diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index d1c9f1e..657ad99 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -45,6 +45,8 @@ backend_imap_port: 12892
 global_ansible_facts_directory: "/etc/ansible/facts.d"
+global_apparmor_profiles_directory: "/etc/apparmor.d"
+
 global_apt_sources_directory: "/etc/apt/sources.list.d"
 global_ip_discover_server_name: "nvak.banananet.work"
diff --git a/roles/server/minecraft/defaults/main.yml b/roles/server/minecraft/defaults/main.yml
index 6ccb6c3..b586f02 100644
--- a/roles/server/minecraft/defaults/main.yml
+++ b/roles/server/minecraft/defaults/main.yml
@@ -10,6 +10,7 @@ mcrcon_directory: "{{ user_directory }}/mcrcon"
 data_directory: "{{ user_directory }}/data"
 remote_control_script: "{{ user_directory }}/cmd"
 launch_script: "{{ user_directory }}/launch"
+apparmor_profile: "{{ global_apparmor_profiles_directory }}/webservers_{{ domain }}"
 # minecraft_version: "1.10" # for naming
 minecraft_source_link_generator: "curl --silent https://mcversions.net | grep minecraft_server-{{ minecraft_version }}.jar | grep --only-matching --perl-regexp '(?<=\")https://launcher.mojang.com/[^\"]+(?=\")'"
diff --git a/roles/server/minecraft/handlers/main.yml b/roles/server/minecraft/handlers/main.yml
index 463fae0..de93c74 100644
--- a/roles/server/minecraft/handlers/main.yml
+++ b/roles/server/minecraft/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+- name: reload apparmor profile
+  command: "/usr/sbin/apparmor_parser -r {{ apparmor_profile }}"
+
 - name: restart minecraft server
   systemd:
     state: restarted
diff --git a/roles/server/minecraft/tasks/main.yml b/roles/server/minecraft/tasks/main.yml
index 4c3ce6c..495a8c8 100644
--- a/roles/server/minecraft/tasks/main.yml
+++ b/roles/server/minecraft/tasks/main.yml
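Review bot: The new `reload apparmor profile` handler assumes `/usr/sbin/apparmor_parser` is installed and that AppArmor is enabled in the running kernel, but nothing in this diff installs the `apparmor` package or checks `/sys/module/apparmor/parameters/enabled`; if that is not done elsewhere in the role (not visible here), a host without the package fails this handler on every template change, and a host with the module present but disabled accepts the profile while the server keeps running unconfined. A precondition task such as `- name: Ensure apparmor is installed` with `package:` / `name: apparmor` / `state: present`, plus an `assert` on the enabled parameter, makes the confinement fail closed instead of silently degrading. The handler ordering itself is right: handlers run in definition order, so the reload is defined before `restart minecraft server` and the restarted process comes up under the replaced profile.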
@@ -82,6 +82,17 @@
     - name: "control.sh"
       path: "{{ remote_control_script }}"
+- name: Configure apparmor profile
+  template:
+    src: "profile.apparmor"
+    dest: "{{ apparmor_profile }}"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o="
+  notify:
+    - reload apparmor profile
+    - restart minecraft server
+
 - name: Configure minecraft server
   template:
     src: server.properties
diff --git a/roles/server/minecraft/templates/profile.apparmor b/roles/server/minecraft/templates/profile.apparmor
new file mode 100644
index 0000000..bddbf14
--- /dev/null
+++ b/roles/server/minecraft/templates/profile.apparmor
@@ -0,0 +1,26 @@
+#include
+
+/var/webservers/mc.wg.banananet.work/launch {
+  #include
+  #include
+  #include
+  #include
+  #include
+
+  /etc/timezone r,
+  /proc/*/net/if_inet6 r,
+  /proc/*/net/ipv6_route r,
+  /proc/sys/net/core/somaxconn r,
+  /proc/sys/net/ipv4/tcp_fastopen r,
+  /usr/bin/dash ix,
+  /usr/lib/jvm/java-11-openjdk-amd64/bin/java mrix,
+  /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa mr,
+  /usr/share/java/java-atk-wrapper.jar r,
+  /var/webservers/mc.wg.banananet.work/launch r,
+  owner /proc/*/coredump_filter rw,
+  owner /proc/*/mountinfo r,
+  owner /tmp/libnetty_transport_native_epoll_x86_*.so mrw,
+  owner /var/webservers/mc.wg.banananet.work/bin/server.*.jar r,
+  owner /var/webservers/mc.wg.banananet.work/data/** rw,
+
+}
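Review bot: The profile written by `Configure apparmor profile` only reaches the kernel through a handler, and handlers run at the end of the play, so on a host where the profile did not previously exist every task after this one — including any task that starts or enables the service, none of which is visible in this hunk — runs the server unconfined until the handler flush. If the role starts the service in a later task rather than only via the restart handler, add `- meta: flush_handlers` after the last configuration task and before that start so the reload (and restart) happen first. Note also that `notify` order is irrelevant; execution order is the definition order in handlers/main.yml, which currently does put the reload before the restart.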
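Review bot: The profile header hard-codes `/var/webservers/mc.wg.banananet.work/launch`, and the `launch`, `bin/server.*.jar` and `data/**` rules repeat that path, even though the file lives in `templates/`, the role parametrizes these paths as `launch_script`, `user_directory` and `data_directory` in defaults/main.yml, and the installed filename is built from `{{ domain }}`. AppArmor attaches a profile by the executable path in its header, so rendering this role for any other domain or `user_directory` installs a profile that matches nothing, `apparmor_parser -r` succeeds, and the server runs unconfined with no error — the rewritten lines below use the role variables instead. Separately, `owner /tmp/libnetty_transport_native_epoll_x86_*.so mrw` grants write plus executable-map in a world-writable directory; pointing netty at a private directory (e.g. `-Dio.netty.native.workdir={{ data_directory }}/tmp` in the launch script) and granting `mrw` there removes the shared-`/tmp` race. The `#include` lines also appear without their `<abstractions/...>` targets, presumably a rendering artifact of this page, but the committed file should be checked.
```apparmor
{{ launch_script }} {
  # … unchanged: abstraction includes, /etc, /proc and JVM rules …
  {{ launch_script }} r,
  # … unchanged: coredump_filter, mountinfo and netty rules …
  owner {{ user_directory }}/bin/server.*.jar r,
  owner {{ data_directory }}/** rw,
```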