diff --git a/code/etherpad.sls b/code/etherpad.sls
new file mode 100644
index 0000000..c045903
--- /dev/null
+++ b/code/etherpad.sls
@@ -0,0 +1,28 @@
+{%- set dir = '/srv/webplatform/etherpad' -%}
+{%- set salt_master_ip = salt['pillar.get']('infra:hosts_entries:salt') -%}
+{%- set upstream_port = salt['pillar.get']('upstream:etherpad:port', 8006) %}
+
+include:
+ - users.app-user
+
+{{ dir }}:
+ file.directory:
+ - user: app-user
+ - group: www-data
+ - recurse:
+ - user
+ - group
+
+{{ dir }}/docker-compose.yml:
+ file.managed:
+ - source: salt://code/files/etherpad/docker-compose.yml.jinja
+ - template: jinja
+ - user: app-user
+ - group: www-data
+ - mode: 644
+ - context:
+ upstream_port: {{ upstream_port }}
+ salt_master_ip: {{ salt_master_ip }}
+ - require:
+ - file: {{ dir }}
+
diff --git a/code/files/etherpad/docker-compose.yml.jinja b/code/files/etherpad/docker-compose.yml.jinja
new file mode 100644
index 0000000..e6bd08a
--- /dev/null
+++ b/code/files/etherpad/docker-compose.yml.jinja
@@ -0,0 +1,20 @@
+## Managed by Salt Stack, please DO NOT TOUCH, or ALL CHANGES WILL be LOST!
+## source {{ source }}
+
+# ref:
+# - http://docs.docker.com/compose/
+# - http://docs.docker.com/compose/yml/
+
+web:
+ image: webplatform/etherpad
+
+ restart: always
+
+ ports:
+ - "{{ upstream_port }}:9001"
+
+ dns:
+ - 10.10.10.41
+ - 8.8.8.8
+
+# vim: et ts=2 sw=2 ft=yaml:
diff --git a/etherpad/files/nginx.frontend.conf.jinja b/etherpad/files/nginx.frontend.conf.jinja
new file mode 100644
index 0000000..c3b2b8a
--- /dev/null
+++ b/etherpad/files/nginx.frontend.conf.jinja
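Review bot: In code/etherpad.sls, `salt_master_ip` is read with `pillar.get` without a default and passed in the template context, but the docker-compose template added in this same commit never references it and hard-codes `10.10.10.41` under `dns:`. Either use the variable in the template or drop it here; as written, a missing pillar key passes `None` along silently and the resolver address is kept in two places. Separately, `- mode: 644` is safer written as a quoted string, `- mode: '0644'`, so the YAML loader cannot reinterpret the number.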
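Review bot: In code/files/etherpad/docker-compose.yml.jinja, `- "{{ upstream_port }}:9001"` publishes the container port on every host interface, and the front end added in this commit reaches it over plain HTTP, so any host that can route to the Docker node can reach Etherpad without going through the TLS virtual host. Prefer binding to the internal address only, e.g. `- "<internal-ip>:{{ upstream_port }}:9001"` (placeholder), and verify the host firewall actually covers the port, since Docker installs its own iptables rules for published ports. `image: webplatform/etherpad` carries no tag, so each pull takes whatever `latest` is at that moment; pin a tag or digest so the deployed build is reproducible and reviewable.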
@@ -0,0 +1,56 @@
+
+#
+# This is the PUBLIC virtual host for etherpad.{{ tld }}
+#
+# Note that we call another NGINX virtual host, from the internal network,
+# without SSL, and with a different name than the publicly exposed.
+#
+# Intention is that we can have multiple internal upstreams load-balanced
+# by this very virtual host.
+#
+# ===========================================================================
+#
+# Managed by Salt Stack. Do NOT edit manually!
+# source: {{ source }}
+#
+
+upstream upstream_etherpad {
+ keepalive 16;
+ ip_hash;
+
+{%- for b in upstreams %}
+ server {{ b }}:{{ upstream_port }};
+{%- endfor %}
+}
+
+server {
+ listen 80;
+ server_name etherpad.{{ tld }};
+ include common_params;
+ return 301 https://etherpad.{{ tld }}$request_uri;
+}
+
+server {
+ listen 443 ssl spdy;
+ server_name etherpad.{{ tld }};
+
+ root /var/www/html;
+ include common_params;
+ include ssl_params;
+
+ ssl on;
+ ssl_certificate /etc/ssl/webplatform/public_wildcard_201407.pem;
+ ssl_certificate_key /etc/ssl/webplatform/201407.key;
+
+ location / {
+ proxy_pass http://upstream_etherpad;
+ include proxy_params;
+ proxy_intercept_errors on;
+
+ # Backend keepalive
+ # ref: http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ }
+}
+
diff --git a/etherpad/frontend.sls b/etherpad/frontend.sls
new file mode 100644
index 0000000..d3a9437
--- /dev/null
+++ b/etherpad/frontend.sls
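Review bot: In the `upstream_etherpad` block of etherpad/files/nginx.frontend.conf.jinja, `keepalive 16;` is placed before `ip_hash;`; the upstream module documentation this file links to says a non-default balancing method must be activated before `keepalive`, so the two lines should be swapped. In the 443 server, `ssl on;` duplicates the `ssl` flag already given on `listen 443 ssl spdy;` and can be dropped. Protocol and cipher selection and any HSTS header presumably come from the included `ssl_params`, which this diff does not show; confirm them there, since the hop from this host to the upstream is deliberately plain HTTP.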
@@ -0,0 +1,31 @@
+{%- set tld = salt['pillar.get']('infra:current:tld', 'webplatform.org') -%}
+{%- set upstreams = salt['pillar.get']('upstream:etherpad:nodes', ['127.0.0.1']) -%}
+{%- set upstream_port = salt['pillar.get']('upstream:etherpad:port', 8006) %}
+
+include:
+ - nginx
+
+#
+# This is the PUBLIC virtual host for **etherpad** subdomain proxying requests
+# to an internal webserver.
+#
+# ===========================================================================
+#
+
+/etc/nginx/sites-available/etherpad:
+ file.managed:
+ - source: salt://etherpad/files/nginx.frontend.conf.jinja
+ - template: jinja
+ - context:
+ tld: {{ tld }}
+ upstreams: {{ upstreams }}
+ upstream_port: {{ upstream_port }}
+ - require:
+ - pkg: nginx
+
+/etc/nginx/sites-enabled/10-etherpad:
+ file.symlink:
+ - target: /etc/nginx/sites-available/etherpad
+ - require:
+ - file: /etc/nginx/sites-available/etherpad
+
diff --git a/monitor/files/nginx.frontend.conf.jinja b/monitor/files/nginx.frontend.conf.jinja
index db9c0b2..87de4f1 100644
--- a/monitor/files/nginx.frontend.conf.jinja
+++ b/monitor/files/nginx.frontend.conf.jinja
@@ -1,6 +1,6 @@ # -# This is the PUBLIC virtual host for specs.{{ tld }} +# This is the PUBLIC virtual host for monitor.{{ tld }} # # Note that we call another NGINX virtual host, from the internal network, # without SSL, and with a different name than the publicly exposed.
diff --git a/nutcracker/init.sls b/nutcracker/init.sls
index 0be832e..a2af903 100644
--- a/nutcracker/init.sls
+++ b/nutcracker/init.sls
@@ -4,6 +4,9 @@ include: - mmonit - code.packages +# https://launchpad.net/~twemproxy/+archive/ubuntu/stable +# add-apt-repository -y ppa:twemproxy/stable + nutcracker: pkg.installed: - skip_verify: True
diff --git a/roles/docker.sls b/roles/docker.sls
index ba1065b..5341e70 100644
--- a/roles/docker.sls
+++ b/roles/docker.sls
@@ -2,4 +2,5 @@ include: - code.discuss - code.status - code.publican + - code.etherpad 
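Review bot: In etherpad/frontend.sls, `upstreams: {{ upstreams }}` writes the Python repr of the pillar list into the YAML context, which parses back correctly only while every element renders as a plain quoted string; serialising it explicitly, `upstreams: {{ upstreams | json }}`, removes that dependency. The `file.managed` state for /etc/nginx/sites-available/etherpad also sets no `user`, `group` or `mode`, so ownership of the vhost file is left to defaults. Nothing visible in this hunk reloads nginx when the vhost or symlink changes; if the included `nginx` state defines a service, a `watch_in` on it would make upstream or certificate-path changes take effect without a manual reload.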
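Review bot: In nutcracker/init.sls the added comment records a manual `add-apt-repository` step, while the `nutcracker` state on the context lines installs with `skip_verify: True`, so the package comes from a PPA that Salt does not manage and its signature is not checked. Consider declaring the repository in the state file with `pkgrepo.managed` and `- ppa: twemproxy/stable`, required by the `pkg.installed`, so the PPA key is imported by the state run and `skip_verify` can presumably be dropped. The `nutcracker` state continues past the end of the hunk, so its remaining options are not visible here.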
diff --git a/top.sls b/top.sls
index 2b02485..887b53d 100644
--- a/top.sls
+++ b/top.sls
@@ -65,7 +65,8 @@ base: 'code*': - gerrit - rsync - 'db*': + 'roles:db': + - match: grain - logwatch - mysql.server - rsync
@@ -73,6 +74,7 @@ base: - match: grain - webplatform.postgres - postgres + - logwatch - rsync 'memcache*': - memcached
@@ -145,6 +147,7 @@ base: - piwik.frontend - monitor.frontend - discourse.frontend + - etherpad.frontend # vim: ai filetype=yaml tabstop=2 softtabstop=2 shiftwidth=2
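Review bot: In the first top.sls hunk, the database states move from the `'db*'` minion-ID glob to `'roles:db'` with `- match: grain`; grains are reported by the minion itself, so any minion whose local configuration sets `roles: db` will be targeted as a database host. That matters most if the pillar top file uses the same match, because pillar is where credentials usually live; for anything sensitive, target on the minion ID (bound to the accepted key) or on pillar data instead. A comment above the entry such as `# grain is minion-asserted; do not reuse this match in the pillar top file` would record the constraint.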