diff --git a/contrib/README b/contrib/README
deleted file mode 100644
index 8648244..0000000
--- a/contrib/README
+++ /dev/null
@@ -1 +0,0 @@
-These files are provided for reference only.
diff --git a/contrib/pages.sr.ht/Caddyfile b/contrib/pages.sr.ht/Caddyfile
deleted file mode 100644
index 00fa8ec..0000000
--- a/contrib/pages.sr.ht/Caddyfile
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- on_demand_tls {
- ask http://localhost:5112/domain
- interval 10s
- burst 5
- }
-}
-
-(logging) {
- log {
- output file /var/log/access.log {
- roll_disabled
- }
- format console
- }
-}
-
-(uacme) {
- tls /etc/ssl/uacme/srht.site/cert.pem /etc/ssl/uacme/private/srht.site/key.pem
-}
-
-(sts) {
- header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- header Permissions-Policy "interest-cohort=()"
-}
-
-pages.sr.ht {
- redir / https://srht.site temporary
- import sts
- import logging
- reverse_proxy localhost:5112
-}
-
-node.pages.sr.ht:80 {
- import logging
- reverse_proxy localhost:9100
-}
-
-*.srht.site {
- import sts
- import logging
- import uacme
- reverse_proxy localhost:5012
-}
-
-:443 {
- reverse_proxy localhost:5012
- tls {
- on_demand
- }
- import logging
-}
diff --git a/pages.sr.ht/nginx.conf b/pages.sr.ht/nginx.conf
new file mode 100644
index 0000000..6c7d0d0
--- /dev/null
+++ b/pages.sr.ht/nginx.conf
@@ -0,0 +1,18 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name node.pages.sr.ht;
+
+ location /metrics {
+ proxy_pass http://127.0.0.1:9100;
+ }
+}
diff --git a/pages.sr.ht/tlstunnel.conf b/pages.sr.ht/tlstunnel.conf
new file mode 100644
index 0000000..0343587
--- /dev/null
+++ b/pages.sr.ht/tlstunnel.conf
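Review bot: The `location /metrics` block in the `node.pages.sr.ht` server of nginx.conf forwards to the service on 127.0.0.1:9100 from a plain-HTTP listener with no `allow`/`deny` rule or authentication, so anyone who can reach port 80 under that name can read whatever it exports. If that exposure is intended, a comment such as `# metrics are intentionally public` would record the decision; otherwise restrict it with `allow <MONITORING_CIDR>; deny all;` (placeholder for the scraper's address range). The location is also a prefix match, so `location = /metrics` would limit it to the exact path. The removed Caddyfile proxied the whole host to the same port, so the exposure looks inherited rather than new.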
@@ -0,0 +1,20 @@
+tls {
+ on_demand {
+ validate_command sh -c "[ $TLSTUNNEL_NAME = pages.sr.ht ] || curl -f http://localhost:5112/domain?domain=$TLSTUNNEL_NAME"
+ }
+}
+
+frontend pages.sr.ht:443 {
+ backend localhost:5112
+}
+
+frontend *.srht.site:443 {
+ backend localhost:5012
+ tls {
+ load /etc/ssl/uacme/srht.site/cert.pem /etc/ssl/uacme/private/srht.site/key.pem
+ }
+}
+
+frontend :443 {
+ backend localhost:5012
+}
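Review bot: `$TLSTUNNEL_NAME` is expanded unquoted by `sh -c` in `validate_command`, both inside the `[ ... ]` test and in the curl URL, and it appears to carry the server name requested by the connecting client, so it should be treated as untrusted. Unquoted, the value is subject to word splitting and pathname expansion, and an empty value makes the test malformed; the `?` in the URL is also a glob character. Quoting both uses avoids this, e.g. `validate_command sh -c '[ "$TLSTUNNEL_NAME" = pages.sr.ht ] || curl -f "http://localhost:5112/domain?domain=$TLSTUNNEL_NAME"'`, assuming the config format accepts single-quoted words (otherwise escape the inner quotes). Separately, the removed Caddyfile set `Strict-Transport-Security` for pages.sr.ht and *.srht.site and nothing in this file does, so it is worth confirming that the backends now send it.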