diff --git a/roles/loadbalancer/templates/nginx.conf.j2 b/roles/loadbalancer/templates/nginx.conf.j2
index 479efc0..bd79de6 100644
--- a/roles/loadbalancer/templates/nginx.conf.j2
+++ b/roles/loadbalancer/templates/nginx.conf.j2
@@ -45,6 +45,27 @@ http {
   server {
     listen 443;
 
+    server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de
+
+    ssl_certificate /etc/nginx/ssl/staging_tls.crt;
+    ssl_certificate_key /etc/nginx/ssl/staging_tls.key;
+
+    location / {
+      proxy_pass https://k3s_servers_https;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+    }
+  }
+
+  server {
+    listen 443;
+
+    server_name production.k3s.seyshiro.de *.production.k3s.seyshiro.de
+
+    ssl_certificate /etc/nginx/ssl/production_tls.crt;
+    ssl_certificate_key /etc/nginx/ssl/production_tls.key;
+
     location / {
       proxy_pass https://k3s_servers_https;
       proxy_set_header Host $host;
diff --git a/scripts/get_tls.sh b/scripts/get_tls.sh
new file mode 100755
index 0000000..c5f2d5f
--- /dev/null
+++ b/scripts/get_tls.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+kubectl -n staging get secret k3s-seyshiro-de-staging-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >staging_tls.crt
+kubectl -n staging get secret k3s-seyshiro-de-staging-tls -o jsonpath='{.data.tls\.key}' | base64 -d >staging_tls.key
+
+kubectl -n production get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >production_tls.crt
+kubectl -n production get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.key}' | base64 -d >production_tls.key
+
+scp ./{production,staging}_tls.{crt,key} k3s-loadbalancer:~
+
+# onsite
+# chmod 600 ./{production,staging}_tls.{crt,key}
+# sudo mv ./{production,staging}_tls.{crt,key} /etc/nginx/ssl/