diff --git a/mastodon/setup b/mastodon/setup
index e0f05b8..65d5ee5 100755
--- a/mastodon/setup
+++ b/mastodon/setup
@@ -27,7 +27,8 @@ OIDC_CLIENT_SECRET="$(openssl rand -hex 32)"
 mkdir -p "$(dirname "$SECRETS")"
 cat <<EOF > "$SECRETS"
 # DO NOT CHECK IN
-LOCAL_DOMAIN=$MASTODON_HOSTNAME
+WEB_DOMAIN=$MASTODON_HOSTNAME
+LOCAL_DOMAIN=$DOMAIN_NAME
 OIDC_DISPLAY_NAME=$REALM
 OIDC_ISSUER=https://$KEYCLOAK_HOSTNAME/realms/$REALM
 OIDC_REDIRECT_URI=https://$MASTODON_HOSTNAME/auth/auth/openid_connect/callback
diff --git a/nginx/nginx/templates/000-default.conf.template b/nginx/nginx/templates/000-default.conf.template
index 491ca2b..503d1dd 100644
--- a/nginx/nginx/templates/000-default.conf.template
+++ b/nginx/nginx/templates/000-default.conf.template
@@ -30,10 +30,16 @@ server {
 		root /var/www;
 	}
 
+	# delegated Matrix server
 	location /.well-known/matrix {
 		proxy_pass https://${MATRIX_HOSTNAME};
 	}
 
+	# separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
+	location = /.well-known/host-meta {
+		return 301 https://${MASTODON_HOSTNAME}$request_uri;
+	}
+
 	listen 443 ssl default_server;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;