diff --git a/fogcutter/k8s/haproxy.cfg b/fogcutter/k8s/haproxy.cfg
index 40287a3..aaeffb3 100644
--- a/fogcutter/k8s/haproxy.cfg
+++ b/fogcutter/k8s/haproxy.cfg
@@ -1,5 +1,12 @@
 ## For haproxy 2.2 COPY TO /etc/haproxy/haproxy.cfg
 ## Do https://unix.stackexchange.com/a/538901 to fix network-online.target on debian w/ /etc/intefaces
+## certbot setup:
+## - https://certbot.eff.org/lets-encrypt/debianbuster-haproxy
+## - Add "0 0 1 * * systemctl stop haproxy && certbot renew && systemctl start haproxy && cat /etc/letsencrypt/live/seaturtle.pw/{cert,privkey}.pem > /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem" to root crontab
+## - (Default systemd timer does not have option to stop haproxy before running)
+## Ensure microk8s only exposes nodeport on 127.0.0.1:
+## - Edit /var/snap/microk8s/current/args/kube-proxy, adding "--nodeport-addresses=127.0.0.1/8"
+
 
 defaults
     log global
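Review bot: The suggested crontab line builds haproxy_cert.pem from `cert.pem` plus `privkey.pem`, so HAProxy will present only the leaf certificate and not the Let's Encrypt intermediate, and clients that have not cached that intermediate will fail chain validation. The certbot HAProxy guide linked just above builds the bundle from the full chain, so the command should read `cat /etc/letsencrypt/live/seaturtle.pw/{fullchain,privkey}.pem > /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem`. Running it only on the 1st of each month means a 90-day certificate can cross certbot's renewal threshold and be renewed with little margin, so a single failed run (Let's Encrypt outage, port 80 still held) leaves an expired certificate until the next month; a daily attempt with a `--deploy-hook` that rebuilds the bundle and restarts haproxy only when a certificate actually changed would be safer and avoid the unconditional monthly outage. Because the bundle contains the private key it is worth appending `chmod 600` on the output file so a permissive root umask does not leave it readable beyond root.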
@@ -11,25 +18,34 @@ defaults
     timeout client 50000
     timeout server 50000
 
-listen proxy80
-    mode tcp
-    bind 10.42.0.203:80
-    bind 2601:5c0:c280:80de:96c6:91ff:feab:69e3:80
-    server ipv4server30080 10.42.0.203:30080
+frontend http-in
+    mode http
+    bind :::80
+    redirect scheme https
 
-listen proxy443
-    mode tcp
-    bind 10.42.0.203:443
-    bind 2601:5c0:c280:80de:96c6:91ff:feab:69e3:443
-    server ipv4server30443 10.42.0.203:30443
+frontend https-in
+    mode http
+    option forwardfor
+    bind :::443 ssl crt /etc/letsencrypt/live/seaturtle.pw/haproxy_cert.pem ssl-min-ver TLSv1.2
+    acl server1 hdr(host) -i airsonic.seaturtle.pw
+    acl server1 hdr(host) -i git.seaturtle.pw
+    acl server1 hdr(host) -i nc.seaturtle.pw
+    acl server1 hdr(host) -i paul.walko.org
+    acl server1 hdr(host) -i plex.seaturtle.pw
+    acl server1 hdr(host) -i seaturtle.pw
+    use_backend server1 if server1
+
+backend server1
+    mode http
+    option forwardfor
+    server server1 127.0.0.1:30080
 
 listen proxy37122
     mode tcp
-    bind 2601:5c0:c280:80de:96c6:91ff:feab:69e3:37122
-    server ipv4server30122 10.42.0.203:30122
+    bind :::37122
+    server ipv4server30122 127.0.0.1:30122
 
 listen proxy25565
     mode tcp
-    bind 10.42.0.203:25565
-    bind 2601:5c0:c280:80de:96c6:91ff:feab:69e3:25565
-    server ipv4server30565 10.42.0.203:30565
+    bind :::25565
+    server ipv4server30565 127.0.0.1:30565
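Review bot: `option forwardfor` in the new https-in frontend (and again in backend server1) appends the client address to whatever X-Forwarded-For the client already sent, so a request arriving with a forged header reaches 127.0.0.1:30080 as `forged, real`, and any of the hosted applications that trusts the first address can be spoofed; adding `http-request del-header X-Forwarded-For` to https-in before HAProxy adds its own closes that, and the second `option forwardfor` in the backend is then redundant. The http-in redirect relies on HAProxy's default 302, so `redirect scheme https code 301` together with an HSTS header on https-in such as `http-response set-header Strict-Transport-Security "max-age=31536000"` would stop browsers from retrying plain HTTP on later visits. The `:::80`, `:::443`, `:::37122` and `:::25565` binds replace explicit IPv4 and IPv6 addresses with an IPv6 wildcard, and whether they also accept IPv4 depends on the host's bindv6only setting, so appending `v4v6` to each bind line makes the dual-stack intent explicit rather than inherited from a sysctl. The `defaults` section this hunk opens in begins above the hunk.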