diff --git a/nginx/default b/nginx/default
index 6ea04f95..c16962dc 100644
--- a/nginx/default
+++ b/nginx/default
@@ -1,7 +1,18 @@
 server {
 listen 80 default_server;
 server_name build.servo.org;
+ return 307 https://$host$request_uri;
+}
+
+server {
+ ssl_certificate /etc/letsencrypt/live/build.servo.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/build.servo.org/privkey.pem;
+
+ listen 443 ssl;
+ server_name build.servo.org;
+ # add Strict-Transport-Security to prevent man in the middle attacks
+ add_header Strict-Transport-Security "max-age=31536000" always;
 location / {
 proxy_pass http://localhost:8010/;
diff --git a/nginx/init.sls b/nginx/init.sls
index 86990817..bc7fabba 100644
--- a/nginx/init.sls
+++ b/nginx/init.sls
@@ -19,3 +19,20 @@ nginx:
 file.symlink:
 - target: /etc/nginx/sites-available/default
+certbot:
+ pkgrepo.managed:
+ - ppa: certbot/certbot
+ pkg.installed:
+ - pkgs:
+ - certbot
+ - python-certbot-nginx
+
+certbot renew:
+ cron.present:
+ - identifier: build-cert-renew
+ - user: root
+ - minute: 0
+ - hour: 0
+ - daymonth: 1
+ - require:
+ - pkg: certbot
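Review bot: In nginx/default the port-80 redirect builds its target from `$host`, and that block is `default_server`, so a request carrying any Host header is redirected to that name instead of to this site; `return 307 https://build.servo.org$request_uri;` pins the target. The `Strict-Transport-Security` header is set at server level, and nginx stops inheriting `add_header` in any block that declares its own, so if `location /` (whose body continues outside this hunk) sets or later gains an `add_header`, the HSTS line has to be repeated there; a comment next to the directive saying so would help. The new 443 block sets no `ssl_protocols`, so the accepted TLS versions are whatever the main nginx.conf or the package default provides, which is worth confirming before relying on the HSTS comment's claim.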
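Review bot: In nginx/init.sls the `certbot renew` cron entry fires only once a month (`daymonth: 1`), which leaves very little margin, because certbot by default renews only certificates within roughly 30 days of expiry: a certificate skipped on one run can be almost expired on the next, and one failed run then means an expired certificate behind a year-long HSTS policy. Removing the `- daymonth: 1` line makes the job daily, and it is a no-op when nothing is due. The job also does not reload nginx, so unless the certificate was issued through the nginx installer plugin the running server may keep serving the old one; naming the state `certbot renew --deploy-hook "service nginx reload"` would cover that. Nothing visible in this hunk requests the initial certificate, while nginx/default now points at files under /etc/letsencrypt/live/, so a fresh minion would presumably fail the nginx config check until certbot has been run by hand; a comment above the `certbot:` state documenting that step would help.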