diff --git a/ansible/deploy-airflow.yml b/ansible/deploy-airflow.yml index 2359196..2f07c62 100644 --- a/ansible/deploy-airflow.yml +++ b/ansible/deploy-airflow.yml @@ -4,5 +4,4 @@ - data2.htz-fsn.prod.ooni.nu become: true roles: - # Comes from https://github.com/idealista/airflow-role - - {"role": "airflow"} + - oonidata_airflow diff --git a/ansible/requirements.yml b/ansible/requirements.yml index f8e40a3..e78d86b 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -12,4 +12,4 @@ name: idealista.clickhouse_role - src: https://github.com/ooni/airflow-role.git scm: git - name: airflow + name: ooni.airflow_role diff --git a/ansible/roles/dehydrated/meta/main.yml b/ansible/roles/dehydrated/meta/main.yml index e7e996b..0e72e86 100644 --- a/ansible/roles/dehydrated/meta/main.yml +++ b/ansible/roles/dehydrated/meta/main.yml @@ -1,5 +1,5 @@ --- dependencies: - - nginx-buster + - nginx ... diff --git a/ansible/roles/dehydrated/tasks/main.yml b/ansible/roles/dehydrated/tasks/main.yml index 0bfaf7c..0a84f1a 100644 --- a/ansible/roles/dehydrated/tasks/main.yml +++ b/ansible/roles/dehydrated/tasks/main.yml @@ -47,14 +47,6 @@ tags: dehydrated shell: systemctl reload nginx.service -- name: allow incoming TCP connections to Nginx on port 80 - tags: dehydrated - blockinfile: - path: /etc/ooni/nftables/tcp/80.nft - create: yes - block: | - add rule inet filter input tcp dport 80 counter accept comment "incoming HTTP" - - name: reload nftables service tags: dehydrated shell: systemctl reload nftables.service diff --git a/ansible/roles/oonidata_airflow/defaults/main.yml b/ansible/roles/oonidata_airflow/defaults/main.yml new file mode 100644 index 0000000..5456c44 --- /dev/null +++ b/ansible/roles/oonidata_airflow/defaults/main.yml @@ -0,0 +1,3 @@ +tls_cert_dir: /var/lib/dehydrated/certs +airflow_public_fqdn: "{{ inventory_hostname }}" +certbot_domains_extra: [] 
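Review bot: Removing the task that writes /etc/ooni/nftables/tcp/80.nft from ansible/roles/dehydrated/tasks/main.yml does not remove that file from hosts it was already applied to, so already-provisioned hosts keep port 80 open while freshly provisioned ones get nothing from this role that opens it, and the `reload nftables service` task kept just below now reloads a ruleset this role no longer writes to. The http-01 validation dehydrated presumably performs still needs inbound TCP 80, so if that rule is now expected from the nginx role (which this role depends on after the meta/main.yml change in the same commit), a comment stating it would save the next reader a search: `# TCP/80 for the ACME http-01 challenge is opened by the nginx role, not here`. If the intent is instead to close port 80 on existing hosts, an `ansible.builtin.file: {path: /etc/ooni/nftables/tcp/80.nft, state: absent}` task before the reload is needed. The task list continues outside the hunk.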
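Review bot: The new ansible/roles/oonidata_airflow/defaults/main.yml documents none of its three variables, and `certbot_domains_extra` is named after certbot while the role obtains certificates through the dehydrated role (tasks/main.yml feeds it into `ssl_domains`), which will mislead anyone setting it in inventory. A one-line comment per variable, e.g. `# extra SANs to put on the dehydrated certificate alongside airflow_public_fqdn` above `certbot_domains_extra`, plus a `---` document start as in roles/dehydrated/meta/main.yml, would bring it in line with the rest of the tree. `tls_cert_dir` has to agree with wherever the dehydrated role actually writes its certificates, which nothing visible checks; the comment on that variable should say so.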
diff --git a/ansible/roles/oonidata_airflow/handlers/main.yml b/ansible/roles/oonidata_airflow/handlers/main.yml
new file mode 100644
index 0000000..f6dda47
--- /dev/null
+++ b/ansible/roles/oonidata_airflow/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Reload nginx
+ ansible.builtin.systemd_service:
+ name: nginx
+ state: reloaded
diff --git a/ansible/roles/oonidata_airflow/tasks/main.yml b/ansible/roles/oonidata_airflow/tasks/main.yml
new file mode 100644
index 0000000..ba4f07a
--- /dev/null
+++ b/ansible/roles/oonidata_airflow/tasks/main.yml
@@ -0,0 +1,35 @@
+- ansible.builtin.include_role:
+ name: ooni.airflow_role
+ tags:
+ - oonidata
+ - airflow
+ vars:
+ airflow_webserver_host: "127.0.0.1"
+ airflow_webserver_port: 8080
+ airflow_webserver_base_url: "https://{{ airflow_public_fqdn }}/airflow"
+
+- ansible.builtin.include_role:
+ name: nginx
+ tags:
+ - oonidata
+ - nginx
+
+- ansible.builtin.include_role:
+ name: dehydrated
+ tags:
+ - oonidata
+ - dehydrated
+ vars:
+ ssl_domains: "{{ [ airflow_public_fqdn ] + certbot_domains_extra }}"
+
+- name: Setup airflow nginx config
+ ansible.builtin.template:
+ src: nginx-airflow.j2
+ dest: /etc/nginx/sites-enabled/02-airflow
+ owner: root
+ mode: "0655"
+ notify:
+ - Reload nginx
+ tags:
+ - oonidata
+ - config
diff --git a/ansible/roles/oonidata_airflow/templates/nginx-airflow.j2 b/ansible/roles/oonidata_airflow/templates/nginx-airflow.j2
new file mode 100644
index 0000000..426cb59
--- /dev/null
+++ b/ansible/roles/oonidata_airflow/templates/nginx-airflow.j2
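Review bot: `mode: "0655"` on the `Setup airflow nginx config` task in tasks/main.yml sets the group and other execute bits on a plain nginx config file while leaving it unreadable by group and others, which reads like a typo for the conventional `mode: "0644"`; no `group:` is given either, so the file's group is left to whatever the template module applies by default on that host. Suggested lines for that task: `owner: root`, `group: root`, `mode: "0644"`. Separately, the host and port passed to ooni.airflow_role (`"127.0.0.1"`, `8080`) are repeated as a literal `proxy_pass http://127.0.0.1:8080` in nginx-airflow.j2; lifting them into defaults/main.yml and referencing them from both places would keep the proxy and the webserver from drifting apart.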
@@ -0,0 +1,40 @@
+# ansible-managed in ooni/devops.git
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 443 ssl http2;
+
+ include /etc/nginx/ssl_intermediate.conf;
+
+ ssl_certificate {{ tls_cert_dir }}/{{ airflow_public_fqdn }}/fullchain.pem;
+ ssl_certificate_key {{ tls_cert_dir }}/{{ airflow_public_fqdn }}/privkey.pem;
+ ssl_trusted_certificate {{ tls_cert_dir }}/{{ airflow_public_fqdn }}/chain.pem;
+
+ server_name _;
+ access_log /var/log/nginx/{{ airflow_public_fqdn }}.access.log;
+ error_log /var/log/nginx/{{ airflow_public_fqdn }}.log warn;
+
+ add_header Access-Control-Allow-Origin *;
+
+ ## Airflow reverse proxy
+ location /airflow {
+ proxy_pass http://127.0.0.1:8080;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ client_max_body_size 100M;
+
+ # WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Scheme $scheme;
+ proxy_buffering off;
+ }
+}
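Review bot: `add_header Access-Control-Allow-Origin *;` applies to every response from this server block, including the Airflow UI and API proxied under /airflow, and nothing in the change shows a cross-origin consumer that needs it; an authenticated admin interface should not advertise a wildcard origin, so drop the line or scope it to the one path and origin that actually require it. The proxy also forwards the non-standard `X-Scheme` but not `X-Forwarded-Proto`, which is what Airflow's proxy-fix handling (if the role enables it) and most WSGI middleware consult when building redirects for the `https://…/airflow` base URL; adding `proxy_set_header X-Forwarded-Proto $scheme;` beside the X-Forwarded-For line is cheap insurance. Because `location /airflow` is a prefix match it also proxies `/airflowanything`; `location /airflow/` with an exact-match redirect for `/airflow` is tighter if the base URL tolerates it.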