diff --git a/lawipac.com/etc/apache2/conf-enabled/calibre-opds.conf b/lawipac.com/etc/apache2/conf-enabled/calibre-opds.conf
new file mode 100644
index 0000000..fc24845
--- /dev/null
+++ b/lawipac.com/etc/apache2/conf-enabled/calibre-opds.conf
@@ -0,0 +1,25 @@
+Alias /books-opds "/var/www/calibre_php_opds.1.01/"
+
+<Directory "/var/www/calibre_php_opds.1.01">
+    Options +FollowSymLinks
+    AllowOverride All
+
+    <IfModule mod_dav.c>
+      Dav off
+    </IfModule>
+
+    SetEnv HOME /var/www/calibre_php_opds.1.01
+    SetEnv HTTP_HOME /var/calibre_php_opds.1.01
+
+
+</Directory>
+
+#<Directory "/var/www/nextcloud/data/">
+#  # just in case if .htaccess gets disabled
+#  Require all denied
+#</Directory>
+
+## Please enable this manually, if needed. See also
+## https://doc.owncloud.org/server/8.2/admin_manual/issues/index.html#apple-ios
+# Redirect 301 /.well-known/carddav /owncloud/remote.php/carddav
+# Redirect 301 /.well-known/caldav  /owncloud/remote.php/caldav
diff --git a/lawipac.com/etc/apache2/conf-enabled/espocrm.conf b/lawipac.com/etc/apache2/conf-enabled/espocrm.conf
new file mode 100644
index 0000000..0dcd606
--- /dev/null
+++ b/lawipac.com/etc/apache2/conf-enabled/espocrm.conf
@@ -0,0 +1,17 @@
+Alias /crm "/var/www/crm/"
+<Directory "/var/www/crm/">
+    Options +FollowSymLinks
+    AllowOverride All
+
+    <IfModule mod_dav.c>
+      Dav off
+    </IfModule>
+
+    SetEnv HOME /var/www/crm
+    SetEnv HTTP_HOME /var/www/crm
+</Directory>
+
+#<Directory "/var/www/crm/">
+  # just in case if .htaccess gets disabled
+#  Require all denied
+#</Directory>
diff --git a/lawipac.com/etc/apache2/conf-enabled/owncloud.conf b/lawipac.com/etc/apache2/conf-enabled/owncloud.conf
new file mode 100644
index 0000000..6e4ee91
--- /dev/null
+++ b/lawipac.com/etc/apache2/conf-enabled/owncloud.conf
@@ -0,0 +1,26 @@
+Alias /nextcloud "/var/www/nextcloud/"
+Alias /owncloud "/var/www/nextcloud/"
+
+<Directory "/var/www/nextcloud">
+    Options +FollowSymLinks
+    AllowOverride All
+
+    <IfModule mod_dav.c>
+      Dav off
+    </IfModule>
+
+    SetEnv HOME /var/www/nextcloud
+    SetEnv HTTP_HOME /var/www/nextcloud
+
+
+</Directory>
+
+<Directory "/var/www/nextcloud/data/">
+  # just in case if .htaccess gets disabled
+  Require all denied
+</Directory>
+
+## Please enable this manually, if needed. See also
+## https://doc.owncloud.org/server/8.2/admin_manual/issues/index.html#apple-ios
+# Redirect 301 /.well-known/carddav /owncloud/remote.php/carddav
+# Redirect 301 /.well-known/caldav  /owncloud/remote.php/caldav
diff --git a/lawipac.com/etc/apache2/conf-enabled/subsonic-music-server.conf b/lawipac.com/etc/apache2/conf-enabled/subsonic-music-server.conf
new file mode 100644
index 0000000..7069193
--- /dev/null
+++ b/lawipac.com/etc/apache2/conf-enabled/subsonic-music-server.conf
@@ -0,0 +1,7 @@
+<Location /media>
+	RequestHeader unset Accept-Encoding
+	ProxyPass http://127.0.0.1:4040/media	
+	ProxyPassReverse http://127.0.0.1:4040/media
+	Order allow,deny
+	Allow from all
+</Location>
diff --git a/lawipac.com/etc/apache2/sites-enabled/draw-lawipac-ssl.conf b/lawipac.com/etc/apache2/sites-enabled/draw-lawipac-ssl.conf
new file mode 100644
index 0000000..2eb92ea
--- /dev/null
+++ b/lawipac.com/etc/apache2/sites-enabled/draw-lawipac-ssl.conf
@@ -0,0 +1,146 @@
+<IfModule mod_ssl.c>
+	<VirtualHost _default_:443>
+		ServerName draw.lawipac.com
+		ServerAdmin sp@lawipac.com
+
+		ProxyPass / http://s-gate.lawipac.com:38080/
+		ProxyPassReverse / http://s-gate.lawipac.com:38080/
+
+		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+		# error, crit, alert, emerg.
+		# It is also possible to configure the loglevel for particular
+		# modules, e.g.
+		#LogLevel info ssl:warn
+
+		ErrorLog ${APACHE_LOG_DIR}/draw.lawipac.com.error.log
+		CustomLog ${APACHE_LOG_DIR}/draw.lawipac.com.access.log combined
+
+		# For most configuration files from conf-available/, which are
+		# enabled or disabled at a global level, it is possible to
+		# include a line for only one particular virtual host. For example the
+		# following line enables the CGI configuration for this host only
+		# after it has been globally disabled with "a2disconf".
+		#Include conf-available/serve-cgi-bin.conf
+
+		#   SSL Engine Switch:
+		#   Enable/Disable SSL for this virtual host.
+		SSLEngine on
+
+		#   A self-signed (snakeoil) certificate can be created by installing
+		#   the ssl-cert package. See
+		#   /usr/share/doc/apache2/README.Debian.gz for more info.
+		#   If both key and certificate are stored in the same file, only the
+		#   SSLCertificateFile directive is needed.
+		#SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
+		#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+		#SSLCertificateFile    /etc/apache2/myssl_certs/lawipac.com.crt
+	        #SSLCertificateKeyFile /etc/apache2/myssl_certs/lawipac.com.key
+		Include /etc/letsencrypt/options-ssl-apache.conf
+
+
+		#   Server Certificate Chain:
+		#   Point SSLCertificateChainFile at a file containing the
+		#   concatenation of PEM encoded CA certificates which form the
+		#   certificate chain for the server certificate. Alternatively
+		#   the referenced file can be the same as SSLCertificateFile
+		#   when the CA certificates are directly appended to the server
+		#   certificate for convinience.
+		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+		#SSLCertificateChainFile /etc/apache2/myssl_certs/startcom_sub.class1.server.ca.pem
+		#SSLCertificateChainFile /etc/apache2/myssl_certs/startcom_1_root_boundle.crt
+
+		#   Certificate Authority (CA):
+		#   Set the CA certificate verification path where to find CA
+		#   certificates for client authentication or alternatively one
+		#   huge file containing all of them (file must be PEM encoded)
+		#   Note: Inside SSLCACertificatePath you need hash symlinks
+		#		 to point to the certificate files. Use the provided
+		#		 Makefile to update the hash symlinks after changes.
+		#SSLCACertificatePath /etc/ssl/certs/
+		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+		#   Certificate Revocation Lists (CRL):
+		#   Set the CA revocation path where to find CA CRLs for client
+		#   authentication or alternatively one huge file containing all
+		#   of them (file must be PEM encoded)
+		#   Note: Inside SSLCARevocationPath you need hash symlinks
+		#		 to point to the certificate files. Use the provided
+		#		 Makefile to update the hash symlinks after changes.
+		#SSLCARevocationPath /etc/apache2/ssl.crl/
+		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+		#   Client Authentication (Type):
+		#   Client certificate verification type and depth.  Types are
+		#   none, optional, require and optional_no_ca.  Depth is a
+		#   number which specifies how deeply to verify the certificate
+		#   issuer chain before deciding the certificate is not valid.
+		#SSLVerifyClient require
+		#SSLVerifyDepth  10
+
+		#   SSL Engine Options:
+		#   Set various options for the SSL engine.
+		#   o FakeBasicAuth:
+		#	 Translate the client X.509 into a Basic Authorisation.  This means that
+		#	 the standard Auth/DBMAuth methods can be used for access control.  The
+		#	 user name is the `one line' version of the client's X.509 certificate.
+		#	 Note that no password is obtained from the user. Every entry in the user
+		#	 file needs this password: `xxj31ZMTZzkVA'.
+		#   o ExportCertData:
+		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
+		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+		#	 server (always existing) and the client (only existing when client
+		#	 authentication is used). This can be used to import the certificates
+		#	 into CGI scripts.
+		#   o StdEnvVars:
+		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
+		#	 Per default this exportation is switched off for performance reasons,
+		#	 because the extraction step is an expensive operation and is usually
+		#	 useless for serving static content. So one usually enables the
+		#	 exportation for CGI and SSI requests only.
+		#   o OptRenegotiate:
+		#	 This enables optimized SSL connection renegotiation handling when SSL
+		#	 directives are used in per-directory context.
+		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+		<FilesMatch "\.(cgi|shtml|phtml|php)$">
+				SSLOptions +StdEnvVars
+		</FilesMatch>
+		<Directory /usr/lib/cgi-bin>
+				SSLOptions +StdEnvVars
+		</Directory>
+
+		#   SSL Protocol Adjustments:
+		#   The safe and default but still SSL/TLS standard compliant shutdown
+		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+		#   the close notify alert from client. When you need a different shutdown
+		#   approach you can use one of the following variables:
+		#   o ssl-unclean-shutdown:
+		#	 This forces an unclean shutdown when the connection is closed, i.e. no
+		#	 SSL close notify alert is send or allowed to received.  This violates
+		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
+		#	 this when you receive I/O errors because of the standard approach where
+		#	 mod_ssl sends the close notify alert.
+		#   o ssl-accurate-shutdown:
+		#	 This forces an accurate shutdown when the connection is closed, i.e. a
+		#	 SSL close notify alert is send and mod_ssl waits for the close notify
+		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
+		#	 practice often causes hanging connections with brain-dead browsers. Use
+		#	 this only for browsers where you know that their SSL implementation
+		#	 works correctly.
+		#   Notice: Most problems of broken clients are also related to the HTTP
+		#   keep-alive facility, so you usually additionally want to disable
+		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+		#   "force-response-1.0" for this.
+		BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+		# MSIE 7 and newer should be able to use keepalive
+		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+		Include /etc/letsencrypt/options-ssl-apache.conf
+		SSLCertificateFile /etc/letsencrypt/live/lawipac.com/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/lawipac.com/privkey.pem
+Include /etc/letsencrypt/options-ssl-apache.conf
+	</VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/lawipac.com/etc/apache2/sites-enabled/lawipac-com-ssl.conf b/lawipac.com/etc/apache2/sites-enabled/lawipac-com-ssl.conf
new file mode 100644
index 0000000..2695e3e
--- /dev/null
+++ b/lawipac.com/etc/apache2/sites-enabled/lawipac-com-ssl.conf
@@ -0,0 +1,178 @@
+<IfModule mod_ssl.c>
+	<VirtualHost _default_:443>
+		ServerName lawipac.com
+		ServerAlias www.lawipac.com
+		ServerAdmin sp@lawipac.com
+
+		DocumentRoot /var/www/lawipac.com/
+
+#		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+
+#	        <Directory />
+#        	        Options FollowSymLinks
+#                	AllowOverride All
+#	        </Directory>
+        	<Directory /var/www/lawipac.com/>
+                	Options Indexes FollowSymLinks MultiViews
+	                AllowOverride all
+        	        Order allow,deny
+                	allow from all
+	        </Directory>
+
+#        	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+#	        <Directory "/usr/lib/cgi-bin">
+#        	        AllowOverride None
+#                	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+#	                Order allow,deny
+#        	        Allow from all
+#	        </Directory>
+
+
+#/books as proxy
+    		ProxyPass /books http://127.0.0.1:8080/
+    		ProxyPassReverse /books http://127.0.0.1:8080/
+
+    		ProxyPass /opds http://127.0.0.1:8080/opds
+    		ProxyPassReverse /opds http://127.0.0.1:8080/opds
+#draw.io as proxy
+		ProxyPass /draw http://192.168.1.3:38080/
+		ProxyPassReverse /draw http://192.168.1.3:38080/
+
+		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+		# error, crit, alert, emerg.
+		# It is also possible to configure the loglevel for particular
+		# modules, e.g.
+		#LogLevel info ssl:warn
+
+		ErrorLog ${APACHE_LOG_DIR}/lawipac.com.error.log
+		CustomLog ${APACHE_LOG_DIR}/lawipac.com.access.log combined
+
+		# For most configuration files from conf-available/, which are
+		# enabled or disabled at a global level, it is possible to
+		# include a line for only one particular virtual host. For example the
+		# following line enables the CGI configuration for this host only
+		# after it has been globally disabled with "a2disconf".
+		#Include conf-available/serve-cgi-bin.conf
+
+		#   SSL Engine Switch:
+		#   Enable/Disable SSL for this virtual host.
+		SSLEngine on
+
+		#   A self-signed (snakeoil) certificate can be created by installing
+		#   the ssl-cert package. See
+		#   /usr/share/doc/apache2/README.Debian.gz for more info.
+		#   If both key and certificate are stored in the same file, only the
+		#   SSLCertificateFile directive is needed.
+		#SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
+		#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+		#SSLCertificateFile    /etc/apache2/myssl_certs/lawipac.com.crt
+	        #SSLCertificateKeyFile /etc/apache2/myssl_certs/lawipac.com.key
+		Include /etc/letsencrypt/options-ssl-apache.conf
+
+
+		#   Server Certificate Chain:
+		#   Point SSLCertificateChainFile at a file containing the
+		#   concatenation of PEM encoded CA certificates which form the
+		#   certificate chain for the server certificate. Alternatively
+		#   the referenced file can be the same as SSLCertificateFile
+		#   when the CA certificates are directly appended to the server
+		#   certificate for convinience.
+		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+		#SSLCertificateChainFile /etc/apache2/myssl_certs/startcom_sub.class1.server.ca.pem
+		#SSLCertificateChainFile /etc/apache2/myssl_certs/startcom_1_root_boundle.crt
+
+		#   Certificate Authority (CA):
+		#   Set the CA certificate verification path where to find CA
+		#   certificates for client authentication or alternatively one
+		#   huge file containing all of them (file must be PEM encoded)
+		#   Note: Inside SSLCACertificatePath you need hash symlinks
+		#		 to point to the certificate files. Use the provided
+		#		 Makefile to update the hash symlinks after changes.
+		#SSLCACertificatePath /etc/ssl/certs/
+		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+		#   Certificate Revocation Lists (CRL):
+		#   Set the CA revocation path where to find CA CRLs for client
+		#   authentication or alternatively one huge file containing all
+		#   of them (file must be PEM encoded)
+		#   Note: Inside SSLCARevocationPath you need hash symlinks
+		#		 to point to the certificate files. Use the provided
+		#		 Makefile to update the hash symlinks after changes.
+		#SSLCARevocationPath /etc/apache2/ssl.crl/
+		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+		#   Client Authentication (Type):
+		#   Client certificate verification type and depth.  Types are
+		#   none, optional, require and optional_no_ca.  Depth is a
+		#   number which specifies how deeply to verify the certificate
+		#   issuer chain before deciding the certificate is not valid.
+		#SSLVerifyClient require
+		#SSLVerifyDepth  10
+
+		#   SSL Engine Options:
+		#   Set various options for the SSL engine.
+		#   o FakeBasicAuth:
+		#	 Translate the client X.509 into a Basic Authorisation.  This means that
+		#	 the standard Auth/DBMAuth methods can be used for access control.  The
+		#	 user name is the `one line' version of the client's X.509 certificate.
+		#	 Note that no password is obtained from the user. Every entry in the user
+		#	 file needs this password: `xxj31ZMTZzkVA'.
+		#   o ExportCertData:
+		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
+		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+		#	 server (always existing) and the client (only existing when client
+		#	 authentication is used). This can be used to import the certificates
+		#	 into CGI scripts.
+		#   o StdEnvVars:
+		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
+		#	 Per default this exportation is switched off for performance reasons,
+		#	 because the extraction step is an expensive operation and is usually
+		#	 useless for serving static content. So one usually enables the
+		#	 exportation for CGI and SSI requests only.
+		#   o OptRenegotiate:
+		#	 This enables optimized SSL connection renegotiation handling when SSL
+		#	 directives are used in per-directory context.
+		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+		<FilesMatch "\.(cgi|shtml|phtml|php)$">
+				SSLOptions +StdEnvVars
+		</FilesMatch>
+		<Directory /usr/lib/cgi-bin>
+				SSLOptions +StdEnvVars
+		</Directory>
+
+		#   SSL Protocol Adjustments:
+		#   The safe and default but still SSL/TLS standard compliant shutdown
+		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+		#   the close notify alert from client. When you need a different shutdown
+		#   approach you can use one of the following variables:
+		#   o ssl-unclean-shutdown:
+		#	 This forces an unclean shutdown when the connection is closed, i.e. no
+		#	 SSL close notify alert is send or allowed to received.  This violates
+		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
+		#	 this when you receive I/O errors because of the standard approach where
+		#	 mod_ssl sends the close notify alert.
+		#   o ssl-accurate-shutdown:
+		#	 This forces an accurate shutdown when the connection is closed, i.e. a
+		#	 SSL close notify alert is send and mod_ssl waits for the close notify
+		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
+		#	 practice often causes hanging connections with brain-dead browsers. Use
+		#	 this only for browsers where you know that their SSL implementation
+		#	 works correctly.
+		#   Notice: Most problems of broken clients are also related to the HTTP
+		#   keep-alive facility, so you usually additionally want to disable
+		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+		#   "force-response-1.0" for this.
+		BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+		# MSIE 7 and newer should be able to use keepalive
+		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+		Include /etc/letsencrypt/options-ssl-apache.conf
+		SSLCertificateFile /etc/letsencrypt/live/lawipac.com/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/lawipac.com/privkey.pem
+Include /etc/letsencrypt/options-ssl-apache.conf
+	</VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/lawipac.com/etc/apache2/sites-enabled/lawipac-com.conf b/lawipac.com/etc/apache2/sites-enabled/lawipac-com.conf
new file mode 100644
index 0000000..95c903e
--- /dev/null
+++ b/lawipac.com/etc/apache2/sites-enabled/lawipac-com.conf
@@ -0,0 +1,19 @@
+<VirtualHost *:80>
+        # The ServerName directive sets the request scheme, hostname and port that
+        # the server uses to identify itself. This is used when creating
+        # redirection URLs. In the context of virtual hosts, the ServerName
+        # specifies what hostname must appear in the request's Host: header to
+        # match this virtual host. For the default virtual host (this file) this
+        # value is not decisive as it is used as a last resort host regardless.
+        # However, you must set it for any further virtual host explicitly.
+        ServerName lawipac.com
+	ServerAlias www.lawipac.com
+	redirect / https://lawipac.com/
+
+RewriteEngine on
+RewriteCond %{SERVER_NAME} =lawipac.com [OR]
+RewriteCond %{SERVER_NAME} =www.lawipac.com
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+</VirtualHost>
+
+