diff --git a/prod/syncthing-packer/packer/Makefile b/prod/syncthing-packer/packer/Makefile
index a0620d9..5b76152 100644
--- a/prod/syncthing-packer/packer/Makefile
+++ b/prod/syncthing-packer/packer/Makefile
@@ -1,6 +1,13 @@
-.PHONY: packer
+.PHONY: packer reissue-certs
-packer: syncthing-config.xml syncthing.json syncthing-cert.pem syncthing-key.pem certbot/live/syncthing.jeremydormitzer.com/fullchain.pem certbot/live/syncthing.jeremydormitzer.com/privkey.pem
+packer-manifest.json: syncthing-config.xml \
+ syncthing.json \
+ syncthing.conf \
+ syncthing@.service \
+ syncthing-cert.pem \
+ syncthing-key.pem \
+ certbot/live/syncthing.jeremydormitzer.com/fullchain.pem \
+ certbot/live/syncthing.jeremydormitzer.com/privkey.pem
 packer build syncthing.json
 syncthing-config.xml: syncthing-config.xml.template
@@ -13,8 +20,20 @@ syncthing-key.pem: syncthing-key.pem.template
 sigil -p -f syncthing-key.pem.template > syncthing-key.pem
 certbot/live/syncthing.jeremydormitzer.com/fullchain.pem certbot/live/syncthing.jeremydormitzer.com/privkey.pem &: do.ini
- certbot certonly -n --agree-tos --email ${CERTBOT_EMAIL} --dns-digitalocean --dns-digitalocean-credentials do.ini --config-dir ./certbot --work-dir ./certbot --logs-dir ./certbot -d syncthing.jeremydormitzer.com
+ certbot certonly -n \
+ --agree-tos \
+ --email ${CERTBOT_EMAIL} \
+ --dns-digitalocean \
+ --dns-digitalocean-credentials do.ini \
+ --config-dir ./certbot \
+ --work-dir ./certbot \
+ --logs-dir ./certbot \
+ -d syncthing.jeremydormitzer.com
 do.ini: do.ini.template
 sigil -p -f do.ini.template > do.ini
 chmod 600 do.ini
+
+reissue-certs:
+ rm -rf certbot
+ make
diff --git a/prod/syncthing-packer/packer/packer-manifest.json b/prod/syncthing-packer/packer/packer-manifest.json
new file mode 100644
index 0000000..e5176a8
--- /dev/null
+++ b/prod/syncthing-packer/packer/packer-manifest.json
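Review bot: In the Makefile's first hunk, `.PHONY: packer reissue-certs` still declares `packer`, but the only rule for that name is replaced by `packer-manifest.json:`, so `make packer` now fails with "No rule to make target"; either drop the name or keep a phony alias `packer: packer-manifest.json`. The recipe `packer build syncthing.json` does not write `$@` itself — it produces the manifest only because of the `manifest` post-processor added to syncthing.json in this same commit, which is worth a comment above the rule, e.g. `# packer-manifest.json is written by the "manifest" post-processor in syncthing.json`. Since `packer-manifest.json` is also committed, a fresh checkout may consider it newer than its templates and skip the build, and the file appears to accumulate one entry per run (it already lists four `builds`), so a stale committed copy is easy to mistake for the current one.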
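Review bot: The Makefile's `reissue-certs` recipe re-enters the build with a bare `make`, which bypasses the jobserver and any flags or variable overrides given to the outer invocation; change that line to `+$(MAKE)` (the `+` keeps it running under `make -n`). `rm -rf certbot` discards not only the issued key but also the ACME account state that certbot keeps under `--config-dir ./certbot`, so each reissue presumably registers a fresh account — acceptable here, but a comment on the target should say so. The wrapped certbot command passes `--email ${CERTBOT_EMAIL}` unguarded; when the variable is unset Make expands it to nothing and certbot sees `--email --dns-digitalocean`, failing late with an argument error, so add `$(if $(CERTBOT_EMAIL),,$(error CERTBOT_EMAIL is not set))` near the top of the file.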
@@ -0,0 +1,41 @@
+{
+ "builds": [
+ {
+ "name": "digitalocean",
+ "builder_type": "digitalocean",
+ "build_time": 1609427687,
+ "files": null,
+ "artifact_id": "nyc1:76122293",
+ "packer_run_uuid": "b8b05181-f2b2-fd24-8231-64db6a8ee83e",
+ "custom_data": null
+ },
+ {
+ "name": "digitalocean",
+ "builder_type": "digitalocean",
+ "build_time": 1609428815,
+ "files": null,
+ "artifact_id": "nyc1:76122707",
+ "packer_run_uuid": "6f564392-0dbc-1643-e857-1dffe292f182",
+ "custom_data": null
+ },
+ {
+ "name": "digitalocean",
+ "builder_type": "digitalocean",
+ "build_time": 1609429797,
+ "files": null,
+ "artifact_id": "nyc1:76123038",
+ "packer_run_uuid": "3476cdcc-3e08-7ede-8348-379491435681",
+ "custom_data": null
+ },
+ {
+ "name": "digitalocean",
+ "builder_type": "digitalocean",
+ "build_time": 1609430273,
+ "files": null,
+ "artifact_id": "nyc1:76123201",
+ "packer_run_uuid": "e61d396f-483d-ad37-8f9f-ba0b436e2c53",
+ "custom_data": null
+ }
+ ],
+ "last_run_uuid": "e61d396f-483d-ad37-8f9f-ba0b436e2c53"
+}
\ No newline at end of file
diff --git a/prod/syncthing-packer/packer/syncthing.conf b/prod/syncthing-packer/packer/syncthing.conf
index 928b6a3..969ff5d 100644
--- a/prod/syncthing-packer/packer/syncthing.conf
+++ b/prod/syncthing-packer/packer/syncthing.conf
@@ -1,8 +1,26 @@
 server {
- listen 80;
- listen [::]:80;
 location / {
 proxy_pass http://127.0.0.1:8384;
 }
+
+ listen [::]:443 ssl ipv6only=on;
+ listen 443 ssl;
+
+ ssl_certificate /home/syncthing/.config/syncthing/https-cert.pem;
+ ssl_certificate_key /home/syncthing/.config/syncthing/https-key.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+ ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
 }
\ No newline at end of file
diff --git a/prod/syncthing-packer/packer/syncthing.json b/prod/syncthing-packer/packer/syncthing.json
index a7617bb..8ac9e3e 100644
--- a/prod/syncthing-packer/packer/syncthing.json
+++ b/prod/syncthing-packer/packer/syncthing.json
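Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new 443 server block enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and gain nothing for current clients; change it to `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 needs nginx 1.13+ built against OpenSSL 1.1.1 — confirm the apt-installed package on the base image qualifies). The `ssl_ciphers` list still carries the 3DES suites (`*-DES-CBC3-SHA`) and the plain `AES*-SHA*`/`AES*-GCM-*` entries that use RSA key exchange without forward secrecy; trimming it to the `ECDHE-*`/`DHE-*` GCM and CHACHA20 entries keeps every client that TLS 1.2 serves anyway. Since port 80 now only redirects, an `add_header Strict-Transport-Security "max-age=63072000" always;` in the 443 block tells browsers to stop trying plaintext on later visits. The key path `/home/syncthing/.config/syncthing/https-key.pem` appears to be the file Syncthing itself uses for its GUI certificate — if sharing it is intended, a comment on the `ssl_certificate_key` line should say so, so nobody later lets Syncthing regenerate it underneath nginx.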
@@ -63,15 +63,33 @@
 "source": "syncthing.conf",
 "destination": "/tmp/syncthing.conf"
 },
+ {
+ "type": "file",
+ "source": "certbot/live/syncthing.jeremydormitzer.com/fullchain.pem",
+ "destination": "/tmp/https-cert.pem"
+ },
+ {
+ "type": "file",
+ "source": "certbot/live/syncthing.jeremydormitzer.com/privkey.pem",
+ "destination": "/tmp/https-key.pem"
+ },
 {
 "type": "shell",
 "inline": [
 "sudo apt-get install -y nginx",
 "sudo mv /tmp/syncthing.conf /etc/nginx/sites-available/syncthing.conf",
+ "sudo mv /tmp/https-cert.pem /home/syncthing/.config/syncthing/https-cert.pem",
+ "sudo mv /tmp/https-key.pem /home/syncthing/.config/syncthing/https-key.pem",
+ "sudo chown -R syncthing:syncthing /home/syncthing/.config/syncthing",
 "sudo ln -s /etc/nginx/sites-available/syncthing.conf /etc/nginx/sites-enabled/",
 "sudo unlink /etc/nginx/sites-enabled/default",
 "sudo systemctl enable nginx"
 ]
 }
+ ],
+ "post-processors": [
+ {
+ "type": "manifest"
+ }
 ]
 }
diff --git a/prod/syncthing-packer/terraform/main.tf b/prod/syncthing-packer/terraform/main.tf
index d780346..0fbe74f 100644
--- a/prod/syncthing-packer/terraform/main.tf
+++ b/prod/syncthing-packer/terraform/main.tf
@@ -4,10 +4,6 @@ provider "digitalocean" {
 spaces_secret_key = var.spaces_secret_key
 }
-data "digitalocean_image" "syncthing" {
- name = "syncthing-packer-1609384536"
-}
-
 data "terraform_remote_state" "do_ssh_keys" {
 backend = "s3"
@@ -25,7 +21,7 @@ data "terraform_remote_state" "do_ssh_keys" {
 resource "digitalocean_droplet" "syncthing" {
 name = "syncthing"
- image = data.digitalocean_image.syncthing.id
+ image = "76123201"
 region = "nyc1"
 size = "s-1vcpu-1gb"
 backups = true
@@ -43,4 +39,8 @@ resource "digitalocean_volume" "syncthing_volume" {
 size = 100
 initial_filesystem_label = "syncthing-volume"
 initial_filesystem_type = "ext4"
+
+ lifecycle {
+ prevent_destroy = true
+ }
 }
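Review bot: In syncthing.json, the new `"sudo mv /tmp/https-key.pem ..."` line moves the certbot-issued private key into place with whatever mode the `file` provisioner gave it in `/tmp`, and the following `chown -R` fixes ownership only; add `"sudo chmod 600 /home/syncthing/.config/syncthing/https-key.pem"` after the chown so the key is not readable by other users on the droplet (nginx's master process reads it as root under the default configuration, so no wider access is needed). Baking `privkey.pem` into the image also means every DigitalOcean snapshot built from this template carries the key, and the certificate inside it expires about 90 days after `certbot certonly` ran with nothing on the droplet to renew it — `reissue-certs` plus a rebuild and redeploy is the only path, which deserves a comment next to these provisioners or in the README. Whether `/home/syncthing/.config/syncthing` exists before the `mv` depends on provisioners outside this hunk; a `"sudo mkdir -p /home/syncthing/.config/syncthing"` ahead of the moves would make the step self-contained.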
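Review bot: In main.tf, `image = "76123201"` hard-codes the snapshot id that `packer-manifest.json` already records as `artifact_id` `nyc1:76123201` under `last_run_uuid`, so every image rebuild needs a manual edit here that is easy to forget or mistype, and the previous name-based `data "digitalocean_image"` lookup removed in the earlier hunk at least failed loudly when the name was wrong. Deriving the id from the manifest keeps Terraform in step with the last Packer run; the `locals` below use only the manifest fields visible in this commit and the relative path between the two directories shown in the file headers. The `digitalocean_droplet` resource continues past the end of the hunk, and the `prevent_destroy` addition in the last hunk needs no change.
```hcl
locals {
  packer_manifest = jsondecode(file("${path.module}/../packer/packer-manifest.json"))
  packer_last_build = [
    for b in local.packer_manifest.builds : b
    if b.packer_run_uuid == local.packer_manifest.last_run_uuid
  ][0]
  # artifact_id is "<region>:<image id>"; the droplet wants only the id
  packer_image_id = split(":", local.packer_last_build.artifact_id)[1]
}

resource "digitalocean_droplet" "syncthing" {
  name   = "syncthing"
  image  = local.packer_image_id
  # … unchanged: region, size, backups and the rest of the resource …
```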