diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp
index 12ec17d..b75782d 100644
--- a/site/profiles/manifests/reposync/webserver.pp
+++ b/site/profiles/manifests/reposync/webserver.pp
@@ -1,6 +1,7 @@
 # setup a reposync webserver
 class profiles::reposync::webserver (
 String $www_root = '/data/repos/snap',
+ String $cache_root = '/data/repos/cache',
 String $nginx_vhost = 'repos.main.unkin.net',
 Stdlib::Port $nginx_port = 80,
 Stdlib::Port $nginx_ssl_port = 443,
@@ -77,10 +78,45 @@ class profiles::reposync::webserver (
 # merge the hashes conditionally
 $nginx_parameters = merge($defaults, $extras_hash)
+ # manage the nginx class
+ class { 'nginx':
+ proxy_cache_path => {
+ "${cache_root}/debian" => 'debian:128m',
+ },
+ proxy_cache_levels => '1:2',
+ proxy_cache_keys_zone => 'debian:128m',
+ proxy_cache_max_size => '30000m',
+ proxy_cache_inactive => '60d',
+ proxy_temp_path => "${cache_root}/tmp",
+ }
+
 # create the nginx vhost with the merged parameters
- class { 'nginx': }
 create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+ # cache debian packages from upstream
+ nginx::resource::location { "${nginx_vhost}-debian":
+ ensure => present,
+ ssl => true,
+ ssl_only => false,
+ location => '/debian',
+ server => $nginx_vhost,
+ proxy => 'http://mirror.gsl.icu/debian',
+ }
+ nginx::resource::location { "${nginx_vhost}-debian_pool":
+ ensure => present,
+ ssl => true,
+ ssl_only => false,
+ location => '/debian/pool',
+ server => $nginx_vhost,
+ proxy => 'http://mirror.gsl.icu/debian/pool',
+ proxy_cache => 'debian',
+ proxy_cache_valid => [
+ '200 302 1440h',
+ '404 1m'
+ ],
+ }
+
 if $favicon {
 file { "${www_root}/favicon.ico":
 ensure => 'file',
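Review bot: `String $cache_root` in the class signature accepts any string, including a relative path or one containing spaces or regex metacharacters. Later hunks interpolate the value into the nginx cache and temp paths, into the SELinux pathspec `"${cache_root}(/.*)?"`, and into the `restorecon -Rv ${cache_root}` command. Declaring it as `Stdlib::Absolutepath $cache_root = '/data/repos/cache',` rejects the obviously wrong values at compile time; the file already uses `Stdlib::Port`, so stdlib types are available. The header comment could also gain one line saying what the directory holds, for example `# $cache_root: nginx proxy cache and temp files for the upstream mirror`.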
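Review bot: Both new locations set `proxy` to `http://mirror.gsl.icu/debian...` in cleartext, and the `/debian/pool` location keeps 200 and 302 responses for `1440h`. A response altered or redirected between this host and the mirror would therefore be replayed from cache for up to 60 days. apt clients should still reject a modified package because pool files are checked against the signed Release metadata, but the result is a long-lived install failure, and anything fetched from `/debian/pool` outside apt gets no integrity check. If the mirror offers TLS, use the https URL, and consider a short lifetime for redirects, e.g. `proxy_cache_valid => ['200 1440h', '302 10m', '404 1m'],`. The upstream URL is also hard-coded twice; a class parameter such as `Stdlib::HTTPUrl $debian_upstream` would keep the two locations in step.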
@@ -109,6 +145,13 @@ class profiles::reposync::webserver (
 pathspec => "${www_root}(/.*)?",
 }
+ # set httpd_sys_rw_content_t to all files under the cache_root
+ selinux::fcontext { $cache_root:
+ ensure => 'present',
+ seltype => 'httpd_sys_rw_content_t',
+ pathspec => "${cache_root}(/.*)?",
+ }
+
 # make sure we can connect to port 80
 selboolean { 'httpd_can_network_connect':
 persistent => true,
@@ -121,5 +164,12 @@ class profiles::reposync::webserver (
 refreshonly => true,
 subscribe => Selinux::Fcontext[$www_root],
 }
+ exec { "restorecon_${cache_root}":
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "restorecon -Rv ${cache_root}",
+ refreshonly => true,
+ subscribe => Selinux::Fcontext[$cache_root],
+ }
 }
 }
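Review bot: The new `selinux::fcontext` labels the whole cache tree `httpd_sys_rw_content_t`, a general writable-web-content type, although the directory only holds proxy cache and temp files. The policy's dedicated cache type looks like the closer least-privilege fit, `seltype => 'httpd_cache_t',`, but confirm that it exists and is writable by nginx under the policy shipped on the target hosts. The comment above the resource could also state that `$cache_root` must not sit under `$www_root`. In that case the two pathspecs would overlap and cached upstream content would be reachable through the static file tree. The surrounding SELinux block starts outside the hunk.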
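Review bot: The new `exec { "restorecon_${cache_root}": }` assumes the directory already exists, yet none of the visible hunks declares a `file` resource for `${cache_root}`, `${cache_root}/debian` or `${cache_root}/tmp`, so on a fresh host `restorecon -Rv` would fail on the missing path. If the directories are not created elsewhere in the class, add `file { [$cache_root, "${cache_root}/tmp"]: ensure => 'directory' }` and give the exec `require => File[$cache_root],`. It also looks as if nothing orders the relabel before the nginx service starts, so under enforcing mode the first run may start nginx against an unlabelled cache path; `before => Class['nginx'],` on the exec would make the order explicit. The enclosing conditional block opens outside the hunk.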