commit:9745100773456682d51dacf5e6f635624ec25a40
author:Chip Black
committer:Chip Black
date:Thu Feb 1 12:25:31 2024 -0600
parents:3237c550f88d31ed643c0a63c8f55d489fe39fff
Configure nginx host
diff --git a/configure-nginx-host.sh b/configure-nginx-host.sh
line changes: +10/-0
index 0000000..d80fe57
--- /dev/null
+++ b/configure-nginx-host.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+. lib.sh
+. common.opts
+
+load_opts "$1"
+
+sed -e "s/\$MASTODON_ADDR/$MASTODON_ADDR/" \
+    -e "s/\$HOSTNAME/$HOSTNAME/" \
+       nginx/server.conf > /usr/local/etc/nginx/sites-available/$HOSTNAME
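Review bot: `$HOSTNAME` and `$MASTODON_ADDR` are pasted into the sed replacement text without validation, and `$HOSTNAME` is also used in the unquoted output path. A value containing `/`, `&`, whitespace or `..` would break the substitution, change what lands in the generated config, or write outside `sites-available`. Reject unexpected values right after `load_opts`, e.g. `case "$HOSTNAME" in ''|*[!A-Za-z0-9.-]*) echo "invalid HOSTNAME" >&2; exit 1;; esac`, with a similar allow-list check for `$MASTODON_ADDR`. Also quote the redirect target as `"/usr/local/etc/nginx/sites-available/$HOSTNAME"`. The empty case matters because nothing in the script checks that `load_opts` succeeded or set either variable.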

diff --git a/nginx/server.conf b/nginx/server.conf
line changes: +40/-0
index 0000000..97861af
--- /dev/null
+++ b/nginx/server.conf
@@ -0,0 +1,40 @@
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	''      close;
+}
+
+server {
+	listen 80;
+	server_name $HOSTNAME;
+	location / { return 301 https://$host$request_uri; }
+}
+
+server {
+	listen 443 ssl http2;
+	server_name $HOSTNAME;
+
+	ssl_protocols TLSv1.3;
+	ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+	ssl_prefer_server_ciphers on;
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_tickets off;
+
+	# Uncomment these lines once you acquire a certificate:
+	ssl_certificate     /usr/local/etc/nginx/mastodon.crt;
+	ssl_certificate_key /usr/local/etc/nginx/mastodon.key;
+
+	location / {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_buffering on;
+		proxy_redirect off;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+		proxy_pass http://$MASTODON_ADDR;
+
+		tcp_nodelay on;
+	}
+}
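Review bot: The comment above `ssl_certificate` says to uncomment the lines once a certificate is acquired, but both directives are already active. A freshly generated site file will therefore fail `nginx -t` until `mastodon.crt` and `mastodon.key` exist. Either ship the two lines commented out or reword the comment, e.g. `# The certificate and key must exist at these paths before this server block will load:`. Separately, with `ssl_protocols TLSv1.3;` as the only protocol, the `ssl_ciphers` string most likely has no effect, since OpenSSL configures TLS 1.3 suites through a different setting. A short comment saying so would stop readers assuming that line is what restricts the negotiated ciphers.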