diff --git a/deploy/nginx.conf b/deploy/nginx.conf
index 32fe193f557e6602e92ea7b16d742f2626f4f556..0b2a534dff2400761e1a670444ff6933517c3596 100644
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -4,9 +4,29 @@ upstream funkwhale-api {
 }
 
 server {
-    listen      80;
+  listen 80;
+  listen [::]:80;
+  server_name demo.funkwhale.audio;
+  # useful for Let's Encrypt
+  location /.well-known/acme-challenge/ { allow all; }
+  location / { return 301 https://$host$request_uri; }
+}
+
+server {
+    listen      443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name demo.funkwhale.audio;
 
+    # TLS
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    # HSTS
+    add_header Strict-Transport-Security "max-age=31536000";
+
     root /srv/funkwhale/front/dist;
 
     location / {
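Review bot: The ACME location in the new port-80 server block declares no `root`, so the challenge files the ACME client writes to its webroot are served only if nginx's default document root happens to be that directory; give it an explicit one, e.g. `location /.well-known/acme-challenge/ { root /PATH/TO/ACME-WEBROOT; allow all; }` (placeholder — use the client's configured webroot). The certificate paths under `/etc/letsencrypt/live/example.com/` do not match `server_name demo.funkwhale.audio` in the same block, and nginx will fail its config check if those files are absent, so this looks like a placeholder that should be aligned before deploy. The HSTS `add_header` is emitted only on 2xx/3xx responses and is dropped entirely in any `location` that sets its own `add_header`; `add_header Strict-Transport-Security "max-age=31536000" always;` also covers error responses, and each location that adds headers must repeat it. The redirect uses `$host`, which echoes the client-supplied Host header into the Location header; if this is the only server on port 80 it acts as the default and will redirect to arbitrary hosts, so `return 301 https://$server_name$request_uri;` is the safer form. The two new server blocks also mix two- and four-space indentation.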