diff --git a/certbot/0.ns2.grapheneos.org b/certbot/0.ns2.grapheneos.org
new file mode 100644
index 0000000..32d1555
--- /dev/null
+++ b/certbot/0.ns2.grapheneos.org
@@ -0,0 +1,19 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+ --cert-name ns2.grapheneos.org \
+ -d ns2.attestation.app \
+ -d ns2.grapheneos.app \
+ -d ns2.grapheneos.ca \
+ -d ns2.grapheneos.com \
+ -d ns2.grapheneos.dev \
+ -d ns2.grapheneos.info \
+ -d ns2.grapheneos.net \
+ -d ns2.grapheneos.network \
+ -d ns2.grapheneos.online \
+ -d ns2.grapheneos.org \
+ -d ns2.grapheneos.ovh \
+ -d ns2.grapheneos.page \
+ -d ns2.grapheneos.social \
+ -d ns2.seamlessupdate.app \
+ -d ns2.vanadium.app
diff --git a/certbot/ns1.grapheneos.org b/certbot/ns1.grapheneos.org
new file mode 100644
index 0000000..75a8cae
--- /dev/null
+++ b/certbot/ns1.grapheneos.org
@@ -0,0 +1,19 @@
+certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
+ --key-type ecdsa --reuse-key --must-staple --preferred-chain "ISRG Root X1" \
+ --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+ --cert-name ns1.grapheneos.org \
+ -d ns1.attestation.app \
+ -d ns1.grapheneos.app \
+ -d ns1.grapheneos.ca \
+ -d ns1.grapheneos.com \
+ -d ns1.grapheneos.dev \
+ -d ns1.grapheneos.info \
+ -d ns1.grapheneos.net \
+ -d ns1.grapheneos.network \
+ -d ns1.grapheneos.online \
+ -d ns1.grapheneos.org \
+ -d ns1.grapheneos.ovh \
+ -d ns1.grapheneos.page \
+ -d ns1.grapheneos.social \
+ -d ns1.seamlessupdate.app \
+ -d ns1.vanadium.app
diff --git a/hosts.sh b/hosts.sh
index 4675a69..852d733 100644
--- a/hosts.sh
+++ b/hosts.sh
@@ -120,6 +120,9 @@ readonly hosts_staging=(
 )
 readonly hosts_certbot=(
+ ns1.staging.grapheneos.org
+ ns1.grapheneos.org
+ 0.ns2.grapheneos.org
 mail.grapheneos.org
 staging.grapheneos.org
 0.grapheneos.org
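Review bot: The certificate requested here carries `--must-staple`, but only 0.ns2.grapheneos.org, ns1.grapheneos.org and ns1.staging.grapheneos.org receive the certbot package in this commit, while packages/1.ns2.grapheneos.org and packages/2.ns2.grapheneos.org gain nginx only; if those two hosts serve this ns2.* certificate, whatever copies it from 0.ns2 also has to ship and keep refreshing the OCSP response that the `--deploy-hook` writes under /var/cache/certbot-ocsp-fetcher, because a Must-Staple certificate presented without a staple is refused by clients that enforce the extension. The same consideration applies to certbot/ns1.grapheneos.org if that certificate is shared. `--reuse-key` additionally means renewals never rotate the ECDSA key, so rotation becomes a deliberate manual step rather than something that happens on its own. A short note in whatever documents the certbot/ directory, saying where the certificate and staple are distributed and how the key is rotated, would make both facts visible to the next operator.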
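Review bot: `hosts_certbot` gains ns1.staging.grapheneos.org, yet this commit adds only certbot/ns1.grapheneos.org and certbot/0.ns2.grapheneos.org, so there is no certbot/ns1.staging.grapheneos.org unless it already existed before this change; if the deploy step resolves `certbot/$host` for each array entry, the staging name server ends up with the certbot package (packages/ns1.staging.grapheneos.org) but no command to run. Either adding that file or leaving the host out of the array until it exists keeps the list and the certbot/ directory in step. The hosts_certbot array continues past the end of the hunk, so later entries are not visible here.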
@@ -151,6 +154,7 @@ readonly hosts_attestation=(
 )
 readonly hosts_web=(
+ "${hosts_dns[@]}"
 mail.grapheneos.org
 "${hosts_grapheneos[@]}"
 "${hosts_network[@]}"
@@ -162,7 +166,6 @@ readonly hosts_web=(
 )
 readonly hosts_all=(
- "${hosts_dns[@]}"
 "${hosts_web[@]}"
 )
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index d304899..9765fde 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -28,8 +28,8 @@ table inet filter {
 iif lo accept
 udp dport 53 ip daddr {{ipv4_address}} accept
 udp dport 53 ip6 daddr {{ipv6_address}} accept
- tcp dport {22, 53} ip daddr {{ipv4_address}} accept
- tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
+ tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
@@ -48,12 +48,12 @@ table inet filter {
 type filter hook output priority filter
 oif lo goto output-internal
- skuid != {root, systemd-network, unbound, chrony, powerdns, geoipupdate} counter goto output-reject
+ skuid != {root, systemd-network, unbound, chrony, http, powerdns, geoipupdate} counter goto output-reject
 }
 chain output-internal {
 skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
- skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+ skuid {chrony, http, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
 skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index a283764..470def3 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
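Review bot: Adding `http` to the `skuid != {…} counter goto output-reject` allowlist in the output chain exempts nginx's uid from the blanket reject for every non-loopback destination, not only for what it needs, and the rules that follow in that chain lie outside the hunk, so whether a narrower `skuid http` rule bounds its egress cannot be seen here. The loopback rule added to output-internal (`skuid {chrony, http, geoipupdate} … th dport 53 accept`) already lets nginx reach the local resolver on port 53, which is presumably the backend for the newly opened 853; if the established-state accept in the output chain precedes the allowlist line, nginx's replies on 80/443/853 are handled there as well, and the allowlist entry may not be needed at all. If it is needed, a comment on that line naming the off-box traffic nginx generates, along the lines of `# http: nginx egress for <reason — fill in>`, would tell the next reader why a network-facing service has unrestricted egress. The identical change in nftables-ns2.conf has the same question.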
@@ -29,9 +29,9 @@ table inet filter {
 udp dport 53 ip daddr {{ipv4_address}} accept
 udp dport 53 ip daddr 198.251.90.93 accept
 udp dport 53 ip6 daddr {{ipv6_address}} accept
- tcp dport {22, 53} ip daddr {{ipv4_address}} accept
- tcp dport 53 ip daddr 198.251.90.93 accept
- tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
+ tcp dport {22, 53, 80, 443, 853} ip daddr {{ipv4_address}} accept
+ tcp dport {53, 80, 443, 853} ip daddr 198.251.90.93 accept
+ tcp dport {22, 53, 80, 443, 853} ip6 daddr {{ipv6_address}} accept
 meta l4proto {icmp, ipv6-icmp} accept
 ct state vmap { invalid : drop, established : accept, related : accept }
@@ -50,12 +50,12 @@ table inet filter {
 type filter hook output priority filter
 oif lo goto output-internal
- skuid != {root, systemd-network, unbound, chrony, powerdns, geoipupdate} counter goto output-reject
+ skuid != {root, systemd-network, unbound, chrony, http, powerdns, geoipupdate} counter goto output-reject
 }
 chain output-internal {
 skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
- skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+ skuid {chrony, http, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
 skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
diff --git a/packages/0.ns2.grapheneos.org b/packages/0.ns2.grapheneos.org
index b8a16a8..337e204 100644
--- a/packages/0.ns2.grapheneos.org
+++ b/packages/0.ns2.grapheneos.org
@@ -1,5 +1,6 @@
 base
 bash-completion
+certbot
 chrony
 cloud-guest-utils
 conntrack-tools
@@ -16,6 +17,7 @@ man-db
 moreutils
 mtr
 nftables
+nginx
 openssh
 pacman-contrib
 pacutils
diff --git a/packages/1.ns2.grapheneos.org b/packages/1.ns2.grapheneos.org
index b8a16a8..a16236e 100644
--- a/packages/1.ns2.grapheneos.org
+++ b/packages/1.ns2.grapheneos.org
@@ -16,6 +16,7 @@ man-db
 moreutils
 mtr
 nftables
+nginx
 openssh
 pacman-contrib
 pacutils
diff --git a/packages/2.ns2.grapheneos.org b/packages/2.ns2.grapheneos.org
index b8a16a8..a16236e 100644
--- a/packages/2.ns2.grapheneos.org
+++ b/packages/2.ns2.grapheneos.org
@@ -16,6 +16,7 @@ man-db
 moreutils
 mtr
 nftables
+nginx
 openssh
 pacman-contrib
 pacutils
diff --git a/packages/ns1.grapheneos.org b/packages/ns1.grapheneos.org
index b8a16a8..337e204 100644
--- a/packages/ns1.grapheneos.org
+++ b/packages/ns1.grapheneos.org
@@ -1,5 +1,6 @@
 base
 bash-completion
+certbot
 chrony
 cloud-guest-utils
 conntrack-tools
@@ -16,6 +17,7 @@ man-db
 moreutils
 mtr
 nftables
+nginx
 openssh
 pacman-contrib
 pacutils
diff --git a/packages/ns1.staging.grapheneos.org b/packages/ns1.staging.grapheneos.org
index b8a16a8..337e204 100644
--- a/packages/ns1.staging.grapheneos.org
+++ b/packages/ns1.staging.grapheneos.org
@@ -1,5 +1,6 @@
 base
 bash-completion
+certbot
 chrony
 cloud-guest-utils
 conntrack-tools
@@ -16,6 +17,7 @@ man-db
 moreutils
 mtr
 nftables
+nginx
 openssh
 pacman-contrib
 pacutils