diff --git a/Dockerfile b/Dockerfile index 68233ab..d213f0e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,4 +20,18 @@ RUN luarocks install busted RUN luarocks install luajit-curl RUN luarocks install luasocket # needed for testing nginx reverse proxy +RUN mkdir -p /var/www/certs/miti.sh \ + && openssl req -x509 -newkey rsa:4096 -nodes \ + -keyout /var/www/certs/miti.sh/privkey.pem \ + -out /var/www/certs/miti.sh/fullchain.pem \ + -sha256 -days 365 -subj '/CN=miti.sh' \ + -addext "subjectAltName=DNS:miti.sh,DNS:git.miti.sh,DNS:apps.miti.sh" + +RUN mkdir -p /var/www/certs/webdevcat.me \ + && openssl req -x509 -newkey rsa:4096 -nodes \ + -keyout /var/www/certs/webdevcat.me/privkey.pem \ + -out /var/www/certs/webdevcat.me/fullchain.pem \ + -sha256 -days 365 -subj '/CN=webdevcat.me' \ + -addext "subjectAltName=DNS:webdevcat.me,DNS:git.webdevcat.me,DNS:apps.webdevcat.me" + CMD ["sh", "-c", "openresty -p `pwd` -g 'daemon off;'"] diff --git a/Makefile b/Makefile index ac7471c..3d3b558 100644 --- a/Makefile +++ b/Makefile @@ -6,6 +6,12 @@ run: build: docker run --rm -w /opt/app -v $(PWD):/opt/app $(image) sitegen +image-rm: + docker image rm $(image):latest + +image-build: + docker build -t $(image) . + lint: docker run --rm -w /opt/app -v $(PWD):/opt/app $(image) moonc -l . diff --git a/conf/nginx.conf b/conf/nginx.conf index 43d27a9..076e9e1 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -8,12 +8,23 @@ events { http { server { listen 80; - # listen 443 ssl; + return 301 https://$host$request_uri; + } + + server { + listen 443 ssl; include mime.types; charset utf-8; default_type text/html; + ssl_certificate /var/www/certs/miti.sh/fullchain.pem; + ssl_certificate_key /var/www/certs/miti.sh/privkey.pem; + + location ^~ /.well-known/acme-challenge { + alias /var/www/dehydrated; + } + try_files $uri $uri/ $uri.html =404; # return `/posts/index.html` from `/posts` 
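Review bot: The two `openssl req ... -nodes` steps write unencrypted private keys into an image layer, so every copy of the image carries the same keys, and nothing in the hunk marks them as test-only. Add a comment above the first `RUN`, e.g. `# self-signed test certificates; the keys are stored in the image layer, so do not publish or deploy this image`, and keep real certificates out of the build by mounting them at runtime. The keys also land under `/var/www`, a tree that web servers commonly serve; the `root` directives are not visible in this diff, so confirm that none of them covers `/var/www/certs`. With `-days 365`, a cached image will start failing the TLS tests a year after it was built.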
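Review bot: `image-rm` and `image-build` name commands rather than files, and no `.PHONY` declaration is visible in this hunk. Unless one exists elsewhere in the Makefile, add `.PHONY: image-rm image-build` so that a stray file with either name cannot silently disable the target. Since `image-build` produces an image that contains the test private keys generated in the Dockerfile, a short comment above it saying the image is for local testing only would also help.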
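Review bot: The new `location ^~ /.well-known/acme-challenge` with `alias /var/www/dehydrated` matches by bare prefix, so a URI such as `/.well-known/acme-challenge-x/...` maps to `/var/www/dehydrated-x/...`, exposing any sibling path whose name starts with `dehydrated`. Terminate both sides with a slash, `location ^~ /.well-known/acme-challenge/ { alias /var/www/dehydrated/; }`; the same block is added to the `git.miti.sh` server in the next hunk. Separately, the port-80 server has no `server_name` and builds its redirect from `$host`, so it reflects whatever Host header the client sends into `Location`. Naming the hosts it should serve (or redirecting to a fixed name) keeps unknown hosts from being redirected. The 443 server block continues outside the hunk.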
@@ -33,8 +44,13 @@ http { } server { + listen 443 ssl; server_name git.miti.sh; + location ^~ /.well-known/acme-challenge { + alias /var/www/dehydrated; + } + location / { client_max_body_size 1024M; proxy_pass http://unix:/run/gitea/gitea.socket; diff --git a/spec/nginx_spec.moon b/spec/nginx_spec.moon index 3787e3b..8dc754c 100644 --- a/spec/nginx_spec.moon +++ b/spec/nginx_spec.moon @@ -11,6 +11,13 @@ describe "test environment", -> it "can't connect to the internet", -> assert.has_error (-> req "http://example.org"), "Couldn't resolve host name" +describe "http://miti.sh", -> + it "redirects to https", -> + request = req "http://miti.sh" + assert.same request\statusCode!, 301 + assert.same request\statusMessage!, "Moved Permanently" + assert.same request\header!.Location, "https://miti.sh/" + describe "http://webdevcat.me", -> it "permanently redirects to http://miti.sh", -> request = req "http://webdevcat.me" 
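Review bot: The `git.miti.sh` block gains `listen 443 ssl`, but no `ssl_certificate` appears in the lines shown, so it presumably answers with the certificate of the default 443 server. That works only while that certificate lists `git.miti.sh` as a subject alternative name. A comment such as `# uses the miti.sh certificate from the default server; it must cover git.miti.sh` would make the dependency explicit for whoever replaces the certificate later. The `location /` body continues outside the hunk.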
@@ -67,42 +74,42 @@ describe "http://apps.webdevcat.me/btroops", -> assert.same request\statusMessage!, "Moved Permanently" assert.same request\header!.Location, "http://apps.miti.sh/btroops" -describe "http://miti.sh", -> +describe "https://miti.sh", -> it "sends /index.html", -> - request = req "http://miti.sh" + request = req "https://miti.sh" assert.same request\statusCode!, 200 assert.same request\statusMessage!, "OK" assert.same request\body!\match("(.*)"), index_title -describe "http://miti.sh/index", -> +describe "https://miti.sh/index", -> it "sends /index.html", -> - request = req "http://miti.sh/index" + request = req "https://miti.sh/index" assert.same request\statusCode!, 200 assert.same request\statusMessage!, "OK" assert.same request\body!\match("(.*)"), index_title -describe "http://miti.sh/index.html", -> +describe "https://miti.sh/index.html", -> it "sends /index.html", -> - request = req "http://miti.sh/index.html" + request = req "https://miti.sh/index.html" assert.same request\statusCode!, 200 assert.same request\statusMessage!, "OK" assert.same request\body!\match("(.*)"), index_title -describe "http://miti.sh/posts/", -> +describe "https://miti.sh/posts/", -> it "permanently redirects to http://miti.sh/posts", -> - request = req "http://miti.sh/posts/" + request = req "https://miti.sh/posts/" assert.same request\statusCode!, 301 assert.same request\statusMessage!, "Moved Permanently" - assert.same request\header!.Location, "http://miti.sh/posts" + assert.same request\header!.Location, "https://miti.sh/posts" -describe "http://miti.sh/posts", -> +describe "https://miti.sh/posts", -> it "sends /posts/index.html", -> - request = req "http://miti.sh/posts" + request = req "https://miti.sh/posts" assert.same request\statusCode!, 200 assert.same request\statusMessage!, "OK" assert.same request\body!\match("(.*)"), "miti.sh ยท Posts" -describe "http://git.miti.sh", -> +describe "https://git.miti.sh", -> it "reverse-proxies request to a gitea unix 
socket", -> Path = require "sitegen.path" socket_fname = "unixstreamsrvr.moon" @@ -117,7 +124,7 @@ describe "http://git.miti.sh", -> result = Path.read_exec "find", socket_dir, "-type", "s", "-ls" assert.truthy result\match "nobody%s+root.+" .. Path.join(socket_dir, "gitea.socket") - req "http://git.miti.sh" + req "https://git.miti.sh" reqheader = with server\read "*a" server\close!
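Review bot: The context line `it "permanently redirects to http://miti.sh/posts", ->` keeps the old description while the assertion below it now expects `https://miti.sh/posts`; rename it to `it "permanently redirects to https://miti.sh/posts", ->`. The `https://` requests in this hunk and the next run against the self-signed certificates generated in the Dockerfile, so `req` (defined outside these hunks) must either trust them or skip verification. If it skips verification, a comment at its definition should state that this is acceptable only inside the offline test container.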