diff --git a/ansible/playbook/runa.yml b/ansible/playbook/runa.yml
index 7a6a942..cc49f2d 100644
--- a/ansible/playbook/runa.yml
+++ b/ansible/playbook/runa.yml
@@ -12,6 +12,11 @@
 tags:
 - synapse
 when: '"synapse" in docker_compose'
+ - name: SSL Certs
+ include_role:
+ name: ssl-certificates
+ tags:
+ - ssl
 - name: Add docker-compose
 include_role:
 name: docker-compose
diff --git a/ansible/roles/docker-compose/files/synapse/.env b/ansible/roles/docker-compose/files/synapse/.env
index 28549a8..42c28c3 100644
--- a/ansible/roles/docker-compose/files/synapse/.env
+++ b/ansible/roles/docker-compose/files/synapse/.env
@@ -1,4 +1,5 @@
 SYNAPSE_VERSION=v1.92.3
+NGINX_VERSION=1.25.2-alpine
 SYNAPSE_SERVER_NAME=corp-serv.net
 NGINX_SYNAPSE_FQDN=synapse.corp-apps.com
diff --git a/ansible/roles/docker-compose/files/synapse/docker-compose.yaml b/ansible/roles/docker-compose/files/synapse/docker-compose.yaml
index 5c41f68..82195d8 100644
--- a/ansible/roles/docker-compose/files/synapse/docker-compose.yaml
+++ b/ansible/roles/docker-compose/files/synapse/docker-compose.yaml
@@ -12,3 +12,11 @@ services:
 - --config-path=/config/homeserver.yaml
 # - --config-path=/config/generic_worker.yaml
 restart: always
+ nginx:
+ image: nginx:${NGINX_VERSION}
+ ports:
+ - "80:80/tcp"
+ - "443:443/tcp"
+ volumes:
+ - ./nginx:/etc/nginx/conf.d
+ - /ssl:/ssl
diff --git a/ansible/roles/docker-compose/files/synapse/nginx/synapse.conf b/ansible/roles/docker-compose/files/synapse/nginx/synapse.conf
new file mode 100644
index 0000000..a1c0e9b
--- /dev/null
+++ b/ansible/roles/docker-compose/files/synapse/nginx/synapse.conf
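Review bot: The new `SSL Certs` task is not gated the way the neighbouring synapse task is (`when: '"synapse" in docker_compose'`), so it runs on every host the play targets, and if the role expects a per-host certificate directory it will fail on hosts that have none. If the certificates are only needed for the synapse compose stack, add the same condition: `when: '"synapse" in docker_compose'` under the `tags:` of the new task. The enclosing task list starts before and ends after this hunk.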
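Review bot: The `/ssl:/ssl` bind mount gives the nginx container read-write access to the host's certificate and private-key directory, and `./nginx:/etc/nginx/conf.d` is likewise writable, although nginx only needs to read both. Mount them read-only: `- ./nginx:/etc/nginx/conf.d:ro` and `- /ssl:/ssl:ro`. The new service also lacks the `restart: always` the preceding service carries (visible as context), so after a host reboot the TLS front door stays down while synapse comes back; add `restart: always` to the `nginx` service for consistency.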
@@ -0,0 +1,39 @@
+server {
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_certificate /ssl/chain.crt;
+ ssl_certificate_key /ssl/certificate.keyplain;
+
+ client_max_body_size 100m;
+
+ error_page 403 404 /403_404.html;
+ location = /403_404.html {
+ default_type application/json;
+ return 200 'You are not authorized to access this page.';
+ }
+
+ location /.well-known/matrix/server {
+ default_type application/json;
+ return 200 '{"m.server": "ungleich.matrix.ungleich.cloud:443" }';
+ }
+ location /.well-known/matrix/client {
+ default_type application/json;
+ return 200 '{ "m.homeserver": { "base_url": "https://ungleich.matrix.ungleich.cloud" } }';
+ }
+
+
+ location ~ /_matrix|/_synapse {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+
+ proxy_connect_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
+ send_timeout 600s;
+
+ proxy_pass http://localhost:8008;
+ }
+}
diff --git a/ansible/roles/ssl-certificates/tasks/main.yml b/ansible/roles/ssl-certificates/tasks/main.yml
new file mode 100644
index 0000000..752c923
--- /dev/null
+++ b/ansible/roles/ssl-certificates/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Create ssl directory
+ ansible.builtin.file:
+ path: /ssl
+ state: directory
+ mode: '0755'
+ owner: root
+ tags:
+ - dir
+ - ssl
+- name: Copy SSL certificate
+ ansible.builtin.copy:
+ src: files/{{ inventory_hostname }}/
+ dest: /ssl
+ owner: root
+ mode: '0644'
+ tags:
+ - files
+ - ssl
diff --git a/ansible/roles/synapse-base/tasks/main.yml b/ansible/roles/synapse-base/tasks/main.yml
index 40a9843..4d05f76 100644
--- a/ansible/roles/synapse-base/tasks/main.yml
+++ b/ansible/roles/synapse-base/tasks/main.yml
@@ -9,7 +9,7 @@
 path: /mnt/synapse_data
 state: directory
 mode: '0700'
- owner: "{{ ansible_user }}"
+ owner: 991
 tags:
 - directory
 # - name: Create homeserver.yaml file
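Review bot: The two `.well-known/matrix` responses hardcode `ungleich.matrix.ungleich.cloud`, which is not any of the hosts this deployment names (`.env` sets `SYNAPSE_SERVER_NAME=corp-serv.net` and `NGINX_SYNAPSE_FQDN=synapse.corp-apps.com`), so federation and client discovery for this server would be delegated to a third-party host; these values appear to be left over from a copied template and must point at the deployment's own FQDN. `proxy_pass http://localhost:8008;` is also suspect: in the compose file nginx runs as its own container on the default bridge network, where `localhost` is the nginx container itself rather than synapse, so the upstream should be the synapse service name (not visible in this diff; `synapse` below is a guess). Finally, `location ~ /_matrix|/_synapse` proxies the whole `/_synapse` tree, including the admin API, to the internet; the Synapse reverse-proxy guidance is to expose only `/_matrix` and `/_synapse/client`. Since the file is dropped straight into `conf.d` it cannot read the `.env` variables; if the official image's `envsubst` templating is used (mount as `/etc/nginx/templates/synapse.conf.template`) the hostnames can be written as below, otherwise substitute the literal FQDN.
```nginx
    location /.well-known/matrix/server {
        default_type application/json;
        return 200 '{"m.server": "${NGINX_SYNAPSE_FQDN}:443"}';
    }
    location /.well-known/matrix/client {
        default_type application/json;
        return 200 '{"m.homeserver": {"base_url": "https://${NGINX_SYNAPSE_FQDN}"}}';
    }
    # … unchanged: blank lines …
    location ~ ^(/_matrix|/_synapse/client) {
        # … unchanged: proxy_set_header and timeout directives …
        proxy_pass http://synapse:8008;
    }
```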
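Review bot: The `Copy SSL certificate` task applies `mode: '0644'` to every file under `files/{{ inventory_hostname }}/`, which from the nginx config includes the private key `/ssl/certificate.keyplain`, so the key ends up world-readable on the host and inside every container that mounts `/ssl`. Tighten it to `mode: '0600'` on the copy and `mode: '0700'` on the directory; the official nginx image starts its master process as root, so it can still load the key before dropping to the worker user (confirm that for the image in use). The `keyplain` name also suggests the private key is committed to the repository unencrypted; keeping it in `ansible-vault` (or issuing it on the host) would avoid shipping key material in git history.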
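Review bot: `owner: 991` replaces a variable with a bare magic number and nothing in the file says what it is; presumably it is the UID the synapse process runs as inside the container image, but a future reader cannot tell that or know when a new image version changes it. Add a comment above the line, e.g. `# UID of the synapse user inside the Synapse container image; must match the image or the 0700 data dir is unreadable`, and consider setting `group: 991` alongside it so the directory's group is not left as the previous owner's.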