diff --git a/manifests/init.pp b/manifests/init.pp
index c8006cb..342dc8c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -137,13 +137,10 @@ class mastodon (
 'libyaml-dev',
 'lsb-release',
 'nginx',
- # 'nodejs',
 'pkg-config',
 # 'postgresql-contrib',
- # 'postgresql',
 'protobuf-compiler',
- 'python3-certbot-nginx',
- # 'redis-server',
+ 'python3-certbot-apache',
 # 'redis-tools',
 'wget',
 'zlib1g-dev',
@@ -310,6 +307,11 @@ class mastodon (
 timeout => 0,
 require => File["${mastodon_home}/live/.env.production"],
 }
+ exec { "register-${hostname}-letsencrypt":
+ command => "/etc/init.d/apache2 stop && /usr/bin/certbot certonly --agree-tos --email certs@susurrando.com -d ${hostname} -n --standalone && /etc/init.d/apache2 start",
+ creates => "/etc/letsencrypt/live/${hostname}/privkey.pem",
+ require => Package['python3-certbot-apache'],
+ }
 apache::vhost { $hostname:
 ensure => $ensure,
 access_log_file => $hostname,
@@ -325,6 +327,7 @@ class mastodon (
 'http/1.1',
 ],
 protocols_honor_order => true,
+ proxy_requests => false,
 proxy_pass => [
 { 'path' => '/500.html', 'url' => '!' },
 { 'path' => '/sw.js', 'url' => '!' },
@@ -346,7 +349,10 @@ class mastodon (
 request_headers => [
 'set X-Forwarded-Proto "https"',
 ],
- headers => ['always set Strict-Transport-Security "max-age=31536000"'],
+ headers => [
+ 'always set Strict-Transport-Security "max-age=31536000"',
+ 'always set Strict-Transport-Security "max-age=15552001; includeSubDomains"',
+ ],
 directories => [
 { 'path' => '^/(assets|avatars|emoji|headers|packs|sounds|system)',
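Review bot: `nginx` stays in the package list while `python3-certbot-nginx` is swapped for `python3-certbot-apache` and the vhosts in this class are `apache::vhost` resources, so both web servers end up installed on the host. If the nginx service comes up, it competes with apache for :80/:443, and the standalone certbot exec added later in this commit stops only `apache2` before binding port 80, so the first certificate request can fail while nginx holds the port. Unless nginx is still needed for something outside this class, drop it from the list or make sure its service is stopped and disabled next to the apache vhosts. The package array starts and ends outside the hunk.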
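Review bot: The apache2 stop/start is inlined in the `command` string, so it only happens for this one-off `certonly`; certbot's scheduled renewal for `${hostname}` will reuse the recorded `--standalone` authenticator and fail to bind port 80 while apache is running. Passing them as `--pre-hook '/etc/init.d/apache2 stop' --post-hook '/etc/init.d/apache2 start'` instead stores the hooks in the renewal config so unattended renewals behave the same way as the first issuance. The command also interpolates `${hostname}` into a shell-evaluated string; it appears to be a class parameter, but if it is not validated elsewhere an anchored hostname pattern in its type (or wrapping it with `shellquote`) keeps the string from being more than a hostname. The `&&` chain relies on the exec provider handing the string to a shell, which `provider => shell` would make explicit, and the hard-coded `--email certs@susurrando.com` looks like it belongs in a class parameter.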
@@ -368,6 +374,18 @@ class mastodon (
 { 'error_code' => '503', 'document' => '/503' },
 { 'error_code' => '504', 'document' => '/504' },
 ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${hostname}/fullchain.pem",
+ ssl_cipher => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
+ ssl_honorcipherorder => true,
+ ssl_protocol => 'all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1',
+ ssl_key => "/etc/letsencrypt/live/${hostname}/privkey.pem",
+ ssl_proxy_check_peer_cn => true,
+ ssl_proxy_check_peer_expire => true,
+ ssl_proxyengine => true,
+ ssl_reload_on_change => true,
+ allow_encoded_slashes => true,
+ require => Exec["register-${hostname}-letsencrypt"],
 }
 apache::vhost { "${hostname}_insecure":
 ensure => $ensure,
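Review bot: The `ssl_cipher` string still admits `DES-CBC3-SHA` (3DES, 64-bit block), the bare `AES:CAMELLIA` catch-alls and the static-RSA `AES128-SHA`/`AES256-SHA` family, so a client can negotiate a non-forward-secret or weak-block suite even though `ssl_protocol` already drops TLS 1.0/1.1; trimming the list to the ECDHE/DHE AEAD suites that head it and deleting `:DES-CBC3-SHA` would match that protocol floor. `allow_encoded_slashes => true` is worth checking against the apache module version in use, since the versions I know take the strings `'on'`/`'off'`/`'nodecode'` rather than a boolean, and Mastodon's reverse-proxy guidance uses NoDecode. `ssl_proxyengine`, `ssl_proxy_check_peer_cn` and `ssl_proxy_check_peer_expire` only take effect when a `proxy_pass` target is an https:// URL; the targets visible in this diff are local `'!'` exclusions, so if the backend is plain http these three are inert and can be dropped. The `apache::vhost { $hostname: ... }` resource starts outside this hunk.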