
+
+ DocumentRoot /srv/www/countdown.opensuse.org/public
+
+
+ Require all granted
+
+ Options +FollowSymlinks
+
+
+
+ Options Multiviews FollowSymLinks IncludesNoExec
+ DirectoryIndex medium
+ LanguagePriority en
+ #ForceLanguagePriority Fallback
+ #ForceLanguagePriority Prefer
+
+ {% for lang in pillar['profile']['countdown']['languages']|sort %}
+ AddLanguage {{lang}} .{{lang}}.png
+ {%- endfor %}
+
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^(.+)\.png/?$ $1
+ RewriteRule ^/?((small|medium|large|wide)-nolabel)/?$ /$1 [PT]
+ RewriteRule ^/?((small|medium|large|wide)-label)/?$ /$1 [PT]
+ RewriteRule ^/?(|small|medium|large|wide)/?$ /$1 [PT]
+
+ RedirectTemp /goto/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+ RedirectTemp /link/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+ RedirectTemp /redirect/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combinedproxy
+ CustomLog "/var/log/apache2/countdown-access_log" combinedproxy
+
+
+
+# vim:ft=apache
diff --git a/salt/profile/countdown/files/httpd2-prefork.apparmor b/salt/profile/countdown/files/httpd2-prefork.apparmor
new file mode 100644
index 0000000..38045ac
--- /dev/null
+++ b/salt/profile/countdown/files/httpd2-prefork.apparmor
@@ -0,0 +1,127 @@
+# managed by salt - do not edit!
+
+# $Id: usr.sbin.httpd2-prefork 12 2006-04-12 21:35:41Z steve-beattie $
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2017 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability dac_override,
+ capability kill,
+ capability net_admin,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_tty_config,
+
+ / rw,
+ /bin/bash rix,
+ /dev/random r,
+ /etc/apache2/*.conf r,
+ owner /etc/apache2/conf.d/ r,
+ /etc/apache2/magic r,
+ /etc/apache2/mod_perl-startup.pl r,
+ /etc/apache2/sysconfig.d/ r,
+ /etc/apache2/vhosts.d/ r,
+ /etc/apache2/vhosts.d/hostings/ r,
+ /etc/apache2/{conf,sysconfig,vhosts}.d/* r,
+ /etc/fstab r,
+ /etc/mime.types r,
+ /etc/mtab r,
+ /etc/odbcinst.ini r,
+ /proc/*/attr/current rw,
+ /proc/meminfo r,
+ /proc/sys/kernel/ngroups_max r,
+ /run/httpd.pid rw,
+ /tmp/magic* rw,
+ /usr/apache2/error/* r,
+ /usr/lib/apache2-leader/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-worker/{lib,mod_}*.so* mr,
+ /usr/lib/apache2/modules/{lib,mod_}*.so* mr,
+ /usr/lib/apache2/{lib,mod_}*.so mr,
+ /usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2/{lib,mod_}*.so* mr,
+ /usr/sbin/httpd{,2}-prefork mr,
+ /usr/sbin/suexec2 mrix,
+ /usr/share/apache2/error/** r,
+ /usr/share/apache2/icons/** r,
+ /usr/share/misc/magic.mime r,
+ /usr/share/snmp/mibs r,
+ /usr/share/snmp/mibs/*.{txt,mib} r,
+ /usr/share/snmp/mibs/.index rw,
+ /var/lib/apache2/ssl_mutex w,
+ /var/log/apache2/* rwl,
+
+ ^DEFAULT_URI flags=(complain,attach_disconnected) {
+ #include
+
+ /proc/meminfo r,
+ /usr/share/zoneinfo/ r,
+ /usr/share/zoneinfo/** r,
+ /var/log/apache2/access_log w,
+ /var/log/apache2/error_log w,
+
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) {
+ #include
+
+ /**/.htaccess r,
+ /dev/urandom r,
+ /proc/*/attr/current w,
+ /var/lib/apache2/ssl_mutex wk,
+ /var/log/apache2/access_log w,
+ /var/log/apache2/error_log w,
+ /var/log/apache2/error_log-20[12][0-9][01][0-9][0-3][0-9] w,
+ /var/log/apache2/ssl_request_log w,
+
+ # strange, but happens in practise
+ /var/log/apache2/countdown-access_log w,
+
+ }
+
+ ^vhost_countdown flags=(complain,attach_disconnected) {
+ #include
+ #include
+
+ / r,
+# /bin/bash rix,
+# /dev/tty rw,
+# /proc/meminfo r,
+# /usr/bin/timeout rix,
+ /var/log/apache2/countdown-access_log w,
+ /var/log/apache2/countdown-access_log-21[12][0-9][01][0-9][0-3][0-9] w,
+ /var/log/apache2/error_log w,
+
+ /srv/www/countdown.opensuse.org/ r,
+ /srv/www/countdown.opensuse.org/** r,
+ }
+
+}
+
+# vim: ft=apparmor expandtab
+
diff --git a/salt/profile/countdown/init.sls b/salt/profile/countdown/init.sls
index 820cab4..9ef6597 100644
--- a/salt/profile/countdown/init.sls
+++ b/salt/profile/countdown/init.sls
@@ -1,2 +1,3 @@
include:
+ - profile.countdown.apache
- profile.countdown.countdown
diff --git a/salt/role/countdown.sls b/salt/role/countdown.sls
new file mode 100644
index 0000000..b5bbf8e
--- /dev/null
+++ b/salt/role/countdown.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.countdown