diff --git a/.gitignore b/.gitignore
index d7f5e82..b85279f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,7 @@ __pycache__
 
 # website
 website/gitea
-website/letsencrypt
+website/certbot
 website/sendgrid.key
 
 # monerod
diff --git a/compose.yml b/compose.yml
index 283548b..a66b150 100644
--- a/compose.yml
+++ b/compose.yml
@@ -21,18 +21,16 @@ services:
 website:
 restart: always
 build: website/.
- entrypoint: ["/bin/sh", "/root/entry.sh"]
+ entrypoint: ["/bin/sh", "/home/ubuntu/entry.sh"]
 ports:
- - "80:80"
- - "443:443"
+ - "80:8080"
+ - "443:8443"
 networks:
 - web
 volumes:
- - ./website/letsencrypt:/etc/letsencrypt
+ - ./website/certbot:/home/ubuntu/certbot
 cap_drop:
 - ALL
- cap_add:
- - NET_BIND_SERVICE
 gitea:
 restart: always
 image: gitea/gitea:latest-rootless
diff --git a/scripts/backup.py b/scripts/backup.py
index 84126f0..0c846c9 100755
--- a/scripts/backup.py
+++ b/scripts/backup.py
@@ -9,6 +9,6 @@ if __name__ == "__main__":
 "terraria/worlds",
 "terraria/password.txt",
 "website/gitea",
- "website/letsencrypt",
+ "website/certbot",
 "website/sendgrid.key",
 ], check=True)
diff --git a/scripts/setup_repo.py b/scripts/setup_repo.py
index d64ebb8..4f1dbef 100755
--- a/scripts/setup_repo.py
+++ b/scripts/setup_repo.py
@@ -5,7 +5,7 @@ from pathlib import Path
 if __name__ == "__main__":
 # create folders with same UID/GID as user so containers have access
 PATHS = [
- "website/letsencrypt",
+ "website/certbot",
 "website/gitea/config",
 "website/gitea/data",
 "monerod/.bitmonero",
diff --git a/website/.dockerignore b/website/.dockerignore
index 42483b2..f55a997 100644
--- a/website/.dockerignore
+++ b/website/.dockerignore
@@ -1,2 +1,2 @@
 gitea
-letsencrypt
+certbot
diff --git a/website/Dockerfile b/website/Dockerfile
index b66b2d6..0589cb2 100644
--- a/website/Dockerfile
+++ b/website/Dockerfile
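Review bot: With `cap_add: NET_BIND_SERVICE` removed and the ports remapped to 8080/8443, the website service now runs with every capability dropped, but a setuid binary inside the image could still regain privileges; add `security_opt:` / `- no-new-privileges:true` next to `cap_drop` to close that gap. The new bind mount `./website/certbot:/home/ubuntu/certbot` is created on the host by scripts/setup_repo.py with the host user's UID/GID, while the container presumably writes to it as the image's `ubuntu` user; if those UIDs differ, certbot's `--config-dir` is not writable and issuance fails at startup, so pin the UID explicitly (a `user:` entry or a build arg) rather than relying on the two matching by chance. The gitea lines at the end of the hunk are unchanged context.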
@@ -5,18 +5,14 @@ ENV TZ=America/Los_Angeles RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone RUN apt-get update && apt-get -y upgrade -RUN apt-get install -y nginx certbot python3-certbot-nginx python3-pip +RUN apt-get install -y nginx certbot python3-pip RUN pip3 install sendgrid --break-system-packages -RUN rm /etc/nginx/sites-enabled/default +USER ubuntu +WORKDIR /home/ubuntu +RUN mkdir nginx certbot -# enable site # TODO make the website code not terrible ;-; -COPY matthewtran.com /etc/nginx/sites-available -RUN ln -s /etc/nginx/sites-available/matthewtran.com /etc/nginx/sites-enabled/matthewtran.com -COPY html /var/www/matthewtran.com/html - -# start script -WORKDIR /root -COPY sendgrid.ke[y] ip_update.py ./ -COPY entry.sh ./ +COPY --chown=ubuntu:ubuntu html ./html +COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./ +COPY --chown=ubuntu:ubuntu server.conf entry.sh ./ diff --git a/website/entry.sh b/website/entry.sh index b273834..0adbcb7 100644 --- a/website/entry.sh +++ b/website/entry.sh 
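Review bot: `COPY --chown=ubuntu:ubuntu sendgrid.ke[y] ip_update.py ./` bakes the SendGrid API key into an image layer, so anyone who can pull or inspect the image or its build cache obtains the credential; since the service already has a bind-mounted home, mount the key read-only from compose instead (`- ./website/sendgrid.key:/home/ubuntu/sendgrid.key:ro`) and drop it from the COPY. `USER ubuntu` assumes the base image ships that account (the FROM line is outside the hunk); if it does not, a `useradd` with a pinned UID is needed, and in either case the numeric UID is worth documenting next to `USER ubuntu` because the host-side certbot directory must be writable by it. `RUN mkdir nginx certbot` creates a directory that compose then shadows with the bind mount, which is harmless but deserves a comment such as `# certbot/ is replaced by a bind mount at runtime; nginx/ holds the pid and temp files`.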
@@ -1,32 +1,29 @@
 #!/bin/sh
 
-# server needs to be up to get certs
-nginx
-while [ ! -f /var/run/nginx.pid ]
-do
- sleep 1
-done
-
 # get certs if needed
-certbot --nginx \
- --webroot-path /var/www/matthewtran.com \
+certbot certonly --standalone \
+ --http-01-port 8080 \
+ --config-dir ~/certbot \
+ --work-dir ~/certbot/work \
+ --logs-dir ~/certbot/logs \
 --non-interactive --agree-tos -m matthewlamtran@berkeley.edu \
 -d matthewtran.com \
 -d www.matthewtran.com \
 -d git.matthewtran.com
-nginx -s reload
 
 # background process to renew certs and check ip changes
 update() {
- certbot renew --quiet
+ certbot renew --quiet \
+ --config-dir ~/certbot \
+ --work-dir ~/certbot/work \
+ --logs-dir ~/certbot/logs
 sleep 86400
 }
 update &
 ./ip_update.py &
 
-# wait for termination
-cleanup() {
- echo "stopping..."
-}
-trap 'cleanup' TERM
-wait $! # wait SIGTERM, other processes can just be killed
+# run server
+nginx -c ~/server.conf
+trap 'echo "stopping website..."' TERM
+tail -f /dev/null &
+wait $!
diff --git a/website/matthewtran.com b/website/matthewtran.com
deleted file mode 100644
index a9ee4af..0000000
--- a/website/matthewtran.com
+++ /dev/null
@@ -1,29 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name matthewtran.com www.matthewtran.com;
-
- root /var/www/matthewtran.com/html;
- index index.html;
-
- location / {
- try_files $uri $uri/ =404;
- }
-}
-
-server {
- listen 80;
- listen [::]:80;
-
- server_name git.matthewtran.com;
-
- location / {
- client_max_body_size 512M;
- proxy_pass http://gitea:3000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-}
diff --git a/website/server.conf b/website/server.conf
new file mode 100644
index 0000000..c64b529
--- /dev/null
+++ b/website/server.conf
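Review bot: The renewal in `update()` cannot succeed once nginx is up: the standalone issuance records `--http-01-port 8080` in the renewal config, so `certbot renew` will try to bind 8080 itself, which server.conf now gives to nginx, and the renewal fails with the port in use. Two further gaps compound this — `update()` has no loop, so the renew-then-sleep body runs exactly once and the background job exits, and nothing reloads nginx after a renewal, so a renewed certificate is not served until the container restarts. Switch the renewal to webroot mode against a directory that nginx serves on its 8080 server (a `location /.well-known/acme-challenge/` there), loop, and reload nginx through `--deploy-hook`; as far as I know `certbot renew` accepts the plugin flags and rewrites the renewal config with them, which a `--dry-run` would confirm. The initial `certbot certonly --standalone` before nginx starts is fine as written.
```sh
# background process to renew certs and check ip changes
mkdir -p ~/certbot/webroot
update() {
    while true; do
        certbot renew --quiet \
            --config-dir ~/certbot \
            --work-dir ~/certbot/work \
            --logs-dir ~/certbot/logs \
            --webroot -w ~/certbot/webroot \
            --deploy-hook "nginx -c $HOME/server.conf -s reload"
        sleep 86400
    done
}
# … unchanged: update &, ./ip_update.py &, nginx start, trap and wait …
```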
@@ -0,0 +1,75 @@
+# adapted from /etc/nginx/nginx.conf
+worker_processes auto;
+pid /home/ubuntu/nginx/site.pid;
+error_log /dev/stderr;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ gzip on;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /home/ubuntu/certbot/live/matthewtran.com/fullchain.pem;
+ ssl_certificate_key /home/ubuntu/certbot/live/matthewtran.com/privkey.pem;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/stdout;
+ client_body_temp_path /home/ubuntu/nginx/body;
+ proxy_temp_path /home/ubuntu/nginx/proxy;
+ fastcgi_temp_path /home/ubuntu/nginx/fastcgi;
+ uwsgi_temp_path /home/ubuntu/nginx/uwsgi;
+ scgi_temp_path /home/ubuntu/nginx/scgi;
+
+ # SSL redirect
+ server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+ # default
+ server {
+ listen 8443 ssl default_server;
+ listen [::]:8443 ssl default_server;
+ server_name _;
+ return 404;
+ }
+
+ # website
+ server {
+ listen 8443 ssl;
+ listen [::]:8443 ssl;
+ server_name matthewtran.com www.matthewtran.com;
+
+ root /home/ubuntu/html;
+ index index.html;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ }
+
+ # gitea
+ server {
+ listen 8443 ssl;
+ listen [::]:8443 ssl;
+ server_name git.matthewtran.com;
+
+ location / {
+ client_max_body_size 512M;
+ proxy_pass http://gitea:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ }
+}
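Review bot: The 8080 server block issues `return 301` at server level, which also redirects ACME HTTP-01 validation requests to HTTPS; that is fine while certbot runs standalone before nginx starts, but it blocks any webroot-based renewal later, and because a server-level `return` runs before location matching the redirect has to move into `location /` to make room for a challenge location. The TLS section sets `ssl_prefer_server_ciphers on` with no `ssl_ciphers` list and sends no HSTS header; since everything on 8443 is HTTPS-only, `add_header Strict-Transport-Security "max-age=63072000" always;` in the `http` block is a cheap addition. The hardcoded `X-Forwarded-Proto https` on the gitea proxy is correct here because there is no plain-HTTP path to it; a one-line comment saying so would spare the next reader a check.
```nginx
    # SSL redirect
    server {
        listen 8080 default_server;
        listen [::]:8080 default_server;
        server_name _;

        # must stay reachable over plain HTTP for certbot webroot renewals
        location /.well-known/acme-challenge/ {
            root /home/ubuntu/certbot/webroot;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }
    # … unchanged: default, website and gitea servers …
```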