diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..22a2a1f
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,99 @@
+server {
+	server_name www.kirsle.net;
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	index index.cgi index.php index.html index.htm;
+
+	access_log /home/kirsle/logs/access_log;
+	error_log /home/kirsle/logs/error_log;
+
+	ssl on;
+	ssl_certificate /etc/letsencrypt/live/www.kirsle.net/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/www.kirsle.net/privkey.pem;
+	include ssl_params;
+
+	root /home/kirsle/git/rophako;
+
+	location /static {
+		alias /home/kirsle/www/static;
+	}
+	location /creativity {
+		alias /home/kirsle/www/creativity;
+	}
+	location /doc {
+		alias /home/kirsle/www/doc;
+	}
+	location /images {
+		alias /home/kirsle/www/images;
+	}
+	location /mail {
+		alias /home/kirsle/www/mail;
+	}
+	location /piwik {
+		alias /home/kirsle/www/piwik;
+		index index.php;
+	}
+	location /projects {
+		alias /home/kirsle/www/projects;
+	}
+	location /wizards {
+		alias /home/kirsle/www/wizards;
+	}
+	location /favicon.ico {
+		alias /home/kirsle/www/favicon.ico;
+	}
+
+	# uwsgi
+	location / {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+		proxy_redirect off;
+		proxy_pass http://127.0.0.1:9000;
+	}
+
+	# run php scripts
+	location ~ \.php$ {
+		include fastcgi_params;
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+		fastcgi_pass unix:/var/run/php5-fpm.sock;
+		fastcgi_index index.php;
+		fastcgi_param SCRIPT_FILENAME /home/kirsle/www$fastcgi_script_name;
+	}
+
+	# legacy CGI scripts
+	# https://wiki.debian.org/nginx/FastCGI
+	location ~ \.cgi$ {
+		try_files $uri $uri/ /index.cgi;
+		gzip off;
+		root /home/kirsle/public_html;
+		fastcgi_pass unix:/var/run/fcgiwrap.socket;
+		include fastcgi_params;
+		fastcgi_param SERVER_NAME $host;
+	}
+}
+
+# Legacy kirsle domains over port 80
+server {
+	server_name kirsle.net www.kirsle.net .kirsle.com .kirsle.org .cuvou.com .cuvou.net .cuvou.org ckir.net .ckir.net;
+	listen 80;
+	listen [::]:80;
+	return 301 https://www.kirsle.net$request_uri;
+}
+
+# SSL, but wrong domain
+server {
+	server_name kirsle.net .kirsle.com .kirsle.org;
+	listen [::]:443 ssl;
+	listen 443 ssl;
+
+	ssl on;
+	ssl_certificate /etc/letsencrypt/live/www.kirsle.net/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/www.kirsle.net/privkey.pem;
+	include ssl_params;
+
+	return 301 https://www.kirsle.net$request_uri;
+}
+