diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index dc11a70..b595fb7 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -42,7 +42,7 @@ node.default['lnd']['alias'] = 'ln2.kosmos.org'
 node.default['lnd']['color'] = '#5e0c99'
 node.default['lnd']['log_level'] = 'info'
 node.default['lnd']['public_ip'] = '148.251.237.111'
-node.default['lnd']['public_port'] = '9375'
+node.default['lnd']['public_port'] = '9735'
 node.default['lnd']['port'] = '9736'
 node.default['lnd']['minchansize'] = '1000000'
 node.default['lnd']['basefee'] = '500'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb b/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb
index b86b184..b8f2865 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb
@@ -92,3 +92,9 @@ systemd_unit 'lightningd.service' do
 triggers_reload true
 action [:create, :enable, :start]
 end
+
+firewall_rule 'lightningd' do
+ port [9735] # TODO use attribute
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
index b179c42..4e2464a 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
@@ -89,3 +89,9 @@ systemd_unit 'lnd.service' do
 triggers_reload true
 action [:create, :enable, :start]
 end
+
+firewall_rule 'lnd' do
+ port [node['lnd']['port']]
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-mastodon/attributes/default.rb b/site-cookbooks/kosmos-mastodon/attributes/default.rb
index f04a577..0a92707 100644
--- a/site-cookbooks/kosmos-mastodon/attributes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb
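Review bot: In recipes/lnd.rb the new `firewall_rule 'lnd'` opens `node['lnd']['port']`, which the attributes hunk of this commit leaves at '9736', while the corrected `public_port` is '9735', the same port the c-lightning rule opens as a literal. Nothing visible in the diff maps 9735 to 9736, so it is worth confirming that peers dialling the advertised address actually reach lnd, and that on a host running both recipes 9735 does not land on lightningd instead. If a forward exists upstream, a comment above the rule would record it, e.g. `# listen port; peers reach it via public_port, forwarded upstream`. The attribute is a String, so `port [node['lnd']['port'].to_i]` would also make the type handed to the resource explicit.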
@@ -8,5 +8,5 @@ node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
 node.override["tor"]["HiddenServices"]["mastodon"] = {
- "HiddenServicePorts" => ["80 127.0.0.1:80"]
+ "HiddenServicePorts" => ["80 127.0.0.1:80", "443 127.0.0.1:443"]
 }
diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
index 65717a1..84caba4 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@@ -6,6 +6,7 @@ mastodon_path = node["kosmos-mastodon"]["directory"]
 server_name = node["kosmos-mastodon"]["server_name"]
+node.override['nginx']['server_names_hash_bucket_size'] = 128
 include_recipe "kosmos-nginx"
 directory "#{node['nginx']['dir']}/snippets" do
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
index 6991f7a..e1c6ebb 100644
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@@ -24,3 +24,16 @@ server {
 add_header Strict-Transport-Security "max-age=31536000";
 }
 <% end %>
+
+<% if @onion_address %>
+server {
+ listen 443 ssl http2;
+ server_name mastodon.<%= @onion_address %>;
+ include <%= @shared_config_path %>;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ add_header Strict-Transport-Security "max-age=31536000";
+}
+<% end %>
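Review bot: The `node.override['nginx']['server_names_hash_bucket_size'] = 128` line added to recipes/nginx.rb has no comment saying why the value is raised or why it must sit at override precedence ahead of `include_recipe "kosmos-nginx"`. It presumably exists because the onion `server_name` added to the template in this commit is too long for nginx's default bucket size, but that link is only visible by reading the two files together. A comment on the line would keep it from being removed as unexplained tuning, e.g. `# onion server_name exceeds the default server_names hash bucket size`.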
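Review bot: The new onion `server` block in nginx_conf_mastodon.erb serves `mastodon.<%= @onion_address %>` with `@ssl_cert`/`@ssl_key`, presumably the same pair the clearnet block uses, and nothing visible shows that certificate listing the onion name. If it does not, every client arriving through the new `443 127.0.0.1:443` hidden-service mapping gets a name-mismatch warning, and browsers disregard `Strict-Transport-Security` on a connection with certificate errors, so the header would do nothing there. The block is also guarded only by `@onion_address`; the condition closed by the preceding `<% end %>` lies outside the hunk, and if it tests for the certificate the onion block needs the same test, since nginx refuses to load a config that references a missing certificate file. A template comment would record the requirement: `<%# @ssl_cert must list mastodon.<onion address> as a SAN %>`.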