diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix
index aee832d..547582f 100644
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@@ -73,6 +73,9 @@ in
 actions.ENABLED = true;
 # federation.ENABLED = true;
 webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
+ cors = {
+ ENABLED = true;
+ };
 };
 };
diff --git a/modules/web/default.nix b/modules/web/default.nix
index 3be7efd..cdd0729 100644
--- a/modules/web/default.nix
+++ b/modules/web/default.nix
@@ -1,6 +1,7 @@
 { ... }: {
 imports = [
+ ./ifsrdenew.nix
 ./ifsrde.nix
 ./ese.nix
 ./infoscreen.nix
diff --git a/modules/web/ifsrdenew.nix b/modules/web/ifsrdenew.nix
new file mode 100644
index 0000000..e2c7548
--- /dev/null
+++ b/modules/web/ifsrdenew.nix
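Review bot: `cors = { ENABLED = true; };` is added without an `ALLOW_DOMAIN`, and if Forgejo's documented default for that key applies it is `*`, so once CORS is on any origin may read responses from this instance. Pin it to the single origin that needs cross-origin access, e.g. `cors = { ENABLED = true; ALLOW_DOMAIN = "https://ifsr.de"; };` — presumably the new site added in this same commit, to be confirmed. Keep `ALLOW_CREDENTIALS` at its default of false unless the origin is pinned, since a wildcard origin combined with credentials would expose authenticated API responses cross-origin. The enclosing attribute set that holds `actions.ENABLED` and `webhook.ALLOWED_HOST_LIST` begins outside the hunk.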
@@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+let
+ user = "fsr-web";
+ group = "fsr-web";
+ webRoot = "/srv/web/ifsrdenew";
+in
+{
+
+ users.users.${user} = {
+ group = group;
+ isSystemUser = true;
+ };
+ users.groups.${group} = { };
+ users.users.nginx = {
+ extraGroups = [ group ];
+ };
+ services.nginx = {
+
+ virtualHosts."test.${config.networking.domain}" = {
+ root = webRoot;
+ locations = {
+ "/" = {
+ tryFiles = "$uri $uri/ =404";
+ };
+ "~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
+ "/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
+ "/kpp".return = "301 https://kpp.ifsr.de";
+ "/mese".return = "301 https://ifsr.de/news/mese-and-welcome-back";
+ "/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
+ # security
+ "~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
+ # deny running scripts inside core system folders
+ "~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
+ # deny running scripts inside user folder
+ "~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
+ # deny access to specific files in the root folder
+ "~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)".return = "403";
+ ## End - Security
+ };
+ };
+ };
+
+ users.users."ese-deploy" = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ ''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRIojP9vBbxy0fCEJFMNKXgkTA7Sju9mn+i01mYzovU''
+ ];
+ };
+}
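Review bot: The `/cmd` redirect on the `"~ ^/cmd(/?[^\\n|\\r]*)$"` location is an open redirect: the captured group may begin with any character, so `/cmd@attacker.example` or `/cmd.attacker.example` yields `Location: https://pad.ifsr.de@attacker.example` (or `.attacker.example`), which browsers resolve to the attacker's host. Require the capture to be empty or start with a slash, e.g. `"~ ^/cmd(/.*)?$".return = "301 https://pad.ifsr.de$1";` — an unmatched optional group expands to an empty `$1` in nginx, and the `|` inside the original character class was a literal pipe rather than an alternation anyway. Note also that Nix drops the backslash of an unrecognized escape in a double-quoted string, so the `\.` in the `403` patterns reaches nginx as a bare `.`; that only makes those deny rules broader, but `\\.` is the intended spelling, as already done with `\\n` and `\\r`. The `ese-deploy` account is not made a member of `fsr-web`, so whether its rrsync-restricted key can actually write into `${webRoot}` depends on directory ownership and mode not set in this file; confirm that, and consider adding the user to the group or managing the directory with `systemd.tmpfiles` so the permissions are declared rather than assumed.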