diff --git a/deploy/nginx.conf b/deploy/nginx.conf
index d87413543e2b83216a9ad564de540a6b69a4b6aa..7395e37d90a4fa5b1ce800ce5c4afdfff2dfb5a4 100644
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -4,9 +4,29 @@ upstream funkwhale-api {
 }
 
 server {
-    listen      80;
+  listen 80;
+  listen [::]:80;
+  server_name demo.funkwhale.audio;
+  # useful for Let's Encrypt
+  location /.well-known/acme-challenge/ { allow all; }
+  location / { return 301 https://$host$request_uri; }
+}
+
+server {
+    listen      443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name demo.funkwhale.audio;
 
+    # TLS
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    # HSTS
+    add_header Strict-Transport-Security "max-age=31536000";
+
     root /srv/funkwhale/front/dist;
 
     location / {
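Review bot: The new TLS server block is named `demo.funkwhale.audio` but loads its certificate from `/etc/letsencrypt/live/example.com/fullchain.pem` and `privkey.pem`, so as committed nginx either fails to start (no such directory) or presents a certificate for the wrong host; either point `ssl_certificate`/`ssl_certificate_key` at the live directory for the actual server name or mark it as a placeholder, e.g. `# placeholder: replace example.com with the directory certbot created for this server_name`. The HSTS `add_header` is set at server level, and nginx discards server-level `add_header` directives inside any `location` that declares its own `add_header`, so the `location /` block starting on the hunk's last line (its body continues outside the hunk) and any later location that adds headers may silently drop Strict-Transport-Security; a short comment above it noting that inheritance rule would save a future maintainer a puzzling scan. In the port-80 block the `/.well-known/acme-challenge/` location has no `root`, so challenge files are served from nginx's compiled-in default root unless that happens to match the certbot webroot — presumably a `root` for the issuance webroot belongs there, worth confirming against the deployment's certbot invocation.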