diff --git a/ansible/group_vars/status.yml b/ansible/group_vars/status.yml
index 6e36d06..c4150b4 100644
--- a/ansible/group_vars/status.yml
+++ b/ansible/group_vars/status.yml
@@ -12,6 +12,7 @@ nim_waku_node_key: '{{lookup("bitwarden", "fleets/status/"+stage+"/nodekeys", fi
 # Ports
 nim_waku_p2p_tcp_port: 30303
 nim_waku_p2p_udp_port: 30303
+nim_waku_websock_port: 443
 nim_waku_metrics_port: 8008
 nim_waku_rpc_tcp_port: 8545
 nim_waku_rpc_tcp_addr: 0.0.0.0
@@ -24,6 +25,13 @@ nim_waku_sqlite_retention_time: 1209600 # 14 days
 nim_waku_disc_v5_enabled: true
 nim_waku_disc_v5_enr_auto_update: true
 nim_waku_disc_v5_port: 9000
+# Websockets
+nim_waku_websocket_enabled: true
+nim_waku_websocket_secure_enabled: true
+nim_waku_websocket_domain: '{{ dns_entry }}'
+nim_waku_websocket_ssl_dir: '/etc/letsencrypt'
+nim_waku_websocket_ssl_cert: '/etc/letsencrypt/live/{{ nim_waku_websocket_domain }}/fullchain.pem'
+nim_waku_websocket_ssl_key: '/etc/letsencrypt/live/{{ nim_waku_websocket_domain }}/privkey.pem'
 # Consul Service
 nim_waku_consul_success_before_passing: '{{ (stage == "prod") | ternary(2, 4) }}'
 nim_waku_consul_failures_before_warning: '{{ (stage == "prod") | ternary(1, 2) }}'
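Review bot: The new key `nim_waku_websock_port` in the `# Ports` block breaks the naming used by every other websocket variable added in this same file (`nim_waku_websocket_enabled`, `nim_waku_websocket_domain`, `nim_waku_websocket_ssl_*`), which makes it easy to miss when grepping for the websocket configuration. Unless the nim-waku role itself expects the `websock` spelling, I would rename it to `nim_waku_websocket_port: 443` and update the one reference in `open_ports_list` accordingly.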
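Review bot: `nim_waku_websocket_ssl_key` points at certbot's `privkey.pem`, which certbot writes root-owned with mode 0600 under `/etc/letsencrypt`, and `live/<domain>/` is a directory of symlinks into `archive/`; the hunk does not show how the nim-waku container gets read access to that file, and bind-mounting the whole `nim_waku_websocket_ssl_dir` would expose every certificate and key on the host to the container while mounting only `live/<domain>` breaks the symlinks. There is also no visible mechanism for the node to pick up a renewed certificate, so presumably it keeps serving the one loaded at start until it is restarted — worth confirming against the nim-waku role, which is outside this diff. I would document the constraint next to the key path: `# privkey.pem is root:root 0600 and live/ symlinks into archive/; the nim-waku role must expose only this domain's cert/key to the container and restart the node after renewal`.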
@@ -37,13 +45,22 @@ waku_peers_consul_services: - { name: '{{ nim_waku_cont_name }}', env: '{{ env }}', stage: '{{ stage }}' } - { name: 'nim-waku-bridge', env: '{{ env }}', stage: '{{ stage }}' } +# LetsEncrypt via Certbot +certbot_docker_enabled: true +certbot_admin_email: 'devops@status.im' +certbot_containers_to_stop: ['websockify'] +certbot_certs: + - domains: [ '{{ nim_waku_websocket_domain }}' ] + # Open LibP2P Ports open_ports_default_comment: '{{ nim_waku_cont_name }}' open_ports_default_protocol: 'tcp' open_ports_default_chain: 'SERVICES' open_ports_list: + - { port: '80', comment: 'Certbot verification' } - { port: '{{ nim_waku_p2p_tcp_port }}' } - { port: '{{ nim_waku_p2p_udp_port }}', protocol: 'udp' } - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' } + - { port: '{{ nim_waku_websock_port }}' } - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' } - { port: '{{ nim_waku_rpc_tcp_port }}', chain: 'VPN', ipset: '{{ env }}.{{ stage }}' } diff --git a/ansible/main.yml b/ansible/main.yml index 088020d..3a1cb9c 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -22,5 +22,6 @@ roles: - { role: open-ports, tags: open-ports } - { role: swap-file, tags: swap-file } + - { role: certbot, tags: certbot } - { role: nim-waku, tags: nim-waku } - { role: waku-peers, tags: waku-peers } diff --git a/ansible/requirements.yml b/ansible/requirements.yml index a35219d..f6208d5 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -21,7 +21,7 @@ - name: consul-service src: git@github.com:status-im/infra-role-consul-service.git - version: 0cddfb4dd696e759a0a95c4753e7b95aeedc4242 + version: 7653d06cfc4d2613ee14bf637d38d98b0201864f scm: git - name: nim-waku @@ -38,3 +38,8 @@ src: git@github.com:status-im/infra-role-systemd-timer.git version: 0cc94695f3dada39213a87fbe923cd90e2a7d2c2 scm: git + +- name: certbot + src: git@github.com:status-im/infra-role-certbot.git + version: a0f3dc76f2f07ed6857312da1f559db52f9781a1 + scm: git 
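Review bot: `certbot_containers_to_stop: ['websockify']` names a container that nothing in this fleet defines — the only containers referenced in the file are `{{ nim_waku_cont_name }}` and `nim-waku-bridge` — so it looks copied from a fleet where websockify terminated TLS. I cannot see the certbot role, but if that list exists to free a port during the HTTP-01 challenge it is unnecessary here (certbot gets port 80 and nim-waku holds 443), and if it exists so the container is restarted to load a renewed certificate it should be `certbot_containers_to_stop: ['{{ nim_waku_cont_name }}']`, otherwise the node keeps serving the expired certificate after renewal. Separately, the `'80'` entry stays permanently open in the public `SERVICES` chain for a challenge that runs only briefly; that is acceptable, but the comment should say so, e.g. `comment: 'Certbot HTTP-01 challenge only; nothing else may bind 80'`, so nobody later attaches a service to it.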
diff --git a/nodes.tf b/nodes.tf index 091c9e4..6ac87b5 100644 --- a/nodes.tf +++ b/nodes.tf @@ -16,6 +16,12 @@ module "hosts" { gc_type = local.ws["gc_type"] /* Google Cloud */ /* firewall */ - open_tcp_ports = [ "30303" ] /* p2p main */ - open_udp_ports = [ "9000" ] /* discovery v5 */ + open_tcp_ports = [ + "30303", /* p2p main */ + "443", /* websocket */ + "80", /* certbot */ + ] + open_udp_ports = [ + "9000", /* discovery v5 */ + ] }
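Review bot: The websocket port is now a bare literal `"443"` here and a separate literal `nim_waku_websock_port: 443` in `ansible/group_vars/status.yml`, with nothing tying the two together, so a later change to one silently leaves the cloud firewall and the host firewall disagreeing. Since the Terraform module and the Ansible vars are separate inputs, the least that should happen is a comment pointing at the counterpart: `"443", /* websocket, keep in sync with nim_waku_websock_port */` and `"80",  /* certbot HTTP-01 challenge only */`. Port 80 is also opened permanently at the cloud edge for an ACME challenge that runs only at issuance and renewal; if the module supports it, presumably a narrower rule would do, but that depends on the `hosts` module, which is outside this diff.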