diff --git a/roles/loadbalancer/templates/nginx.conf.j2 b/roles/loadbalancer/templates/nginx.conf.j2
index bd79de6..83438ab 100644
--- a/roles/loadbalancer/templates/nginx.conf.j2
+++ b/roles/loadbalancer/templates/nginx.conf.j2
@@ -2,8 +2,8 @@
 include /etc/nginx/modules-enabled/*.conf;
 events {}
-# TCP Load Balancing for the K3s API
 stream {
+# TCP Load Balancing for the K3s API
 upstream k3s_servers {
 {% for ip in k3s_server_ips %}
 server {{ ip }}:{{k3s.loadbalancer.default_port}};
@@ -14,6 +14,17 @@ stream {
 listen {{k3s.loadbalancer.default_port}};
 proxy_pass k3s_servers;
 }
+
+ upstream dns_servers {
+ {% for ip in k3s_server_ips %}
+ server {{ ip }}:53;
+ {% endfor %}
+ }
+
+ server {
+ listen 53 udp;
+ proxy_pass dns_servers;
+ }
 }
 http {
@@ -43,9 +54,9 @@ http {
 }
 server {
- listen 443;
+ listen 443 ssl;
- server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de
+ server_name staging.k3s.seyshiro.de *.staging.k3s.seyshiro.de;
 ssl_certificate /etc/nginx/ssl/staging_tls.crt;
 ssl_certificate_key /etc/nginx/ssl/staging_tls.key;
@@ -59,9 +70,9 @@ http {
 }
 server {
- listen 443;
+ listen 443 ssl;
- server_name production.k3s.seyshiro.de *.production.k3s.seyshiro.de
+ server_name k3s.seyshiro.de *.k3s.seyshiro.de;
 ssl_certificate /etc/nginx/ssl/production_tls.crt;
 ssl_certificate_key /etc/nginx/ssl/production_tls.key;
@@ -74,3 +85,5 @@ http {
 }
 }
 }
+
+
diff --git a/scripts/get_tls.sh b/scripts/get_tls.sh
index c5f2d5f..4e81eec 100755
--- a/scripts/get_tls.sh
+++ b/scripts/get_tls.sh
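Review bot: The new `server { listen 53 udp; ... }` block in the second hunk proxies UDP only, so a DNS answer that comes back truncated (TC bit set) and the client's TCP retry have nowhere to go; add a TCP listener beside it, `listen 53;` together with `listen 53 udp;` in the same server, and on the UDP path set `proxy_responses 1;` so nginx closes each session after the single expected reply instead of holding it until proxy_timeout. The upstream hard-codes port 53 twice while `k3s_servers` takes its port from `k3s.loadbalancer.default_port`; a variable such as `{{ k3s.loadbalancer.dns_port }}` (constructed name, not on the page) would keep the template consistent. It is also worth a comment stating whether this listener is meant to be reachable from outside, because if the upstream on the k3s servers recurses, a publicly bound UDP/53 listener becomes an open resolver and should be bound to an internal address or firewalled. The `# TCP Load Balancing for the K3s API` heading moved in the first hunk now sits above a UDP DNS block as well; `# Stream proxies: K3s API (TCP) and DNS (UDP)` would be more accurate.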
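Review bot: With both `listen 443 ssl` blocks (fourth and fifth hunks) and no `default_server`, a TLS client whose SNI matches neither name, or sends none, is handed the first block, i.e. the staging certificate and vhost; a catch-all `server { listen 443 ssl default_server; ssl_reject_handshake on; }` (nginx 1.19.4 or later) would refuse unmatched names instead of serving the staging certificate for them. The hunks show only `ssl_certificate`/`ssl_certificate_key`; if `ssl_protocols` and `ssl_ciphers` are not set elsewhere in the file the nginx defaults apply, which may be intended but deserves a one-line comment either way. The new production `*.k3s.seyshiro.de` wildcard also matches hosts under `staging.k3s.seyshiro.de`; nginx picks the longest wildcard so the staging block still wins, but a comment such as `# *.staging.k3s.seyshiro.de is the longer wildcard, so it takes precedence over *.k3s.seyshiro.de` would save the next reader a trip to the docs. Both enclosing server blocks continue outside their hunks.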
@@ -1,13 +1,15 @@
 #!/bin/bash
-kubectl -n staging get secret k3s-seyshiro-de-staging-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >staging_tls.crt
-kubectl -n staging get secret k3s-seyshiro-de-staging-tls -o jsonpath='{.data.tls\.key}' | base64 -d >staging_tls.key
+kubectl -n staging get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >staging_tls.crt
+kubectl -n staging get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.key}' | base64 -d >staging_tls.key
 kubectl -n production get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.crt}' | base64 -d >production_tls.crt
 kubectl -n production get secret k3s-seyshiro-de-tls -o jsonpath='{.data.tls\.key}' | base64 -d >production_tls.key
 scp ./{production,staging}_tls.{crt,key} k3s-loadbalancer:~
+rm ./{production,staging}_tls.{crt,key}
-# onsite
+# on k3s-loadbalancer
 # chmod 600 ./{production,staging}_tls.{crt,key}
+# sudo chown root:root ./{production,staging}_tls.{crt,key}
 # sudo mv ./{production,staging}_tls.{crt,key} /etc/nginx/ssl/
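Review bot: The script still runs without `set -euo pipefail`, so if `kubectl` fails on any of the four lines (wrong context, or the staging secret not yet carrying its new name `k3s-seyshiro-de-tls`), `base64 -d` writes an empty file, `scp` ships it, and the newly added `rm` line then deletes the only local evidence; put `set -euo pipefail` directly after the shebang so the pipeline failure stops the script before the copy. The private keys are written into the current directory under the default umask, and `scp` carries that mode to k3s-loadbalancer, so `umask 077` on the next line would keep both the local and the remote copies owner-readable only until the manual `chmod 600` step runs. The staging and production secrets now share a name and differ only by namespace, which is easy to misread; a comment `# same secret name in both namespaces; -n selects the environment` above the kubectl lines would make that explicit. The manual steps end at `sudo mv` with no `sudo nginx -t && sudo systemctl reload nginx` line, so unless a reload happens elsewhere the new certificates are not served until nginx is reloaded.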