diff --git a/conf/nginx.conf b/conf/nginx.conf
new file mode 100644
index 0000000..338751c
--- /dev/null
+++ b/conf/nginx.conf
@@ -0,0 +1,51 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+}
+
+http {
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ upstream www {
+ server www;
+ }
+
+ add_header X-Content-Type-Options: nosniff;
+ add_header X-Frame-Options: DENY;
+ add_header X-XSS-Protection: "1; mode=block";
+
+ server {
+ listen 80;
+ server_name sophia.events;
+ rewrite ^ https://sophia.events$request_uri? permanent;
+ }
+
+ server {
+ listen 443 ssl;
+ server_name sophia.events;
+ ssl_certificate /etc/ssl/certs/server.crt;
+ ssl_certificate_key /etc/ssl/certs/server.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 4h;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://www;
+ }
+ }
+}
diff --git a/docker-stack.yml b/docker-stack.yml
new file mode 100644
index 0000000..c56c79d
--- /dev/null
+++ b/docker-stack.yml
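Review bot: The three http-level `add_header` directives never reach the HTTPS responses: nginx inherits add_header from the enclosing level only when the current level defines no add_header of its own, and the `server { listen 443 ssl; … }` block defines Strict-Transport-Security, so X-Content-Type-Options, X-Frame-Options and X-XSS-Protection are dropped exactly where they matter. They are also malformed — the trailing colon becomes part of the header name (`X-Content-Type-Options:: nosniff` on the wire), which browsers ignore — so the fix is `add_header X-Content-Type-Options nosniff;` (and likewise for the other two) placed inside the 443 server block next to the HSTS header, with the three http-level lines deleted. Separately, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables the deprecated TLS 1.0/1.1, and the cipher list keeps `DH+3DES` (a 64-bit block cipher); with no client named that needs them, `ssl_protocols TLSv1.2;` and dropping `DH+3DES` is the safer default. The rewritten lines of the 443 server block are below.
```nginx
    server {
        listen 443 ssl;
        # … unchanged: server_name, ssl_certificate, ssl_certificate_key …
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
        # … unchanged: ssl_session_cache, ssl_session_timeout …
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options DENY;
        add_header X-XSS-Protection "1; mode=block";
        # … unchanged: location / { … } …
```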
@@ -0,0 +1,40 @@
+version: '3.4'
+services:
+ proxy:
+ image: nginx:1.12.2
+ configs:
+ - source: server_config
+ target: /etc/nginx/nginx.conf
+ mode: 0444
+ uid: '33'
+ gid: '33'
+ - source: server_cert
+ target: /etc/ssl/certs/server.crt
+ mode: 0444
+ uid: '33'
+ gid: '33'
+ secrets:
+ - source: server_key
+ target: /etc/ssl/certs/server.key
+ mode: 0400
+ uid: '33'
+ gid: '33'
+ ports:
+ - "80:80"
+ - "443:443"
+ deploy:
+ restart_policy:
+ condition: on-failure
+ www:
+ image: lucj/sophia.events
+ deploy:
+ restart_policy:
+ condition: on-failure
+configs:
+ server_config:
+ file: ./conf/nginx.conf
+ server_cert:
+ file: ./certs/sophia-cert-bundle.pem
+secrets:
+ server_key:
+ file: ./certs/sophia-key.pem
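Review bot: `image: lucj/sophia.events` carries no tag, so every `docker stack deploy` resolves it to whatever `latest` currently is, while the proxy service is pinned to `nginx:1.12.2` — the application image should be pinned the same way (a tag, or better an `@sha256:` digest) so a rollout is reproducible and an unexpected upstream push cannot change what runs. The private key is read from `file: ./certs/sophia-key.pem`, next to the compose file in the working tree; unless that path is kept out of version control, declaring `server_key:` as `external: true` and creating the secret out of band keeps the key material out of the repository entirely. The `mode: 0444` / `mode: 0400` values are unquoted octal, which is what Compose's integer mode expects here, so they should stay as they are rather than being quoted.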