diff --git a/fediversity/peertube.nix b/fediversity/peertube.nix
index 7b121ed..fe26232 100644
--- a/fediversity/peertube.nix
+++ b/fediversity/peertube.nix
@@ -8,7 +8,7 @@ in
 { config, lib, pkgs, ... }:
 
 lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
-  networking.firewall.allowedTCPPorts = [ 80 9000 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   services.garage = {
     ensureBuckets = {
@@ -59,7 +59,6 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
     # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
     redis.createLocally = true;
     database.createLocally = true;
-    configureNginx = true;
 
     secrets.secretsFile = config.fediversity.temp.peertubeSecretsFile;
 
@@ -96,4 +95,12 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
     AWS_ACCESS_KEY_ID=${snakeoil_key.id}
     AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
   '';
+
+  ## Proxying through Nginx
+
+  services.peertube.configureNginx = true;
+  services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
+    forceSSL = true;
+    enableACME = true;
+  };
 }