diff --git a/apps/nginx-certbot/README.md b/apps/nginx-certbot/README.md new file mode 100644 index 0000000..7601598 --- /dev/null +++ b/apps/nginx-certbot/README.md @@ -0,0 +1,5 @@ +## nginx service for getting letsencrypt certificates + +### Architecture + +* nginx/port 80 serves only the root for letsencrypt diff --git a/apps/nginx-certbot/base/deployment.yaml b/apps/nginx-certbot/base/deployment.yaml index 408d9d8..408c874 100644 --- a/apps/nginx-certbot/base/deployment.yaml +++ b/apps/nginx-certbot/base/deployment.yaml @@ -1,40 +1,50 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: etherpadlite + name: tls1 spec: selector: matchLabels: - app: etherpadsooooolite + app: tls1 replicas: 1 template: metadata: labels: - app: etherpadsooooolite + app: tls1 spec: containers: - - name: etherpad - image: etherpad/etherpad:1.8.13 + - name: nginx-80 + image: nginx:1.20.0-alpine ports: - - containerPort: 9001 + - containerPort: 80 volumeMounts: - - name: etherpadconfig - mountPath: "/opt/etherpad-lite/settings.json" - subPath: settings.json + - name: nginx-config-80 + mountPath: "/etc/nginx/conf.d/" + - name: nginx-443 + image: nginx:1.20.0-alpine + ports: + - containerPort: 443 + volumeMounts: + - name: nginx-config-443 + mountPath: "/etc/nginx/conf.d/" volumes: - - name: etherpadconfig + - name: nginx-config-80 configMap: - name: etherpadliteconfig + name: nginx-80-config + - name: nginx-config-443 + configMap: + name: nginx-443-config --- apiVersion: v1 kind: Service metadata: - name: etherpad + name: tls1 labels: - app: etherpadsooooolite + app: tls1 spec: type: ClusterIP ports: - - port: 9001 + - port: 80 + - port: 443 selector: - app: etherpadsooooolite + app: tls1-nginx diff --git a/apps/nginx-certbot/base/kustomization.yaml b/apps/nginx-certbot/base/kustomization.yaml index da2e4e8..4f105fb 100644 --- a/apps/nginx-certbot/base/kustomization.yaml +++ b/apps/nginx-certbot/base/kustomization.yaml 
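Review bot: The Service at the end of the deployment.yaml hunk selects `app: tls1-nginx`, but the pod template is labelled `app: tls1`, so the Service would have no endpoints; the selector should read `app: tls1`. The two entries under `ports:` are also unnamed, and Kubernetes requires a name on every port of a multi-port Service, e.g. `- name: http` with `port: 80` and `- name: https` with `port: 443`. The nginx-443 container mounts only its conf.d ConfigMap, while the nginx-443 config added in this commit reads its certificate and key from /etc/letsencrypt. No volume for that path is visible here, so that container will presumably fail to start until one is mounted.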
@@ -1,10 +1,9 @@ configMapGenerator: -- name: +- name: nginx-80-config files: - - settings.json=settings.json - -commonLabels: - app: etherpadlite - customer: xyz + - default.conf=nginx-80 +- name: nginx-443-config + files: + - default.conf=nginx-443 resources: - deployment.yaml diff --git a/apps/nginx-certbot/base/nginx-443 b/apps/nginx-certbot/base/nginx-443 new file mode 100644 index 0000000..204265f --- /dev/null +++ b/apps/nginx-certbot/base/nginx-443 @@ -0,0 +1,15 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name tls1.svc.c2.k8s.ooo; + + ssl_certificate /etc/letsencrypt/live/tls1.svc.c2.k8s.ooo/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tls1.svc.c2.k8s.ooo/privkey.pem; + + client_max_body_size 256m; + + root /usr/share/nginx/html; + + autoindex on; +} diff --git a/apps/nginx-certbot/base/nginx-80 b/apps/nginx-certbot/base/nginx-80 new file mode 100644 index 0000000..8a9e368 --- /dev/null +++ b/apps/nginx-certbot/base/nginx-80 @@ -0,0 +1,16 @@ +server { + listen *:80; + listen [::]:80; + + server_name _; + + # Forward for certbot + location /.well-known/acme-challenge/ { + root /usr/share/nginx/html; + } + + # Everything else -> ssl + location / { + return 301 https://$host$request_uri; + } +} diff --git a/generic/nginx-deployment-url b/generic/nginx-deployment-url deleted file mode 100644 index 9673969..0000000 --- a/generic/nginx-deployment-url +++ /dev/null @@ -1 +0,0 @@ -kubectl apply -f https://k8s.io/examples/application/deployment.yaml
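Review bot: In the new nginx-443 file, `autoindex on;` combined with `root /usr/share/nginx/html;` makes the TLS vhost a browsable directory listing of the same root the port-80 config uses for ACME challenges; unless listing is intended, drop the directive or set `autoindex off;`. No `ssl_protocols` is set, so nginx 1.20 uses its default, which still includes TLSv1 and TLSv1.1; `ssl_protocols TLSv1.2 TLSv1.3;` would pin it. `client_max_body_size 256m;` looks unnecessary for a server that only serves static files.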
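Review bot: In the new nginx-80 file, the redirect in `location /` builds its target from `$host`, which under `server_name _;` is whatever Host header the client sent, so the 301 can point at a hostname the operator does not control. The 443 server in this commit answers for a single name only, so a fixed target is safer: `return 301 https://tls1.svc.c2.k8s.ooo$request_uri;`. A comment above the server block, such as `# port 80 serves ACME challenges only; everything else is redirected to HTTPS`, would document the intent stated in the README.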