diff --git a/Makefile b/Makefile
index d77b95f..1e1d515 100644
--- a/Makefile
+++ b/Makefile
@@ -31,6 +31,8 @@ down:
 	$(DOCKER) down
 nginx-shell:
 	$(DOCKER) exec nginx sh
+nginx-logs:
+	$(DOCKER) logs -f --tail 1000 nginx
 grafana-shell:
 	$(DOCKER) exec grafana bash
 hedgedoc-shell:
diff --git a/mastodon.yaml b/mastodon.yaml
index aba46af..e3819e8 100644
--- a/mastodon.yaml
+++ b/mastodon.yaml
@@ -35,14 +35,20 @@ services:
       - ./data/mastodon/redis:/data
 
   mastodon-es:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.5
     restart: always
     container_name: mastodon-es
     environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -Des.enforce.bootstrap.checks=true"
+      - "xpack.license.self_generated.type=basic"
+      - "xpack.security.enabled=false"
+      - "xpack.watcher.enabled=false"
+      - "xpack.graph.enabled=false"
+      - "xpack.ml.enabled=false"
+      - "bootstrap.memory_lock=true"
       - "cluster.name=es-mastodon"
       - "discovery.type=single-node"
-      - "bootstrap.memory_lock=true"
+      - "thread_pool.write.queue_size=1000"
     env_file:
       - ./env.production
       - ./mastodon/env.production
@@ -53,7 +59,7 @@ services:
     volumes:
        - ./data/mastodon/elasticsearch:/usr/share/elasticsearch/data
     # fixup the permissions on the data directory since they are created as root on host
-    entrypoint: ["/bin/sh", "-c", "chown -R elasticsearch:elasticsearch data && exec /usr/local/bin/docker-entrypoint.sh eswrapper"]
+    entrypoint: ["/bin/sh", "-c", "sysctl -w vm.max_map_count=262144 && chown elasticsearch:elasticsearch data && exec /usr/local/bin/docker-entrypoint.sh eswrapper"]
     ulimits:
       memlock:
         soft: -1
diff --git a/nginx/docker-entrypoint.d/10-createkey.sh b/nginx/docker-entrypoint.d/10-createkey.sh
index 1fd36f0..d590dff 100755
--- a/nginx/docker-entrypoint.d/10-createkey.sh
+++ b/nginx/docker-entrypoint.d/10-createkey.sh
@@ -7,6 +7,7 @@ if [ -z "$DOMAIN_NAME" ]; then
 fi
 
 certdir="/etc/letsencrypt/live/${DOMAIN_NAME}"
+mkdir -p "$certdir"
 
 # ensure that the keys are available with a fixed path
 for key in fullchain.pem privkey.pem ; do
@@ -17,7 +18,6 @@ if [ -r "$certdir/fullchain.pem" ]; then
 	exit 0
 fi
 
-mkdir -p "$certdir"
 
 echo >&2 "$certdir: Creating temporary keys"
 openssl req \