diff --git a/states/firewalls/hedwig.sls b/states/firewalls/hedwig.sls
index dd5d8a9..0478385 100644
--- a/states/firewalls/hedwig.sls
+++ b/states/firewalls/hedwig.sls
@@ -4,5 +4,7 @@ hedwig_public:
     - default: False
     - ports:
       - 22/tcp
+      - 80/tcp
+      - 443/tcp
     - require:
       - firewalld
diff --git a/states/lunch_website/dokuwiki_htaccess b/states/lunch_website/dokuwiki_htaccess
new file mode 100644
index 0000000..af2a7a0
--- /dev/null
+++ b/states/lunch_website/dokuwiki_htaccess
@@ -0,0 +1,45 @@
+## Enable this to restrict editing to logged in users only
+
+## You should disable Indexes and MultiViews either here or in the
+## global config. Symlinks maybe needed for URL rewriting.
+#Options -Indexes -MultiViews +FollowSymLinks
+
+## make sure nobody gets the htaccess, README, COPYING or VERSION files
+<Files ~ "^([\._]ht|README$|VERSION$|COPYING$)">
+    <IfModule mod_authz_host>
+        Require all denied
+    </IfModule>
+    <IfModule !mod_authz_host>
+        Order allow,deny
+        Deny from all
+    </IfModule>
+</Files>
+
+## Don't allow access to git directories
+<IfModule alias_module>
+    RedirectMatch 404 /\.git
+</IfModule>
+
+## Uncomment these rules if you want to have nice URLs using
+## $conf['userewrite'] = 1 - not needed for rewrite mode 2
+RewriteEngine on
+#
+RewriteRule ^_media/(.*)              lib/exe/fetch.php?media=$1  [QSA,L]
+RewriteRule ^_detail/(.*)             lib/exe/detail.php?media=$1  [QSA,L]
+RewriteRule ^_export/([^/]+)/(.*)     doku.php?do=export_$1&id=$2  [QSA,L]
+RewriteRule ^$                        doku.php  [L]
+RewriteCond %{REQUEST_FILENAME}       !-f
+RewriteCond %{REQUEST_FILENAME}       !-d
+RewriteRule (.*)                      doku.php?id=$1  [QSA,L]
+RewriteRule ^index.php$               doku.php
+#
+## Not all installations will require the following line.  If you do,
+## change "/dokuwiki" to the path to your dokuwiki directory relative
+## to your document root.
+RewriteBase /
+#
+## If you enable DokuWikis XML-RPC interface, you should consider to
+## restrict access to it over HTTPS only! Uncomment the following two
+## rules if your server setup allows HTTPS.
+#RewriteCond %{HTTPS} !=on
+#RewriteRule ^lib/exe/xmlrpc.php$      https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
diff --git a/states/lunch_website/dokuwiki_local.php b/states/lunch_website/dokuwiki_local.php
new file mode 100644
index 0000000..5bf7620
--- /dev/null
+++ b/states/lunch_website/dokuwiki_local.php
@@ -0,0 +1,19 @@
+<?php
+/*
+ * Dokuwiki's Main Configuration File - Local Settings 
+ * Auto-generated by config plugin 
+ * Run for user: jim
+ * Date: Mon, 28 Jan 2013 11:23:17 +0000
+ */
+
+$conf['title'] = 'Somewhere, it\'s lunchtime...';
+$conf['template'] = 'simple';
+$conf['allowdebug'] = 0;
+$conf['useacl'] = 1;
+$conf['superuser'] = 'jim';
+$conf['disableactions'] = 'register';
+$conf['htmlok'] = 1;
+$conf['userewrite'] = '1';
+$conf['basedir'] = '/';
+
+// end auto-generated content
diff --git a/states/lunch_website/init.sls b/states/lunch_website/init.sls
new file mode 100644
index 0000000..78fa7ec
--- /dev/null
+++ b/states/lunch_website/init.sls
@@ -0,0 +1,42 @@
+lunch_website_package:
+  pkg.installed:
+    - pkgs:
+      - dokuwiki
+
+lunch_website_config:
+  file.managed:
+    - names:
+      - /etc/dokuwiki/local.php:
+        - source: salt://lunch_website/dokuwiki_local.php
+        - mode: 0664
+        - group: www-data
+      - /etc/dokuwiki/local.php.bak:
+        - source: salt://lunch_website/dokuwiki_local.php
+        - mode: 0664
+        - group: www-data
+      - /etc/dokuwiki/htaccess:
+        - source: salt://lunch_website/dokuwiki_htaccess
+
+lunch_website_dir_perms:
+  file.directory:
+    - name: /etc/dokuwiki
+    - group: www-data
+    - mode: 0775
+
+lunch_website_web:
+  file.managed:
+    - require:
+      - sls: apache
+      - sls: certificates/client
+    - names:
+      - /etc/apache2/sites-available/lunch.org.uk.conf:
+        - source: salt://lunch_website/lunch.org.uk.conf
+  apache_site.enabled:
+    - require:
+      - file: /etc/apache2/sites-available/lunch.org.uk.conf
+    - name: lunch.org.uk
+  service.running:
+    - name: apache2
+    - reload: true
+    - watch:
+      - file: /etc/apache2/sites-available/lunch.org.uk.conf
diff --git a/states/lunch_website/lunch.org.uk.conf b/states/lunch_website/lunch.org.uk.conf
new file mode 100644
index 0000000..4088b64
--- /dev/null
+++ b/states/lunch_website/lunch.org.uk.conf
@@ -0,0 +1,53 @@
+<IfModule mod_ssl.c>
+
+<VirtualHost *:443>
+        ServerName lunch.org.uk
+        ServerAlias www.lunch.org.uk
+
+        ErrorLog /var/log/apache2/lunch-error.log
+        CustomLog /var/log/apache2/lunch-access.log combined
+
+        RemoteIPProxyProtocol On
+
+        Alias / /usr/share/dokuwiki/
+        <Directory /usr/share/dokuwiki/>
+                Options +FollowSymLinks
+                AllowOverride All
+                order allow,deny
+                allow from all
+                Require all granted
+        </Directory>
+
+        <Directory /usr/share/dokuwiki/bin>
+                Require all denied
+        </Directory>
+
+        <Directory /var/lib/dokuwiki/data>
+                Require all denied
+        </Directory>
+
+	SSLEngine on
+	SSLCertificateFile /var/local/certificates/lunch.org.uk/fullchain.pem
+	SSLCertificateKeyFile /var/local/certificates/lunch.org.uk/privkey.pem
+</VirtualHost>
+
+</IfModule>
+
+<VirtualHost *:80>
+        ServerName lunch.org.uk
+        ServerAlias www.lunch.org.uk
+
+        ErrorLog /var/log/apache2/lunch-error.log
+        CustomLog /var/log/apache2/lunch-access.log combined
+
+        RemoteIPProxyProtocol On
+
+        <IfModule rewrite_module>
+                #
+                # This redirects all accesses to the HTTPS version of the site.
+                #
+                RewriteEngine On
+
+                RewriteRule ^/?(.*) https://lunch.org.uk/$1 [R=301,L]
+        </IfModule>
+</VirtualHost>