diff --git a/playbooks/host_nvak.banananet.work.yml b/playbooks/host_nvak.banananet.work.yml
index ccf5667..0e5150d 100644
--- a/playbooks/host_nvak.banananet.work.yml
+++ b/playbooks/host_nvak.banananet.work.yml
@@ -1,6 +1,7 @@
 - name: Configure nvak.banananet.work
 hosts: nvak.banananet.work
 roles:
+ - role: nginx/default_server # Would not be configurable otherwise
 # Git Server
 - role: server/gitea
 domain: git.banananet.work
diff --git a/playbooks/host_rurapenthe.banananet.work.yml b/playbooks/host_rurapenthe.banananet.work.yml
index d648247..dffecbf 100644
--- a/playbooks/host_rurapenthe.banananet.work.yml
+++ b/playbooks/host_rurapenthe.banananet.work.yml
@@ -1,6 +1,7 @@
 - name: Configure rurapenthe
 hosts: rurapenthe.banananet.work
 roles:
+ - role: nginx/default_server # Would not be configurable otherwise
 # - role: dns/slave
 # domain: banananet.work
 # masters:
diff --git a/roles/nginx/default_server/meta/main.yml b/roles/nginx/default_server/meta/main.yml
new file mode 100644
index 0000000..6b7e803
--- /dev/null
+++ b/roles/nginx/default_server/meta/main.yml
@@ -0,0 +1,21 @@
+---
+
+allow_duplicates: no
+
+dependencies:
+ - role: nginx/server
+ domain: "{{ inventory_hostname }}"
+ listen_directives: |
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+ directives: |
+ location / {
+ return 404;
+ }
+ location = /status {
+ stub_status;
+ allow 127.0.0.1/8;
+ allow ::1;
+ allow {{ global_wireguard_ipv4_range }};
+ deny all;
+ }
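Review bot: The inline comment on the added `- role: nginx/default_server` line, `# Would not be configurable otherwise`, does not say what would not be configurable, so a later reader cannot tell why the role is listed explicitly or why it comes first. Going by the role's meta file in this same commit, something like `# Catch-all TLS vhost for the inventory hostname: 404 for /, restricted /status` would state what the entry does. The same comment is repeated in the host_rurapenthe playbook hunk and the same applies there. The `roles:` list continues outside the hunk.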
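Review bot: The `/status` ACL in `directives` depends entirely on `global_wireguard_ipv4_range`, which is neither defined nor validated anywhere in this diff; an empty value would render `allow ;`, which nginx should reject at load, and an over-broad one would widen access to `stub_status` without any change to this file. A YAML comment above `directives:` such as `# global_wireguard_ipv4_range: IPv4 CIDR of the WireGuard network, the only non-loopback source allowed on /status` would document that dependency. Separately, `allow 127.0.0.1/8;` has host bits set, which nginx accepts with a "low address bits are meaningless" warning; `allow 127.0.0.0/8;` is the canonical form. `default_server` is set only on the two 443 listeners, so whether unmatched hosts on port 80 also reach this block depends on the `nginx/server` role, which is outside the diff.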