diff --git a/volumes/conf.d/code.zinomedia.de.conf b/volumes/conf.d/code.zinomedia.de.conf
new file mode 100644
index 0000000..4dbe66b
--- /dev/null
+++ b/volumes/conf.d/code.zinomedia.de.conf
@@ -0,0 +1,42 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name code.zinomedia.de;
+
+ access_log off;
+
+ ssl_certificate /etc/letsencrypt/live/code.zinomedia.de/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/code.zinomedia.de/privkey.pem; # managed by Certbot
+
+ # SSL Optimizations
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ resolver 127.0.0.11;
+ set $upstream "code-server:8443";
+
+ proxy_pass http://$upstream;
+
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Accept-Encoding gzip;
+ proxy_set_header Connection upgrade;
+ proxy_set_header Accept-Encoding gzip;
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 128;
+ proxy_read_timeout 3600;
+ add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';" always;
+ }
+
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name code.zinomedia.de;
+ return 301 https://$host$request_uri;
+}
\ No newline at end of file
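Review bot: The `add_header Content-Security-Policy` line in `location /` allows every origin plus `'unsafe-inline'` and `'unsafe-eval'` in `default-src` and `script-src`, so the header restricts nothing and gives no containment if script is injected into what the upstream name suggests is a browser-based editor. A policy pinned to the site's own origin would at least block third-party script loads and cross-origin connections, for example `add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; frame-src 'self'" always;`, widened per directive only where testing shows the editor needs it. `access_log off;` at server level also leaves no request record for this host, which removes the usual data source for spotting repeated login attempts or reconstructing a session afterwards; dropping that line restores the inherited logging. Smaller points: `proxy_set_header Accept-Encoding gzip;` appears twice, and `proxy_set_header Connection upgrade;` is sent on every proxied request rather than only when `$http_upgrade` is set.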