diff --git a/manifests/init.pp b/manifests/init.pp
index cebe8c2c380029b8b9fccfefb425ec4eac9e1032..cb7fb95bd895bdb614e108a7cbb8193d7592349a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,3 +1,4 @@
+#
 class ai4ca (
   String $www_root = '/usr/share/nginx/html',
   Array[String] $index_files = ['index.html'],
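Review bot: The bare `#` added above `class ai4ca` documents nothing and looks like it is there only to satisfy a lint check for class documentation. A short header would serve readers better, for example `# @summary Configures nginx to serve the site over HTTPS`, followed by `# @param www_root` and `# @param index_files` lines describing the two parameters visible here. The parameter list continues outside this hunk, so any further parameters need the same treatment.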
@@ -14,13 +15,15 @@ class ai4ca (
   }
 
   nginx::resource::server { "${fact('networking.fqdn')} HTTPS":
-    ensure      => present,
-    listen_port => 443,
-    www_root    => $www_root,
-    index_files => $index_files,
-    ssl         => true,
-    ssl_cert    => fact("letsencrypt_certs.${fact('networking.fqdn')}.files.combined"),
-    ssl_key     => fact("letsencrypt_certs.${fact('networking.fqdn')}.files.key"),
+    ensure        => present,
+    listen_port   => 443,
+    www_root      => $www_root,
+    index_files   => $index_files,
+    ssl           => true,
+    ssl_cert      => fact("letsencrypt_certs.\"${fact('networking.fqdn')}\".files.combined"),
+    ssl_key       => fact("letsencrypt_certs.\"${fact('networking.fqdn')}\".files.key"),
+    ssl_protocols => 'TLSv1.3 TLSv1.2',
+    ssl_ciphers   => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
   }
 
   firewalld_service {
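Review bot: The two `DHE-RSA-*` entries at the end of `ssl_ciphers` will not be negotiated unless DH parameters are configured, because nginx 1.11.0 and later ship no built-in defaults and the resource as shown sets no `ssl_dhparam`. Either drop those two suites or add `ssl_dhparam => '<path-to-dhparam-file>',` (placeholder path) next to the cipher list. Separately, `ssl_cert` and `ssl_key` come from `fact()` lookups that presumably return undef until the certificate has been issued. A first run on a fresh host may therefore fail with `ssl => true`, so a guard or a comment on the bootstrap order would help.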
@@ -30,5 +33,11 @@ class ai4ca (
     'nginx https LiU':
       zone    => 'liu',
       service => 'https';
+    'nginx http Public':
+      zone    => 'public',
+      service => 'http';
+    'nginx https Public':
+      zone    => 'public',
+      service => 'https';
   }
 }
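Review bot: The `'nginx http Public'` and `'nginx https Public'` entries extend exposure from the `liu` zone to the `public` zone, and the port-80 entry admits cleartext traffic from anywhere in that zone. Nothing in the visible lines shows whether the HTTP server only redirects to HTTPS or serves ACME challenges. That should be confirmed and the reason recorded next to the entry, e.g. `# public http: kept open for <reason>; the port-80 server must only redirect to https`. The `firewalld_service` block opens above this hunk, so other zone entries may exist that are not shown here.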