diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index 6872c6a..258e611 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -143,6 +143,16 @@
 nat = {
 enable = true;
 externalInterface = "wan";
+ forwardPorts = [
+ {
+ port = "http";
+ dst = allAssignments.middleman.internal.ipv4.address + ":http";
+ }
+ {
+ port = "https";
+ dst = allAssignments.middleman.internal.ipv4.address + ":https";
+ }
+ ];
 };
 extraRules = let
diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix
index acc1512..f75d694 100644
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -234,6 +234,8 @@ in
 ns IN ALIAS ${config.networking.fqdn}.
 @ IN ALIAS ${config.networking.fqdn}.
+ http IN A ${assignments.internal.ipv4.address}
+ http IN AAAA ${allAssignments.middleman.internal.ipv6.address}
 $TTL 3
 _acme-challenge IN LUA TXT ${fileRecVal}
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman.nix b/nixos/boxes/colony/vms/shill/containers/middleman.nix
index d03f6ee..30c8f0f 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix
@@ -6,7 +6,6 @@
 assignments = {
 internal = {
 name = "middleman-ctr";
- altNames = [ "http" ];
 domain = lib.my.colony.domain;
 ipv4.address = "${lib.my.colony.start.ctrs.v4}2";
 ipv6 = {
@@ -18,7 +17,8 @@
 configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
 let
- inherit (lib) mkMerge mkIf;
+ inherit (builtins) mapAttrs;
+ inherit (lib) mkMerge mkIf mkDefault;
 inherit (lib.my) networkdAssignment;
 in
 {
@@ -30,7 +30,11 @@
 secrets = {
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
 files = {
- "dhparams.pem" = {};
+ "dhparams.pem" = {
+ owner = "acme";
+ group = "acme";
+ mode = "440";
+ };
 "pdns-file-records.key" = {
 owner = "acme";
 group = "acme";
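Review bot: The two forwardPorts entries only cover IPv4 (`dst` is built from middleman's `ipv4.address`), while the dns.nix hunk in this same commit points the `http` AAAA record straight at middleman's own IPv6 address, so v6 clients reach the container without passing through this NAT rule; that may well be intended, but nothing in this hunk (or in the `extraRules` block that starts after it) is visibly restricting inbound v6 to ports 80/443, and it is worth confirming on the forward chain. The two entries differ only in the port name, so a small helper keeps them from drifting: `forwardPorts = let fwd = port: { inherit port; dst = allAssignments.middleman.internal.ipv4.address + ":${port}"; }; in map fwd [ "http" "https" ];`. A one-line comment above the list, such as `# Public HTTP(S) on the WAN address is DNAT'd to the middleman reverse proxy (v4 only; v6 is published directly in dns.nix)`, would record the asymmetry for the next reader.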
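Review bot: The new A record is pointed at this host's own `assignments.internal.ipv4.address`, whereas the AAAA record is pointed at middleman's address; that only lines up with the forwardPorts rule in default.nix if `assignments.internal.ipv4.address` is the address the `wan` interface actually answers on — if `internal` here is a LAN-only address, external resolvers will hand out something unreachable, which is worth checking before this lands. The records appear to sit inside a Nix multi-line string (the `${…}` interpolations), so any explanation has to be a zone-file comment rather than a Nix `#` comment; something like `; http: v4 is DNAT'd by this host to middleman, v6 routes to the container directly` on the line above the two records would do. These two lines replace what was presumably generated from the `altNames = [ "http" ]` entry removed from middleman.nix in this commit, so they are now hand-maintained and will not follow a future change of middleman's addresses through that mechanism.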
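Review bot: `dhparams.pem` becomes group-readable by `acme` (`mode = "440"`), and the later hunk at `@@ -46,6 +50,12 @@` adds nginx to the `acme` group so it can read it; that second step is a broader grant than the file needs, because nginx then also reads anything else whose group is `acme` and whose mode permits group read — `pdns-file-records.key` directly below is `owner = "acme"; group = "acme";` with its mode outside this hunk, and the ACME state directory may hold more. DH parameters are public data, so unless something in the acme service itself has to read this file (nothing in the diff shows that), `owner = "nginx"; group = "nginx"; mode = "440";` and dropping the `extraGroups` line would give nginx only the file it presumably consumes as `sslDhparam`. Whichever way this goes, a comment on the entry naming the consumer, e.g. `# consumed by nginx (sslDhparam); readable via the acme group`, makes the ownership choice reviewable later.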
@@ -46,6 +50,12 @@
 ];
 };
+ users = {
+ users = {
+ nginx.extraGroups = [ "acme" ];
+ };
+ };
+
 systemd = {
 network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
 };
@@ -156,6 +166,26 @@
 proxy_set_header X-Forwarded-Protocol $scheme;
 proxy_set_header X-Scheme $scheme;
 '';
+
+ virtualHosts =
+ let
+ hosts = {
+ "_" = {
+ default = true;
+ forceSSL = true;
+ onlySSL = false;
+ };
+ };
+ in
+ mkMerge [
+ hosts
+ (mapAttrs (n: _: {
+ onlySSL = mkDefault true;
+ useACMEHost = mkDefault "${config.networking.domain}";
+ kTLS = mkDefault true;
+ http2 = mkDefault true;
+ }) hosts)
+ ];
 };
 };
 }
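Review bot: The `mapAttrs` in the new `virtualHosts` iterates the local `hosts` attrset, so the `mkDefault` values for `onlySSL`, `useACMEHost`, `kTLS` and `http2` reach only the `"_"` host declared here and not any virtualHost contributed by another module for this container; if these are meant as container-wide defaults, this shape does not provide that (mapping over `config.services.nginx.virtualHosts` would recurse, so the usual answer is a shared helper every vhost definition goes through, or adding the other hosts to `hosts`). `useACMEHost = mkDefault "${config.networking.domain}"` interpolates a string into a string for no effect; `useACMEHost = mkDefault config.networking.domain;` is the same value. The catch-all `"_"` host relies on its explicit `onlySSL = false` winning over the mapped `mkDefault true`, which is correct but easy to misread; a comment such as `# "_" is the default_server: keep :80 open so forceSSL can redirect, everything else is TLS-only by default` would make the intent explicit. The enclosing `services.nginx` block starts before this hunk.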