diff --git a/nginx-balsillie-net/Dockerfile b/nginx-balsillie-net/Dockerfile
index d7dbd7e..37607da 100644
--- a/nginx-balsillie-net/Dockerfile
+++ b/nginx-balsillie-net/Dockerfile
@@ -1,4 +1,4 @@
 FROM nginxinc/nginx-unprivileged:stable-alpine
 COPY --chown=nginx:nginx content /usr/share/nginx/html
-COPY --chown=nginx:nginx nginx.conf /etc/nginx/nginx.conf
+COPY --chown=nginx:nginx default.conf /etc/nginx/conf.d/default.conf
 USER nginx
\ No newline at end of file
diff --git a/nginx-balsillie-net/default.conf b/nginx-balsillie-net/default.conf
index 322c91f..2dd4050 100644
--- a/nginx-balsillie-net/default.conf
+++ b/nginx-balsillie-net/default.conf
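Review bot: The default.conf that the new COPY line installs references `/usr/share/nginx/ssl/tls.crt` and `/usr/share/nginx/ssl/tls.key`, but nothing in this Dockerfile provides them, so they presumably arrive through a runtime mount (the file names match a Kubernetes TLS secret). A comment on the COPY line such as `# TLS material is expected at runtime under /usr/share/nginx/ssl (tls.crt, tls.key), not baked into the image` would make that dependency explicit for whoever deploys it. Because the container runs as the unprivileged nginx user, the mounted key must be readable by that uid, which usually means setting the mount's group or file mode rather than loosening anything in the image. The trailing `USER nginx` appears redundant with the user the nginx-unprivileged base image already sets, which is harmless but worth a comment if it is intentional.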
@@ -1,50 +1,88 @@ +http2 on; +ssl_certificate /usr/share/nginx/ssl/tls.crt; +ssl_certificate_key /usr/share/nginx/ssl/tls.key; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; + server { - listen 8080 default_server; - server_name _; + listen 8080; + server_name balsillie.net balsillie.email openpgpkey.balsillie.net openpgpkey.balsillie.email; return 301 https://$host$request_uri; } server { - listen 8443 ssl: - server_name balsillie.net; - http2 on; + listen 8080 default_server; + return 444; +} - #access_log /var/log/nginx/host.access.log main; +server { + listen 8443 ssl; + server_name balsillie.net; + + location = /michael.vcf { + default_type application/octet-stream; + root /usr/share/nginx/html; + } + + location = /.well-known/mta-sts.txt { + default_type application/octet-stream; + root /usr/share/nginx/html/mta-sts/balsillie_net; + } + + location /.well-known/host-meta { + return 301 https://social.balsillie.net$request_uri; + } + + location /.well-known/webfinger { + return 301 https://social.balsillie.net$request_uri; + } + + location /.well-known/nodeinfo { + return 301 https://social.balsillie.net$request_uri; + } + + location /.well-known/matrix/ { + default_type application/json; + root /usr/share/nginx/html; + } location / { - root /usr/share/nginx/html; - index index.html index.htm; + return 444; } - - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # 
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} +} + +server { + listen 8443 ssl; + server_name balsillie.email; + + location = /.well-known/mta-sts.txt { + default_type application/octet-stream; + root /usr/share/nginx/html/mta-sts/balsillie_email; + } + + location / { + return 444; + } +} + +server { + listen 8443 ssl; + server_name openpgpkey.balsillie.net openpgpkey.balsillie.email; + + location /.well-known/openpgpkey { + default_type application/octet-stream; + root /usr/share/nginx/html; + } + + location / { + return 444; + } +} + +server { + listen 8443 ssl default_server; + ssl_reject_handshake on; }
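Review bot: The `ssl_ciphers` line added at the top of the hunk starts from `ALL` and only excludes anonymous, null, low and export suites, so on TLS 1.2 it still offers static-RSA key exchange (no forward secrecy) and CBC/3DES suites; the `+HIGH:+MEDIUM` tail only reorders them. With TLSv1.2 as the floor, an explicit ECDHE/AEAD-only list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` is the usual choice, and the TLS 1.3 suites are unaffected by it. Since every plain-HTTP request on 8080 is already redirected to https, the 8443 servers for balsillie.net, balsillie.email and openpgpkey.* could also send `add_header Strict-Transport-Security "max-age=63072000" always;` so returning clients never start over HTTP. The two `/.well-known/mta-sts.txt` locations use `root`, so the file is resolved at `<root>/.well-known/mta-sts.txt` beneath each per-domain directory rather than directly inside it; presumably the content tree is laid out that way, and a one-line comment saying so would save the next reader a check.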