diff --git a/.forgejo/workflows/cache.yaml b/.forgejo/workflows/cache.yaml
index a3d2fa66..a841ac9a 100644
--- a/.forgejo/workflows/cache.yaml
+++ b/.forgejo/workflows/cache.yaml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
- - run: attic login fediversity http://attic.fediversity.net:8080 ${{ secrets.ATTIC_PUSH_KEY }} && attic use demo
+ - run: attic login fediversity https://attic.fediversity.net ${{ secrets.ATTIC_PUSH_KEY }} && attic use demo
 - name: Set up SSH key to access age secrets
 run: |
diff --git a/infra/common/nixos/default.nix b/infra/common/nixos/default.nix
index a45499b4..9d9f994d 100644
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@@ -26,7 +26,7 @@ in
 nix.settings = {
 substituters = [
- "http://attic.fediversity.net/demo"
+ "https://attic.fediversity.net/demo"
 ];
 trusted-public-keys = [
 "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM="
diff --git a/infra/common/nixos/nftables-ruleset.nft b/infra/common/nixos/nftables-ruleset.nft
index d64f1e2a..985240f5 100644
--- a/infra/common/nixos/nftables-ruleset.nft
+++ b/infra/common/nixos/nftables-ruleset.nft
@@ -43,8 +43,7 @@ table inet filter {
 ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
 # open tcp ports: sshd (22)
- # 8080: used in atticd
- tcp dport {ssh,8080} accept
+ tcp dport ssh accept
 # open tcp ports: snmp (161)
 ip saddr $snmp_allow udp dport {snmp} accept
diff --git a/services/fediversity/attic/default.nix b/services/fediversity/attic/default.nix
index 4dd87eea..5113a6a3 100644
--- a/services/fediversity/attic/default.nix
+++ b/services/fediversity/attic/default.nix
@@ -69,7 +69,7 @@ in
 ];
 };
- # open up access to the mastodon web interface. 80 is necessary if only for ACME
+ # open up access. 80 is necessary if only for ACME
 networking.firewall.allowedTCPPorts = [
 80
 443
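Review bot: The push token is still handed to `attic login` as a positional argument after this change, so it remains visible in the runner's process list and, if the step's shell echoes commands, in the job log; switching the endpoint to https only protects it on the wire. Because the removed line sent `ATTIC_PUSH_KEY` in cleartext to port 8080, that token should be treated as potentially observed and rotated, not merely re-pointed at the TLS endpoint. If attic can read the token from an environment variable or stdin, prefer that over the argument; otherwise make sure the step does not run with shell tracing and rely on the forge's secret masking. The `run` step is complete within the hunk, but the enclosing job definition is outside it.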
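Review bot: atticd's own bind address is not changed alongside the removal of 8080 from the accept set, so if the daemon still listens on all interfaces this single rule is now the only thing keeping the plaintext cache API off the network. Since the new nginx location proxies to `http://127.0.0.1:8080`, the daemon's `listen` setting should be pinned to `127.0.0.1:8080` as well so the loopback-only exposure holds even if the ruleset is edited later; I cannot see the atticd settings from this hunk, so confirm the current value. The `table inet filter` chain continues outside the hunk.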
@@ -77,6 +77,27 @@ in
 9000
 ];
+ # https://wiki.nixos.org/wiki/Nginx#TLS_reverse_proxy
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts."attic.${config.fediversity.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ # required when the target is also TLS server with multiple hosts
+ "proxy_ssl_server_name on;" +
+ # required when the server wants to use HTTP Authentication
+ "proxy_pass_header Authorization;";
+ };
+ };
+ };
+
 vars.settings.on-machine.enable = true;
 vars.generators."templates" = rec {
 dependencies = [ "attic" ];
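Review bot: The new `locations."/"` block sets no `client_max_body_size`, so nginx's default 1 MiB request-body limit applies and `attic push` uploads of larger NARs through this proxy will be rejected with 413; the CI workflow now goes through this vhost rather than port 8080 directly. The two `extraConfig` directives copied from the wiki are inert here: `proxy_ssl_server_name on` only matters for a TLS upstream and this one is plain http on loopback, and `proxy_pass_header` governs headers in the backend's response, not the client's `Authorization` request header, which nginx already forwards. I would replace `extraConfig` with a body-size override (use a finite cap instead of `0` if you would rather not disable the limit) and drop `proxyWebsockets`, which the attic client does not appear to need. The enclosing module continues outside the hunk.
```nix
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
        extraConfig = ''
          # attic uploads whole NARs in one request; nginx's default 1m limit would 413 them
          client_max_body_size 0;
        '';
      };
      # … unchanged: enableACME/forceSSL and the rest of the virtualHost …
```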