diff --git a/nginx/certbot-renew b/nginx/certbot-renew
index b8d0b04..4d3bfd6 100755
--- a/nginx/certbot-renew
+++ b/nginx/certbot-renew
@@ -2,7 +2,7 @@
 source ../env.production
 source ./env.production
-domain_args="-d $KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME"
+domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME"
 rsa_key_size=2048
 set -x
@@ -10,8 +10,11 @@ set -x
 docker-compose run --rm certbot \
 certonly --webroot -w /var/www/certbot \
 $staging_arg \
- $email_arg \
- $domain_args \
+ --email "admin@$DOMAIN_NAME" \
 --rsa-key-size $rsa_key_size \
 --agree-tos \
- --force-renewal
+ --force-renewal \
+ $domain_args \
+|| die "unable to renew!"
+
+docker-compose exec nginx nginx -s reload
diff --git a/nginx/data/nginx/templates/000-default.conf.template b/nginx/data/nginx/templates/000-default.conf.template
new file mode 100644
index 0000000..31c286a
--- /dev/null
+++ b/nginx/data/nginx/templates/000-default.conf.template
@@ -0,0 +1,41 @@
+server {
+ listen 80;
+ server_name ${DOMAIN_NAME};
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ server_name ${DOMAIN_NAME};
+ client_max_body_size 128m;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ #include /etc/nginx/mime.types;
+ #default_type application/octet-stream;
+
+ gzip on;
+ gzip_disable "msie6";
+
+ proxy_read_timeout 1800s;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ location / {
+ }
+
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ include /etc/letsencrypt/challenge.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+}
+
+
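Review bot: Moving `$DOMAIN_NAME` to the front of `domain_args` changes the first `-d` name, which is what certbot uses to name the lineage, and the new template hard-codes `/etc/letsencrypt/live/${DOMAIN_NAME}/`; if a lineage already exists under the previous first name (`$KEYCLOAK_HOSTNAME`), certbot may refuse the widened domain set or write into a differently named directory rather than the one nginx reads. Pinning the lineage with `--cert-name "$DOMAIN_NAME"` (plus `--expand` when an existing certificate is to be widened) makes the path independent of `-d` ordering. `DOMAIN_NAME` comes from the sourced env files outside this hunk; an empty value yields `-d ,…` and a certbot error, so a guard such as `: "${DOMAIN_NAME:?DOMAIN_NAME must be set}"` before this assignment is cheap insurance.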
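Review bot: The added `docker-compose exec nginx nginx -s reload` runs regardless of whether `certonly` succeeded unless `die` terminates the script; `die` is not defined in this hunk (presumably it comes from one of the sourced env files), and if it only prints, nginx is reloaded after a failed renewal. Chaining makes the intent explicit, `&& docker-compose exec nginx nginx -s reload`, or add `set -e` beside the existing `set -x`. Separately, `--force-renewal` (kept here and now continued with `\`) requests a brand-new certificate on every run; if this script is driven by a timer, each run counts toward the CA's duplicate-certificate rate limit, whereas the plain `renew` subcommand only acts near expiry. A one-line comment above the command stating whether it is meant for manual use or for a scheduler would settle which behaviour is intended.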
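Review bot: The port-80 block's `return 301 https://$host$request_uri;` reflects the client-supplied Host header, and since a file named 000-default is presumably the first (hence default) server for port 80, a request with an unmatched Host is redirected to whatever host the client sent. Redirecting to the configured name instead, `return 301 https://${DOMAIN_NAME}$request_uri;`, avoids the reflection. That same block also redirects `/.well-known/acme-challenge/` to HTTPS, so renewal depends on the 443 listener and its `include /etc/letsencrypt/challenge.conf;` being healthy; adding that include to the port-80 server as well keeps HTTP-01 validation working when the TLS side is broken, which is exactly when a renewal is most needed. The empty `location / { }` in the HTTPS server deserves a comment if it is a placeholder, and unless options-ssl-nginx.conf already sets it, an HSTS header (`add_header Strict-Transport-Security "max-age=63072000" always;`) belongs here once the redirect is confirmed to cover every host.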