diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 1c0d668fbd4ae59bab115c2116b7fa377395dcfc..896580d3e5e8721e94c104be32b88475e085dc35 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -86,8 +86,33 @@
   };
 
   services.private-storage-issuer = {
-    inherit letsEncryptAdminEmail allowedChargeOrigins;
+    inherit allowedChargeOrigins;
     domains = issuerDomains;
+    # Arbitrary non-priviledged port:
+    httpPort = 1061;
+  };
+
+  # nginx reverse proxy
+  security.acme.email = letsEncryptAdminEmail;
+  security.acme.acceptTerms = true;
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256:
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
+      };
+    };
   };
 
   system.stateVersion = "19.03";
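Review bot: The `proxyPass` target on the `locations."/"` line assumes the issuer only listens on loopback, but nothing in this hunk (or the `tls = false` hunk in issuer.nix) shows its bind address; if the service binds all interfaces, port 1061 becomes a plaintext path to the same API that `forceSSL` is meant to protect, so confirm the listen address or add a firewall rule for that port. The virtual host is keyed on `${config.networking.hostName}.${config.networking.domain}` while the issuer still gets `domains = issuerDomains;`, so if `issuerDomains` contains any other name, that name is no longer served over TLS — presumably the two should be derived from the same value. The `sslCiphers` string includes `AES256+EDH`, which nginx only honours when a DH parameter file is configured; if none is, the comment `# Only allow PFS-enabled ciphers with AES256:` overstates what is negotiable, and the comment above `httpPort` has a typo: `# Arbitrary non-privileged port:`.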
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 51046b436e297cdc5034134e3503556e8030588c..716fe760d5f50e961dd40a732ab3792571fdcdd8 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -50,7 +50,8 @@ rec {
 
   services.private-storage-issuer = {
     enable = true;
-    tls = true;
+    # We'll let NGINX handle TLS termination:
+    tls = false;
     ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
     stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
     database = "SQLite3";
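Review bot: The comment above `tls = false;` names the mechanism but not where it lives, and a reader of this file alone cannot find the proxy that now owns the TLS boundary; make it `# TLS is terminated by the nginx reverse proxy in customize-issuer.nix; this service only serves plain HTTP on httpPort.`. Since the service now emits plaintext, the comment is also the right place to record the expectation that the listener is reachable only from the proxy, which this hunk does not show.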