diff --git a/.gitignore b/.gitignore
index aec34e3..d6cb11c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,9 @@
 .DS_Store
 __pycache__
 
+# website
+website/letsencrypt
+
 # monerod
 monerod/.bitmonero
 
diff --git a/README.md b/README.md
index 63c5772..87e3d8d 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 # matthewtran.com
 
-Stuff that's deployed on [matthewtran.com](matthewtran.com). Tested on Ubuntu Server 22.04.3 LTS. Currently running the following services.
+Stuff that's deployed on [matthewtran.com](http://matthewtran.com). Tested on Ubuntu Server 22.04.3 LTS. Currently running the following services.
 
 - website
-- gitea ([git.matthewtran.com](git.matthewtran.com))
+- gitea ([git.matthewtran.com](http://git.matthewtran.com))
 - monerod
 - p2pool (`xmrig -o matthewtran.com:3333`)
 - minecraft
diff --git a/compose.yml b/compose.yml
index 1cef099..f60c414 100644
--- a/compose.yml
+++ b/compose.yml
@@ -6,6 +6,8 @@ services:
     ports:
       - "80:80"
       - "443:443"
+    volumes:
+      - ./website/letsencrypt:/etc/letsencrypt
   monerod:
     restart: always
     build: monerod/.
diff --git a/website/.dockerignore b/website/.dockerignore
new file mode 100644
index 0000000..153240a
--- /dev/null
+++ b/website/.dockerignore
@@ -0,0 +1 @@
+letsencrypt
diff --git a/website/Dockerfile b/website/Dockerfile
index b383aec..7e3376c 100644
--- a/website/Dockerfile
+++ b/website/Dockerfile
@@ -1,18 +1,19 @@
 FROM ubuntu:22.04
 
+# install dependencies
 RUN apt-get update && apt-get upgrade
-RUN apt-get install -y git nginx
+RUN apt-get install -y nginx certbot python3-certbot-nginx
 
 RUN rm /etc/nginx/sites-enabled/default
-RUN ln -sf /dev/stdout /var/log/nginx/access.log
-RUN ln -sf /dev/stderr /var/log/nginx/error.log
 
+# enable matthewtran.com
 COPY matthewtran.com /etc/nginx/sites-available
 RUN  ln -s /etc/nginx/sites-available/matthewtran.com /etc/nginx/sites-enabled/matthewtran.com
 COPY html /var/www/matthewtran.com/html
 
+# TODO gitea
+# disable registration!
+
+# start script
 WORKDIR /root
 COPY entry.sh ./
-
-# TODO gitea
-# TODO disable registration except admin
diff --git a/website/entry.sh b/website/entry.sh
index 57630cf..e67d97a 100644
--- a/website/entry.sh
+++ b/website/entry.sh
@@ -1,3 +1,24 @@
 #!/bin/sh
 
-nginx -g 'daemon off;'
+nginx
+while [ ! -f /var/run/nginx.pid ]
+do
+    sleep 1
+done
+
+# server needs to be up to grab certificates
+certbot --nginx \
+    --test-cert \
+    --webroot-path /var/www/matthewtran.com \
+    --non-interactive --agree-tos -m matthewlamtran@berkeley.edu \
+    -d matthewtran.com \
+    -d www.matthewtran.com
+
+nginx -s reload
+
+# try renew once a day
+while true
+do
+    certbot renew --quiet
+    sleep 86400
+done