diff --git a/global/overlay/etc/puppet/modules/soc/files/intelmq/api-config.json b/global/overlay/etc/puppet/modules/soc/files/intelmq/api-config.json
new file mode 100644
index 0000000..435bdcb
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/intelmq/api-config.json
@@ -0,0 +1,7 @@
+{
+ "intelmq_ctl_cmd": ["sudo", "-u", "intelmq", "/opt/intelmq/venv/bin/intelmqctl"],
+ "allowed_path": "/opt/intelmq/var/lib/bots/",
+ "session_store": "/etc/intelmq/api-session.sqlite",
+ "session_duration": 86400,
+ "allow_origins": ["*"]
+}
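Review bot: `"allow_origins": ["*"]` lets any web origin issue cross-origin requests to the API and read the responses, which is wider than this deployment needs since the manager UI is served from the same vhost added in this commit; restricting it to the site's own origin, e.g. `"allow_origins": ["https://<servername>"]` (constructed placeholder), closes that off. `intelmq_ctl_cmd` runs `sudo -u intelmq`, but the service unit in this same commit runs gunicorn as `www-data`, so this only works if a sudoers rule for www-data exists outside this diff; that rule and its scope should be referenced or added here. `session_duration` of 86400 seconds is a full day of session validity and is worth a short comment in the deploying manifest, since JSON has no comment syntax.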
diff --git a/global/overlay/etc/puppet/modules/soc/files/intelmq/intelmq-api.service b/global/overlay/etc/puppet/modules/soc/files/intelmq/intelmq-api.service
new file mode 100644
index 0000000..d1ef41c
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/intelmq/intelmq-api.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Gunicorn deamon to serve the IntelMQ API
+Requires=intelmq-api.socket
+After=network.target
+
+[Service]
+
+# To override settings path, use e.g.:
+# Environment="INTELMQ_API_CONFIG=/etc/intelmq/api-config.json"
+
+Environment="ROOT_PATH=/intelmq"
+User=www-data
+Group=www-data
+RuntimeDirectory=gunicorn
+WorkingDirectory=/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api
+ExecStart=/opt/intelmq/venv/bin/gunicorn intelmq_api.main:app --workers 4 --worker-class uvicorn.workers.UvicornWorker --bind unix:intelmq_api.sock --log-level DEBUG
+ExecReload=/bin/kill -s HUP $MAINPID
+KillMode=mixed
+TimeoutStopSec=5
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
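Review bot: `--log-level DEBUG` on the ExecStart line ships a production service with verbose request logging into the journal; `--log-level INFO` is the usual default for a deployed unit. The working directory and the relative `--bind unix:intelmq_api.sock` place the listening socket inside `/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api`, a path that is also hard-coded in the socket unit and the vhost template and breaks on the next Python minor upgrade; the unit already declares `RuntimeDirectory=gunicorn`, so `/run/gunicorn/intelmq_api.sock` would be the natural home for it. With `Requires=intelmq-api.socket` the service is presumably meant to inherit the systemd socket, in which case the `--bind` argument is redundant at best, though I cannot confirm gunicorn's precedence from this hunk. `Description` has a typo, "deamon" for "daemon".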
diff --git a/global/overlay/etc/puppet/modules/soc/files/intelmq/intelmq-api.socket b/global/overlay/etc/puppet/modules/soc/files/intelmq/intelmq-api.socket
new file mode 100644
index 0000000..69bf331
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/files/intelmq/intelmq-api.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=The socket to handle IntelMQ API requests
+
+[Socket]
+ListenStream=/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock
+SocketUser=www-data
+
+[Install]
+WantedBy=sockets.target
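Review bot: No `SocketMode` is set, so systemd creates the socket with its default 0666, which lets any local account connect to the API socket directly, bypassing apache. Since both the proxying apache process and the gunicorn service run as www-data, `SocketGroup=www-data` and `SocketMode=0660` alongside the existing `SocketUser=www-data` keep the socket to that account. The `ListenStream` path also lives inside the venv's `site-packages` directory with `python3.11` hard-coded; the same path recurs in the service unit and the vhost template and would be better placed under the runtime directory the service unit declares.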
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp b/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp
index 00441fd..29f93ca 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/intelmq.pp
@@ -1,5 +1,11 @@
class soc::intelmq(
+ Optional[String] $tls_cert = undef,
+ Optional[String] $tls_chain = undef,
+ Optional[String] $tls_key = undef,
+ String $servername = $::fact['networking.fqdn'],
+ Boolean $use_snakeoil = false,
) {
+ include sunet::systemd_reload
group { 'intelmq':
ensure => present,
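Review bot: `$::fact['networking.fqdn']` on the `$servername` default refers to a top-scope variable Puppet does not define; the facts hash is `$facts`, so the default should read `String $servername = $facts['networking']['fqdn'],`. The new `include sunet::systemd_reload` spells the class with `::`, while the resource references later in this file use `Class['sunet:systemd_reload']` with a single colon, so those notifications would not resolve to this class. The class body continues outside this hunk.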
@@ -88,4 +94,51 @@ class soc::intelmq(
notify => Service['apache2'],
}
+ file { '/etc/apache2/sites-available/intelmq-vhost.conf':
+ ensure => file,
+ template => 'soc/intelmq/intelmq-vhost.conf.erb'
+ }
+
+ file { '/etc/intelmq/api-config.json':
+ ensure => file,
+ owner => 'intelmq',
+ group => 'intelmq',
+ mode => '0444'
+ content => 'soc/intelmq/api-config.json',
+ }
+
+ file { 'api-session.sqlite':
+ ensure => 'present',
+ replace => 'no',
+ owner => 'intelmq',
+ group => 'www-data',
+ mode => '0660'
+ }
+
+ file { '/etc/systemd/system/intelmq-api.service':
+ ensure => file,
+ content => 'soc/intelmq/intelmq-api.service',
+ notify => [Class['sunet:systemd_reload'], Service['intelmq-api.service'],],
+ }
+
+ file { '/etc/systemd/system/intelmq-api.socket':
+ ensure => file,
+ content => 'soc/intelmq/intelmq-api.socket',
+ notify => [Class['sunet:systemd_reload'], Service['intelmq-api.socket'],],
+ }
+
+ service { 'intelmq-api.service':
+ ensure => running,
+ name => 'intelmq-api.service',
+ enabled => true,
+ hasrestart => true,
+ }
+
+ service { 'intelmq-api.socket':
+ ensure => running,
+ name => 'intelmq-api.socket',
+ enabled => true,
+ hasrestart => true,
+ }
+
}
diff --git a/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb b/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb
new file mode 100644
index 0000000..efe8a1d
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb
@@ -0,0 +1,80 @@
+
+ ServerName <%= @servername %>
+ ServerAdmin cert@cert.sunet.se
+ DocumentRoot /var/www/html
+
+ RewriteEngine On
+ RewriteRule ^(.*)$ https://<%= @servername %>/$1 [R,L]
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+
+
+ ServerName <%= @servername %>
+ ServerAdmin cert@cert.sunet.se
+
+ SSLEngine on
+ <% if @use_snakeoil -%>
+ SSLCertificateFile /etc/letsencrypt/live/intelmq-test.cert.sunet.se/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/intelmq-test.cert.sunet.se/privkey.pem
+ <% else -%>
+ SSLCertificateFile <%= @tls_cert %>
+ SSLCertificateKeyFile <%= @tls_key %>
+ SSLCertificateChainFile <%= @tls_chain %>
+ <% end -%>
+
+ SSLCACertificatePath /etc/ssl/certs/
+ SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
+
+ Protocols h2 http/1.1
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+ Header always set Strict-Transport-Security "max-age=63072000"
+
+
+ ProxyRequests Off
+
+ ProxyPass "http://127.0.0.1:8666/api"
+ ProxyPassReverse "http://127.0.0.1:8666/api"
+ Header always set X-DEBUG-PATH "/api"
+
+
+
+# RewriteEngine on
+# RewriteCond %{REQUEST_URI} !^/(index.html|static|api|intelmq-webinput)
+# RewriteRule .* /index.html [PT]
+
+ DocumentRoot /opt/intelmq/www-fody
+
+
+ Header set Content-Security-Policy "script-src 'self'"
+ Header set X-Content-Security-Policy "script-src 'self'"
+
+ Require all granted
+ Options FollowSymLinks
+
+
+ Alias /intelmq-manager /usr/share/intelmq_manager/html/
+
+# AuthType Basic
+# AuthName "IntelMQ"
+# AuthBasicProvider file
+# AuthUserFile /etc/apache2/htpasswd
+# Require user sunetcert
+
+
+ Header set Content-Security-Policy "script-src 'self'"
+ Header set X-Content-Security-Policy "script-src 'self'"
+
+
+
+
+ ProxyPass unix:/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock|http://127.0.0.1/
+ ProxyPassReverse unix:/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock|http://127.0.0.1/
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
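Review bot: The `@use_snakeoil` branch does not use the snakeoil pair at all but a Let's Encrypt path for one specific host, `intelmq-test.cert.sunet.se`, so the flag's name is misleading and the template breaks on any other host; the distribution snakeoil files are `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key`. In the `else` branch, `@tls_cert`, `@tls_key` and `@tls_chain` all default to `undef` in the manifest, which renders empty `SSLCertificateFile`/`SSLCertificateKeyFile` lines and leaves apache unable to start; the manifest should fail early when `use_snakeoil` is false and any of them is unset. `Header always set X-DEBUG-PATH "/api"` looks like a debugging artifact and exposes nothing useful to clients, so it should be removed before this is deployed. The `VirtualHost` and `Location` container lines are not visible in the hunk, presumably lost in rendering, so which location the two `ProxyPass` pairs apply to cannot be checked here.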