diff --git a/sites-available/koel b/sites-available/koel
index 5d9f440..2094dc7 100644
--- a/sites-available/koel
+++ b/sites-available/koel
@@ -1,7 +1,14 @@
-# HTTP-only NGINX config for music.aaf.systems (no SSL)
+# Block 1: Redirects all HTTP traffic to HTTPS
 server {
     listen 80;
     server_name music.aaf.systems;
+    return 301 https://$host$request_uri;
+}
+
+# Block 2: Handles the secure HTTPS traffic
+server {
+    listen 443 ssl http2;
+    server_name music.aaf.systems;
 
     location / {
         proxy_pass http://100.93.165.98:4075;
@@ -12,4 +19,10 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
     }
-}
+
+    # SSL settings managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/music.aaf.systems/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/music.aaf.systems/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
\ No newline at end of file